checker: suppress CVE warnings for vendor-backported OpenSSH fixes
Distributions backport security fixes without bumping the upstream OpenSSH version, so a banner like "OpenSSH_9.2p1 Debian-2+deb12u3" was wrongly flagged for regreSSHion despite carrying the fix. Thread the banner vendor comment into analyseBannerVulns and add a per-CVE VendorFixes table recording the earliest patched package revision per distro/upstream version. Revisions are compared with a faithful port of dpkg's verrevcmp ordering. Populated for CVE-2024-6387 from DSA-5724-1 (Debian) and USN-6859-1 (Ubuntu).
This commit is contained in:
parent
258d799a97
commit
fb2ae7d903
3 changed files with 261 additions and 19 deletions
|
|
@ -113,7 +113,7 @@ func (r *knownVulnsRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter
|
|||
}
|
||||
var issues []Issue
|
||||
for _, ep := range data.Endpoints {
|
||||
issues = append(issues, analyseBannerVulns(ep.Addr(), ep.Banner, ep.SoftVer)...)
|
||||
issues = append(issues, analyseBannerVulns(ep.Addr(), ep.Banner, ep.SoftVer, ep.Vendor)...)
|
||||
}
|
||||
if len(issues) == 0 {
|
||||
return []sdk.CheckState{passState("ssh.known_vulnerabilities.ok", "No known CVE match against the advertised OpenSSH versions.")}
|
||||
|
|
|
|||
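Review bot: The new `ep.Vendor` argument on the `analyseBannerVulns` call means the CVE decision now rests on the vendor comment the server itself advertises in its banner, so a host that reports a revision at or above the VendorFixes threshold is treated as patched on its own say-so. Rather than silently dropping the finding, it would be more useful to surface it as a distinct state — e.g. a `passState("ssh.known_vulnerabilities.vendor_fix_claimed", "...")` naming the CVE and the claimed package revision — so an analyst can corroborate the claim against package inventory or an authenticated check. If `analyseBannerVulns` already distinguishes "no match" from "suppressed by vendor revision", a one-line comment at this call site saying so would save the next reader a trip into that function. The enclosing `knownVulnsRule.Evaluate` body begins and ends outside the hunk.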