feat(detector/vuls2): SUSE by vuls2

shino · shino · commit a12a1049256b · 2026-01-19T14:14:57.000+09:00
diff --git a/detector/detector.go b/detector/detector.go
@@ -322,11 +322,12 @@ func Detect(rs []models.ScanResult, dir string) ([]models.ScanResult, error) {
 func DetectPkgCves(r *models.ScanResult, ovalCnf config.GovalDictConf, gostCnf config.GostConf, vuls2Conf config.Vuls2Conf, logOpts logging.LogOpts, noProgress bool) error {
 	if isPkgCvesDetactable(r) {
 		switch r.Family {
-		case constant.RedHat, constant.CentOS, constant.Fedora, constant.Alma, constant.Rocky, constant.Oracle, constant.Alpine, constant.Ubuntu:
+		case constant.RedHat, constant.CentOS, constant.Fedora, constant.Alma, constant.Rocky, constant.Oracle, constant.Alpine, constant.Ubuntu,
+			constant.OpenSUSE, constant.OpenSUSELeap, constant.SUSEEnterpriseServer, constant.SUSEEnterpriseDesktop:
 			if err := vuls2.Detect(r, vuls2Conf, noProgress); err != nil {
 				return xerrors.Errorf("Failed to detect CVE with Vuls2: %w", err)
 			}
-		case constant.Amazon, constant.OpenSUSE, constant.OpenSUSELeap, constant.SUSEEnterpriseServer, constant.SUSEEnterpriseDesktop:
+		case constant.Amazon:
 			if err := detectPkgsCvesWithOval(ovalCnf, r, logOpts); err != nil {
 				return xerrors.Errorf("Failed to detect CVE with OVAL: %w", err)
 			}
diff --git a/detector/vuls2/vendor.go b/detector/vuls2/vendor.go
@@ -462,6 +462,13 @@ func advisoryReference(e ecosystemTypes.Ecosystem, s sourceTypes.SourceID, da mo
 			Source: "UBUNTU",
 			RefID:  da.AdvisoryID,
 		}, nil
+	case ecosystemTypes.EcosystemTypeOpenSUSE, ecosystemTypes.EcosystemTypeOpenSUSELeap, ecosystemTypes.EcosystemTypeOpenSUSELeapMicro, ecosystemTypes.EcosystemTypeOpenSUSETumbleweed,
+		ecosystemTypes.EcosystemTypeSUSEEnterpriseServer, ecosystemTypes.EcosystemTypeSUSEEnterpriseDesktop, ecosystemTypes.EcosystemTypeSUSEEnterpriseMicro:
+		return models.Reference{
+			Link:   fmt.Sprintf("https://www.suse.com/security/cve/%s.html", da.AdvisoryID),
+			Source: "SUSE",
+			RefID:  da.AdvisoryID,
+		}, nil
 	default:
 		return models.Reference{}, xerrors.Errorf("unsupported family: %s", et)
 	}
@@ -479,6 +486,8 @@ func cveContentSourceLink(ccType models.CveContentType, v vulnerabilityTypes.Vul
 		return fmt.Sprintf("https://ubuntu.com/security/%s", v.Content.ID)
 	case models.Nvd:
 		return fmt.Sprintf("https://nvd.nist.gov/vuln/detail/%s", v.Content.ID)
+	case models.SUSE:
+		return fmt.Sprintf("https://www.suse.com/security/cve/%s", v.Content.ID)
 	default:
 		return ""
 	}
@@ -765,7 +774,7 @@ func toVuls0Confidence(e ecosystemTypes.Ecosystem, s sourceTypes.SourceID) model
 			DetectionMethod: models.DetectionMethod("EPELMatch"),
 			SortOrder:       1,
 		}
-	case ecosystemTypes.EcosystemTypeRedHat, ecosystemTypes.EcosystemTypeFedora, ecosystemTypes.EcosystemTypeAlma, ecosystemTypes.EcosystemTypeRocky, ecosystemTypes.EcosystemTypeOracle, ecosystemTypes.EcosystemTypeAlpine:
+	case ecosystemTypes.EcosystemTypeRedHat, ecosystemTypes.EcosystemTypeFedora, ecosystemTypes.EcosystemTypeAlma, ecosystemTypes.EcosystemTypeRocky, ecosystemTypes.EcosystemTypeOracle, ecosystemTypes.EcosystemTypeAlpine, ecosystemTypes.EcosystemTypeSUSEEnterpriseServer, ecosystemTypes.EcosystemTypeSUSEEnterpriseDesktop, ecosystemTypes.EcosystemTypeSUSEEnterpriseMicro, ecosystemTypes.EcosystemTypeOpenSUSE, ecosystemTypes.EcosystemTypeOpenSUSELeap, ecosystemTypes.EcosystemTypeOpenSUSELeapMicro, ecosystemTypes.EcosystemTypeOpenSUSETumbleweed:
 		return models.OvalMatch
 	case ecosystemTypes.EcosystemTypeUbuntu:
 		switch s {
diff --git a/detector/vuls2/vuls2.go b/detector/vuls2/vuls2.go
@@ -19,6 +19,7 @@ import (
 	criteriaTypes "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/detection/condition/criteria"
 	criterionTypes "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/detection/condition/criteria/criterion"
 	vcAffectedRangeTypes "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/detection/condition/criteria/criterion/versioncriterion/affected/range"
+	"github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/detection/condition/criteria/criterion/versioncriterion/fixstatus"
 	vcPackageTypes "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/detection/condition/criteria/criterion/versioncriterion/package"
 	segmentTypes "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/detection/segment"
 	ecosystemTypes "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/detection/segment/ecosystem"
@@ -494,6 +495,10 @@ func walkCriteria(e ecosystemTypes.Ecosystem, sourceID sourceTypes.SourceID, ca
 
 		switch fcn.Criterion.Version.Package.Type {
 		case vcPackageTypes.PackageTypeBinary, vcPackageTypes.PackageTypeSource:
+			if !cn.Criterion.Version.Vulnerable {
+				continue
+			}
+
 			rangeType, fixedIn := func() (vcAffectedRangeTypes.RangeType, string) {
 				if fcn.Criterion.Version.Affected == nil {
 					return vcAffectedRangeTypes.RangeTypeUnknown, ""
@@ -513,10 +518,21 @@ func walkCriteria(e ecosystemTypes.Ecosystem, sourceID sourceTypes.SourceID, ca
 							if fcn.Criterion.Version.FixStatus == nil {
 								return ""
 							}
-							return fixState(e, sourceID, fcn.Criterion.Version.FixStatus.Vendor)
+							if s := fixState(e, sourceID, fcn.Criterion.Version.FixStatus.Vendor); s != "" {
+								return s
+							}
+							if fcn.Criterion.Version.FixStatus.Class == fixstatus.ClassUnknown {
+								return "Unknown"
+							}
+							return ""
+						}(),
+						FixedIn: fixedIn,
+						NotFixedYet: func() bool {
+							if cn.Criterion.Version.FixStatus == nil {
+								return true
+							}
+							return cn.Criterion.Version.FixStatus.Class != fixstatus.ClassFixed
 						}(),
-						FixedIn:     fixedIn,
-						NotFixedYet: fixedIn == "",
 					},
 				})
 			}
diff --git a/detector/vuls2/vuls2_test.go b/detector/vuls2/vuls2_test.go
@@ -6202,6 +6202,297 @@ func Test_postConvert(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "suse (prefer unfixed to fixed)",
+			args: args{
+				scanned: scanTypes.ScanResult{
+					Kernel: scanTypes.Kernel{
+						Release: "5.3.18-59.37-default",
+					},
+					OSPackages: []scanTypes.OSPackage{
+						{
+							Name:    "binutils",
+							Version: "2.37",
+							Release: "7.26.1",
+							Arch:    "x86_64",
+						},
+						{
+							Name:    "sles-release",
+							Version: "15.3",
+							Release: "55.4.1",
+							Arch:    "x86_64",
+						},
+					},
+				},
+				detected: detectTypes.DetectResult{
+					Detected: []detectTypes.VulnerabilityData{
+						{
+							ID: "CVE-2022-4285",
+							Advisories: []dbTypes.VulnerabilityDataAdvisory{
+								{
+									ID: "SUSE-CU-2023:3179-1",
+									Contents: map[sourceTypes.SourceID]map[dataTypes.RootID][]advisoryTypes.Advisory{
+										sourceTypes.SUSEOVAL: {
+											dataTypes.RootID("CVE-2022-4285"): {
+												{
+													Content: advisoryContentTypes.Content{
+														ID: "SUSE-CU-2023:3179-1",
+													},
+													Segments: []segmentTypes.Segment{
+														{
+															Ecosystem: ecosystemTypes.Ecosystem("suse.linux.enterprise.server:15"),
+														},
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+							Vulnerabilities: []dbTypes.VulnerabilityDataVulnerability{
+								{
+									ID: "CVE-2022-4285",
+									Contents: map[sourceTypes.SourceID]map[dataTypes.RootID][]vulnerabilityTypes.Vulnerability{
+										sourceTypes.SUSEOVAL: {
+											dataTypes.RootID("CVE-2022-4285"): {
+												{
+													Content: vulnerabilityContentTypes.Content{
+														ID: "CVE-2022-4285",
+														Severity: []severityTypes.Severity{
+															{
+																Type:   severityTypes.SeverityTypeCVSSv31,
+																Source: "SUSE",
+																CVSSv31: toPtr(cvssV31Types.CVSSv31{
+																	Vector:                "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
+																	BaseScore:             5.5,
+																	BaseSeverity:          "MEDIUM",
+																	TemporalScore:         5.5,
+																	TemporalSeverity:      "MEDIUM",
+																	EnvironmentalScore:    5.5,
+																	EnvironmentalSeverity: "MEDIUM",
+																}),
+															},
+														},
+													},
+													Segments: []segmentTypes.Segment{
+														{
+															Ecosystem: ecosystemTypes.Ecosystem("suse.linux.enterprise.server:15"),
+														},
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+							Detections: []detectTypes.VulnerabilityDataDetection{
+								{
+									Ecosystem: ecosystemTypes.Ecosystem("suse.linux.enterprise.server:15"),
+									Contents: map[sourceTypes.SourceID][]conditionTypes.FilteredCondition{
+										sourceTypes.SUSEOVAL: {
+											{
+												Criteria: criteriaTypes.FilteredCriteria{
+													Operator: criteriaTypes.CriteriaOperatorTypeOR,
+													Criterias: []criteriaTypes.FilteredCriteria{
+														{
+															Operator: criteriaTypes.CriteriaOperatorTypeAND,
+															Criterias: []criteriaTypes.FilteredCriteria{
+																{
+																	Operator: criteriaTypes.CriteriaOperatorTypeOR,
+																	Criterions: []criterionTypes.FilteredCriterion{
+																		{
+																			Criterion: criterionTypes.Criterion{
+																				Type: criterionTypes.CriterionTypeVersion,
+																				Version: toPtr(versioncriterionTypes.Criterion{
+																					Vulnerable: false,
+																					Package: vcPackageTypes.Package{
+																						Type: vcPackageTypes.PackageTypeBinary,
+																						Binary: &vcBinaryPackageTypes.Package{
+																							Name: "sles-release",
+																						},
+																					},
+																					Affected: &vcAffectedTypes.Affected{
+																						Type: vcAffectedRangeTypes.RangeTypeRPMVersionOnly,
+																						Range: []vcAffectedRangeTypes.Range{
+																							{
+																								Equal: "15.3",
+																							},
+																						},
+																					},
+																				}),
+																			},
+																			Accepts: criterionTypes.AcceptQueries{
+																				Version: []int{1},
+																			},
+																		},
+																	},
+																},
+																{
+																	Operator: criteriaTypes.CriteriaOperatorTypeOR,
+																	Criterions: []criterionTypes.FilteredCriterion{
+																		{
+																			Criterion: criterionTypes.Criterion{
+																				Type: criterionTypes.CriterionTypeVersion,
+																				Version: toPtr(versioncriterionTypes.Criterion{
+																					Vulnerable: true,
+																					FixStatus: toPtr(vcFixStatusTypes.FixStatus{
+																						Class: vcFixStatusTypes.ClassFixed,
+																					}),
+																					Package: vcPackageTypes.Package{
+																						Type: vcPackageTypes.PackageTypeBinary,
+																						Binary: &vcBinaryPackageTypes.Package{
+																							Name: "binutils",
+																							Architectures: []string{
+																								"aarch64",
+																								"ppc64le",
+																								"s390x",
+																								"x86_64",
+																							},
+																						},
+																					},
+																					Affected: &vcAffectedTypes.Affected{
+																						Type: vcAffectedRangeTypes.RangeTypeRPM,
+																						Range: []vcAffectedRangeTypes.Range{
+																							{
+																								LessThan: "0:2.41-150100.7.46.1",
+																							},
+																						},
+																						Fixed: []string{"0:2.41-150100.7.46.1"},
+																					},
+																				}),
+																			},
+																			Accepts: criterionTypes.AcceptQueries{
+																				Version: []int{0},
+																			},
+																		},
+																	},
+																},
+															},
+														},
+														{
+															Operator: criteriaTypes.CriteriaOperatorTypeAND,
+															Criterias: []criteriaTypes.FilteredCriteria{
+																{
+																	Operator: criteriaTypes.CriteriaOperatorTypeOR,
+																	Criterions: []criterionTypes.FilteredCriterion{
+																		{
+																			Criterion: criterionTypes.Criterion{
+																				Type: criterionTypes.CriterionTypeVersion,
+																				Version: toPtr(versioncriterionTypes.Criterion{
+																					Vulnerable: false,
+																					Package: vcPackageTypes.Package{
+																						Type: vcPackageTypes.PackageTypeBinary,
+																						Binary: &vcBinaryPackageTypes.Package{
+																							Name: "sles-release",
+																						},
+																					},
+																					Affected: &vcAffectedTypes.Affected{
+																						Type: vcAffectedRangeTypes.RangeTypeRPMVersionOnly,
+																						Range: []vcAffectedRangeTypes.Range{
+																							{
+																								Equal: "15.3",
+																							},
+																						},
+																					},
+																				}),
+																			},
+																			Accepts: criterionTypes.AcceptQueries{
+																				Version: []int{1},
+																			},
+																		},
+																	},
+																},
+																{
+																	Operator: criteriaTypes.CriteriaOperatorTypeOR,
+																	Criterions: []criterionTypes.FilteredCriterion{
+																		{
+																			Criterion: criterionTypes.Criterion{
+																				Type: criterionTypes.CriterionTypeVersion,
+																				Version: toPtr(versioncriterionTypes.Criterion{
+																					Vulnerable: true,
+																					FixStatus: toPtr(vcFixStatusTypes.FixStatus{
+																						Class: vcFixStatusTypes.ClassUnfixed,
+																					}),
+																					Package: vcPackageTypes.Package{
+																						Type: vcPackageTypes.PackageTypeBinary,
+																						Binary: &vcBinaryPackageTypes.Package{
+																							Name: "binutils",
+																							Architectures: []string{
+																								"aarch64",
+																								"ppc64le",
+																								"s390x",
+																								"x86_64",
+																							},
+																						},
+																					},
+																					Affected: &vcAffectedTypes.Affected{
+																						Type: vcAffectedRangeTypes.RangeTypeRPM,
+																					},
+																				}),
+																			},
+																			Accepts: criterionTypes.AcceptQueries{
+																				Version: []int{0},
+																			},
+																		},
+																	},
+																},
+															},
+														},
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			want: models.VulnInfos{
+				"CVE-2022-4285": {
+					CveID:       "CVE-2022-4285",
+					Confidences: models.Confidences{models.OvalMatch},
+					AffectedPackages: models.PackageFixStatuses{
+						{
+							Name:        "binutils",
+							NotFixedYet: true,
+						},
+					},
+					DistroAdvisories: models.DistroAdvisories{
+						{
+							AdvisoryID: "SUSE-CU-2023:3179-1",
+							Issued:     time.Date(1000, time.January, 1, 0, 0, 0, 0, time.UTC),
+							Updated:    time.Date(1000, time.January, 1, 0, 0, 0, 0, time.UTC),
+						},
+					},
+					CveContents: models.CveContents{
+						models.SUSE: []models.CveContent{
+							{
+								Type:          models.SUSE,
+								CveID:         "CVE-2022-4285",
+								Cvss3Score:    5.5,
+								Cvss3Vector:   "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
+								Cvss3Severity: "MEDIUM",
+								SourceLink:    "https://www.suse.com/security/cve/CVE-2022-4285",
+								References: models.References{
+									{
+										Link:   "https://www.suse.com/security/cve/SUSE-CU-2023:3179-1.html",
+										Source: "SUSE",
+										RefID:  "SUSE-CU-2023:3179-1",
+									},
+								},
+								Published:    time.Date(1000, time.January, 1, 0, 0, 0, 0, time.UTC),
+								LastModified: time.Date(1000, time.January, 1, 0, 0, 0, 0, time.UTC),
+								Optional: map[string]string{
+									"vuls2-sources": "[{\"root_id\":\"CVE-2022-4285\",\"source_id\":\"suse-oval\",\"segment\":{\"ecosystem\":\"suse.linux.enterprise.server:15\"}}]",
+								},
+							},
+						},
+					},
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
