feat(wrlinux): Add Wind River Linux vulnerability data (#177)

Signed-off-by: Sakib Sajal <[email protected]>

Author: sajal-wr

.github/workflows/update.yml

@@ -99,6 +99,10 @@ jobs:
       name: CBL-Mariner Vulnerability Data
       run: ./vuln-list-update -target mariner
 
+    - if: always()
+      name: WindRiver CVE Tracker
+      run: ./vuln-list-update -target wrlinux
+
     - if: always()
       name: OSV Database
       run: ./vuln-list-update -target osv

README.md

@@ -20,7 +20,7 @@ https://github.com/aquasecurity/vuln-list/
 $ vuln-list-update -h
 Usage of vuln-list-update:
   -target string
-        update target (nvd, alpine, alpine-unfixed, redhat, redhat-oval, debian, debian-oval, ubuntu, amazon, oracle-oval, suse-cvrf, photon, arch-linux, ghsa, glad, cwe, osv, go-vulndb, mariner, kevc)
+        update target (nvd, alpine, alpine-unfixed, redhat, redhat-oval, debian, debian-oval, ubuntu, amazon, oracle-oval, suse-cvrf, photon, arch-linux, ghsa, glad, cwe, osv, go-vulndb, mariner, kevc, wrlinux)
   -years string
         update years (only redhat)
 ```

main.go

@@ -39,6 +39,7 @@ import (
 	susecvrf "github.com/aquasecurity/vuln-list-update/suse/cvrf"
 	"github.com/aquasecurity/vuln-list-update/ubuntu"
 	"github.com/aquasecurity/vuln-list-update/utils"
+	"github.com/aquasecurity/vuln-list-update/wrlinux"
 )
 
 const (
@@ -49,7 +50,7 @@ const (
 
 var (
 	target = flag.String("target", "", "update target (nvd, alpine, alpine-unfixed, redhat, redhat-oval, "+
-		"debian, debian-oval, ubuntu, amazon, oracle-oval, suse-cvrf, photon, arch-linux, ghsa, glad, cwe, osv, go-vulndb, mariner, kevc, wolfi)")
+		"debian, debian-oval, ubuntu, amazon, oracle-oval, suse-cvrf, photon, arch-linux, ghsa, glad, cwe, osv, go-vulndb, mariner, kevc, wolfi, wrlinux)")
 	years        = flag.String("years", "", "update years (only redhat)")
 	targetUri    = flag.String("target-uri", "", "alternative repository URI (only glad)")
 	targetBranch = flag.String("target-branch", "", "alternative repository branch (only glad)")
@@ -235,6 +236,11 @@ func run() error {
 			return xerrors.Errorf("Wolfi update error: %w", err)
 		}
 		commitMsg = "Wolfi Issue Tracker"
+	case "wrlinux":
+		if err := wrlinux.Update(); err != nil {
+			return xerrors.Errorf("WRLinux update error: %w", err)
+		}
+		commitMsg = "Wind River CVE Tracker"
 	default:
 		return xerrors.New("unknown target")
 	}

wrlinux/testdata/multiple_multiline_note

@@ -0,0 +1,19 @@
+Candidate: CVE-2012-0880
+PublicDate: 2017-08-08
+Description:
+ Apache Xerces-C++ allows remote attackers to cause a denial of
+ service (CPU consumption) via a crafted message sent to an XML
+ service that causes hash table collisions.
+Notes:
+ note 1 line 1
+  note 1 line 2
+ note 2 line 1
+  note 2 line 2
+Priority: high
+Bugs:
+ LIN10-1106
+
+Patches_xerces:
+10.17.41.1_xerces: released (10.17.41.1)
+10.18.44.1_xerces: ignored (will not fix)
+10.19.45.1_xerces: ignored (will not fix)

wrlinux/testdata/multiple_packages

@@ -0,0 +1,19 @@
+Candidate: CVE-2015-8985
+PublicDate: 2017-03-20
+Description:
+ The pop_fail_stack function in the GNU C Library (aka glibc or
+ libc6) allows context-dependent attackers to cause a denial of
+ service (assertion failure and application crash) via vectors
+ related to extended regular expression processing.
+Notes:
+ glibc
+Priority: medium
+Bugs:
+
+Patches_glibc:
+10.18.44.1_glibc: pending
+10.19.45.1_glibc: pending
+
+Patches_eglibc:
+10.18.44.1_eglibc: pending
+10.19.45.1_eglibc: pending

wrlinux/testdata/multiple_references_and_notes

@@ -0,0 +1,22 @@
+Candidate: CVE-2021-39648
+PublicDate: 2021-12-15
+Description:
+ In gadget_dev_desc_UDC_show of configfs.c, there is a possible
+ disclosure of kernel heap memory due to a race condition.
+References:
+ Upstream kernel
+ Upstream linux
+Notes:
+ This could lead to local information disclosure with System execution privileges needed.
+ User interaction is not needed for exploitation.
+Priority: medium
+Bugs:
+ LINCD-7525
+ LIN1021-2165
+ LIN1019-7478
+ LIN1018-8466
+Patches_linux:
+10.20.6.0_linux: not-affected
+10.21.20.1_linux: not-affected
+10.19.45.1_linux: released (10.19.45.21)
+10.18.44.1_linux: released (10.18.44.25)

wrlinux/testdata/no_references_or_notes

@@ -0,0 +1,17 @@
+Candidate: CVE-2020-24241
+PublicDate: 2020-08-25
+Description:
+ In Netwide Assembler (NASM) 2.15rc10, there is heap use-after-free
+ in saa_wbytes in nasmlib/saa.c.
+Priority: medium
+Bugs:
+ LINCD-2974
+ LIN1019-5289
+ LIN1018-6614
+ LIN10-7689
+
+Patches_nasm:
+10.20.6.0_nasm: not-affected
+10.19.45.1_nasm: pending
+10.18.44.1_nasm: ignored
+10.17.41.1_nasm: released (10.17.41.22)

wrlinux/testdata/with_comments_and_line_breaks

@@ -0,0 +1,28 @@
+Candidate: CVE-2022-3134
+
+PublicDate: 2022-09-06
+
+Description:
+ Use After Free in GitHub repository vim/vim prior to 9.0.0389.
+
+Notes:
+
+Priority: high
+
+Bugs:
+ LINCD-10301
+ LIN1022-1711
+ LIN1021-4364
+ LIN1019-8796
+ LIN1018-9727
+
+# fixes/patches for different WRLinux releases
+# <vulnerable_release>_<package>: <status> [(<fixed_release>)]
+Patches_vim:
+10.20.6.0_vim: not-affected
+10.22.33.1_vim: not-affected
+# the following have releases have been fixed
+10.21.20.1_vim: released (10.21.20.14)
+10.19.45.1_vim: released (10.19.45.26)
+
+10.18.44.1_vim: released (10.18.44.28)