empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-07 09:18:59 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
a26e5002a3
fleet/server/vulnerabilities/oval/sync.go
Juan Fernandez 9d01ba33c6
Feature 6096: Scan RHEL/CentOS hosts using OVAL definitions (#6241) 
Extended the OVAL parser/analyzer so that we can scan RHEL based systems.
2022-06-23 16:44:45 -04:00

147 lines
3.6 KiB
Go
Raw Blame History

package oval
import (
"context"
"fmt"
"io"
"net/http"
"net/url"
"os"
"path/filepath"
"strings"
"time"
"github.com/fleetdm/fleet/v4/pkg/download"
"github.com/fleetdm/fleet/v4/server/fleet"
"github.com/google/go-github/v37/github"
)
func ghNvdFileGetter(client *http.Client) func(string) (io.ReadCloser, error) {
return func(file string) (io.ReadCloser, error) {
src, r, err := github.NewClient(client).Repositories.DownloadContents(
context.Background(), "fleetdm", "nvd", file, nil)
if err != nil {
return nil, err
}
// Even if err is nil, the request can fail
if r.StatusCode != http.StatusOK {
return nil, fmt.Errorf("github http status error: %d", r.StatusCode)
}
return src, nil
}
}
func downloadDecompressed(client *http.Client) func(string, string) error {
return func(u, dstPath string) error {
parsedUrl, err := url.Parse(u)
if err != nil {
return err
}
return download.DownloadAndExtract(client, parsedUrl, dstPath)
}
}
func whatToDownload(osVers *fleet.OSVersions, existing map[string]bool, date time.Time) []Platform {
var r []Platform
for _, os := range osVers.OSVersions {
platform := NewPlatform(os.Platform, os.Name)
_, ok := existing[platform.ToFilename(date, "json")]
if !ok && platform.IsSupported() {
r = append(r, platform)
}
}
return r
}
// removeOldDefs walks 'path' removing any old oval definitions, returns a set containing
// definitions that are up to date according to 'date'
func removeOldDefs(date time.Time, path string) (map[string]bool, error) {
dateSuffix := fmt.Sprintf("-%d_%02d_%02d.json", date.Year(), date.Month(), date.Day())
upToDate := make(map[string]bool)
err := filepath.WalkDir(path, func(path string, d os.DirEntry, err error) error {
if strings.HasPrefix(filepath.Base(path), OvalFilePrefix) {
if strings.HasSuffix(path, dateSuffix) {
upToDate[filepath.Base(path)] = true
} else {
err := os.Remove(path)
if err != nil {
return err
}
}
}
return nil
})
if err != nil {
return nil, err
}
return upToDate, nil
}
// Sync syncs the oval definitions for one or more platforms.
// If 'platforms' is nil, then all supported platforms will be synched.
func Sync(client *http.Client, dstDir string, platforms []Platform) error {
sources, err := getOvalSources(ghNvdFileGetter(client))
if err != nil {
return err
}
if platforms == nil {
for s := range sources {
platforms = append(platforms, s)
}
}
dwn := downloadDecompressed(client)
for _, platform := range platforms {
defFile, err := downloadDefinitions(sources, platform, dwn)
if err != nil {
return err
}
dstFile := strings.Replace(filepath.Base(defFile), ".xml", ".json", 1)
dstPath := filepath.Join(dstDir, dstFile)
err = parseDefinitions(platform, defFile, dstPath)
if err != nil {
return err
}
err = os.Remove(defFile)
if err != nil {
return err
}
}
return nil
}
// Refresh checks all local OVAL artifacts contained in 'vulnPath' deleting the old and downloading
// any missing definitions based on today's date and all the hosts' platforms/os versions contained in 'osVersions'.
// Returns a slice of Platforms of the newly downloaded OVAL files.
func Refresh(
ctx context.Context,
client *http.Client,
versions *fleet.OSVersions,
vulnPath string,
) ([]Platform, error) {
now := time.Now()
existing, err := removeOldDefs(now, vulnPath)
if err != nil {
return nil, err
}
toDownload := whatToDownload(versions, existing, now)
if len(toDownload) > 0 {
err = Sync(client, vulnPath, toDownload)
if err != nil {
return nil, err
}
}
return toDownload, nil
}
Reference in New Issue View Git Blame Copy Permalink