rhel

package
v1.0.4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 28, 2023 License: Apache-2.0 Imports: 33 Imported by: 0

Documentation

Overview

Package rhel implements the machinery for processing layers and security data from the Red Hat ecosystem.

See the various exported types for details on the heuristics employed.

In addition, containers themselves are recognized via the github.com/vishnuchalla/claircore/rhel/rhcc package.

Index

Constants

View Source
const (

	// DefaultContainerAPI is the default Red Hat Container API URL.
	//
	//doc:url indexer
	DefaultContainerAPI = "https://catalog.redhat.com/api/containers/"
	// DefaultRepo2CPEMappingURL is default URL with a mapping file provided by Red Hat.
	//
	//doc:url indexer
	DefaultRepo2CPEMappingURL = "https://access.redhat.com/security/data/metrics/repository-to-cpe.json"
)
View Source
const DefaultManifest = `https://access.redhat.com/security/data/oval/v2/PULP_MANIFEST`

DefaultManifest is the url for the Red Hat OVAL pulp repository.

Variables

This section is empty.

Functions

func NewEcosystem

func NewEcosystem(ctx context.Context) *indexer.Ecosystem

NewEcosystem provides the set of scanners and coalescer for the rhel ecosystem.

Types

type Coalescer

type Coalescer struct{}

Coalescer takes individual layer artifacts and coalesces them into a full report on the manifest's contents.

Due to the specifics of the RHEL build system, some information needs to be back-propagated. That is to say, some information discovered in later layers is also attributed to earlier layers. Both the product and distribution information work this way.

A Coalescer is safe for concurrent use.

func (*Coalescer) Coalesce

func (*Coalescer) Coalesce(ctx context.Context, artifacts []*indexer.LayerArtifacts) (*claircore.IndexReport, error)

Coalesce implements indexer.Coalescer.

type DistributionScanner

type DistributionScanner struct{}

DistributionScanner implements distribution detection logic for RHEL by looking for an `etc/os-release` file in the layer and failing that, an `etc/redhat-release` file.

The DistributionScanner can be used concurrently.

func (*DistributionScanner) Kind

func (*DistributionScanner) Kind() string

Kind implements indexer.VersionedScanner.

func (*DistributionScanner) Name

func (*DistributionScanner) Name() string

Name implements indexer.VersionedScanner.

func (*DistributionScanner) Scan

Scan implements indexer.DistributionScanner.

func (*DistributionScanner) Version

func (*DistributionScanner) Version() string

Version implements indexer.VersionedScanner.

type Factory

type Factory struct {
	// contains filtered or unexported fields
}

Factory contains the configuration for fetching and parsing a Pulp manifest.

func NewFactory

func NewFactory(ctx context.Context, manifest string) (*Factory, error)

NewFactory creates a Factory making updaters based on the contents of the provided pulp manifest.

func (*Factory) Configure

func (f *Factory) Configure(ctx context.Context, cfg driver.ConfigUnmarshaler, c *http.Client) error

Configure implements driver.Configurable.

func (*Factory) UpdaterSet

func (f *Factory) UpdaterSet(ctx context.Context) (driver.UpdaterSet, error)

UpdaterSet implements driver.UpdaterSetFactory.

The returned Updaters determine the claircore.Distribution it's associated with based on the path in the Pulp manifest.

type FactoryConfig

type FactoryConfig struct {
	URL string `json:"url" yaml:"url"`
}

FactoryConfig is the configuration accepted by the rhel updaters.

By convention, this should be in a map called "rhel".

type Matcher

type Matcher struct{}

Matcher implements driver.Matcher.

func (*Matcher) Filter

func (*Matcher) Filter(record *claircore.IndexRecord) bool

Filter implements driver.Matcher.

func (*Matcher) Name

func (*Matcher) Name() string

Name implements driver.Matcher.

func (*Matcher) Query

func (*Matcher) Query() []driver.MatchConstraint

Query implements driver.Matcher.

func (*Matcher) Vulnerable

func (m *Matcher) Vulnerable(ctx context.Context, record *claircore.IndexRecord, vuln *claircore.Vulnerability) (bool, error)

Vulnerable implements driver.Matcher.

type RepositoryScanner

type RepositoryScanner struct {
	// contains filtered or unexported fields
}

RepositoryScanner implements repository detection logic for RHEL.

The RHEL detection logic needs outside information because the Red Hat build system does not (and did not, in the past) store the relevant information in the layer itself. In addition, dnf and yum do not persist provenance information outside of a cache and rpm considers such information outside its baliwick.

In the case of the RHEL ecosystem, "repository" is a bit of a misnomer, as advisories are tracked on the Product level, and so Clair's "repository" data is used instead to indicate a Product. This mismatch can lead to apparent duplications in reporting. For example, if an advisory is marked as affecting "cpe:/a:redhat:enterprise_linux:8" and "cpe:/a:redhat:enterprise_linux:8::appstream", this results in two advisories being recorded. (CPEs do not namespace the way this example may imply; that is to say, the latter is not "contained in" or a "member of" the former.) If a layer reports that it is both the "cpe:/a:redhat:enterprise_linux:8" and "cpe:/a:redhat:enterprise_linux:8::appstream" layer, then both advisories match.

func (*RepositoryScanner) Configure

Configure implements indexer.RPCScanner.

func (*RepositoryScanner) Kind

func (*RepositoryScanner) Kind() string

Kind implements indexer.VersionedScanner.

func (*RepositoryScanner) Name

func (*RepositoryScanner) Name() string

Name implements indexer.VersionedScanner.

func (*RepositoryScanner) Scan

func (r *RepositoryScanner) Scan(ctx context.Context, l *claircore.Layer) (repositories []*claircore.Repository, err error)

Scan implements indexer.RepositoryScanner.

func (*RepositoryScanner) Version

func (*RepositoryScanner) Version() string

Version implements indexer.VersionedScanner.

type RepositoryScannerConfig

type RepositoryScannerConfig struct {
	// API is the URL to talk to the Red Hat Container API.
	//
	// See [DefaultContainerAPI] and [containerapi.ContainerAPI].
	API string `json:"api" yaml:"api"`
	// Repo2CPEMappingURL can be used to fetch the repo mapping file.
	// Consulting the mapping file is preferred over the Container API.
	//
	// See [DefaultRepo2CPEMappingURL] and [repo2cpe].
	Repo2CPEMappingURL string `json:"repo2cpe_mapping_url" yaml:"repo2cpe_mapping_url"`
	// Repo2CPEMappingFile, if specified, is consulted instead of the [Repo2CPEMappingURL].
	//
	// This should be provided to avoid any network traffic.
	Repo2CPEMappingFile string `json:"repo2cpe_mapping_file" yaml:"repo2cpe_mapping_file"`
	// Timeout controls the timeout for any remote calls this package makes.
	//
	// The default is 10 seconds.
	Timeout time.Duration `json:"timeout" yaml:"timeout"`
}

RepositoryScannerConfig is the configuration expected for a RepositoryScanner.

Providing the "URL" and "File" members controls how the RepositoryScanner handles updating its mapping file:

  • If the "URL" is provided or no configuration is provided, the mapping file is fetched at construction time and then updated periodically.
  • If only the "File" is provided, it will be consulted exclusively.
  • If both the "URL" and "File" are provided, the file will be loaded initially and then updated periodically from the URL.

type Updater

type Updater struct {
	ovalutil.Fetcher // fetch method promoted via embed
	// contains filtered or unexported fields
}

Updater fetches and parses RHEL-flavored OVAL databases.

func NewUpdater

func NewUpdater(name string, release int, uri string) (*Updater, error)

NewUpdater returns an Updater.

func (*Updater) Configure

func (u *Updater) Configure(ctx context.Context, cf driver.ConfigUnmarshaler, c *http.Client) error

Configure implements driver.Configurable.

func (*Updater) Name

func (u *Updater) Name() string

Name implements driver.Updater.

func (*Updater) Parse

Parse implements driver.Updater.

Parse treats the data inside the provided io.ReadCloser as Red Hat flavored OVAL XML. The distribution associated with vulnerabilities is configured via the Updater. The repository associated with vulnerabilies is based on the affected CPE list.

type UpdaterConfig

type UpdaterConfig struct {
	ovalutil.FetcherConfig
	Release int64 `json:"release" yaml:"release"`
}

UpdaterConfig is the configuration expected for any given updater.

See also ovalutil.FetcherConfig.

Directories

Path Synopsis
Package dockerfile implements a minimal dockerfile parser.
Package dockerfile implements a minimal dockerfile parser.
internal
containerapi
Package containerapi is a minimal client around the Red Hat Container API.
Package containerapi is a minimal client around the Red Hat Container API.
pulp
Package pulp is for reading a Pulp manifest.
Package pulp is for reading a Pulp manifest.
Package rhcc implements an ecosystem for the Red Hat Container Catalog.
Package rhcc implements an ecosystem for the Red Hat Container Catalog.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL