diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 9251ed2b..c221d83c 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,3 +8,7 @@ updates:
directory: "/"
schedule:
interval: daily
+ ignore:
+ # used to generate Mariner models.
+ # pin to keep from introducing needless drift in the models.
+ - dependency-name: "xsdata"
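Review bot: The `ignore` entry for xsdata switches off every Dependabot update for that package, and GitHub's documentation states that ignore conditions are honored by security updates as well, so a fix for a future xsdata advisory would no longer be surfaced automatically for a package that pyproject.toml pulls in with the `lxml` and `soap` extras. If only model drift from new releases is the concern, a narrower rule such as `update-types: ["version-update:semver-major", "version-update:semver-minor"]` under the `dependency-name` item keeps patch-level fixes flowing; otherwise the comment should say explicitly that xsdata advisories must now be tracked by hand, e.g. `# security updates for xsdata are suppressed too; re-pin manually after regenerating models`. Leading indentation has been stripped from this listing, so the nesting of `ignore` under the `updates` item cannot be checked here.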
diff --git a/poetry.lock b/poetry.lock
index 8b85f90b..120b412f 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 1.8.2 and should not be changed by hand.
+# This file is automatically @generated by Poetry 1.8.3 and should not be changed by hand.
[[package]]
name = "attrs"
@@ -477,21 +477,21 @@ files = [
[[package]]
name = "docformatter"
-version = "1.7.5"
+version = "1.5.0"
description = "Formats docstrings to follow PEP 257"
optional = false
-python-versions = ">=3.7,<4.0"
+python-versions = ">=3.6,<4.0"
files = [
- {file = "docformatter-1.7.5-py3-none-any.whl", hash = "sha256:a24f5545ed1f30af00d106f5d85dc2fce4959295687c24c8f39f5263afaf9186"},
- {file = "docformatter-1.7.5.tar.gz", hash = "sha256:ffed3da0daffa2e77f80ccba4f0e50bfa2755e1c10e130102571c890a61b246e"},
+ {file = "docformatter-1.5.0-py3-none-any.whl", hash = "sha256:ae56c64822c3184602ac83ec37650c9785e80dfec17b4eba4f49ad68815d71c0"},
+ {file = "docformatter-1.5.0.tar.gz", hash = "sha256:9dc71659d3b853c3018cd7b2ec34d5d054370128e12b79ee655498cb339cc711"},
]
[package.dependencies]
-charset_normalizer = ">=3.0.0,<4.0.0"
+tomli = {version = ">=2.0.0,<3.0.0", markers = "python_version >= \"3.7\""}
untokenize = ">=0.1.1,<0.2.0"
[package.extras]
-tomli = ["tomli (>=2.0.0,<3.0.0)"]
+tomli = ["tomli (<2.0.0)"]
[[package]]
name = "dunamai"
@@ -2083,32 +2083,30 @@ files = [
[[package]]
name = "xsdata"
-version = "24.5"
+version = "22.12"
description = "Python XML Binding"
optional = false
-python-versions = ">=3.8"
+python-versions = ">=3.7"
files = [
- {file = "xsdata-24.5-py3-none-any.whl", hash = "sha256:6ff12949083d9a0d9934c50401b347ccbf254bb10bf8472aef956b92662f7858"},
- {file = "xsdata-24.5.tar.gz", hash = "sha256:4e8414a01bff603ca38a361d04d819934fcc525f9b4220f0076e040d84a4a963"},
+ {file = "xsdata-22.12-py3-none-any.whl", hash = "sha256:981755b69148fe954c46f4f6eb12f441e915df403ba86b21165e444667970cc1"},
+ {file = "xsdata-22.12.tar.gz", hash = "sha256:a3d5f1b7b6fff8c916f7825c836ea285a4e7d3f3a94dcbbed0e63ba15dc94466"},
]
[package.dependencies]
click = {version = ">=5.0", optional = true, markers = "extra == \"cli\""}
click-default-group = {version = ">=1.2", optional = true, markers = "extra == \"cli\""}
-docformatter = {version = ">=1.7.2", optional = true, markers = "extra == \"cli\""}
+docformatter = {version = "1.5.0", optional = true, markers = "extra == \"cli\""}
jinja2 = {version = ">=2.10", optional = true, markers = "extra == \"cli\""}
-lxml = {version = ">=4.5.0", optional = true, markers = "extra == \"lxml\""}
+lxml = {version = ">=4.4.1", optional = true, markers = "extra == \"lxml\""}
requests = {version = "*", optional = true, markers = "extra == \"soap\""}
-ruff = {version = ">=0.3.0", optional = true, markers = "extra == \"cli\""}
toposort = {version = ">=1.5", optional = true, markers = "extra == \"cli\""}
-typing-extensions = "*"
[package.extras]
-cli = ["click (>=5.0)", "click-default-group (>=1.2)", "docformatter (>=1.7.2)", "jinja2 (>=2.10)", "ruff (>=0.3.0)", "toposort (>=1.5)"]
-docs = ["markdown-exec[ansi]", "mkdocs", "mkdocs-gen-files", "mkdocs-literate-nav", "mkdocs-material", "mkdocs-minify-plugin", "mkdocstrings[python]", "pymdownx-superfence-filter-lines"]
-lxml = ["lxml (>=4.5.0)"]
+cli = ["click (>=5.0)", "click-default-group (>=1.2)", "docformatter (==1.5.0)", "jinja2 (>=2.10)", "toposort (>=1.5)"]
+docs = ["furo", "sphinx", "sphinx-autobuild", "sphinx-autodoc-typehints", "sphinx-copybutton", "sphinx-inline-tabs"]
+lxml = ["lxml (>=4.4.1)"]
soap = ["requests"]
-test = ["pre-commit", "pytest", "pytest-benchmark", "pytest-cov"]
+test = ["codecov", "pre-commit", "pytest", "pytest-benchmark", "pytest-cov", "tox"]
[[package]]
name = "xxhash"
@@ -2337,4 +2335,4 @@ cffi = ["cffi (>=1.11)"]
[metadata]
lock-version = "2.0"
python-versions = "^3.9"
-content-hash = "abc243d653b5b0394046797abe80e6dc0e3a452a7144f3efb17e9dc8d5ff7fad"
+content-hash = "b15b6f6e33ea6b8806cb3f639d611527205ac052ec6d931191adefac20c187a1"
diff --git a/pyproject.toml b/pyproject.toml
index 4da0fac7..6b0637cb 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -54,7 +54,7 @@ orjson = "^3.8.6"
SQLAlchemy = ">= 1.4.46, < 2.0" # note: 1.4.x currently required for enterprise
mergedeep = "^1.3.4"
importlib-metadata = "^7.0.1"
-xsdata = {extras = ["cli", "lxml", "soap"], version = ">=22.12,<25.0"}
+xsdata = {extras = ["cli", "lxml", "soap"], version = "=22.12"}
pytest-snapshot = "^0.9.0"
mashumaro = "^3.10"
iso8601 = "^2.1.0"
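Review bot: `version = "=22.12"` uses a single `=`, which Poetry appears to accept as an exact match but is not the documented spelling; `==22.12` (or the bare `22.12`) reads unambiguously and matches the `docformatter (==1.5.0)` form in the lock. The line also gives no hint of why the range was collapsed from `>=22.12,<25.0` to a single 2022 release, so the next maintainer is likely to widen it again; a trailing comment such as `# exact pin: newer xsdata regenerates mariner/model/generated.py differently, see .github/dependabot.yml` keeps the two files in step. With Dependabot now ignoring the package as well, this exact pin means xsdata fixes only arrive when someone re-pins by hand.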
diff --git a/schema/vulnerability/os/schema-1.0.1.json b/schema/vulnerability/os/schema-1.0.1.json
new file mode 100644
index 00000000..0b54d79b
--- /dev/null
+++ b/schema/vulnerability/os/schema-1.0.1.json
@@ -0,0 +1,186 @@
+{
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "type": "object",
+ "title": "os-vulnerability",
+ "description": "represents vulnerability records for common linux distributions",
+ "properties": {
+ "Vulnerability": {
+ "type": "object",
+ "properties": {
+ "CVSS": {
+ "type": "array",
+ "items": [
+ {
+ "type": "object",
+ "properties": {
+ "base_metrics": {
+ "type": "object",
+ "properties": {
+ "base_score": {
+ "type": "number"
+ },
+ "base_severity": {
+ "type": "string"
+ },
+ "exploitability_score": {
+ "type": "number"
+ },
+ "impact_score": {
+ "type": "number"
+ }
+ },
+ "required": [
+ "base_score",
+ "base_severity",
+ "exploitability_score",
+ "impact_score"
+ ]
+ },
+ "status": {
+ "type": "string"
+ },
+ "vector_string": {
+ "type": "string"
+ },
+ "version": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "base_metrics",
+ "status",
+ "vector_string",
+ "version"
+ ]
+ }
+ ]
+ },
+ "Description": {
+ "type": "string"
+ },
+ "FixedIn": {
+ "type": "array",
+ "items": [
+ {
+ "type": "object",
+ "properties": {
+ "Name": {
+ "type": "string"
+ },
+ "NamespaceName": {
+ "type": "string"
+ },
+ "VendorAdvisory": {
+ "type": "object",
+ "properties": {
+ "AdvisorySummary": {
+ "type": "array",
+ "items": {}
+ },
+ "NoAdvisory": {
+ "type": "boolean"
+ }
+ },
+ "required": [
+ "NoAdvisory"
+ ]
+ },
+ "Version": {
+ "type": "string"
+ },
+ "VersionFormat": {
+ "type": "string"
+ },
+ "VulnerableRange": {
+ "type": ["string", "null"]
+ },
+ "Module": {
+ "type": ["string", "null"]
+ }
+ },
+ "required": [
+ "Name",
+ "NamespaceName",
+ "Version",
+ "VersionFormat"
+ ]
+ }
+ ]
+ },
+ "Link": {
+ "type": "string"
+ },
+ "Metadata": {
+ "type": "object",
+ "properties": {
+ "Issued": {
+ "type": "string"
+ },
+ "RefId": {
+ "type": "string"
+ },
+ "CVE": {
+ "type": "array",
+ "items": [
+ {
+ "type": "object",
+ "properties": {
+ "Name": {
+ "type": "string"
+ },
+ "Link": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "Name"
+ ]
+ }
+ ]
+ },
+ "NVD": {
+ "type": "object",
+ "properties": {
+ "CVSSv2": {
+ "type": "object",
+ "properties": {
+ "Score": {
+ "type": "number"
+ },
+ "Vectors": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "Score"
+ ]
+ }
+ }
+ }
+ }
+ },
+ "Name": {
+ "type": "string"
+ },
+ "NamespaceName": {
+ "type": "string"
+ },
+ "Severity": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "Description",
+ "FixedIn",
+ "Link",
+ "Metadata",
+ "Name",
+ "NamespaceName",
+ "Severity"
+ ]
+ }
+ },
+ "required": [
+ "Vulnerability"
+ ]
+}
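Review bot: Every array in this schema (`CVSS`, `FixedIn`, `Metadata.CVE`) uses the tuple form `"items": [ { … } ]`, which under draft-04 validates only the first element and leaves later ones unconstrained because `additionalItems` is unset, so a record whose second `FixedIn` entry lacks `Name` or carries a non-string `VulnerableRange` still validates. Use the single-schema form `"items": { "type": "object", … }` for each of the three, or add `"additionalItems": false` if the tuple form is deliberate. The new optional `VulnerableRange` is typed `["string", "null"]` but its grammar (comparator plus EVR, comma-separated, as in the mariner snapshots) is not stated; a `"description"` on the property would help consumers. The snapshot files in this commit still reference schema-1.0.0.json, so it is not visible from the diff where 1.0.1 is actually referenced.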
diff --git a/src/vunnel/providers/mariner/model/generated.py b/src/vunnel/providers/mariner/model/generated.py
index e9baad13..bf6585e9 100644
--- a/src/vunnel/providers/mariner/model/generated.py
+++ b/src/vunnel/providers/mariner/model/generated.py
@@ -272,8 +272,8 @@ class Meta:
"type": "Attribute",
}
)
- criterion: Optional[Criterion] = field(
- default=None,
+ criterion: List[Criterion] = field(
+ default_factory=list,
metadata={
"type": "Element",
}
diff --git a/src/vunnel/providers/mariner/parser.py b/src/vunnel/providers/mariner/parser.py
index 678f3432..67c2b648 100644
--- a/src/vunnel/providers/mariner/parser.py
+++ b/src/vunnel/providers/mariner/parser.py
@@ -18,6 +18,8 @@
from vunnel.workspace import Workspace
LESS_THAN_OR_EQUAL_TO = "less than or equal"
+LESS_THAN = "less than"
+GREATER_THAN = "greater than"
IGNORED_PATCHABLE_VALUES = ["Not Applicable"]
@@ -90,45 +92,78 @@ def name_and_version(self, test_id: str) -> tuple[str | None, str | None]:
def namespace_name(self) -> str:
return f"mariner:{self.mariner_version}"
- def get_test(self, definition: Definition) -> RpminfoTest | None:
- if definition is None or definition.criteria is None or definition.criteria.criterion is None:
- return None
- return self.tests_by_id.get(definition.criteria.criterion.test_ref, None)
+ def get_tests(self, definition: Definition) -> list[RpminfoTest]:
+ tests = []
+ if definition and definition.criteria and definition.criteria.criterion:
+ for criterion in definition.criteria.criterion:
+ test = self.tests_by_id.get(criterion.test_ref, None)
+ if test:
+ tests.append(test)
+ return tests
+
+ def get_states(self, tests: list[RpminfoTest]) -> list[RpminfoState]:
+ states = []
+ for test in tests:
+ if test and test.state and test.state.state_ref:
+ state = self.states_by_id.get(test.state.state_ref, None)
+ if state:
+ states.append(state)
+ return states
+
+ def get_objects(self, tests: list[RpminfoTest]) -> list[RpminfoObject]:
+ objects = []
+ for test in tests:
+ if test and test.object_value and test.object_value.object_ref:
+ obj = self.objects_by_id.get(test.object_value.object_ref, None)
+ if obj:
+ objects.append(obj)
+ return objects
- def get_state(self, definition: Definition) -> RpminfoState | None:
- test = self.get_test(definition)
- if test is None or test.state is None or test.state.state_ref is None:
- return None
- return self.states_by_id.get(test.state.state_ref, None)
+ def make_fixed_in(self, definition: Definition) -> FixedIn | None:
+ tests = self.get_tests(definition)
+ states = self.get_states(tests)
+ objects = self.get_objects(tests)
- def get_object(self, definition: Definition) -> RpminfoObject | None:
- test = self.get_test(definition)
- if test is None or test.object_value is None or test.object_value.object_ref is None:
+ if not states or not objects:
return None
- return self.objects_by_id.get(test.object_value.object_ref, None)
- def make_fixed_in(self, definition: Definition) -> FixedIn | None:
- state = self.get_state(definition)
- obj = self.get_object(definition)
- if state is None or state.evr is None:
+ name = objects[0].name
+ if not name:
return None
- if obj is None or obj.name is None:
+
+ fixed_version = None
+
+ vulnerability_range = []
+ for state in states:
+ if state.evr and state.evr.value:
+ if state.evr.operation == LESS_THAN:
+ vulnerability_range.append(f"< {state.evr.value}")
+ # if vulnerability has an upper bound (< as opposed to <=),
+ # then assume the upper bound is the fixed version
+ fixed_version = state.evr.value
+ elif state.evr.operation == GREATER_THAN:
+ vulnerability_range.append(f"> {state.evr.value}")
+ elif state.evr.operation == LESS_THAN_OR_EQUAL_TO:
+ vulnerability_range.append(f"<= {state.evr.value}")
+
+ if not vulnerability_range:
return None
- version = state.evr.value
- # There are 2 choices for state.ever.operation: "less than" or "less than or equal to".
- # So for this vulnerability, either the statement, "versions < 3.2.1 are vulernable"
- # or the statement "versions <= 3.2.1 are vulnerable". In the second statement,
- # the data has no information about any fixed version, so we report "None"
- # as the fixed version, meaning we consider all version vulnerable.
- # For example, if version 3.2.1 of a library is vulnerable, and is the latest version
- # mariner data might have "versions <= 3.2.1" is vulnerable.
- if state.evr.operation == LESS_THAN_OR_EQUAL_TO:
- version = "None" # legacy API needs the string "None" instead of None
+
+ # make output deterministic. Reverse so that
+ # output reads like >1.2.3 <1.3.0 instead of the reverse.
+ vulnerability_range.sort(reverse=True)
+
+ if not fixed_version:
+ fixed_version = "None" # a required string in JSON schema
+
+ vulnerability_range_str = ", ".join(vulnerability_range)
+
return FixedIn(
- Name=obj.name,
+ Name=name,
NamespaceName=self.namespace_name(),
VersionFormat="rpm",
- Version=version,
+ Version=fixed_version,
+ VulnerableRange=vulnerability_range_str,
Module=None,
VendorAdvisory=None,
)
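Review bot: `name = objects[0].name` attributes every collected state to the first object's package, because get_tests/get_states/get_objects flatten the per-test association between object and state; if a definition's criteria ever references tests for more than one object, the merged VulnerableRange and fixed_version are reported under the wrong package name. A cheap guard is to refuse to merge when the names disagree, `if len({o.name for o in objects if o.name}) > 1: return None`, ideally with a log line. Relatedly, evr operations other than the three compared here (OVAL also defines at least `greater than or equal` and `equals`) are dropped without any trace, which silently widens the range when a lower bound is lost or discards the record entirely when it was the only state; an `else:` branch that logs the unexpected operation would make that visible. Note also that when several `less than` states are present the last one wins as fixed_version, which depends on test order within the definition, while the `sort(reverse=True)` orders the strings lexically, not by version.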
diff --git a/src/vunnel/utils/vulnerability.py b/src/vunnel/utils/vulnerability.py
index 7b7d4175..23b760e8 100644
--- a/src/vunnel/utils/vulnerability.py
+++ b/src/vunnel/utils/vulnerability.py
@@ -78,6 +78,7 @@ class FixedIn:
Version: str
Module: str | None
VendorAdvisory: VendorAdvisory | None
+ VulnerableRange: str | None = None
def __post_init__(self):
if self.Module is None:
diff --git a/tests/unit/providers/mariner/test-fixtures/mariner-truncated-2.0-oval.xml b/tests/unit/providers/mariner/test-fixtures/mariner-truncated-2.0-oval.xml
index cfa5abbc..d7a5a392 100644
--- a/tests/unit/providers/mariner/test-fixtures/mariner-truncated-2.0-oval.xml
+++ b/tests/unit/providers/mariner/test-fixtures/mariner-truncated-2.0-oval.xml
@@ -7,6 +7,23 @@
1683806521
+
+
+ CVE-2023-29404 affecting package golang for versions less than 1.20.7-1
+
+ CBL-Mariner
+
+
+ true
+ 44771-1
+ Critical
+ CVE-2023-29404 affecting package golang for versions less than 1.20.7-1. A patched version of the package is available.
+
+
+
+
+
+
CVE-2023-0687 affecting package glibc 2.35-4
@@ -75,6 +92,14 @@
+
+
+
+
+
+
+
+
@@ -93,6 +118,12 @@
+
+ golang
+
+
+ golang
+
glibc
@@ -107,6 +138,12 @@
+
+ 0:1.20.7-1.cm2
+
+
+ 0:1.19.0.cm2
+
0:2.35-4.cm2
diff --git a/tests/unit/providers/mariner/test-fixtures/snapshots/mariner:2.0/CVE-2022-3736.json b/tests/unit/providers/mariner/test-fixtures/snapshots/mariner:2.0/CVE-2022-3736.json
index 3acb83c0..f2432f52 100644
--- a/tests/unit/providers/mariner/test-fixtures/snapshots/mariner:2.0/CVE-2022-3736.json
+++ b/tests/unit/providers/mariner/test-fixtures/snapshots/mariner:2.0/CVE-2022-3736.json
@@ -1 +1 @@
-{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"mariner:2.0/CVE-2022-3736","item":{"Vulnerability":{"Name":"CVE-2022-3736","NamespaceName":"mariner:2.0","Description":"CVE-2022-3736 affecting package bind 9.16.33-1. No patch is available currently.","Severity":"High","Link":"https://nvd.nist.gov/vuln/detail/CVE-2022-3736","CVSS":[],"FixedIn":[{"Name":"bind","NamespaceName":"mariner:2.0","VersionFormat":"rpm","Version":"None","Module":"","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]}}],"Metadata":{}}}}
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"mariner:2.0/CVE-2022-3736","item":{"Vulnerability":{"Name":"CVE-2022-3736","NamespaceName":"mariner:2.0","Description":"CVE-2022-3736 affecting package bind 9.16.33-1. No patch is available currently.","Severity":"High","Link":"https://nvd.nist.gov/vuln/detail/CVE-2022-3736","CVSS":[],"FixedIn":[{"Name":"bind","NamespaceName":"mariner:2.0","VersionFormat":"rpm","Version":"None","Module":"","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]},"VulnerableRange":"<= 0:9.16.33-1.cm2"}],"Metadata":{}}}}
diff --git a/tests/unit/providers/mariner/test-fixtures/snapshots/mariner:2.0/CVE-2023-21977.json b/tests/unit/providers/mariner/test-fixtures/snapshots/mariner:2.0/CVE-2023-21977.json
index b3e4a8ba..da5bcc9e 100644
--- a/tests/unit/providers/mariner/test-fixtures/snapshots/mariner:2.0/CVE-2023-21977.json
+++ b/tests/unit/providers/mariner/test-fixtures/snapshots/mariner:2.0/CVE-2023-21977.json
@@ -1 +1 @@
-{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"mariner:2.0/CVE-2023-21977","item":{"Vulnerability":{"Name":"CVE-2023-21977","NamespaceName":"mariner:2.0","Description":"CVE-2023-21977 affecting package mysql 8.0.32-1. An upgraded version of the package is available that resolves this issue.","Severity":"Medium","Link":"https://nvd.nist.gov/vuln/detail/CVE-2023-21977","CVSS":[],"FixedIn":[{"Name":"mysql","NamespaceName":"mariner:2.0","VersionFormat":"rpm","Version":"0:8.0.33-1.cm2","Module":"","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]}}],"Metadata":{}}}}
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"mariner:2.0/CVE-2023-21977","item":{"Vulnerability":{"Name":"CVE-2023-21977","NamespaceName":"mariner:2.0","Description":"CVE-2023-21977 affecting package mysql 8.0.32-1. An upgraded version of the package is available that resolves this issue.","Severity":"Medium","Link":"https://nvd.nist.gov/vuln/detail/CVE-2023-21977","CVSS":[],"FixedIn":[{"Name":"mysql","NamespaceName":"mariner:2.0","VersionFormat":"rpm","Version":"0:8.0.33-1.cm2","Module":"","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]},"VulnerableRange":"< 0:8.0.33-1.cm2"}],"Metadata":{}}}}
diff --git a/tests/unit/providers/mariner/test-fixtures/snapshots/mariner:2.0/CVE-2023-21980.json b/tests/unit/providers/mariner/test-fixtures/snapshots/mariner:2.0/CVE-2023-21980.json
index 6447c5fd..f6946145 100644
--- a/tests/unit/providers/mariner/test-fixtures/snapshots/mariner:2.0/CVE-2023-21980.json
+++ b/tests/unit/providers/mariner/test-fixtures/snapshots/mariner:2.0/CVE-2023-21980.json
@@ -1 +1 @@
-{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"mariner:2.0/CVE-2023-21980","item":{"Vulnerability":{"Name":"CVE-2023-21980","NamespaceName":"mariner:2.0","Description":"CVE-2023-21980 affecting package mysql 8.0.32-1. An upgraded version of the package is available that resolves this issue.","Severity":"High","Link":"https://nvd.nist.gov/vuln/detail/CVE-2023-21980","CVSS":[],"FixedIn":[{"Name":"mysql","NamespaceName":"mariner:2.0","VersionFormat":"rpm","Version":"0:8.0.33-1.cm2","Module":"","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]}}],"Metadata":{}}}}
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"mariner:2.0/CVE-2023-21980","item":{"Vulnerability":{"Name":"CVE-2023-21980","NamespaceName":"mariner:2.0","Description":"CVE-2023-21980 affecting package mysql 8.0.32-1. An upgraded version of the package is available that resolves this issue.","Severity":"High","Link":"https://nvd.nist.gov/vuln/detail/CVE-2023-21980","CVSS":[],"FixedIn":[{"Name":"mysql","NamespaceName":"mariner:2.0","VersionFormat":"rpm","Version":"0:8.0.33-1.cm2","Module":"","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]},"VulnerableRange":"< 0:8.0.33-1.cm2"}],"Metadata":{}}}}
diff --git a/tests/unit/providers/mariner/test-fixtures/snapshots/mariner:2.0/CVE-2023-29404.json b/tests/unit/providers/mariner/test-fixtures/snapshots/mariner:2.0/CVE-2023-29404.json
new file mode 100644
index 00000000..e193890e
--- /dev/null
+++ b/tests/unit/providers/mariner/test-fixtures/snapshots/mariner:2.0/CVE-2023-29404.json
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"mariner:2.0/CVE-2023-29404","item":{"Vulnerability":{"Name":"CVE-2023-29404","NamespaceName":"mariner:2.0","Description":"CVE-2023-29404 affecting package golang for versions less than 1.20.7-1. A patched version of the package is available.","Severity":"Critical","Link":"https://nvd.nist.gov/vuln/detail/CVE-2023-29404","CVSS":[],"FixedIn":[{"Name":"golang","NamespaceName":"mariner:2.0","VersionFormat":"rpm","Version":"0:1.20.7-1.cm2","Module":"","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]},"VulnerableRange":"> 0:1.19.0.cm2, < 0:1.20.7-1.cm2"}],"Metadata":{}}}}
diff --git a/tests/unit/providers/mariner/test_mariner.py b/tests/unit/providers/mariner/test_mariner.py
index 1fd03045..04ef8955 100644
--- a/tests/unit/providers/mariner/test_mariner.py
+++ b/tests/unit/providers/mariner/test_mariner.py
@@ -17,6 +17,26 @@
(
"test-fixtures/mariner-truncated-2.0-oval.xml",
[
+ Vulnerability(
+ Name="CVE-2023-29404",
+ NamespaceName="mariner:2.0",
+ Description="CVE-2023-29404 affecting package golang for versions less than 1.20.7-1. A patched version of the package is available.",
+ Severity="Critical",
+ Link="https://nvd.nist.gov/vuln/detail/CVE-2023-29404",
+ CVSS=[],
+ FixedIn=[
+ FixedIn(
+ Name="golang",
+ NamespaceName="mariner:2.0",
+ VersionFormat="rpm",
+ Version="0:1.20.7-1.cm2",
+ Module=None,
+ VendorAdvisory=None,
+ VulnerableRange="> 0:1.19.0.cm2, < 0:1.20.7-1.cm2",
+ )
+ ],
+ Metadata={},
+ ),
Vulnerability(
Name="CVE-2023-21980",
NamespaceName="mariner:2.0",
@@ -30,6 +50,7 @@
NamespaceName="mariner:2.0",
VersionFormat="rpm",
Version="0:8.0.33-1.cm2",
+ VulnerableRange="< 0:8.0.33-1.cm2",
Module=None,
VendorAdvisory=None,
)
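Review bot: The new keyword argument is placed between `Version` and `Module` here but after `VendorAdvisory` in the expectations of the two following hunks and in the new CVE-2023-29404 entry; harmless for a dataclass constructor, but it makes the four fixtures hard to compare by eye. Move `VulnerableRange="< 0:8.0.33-1.cm2",` below `VendorAdvisory=None,` so all expectations follow the field order declared on FixedIn.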
@@ -51,6 +72,7 @@
Version="0:8.0.33-1.cm2",
Module=None,
VendorAdvisory=None,
+ VulnerableRange="< 0:8.0.33-1.cm2",
)
],
Metadata={},
@@ -70,6 +92,7 @@
Version="None",
Module=None,
VendorAdvisory=None,
+ VulnerableRange="<= 0:9.16.33-1.cm2",
),
],
),
@@ -103,7 +126,7 @@ def mock_download(*args, **kwargs):
p.update(None)
- assert 3 == workspace.num_result_entries()
+ assert 4 == workspace.num_result_entries()
assert workspace.result_schemas_valid(require_entries=True)
diff --git a/tests/unit/providers/sles/test-fixtures/snapshots/sles:15.1/cve-2021-29154.json b/tests/unit/providers/sles/test-fixtures/snapshots/sles:15.1/cve-2021-29154.json
index b125e93f..4ad117aa 100644
--- a/tests/unit/providers/sles/test-fixtures/snapshots/sles:15.1/cve-2021-29154.json
+++ b/tests/unit/providers/sles/test-fixtures/snapshots/sles:15.1/cve-2021-29154.json
@@ -1 +1 @@
-{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"sles:15.1/cve-2021-29154","item":{"Vulnerability":{"Name":"CVE-2021-29154","NamespaceName":"sles:15.1","Description":"BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c.","Severity":"High","Link":"https://www.suse.com/security/cve/CVE-2021-29154","CVSS":[{"version":"3.1","vector_string":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","base_metrics":{"base_score":7.0,"exploitability_score":1.0,"impact_score":5.9,"base_severity":"High"},"status":"N/A"}],"FixedIn":[{"Name":"kernel-default","NamespaceName":"sles:15.1","VersionFormat":"rpm","Version":"0:4.12.14-197.89.2","Module":"","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]}}],"Metadata":{}}}}
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"sles:15.1/cve-2021-29154","item":{"Vulnerability":{"Name":"CVE-2021-29154","NamespaceName":"sles:15.1","Description":"BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c.","Severity":"High","Link":"https://www.suse.com/security/cve/CVE-2021-29154","CVSS":[{"version":"3.1","vector_string":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","base_metrics":{"base_score":7.0,"exploitability_score":1.0,"impact_score":5.9,"base_severity":"High"},"status":"N/A"}],"FixedIn":[{"Name":"kernel-default","NamespaceName":"sles:15.1","VersionFormat":"rpm","Version":"0:4.12.14-197.89.2","Module":"","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]},"VulnerableRange":null}],"Metadata":{}}}}
diff --git a/tests/unit/providers/sles/test-fixtures/snapshots/sles:15/cve-2021-29154.json b/tests/unit/providers/sles/test-fixtures/snapshots/sles:15/cve-2021-29154.json
index 74103153..c348671c 100644
--- a/tests/unit/providers/sles/test-fixtures/snapshots/sles:15/cve-2021-29154.json
+++ b/tests/unit/providers/sles/test-fixtures/snapshots/sles:15/cve-2021-29154.json
@@ -1 +1 @@
-{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"sles:15/cve-2021-29154","item":{"Vulnerability":{"Name":"CVE-2021-29154","NamespaceName":"sles:15","Description":"BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c.","Severity":"High","Link":"https://www.suse.com/security/cve/CVE-2021-29154","CVSS":[{"version":"3.1","vector_string":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","base_metrics":{"base_score":7.0,"exploitability_score":1.0,"impact_score":5.9,"base_severity":"High"},"status":"N/A"}],"FixedIn":[{"Name":"kernel-default","NamespaceName":"sles:15","VersionFormat":"rpm","Version":"0:4.12.14-150.72.1","Module":"","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]}}],"Metadata":{}}}}
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"sles:15/cve-2021-29154","item":{"Vulnerability":{"Name":"CVE-2021-29154","NamespaceName":"sles:15","Description":"BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c.","Severity":"High","Link":"https://www.suse.com/security/cve/CVE-2021-29154","CVSS":[{"version":"3.1","vector_string":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","base_metrics":{"base_score":7.0,"exploitability_score":1.0,"impact_score":5.9,"base_severity":"High"},"status":"N/A"}],"FixedIn":[{"Name":"kernel-default","NamespaceName":"sles:15","VersionFormat":"rpm","Version":"0:4.12.14-150.72.1","Module":"","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]},"VulnerableRange":null}],"Metadata":{}}}}