aquasecurity · MaineK00n · Jan 25, 2022
@@ -113,25 +113,28 @@ func (vs VulnSrc) save(errataVer map[string][]RLSA) error {
 func (vs VulnSrc) commit(tx *bolt.Tx, platformName string, errata []RLSA) error {
 	for _, erratum := range errata {
 		for _, cveID := range erratum.CveIDs {
-			putAdvisoryCount := 0
-			for _, pkg := range erratum.Packages {
+			for _, pkglist := range erratum.PkgLists {
 				// Skip the modular packages until the following bug is fixed.
 				// https://forums.rockylinux.org/t/some-errata-missing-in-comparison-with-rhel-and-almalinux/3843/8
-				if strings.Contains(pkg.Release, ".module+el") {
+				// If erratum.Pkglists is 0, it fails to use modules.yaml to break down the affected package into modules.
+				if len(erratum.PkgLists) == 0 {
 					continue
 				}
 
-				advisory := types.Advisory{
-					FixedVersion: utils.ConstructVersion(pkg.Epoch, pkg.Version, pkg.Release),
+				for _, pkg := range pkglist.Packages {
+					pkgName := pkg.Name
+					if pkglist.Module.Name != "" && pkglist.Module.Stream != "" {
+						pkgName = fmt.Sprintf("%s:%s::%s", pkglist.Module.Name, pkglist.Module.Stream, pkg.Name)
+					}
+
+					advisory := types.Advisory{
+						FixedVersion: utils.ConstructVersion(pkg.Epoch, pkg.Version, pkg.Release),
+					}
+					if err := vs.dbc.PutAdvisoryDetail(tx, cveID, pkgName, []string{platformName}, advisory); err != nil {
+						return xerrors.Errorf("failed to save Rocky advisory: %w", err)
+					}
 				}
-				if err := vs.dbc.PutAdvisoryDetail(tx, cveID, pkg.Name, []string{platformName}, advisory); err != nil {
-					return xerrors.Errorf("failed to save Rocky advisory: %w", err)
-				}
-
-				putAdvisoryCount++
-			}
 
-			if putAdvisoryCount > 0 {
 				var references []string
 				for _, ref := range erratum.References {
 					references = append(references, ref.Href)

@@ -1,12 +1,12 @@
 package rocky
 
 import (
-	"github.com/aquasecurity/trivy-db/pkg/vulnsrctest"
 	"path/filepath"
 	"testing"
 
 	"github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
+	"github.com/aquasecurity/trivy-db/pkg/vulnsrctest"
 )
 
 func TestVulnSrc_Update(t *testing.T) {
@@ -57,9 +57,50 @@ func TestVulnSrc_Update(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "happy modular package",
+			dir:  filepath.Join("testdata", "modular"),
+			wantValues: []vulnsrctest.WantValues{
+				{
+					Key: []string{"data-source", "rocky 8"},
+					Value: types.DataSource{
+						ID:   vulnerability.Rocky,
+						Name: "Rocky Linux updateinfo",
+						URL:  "https://download.rockylinux.org/pub/rocky/",
+					},
+				},
+				{
+					Key: []string{"advisory-detail", "CVE-2020-25097", "rocky 8", "squid:4::libecap"},
+					Value: types.Advisory{
+						FixedVersion: "1.0.1-2.module+el8.4.0+404+316a0dc5",
+					},
+				},
+				{
+					Key: []string{"advisory-detail", "CVE-2020-25097", "rocky 8", "squid:4::libecap-devel"},
+					Value: types.Advisory{
+						FixedVersion: "1.0.1-2.module+el8.4.0+404+316a0dc5",
+					},
+				},
+				{
+					Key: []string{"vulnerability-detail", "CVE-2020-25097", string(vulnerability.Rocky)},
+					Value: types.VulnerabilityDetail{
+						Severity: types.SeverityHigh,
+						References: []string{
+							"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-25097.json",
+						},
+						Title:       "Important: squid:4 security update",
+						Description: "For more information visit https://errata.rockylinux.org/RLSA-2021:1979",
+					},
+				},
+				{
+					Key:   []string{"vulnerability-id", "CVE-2020-25097"},
+					Value: map[string]interface{}{},
+				},
+			},
+		},
 		{
 			name:       "skip advisories for modular package",
-			dir:        filepath.Join("testdata", "modular"),
+			dir:        filepath.Join("testdata", "no_moduleinfo"),
 			wantValues: []vulnsrctest.WantValues{},
 		},
 		{

@@ -9,38 +9,43 @@
   },
   "severity": "Important",
   "description": "For more information visit https://errata.rockylinux.org/RLSA-2021:1989",
-  "packages": [
+  "pkglists": [
     {
-      "name": "bind-export-libs",
-      "epoch": "32",
-      "version": "9.11.26",
-      "release": "4.el8_4",
-      "arch": "i686",
-      "filename": "bind-export-libs-9.11.26-4.el8_4.i686.rpm"
-    },
-    {
-      "name": "bind-export-libs",
-      "epoch": "32",
-      "version": "9.11.26",
-      "release": "4.el8_4",
-      "arch": "x86_64",
-      "filename": "bind-export-libs-9.11.26-4.el8_4.x86_64.rpm"
-    },
-    {
-      "name": "bind-export-devel",
-      "epoch": "32",
-      "version": "9.11.26",
-      "release": "4.el8_4",
-      "arch": "x86_64",
-      "filename": "bind-export-devel-9.11.26-4.el8_4.x86_64.rpm"
-    },
-    {
-      "name": "bind-export-devel",
-      "epoch": "32",
-      "version": "9.11.26",
-      "release": "4.el8_4",
-      "arch": "i686",
-      "filename": "bind-export-devel-9.11.26-4.el8_4.i686.rpm"
+      "packages": [
+        {
+          "name": "bind-export-libs",
+          "epoch": "32",
+          "version": "9.11.26",
+          "release": "4.el8_4",
+          "arch": "i686",
+          "filename": "bind-export-libs-9.11.26-4.el8_4.i686.rpm"
+        },
+        {
+          "name": "bind-export-libs",
+          "epoch": "32",
+          "version": "9.11.26",
+          "release": "4.el8_4",
+          "arch": "x86_64",
+          "filename": "bind-export-libs-9.11.26-4.el8_4.x86_64.rpm"
+        },
+        {
+          "name": "bind-export-devel",
+          "epoch": "32",
+          "version": "9.11.26",
+          "release": "4.el8_4",
+          "arch": "x86_64",
+          "filename": "bind-export-devel-9.11.26-4.el8_4.x86_64.rpm"
+        },
+        {
+          "name": "bind-export-devel",
+          "epoch": "32",
+          "version": "9.11.26",
+          "release": "4.el8_4",
+          "arch": "i686",
+          "filename": "bind-export-devel-9.11.26-4.el8_4.i686.rpm"
+        }
+      ],
+      "module": {}
     }
   ],
   "references": [
@@ -51,7 +56,5 @@
       "type": "cve"
     }
   ],
-  "cveids": [
-    "CVE-2021-25215"
-  ]
-}
+  "cveids": ["CVE-2021-25215"]
+}
@@ -9,22 +9,35 @@
   },
   "severity": "Important",
   "description": "For more information visit https://errata.rockylinux.org/RLSA-2021:1979",
-  "packages": [
+  "pkglists": [
     {
-      "name": "libecap",
-      "epoch": "0",
-      "version": "1.0.1",
-      "release": "2.module+el8.4.0+404+316a0dc5",
-      "arch": "x86_64",
-      "filename": "libecap-1.0.1-2.module+el8.4.0+404+316a0dc5.x86_64.rpm"
-    },
-    {
-      "name": "libecap-devel",
-      "epoch": "0",
-      "version": "1.0.1",
-      "release": "2.module+el8.4.0+404+316a0dc5",
-      "arch": "x86_64",
-      "filename": "libecap-devel-1.0.1-2.module+el8.4.0+404+316a0dc5.x86_64.rpm"
+      "packages": [
+        {
+          "name": "libecap",
+          "epoch": "0",
+          "version": "1.0.1",
+          "release": "2.module+el8.4.0+404+316a0dc5",
+          "arch": "x86_64",
+          "src": "libecap-1.0.1-2.module+el8.4.0+404+316a0dc5.src.rpm",
+          "filename": "libecap-1.0.1-2.module+el8.4.0+404+316a0dc5.x86_64.rpm"
+        },
+        {
+          "name": "libecap-devel",
+          "epoch": "0",
+          "version": "1.0.1",
+          "release": "2.module+el8.4.0+404+316a0dc5",
+          "arch": "x86_64",
+          "src": "libecap-1.0.1-2.module+el8.4.0+404+316a0dc5.src.rpm",
+          "filename": "libecap-devel-1.0.1-2.module+el8.4.0+404+316a0dc5.x86_64.rpm"
+        }
+      ],
+      "module": {
+        "stream": "4",
+        "name": "squid",
+        "version": 8050020211109223548,
+        "arch": "x86_64",
+        "context": "b4937e53"
+      }
     }
   ],
   "references": [

@@ -0,0 +1,39 @@
+{
+  "id": "RLSA-2021:1979",
+  "title": "Important: squid:4 security update",
+  "issued": {
+    "date": "2021-07-22 03:16:49"
+  },
+  "updated": {
+    "date": "2021-05-18 00:00:00"
+  },
+  "severity": "Important",
+  "description": "For more information visit https://errata.rockylinux.org/RLSA-2021:1979",
+  "packages": [
+    {
+      "name": "libecap",
+      "epoch": "0",
+      "version": "1.0.1",
+      "release": "2.module+el8.4.0+404+316a0dc5",
+      "arch": "x86_64",
+      "filename": "libecap-1.0.1-2.module+el8.4.0+404+316a0dc5.x86_64.rpm"
+    },
+    {
+      "name": "libecap-devel",
+      "epoch": "0",
+      "version": "1.0.1",
+      "release": "2.module+el8.4.0+404+316a0dc5",
+      "arch": "x86_64",
+      "filename": "libecap-devel-1.0.1-2.module+el8.4.0+404+316a0dc5.x86_64.rpm"
+    }
+  ],
+  "references": [
+    {
+      "href": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-25097.json",
+      "id": "CVE-2020-25097",
+      "title": "Update information for CVE-2020-25097 is retrieved from Red Hat",
+      "type": "cve"
+    }
+  ],
+  "cveids": ["CVE-2020-25097"]
+}
@@ -6,7 +6,7 @@ type RLSA struct {
 	Title       string      `json:"title,omitempty"`
 	Severity    string      `json:"severity,omitempty"`
 	Description string      `json:"description,omitempty"`
-	Packages    []Package   `json:"packages,omitempty"`
+	PkgLists    []PkgList   `json:"pkglists,omitempty"`
 	References  []Reference `json:"references,omitempty"`
 	CveIDs      []string    `json:"cveids,omitempty"`
 }
@@ -19,6 +19,12 @@ type Reference struct {
 	Type  string `json:"type,omitempty"`
 }
 
+// PkgList has modular package information
+type PkgList struct {
+	Packages []Package `json:"packages,omitempty"`
+	Module   Module    `json:"module,omitempty"`
+}
+
 // Package has affected package information
 type Package struct {
 	Name     string `json:"name,omitempty"`
@@ -28,3 +34,12 @@ type Package struct {
 	Arch     string `json:"arch,omitempty"`
 	Filename string `json:"filename,omitempty"`
 }
+
+// Module has module information
+type Module struct {
+	Stream  string `json:"stream,omitempty"`
+	Name    string `json:"name,omitempty"`
+	Version int64  `json:"version,omitempty"`
+	Arch    string `json:"arch,omitempty"`
+	Context string `json:"context,omitempty"`
+}