Add support for RedHat EUS data (#796)

willmurphyscode · wagoodman · web-flow · commit 174c1b4d81c7 · 2025-07-22T13:09:52.000-04:00
* wip: rhel eus support

Signed-off-by: Will Murphy &lt;willmurphyscode@users.noreply.github.com&gt;

* add tests

Signed-off-by: Alex Goodman &lt;wagoodman@users.noreply.github.com&gt;

* remove comment

Signed-off-by: Alex Goodman &lt;wagoodman@users.noreply.github.com&gt;

---------

Signed-off-by: Will Murphy &lt;willmurphyscode@users.noreply.github.com&gt;
Signed-off-by: Alex Goodman &lt;wagoodman@users.noreply.github.com&gt;
Co-authored-by: Alex Goodman &lt;wagoodman@users.noreply.github.com&gt;
diff --git a/src/vunnel/providers/rhel/parser.py b/src/vunnel/providers/rhel/parser.py
@@ -37,6 +37,7 @@
 class Parser:
     __cve_rhel_product_name_base__ = "Red Hat Enterprise Linux"
     __rhel_release_pattern__ = re.compile(__cve_rhel_product_name_base__ + r"\s*(\d+)$")
+    __rhel_eus_pattern__ = re.compile(r"Red Hat Enterprise Linux (\d+\.\d+) Extended Update Support")
     __summary_url__ = "https://access.redhat.com/hydra/rest/securitydata/cve.json"
     __rhsa_url__ = "https://access.redhat.com/hydra/rest/securitydata/oval/{}.json"
     __last_synced_filename__ = "last_synced"
@@ -410,15 +411,8 @@ def _parse_affected_release(self, cve_id: str, content) -> list[FixedIn]:  # noq
             # first pass to just parse affected releases and construct a list of objects
             for item in ars:
                 try:
-                    match = re.match(
-                        self.__rhel_release_pattern__,
-                        item.get("product_name", None),
-                    )
-                    if not match:
-                        continue
-
-                    platform = match.group(1)
-                    if not platform:  # track even deny-listed platforms here, filter them out later
+                    platform = self._parse_platform(item.get("product_name", None))
+                    if not platform:
                         continue
 
                     ar_obj = AffectedRelease(platform=platform)
@@ -572,21 +566,14 @@ def _parse_package_name_and_module(self, item: dict) -> tuple[str | None, str |
 
         return package_name, module
 
-    def _parse_package_state(self, cve_id: str, content) -> list[FixedIn]:  # noqa: C901
+    def _parse_package_state(self, cve_id: str, content) -> list[FixedIn]:
         affected: list[FixedIn] = []
         out_of_support: list[FixedIn] = []  # Track items out of support to be able to add them if others are affected
         pss = content.get("package_state", [])
 
         for item in pss:
             try:
-                match = re.match(
-                    Parser.__rhel_release_pattern__,
-                    item.get("product_name", None),
-                )
-                if not match:
-                    continue
-
-                platform = match.group(1)
+                platform = self._parse_platform(item.get("product_name", None))
                 if not platform or f"{namespace}:{platform}" in self.skip_namespaces:
                     continue
 
@@ -645,6 +632,26 @@ def _parse_package_state(self, cve_id: str, content) -> list[FixedIn]:  # noqa:
 
         return affected + out_of_support
 
+    def _parse_platform(self, product_name: str | None) -> str | None:
+        is_eus = False
+        match = re.match(
+            self.__rhel_release_pattern__,
+            product_name,
+        )
+        if not match:
+            match = re.match(
+                self.__rhel_eus_pattern__,
+                product_name,
+            )
+            if not match:
+                return None
+            is_eus = True
+
+        platform = match.group(1)
+        if platform and is_eus:
+            platform = f"{platform}+eus"
+        return platform
+
     def _parse_cvss3(self, cvss3: dict | None) -> RHELCVSS3 | None:
         if not cvss3:
             return None
diff --git a/src/vunnel/utils/csaf_types.py b/src/vunnel/utils/csaf_types.py
@@ -301,7 +301,7 @@ class Document(OmitNoneORJSONModel):
 class CSAFDoc(OmitNoneORJSONModel):
     document: Document
     product_tree: ProductTree
-    vulnerabilities: list[Vulnerability]
+    vulnerabilities: list[Vulnerability] = field(default_factory=list)
 
 
 def from_path(path: str) -> CSAFDoc:
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8.6+eus/cve-2023-4863.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8.6+eus/cve-2023-4863.json
@@ -0,0 +1,77 @@
+{
+  "identifier": "rhel:8.6+eus/cve-2023-4863",
+  "item": {
+    "Vulnerability": {
+      "CVSS": [
+        {
+          "base_metrics": {
+            "base_score": 9.6,
+            "base_severity": "Critical",
+            "exploitability_score": 2.8,
+            "impact_score": 6.0
+          },
+          "status": "verified",
+          "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
+          "version": "3.1"
+        }
+      ],
+      "Description": "A heap-based buffer flaw was found in the way libwebp, a library used to process \"WebP\" image format data, processes certain specially formatted WebP images. An attacker could use this flaw to crash or execute remotely arbitrary code in an application such as a web browser compiled with this library.",
+      "FixedIn": [
+        {
+          "Module": null,
+          "Name": "libwebp",
+          "NamespaceName": "rhel:8.6+eus",
+          "VendorAdvisory": {
+            "AdvisorySummary": [
+              {
+                "ID": "RHSA-2023:5189",
+                "Link": "https://access.redhat.com/errata/RHSA-2023:5189"
+              }
+            ],
+            "NoAdvisory": false
+          },
+          "Version": "0:1.0.0-7.el8_6.1",
+          "VersionFormat": "rpm"
+        },
+        {
+          "Module": null,
+          "Name": "firefox",
+          "NamespaceName": "rhel:8.6+eus",
+          "VendorAdvisory": {
+            "AdvisorySummary": [
+              {
+                "ID": "RHSA-2023:5198",
+                "Link": "https://access.redhat.com/errata/RHSA-2023:5198"
+              }
+            ],
+            "NoAdvisory": false
+          },
+          "Version": "0:102.15.1-1.el8_6",
+          "VersionFormat": "rpm"
+        },
+        {
+          "Module": null,
+          "Name": "thunderbird",
+          "NamespaceName": "rhel:8.6+eus",
+          "VendorAdvisory": {
+            "AdvisorySummary": [
+              {
+                "ID": "RHSA-2023:5202",
+                "Link": "https://access.redhat.com/errata/RHSA-2023:5202"
+              }
+            ],
+            "NoAdvisory": false
+          },
+          "Version": "0:102.15.1-1.el8_6",
+          "VersionFormat": "rpm"
+        }
+      ],
+      "Link": "https://access.redhat.com/security/cve/CVE-2023-4863",
+      "Metadata": {},
+      "Name": "CVE-2023-4863",
+      "NamespaceName": "rhel:8.6+eus",
+      "Severity": "High"
+    }
+  },
+  "schema": "https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.2.json"
+}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8.6+eus/cve-2023-5129.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8.6+eus/cve-2023-5129.json
@@ -0,0 +1,77 @@
+{
+  "identifier": "rhel:8.6+eus/cve-2023-5129",
+  "item": {
+    "Vulnerability": {
+      "CVSS": [
+        {
+          "base_metrics": {
+            "base_score": 0.0,
+            "base_severity": "None",
+            "exploitability_score": 2.8,
+            "impact_score": -0.2
+          },
+          "status": "verified",
+          "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N",
+          "version": "3.1"
+        }
+      ],
+      "Description": "This CVE ID has been rejected by its CVE Numbering Authority. Duplicate of CVE-2023-4863.",
+      "FixedIn": [
+        {
+          "Module": null,
+          "Name": "libwebp",
+          "NamespaceName": "rhel:8.6+eus",
+          "VendorAdvisory": {
+            "AdvisorySummary": [
+              {
+                "ID": "RHSA-2023:5189",
+                "Link": "https://access.redhat.com/errata/RHSA-2023:5189"
+              }
+            ],
+            "NoAdvisory": false
+          },
+          "Version": "0:1.0.0-7.el8_6.1",
+          "VersionFormat": "rpm"
+        },
+        {
+          "Module": null,
+          "Name": "firefox",
+          "NamespaceName": "rhel:8.6+eus",
+          "VendorAdvisory": {
+            "AdvisorySummary": [
+              {
+                "ID": "RHSA-2023:5198",
+                "Link": "https://access.redhat.com/errata/RHSA-2023:5198"
+              }
+            ],
+            "NoAdvisory": false
+          },
+          "Version": "0:102.15.1-1.el8_6",
+          "VersionFormat": "rpm"
+        },
+        {
+          "Module": null,
+          "Name": "thunderbird",
+          "NamespaceName": "rhel:8.6+eus",
+          "VendorAdvisory": {
+            "AdvisorySummary": [
+              {
+                "ID": "RHSA-2023:5202",
+                "Link": "https://access.redhat.com/errata/RHSA-2023:5202"
+              }
+            ],
+            "NoAdvisory": false
+          },
+          "Version": "0:102.15.1-1.el8_6",
+          "VersionFormat": "rpm"
+        }
+      ],
+      "Link": "https://access.redhat.com/security/cve/CVE-2023-5129",
+      "Metadata": {},
+      "Name": "CVE-2023-5129",
+      "NamespaceName": "rhel:8.6+eus",
+      "Severity": "Unknown"
+    }
+  },
+  "schema": "https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.2.json"
+}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8.6+eus/cve-2023-5217.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8.6+eus/cve-2023-5217.json
@@ -0,0 +1,77 @@
+{
+  "identifier": "rhel:8.6+eus/cve-2023-5217",
+  "item": {
+    "Vulnerability": {
+      "CVSS": [
+        {
+          "base_metrics": {
+            "base_score": 8.8,
+            "base_severity": "High",
+            "exploitability_score": 2.8,
+            "impact_score": 5.9
+          },
+          "status": "verified",
+          "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+          "version": "3.1"
+        }
+      ],
+      "Description": "A heap-based buffer overflow flaw was found in the way libvpx, a library used to process VP8 and VP9 video codecs data, processes certain specially formatted video data via a crafted HTML page. This flaw allows an attacker to crash or remotely execute arbitrary code in an application, such as a web browser that is compiled with this library.",
+      "FixedIn": [
+        {
+          "Module": null,
+          "Name": "thunderbird",
+          "NamespaceName": "rhel:8.6+eus",
+          "VendorAdvisory": {
+            "AdvisorySummary": [
+              {
+                "ID": "RHSA-2023:5430",
+                "Link": "https://access.redhat.com/errata/RHSA-2023:5430"
+              }
+            ],
+            "NoAdvisory": false
+          },
+          "Version": "0:115.3.1-1.el8_6",
+          "VersionFormat": "rpm"
+        },
+        {
+          "Module": null,
+          "Name": "firefox",
+          "NamespaceName": "rhel:8.6+eus",
+          "VendorAdvisory": {
+            "AdvisorySummary": [
+              {
+                "ID": "RHSA-2023:5436",
+                "Link": "https://access.redhat.com/errata/RHSA-2023:5436"
+              }
+            ],
+            "NoAdvisory": false
+          },
+          "Version": "0:115.3.1-1.el8_6",
+          "VersionFormat": "rpm"
+        },
+        {
+          "Module": null,
+          "Name": "libvpx",
+          "NamespaceName": "rhel:8.6+eus",
+          "VendorAdvisory": {
+            "AdvisorySummary": [
+              {
+                "ID": "RHSA-2023:5538",
+                "Link": "https://access.redhat.com/errata/RHSA-2023:5538"
+              }
+            ],
+            "NoAdvisory": false
+          },
+          "Version": "0:1.7.0-10.el8_6",
+          "VersionFormat": "rpm"
+        }
+      ],
+      "Link": "https://access.redhat.com/security/cve/CVE-2023-5217",
+      "Metadata": {},
+      "Name": "CVE-2023-5217",
+      "NamespaceName": "rhel:8.6+eus",
+      "Severity": "High"
+    }
+  },
+  "schema": "https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.2.json"
+}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9.0+eus/cve-2023-4863.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9.0+eus/cve-2023-4863.json
@@ -0,0 +1,77 @@
+{
+  "identifier": "rhel:9.0+eus/cve-2023-4863",
+  "item": {
+    "Vulnerability": {
+      "CVSS": [
+        {
+          "base_metrics": {
+            "base_score": 9.6,
+            "base_severity": "Critical",
+            "exploitability_score": 2.8,
+            "impact_score": 6.0
+          },
+          "status": "verified",
+          "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
+          "version": "3.1"
+        }
+      ],
+      "Description": "A heap-based buffer flaw was found in the way libwebp, a library used to process \"WebP\" image format data, processes certain specially formatted WebP images. An attacker could use this flaw to crash or execute remotely arbitrary code in an application such as a web browser compiled with this library.",
+      "FixedIn": [
+        {
+          "Module": null,
+          "Name": "libwebp",
+          "NamespaceName": "rhel:9.0+eus",
+          "VendorAdvisory": {
+            "AdvisorySummary": [
+              {
+                "ID": "RHSA-2023:5204",
+                "Link": "https://access.redhat.com/errata/RHSA-2023:5204"
+              }
+            ],
+            "NoAdvisory": false
+          },
+          "Version": "0:1.2.0-6.el9_0",
+          "VersionFormat": "rpm"
+        },
+        {
+          "Module": null,
+          "Name": "firefox",
+          "NamespaceName": "rhel:9.0+eus",
+          "VendorAdvisory": {
+            "AdvisorySummary": [
+              {
+                "ID": "RHSA-2023:5205",
+                "Link": "https://access.redhat.com/errata/RHSA-2023:5205"
+              }
+            ],
+            "NoAdvisory": false
+          },
+          "Version": "0:102.15.1-1.el9_0",
+          "VersionFormat": "rpm"
+        },
+        {
+          "Module": null,
+          "Name": "thunderbird",
+          "NamespaceName": "rhel:9.0+eus",
+          "VendorAdvisory": {
+            "AdvisorySummary": [
+              {
+                "ID": "RHSA-2023:5223",
+                "Link": "https://access.redhat.com/errata/RHSA-2023:5223"
+              }
+            ],
+            "NoAdvisory": false
+          },
+          "Version": "0:102.15.1-1.el9_0",
+          "VersionFormat": "rpm"
+        }
+      ],
+      "Link": "https://access.redhat.com/security/cve/CVE-2023-4863",
+      "Metadata": {},
+      "Name": "CVE-2023-4863",
+      "NamespaceName": "rhel:9.0+eus",
+      "Severity": "High"
+    }
+  },
+  "schema": "https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.2.json"
+}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9.0+eus/cve-2023-5129.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9.0+eus/cve-2023-5129.json
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9.0+eus/cve-2023-5217.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9.0+eus/cve-2023-5217.json
diff --git a/tests/unit/providers/rhel/test_rhel.py b/tests/unit/providers/rhel/test_rhel.py
