Documentation ¶
Overview ¶
Package rhel implements the machinery for processing layers and security data from the Red Hat ecosystem.
See the various exported types for details on the heuristics employed.
In addition, containers themselves are recognized via the github.com/vishnuchalla/claircore/rhel/rhcc package.
Index ¶
- Constants
- func NewEcosystem(ctx context.Context) *indexer.Ecosystem
- type Coalescer
- type DistributionScanner
- type Factory
- type FactoryConfig
- type Matcher
- type RepositoryScanner
- func (r *RepositoryScanner) Configure(ctx context.Context, f indexer.ConfigDeserializer, c *http.Client) error
- func (*RepositoryScanner) Kind() string
- func (*RepositoryScanner) Name() string
- func (r *RepositoryScanner) Scan(ctx context.Context, l *claircore.Layer) (repositories []*claircore.Repository, err error)
- func (*RepositoryScanner) Version() string
- type RepositoryScannerConfig
- type Updater
- type UpdaterConfig
Constants ¶
const ( // DefaultContainerAPI is the default Red Hat Container API URL. // //doc:url indexer DefaultContainerAPI = "https://catalog.redhat.com/api/containers/" // DefaultRepo2CPEMappingURL is default URL with a mapping file provided by Red Hat. // //doc:url indexer DefaultRepo2CPEMappingURL = "https://access.redhat.com/security/data/metrics/repository-to-cpe.json" )
const DefaultManifest = `https://access.redhat.com/security/data/oval/v2/PULP_MANIFEST`
DefaultManifest is the url for the Red Hat OVAL pulp repository.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Coalescer ¶
type Coalescer struct{}
Coalescer takes individual layer artifacts and coalesces them into a full report on the manifest's contents.
Due to the specifics of the RHEL build system, some information needs to be back-propagated. That is to say, some information discovered in later layers is also attributed to earlier layers. Both the product and distribution information work this way.
A Coalescer is safe for concurrent use.
func (*Coalescer) Coalesce ¶
func (*Coalescer) Coalesce(ctx context.Context, artifacts []*indexer.LayerArtifacts) (*claircore.IndexReport, error)
Coalesce implements indexer.Coalescer.
type DistributionScanner ¶
type DistributionScanner struct{}
DistributionScanner implements distribution detection logic for RHEL by looking for an `etc/os-release` file in the layer and failing that, an `etc/redhat-release` file.
The DistributionScanner can be used concurrently.
func (*DistributionScanner) Kind ¶
func (*DistributionScanner) Kind() string
Kind implements indexer.VersionedScanner.
func (*DistributionScanner) Name ¶
func (*DistributionScanner) Name() string
Name implements indexer.VersionedScanner.
func (*DistributionScanner) Scan ¶
func (ds *DistributionScanner) Scan(ctx context.Context, l *claircore.Layer) ([]*claircore.Distribution, error)
Scan implements indexer.DistributionScanner.
func (*DistributionScanner) Version ¶
func (*DistributionScanner) Version() string
Version implements indexer.VersionedScanner.
type Factory ¶
type Factory struct {
// contains filtered or unexported fields
}
Factory contains the configuration for fetching and parsing a Pulp manifest.
func NewFactory ¶
NewFactory creates a Factory making updaters based on the contents of the provided pulp manifest.
func (*Factory) Configure ¶
func (f *Factory) Configure(ctx context.Context, cfg driver.ConfigUnmarshaler, c *http.Client) error
Configure implements driver.Configurable.
func (*Factory) UpdaterSet ¶
UpdaterSet implements driver.UpdaterSetFactory.
The returned Updaters determine the claircore.Distribution it's associated with based on the path in the Pulp manifest.
type FactoryConfig ¶
type FactoryConfig struct {
URL string `json:"url" yaml:"url"`
}
FactoryConfig is the configuration accepted by the rhel updaters.
By convention, this should be in a map called "rhel".
type Matcher ¶
type Matcher struct{}
Matcher implements driver.Matcher.
func (*Matcher) Filter ¶
func (*Matcher) Filter(record *claircore.IndexRecord) bool
Filter implements driver.Matcher.
func (*Matcher) Query ¶
func (*Matcher) Query() []driver.MatchConstraint
Query implements driver.Matcher.
func (*Matcher) Vulnerable ¶
func (m *Matcher) Vulnerable(ctx context.Context, record *claircore.IndexRecord, vuln *claircore.Vulnerability) (bool, error)
Vulnerable implements driver.Matcher.
type RepositoryScanner ¶
type RepositoryScanner struct {
// contains filtered or unexported fields
}
RepositoryScanner implements repository detection logic for RHEL.
The RHEL detection logic needs outside information because the Red Hat build system does not (and did not, in the past) store the relevant information in the layer itself. In addition, dnf and yum do not persist provenance information outside of a cache and rpm considers such information outside its baliwick.
In the case of the RHEL ecosystem, "repository" is a bit of a misnomer, as advisories are tracked on the Product level, and so Clair's "repository" data is used instead to indicate a Product. This mismatch can lead to apparent duplications in reporting. For example, if an advisory is marked as affecting "cpe:/a:redhat:enterprise_linux:8" and "cpe:/a:redhat:enterprise_linux:8::appstream", this results in two advisories being recorded. (CPEs do not namespace the way this example may imply; that is to say, the latter is not "contained in" or a "member of" the former.) If a layer reports that it is both the "cpe:/a:redhat:enterprise_linux:8" and "cpe:/a:redhat:enterprise_linux:8::appstream" layer, then both advisories match.
func (*RepositoryScanner) Configure ¶
func (r *RepositoryScanner) Configure(ctx context.Context, f indexer.ConfigDeserializer, c *http.Client) error
Configure implements indexer.RPCScanner.
func (*RepositoryScanner) Kind ¶
func (*RepositoryScanner) Kind() string
Kind implements indexer.VersionedScanner.
func (*RepositoryScanner) Name ¶
func (*RepositoryScanner) Name() string
Name implements indexer.VersionedScanner.
func (*RepositoryScanner) Scan ¶
func (r *RepositoryScanner) Scan(ctx context.Context, l *claircore.Layer) (repositories []*claircore.Repository, err error)
Scan implements indexer.RepositoryScanner.
func (*RepositoryScanner) Version ¶
func (*RepositoryScanner) Version() string
Version implements indexer.VersionedScanner.
type RepositoryScannerConfig ¶
type RepositoryScannerConfig struct { // API is the URL to talk to the Red Hat Container API. // // See [DefaultContainerAPI] and [containerapi.ContainerAPI]. API string `json:"api" yaml:"api"` // Repo2CPEMappingURL can be used to fetch the repo mapping file. // Consulting the mapping file is preferred over the Container API. // // See [DefaultRepo2CPEMappingURL] and [repo2cpe]. Repo2CPEMappingURL string `json:"repo2cpe_mapping_url" yaml:"repo2cpe_mapping_url"` // Repo2CPEMappingFile, if specified, is consulted instead of the [Repo2CPEMappingURL]. // // This should be provided to avoid any network traffic. Repo2CPEMappingFile string `json:"repo2cpe_mapping_file" yaml:"repo2cpe_mapping_file"` // Timeout controls the timeout for any remote calls this package makes. // // The default is 10 seconds. Timeout time.Duration `json:"timeout" yaml:"timeout"` }
RepositoryScannerConfig is the configuration expected for a RepositoryScanner.
Providing the "URL" and "File" members controls how the RepositoryScanner handles updating its mapping file:
- If the "URL" is provided or no configuration is provided, the mapping file is fetched at construction time and then updated periodically.
- If only the "File" is provided, it will be consulted exclusively.
- If both the "URL" and "File" are provided, the file will be loaded initially and then updated periodically from the URL.
type Updater ¶
type Updater struct { ovalutil.Fetcher // fetch method promoted via embed // contains filtered or unexported fields }
Updater fetches and parses RHEL-flavored OVAL databases.
func NewUpdater ¶
NewUpdater returns an Updater.
func (*Updater) Configure ¶
Configure implements driver.Configurable.
func (*Updater) Parse ¶
func (u *Updater) Parse(ctx context.Context, r io.ReadCloser) ([]*claircore.Vulnerability, error)
Parse implements driver.Updater.
Parse treats the data inside the provided io.ReadCloser as Red Hat flavored OVAL XML. The distribution associated with vulnerabilities is configured via the Updater. The repository associated with vulnerabilies is based on the affected CPE list.
type UpdaterConfig ¶
type UpdaterConfig struct { ovalutil.FetcherConfig Release int64 `json:"release" yaml:"release"` }
UpdaterConfig is the configuration expected for any given updater.
See also ovalutil.FetcherConfig.
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package dockerfile implements a minimal dockerfile parser.
|
Package dockerfile implements a minimal dockerfile parser. |
internal
|
|
containerapi
Package containerapi is a minimal client around the Red Hat Container API.
|
Package containerapi is a minimal client around the Red Hat Container API. |
pulp
Package pulp is for reading a Pulp manifest.
|
Package pulp is for reading a Pulp manifest. |
Package rhcc implements an ecosystem for the Red Hat Container Catalog.
|
Package rhcc implements an ecosystem for the Red Hat Container Catalog. |