Support Alpine Linux #194 (#545)

* Support Alpine Linux #194 * Fix testcase * Fix README * Fix dep files * Fix changelog * Bump up version
2017-12-01 23:17:28 +09:00
parent d00e912934
commit e788e6a5ad
26 changed files with 502 additions and 120 deletions
--- a/scan/alpine.go
+++ b/scan/alpine.go
@@ -0,0 +1,171 @@
+/* Vuls - Vulnerability Scanner
+Copyright (C) 2016  Future Architect, Inc. Japan.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package scan
+
+import (
+	"bufio"
+	"fmt"
+	"strings"
+
+	"github.com/future-architect/vuls/config"
+	"github.com/future-architect/vuls/models"
+	"github.com/future-architect/vuls/util"
+)
+
+// inherit OsTypeInterface
+type alpine struct {
+	base
+}
+
+// NewAlpine is constructor
+func newAlpine(c config.ServerInfo) *alpine {
+	d := &alpine{
+		base: base{
+			osPackages: osPackages{
+				Packages:  models.Packages{},
+				VulnInfos: models.VulnInfos{},
+			},
+		},
+	}
+	d.log = util.NewCustomLogger(c)
+	d.setServerInfo(c)
+	return d
+}
+
+// Alpine
+// https://github.com/mizzy/specinfra/blob/master/lib/specinfra/helper/detect_os/alpine.rb
+func detectAlpine(c config.ServerInfo) (itsMe bool, os osTypeInterface) {
+	os = newAlpine(c)
+
+	if r := exec(c, "ls /etc/alpine-release", noSudo); !r.isSuccess() {
+		return false, os
+	}
+
+	if r := exec(c, "cat /etc/alpine-release", noSudo); r.isSuccess() {
+		os.setDistro(config.Alpine, strings.TrimSpace(r.Stdout))
+		return true, os
+	}
+
+	return false, os
+}
+
+func (o *alpine) checkDependencies() error {
+	o.log.Infof("Dependencies... No need")
+	return nil
+}
+
+func (o *alpine) checkIfSudoNoPasswd() error {
+	o.log.Infof("sudo ... No need")
+	return nil
+}
+
+func (o *alpine) apkUpdate() error {
+	r := o.exec("apk update", noSudo)
+	if !r.isSuccess() {
+		return fmt.Errorf("Failed to SSH: %s", r)
+	}
+	return nil
+}
+
+func (o *alpine) scanPackages() error {
+	if err := o.apkUpdate(); err != nil {
+		return err
+	}
+	// collect the running kernel information
+	release, version, err := o.runningKernel()
+	if err != nil {
+		o.log.Errorf("Failed to scan the running kernel version: %s", err)
+		return err
+	}
+	o.Kernel = models.Kernel{
+		Release: release,
+		Version: version,
+	}
+
+	installed, err := o.scanInstalledPackages()
+	if err != nil {
+		o.log.Errorf("Failed to scan installed packages: %s", err)
+		return err
+	}
+
+	updatable, err := o.scanUpdatablePackages()
+	if err != nil {
+		o.log.Errorf("Failed to scan installed packages: %s", err)
+		return err
+	}
+
+	installed.MergeNewVersion(updatable)
+	o.Packages = installed
+	return nil
+}
+
+func (o *alpine) scanInstalledPackages() (models.Packages, error) {
+	cmd := util.PrependProxyEnv("apk info -v")
+	r := o.exec(cmd, noSudo)
+	if !r.isSuccess() {
+		return nil, fmt.Errorf("Failed to SSH: %s", r)
+	}
+	return o.parseApkInfo(r.Stdout)
+}
+
+func (o *alpine) parseApkInfo(stdout string) (models.Packages, error) {
+	packs := models.Packages{}
+	scanner := bufio.NewScanner(strings.NewReader(stdout))
+	for scanner.Scan() {
+		line := scanner.Text()
+		ss := strings.Split(line, "-")
+		if len(ss) < 3 {
+			return nil, fmt.Errorf("Failed to parse apk info -v: %s", line)
+		}
+		name := strings.Join(ss[:len(ss)-2], "-")
+		packs[name] = models.Package{
+			Name:    name,
+			Version: strings.Join(ss[len(ss)-2:], "-"),
+		}
+	}
+	return packs, nil
+}
+
+func (o *alpine) scanUpdatablePackages() (models.Packages, error) {
+	cmd := util.PrependProxyEnv("apk version")
+	r := o.exec(cmd, noSudo)
+	if !r.isSuccess() {
+		return nil, fmt.Errorf("Failed to SSH: %s", r)
+	}
+	return o.parseApkVersion(r.Stdout)
+}
+
+func (o *alpine) parseApkVersion(stdout string) (models.Packages, error) {
+	packs := models.Packages{}
+	scanner := bufio.NewScanner(strings.NewReader(stdout))
+	for scanner.Scan() {
+		line := scanner.Text()
+		if !strings.Contains(line, "<") {
+			continue
+		}
+		ss := strings.Split(line, "<")
+		namever := strings.TrimSpace(ss[0])
+		tt := strings.Split(namever, "-")
+		name := strings.Join(tt[:len(tt)-2], "-")
+		packs[name] = models.Package{
+			Name:       name,
+			NewVersion: strings.TrimSpace(ss[1]),
+		}
+	}
+	return packs, nil
+}
--- a/scan/alpine_test.go
+++ b/scan/alpine_test.go
@@ -0,0 +1,75 @@
+package scan
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/future-architect/vuls/config"
+	"github.com/future-architect/vuls/models"
+)
+
+func TestParseApkInfo(t *testing.T) {
+	var tests = []struct {
+		in    string
+		packs models.Packages
+	}{
+		{
+			in: `musl-1.1.16-r14
+busybox-1.26.2-r7
+`,
+			packs: models.Packages{
+				"musl": {
+					Name:    "musl",
+					Version: "1.1.16-r14",
+				},
+				"busybox": {
+					Name:    "busybox",
+					Version: "1.26.2-r7",
+				},
+			},
+		},
+	}
+	d := newAlpine(config.ServerInfo{})
+	for i, tt := range tests {
+		pkgs, _ := d.parseApkInfo(tt.in)
+		if !reflect.DeepEqual(tt.packs, pkgs) {
+			t.Errorf("[%d] expected %v, actual %v", i, tt.packs, pkgs)
+		}
+	}
+}
+
+func TestParseApkVersion(t *testing.T) {
+	var tests = []struct {
+		in    string
+		packs models.Packages
+	}{
+		{
+			in: `Installed:                                Available:
+libcrypto1.0-1.0.1q-r0                  < 1.0.2m-r0
+libssl1.0-1.0.1q-r0                     < 1.0.2m-r0
+nrpe-2.14-r2                            < 2.15-r5
+`,
+			packs: models.Packages{
+				"libcrypto1.0": {
+					Name:       "libcrypto1.0",
+					NewVersion: "1.0.2m-r0",
+				},
+				"libssl1.0": {
+					Name:       "libssl1.0",
+					NewVersion: "1.0.2m-r0",
+				},
+				"nrpe": {
+					Name:       "nrpe",
+					NewVersion: "2.15-r5",
+				},
+			},
+		},
+	}
+	d := newAlpine(config.ServerInfo{})
+	for i, tt := range tests {
+		pkgs, _ := d.parseApkVersion(tt.in)
+		if !reflect.DeepEqual(tt.packs, pkgs) {
+			t.Errorf("[%d] expected %v, actual %v", i, tt.packs, pkgs)
+		}
+	}
+}
--- a/scan/debian.go
+++ b/scan/debian.go
@@ -29,8 +29,7 @@ import (
 	"github.com/future-architect/vuls/config"
 	"github.com/future-architect/vuls/models"
 	"github.com/future-architect/vuls/util"
-
-	"github.com/knqyf263/go-deb-version"
+	version "github.com/knqyf263/go-deb-version"
 )

 // inherit OsTypeInterface
--- a/scan/executil.go
+++ b/scan/executil.go
@@ -41,6 +41,7 @@ import (

 type execResult struct {
 	Servername string
+	Container  conf.Container
 	Host       string
 	Port       string
 	Cmd        string
@@ -51,9 +52,16 @@ type execResult struct {
 }

 func (s execResult) String() string {
+	sname := ""
+	if s.Container.ContainerID == "" {
+		sname = s.Servername
+	} else {
+		sname = s.Container.Name + "@" + s.Servername
+	}
+
 	return fmt.Sprintf(
 		"execResult: servername: %s\n  cmd: %s\n  exitstatus: %d\n  stdout: %s\n  stderr: %s\n  err: %s",
-		s.Servername, s.Cmd, s.ExitStatus, s.Stdout, s.Stderr, s.Error)
+		sname, s.Cmd, s.ExitStatus, s.Stdout, s.Stderr, s.Error)
 }

 func (s execResult) isSuccess(expectedStatusCodes ...int) bool {
@@ -167,10 +175,11 @@ func exec(c conf.ServerInfo, cmd string, sudo bool, log ...*logrus.Entry) (resul
 func localExec(c conf.ServerInfo, cmdstr string, sudo bool) (result execResult) {
 	cmdstr = decorateCmd(c, cmdstr, sudo)
 	var cmd *ex.Cmd
-	if c.Distro.Family == conf.FreeBSD {
+	switch c.Distro.Family {
+	// case conf.FreeBSD, conf.Alpine, conf.Debian:
+	// cmd = ex.Command("/bin/sh", "-c", cmdstr)
+	default:
 		cmd = ex.Command("/bin/sh", "-c", cmdstr)
-	} else {
-		cmd = ex.Command("/bin/bash", "-c", cmdstr)
 	}
 	var stdoutBuf, stderrBuf bytes.Buffer
 	cmd.Stdout = &stdoutBuf
@@ -196,6 +205,7 @@ func localExec(c conf.ServerInfo, cmdstr string, sudo bool) (result execResult)

 func sshExecNative(c conf.ServerInfo, cmd string, sudo bool) (result execResult) {
 	result.Servername = c.ServerName
+	result.Container = c.Container
 	result.Host = c.Host
 	result.Port = c.Port

@@ -311,6 +321,7 @@ func sshExecExternal(c conf.ServerInfo, cmd string, sudo bool) (result execResul
 	result.Stdout = stdoutBuf.String()
 	result.Stderr = stderrBuf.String()
 	result.Servername = c.ServerName
+	result.Container = c.Container
 	result.Host = c.Host
 	result.Port = c.Port
 	result.Cmd = fmt.Sprintf("%s %s", sshBinaryPath, strings.Join(args, " "))
@@ -324,6 +335,16 @@ func getSSHLogger(log ...*logrus.Entry) *logrus.Entry {
 	return log[0]
 }

+func dockerShell(family string) string {
+	switch family {
+	// case conf.Alpine, conf.Debian:
+	// return "/bin/sh"
+	default:
+		// return "/bin/bash"
+		return "/bin/sh"
+	}
+}
+
 func decorateCmd(c conf.ServerInfo, cmd string, sudo bool) string {
 	if sudo && c.User != "root" && !c.IsContainer() {
 		cmd = fmt.Sprintf("sudo -S %s", cmd)
@@ -341,9 +362,11 @@ func decorateCmd(c conf.ServerInfo, cmd string, sudo bool) string {
 	if c.IsContainer() {
 		switch c.Containers.Type {
 		case "", "docker":
-			cmd = fmt.Sprintf(`docker exec --user 0 %s /bin/bash -c '%s'`, c.Container.ContainerID, cmd)
+			cmd = fmt.Sprintf(`docker exec --user 0 %s %s -c '%s'`,
+				c.Container.ContainerID, dockerShell(c.Distro.Family), cmd)
 		case "lxd":
-			cmd = fmt.Sprintf(`lxc exec %s -- /bin/bash -c '%s'`, c.Container.Name, cmd)
+			cmd = fmt.Sprintf(`lxc exec %s -- %s -c '%s'`,
+				c.Container.Name, dockerShell(c.Distro.Family), cmd)
 		}
 	}
 	//  cmd = fmt.Sprintf("set -x; %s", cmd)
--- a/scan/executil_test.go
+++ b/scan/executil_test.go
@@ -75,7 +75,7 @@ func TestDecorateCmd(t *testing.T) {
 			},
 			cmd:      "ls",
 			sudo:     false,
-			expected: `docker exec --user 0 abc /bin/bash -c 'ls'`,
+			expected: `docker exec --user 0 abc /bin/sh -c 'ls'`,
 		},
 		// root sudo true docker
 		{
@@ -86,7 +86,7 @@ func TestDecorateCmd(t *testing.T) {
 			},
 			cmd:      "ls",
 			sudo:     true,
-			expected: `docker exec --user 0 abc /bin/bash -c 'ls'`,
+			expected: `docker exec --user 0 abc /bin/sh -c 'ls'`,
 		},
 		// non-root sudo false, docker
 		{
@@ -97,7 +97,7 @@ func TestDecorateCmd(t *testing.T) {
 			},
 			cmd:      "ls",
 			sudo:     false,
-			expected: `docker exec --user 0 abc /bin/bash -c 'ls'`,
+			expected: `docker exec --user 0 abc /bin/sh -c 'ls'`,
 		},
 		// non-root sudo true, docker
 		{
@@ -108,7 +108,7 @@ func TestDecorateCmd(t *testing.T) {
 			},
 			cmd:      "ls",
 			sudo:     true,
-			expected: `docker exec --user 0 abc /bin/bash -c 'ls'`,
+			expected: `docker exec --user 0 abc /bin/sh -c 'ls'`,
 		},
 		// non-root sudo true, docker
 		{
@@ -119,7 +119,7 @@ func TestDecorateCmd(t *testing.T) {
 			},
 			cmd:      "ls | grep hoge",
 			sudo:     true,
-			expected: `docker exec --user 0 abc /bin/bash -c 'ls | grep hoge'`,
+			expected: `docker exec --user 0 abc /bin/sh -c 'ls | grep hoge'`,
 		},
 		// -------------lxd-------------
 		// root sudo false lxd
@@ -131,7 +131,7 @@ func TestDecorateCmd(t *testing.T) {
 			},
 			cmd:      "ls",
 			sudo:     false,
-			expected: `lxc exec def -- /bin/bash -c 'ls'`,
+			expected: `lxc exec def -- /bin/sh -c 'ls'`,
 		},
 		// root sudo true lxd
 		{
@@ -142,7 +142,7 @@ func TestDecorateCmd(t *testing.T) {
 			},
 			cmd:      "ls",
 			sudo:     true,
-			expected: `lxc exec def -- /bin/bash -c 'ls'`,
+			expected: `lxc exec def -- /bin/sh -c 'ls'`,
 		},
 		// non-root sudo false, lxd
 		{
@@ -153,7 +153,7 @@ func TestDecorateCmd(t *testing.T) {
 			},
 			cmd:      "ls",
 			sudo:     false,
-			expected: `lxc exec def -- /bin/bash -c 'ls'`,
+			expected: `lxc exec def -- /bin/sh -c 'ls'`,
 		},
 		// non-root sudo true, lxd
 		{
@@ -164,7 +164,7 @@ func TestDecorateCmd(t *testing.T) {
 			},
 			cmd:      "ls",
 			sudo:     true,
-			expected: `lxc exec def -- /bin/bash -c 'ls'`,
+			expected: `lxc exec def -- /bin/sh -c 'ls'`,
 		},
 		// non-root sudo true lxd
 		{
@@ -175,7 +175,7 @@ func TestDecorateCmd(t *testing.T) {
 			},
 			cmd:      "ls | grep hoge",
 			sudo:     true,
-			expected: `lxc exec def -- /bin/bash -c 'ls | grep hoge'`,
+			expected: `lxc exec def -- /bin/sh -c 'ls | grep hoge'`,
 		},
 	}

--- a/scan/serverapi.go
+++ b/scan/serverapi.go
@@ -106,6 +106,11 @@ func detectOS(c config.ServerInfo) (osType osTypeInterface) {
 		return
 	}

+	if itsMe, osType = detectAlpine(c); itsMe {
+		util.Log.Debugf("Alpine. Host: %s:%s", c.Host, c.Port)
+		return
+	}
+
 	//TODO darwin https://github.com/mizzy/specinfra/blob/master/lib/specinfra/helper/detect_os/darwin.rb
 	osType.setErrs([]error{fmt.Errorf("Unknown OS Type")})
 	return