Skip to content

Commit

Permalink
feat: add oracle support (project-copacetic#706)
Browse files Browse the repository at this point in the history
Signed-off-by: Miaha Cybersec <[email protected]>
Signed-off-by: Miaha <[email protected]>
Co-authored-by: Ashna Mehrotra <[email protected]>
  • Loading branch information
MiahaCybersec and ashnamehrotra authored Jul 29, 2024
1 parent 0d0f2f3 commit 358a7ff
Show file tree
Hide file tree
Showing 7 changed files with 103 additions and 6 deletions.
16 changes: 16 additions & 0 deletions integration/fixtures/test-images.json
Original file line number Diff line number Diff line change
Expand Up @@ -122,6 +122,22 @@
"description": "Valid rpm DB, yum present",
"ignoreErrors": false
},
{
"image": "docker.io/library/oraclelinux",
"tag": "7.9",
"digest": "sha256:ba39a0daabd2df95ed5f374d016e87513f8e579ecc5a1599d7cf94679a281a34",
"distro": "Oracle Linux 7.9",
"description": "Valid rpm DB, yum present",
"ignoreErrors": false
},
{
"image": "docker.io/library/oraclelinux",
"tag": "8.9",
"digest": "sha256:67c889172b07b1f4067050abf4bcf7fce2febd280664df261fe17fa82501a498",
"distro": "Oracle Linux 8.9",
"description": "Valid rpm DB, yum present",
"ignoreErrors": true
},
{
"image": "docker.io/library/rockylinux",
"tag": "8.9.20231119",
Expand Down
22 changes: 17 additions & 5 deletions integration/patch_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,9 @@ func TestPatch(t *testing.T) {

for _, img := range images {
img := img
if !reportFile {
// Oracle tends to throw false positives with Trivy
// See https://github.com/aquasecurity/trivy/issues/1967#issuecomment-1092987400
if !reportFile && !strings.Contains(img.Image, "oracle") {
img.IgnoreErrors = false
}

Expand Down Expand Up @@ -92,15 +94,18 @@ func TestPatch(t *testing.T) {
t.Log("patching image")
patch(t, ref, tagPatched, dir, img.IgnoreErrors, reportFile)

if reportFile {
switch {
case strings.Contains(img.Image, "oracle"):
t.Log("Oracle image detected. Skipping Trivy scan.")
case reportFile:
t.Log("scanning patched image")
scanner().
withIgnoreFile(ignoreFile).
withSkipDBUpdate().
// here we want a non-zero exit code because we are expecting no vulnerabilities.
withExitCode(1).
scan(t, patchedRef, img.IgnoreErrors)
} else {
default:
t.Log("scanning patched image")
scanner().
withIgnoreFile(ignoreFile).
Expand All @@ -110,7 +115,7 @@ func TestPatch(t *testing.T) {
}

// currently validation is only present when patching with a scan report
if reportFile {
if reportFile && !strings.Contains(img.Image, "oracle") {
t.Log("verifying the vex output")
validVEXJSON(t, dir)
}
Expand Down Expand Up @@ -207,7 +212,13 @@ func patch(t *testing.T, ref, patchedTag, path string, ignoreErrors bool, report
cmd.Env = append(cmd.Env, dockerDINDAddress.env()...)

out, err := cmd.CombinedOutput()
require.NoError(t, err, string(out))

if strings.Contains(ref, "oracle") && reportFile && !ignoreErrors {
assert.Contains(t, string(out), "Error: Detected Oracle image passed in\n"+
"Please read https://project-copacetic.github.io/copacetic/website/troubleshooting before patching your Oracle image")
} else {
require.NoError(t, err, string(out))
}
}

func scanner() *scannerCmd {
Expand Down Expand Up @@ -248,6 +259,7 @@ func (s *scannerCmd) scan(t *testing.T, ref string, ignoreErrors bool) {
cmd.Env = append(cmd.Env, os.Environ()...)
cmd.Env = append(cmd.Env, dockerDINDAddress.env()...)
out, err := cmd.CombinedOutput()

assert.NoError(t, err, string(out))
}

Expand Down
2 changes: 2 additions & 0 deletions pkg/patch/patch.go
Original file line number Diff line number Diff line change
Expand Up @@ -326,6 +326,8 @@ func getOSType(ctx context.Context, osreleaseBytes []byte) (string, error) {
return "redhat", nil
case strings.Contains(osType, "rocky"):
return "rocky", nil
case strings.Contains(osType, "oracle"):
return "oracle", nil
default:
log.Error("unsupported osType ", osType)
return "", errors.ErrUnsupported
Expand Down
43 changes: 43 additions & 0 deletions pkg/patch/patch_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -186,6 +186,49 @@ func TestGetOSType(t *testing.T) {
err: nil,
expectedOSType: "rocky",
},
{
osRelease: []byte(`NAME="Oracle Linux Server"
VERSION="7.9"
ID="ol"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.9"
PRETTY_NAME="Oracle Linux Server 7.9"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:oracle:linux:7:9:server"
HOME_URL="https://linux.oracle.com/"
BUG_REPORT_URL="https://github.com/oracle/oracle-linux"
ORACLE_BUGZILLA_PRODUCT="Oracle Linux 7"
ORACLE_BUGZILLA_PRODUCT_VERSION=7.9
ORACLE_SUPPORT_PRODUCT="Oracle Linux"
ORACLE_SUPPORT_PRODUCT_VERSION=7.9`),
err: nil,
expectedOSType: "oracle",
},
{
osRelease: []byte(`NAME="Oracle Linux Server"
VERSION="8.9"
ID="ol"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="8.9"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Oracle Linux Server 8.9"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:oracle:linux:8:9:server"
HOME_URL="https://linux.oracle.com/"
BUG_REPORT_URL="https://github.com/oracle/oracle-linux"
ORACLE_BUGZILLA_PRODUCT="Oracle Linux 8"
ORACLE_BUGZILLA_PRODUCT_VERSION=8.9
ORACLE_SUPPORT_PRODUCT="Oracle Linux"
ORACLE_SUPPORT_PRODUCT_VERSION=8.9`),
err: nil,
expectedOSType: "oracle",
},
{
osRelease: nil,
err: errors.ErrUnsupported,
Expand Down
2 changes: 1 addition & 1 deletion pkg/pkgmgr/pkgmgr.go
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ func GetPackageManager(osType string, osVersion string, config *buildkit.Config,
return &apkManager{config: config, workingFolder: workingFolder}, nil
case "debian", "ubuntu":
return &dpkgManager{config: config, workingFolder: workingFolder, osVersion: osVersion}, nil
case "cbl-mariner", "centos", "redhat", "rocky", "amazon":
case "cbl-mariner", "centos", "oracle", "redhat", "rocky", "amazon":
return &rpmManager{config: config, workingFolder: workingFolder, osVersion: osVersion}, nil
default:
return nil, fmt.Errorf("unsupported osType %s specified", osType)
Expand Down
7 changes: 7 additions & 0 deletions pkg/pkgmgr/rpm.go
Original file line number Diff line number Diff line change
Expand Up @@ -191,7 +191,14 @@ func (rm *rpmManager) InstallUpdates(ctx context.Context, manifest *unversioned.
var updates unversioned.UpdatePackages
var rpmComparer VersionComparer
var err error

if manifest != nil {
if manifest.Metadata.OS.Type == "oracle" && !ignoreErrors {
err = errors.New("Detected Oracle image passed in\n" +
"Please read https://project-copacetic.github.io/copacetic/website/troubleshooting before patching your Oracle image")
return &rm.config.ImageState, nil, err
}

rpmComparer = VersionComparer{isValidRPMVersion, isLessThanRPMVersion}
updates, err = GetUniqueLatestUpdates(manifest.Updates, rpmComparer, ignoreErrors)
if err != nil {
Expand Down
17 changes: 17 additions & 0 deletions website/docs/troubleshooting.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,23 @@
title: Troubleshooting
---

## Copa and Trivy throw errors when Oracle Linux is passed in

Copa supports patching Oracle Linux in two ways:

With a vulnerability scan, `--ignore-errors` must be passed in. This will patch all CVEs aside from false positives reported by Trivy:

```bash
copa patch -r /oracle-7.9-vulns.json -i docker.io/library/oraclelinux:7.9 --ignore-errors
```

Without a vulnerability scan, Copa will update all packages in the image:

```bash
copa patch -i docker.io/library/oraclelinux:7.9
```

Oracle reports CVEs in a way that causes Trivy to report false positives that Copa will be unable to patch. To patch the entire image, use the Copa `--ignore-errors` flag or omit the vulnerability scan report to upgrade all outdated packages. See [this GitHub issue](https://github.com/aquasecurity/trivy/issues/1967#issuecomment-1092987400) for more information.
## Filtering Vulnerabilities

You might want to filter/ignore some of the vulnerabilities while patching. To do so, you need to first filter those undesired vulnerabilities from your scanner output.
Expand Down

0 comments on commit 358a7ff

Please sign in to comment.