support setting scribe onlynewest on certain packages as required
This collapses returned version strings such that only the newest version string for a given package is considered if multiple are installed. Right now this is just a static list in the code but should probably be adjustable by a config file.
This commit is contained in:
Родитель
43a146fa98
Коммит
d73d66473a
@ -26,6 +26,42 @@ var centosReleases = []centosRelease{
|
|||
{PLATFORM_CENTOS_6, "release 6", centos_expression, "^centos-release$"},
|
||||
}
|
||||
|
||||
// The list of packages for this platform we will only consider the newest version for in the
|
||||
// generated policy
|
||||
var centosOnlyNewestPackages = []string{
|
||||
"kernel",
|
||||
"kernel-abi-whitelists",
|
||||
"kernel-headers",
|
||||
"kernel-devel",
|
||||
"kernel-debug",
|
||||
"kernel-debug-devel",
|
||||
"kernel-debuginfo",
|
||||
"kernel-debuginfo-common",
|
||||
"kernel-doc",
|
||||
"kernel-tools",
|
||||
"kernel-tools-debuginfo",
|
||||
"kernel-tools-libs",
|
||||
"perf",
|
||||
"perf-debuginfo",
|
||||
"python-perf",
|
||||
"python-perf-debuginfo",
|
||||
}
|
||||
|
||||
// In some cases we only want to collect version information on the latest installed version
|
||||
// of a package to use for tests. For example, on CentOS we may have multiple versions of
|
||||
// "kernel" installed but we only want to test against the latest version so we don't get a
|
||||
// bunch of false positives.
|
||||
//
|
||||
// This function returns true if this is the case.
|
||||
func centosOnlyNewest(pkgname string) bool {
|
||||
for _, x := range centosOnlyNewestPackages {
|
||||
if x == pkgname {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
// Adds a release test to scribe document doc. The release test is a dependency
|
||||
// for each other vuln check, and validates if a given package is vulnerable that the
|
||||
// platform is also what is expected (e.g., package X is vulnerable and operating system
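Review bot: The comment block above centosOnlyNewest explains the false-positive motivation but not the assumption that makes collapsing to the newest version safe, namely that the newest installed kernel is the one actually running; a host still booted on an older installed kernel would be reported as patched, so the trade-off is a possible false negative rather than a free win. I would add one sentence there, e.g. `// This assumes the newest installed version is the one in use; an older installed kernel that is still booted will not be tested.`. The function comment should also follow Go doc style and start with the name: `// centosOnlyNewest reports whether only the newest installed version of pkgname should be considered when generating policy.`. The list itself is matched exactly and case-sensitively, which is worth saying on centosOnlyNewestPackages since the commit message already anticipates moving it to a config file.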
|
||||
|
|
|
@ -31,11 +31,12 @@ type supportedPlatform struct {
|
|||
clairNamespace string
|
||||
clairNamespaceId int // Populated upon query of the database
|
||||
releaseTest func(supportedPlatform, *scribe.Document) (string, error)
|
||||
pkgNewest func(string) bool
|
||||
}
|
||||
|
||||
var supportedPlatforms = []supportedPlatform{
|
||||
{PLATFORM_CENTOS_6, "centos6", "centos:6", 0, centosReleaseTest},
|
||||
{PLATFORM_CENTOS_7, "centos7", "centos:7", 0, centosReleaseTest},
|
||||
{PLATFORM_CENTOS_6, "centos6", "centos:6", 0, centosReleaseTest, centosOnlyNewest},
|
||||
{PLATFORM_CENTOS_7, "centos7", "centos:7", 0, centosReleaseTest, centosOnlyNewest},
|
||||
}
|
||||
|
||||
// Given a clair namespace, return the supportedPlatform entry for it if it is
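Review bot: The new pkgNewest field on supportedPlatform has no comment, and the supportedPlatforms entries are positional composite literals, which is why both CentOS rows had to be rewritten here; a future entry written the same way with `nil` in the last position compiles fine but leaves pkgNewest unset. I would document the field, `pkgNewest func(string) bool // reports whether only the newest installed version of a package is tested; nil means all versions`, and switch the entries to keyed fields (`releaseTest: centosReleaseTest, pkgNewest: centosOnlyNewest`, with the remaining fields keyed likewise) so adding a field no longer forces every row to change. The supportedPlatform struct starts before this hunk, so the earlier fields are not visible here.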
|
||||
|
@ -175,6 +176,7 @@ func generatePolicy(p string) error {
|
|||
if !found {
|
||||
newobj.Object = objname
|
||||
newobj.Package.Name = x.pkgName
|
||||
newobj.Package.OnlyNewest = platform.pkgNewest(x.pkgName)
|
||||
doc.Objects = append(doc.Objects, newobj)
|
||||
}
|
||||
|
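Review bot: `newobj.Package.OnlyNewest = platform.pkgNewest(x.pkgName)` calls the function value unconditionally, so any supportedPlatform whose pkgNewest is nil (the zero value for a func field) will panic with a nil dereference during policy generation instead of falling back to testing all versions. Guard it: `if platform.pkgNewest != nil {` / `newobj.Package.OnlyNewest = platform.pkgNewest(x.pkgName)` / `}`, which also makes the "no list for this platform" case explicit. generatePolicy begins and continues outside this hunk, so I cannot see whether platform is validated earlier.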
||||
|
|