Overview
Package rhel implements the machinery for processing layers and security data from the Red Hat ecosystem.
See the various exported types for details on the heuristics employed.
In addition, containers themselves are recognized via the github.com/quay/claircore/rhel/rhcc package.
Index
- Constants
- func IsCPESubstringMatch(recordCPE cpe.WFN, vulnCPE cpe.WFN) bool
- func NewEcosystem(_ context.Context) *indexer.Ecosystem
- type Coalescer
- type DistributionScanner
- type Matcher
- type MatcherFactory
- type MatcherFactoryConfig
- type PackageScanner
- type RepositoryScanner
- func (r *RepositoryScanner) Configure(ctx context.Context, f indexer.ConfigDeserializer, c *http.Client) error
- func (*RepositoryScanner) Kind() string
- func (*RepositoryScanner) Name() string
- func (r *RepositoryScanner) Scan(ctx context.Context, l *claircore.Layer) ([]*claircore.Repository, error)
- func (*RepositoryScanner) Version() string
- type RepositoryScannerConfig
Constants
const (
	// DefaultRepo2CPEMappingURL is the default URL of the mapping file provided by Red Hat.
	//
	//doc:url indexer
	DefaultRepo2CPEMappingURL = "https://security.access.redhat.com/data/metrics/repository-to-cpe.json"
)
Variables
This section is empty.
Functions
func IsCPESubstringMatch added in v1.5.40
func IsCPESubstringMatch(recordCPE cpe.WFN, vulnCPE cpe.WFN) bool
IsCPESubstringMatch is a Red Hat-specific hack that handles the "CPE patterns" in the VEX data. For historical/unfathomable reasons, Red Hat doesn't use the syntax defined in the Matching Expression spec. For example, "cpe:/a:redhat:openshift:4" is expected to match "cpe:/a:redhat:openshift:4.13::el8".
This is defined (citation needed) to be a substring match on the "pattern" and "target" CPEs. Since we always normalize CPEs into v2.3 "Formatted String" form, we need to trim the added "ANY" attributes from the pattern.
TODO(crozzy) Remove once RH VEX data updates CPEs with standard matching expressions.
Types
type Coalescer added in v0.1.0
type Coalescer struct{}
Coalescer takes individual layer artifacts and coalesces them into a full report on the manifest's contents.
Due to the specifics of the RHEL build system, some information needs to be back-propagated. That is to say, some information discovered in later layers is also attributed to earlier layers. Both the product and distribution information work this way.
A Coalescer is safe for concurrent use.
func (*Coalescer) Coalesce added in v0.1.0
func (*Coalescer) Coalesce(ctx context.Context, artifacts []*indexer.LayerArtifacts) (*claircore.IndexReport, error)
Coalesce implements indexer.Coalescer.
type DistributionScanner added in v0.0.14
type DistributionScanner struct{}
DistributionScanner implements distribution detection logic for RHEL by looking for an `etc/os-release` file in the layer and, failing that, an `etc/redhat-release` file.
The DistributionScanner can be used concurrently.
func (*DistributionScanner) Kind added in v0.0.14
func (*DistributionScanner) Kind() string
Kind implements indexer.VersionedScanner.
func (*DistributionScanner) Name added in v0.0.14
func (*DistributionScanner) Name() string
Name implements indexer.VersionedScanner.
func (*DistributionScanner) Scan added in v0.0.14
func (ds *DistributionScanner) Scan(ctx context.Context, l *claircore.Layer) ([]*claircore.Distribution, error)
Scan implements indexer.DistributionScanner.
func (*DistributionScanner) Version added in v0.0.14
func (*DistributionScanner) Version() string
Version implements indexer.VersionedScanner.
type Matcher added in v0.0.8
type Matcher struct {
// contains filtered or unexported fields
}
Matcher implements driver.Matcher.
func (*Matcher) Filter added in v0.0.8
func (*Matcher) Filter(record *claircore.IndexRecord) bool
Filter implements driver.Matcher.
func (*Matcher) Name added in v0.0.8
Name implements driver.Matcher.
func (*Matcher) Query added in v0.0.8
func (m *Matcher) Query() []driver.MatchConstraint
Query implements driver.Matcher.
func (*Matcher) Vulnerable added in v0.0.8
func (m *Matcher) Vulnerable(ctx context.Context, record *claircore.IndexRecord, vuln *claircore.Vulnerability) (bool, error)
Vulnerable implements driver.Matcher.
Vulnerable interprets claircore.Vulnerability.Repo.CPE as a CPE match expression. For a record to be considered vulnerable, the relationship between claircore.IndexRecord.Repository.CPE and claircore.Vulnerability.Repo.CPE must be the CPE Name Comparison Relation SUPERSET (⊇), i.e. the source is a superset of, or equal to, the target.
See: https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7696.pdf Section 6.2.
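The following Go snippet is an added illustration, not claircore's own code: it implements the strict NISTIR 7696 section 6.2 name comparison that Vulnerable requires, next to a model of the substring hack that IsCPESubstringMatch documents, and shows why the hack exists: the openshift pair from the IsCPESubstringMatch doc is DISJOINT under the strict rules but matches by prefix. The names Compare, compareAttr and IsSubstringMatch are assumptions; the sample CPEs are the page's URI-form examples converted by hand to v2.3 "Formatted String" form, and NA ("-") and in-string wildcards are deliberately not modelled.

```go
package main
import "strings"
// Relation is a CPE Name Comparison Relation from NISTIR 7696, section 6.2.
type Relation string

const (
	Disjoint Relation = "DISJOINT"
	Equal    Relation = "EQUAL"
	Subset   Relation = "SUBSET"
	Superset Relation = "SUPERSET"
)

// compareAttr relates one source attribute to one target attribute; "*" is ANY.
func compareAttr(src, tgt string) Relation {
	switch {
	case src == tgt:
		return Equal
	case src == "*":
		return Superset
	case tgt == "*":
		return Subset
	}
	return Disjoint
}

// Compare relates the source name (an advisory's CPE pattern) to the target name
// (an indexed repository's CPE); both are v2.3 formatted strings, 11 attributes.
func Compare(src, tgt string) Relation {
	s := strings.Split(strings.TrimPrefix(src, "cpe:2.3:"), ":")
	t := strings.Split(strings.TrimPrefix(tgt, "cpe:2.3:"), ":")
	if len(s) != 11 || len(t) != 11 {
		return Disjoint
	}
	rel := Equal
	for i := range s {
		r := compareAttr(s[i], t[i])
		if r == Disjoint || (rel != Equal && r != Equal && r != rel) {
			return Disjoint // any DISJOINT attribute, or SUBSET mixed with SUPERSET
		}
		if r != Equal {
			rel = r
		}
	}
	return rel
}

// IsSubstringMatch models the documented Red Hat hack (assumed name, not the
// claircore function): drop the pattern's trailing ANY attributes and require
// the target to begin with what remains.
func IsSubstringMatch(src, tgt string) bool {
	return strings.HasPrefix(tgt, strings.TrimRight(src, ":*"))
}
```

Note that the prefix test is deliberately looser than the strict relation: a pattern whose version is "4" also prefix-matches versions such as "4.13", which is exactly the behaviour the VEX data expects.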
type MatcherFactory added in v1.5.29
type MatcherFactory struct {
// contains filtered or unexported fields
}
func (*MatcherFactory) Configure added in v1.5.29
func (f *MatcherFactory) Configure(ctx context.Context, cfg driver.MatcherConfigUnmarshaler, _ *http.Client) error
MatcherFactory implements driver.MatcherConfigurable.
func (*MatcherFactory) Matcher added in v1.5.29
MatcherFactory implements driver.MatcherFactory.
type MatcherFactoryConfig added in v1.5.29
type MatcherFactoryConfig struct {
IgnoreUnpatched bool `json:"ignore_unpatched" yaml:"ignore_unpatched"`
}
type PackageScanner added in v1.5.40
type PackageScanner struct{}
PackageScanner implements an indexer.PackageScanner that consults both the rpm and dnf databases.
func (PackageScanner) Kind added in v1.5.40
func (p PackageScanner) Kind() string
Kind implements indexer.PackageScanner.
func (PackageScanner) Name added in v1.5.40
func (p PackageScanner) Name() string
Name implements indexer.PackageScanner.
func (PackageScanner) Scan added in v1.5.40
func (p PackageScanner) Scan(ctx context.Context, layer *claircore.Layer) ([]*claircore.Package, error)
Scan implements indexer.PackageScanner.
This implementation stores additional information needed to correlate with claircore.Repository values in the "RepositoryHint" field.
func (PackageScanner) Version added in v1.5.40
func (p PackageScanner) Version() string
Version implements indexer.PackageScanner.
type RepositoryScanner added in v0.1.0
type RepositoryScanner struct {
// contains filtered or unexported fields
}
RepositoryScanner implements repository detection logic for RHEL.
The RHEL detection logic needs outside information because the Red Hat build system does not (and did not, in the past) store the relevant information in the layer itself. In addition, dnf and yum do not persist provenance information outside of a cache, and rpm considers such information outside its bailiwick.
In the case of the RHEL ecosystem, "repository" is a bit of a misnomer, as advisories are tracked on the Product level, and so Clair's "repository" data is used instead to indicate a Product. This mismatch can lead to apparent duplication in reporting. For example, if an advisory is marked as affecting "cpe:/a:redhat:enterprise_linux:8" and "cpe:/a:redhat:enterprise_linux:8::appstream", this results in two advisories being recorded. (CPEs do not namespace the way this example may imply; that is to say, the latter is not "contained in" or a "member of" the former.) If a layer reports that it is both the "cpe:/a:redhat:enterprise_linux:8" and "cpe:/a:redhat:enterprise_linux:8::appstream" layer, then both advisories match.
func (*RepositoryScanner) Configure added in v0.1.0
func (r *RepositoryScanner) Configure(ctx context.Context, f indexer.ConfigDeserializer, c *http.Client) error
Configure implements indexer.RPCScanner.
func (*RepositoryScanner) Kind added in v0.1.0
func (*RepositoryScanner) Kind() string
Kind implements indexer.VersionedScanner.
func (*RepositoryScanner) Name added in v0.1.0
func (*RepositoryScanner) Name() string
Name implements indexer.VersionedScanner.
func (*RepositoryScanner) Scan added in v0.1.0
func (r *RepositoryScanner) Scan(ctx context.Context, l *claircore.Layer) ([]*claircore.Repository, error)
Scan implements indexer.RepositoryScanner.
The two important pieces of information are the "repoid" and CPE, which are stored in the claircore.Repository's "Name" and "CPE" fields, respectively.
func (*RepositoryScanner) Version added in v0.1.0
func (*RepositoryScanner) Version() string
Version implements indexer.VersionedScanner.
type RepositoryScannerConfig added in v1.4.12
type RepositoryScannerConfig struct {
// Repo2CPEMappingURL can be used to fetch the repo mapping file.
//
// See [DefaultRepo2CPEMappingURL] and [repo2cpe].
Repo2CPEMappingURL string `json:"repo2cpe_mapping_url" yaml:"repo2cpe_mapping_url"`
// Repo2CPEMappingFile, if specified, is consulted instead of the [Repo2CPEMappingURL].
//
// This should be provided to avoid any network traffic.
Repo2CPEMappingFile string `json:"repo2cpe_mapping_file" yaml:"repo2cpe_mapping_file"`
// Timeout controls the timeout for any remote calls this package makes.
//
// The default is 10 seconds.
Timeout time.Duration `json:"timeout" yaml:"timeout"`
// DisableAPI disables the use of the API.
DisableAPI bool `json:"disable_api" yaml:"disable_api"`
}
RepositoryScannerConfig is the configuration expected for a RepositoryScanner.
Providing the "URL" and "File" members controls how the RepositoryScanner handles updating its mapping file:
- If the "URL" is provided or no configuration is provided, the mapping file is fetched at construction time and then updated periodically.
- If only the "File" is provided, it will be consulted exclusively.
- If both the "URL" and "File" are provided, the file will be loaded initially and then updated periodically from the URL.
Directories
| Path | Synopsis |
|---|---|
| dockerfile | Package dockerfile implements a minimal dockerfile parser. |
| internal | |
| rhcc | Package rhcc implements an ecosystem for the Red Hat Container Catalog. |