Display a warning for OS that has reached EOL (#118)

aquasecurity · Aug 19, 2019 · 0611bf9 · 0611bf9
1 parent 9a9cb01
commit 0611bf9
Show file tree

Hide file tree

Showing 12 changed files with 609 additions and 6 deletions.
diff --git a/misc/eol/data/debian.csv b/misc/eol/data/debian.csv
@@ -0,0 +1,19 @@
+1.1,Buzz,buzz,1993-08-16,1996-06-17,1997-06-05
+1.2,Rex,rex,1996-06-17,1996-12-12,1998-06-05
+1.3,Bo,bo,1996-12-12,1997-06-05,1999-03-09
+2.0,Hamm,hamm,1997-06-05,1998-07-24,2000-03-09
+2.1,Slink,slink,1998-07-24,1999-03-09,2000-10-30
+2.2,Potato,potato,1999-03-09,2000-08-15,2003-07-30
+3.0,Woody,woody,2000-08-15,2002-07-19,2006-06-30
+3.1,Sarge,sarge,2002-07-19,2005-06-06,2008-03-30
+4.0,Etch,etch,2005-06-06,2007-04-08,2010-02-15
+5.0,Lenny,lenny,2007-04-08,2009-02-14,2012-02-06
+6.0,Squeeze,squeeze,2009-02-14,2011-02-06,2014-05-31
+7,Wheezy,wheezy,2011-02-06,2013-05-04,2016-04-26
+8,Jessie,jessie,2013-05-04,2015-04-25,2018-06-06
+9,Stretch,stretch,2015-04-25,2017-06-17
+10,Buster,buster,2017-06-17
+11,Bullseye,bullseye,2019-08-01
+12,Bookworm,bookworm,2021-08-01
+,Sid,sid,1993-08-16
+,Experimental,experimental,1993-08-16
diff --git a/misc/eol/data/ubuntu.csv b/misc/eol/data/ubuntu.csv
@@ -0,0 +1,31 @@
+4.10,Warty Warthog,warty,2004-03-05,2004-10-20,2006-04-30
+5.04,Hoary Hedgehog,hoary,2004-10-20,2005-04-08,2006-10-31
+5.10,Breezy Badger,breezy,2005-04-08,2005-10-12,2007-04-13
+6.06 LTS,Dapper Drake,dapper,2005-10-12,2006-06-01,2009-07-14,2011-06-01
+6.10,Edgy Eft,edgy,2006-06-01,2006-10-26,2008-04-25
+7.04,Feisty Fawn,feisty,2006-10-26,2007-04-19,2008-10-19
+7.10,Gutsy Gibbon,gutsy,2007-04-19,2007-10-18,2009-04-18
+8.04 LTS,Hardy Heron,hardy,2007-10-18,2008-04-24,2011-05-12,2013-05-09
+8.10,Intrepid Ibex,intrepid,2008-04-24,2008-10-30,2010-04-30
+9.04,Jaunty Jackalope,jaunty,2008-10-30,2009-04-23,2010-10-23
+9.10,Karmic Koala,karmic,2009-04-23,2009-10-29,2011-04-29
+10.04 LTS,Lucid Lynx,lucid,2009-10-29,2010-04-29,2013-05-09,2015-04-29
+10.10,Maverick Meerkat,maverick,2010-04-29,2010-10-10,2012-04-10
+11.04,Natty Narwhal,natty,2010-10-10,2011-04-28,2012-10-28
+11.10,Oneiric Ocelot,oneiric,2011-04-28,2011-10-13,2013-05-09
+12.04 LTS,Precise Pangolin,precise,2011-10-13,2012-04-26,2017-04-26,2017-04-26,2019-04-26
+12.10,Quantal Quetzal,quantal,2012-04-26,2012-10-18,2014-05-16
+13.04,Raring Ringtail,raring,2012-10-18,2013-04-25,2014-01-27
+13.10,Saucy Salamander,saucy,2013-04-25,2013-10-17,2014-07-17
+14.04 LTS,Trusty Tahr,trusty,2013-10-17,2014-04-17,2019-04-25,2019-04-25,2022-04-25
+14.10,Utopic Unicorn,utopic,2014-04-17,2014-10-23,2015-07-23
+15.04,Vivid Vervet,vivid,2014-10-23,2015-04-23,2016-01-23
+15.10,Wily Werewolf,wily,2015-04-23,2015-10-22,2016-07-22
+16.04 LTS,Xenial Xerus,xenial,2015-10-22,2016-04-21,2021-04-21,2021-04-21,2024-04-21
+16.10,Yakkety Yak,yakkety,2016-04-21,2016-10-13,2017-07-20
+17.04,Zesty Zapus,zesty,2016-10-13,2017-04-13,2018-01-13
+17.10,Artful Aardvark,artful,2017-04-13,2017-10-19,2018-07-19
+18.04 LTS,Bionic Beaver,bionic,2017-10-19,2018-04-26,2023-04-26,2023-04-26,2028-04-26
+18.10,Cosmic Cuttlefish,cosmic,2018-04-26,2018-10-18,2019-07-18
+19.04,Disco Dingo,disco,2018-10-18,2019-04-18,2020-01-18
+19.10,Eoan Ermine,eoan,2019-04-18,2019-10-17,2020-07-17
diff --git a/misc/eol/main.go b/misc/eol/main.go
@@ -0,0 +1,56 @@
+package main
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+	"strings"
+	"time"
+)
+
+// This script displays EOL dates
+func main() {
+	fmt.Println("Debian")
+	debianEOL()
+
+	fmt.Println("\nUbuntu")
+	ubuntuEOL()
+}
+
+func debianEOL() {
+	f, err := os.Open("data/debian.csv")
+	if err != nil {
+		panic(err)
+	}
+	defer f.Close()
+
+	scanner := bufio.NewScanner(f)
+	for scanner.Scan() {
+		line := scanner.Text()
+		fields := strings.Split(line, ",")
+
+		if len(fields) < 6 && fields[0] != "" {
+			fmt.Printf("\"%s\": time.Date(3000, 1, 1, 23, 59, 59, 0, time.UTC),\n", fields[0])
+		} else if len(fields) == 6 {
+			eol, _ := time.Parse("2006-1-2", fields[5])
+			fmt.Printf("\"%s\": time.Date(%d, %d, %d, 23, 59, 59, 0, time.UTC),\n", fields[0], eol.Year(), eol.Month(), eol.Day())
+		}
+	}
+}
+
+func ubuntuEOL() {
+	f, err := os.Open("data/ubuntu.csv")
+	if err != nil {
+		panic(err)
+	}
+	defer f.Close()
+
+	scanner := bufio.NewScanner(f)
+	for scanner.Scan() {
+		line := scanner.Text()
+		fields := strings.Split(line, ",")
+
+		eol, _ := time.Parse("2006-1-2", fields[len(fields)-1])
+		fmt.Printf("\"%s\": time.Date(%d, %d, %d, 23, 59, 59, 0, time.UTC),\n", strings.Fields(fields[0])[0], eol.Year(), eol.Month(), eol.Day())
+	}
+}
diff --git a/pkg/scanner/ospkg/alpine/alpine.go b/pkg/scanner/ospkg/alpine/alpine.go
@@ -2,6 +2,7 @@ package alpine
 
 import (
 	"strings"
+	"time"
 
 	"github.com/knqyf263/fanal/analyzer"
 	version "github.com/knqyf263/go-rpm-version"
@@ -12,6 +13,30 @@ import (
 	"golang.org/x/xerrors"
 )
 
+var (
+	eolDates = map[string]time.Time{
+		"2.0":  time.Date(2012, 4, 1, 23, 59, 59, 0, time.UTC),
+		"2.1":  time.Date(2012, 11, 1, 23, 59, 59, 0, time.UTC),
+		"2.2":  time.Date(2013, 5, 1, 23, 59, 59, 0, time.UTC),
+		"2.3":  time.Date(2013, 11, 1, 23, 59, 59, 0, time.UTC),
+		"2.4":  time.Date(2014, 5, 1, 23, 59, 59, 0, time.UTC),
+		"2.5":  time.Date(2014, 11, 1, 23, 59, 59, 0, time.UTC),
+		"2.6":  time.Date(2015, 5, 1, 23, 59, 59, 0, time.UTC),
+		"2.7":  time.Date(2015, 11, 1, 23, 59, 59, 0, time.UTC),
+		"3.0":  time.Date(2016, 5, 1, 23, 59, 59, 0, time.UTC),
+		"3.1":  time.Date(2016, 11, 1, 23, 59, 59, 0, time.UTC),
+		"3.2":  time.Date(2017, 5, 1, 23, 59, 59, 0, time.UTC),
+		"3.3":  time.Date(2017, 11, 1, 23, 59, 59, 0, time.UTC),
+		"3.4":  time.Date(2018, 5, 1, 23, 59, 59, 0, time.UTC),
+		"3.5":  time.Date(2018, 11, 1, 23, 59, 59, 0, time.UTC),
+		"3.6":  time.Date(2019, 5, 1, 23, 59, 59, 0, time.UTC),
+		"3.7":  time.Date(2019, 11, 1, 23, 59, 59, 0, time.UTC),
+		"3.8":  time.Date(2020, 5, 1, 23, 59, 59, 0, time.UTC),
+		"3.9":  time.Date(2020, 11, 1, 23, 59, 59, 0, time.UTC),
+		"3.10": time.Date(2021, 5, 1, 23, 59, 59, 0, time.UTC),
+	}
+)
+
 type Scanner struct{}
 
 func NewScanner() *Scanner {
@@ -51,3 +76,21 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
 	}
 	return vulns, nil
 }
+
+func (s *Scanner) IsSupportedVersion(osFamily, osVer string) bool {
+	now := time.Now()
+	return s.isSupportedVersion(now, osFamily, osVer)
+}
+
+func (s *Scanner) isSupportedVersion(now time.Time, osFamily, osVer string) bool {
+	if strings.Count(osVer, ".") > 1 {
+		osVer = osVer[:strings.LastIndex(osVer, ".")]
+	}
+
+	eol, ok := eolDates[osVer]
+	if !ok {
+		log.Logger.Warnf("This OS version is not on the EOL list: %s %s", osFamily, osVer)
+		return false
+	}
+	return now.Before(eol)
+}
diff --git a/pkg/scanner/ospkg/alpine/alpine_test.go b/pkg/scanner/ospkg/alpine/alpine_test.go
@@ -0,0 +1,64 @@
+package alpine
+
+import (
+	"os"
+	"testing"
+	"time"
+
+	"github.com/knqyf263/trivy/pkg/log"
+)
+
+func TestMain(m *testing.M) {
+	log.InitLogger(false)
+	os.Exit(m.Run())
+}
+
+func TestScanner_IsSupportedVersion(t *testing.T) {
+	vectors := map[string]struct {
+		now       time.Time
+		osFamily  string
+		osVersion string
+		expected  bool
+	}{
+		"alpine3.6": {
+			now:       time.Date(2019, 3, 2, 23, 59, 59, 0, time.UTC),
+			osFamily:  "alpine",
+			osVersion: "3.6",
+			expected:  true,
+		},
+		"alpine3.6 with EOL": {
+			now:       time.Date(2019, 5, 2, 23, 59, 59, 0, time.UTC),
+			osFamily:  "alpine",
+			osVersion: "3.6.5",
+			expected:  false,
+		},
+		"alpine3.9": {
+			now:       time.Date(2019, 5, 2, 23, 59, 59, 0, time.UTC),
+			osFamily:  "alpine",
+			osVersion: "3.9.0",
+			expected:  true,
+		},
+		"alpine3.10": {
+			now:       time.Date(2019, 5, 2, 23, 59, 59, 0, time.UTC),
+			osFamily:  "alpine",
+			osVersion: "3.10",
+			expected:  true,
+		},
+		"unknown": {
+			now:       time.Date(2019, 5, 2, 23, 59, 59, 0, time.UTC),
+			osFamily:  "alpine",
+			osVersion: "unknown",
+			expected:  false,
+		},
+	}
+
+	for testName, v := range vectors {
+		s := NewScanner()
+		t.Run(testName, func(t *testing.T) {
+			actual := s.isSupportedVersion(v.now, v.osFamily, v.osVersion)
+			if actual != v.expected {
+				t.Errorf("[%s] got %v, want %v", testName, actual, v.expected)
+			}
+		})
+	}
+}
diff --git a/pkg/scanner/ospkg/debian/debian.go b/pkg/scanner/ospkg/debian/debian.go
@@ -2,19 +2,40 @@ package debian
 
 import (
 	"strings"
+	"time"
 
+	"github.com/knqyf263/fanal/analyzer"
 	version "github.com/knqyf263/go-deb-version"
-
-	"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
-
 	"golang.org/x/xerrors"
 
-	"github.com/knqyf263/trivy/pkg/scanner/utils"
-
-	"github.com/knqyf263/fanal/analyzer"
 	"github.com/knqyf263/trivy/pkg/log"
+	"github.com/knqyf263/trivy/pkg/scanner/utils"
 	"github.com/knqyf263/trivy/pkg/vulnsrc/debian"
 	debianoval "github.com/knqyf263/trivy/pkg/vulnsrc/debian-oval"
+	"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
+)
+
+var (
+	eolDates = map[string]time.Time{
+		"1.1": time.Date(1997, 6, 5, 23, 59, 59, 0, time.UTC),
+		"1.2": time.Date(1998, 6, 5, 23, 59, 59, 0, time.UTC),
+		"1.3": time.Date(1999, 3, 9, 23, 59, 59, 0, time.UTC),
+		"2.0": time.Date(2000, 3, 9, 23, 59, 59, 0, time.UTC),
+		"2.1": time.Date(2000, 10, 30, 23, 59, 59, 0, time.UTC),
+		"2.2": time.Date(2003, 7, 30, 23, 59, 59, 0, time.UTC),
+		"3.0": time.Date(2006, 6, 30, 23, 59, 59, 0, time.UTC),
+		"3.1": time.Date(2008, 3, 30, 23, 59, 59, 0, time.UTC),
+		"4.0": time.Date(2010, 2, 15, 23, 59, 59, 0, time.UTC),
+		"5.0": time.Date(2012, 2, 6, 23, 59, 59, 0, time.UTC),
+		// LTS
+		"6.0": time.Date(2016, 2, 29, 23, 59, 59, 0, time.UTC),
+		"7":   time.Date(2018, 5, 31, 23, 59, 59, 0, time.UTC),
+		"8":   time.Date(2020, 6, 30, 23, 59, 59, 0, time.UTC),
+		"9":   time.Date(3000, 1, 1, 23, 59, 59, 0, time.UTC),
+		"10":  time.Date(3000, 1, 1, 23, 59, 59, 0, time.UTC),
+		"11":  time.Date(3000, 1, 1, 23, 59, 59, 0, time.UTC),
+		"12":  time.Date(3000, 1, 1, 23, 59, 59, 0, time.UTC),
+	}
 )
 
 type Scanner struct{}
@@ -78,3 +99,21 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
 	}
 	return vulns, nil
 }
+
+func (s *Scanner) IsSupportedVersion(osFamily, osVer string) bool {
+	now := time.Now()
+	return s.isSupportedVersion(now, osFamily, osVer)
+}
+
+func (s *Scanner) isSupportedVersion(now time.Time, osFamily, osVer string) bool {
+	if strings.Count(osVer, ".") > 0 {
+		osVer = osVer[:strings.Index(osVer, ".")]
+	}
+
+	eol, ok := eolDates[osVer]
+	if !ok {
+		log.Logger.Warnf("This OS version is not on the EOL list: %s %s", osFamily, osVer)
+		return false
+	}
+	return now.Before(eol)
+}
diff --git a/pkg/scanner/ospkg/debian/debian_test.go b/pkg/scanner/ospkg/debian/debian_test.go
@@ -0,0 +1,64 @@
+package debian
+
+import (
+	"os"
+	"testing"
+	"time"
+
+	"github.com/knqyf263/trivy/pkg/log"
+)
+
+func TestMain(m *testing.M) {
+	log.InitLogger(false)
+	os.Exit(m.Run())
+}
+
+func TestScanner_IsSupportedVersion(t *testing.T) {
+	vectors := map[string]struct {
+		now       time.Time
+		osFamily  string
+		osVersion string
+		expected  bool
+	}{
+		"debian7": {
+			now:       time.Date(2019, 3, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "debian",
+			osVersion: "7",
+			expected:  false,
+		},
+		"debian8": {
+			now:       time.Date(2019, 3, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "debian",
+			osVersion: "8.11",
+			expected:  true,
+		},
+		"debian8 eol ends": {
+			now:       time.Date(2020, 7, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "debian",
+			osVersion: "8.0",
+			expected:  false,
+		},
+		"debian9": {
+			now:       time.Date(2020, 7, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "debian",
+			osVersion: "9",
+			expected:  true,
+		},
+		"unknown": {
+			now:       time.Date(2020, 7, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "debian",
+			osVersion: "unknown",
+			expected:  false,
+		},
+	}
+
+	for testName, v := range vectors {
+		s := NewScanner()
+		t.Run(testName, func(t *testing.T) {
+			actual := s.isSupportedVersion(v.now, v.osFamily, v.osVersion)
+			if actual != v.expected {
+				t.Errorf("[%s] got %v, want %v", testName, actual, v.expected)
+			}
+		})
+	}
+}