checker: suppress CVE warnings for vendor-backported OpenSSH fixes
Distributions backport security fixes without bumping the upstream OpenSSH version, so a banner like "OpenSSH_9.2p1 Debian-2+deb12u3" was wrongly flagged for regreSSHion despite carrying the fix. Thread the banner vendor comment into analyseBannerVulns and add a per-CVE VendorFixes table recording the earliest patched package revision per distro/upstream version. Revisions are compared with a faithful port of dpkg's verrevcmp ordering. Populated for CVE-2024-6387 from DSA-5724-1 (Debian) and USN-6859-1 (Ubuntu).
This commit is contained in:
parent
258d799a97
commit
fb2ae7d903
3 changed files with 261 additions and 19 deletions
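--- /dev/null
+++ b/checker/vulns_vendorfix_test.go
@@ -0,0 +1,92 @@
+// This file is part of the happyDomain (R) project.
+// Copyright (c) 2020-2026 happyDomain
+// Authors: Pierre-Olivier Mercier, et al.
+//
+// This program is offered under a commercial and under the AGPL license.
+// For commercial licensing, contact us at <contact@happydomain.org>.
+//
+// For AGPL licensing:
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+package checker
+
+import "testing"
+
+func hasIssue(issues []Issue, code string) bool {
+	for _, i := range issues {
+		if i.Code == code {
+			return true
+		}
+	}
+	return false
+}
+
+func TestVendorFixSuppressesRegreSSHion(t *testing.T) {
+	const code = "cve_2024_6387_regreSSHion"
+	cases := []struct {
+		name    string
+		soft    string
+		vendor  string
+		flagged bool
+	}{
+		// Vanilla upstream in the affected window: must flag.
+		{"upstream 9.2p1", "OpenSSH_9.2p1", "", true},
+		// Debian bookworm before / at / after the fix.
+		{"debian unpatched", "OpenSSH_9.2p1", "Debian-2+deb12u2", true},
+		{"debian patched", "OpenSSH_9.2p1", "Debian-2+deb12u3", false},
+		{"debian later point release", "OpenSSH_9.2p1", "Debian-2+deb12u10", false},
+		// Ubuntu jammy: numeric ".10" must beat ".2" (dpkg numeric run).
+		{"ubuntu jammy unpatched", "OpenSSH_8.9p1", "Ubuntu-3ubuntu0.2", true},
+		{"ubuntu jammy patched", "OpenSSH_8.9p1", "Ubuntu-3ubuntu0.10", false},
+		// Ubuntu noble.
+		{"ubuntu noble patched", "OpenSSH_9.6p1", "Ubuntu-3ubuntu13.3", false},
+		{"ubuntu noble unpatched", "OpenSSH_9.6p1", "Ubuntu-3ubuntu13.2", true},
+		// A fix recorded for a different upstream version must not apply.
+		{"vendor mismatch upstream", "OpenSSH_9.3p1", "Debian-2+deb12u3", true},
+		// Not affected at all (below 8.5p1): never flagged regardless.
+		{"debian bullseye", "OpenSSH_8.4p1", "Debian-5+deb11u1", false},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			banner := "SSH-2.0-" + tc.soft
+			if tc.vendor != "" {
+				banner += " " + tc.vendor
+			}
+			issues := analyseBannerVulns("host:22", banner, tc.soft, tc.vendor)
+			if got := hasIssue(issues, code); got != tc.flagged {
+				t.Fatalf("regreSSHion flagged=%v, want %v (issues=%v)", got, tc.flagged, issues)
+			}
+		})
+	}
+}
+
+func TestDpkgVerCmp(t *testing.T) {
+	cases := []struct {
+		a, b string
+		want int // sign
+	}{
+		{"2+deb12u3", "2+deb12u2", 1},
+		{"2+deb12u3", "2+deb12u3", 0},
+		{"2+deb12u3", "2+deb12u10", -1},
+		{"3ubuntu0.10", "3ubuntu0.2", 1},
+		{"3ubuntu13.3", "3ubuntu13.2", 1},
+		{"1.0", "1.0~rc1", 1}, // tilde sorts before everything
+	}
+	for _, tc := range cases {
+		got := dpkgVerCmp(tc.a, tc.b)
+		if (got > 0) != (tc.want > 0) || (got < 0) != (tc.want < 0) {
+			t.Errorf("dpkgVerCmp(%q,%q)=%d, want sign %d", tc.a, tc.b, got, tc.want)
+		}
+	}
+}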
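Review bot: The table in TestVendorFixSuppressesRegreSSHion only exercises vendor comments the VendorFixes lookup is expected to understand; there is no row checking that suppression fails closed when the comment names a distribution with no table entry, or carries no parseable revision at all, and those are the cases that matter most because a wrong match here silently downgrades a security finding on attacker-visible input. Two rows next to "vendor mismatch upstream" would pin that, for example (constructed values) `{"unknown vendor", "OpenSSH_9.2p1", "FreeBSD-20240701", true},` and `{"debian without revision", "OpenSSH_9.2p1", "Debian", true},`. TestDpkgVerCmp likewise leaves two verrevcmp rules uncovered, letters sorting before non-letters and the shorter string sorting lower when one side runs out, which is where a hand port most often diverges from dpkg; `{"1.0a", "1.0+", -1},` and `{"2", "2+deb12u3", -1},` would cover them. The sign comparison on the `if` line could also read more directly as a comparison of `cmp.Compare(got, 0)` with `tc.want`, but that is a matter of taste.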