refactor(scan): remove yum-security related code (#836)

* refactor(scan): remove yum-security related code

* fix(reporting): error if no OVAL entry

README.md

@@ -114,12 +114,7 @@ Vuls uses multiple vulnerability databases
 
 [Deep Scan](https://vuls.io/docs/en/architecture-deep-scan.html)
 
-- Scan with root privilege
-- Parses the Changelog
-    Changelog has a history of version changes. When a security issue is fixed, the relevant CVE ID is listed.
-    By parsing the changelog and analysing the updates between the installed version of software on the server and the newest version of that software
-    it's possible to create a list of all vulnerabilities that need to be fixed.
-- Sometimes load on the scan target server
+- Same as fast root scan for now
 
 ### [Remote scan, Local scan mode, Server mode](https://vuls.io/docs/en/architecture-remote-local.html)
 

go.sum

@@ -264,6 +264,8 @@ github.com/kotakanbe/goval-dictionary v0.1.3-0.20190612145907-3fbb67115698 h1:5/
 github.com/kotakanbe/goval-dictionary v0.1.3-0.20190612145907-3fbb67115698/go.mod h1:D0FzzGCYCJCgPy5+wGgEOvWTb8fxUxqdxkWM2JDwguA=
 github.com/kotakanbe/goval-dictionary v0.1.3-0.20190613041505-2362c088a437 h1:gnwqfC+G78bmvVHETLvZOUKopUD/ljQAdwcvHiLKMKA=
 github.com/kotakanbe/goval-dictionary v0.1.3-0.20190613041505-2362c088a437/go.mod h1:VupP39J8370MdBkmvQQVmuYf98VrcQzhiGo+UiNW4rs=
+github.com/kotakanbe/goval-dictionary v0.1.3-0.20190613053258-078b163b76ec h1:gMji7JMOrnUYUorYUTM7TRlvy8D613WkQhayEQhBsFI=
+github.com/kotakanbe/goval-dictionary v0.1.3-0.20190613053258-078b163b76ec/go.mod h1:VupP39J8370MdBkmvQQVmuYf98VrcQzhiGo+UiNW4rs=
 github.com/kotakanbe/goval-dictionary v0.1.3-0.20190613053258-8b98657de17d h1:S2hGRg/3mxi8eR7DROKT9kqTEjGLgm4dDHm72/DIJrQ=
 github.com/kotakanbe/goval-dictionary v0.1.3-0.20190613053258-8b98657de17d/go.mod h1:VupP39J8370MdBkmvQQVmuYf98VrcQzhiGo+UiNW4rs=
 github.com/kotakanbe/logrus-prefixed-formatter v0.0.0-20180123152602-928f7356cb96 h1:xNVK0mQJdQjw+QYeaMM4G6fvucWr8rTGGIhlPakx1wU=

oval/redhat.go

@@ -119,7 +119,6 @@ func (o RedHatBase) update(r *models.ScanResult, defPacks defPacks) (nCVEs int)
 				if v.LastModified.After(ovalContent.LastModified) {
 					util.Log.Debugf("%s, OvalID: %d ignroed: ",
 						cve.CveID, defPacks.def.ID)
-					continue
 				} else {
 					util.Log.Debugf("%s OVAL will be overwritten", cve.CveID)
 				}

report/report.go

@@ -67,7 +67,6 @@ func FillCveInfos(dbclient DBClient, rs []models.ScanResult, dir string) ([]mode
 			}
 			cpeURIs := []string{}
 
-			// runningContainer
 			if len(r.Container.ContainerID) == 0 {
 				cpeURIs = c.Conf.Servers[r.ServerName].CpeNames
 				owaspDCXMLPath := c.Conf.Servers[r.ServerName].OwaspDCXMLPath
@@ -80,6 +79,7 @@ func FillCveInfos(dbclient DBClient, rs []models.ScanResult, dir string) ([]mode
 					cpeURIs = append(cpeURIs, cpes...)
 				}
 			} else {
+				// runningContainer
 				if s, ok := c.Conf.Servers[r.ServerName]; ok {
 					if con, ok := s.Containers[r.Container.Name]; ok {
 						cpeURIs = con.Cpes
@@ -325,8 +325,7 @@ func FillWithOval(driver ovaldb.DB, r *models.ScanResult) (nCVEs int, err error)
 		return 0, err
 	}
 	if !ok {
-		util.Log.Warnf("OVAL entries of %s %s are not found. It's recommended to use OVAL to improve scanning accuracy. For details, see https://github.com/kotakanbe/goval-dictionary#usage , Then report with --ovaldb-path or --ovaldb-url flag", ovalFamily, r.Release)
-		return 0, nil
+		return 0, xerrors.Errorf("OVAL entries of %s %s are not found. Fetch OVAL before reporting. For details, see https://github.com/kotakanbe/goval-dictionary#usage", ovalFamily, r.Release)
 	}
 
 	_, err = ovalClient.CheckIfOvalFresh(driver, ovalFamily, r.Release)

scan/amazon.go

@@ -100,18 +100,6 @@ func (o rootPrivAmazon) repoquery() bool {
 	return false
 }
 
-func (o rootPrivAmazon) yumRepolist() bool {
-	return false
-}
-
-func (o rootPrivAmazon) yumUpdateInfo() bool {
-	return false
-}
-
-func (o rootPrivAmazon) yumChangelog() bool {
-	return false
-}
-
 func (o rootPrivAmazon) yumMakeCache() bool {
 	return false
 }

scan/centos.go

@@ -59,11 +59,7 @@ func (o *centos) depsFastRoot() []string {
 }
 
 func (o *centos) depsDeep() []string {
-	return []string{
-		"yum-utils",
-		"yum-plugin-ps",
-		"yum-plugin-changelog",
-	}
+	return o.depsFastRoot()
 }
 
 func (o *centos) checkIfSudoNoPasswd() error {
@@ -107,18 +103,6 @@ func (o rootPrivCentos) repoquery() bool {
 	return false
 }
 
-func (o rootPrivCentos) yumRepolist() bool {
-	return false
-}
-
-func (o rootPrivCentos) yumUpdateInfo() bool {
-	return false
-}
-
-func (o rootPrivCentos) yumChangelog() bool {
-	return false
-}
-
 func (o rootPrivCentos) yumMakeCache() bool {
 	return false
 }

scan/oracle.go

@@ -52,59 +52,11 @@ func (o *oracle) depsFast() []string {
 }
 
 func (o *oracle) depsFastRoot() []string {
-	if o.getServerInfo().Mode.IsOffline() {
-		//TODO
-		// return []string{"yum-plugin-ps"}
-	}
-
-	majorVersion, _ := o.Distro.MajorVersion()
-	switch majorVersion {
-	case 5:
-		return []string{
-			"yum-utils",
-			"yum-security",
-		}
-	case 6:
-		return []string{
-			"yum-utils",
-			"yum-plugin-security",
-			//TODO
-			// return []string{"yum-plugin-ps"}
-		}
-	default:
-		return []string{
-			"yum-utils",
-			//TODO
-			// return []string{"yum-plugin-ps"}
-		}
-	}
+	return []string{"yum-utils"}
 }
 
 func (o *oracle) depsDeep() []string {
-	majorVersion, _ := o.Distro.MajorVersion()
-	switch majorVersion {
-	case 5:
-		return []string{
-			"yum-utils",
-			"yum-security",
-			"yum-changelog",
-		}
-	case 6:
-		return []string{
-			"yum-utils",
-			"yum-plugin-security",
-			"yum-plugin-changelog",
-			//TODO
-			// return []string{"yum-plugin-ps"}
-		}
-	default:
-		return []string{
-			"yum-utils",
-			"yum-plugin-changelog",
-			//TODO
-			// return []string{"yum-plugin-ps"}
-		}
-	}
+	return o.depsFastRoot()
 }
 
 func (o *oracle) checkIfSudoNoPasswd() error {
@@ -126,21 +78,7 @@ func (o *oracle) sudoNoPasswdCmdsFastRoot() []cmd {
 	if o.getServerInfo().Mode.IsOffline() {
 		return cmds
 	}
-
-	majorVersion, _ := o.Distro.MajorVersion()
-	if majorVersion < 6 {
-		return []cmd{
-			{"yum repolist --color=never", exitStatusZero},
-			{"yum list-security --security --color=never", exitStatusZero},
-			{"yum info-security --color=never", exitStatusZero},
-			{"repoquery -h", exitStatusZero},
-		}
-	}
-	return append(cmds,
-		cmd{"yum repolist --color=never", exitStatusZero},
-		cmd{"yum updateinfo list updates --security --color=never", exitStatusZero},
-		cmd{"yum updateinfo updates --security --color=never", exitStatusZero},
-		cmd{"repoquery -h", exitStatusZero})
+	return append(cmds, cmd{"repoquery -h", exitStatusZero})
 }
 
 func (o *oracle) sudoNoPasswdCmdsDeep() []cmd {
@@ -153,19 +91,6 @@ func (o rootPrivOracle) repoquery() bool {
 	return true
 }
 
-func (o rootPrivOracle) yumRepolist() bool {
-	return true
-}
-
-func (o rootPrivOracle) yumUpdateInfo() bool {
-	return true
-}
-
-// root privilege isn't needed
-func (o rootPrivOracle) yumChangelog() bool {
-	return false
-}
-
 func (o rootPrivOracle) yumMakeCache() bool {
 	return true
 }