rhel

package
v1.5.30 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 6, 2024 License: Apache-2.0 Imports: 33 Imported by: 5

Documentation

Overview

Package rhel implements the machinery for processing layers and security data from the Red Hat ecosystem.

See the various exported types for details on the heuristics employed.

In addition, containers themselves are recognized via the github.com/quay/claircore/rhel/rhcc package.

Index

Constants

View Source
const (

	// DefaultContainerAPI is the default Red Hat Container API URL.
	//
	//doc:url indexer
	DefaultContainerAPI = "https://catalog.redhat.com/api/containers/"
	// DefaultRepo2CPEMappingURL is default URL with a mapping file provided by Red Hat.
	//
	//doc:url indexer
	DefaultRepo2CPEMappingURL = "https://security.access.redhat.com/data/metrics/repository-to-cpe.json"
)
View Source
const DefaultManifest = `https://security.access.redhat.com/data/oval/v2/PULP_MANIFEST`

DefaultManifest is the url for the Red Hat OVAL pulp repository.

Variables

This section is empty.

Functions

func NewEcosystem added in v0.1.0

func NewEcosystem(_ context.Context) *indexer.Ecosystem

NewEcosystem provides the set of scanners and coalescer for the rhel ecosystem.

Types

type Coalescer added in v0.1.0

type Coalescer struct{}

Coalescer takes individual layer artifacts and coalesces them into a full report on the manifest's contents.

Due to the specifics of the RHEL build system, some information needs to be back-propagated. That is to say, some information discovered in later layers is also attributed to earlier layers. Both the product and distribution information work this way.

A Coalescer is safe for concurrent use.

func (*Coalescer) Coalesce added in v0.1.0

func (*Coalescer) Coalesce(ctx context.Context, artifacts []*indexer.LayerArtifacts) (*claircore.IndexReport, error)

Coalesce implements indexer.Coalescer.

type DistributionScanner added in v0.0.14

type DistributionScanner struct{}

DistributionScanner implements distribution detection logic for RHEL by looking for an `etc/os-release` file in the layer and failing that, an `etc/redhat-release` file.

The DistributionScanner can be used concurrently.

func (*DistributionScanner) Kind added in v0.0.14

func (*DistributionScanner) Kind() string

Kind implements indexer.VersionedScanner.

func (*DistributionScanner) Name added in v0.0.14

func (*DistributionScanner) Name() string

Name implements indexer.VersionedScanner.

func (*DistributionScanner) Scan added in v0.0.14

Scan implements indexer.DistributionScanner.

func (*DistributionScanner) Version added in v0.0.14

func (*DistributionScanner) Version() string

Version implements indexer.VersionedScanner.

type Factory added in v0.1.0

type Factory struct {
	// contains filtered or unexported fields
}

Factory contains the configuration for fetching and parsing a Pulp manifest.

func NewFactory added in v0.1.0

func NewFactory(_ context.Context, manifest string) (*Factory, error)

NewFactory creates a Factory making updaters based on the contents of the provided pulp manifest.

func (*Factory) Configure added in v0.1.0

func (f *Factory) Configure(ctx context.Context, cfg driver.ConfigUnmarshaler, c *http.Client) error

Configure implements driver.Configurable.

func (*Factory) UpdaterSet added in v0.1.0

func (f *Factory) UpdaterSet(ctx context.Context) (driver.UpdaterSet, error)

UpdaterSet implements driver.UpdaterSetFactory.

The returned Updaters determine the claircore.Distribution it's associated with based on the path in the Pulp manifest.

type FactoryConfig added in v0.1.0

type FactoryConfig struct {
	URL string `json:"url" yaml:"url"`
	// IgnoreUnpatched dictates whether to ingest unpatched advisory data
	// from the RHEL security feeds.
	IgnoreUnpatched bool `json:"ignore_unpatched" yaml:"ignore_unpatched"`
}

FactoryConfig is the configuration accepted by the rhel updaters.

By convention, this should be in a map called "rhel".

type Matcher added in v0.0.8

type Matcher struct {
	// contains filtered or unexported fields
}

Matcher implements driver.Matcher.

func (*Matcher) Filter added in v0.0.8

func (*Matcher) Filter(record *claircore.IndexRecord) bool

Filter implements driver.Matcher.

func (*Matcher) Name added in v0.0.8

func (*Matcher) Name() string

Name implements driver.Matcher.

func (*Matcher) Query added in v0.0.8

func (m *Matcher) Query() []driver.MatchConstraint

Query implements driver.Matcher.

func (*Matcher) Vulnerable added in v0.0.8

func (m *Matcher) Vulnerable(ctx context.Context, record *claircore.IndexRecord, vuln *claircore.Vulnerability) (bool, error)

Vulnerable implements driver.Matcher.

Vulnerable will interpret the claircore.Vulnerability.Repo.CPE as a CPE match expression, and to be considered vulnerable, the relationship between claircore.IndexRecord.Repository.CPE and the claircore.Vulnerability.Repo.CPE needs to be a CPE Name Comparison Relation of SUPERSET(⊇)(Source is a superset or equal to the target). https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7696.pdf Section 6.2.

type MatcherFactory added in v1.5.29

type MatcherFactory struct {
	// contains filtered or unexported fields
}

func (*MatcherFactory) Configure added in v1.5.29

MatcherFactory implements driver.MatcherConfigurable.

func (*MatcherFactory) Matcher added in v1.5.29

func (f *MatcherFactory) Matcher(ctx context.Context) ([]driver.Matcher, error)

MatcherFactory implements driver.MatcherFactory

type MatcherFactoryConfig added in v1.5.29

type MatcherFactoryConfig struct {
	IgnoreUnpatched bool `json:"ignore_unpatched" yaml:"ignore_unpatched"`
}

type RepositoryScanner added in v0.1.0

type RepositoryScanner struct {
	// contains filtered or unexported fields
}

RepositoryScanner implements repository detection logic for RHEL.

The RHEL detection logic needs outside information because the Red Hat build system does not (and did not, in the past) store the relevant information in the layer itself. In addition, dnf and yum do not persist provenance information outside of a cache and rpm considers such information outside its baliwick.

In the case of the RHEL ecosystem, "repository" is a bit of a misnomer, as advisories are tracked on the Product level, and so Clair's "repository" data is used instead to indicate a Product. This mismatch can lead to apparent duplications in reporting. For example, if an advisory is marked as affecting "cpe:/a:redhat:enterprise_linux:8" and "cpe:/a:redhat:enterprise_linux:8::appstream", this results in two advisories being recorded. (CPEs do not namespace the way this example may imply; that is to say, the latter is not "contained in" or a "member of" the former.) If a layer reports that it is both the "cpe:/a:redhat:enterprise_linux:8" and "cpe:/a:redhat:enterprise_linux:8::appstream" layer, then both advisories match.

func (*RepositoryScanner) Configure added in v0.1.0

Configure implements indexer.RPCScanner.

func (*RepositoryScanner) Kind added in v0.1.0

func (*RepositoryScanner) Kind() string

Kind implements indexer.VersionedScanner.

func (*RepositoryScanner) Name added in v0.1.0

func (*RepositoryScanner) Name() string

Name implements indexer.VersionedScanner.

func (*RepositoryScanner) Scan added in v0.1.0

func (r *RepositoryScanner) Scan(ctx context.Context, l *claircore.Layer) (repositories []*claircore.Repository, err error)

Scan implements indexer.RepositoryScanner.

func (*RepositoryScanner) Version added in v0.1.0

func (*RepositoryScanner) Version() string

Version implements indexer.VersionedScanner.

type RepositoryScannerConfig added in v1.4.12

type RepositoryScannerConfig struct {
	// DisableAPI disables the use of the API.
	DisableAPI bool `json:"disable_api" yaml:"disable_api"`
	// API is the URL to talk to the Red Hat Container API.
	//
	// See [DefaultContainerAPI] and [containerapi.ContainerAPI].
	API string `json:"api" yaml:"api"`
	// Repo2CPEMappingURL can be used to fetch the repo mapping file.
	// Consulting the mapping file is preferred over the Container API.
	//
	// See [DefaultRepo2CPEMappingURL] and [repo2cpe].
	Repo2CPEMappingURL string `json:"repo2cpe_mapping_url" yaml:"repo2cpe_mapping_url"`
	// Repo2CPEMappingFile, if specified, is consulted instead of the [Repo2CPEMappingURL].
	//
	// This should be provided to avoid any network traffic.
	Repo2CPEMappingFile string `json:"repo2cpe_mapping_file" yaml:"repo2cpe_mapping_file"`
	// Timeout controls the timeout for any remote calls this package makes.
	//
	// The default is 10 seconds.
	Timeout time.Duration `json:"timeout" yaml:"timeout"`
}

RepositoryScannerConfig is the configuration expected for a RepositoryScanner.

Providing the "URL" and "File" members controls how the RepositoryScanner handles updating its mapping file:

  • If the "URL" is provided or no configuration is provided, the mapping file is fetched at construction time and then updated periodically.
  • If only the "File" is provided, it will be consulted exclusively.
  • If both the "URL" and "File" are provided, the file will be loaded initially and then updated periodically from the URL.

type Updater

type Updater struct {
	ovalutil.Fetcher // fetch method promoted via embed
	// contains filtered or unexported fields
}

Updater fetches and parses RHEL-flavored OVAL databases.

func NewUpdater

func NewUpdater(name string, release int, uri string, ignoreUnpatched bool) (*Updater, error)

NewUpdater returns an Updater.

func (*Updater) Configure added in v1.4.12

func (u *Updater) Configure(ctx context.Context, cf driver.ConfigUnmarshaler, c *http.Client) error

Configure implements driver.Configurable.

func (*Updater) Name

func (u *Updater) Name() string

Name implements driver.Updater.

func (*Updater) Parse

Parse implements driver.Updater.

Parse treats the data inside the provided io.ReadCloser as Red Hat flavored OVAL XML. The distribution associated with vulnerabilities is configured via the Updater. The repository associated with vulnerabilies is based on the affected CPE list.

type UpdaterConfig added in v1.4.12

type UpdaterConfig struct {
	ovalutil.FetcherConfig
	Release int64 `json:"release" yaml:"release"`
}

UpdaterConfig is the configuration expected for any given updater.

See also ovalutil.FetcherConfig.

Directories

Path Synopsis
Package dockerfile implements a minimal dockerfile parser.
Package dockerfile implements a minimal dockerfile parser.
internal
containerapi
Package containerapi is a minimal client around the Red Hat Container API.
Package containerapi is a minimal client around the Red Hat Container API.
pulp
Package pulp is for reading a Pulp manifest.
Package pulp is for reading a Pulp manifest.
Package rhcc implements an ecosystem for the Red Hat Container Catalog.
Package rhcc implements an ecosystem for the Red Hat Container Catalog.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL