oracle: omit ksplice-related vulnerabilities

BradLugo · BradLugo · commit 081a7413f566 · 2025-04-15T11:48:08.000-07:00
Signed-off-by: Brad Lugo &lt;blugo@redhat.com&gt;
diff --git a/oracle/parser.go b/oracle/parser.go
@@ -12,6 +12,7 @@ import (
 	"github.com/quay/claircore"
 	"github.com/quay/claircore/internal/xmlutil"
 	"github.com/quay/claircore/libvuln/driver"
+	"github.com/quay/claircore/pkg/cpe"
 	"github.com/quay/claircore/pkg/ovalutil"
 )
 
@@ -71,6 +72,45 @@ func (u *Updater) Parse(ctx context.Context, r io.ReadCloser) ([]*claircore.Vuln
 		if len(vs) == 0 {
 			return nil, fmt.Errorf("could not determine dist")
 		}
+
+		// Check if the vulnerability only affects a userspace_ksplice package.
+		//  These errata should never be applied to a container since ksplice
+		//  userspace packages are not supported to be run within a container.
+		// If we couldn't find a CPE list, make sure to include the
+		//  vulnerability. We'd rather have false positives for
+		//  userspace_ksplice packages than have false negatives for
+		//  *everything*.
+		isOnlyKsplice := len(def.Advisory.AffectedCPEList) > 0
+		// If there's at least one ksplice CPE and not all the affected CPEs
+		//  are ksplice related, this will cause false positives we can catch.
+		//  This should (almost) never happen.
+		atLeastOneKsplice := false
+		for _, affected := range def.Advisory.AffectedCPEList {
+			wfn, err := cpe.Unbind(affected)
+			if err != nil {
+				// Found a CPE but could not parse it. Assume it's not a
+				//  userspace_ksplice package.
+				zlog.Warn(ctx).Str("cpe", affected).Msg("could not parse CPE")
+				isOnlyKsplice = false
+				atLeastOneKsplice = true
+				break
+			}
+			if wfn.Attr[cpe.Edition].V == "userspace_ksplice" {
+				atLeastOneKsplice = true
+			} else {
+				isOnlyKsplice = false
+			}
+		}
+
+		if !isOnlyKsplice {
+			//  This should (almost) never happen.
+			if atLeastOneKsplice {
+				zlog.Warn(ctx).Str("def.Title", def.Title).Msg("potential false positives: vulnerability has at least one unskippable ksplice match")
+			}
+		} else {
+			return nil, fmt.Errorf("skippable ksplice vulnerabilities")
+		}
+
 		return vs, nil
 	}
 	vulns, err := ovalutil.RPMDefsToVulns(ctx, &root, protoVulns)
diff --git a/oracle/parser_test.go b/oracle/parser_test.go
@@ -25,7 +25,7 @@ func TestParse(t *testing.T) {
 		t.Fatal(err)
 	}
 	t.Logf("found %d vulnerabilities", len(vs))
-	if got, want := len(vs), 6065; got != want {
+	if got, want := len(vs), 6021; got != want {
 		t.Fatalf("got: %d vulnerabilities, want: %d vulnerabilities", got, want)
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ func TestParse(t *testing.T) {`
`25`	`25`	`t.Fatal(err)`
`26`	`26`	`}`
`27`	`27`	`t.Logf("found %d vulnerabilities", len(vs))`
`28`		`- if got, want := len(vs), 6065; got != want {`
	`28`	`+ if got, want := len(vs), 6021; got != want {`
`29`	`29`	`t.Fatalf("got: %d vulnerabilities, want: %d vulnerabilities", got, want)`
`30`	`30`	`}`
`31`	`31`	`}`