Fix future-architect#548 and future-architect#557 - RHEL's Fast Scan …

…no longer required internet connection and root privilege
mai346 · Dec 14, 2017 · 4764a96 · 4764a96
1 parent 1214d8c
commit 4764a96
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 31 deletions.
diff --git a/README.ja.md b/README.ja.md
@@ -917,10 +917,10 @@ configtestサブコマンドは、config.tomlで定義されたサーバ/コン
 | Alpine       |    3.2 and later | - |
 | Ubuntu       |          12, 14, 16| - |
 | Debian       |             7, 8, 9| reboot-notifier|
-| CentOS       |                6, 7| yum-utils |
+| CentOS       |                6, 7| - |
 | Amazon       |                All | yum-utils |
-| RHEL         |            5, 6, 7 | yum-utils | 
-| Oracle Linux |            5, 6, 7 | yum-utils |
+| RHEL         |            5, 6, 7 | - | 
+| Oracle Linux |            5, 6, 7 | - |
 | SUSE Enterprise|            11, 12 | - |
 | FreeBSD      |             10, 11 | - |
 | Raspbian     |    Jessie, Stretch | - |
@@ -944,9 +944,11 @@ Deep Scan Modeでスキャンするためには、下記のパッケージが必
 | CentOS       |                6, 7| yum-utils, yum-plugin-changelog |
 | Amazon       |                All | yum-utils, yum-plugin-changelog |
 | RHEL         |                  5 | yum-utils, yum-changelog, yum-security |
-| RHEL         |               6, 7 | yum-utils, yum-plugin-changelog |
+| RHEL         |                  6 | yum-utils, yum-plugin-changelog, yum-plugin-security |
+| RHEL         |                  7 | yum-utils, yum-plugin-changelog |
 | Oracle Linux |                  5 | yum-utils, yum-changelog, yum-security |
-| Oracle Linux |               6, 7 | yum-utils, yum-plugin-changelog |
+| Oracle Linux |                  6 | yum-utils, yum-plugin-changelog, yum-plugin-security |
+| Oracle Linux |                  7 | yum-utils, yum-plugin-changelog |
 | SUSE Enterprise|            11, 12 | - |
 | FreeBSD      |                 10 | -            |
 | Raspbian     |     Wheezy, Jessie | -            |

diff --git a/README.md b/README.md
@@ -924,10 +924,10 @@ The configtest subcommand checks whether vuls is able to connect via SSH to serv
 | Alpine       |      3.2 and later | - |
 | Ubuntu       |          12, 14, 16| - |
 | Debian       |             7, 8, 9| reboot-notifier|
-| CentOS       |                6, 7| yum-utils |
+| CentOS       |                6, 7| - |
 | Amazon       |                All | yum-utils |
-| RHEL         |            5, 6, 7 | yum-utils | 
-| Oracle Linux |            5, 6, 7 | yum-utils |
+| RHEL         |            5, 6, 7 | - |
+| Oracle Linux |            5, 6, 7 | - |
 | SUSE Enterprise|            11, 12 | - |
 | FreeBSD      |             10, 11 | - |
 | Raspbian     |    Jessie, Stretch | - |
@@ -949,9 +949,11 @@ In order to scan with deep scan mode, the following dependencies are required, s
 | CentOS       |                6, 7| yum-utils, yum-plugin-changelog |
 | Amazon       |                All | yum-utils, yum-plugin-changelog |
 | RHEL         |                  5 | yum-utils, yum-changelog, yum-security |
-| RHEL         |               6, 7 | yum-utils, yum-plugin-changelog |
+| RHEL         |                  6 | yum-utils, yum-plugin-changelog, yum-plugin-security |
+| RHEL         |                  7 | yum-utils, yum-plugin-changelog |
 | Oracle Linux |                  5 | yum-utils, yum-changelog, yum-security |
-| Oracle Linux |               6, 7 | yum-utils, yum-plugin-changelog |
+| Oracle Linux |                  6 | yum-utils, yum-plugin-changelog, yum-plugin-security |
+| Oracle Linux |                  7 | yum-utils, yum-plugin-changelog |
 | SUSE Enterprise|            11, 12 | - |
 | FreeBSD      |                 10 | -            |
 | Raspbian     |     Wheezy, Jessie | -            |

diff --git a/scan/redhat.go b/scan/redhat.go
@@ -65,7 +65,7 @@ func detectRedhat(c config.ServerInfo) (itsMe bool, red osTypeInterface) {
 		// Need to discover Oracle Linux first, because it provides an
 		// /etc/redhat-release that matches the upstream distribution
 		if r := exec(c, "cat /etc/oracle-release", noSudo); r.isSuccess() {
-			re := regexp.MustCompile(`(.*) release (\d[\d.]*)`)
+			re := regexp.MustCompile(`(.*) release (\d[\d\.]*)`)
 			result := re.FindStringSubmatch(strings.TrimSpace(r.Stdout))
 			if len(result) != 3 {
 				util.Log.Warn("Failed to parse Oracle Linux version: %s", r)
@@ -84,7 +84,7 @@ func detectRedhat(c config.ServerInfo) (itsMe bool, red osTypeInterface) {
 		// $ cat /etc/redhat-release
 		// CentOS release 6.5 (Final)
 		if r := exec(c, "cat /etc/redhat-release", noSudo); r.isSuccess() {
-			re := regexp.MustCompile(`(.*) release (\d[\d.]*)`)
+			re := regexp.MustCompile(`(.*) release (\d[\d\.]*)`)
 			result := re.FindStringSubmatch(strings.TrimSpace(r.Stdout))
 			if len(result) != 3 {
 				util.Log.Warn("Failed to parse RedHat/CentOS version: %s", r)
@@ -173,13 +173,14 @@ func (o *redhat) checkIfSudoNoPasswd() error {
 }
 
 // - Fast scan mode
-//    No additional dependencies needed
+//    Amazon        ... yum-utils
 //
 // - Deep scan mode
-//    CentOS 6, 7 	... yum-utils
-//    RHEL 5     	... yum-security, yum-changelog
-//    RHEL 6, 7     ... yum-utils, yum-plugin-changelog
-//    Amazon 		... yum-utils
+//    CentOS 6,7    ... yum-utils, yum-plugin-changelog
+//    RHEL 5 (U1-)  ... yum-utils, yum-security, yum-changelog
+//    RHEL 6        ... yum-utils, yum-security, yum-plugin-changelog
+//    RHEL 7        ... yum-utils, yum-plugin-changelog
+//    Amazon        ... yum-utils
 func (o *redhat) checkDependencies() error {
 	majorVersion, err := o.Distro.MajorVersion()
 	if err != nil {
@@ -196,16 +197,27 @@ func (o *redhat) checkDependencies() error {
 		}
 	}
 
-	packNames := []string{"yum-utils"}
-	if config.Conf.Deep {
+	packNames := []string{}
+
+	if !config.Conf.Deep {
+		// Fast Scan
+		switch o.Distro.Family {
+		case config.Amazon:
+			packNames = append(packNames, "yum-utils")
+		}
+	} else {
+		// Deep Scan
 		switch o.Distro.Family {
 		case config.CentOS, config.Amazon:
-			packNames = append(packNames, "yum-plugin-changelog")
+			packNames = append(packNames, "yum-utils", "yum-plugin-changelog")
 		case config.RedHat, config.Oracle:
-			if majorVersion < 6 {
-				packNames = append(packNames, "yum-security", "yum-changelog")
-			} else {
-				packNames = append(packNames, "yum-plugin-changelog")
+			switch majorVersion {
+			case 5:
+				packNames = append(packNames, "yum-utils", "yum-security", "yum-changelog")
+			case 6:
+				packNames = append(packNames, "yum-utils", "yum-plugin-security", "yum-plugin-changelog")
+			default:
+				packNames = append(packNames, "yum-utils", "yum-plugin-changelog")
 			}
 		default:
 			return fmt.Errorf("Not implemented yet: %s", o.Distro)
@@ -238,6 +250,16 @@ func (o *redhat) scanPackages() error {
 	}
 	o.Kernel.RebootRequired = rebootRequired
 
+	if !config.Conf.Deep {
+		switch o.Distro.Family {
+		case config.Amazon:
+			// nop
+		default:
+			o.Packages = installed
+			return nil
+		}
+	}
+
 	updatable, err := o.scanUpdatablePackages()
 	if err != nil {
 		o.log.Errorf("Failed to scan installed packages: %s", err)
@@ -246,10 +268,6 @@ func (o *redhat) scanPackages() error {
 	installed.MergeNewVersion(updatable)
 	o.Packages = installed
 
-	if !config.Conf.Deep && o.Distro.Family != config.Amazon {
-		return nil
-	}
-
 	var unsecures models.VulnInfos
 	if unsecures, err = o.scanUnsecurePackages(updatable); err != nil {
 		o.log.Errorf("Failed to scan vulnerable packages: %s", err)
@@ -455,7 +473,7 @@ func (o *redhat) getAvailableChangelogs(packNames []string) (map[string]string,
 	if config.Conf.SkipBroken {
 		yumopts += " --skip-broken"
 	}
-	cmd := `yum --color=never changelog all %s %s | grep -A 1000000 "==================== Available Packages ===================="`
+	cmd := `yum --color=never changelog all %s updates %s | grep -A 1000000 "==================== Updated Packages ===================="`
 	cmd = fmt.Sprintf(cmd, yumopts, strings.Join(packNames, " "))
 
 	r := o.exec(util.PrependProxyEnv(cmd), o.sudo())
@@ -475,7 +493,7 @@ func (o *redhat) divideChangelogsIntoEachPackages(stdout string) map[string]stri
 	packNameVer, contents := "", []string{}
 	for scanner.Scan() {
 		line := scanner.Text()
-		if strings.HasPrefix(line, "==================== Available Packages ====================") {
+		if strings.HasPrefix(line, "==================== Updated Packages ====================") {
 			continue
 		}
 		if newBlock {

diff --git a/scan/redhat_test.go b/scan/redhat_test.go
@@ -1256,7 +1256,7 @@ func TestDivideChangelogsIntoEachPackages(t *testing.T) {
 		out map[string]string
 	}{
 		{
-			in: `==================== Available Packages ====================
+			in: `==================== Updated Packages ====================
 1:NetworkManager-1.4.0-20.el7_3.x86_64   rhui-rhel-7-server-rhui-rpms
 * Mon Apr 24 21:00:00 2017 Beniamino Galvani <[email protected]> - 1:1.4.0-20
 - vlan: use parent interface mtu as default (rh#1414186)