5 changes: 3 additions & 2 deletions detector/detector.go
Original file line number Diff line number Diff line change
Expand Up @@ -322,11 +322,12 @@ func Detect(rs []models.ScanResult, dir string) ([]models.ScanResult, error) {
func DetectPkgCves(r *models.ScanResult, ovalCnf config.GovalDictConf, gostCnf config.GostConf, vuls2Conf config.Vuls2Conf, logOpts logging.LogOpts, noProgress bool) error {
if isPkgCvesDetactable(r) {
switch r.Family {
case constant.RedHat, constant.CentOS, constant.Fedora, constant.Alma, constant.Rocky, constant.Oracle, constant.Alpine, constant.Ubuntu:
case constant.RedHat, constant.CentOS, constant.Fedora, constant.Alma, constant.Rocky, constant.Oracle, constant.Alpine, constant.Ubuntu,
constant.OpenSUSE, constant.OpenSUSELeap, constant.SUSEEnterpriseServer, constant.SUSEEnterpriseDesktop:
if err := vuls2.Detect(r, vuls2Conf, noProgress); err != nil {
return xerrors.Errorf("Failed to detect CVE with Vuls2: %w", err)
}
case constant.Amazon, constant.OpenSUSE, constant.OpenSUSELeap, constant.SUSEEnterpriseServer, constant.SUSEEnterpriseDesktop:
case constant.Amazon:
if err := detectPkgsCvesWithOval(ovalCnf, r, logOpts); err != nil {
return xerrors.Errorf("Failed to detect CVE with OVAL: %w", err)
}
Expand Down
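Review bot: The new switch arm routes the SUSE and openSUSE families to vuls2.Detect without anything recording that the OVAL path no longer serves them, so a deployment that still points goval-dictionary at SUSE OVAL data keeps a valid-looking configuration whose SUSE data is never consulted; if vuls2.Detect returns an empty result rather than an error when the local vuls2 DB carries no SUSE ecosystem (not visible here), a DB fetched before this change would yield a report with zero findings that looks clean. A one-line comment above the arm would make the migration explicit: `// SUSE/openSUSE are detected via vuls2 since this change; ovalCnf is not consulted for these families`. It is worth confirming that the DB version check rejects a vuls2 DB that predates SUSE support rather than scanning against it. DetectPkgCves continues outside the hunk.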
86 changes: 84 additions & 2 deletions detector/vuls2/vendor.go
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,36 @@ func preConvertBinaryVersion(family, version string) string {
}
}

func toVuls2Family(vuls0Family, vuls0Release string) string {
switch vuls0Family {
case constant.SUSEEnterpriseServer, constant.SUSEEnterpriseDesktop:
return ecosystemTypes.EcosystemTypeSUSELinuxEnterprise
case constant.OpenSUSE:
switch vuls0Release {
case "tumbleweed":
return ecosystemTypes.EcosystemTypeOpenSUSETumbleweed
default:
return vuls0Family
}
default:
return vuls0Family
}
}

func toVuls2Release(vuls0Family, vuls0Release string) string {
switch vuls0Family {
case constant.OpenSUSE:
switch vuls0Release {
case "tumbleweed":
return ""
default:
return vuls0Release
}
default:
return vuls0Release
}
}

func ignoreVulnerability(e ecosystemTypes.Ecosystem, v vulnerabilityTypes.Vulnerability, as models.DistroAdvisories) bool {
et, _, _ := strings.Cut(string(e), ":")

Expand Down Expand Up @@ -462,6 +492,12 @@ func advisoryReference(e ecosystemTypes.Ecosystem, s sourceTypes.SourceID, da mo
Source: "UBUNTU",
RefID: da.AdvisoryID,
}, nil
case ecosystemTypes.EcosystemTypeSUSELinuxEnterprise, ecosystemTypes.EcosystemTypeOpenSUSE, ecosystemTypes.EcosystemTypeOpenSUSELeap, ecosystemTypes.EcosystemTypeOpenSUSETumbleweed:
return models.Reference{
Link: fmt.Sprintf("https://www.suse.com/security/cve/%s.html", da.AdvisoryID),
Source: "SUSE",
RefID: da.AdvisoryID,
}, nil
default:
return models.Reference{}, xerrors.Errorf("unsupported family: %s", et)
}
Expand All @@ -479,6 +515,8 @@ func cveContentSourceLink(ccType models.CveContentType, v vulnerabilityTypes.Vul
return fmt.Sprintf("https://ubuntu.com/security/%s", v.Content.ID)
case models.Nvd:
return fmt.Sprintf("https://nvd.nist.gov/vuln/detail/%s", v.Content.ID)
case models.SUSE:
return fmt.Sprintf("https://www.suse.com/security/cve/%s.html", v.Content.ID)
default:
return ""
}
Expand Down Expand Up @@ -682,6 +720,8 @@ func toCveContentType(e ecosystemTypes.Ecosystem, s sourceTypes.SourceID) models
default:
return models.Ubuntu
}
case ecosystemTypes.EcosystemTypeSUSELinuxEnterprise, ecosystemTypes.EcosystemTypeOpenSUSE, ecosystemTypes.EcosystemTypeOpenSUSELeap, ecosystemTypes.EcosystemTypeOpenSUSETumbleweed:
return models.SUSE
default:
return models.NewCveContentType(et)
}
Expand All @@ -695,9 +735,9 @@ func toCvss(e ecosystemTypes.Ecosystem, src sourceTypes.SourceID, ss []severityT
)

for _, s := range ss {
et, _, _ := strings.Cut(string(e), ":")
switch s.Type {
case severityTypes.SeverityTypeVendor:
et, _, _ := strings.Cut(string(e), ":")
switch et {
case ecosystemTypes.EcosystemTypeUbuntu:
switch src {
Expand All @@ -708,12 +748,39 @@ func toCvss(e ecosystemTypes.Ecosystem, src sourceTypes.SourceID, ss []severityT
}
default:
}
case ecosystemTypes.EcosystemTypeSUSELinuxEnterprise, ecosystemTypes.EcosystemTypeOpenSUSE, ecosystemTypes.EcosystemTypeOpenSUSELeap, ecosystemTypes.EcosystemTypeOpenSUSETumbleweed:
if s.Vendor != nil {
if cvss2.Vector != "" {
cvss2.NVDBaseSeverity = *s.Vendor
}
if cvss3.Vector != "" {
cvss3.BaseSeverity = *s.Vendor
}
if cvss4.Vector != "" {
cvss4.Severity = *s.Vendor
}
}
default:
}
case severityTypes.SeverityTypeCVSSv2:
switch et {
case ecosystemTypes.EcosystemTypeSUSELinuxEnterprise, ecosystemTypes.EcosystemTypeOpenSUSE, ecosystemTypes.EcosystemTypeOpenSUSELeap, ecosystemTypes.EcosystemTypeOpenSUSETumbleweed:
if s.Source != "SUSE" {
continue
}
default:
}
if cvss2.Vector == "" && s.CVSSv2 != nil {
cvss2 = *s.CVSSv2
}
case severityTypes.SeverityTypeCVSSv30:
switch et {
case ecosystemTypes.EcosystemTypeSUSELinuxEnterprise, ecosystemTypes.EcosystemTypeOpenSUSE, ecosystemTypes.EcosystemTypeOpenSUSELeap, ecosystemTypes.EcosystemTypeOpenSUSETumbleweed:
if s.Source != "SUSE" {
continue
}
default:
}
if cvss3.Vector == "" && s.CVSSv30 != nil {
cvss3 = v31.CVSSv31{
Vector: s.CVSSv30.Vector,
Expand All @@ -722,10 +789,24 @@ func toCvss(e ecosystemTypes.Ecosystem, src sourceTypes.SourceID, ss []severityT
}
}
case severityTypes.SeverityTypeCVSSv31:
switch et {
case ecosystemTypes.EcosystemTypeSUSELinuxEnterprise, ecosystemTypes.EcosystemTypeOpenSUSE, ecosystemTypes.EcosystemTypeOpenSUSELeap, ecosystemTypes.EcosystemTypeOpenSUSETumbleweed:
if s.Source != "SUSE" {
continue
}
default:
}
if !strings.HasPrefix(cvss3.Vector, "CVSS:3.1/") && s.CVSSv31 != nil {
cvss3 = *s.CVSSv31
}
case severityTypes.SeverityTypeCVSSv40:
switch et {
case ecosystemTypes.EcosystemTypeSUSELinuxEnterprise, ecosystemTypes.EcosystemTypeOpenSUSE, ecosystemTypes.EcosystemTypeOpenSUSELeap, ecosystemTypes.EcosystemTypeOpenSUSETumbleweed:
if s.Source != "SUSE" {
continue
}
default:
}
if cvss4.Vector == "" && s.CVSSv40 != nil {
cvss4 = *s.CVSSv40
}
Expand Down Expand Up @@ -765,7 +846,8 @@ func toVuls0Confidence(e ecosystemTypes.Ecosystem, s sourceTypes.SourceID) model
DetectionMethod: models.DetectionMethod("EPELMatch"),
SortOrder: 1,
}
case ecosystemTypes.EcosystemTypeRedHat, ecosystemTypes.EcosystemTypeFedora, ecosystemTypes.EcosystemTypeAlma, ecosystemTypes.EcosystemTypeRocky, ecosystemTypes.EcosystemTypeOracle, ecosystemTypes.EcosystemTypeAlpine:
case ecosystemTypes.EcosystemTypeRedHat, ecosystemTypes.EcosystemTypeFedora, ecosystemTypes.EcosystemTypeAlma, ecosystemTypes.EcosystemTypeRocky, ecosystemTypes.EcosystemTypeOracle, ecosystemTypes.EcosystemTypeAlpine,
ecosystemTypes.EcosystemTypeSUSELinuxEnterprise, ecosystemTypes.EcosystemTypeOpenSUSE, ecosystemTypes.EcosystemTypeOpenSUSELeap, ecosystemTypes.EcosystemTypeOpenSUSETumbleweed:
return models.OvalMatch
case ecosystemTypes.EcosystemTypeUbuntu:
switch s {
Expand Down
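Review bot: In the SUSE arm of the SeverityTypeVendor case (the block starting `if s.Vendor != nil`), the vendor rating is copied into cvss2/cvss3/cvss4 only for vectors whose Vector is already non-empty at that moment, so the outcome depends on where the vendor entry sits in ss: if it precedes the CVSS entries the rating is silently dropped, and if a later SUSE CVSSv31 entry replaces a v3.0 vector the copied BaseSeverity is overwritten anyway. Since these severities feed prioritisation downstream, I would record the vendor rating during the loop and apply it once after the loop, which makes the result order-independent. The change also writes the vendor rating into fields named BaseSeverity, so a reader can no longer tell whether the value was derived from the vector; a comment stating that SUSE's own rating intentionally overrides the vector-derived severity would help. toCvss's var block and its return statement are outside the hunk.

```go
// before the loop over ss:
var vendorSeverity *string
// inside the SUSE arm of the SeverityTypeVendor case, replacing the three if-blocks:
if s.Vendor != nil {
	vendorSeverity = s.Vendor
}
// … unchanged: CVSSv2/v3.0/v3.1/v4.0 cases and the rest of the loop …
// after the loop, before the function returns:
if vendorSeverity != nil {
	// SUSE publishes its own rating; apply it once all vectors are known so
	// the result does not depend on the order of entries in ss.
	if cvss2.Vector != "" {
		cvss2.NVDBaseSeverity = *vendorSeverity
	}
	if cvss3.Vector != "" {
		cvss3.BaseSeverity = *vendorSeverity
	}
	if cvss4.Vector != "" {
		cvss4.Severity = *vendorSeverity
	}
}
```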
11 changes: 8 additions & 3 deletions detector/vuls2/vuls2.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ import (
criteriaTypes "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/detection/condition/criteria"
criterionTypes "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/detection/condition/criteria/criterion"
vcAffectedRangeTypes "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/detection/condition/criteria/criterion/versioncriterion/affected/range"
vcFixStatusTypes "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/detection/condition/criteria/criterion/versioncriterion/fixstatus"
vcPackageTypes "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/detection/condition/criteria/criterion/versioncriterion/package"
segmentTypes "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/detection/segment"
ecosystemTypes "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/detection/segment/ecosystem"
Expand Down Expand Up @@ -140,8 +141,8 @@ func preConvert(sr *models.ScanResult) scanTypes.ScanResult {
return scanTypes.ScanResult{
JSONVersion: 0,
ServerName: sr.ServerName,
Family: ecosystemTypes.Ecosystem(sr.Family),
Release: sr.Release,
Family: ecosystemTypes.Ecosystem(toVuls2Family(sr.Family, sr.Release)),
Release: toVuls2Release(sr.Family, sr.Release),

Kernel: scanTypes.Kernel{
Release: sr.RunningKernel.Release,
Expand Down Expand Up @@ -559,6 +560,10 @@ func walkCriteria(e ecosystemTypes.Ecosystem, sourceID sourceTypes.SourceID, ca

switch fcn.Criterion.Version.Package.Type {
case vcPackageTypes.PackageTypeBinary, vcPackageTypes.PackageTypeSource:
if !cn.Criterion.Version.Vulnerable {
continue
}

rangeType, fixedIn := func() (vcAffectedRangeTypes.RangeType, string) {
if fcn.Criterion.Version.Affected == nil {
return vcAffectedRangeTypes.RangeTypeUnknown, ""
Expand All @@ -581,7 +586,7 @@ func walkCriteria(e ecosystemTypes.Ecosystem, sourceID sourceTypes.SourceID, ca
return fixState(e, sourceID, fcn.Criterion.Version.FixStatus.Vendor)
}(),
FixedIn: fixedIn,
NotFixedYet: fixedIn == "",
NotFixedYet: cn.Criterion.Version.FixStatus == nil || cn.Criterion.Version.FixStatus.Class != vcFixStatusTypes.ClassFixed,
},
})
}
Expand Down
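Review bot: The added guard `if !cn.Criterion.Version.Vulnerable { continue }` and the new NotFixedYet expression read `cn.Criterion.Version`, while every neighbouring access in the same arm (`fcn.Criterion.Version.Package.Type`, `.Affected`, `.FixStatus.Vendor`) goes through `fcn`; if fcn is a derived or normalised copy of cn, the vulnerable and fix-status decisions are taken on a different object than the one whose version range is evaluated, which is the kind of mismatch that silently drops findings. Unless the two are guaranteed identical (not visible here), both new lines should use the same object: `if !fcn.Criterion.Version.Vulnerable {` and `NotFixedYet: fcn.Criterion.Version.FixStatus == nil || fcn.Criterion.Version.FixStatus.Class != vcFixStatusTypes.ClassFixed,`. Separately, NotFixedYet is no longer tied to FixedIn, so a consumer may now see NotFixedYet=false with an empty FixedIn or NotFixedYet=true alongside a non-empty one; a comment on that line noting that FixedIn can be empty for a fixed entry that has no affected range would save the next reader a detour. walkCriteria's declaration and the remainder of its loop are outside the hunk.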