fix: improve kerberos checker

ffontaine · ffontaine · commit fcdbd4a3141e · 2023-01-24T11:14:27.000+01:00
- Drop mit:kerberos and get_version as NVD NIST has deprecated this unusual versioning since January 2020: https://nvd.nist.gov/products/cpe/detail/335C9545-32F8-4473-97BD-636F1532525F?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Aa%3Amit%3Akerberos%3A5-1.5.1%3A*%3A*%3A*%3A*%3A*%3A*%3A*&status=FINAL%2CDEPRECATED - Add debian and openwrt test packages Signed-off-by: Fabrice Fontaine <fabrice.fontaine@orange.com>
diff --git a/cve_bin_tool/checkers/README.md b/cve_bin_tool/checkers/README.md
@@ -531,7 +531,7 @@ return following dictionary.
 
 In most of the cases, Just providing above five class attributes will be enough.
 But sometimes, you need to override this method to correctly detect version of
-the product. We have done this in the checkers of `python`, `sqlite` and `kerberos`.
+the product. We have done this in the checkers of `python` and`sqlite`.
 
 ## Updating checker table
 
diff --git a/cve_bin_tool/checkers/kerberos.py b/cve_bin_tool/checkers/kerberos.py
@@ -6,7 +6,7 @@
 CVE checker for kerberos (CLI/library)
 
 References:
-https://www.cvedetails.com/vulnerability-list/vendor_id-42/product_id-61/MIT-Kerberos.html
+https://www.cvedetails.com/product/12666/MIT-Kerberos-5.html?vendor_id=42
 """
 from cve_bin_tool.checkers import Checker
 
@@ -18,27 +18,4 @@ class KerberosChecker(Checker):
         r"KRB5_BRAND: krb5-(\d+\.\d+\.?\d?)-final",
         r"kerberos 5[_-][apl-]*(1+\.[0-9]+(\.[0-9]+)*)",
     ]
-    VENDOR_PRODUCT = [("mit", "kerberos"), ("mit", "kerberos_5")]
-
-    def get_version(self, lines, filename):
-        version_info = super().get_version(lines, filename)
-
-        # currently we're only detecting kerberos 5, so return a double-version_info list
-        # if we ever detect kerberos that's not 5, this if statement will change
-        if "is_or_contains" in version_info:
-            version_info5 = [dict(), dict()]
-            version_info5[0] = version_info
-            version_info5[1] = dict()
-            version_info5[1]["is_or_contains"] = version_info["is_or_contains"]
-            version_info5[1]["productname"] = "kerberos_5"
-
-            # strip the leading "5-" off the version for 'kerberos_5' if there is one
-            # or conversely, add one to the 'kerberos' listing if there isn't
-            if version_info["version"][:2] == "5-":
-                version_info5[1]["version"] = version_info["version"][2:]
-            else:
-                version_info5[1]["version"] = version_info["version"]
-                version_info5[0]["version"] = "5-{}".format(version_info["version"])
-            return version_info5
-
-        return version_info
+    VENDOR_PRODUCT = [("mit", "kerberos_5")]
diff --git a/test/condensed-downloads/krb5-libs_1.17-2_x86_64.ipk.tar.gz b/test/condensed-downloads/krb5-libs_1.17-2_x86_64.ipk.tar.gz
diff --git a/test/condensed-downloads/libkrb5-3_1.12.1+dfsg-19+deb8u4_amd64.deb.tar.gz b/test/condensed-downloads/libkrb5-3_1.12.1+dfsg-19+deb8u4_amd64.deb.tar.gz
diff --git a/test/json/bad_intermediate.json b/test/json/bad_intermediate.json
@@ -52,15 +52,6 @@
             "cve_number": "",
             "severity": ""
         },
-        {
-            "vendor": "mit",
-            "product": "kerberos",
-            "version": "1.15.1",
-            "remarks": "",
-            "comments": "",
-            "cve_number": "",
-            "severity": ""
-        },
         {
             "vendor": "sun",
             "product": "sunos",
@@ -80,4 +71,4 @@
             "severity": ""
         }
     ]
-}
+}
diff --git a/test/json/bad_metadata.json b/test/json/bad_metadata.json
@@ -54,16 +54,6 @@
             "severity": "",
             "paths": ""
         },
-        {
-            "vendor": "mit",
-            "product": "kerberos",
-            "version": "1.15.1",
-            "remarks": "",
-            "comments": "",
-            "cve_number": "",
-            "severity": "",
-            "paths": ""
-        },
         {
             "vendor": "sun",
             "product": "sunos",
@@ -85,4 +75,4 @@
             "paths": ""
         }
     ]
-}
+}
diff --git a/test/json/test_triage.json b/test/json/test_triage.json
@@ -44,15 +44,6 @@
     "cve_number": "",
     "severity": ""
   },
-  {
-    "vendor": "mit",
-    "product": "kerberos",
-    "version": "1.15.1",
-    "remarks": "",
-    "comments": "",
-    "cve_number": "",
-    "severity": ""
-  },
   {
     "vendor": "sun",
     "product": "sunos",
@@ -71,4 +62,4 @@
     "cve_number": "",
     "severity": ""
   }
-]
+]
diff --git a/test/test_checkers.py b/test/test_checkers.py
@@ -74,7 +74,7 @@ def setup_class(cls):
                 "international_components_for_unicode.o",
                 ["international_components_for_unicode"],
             ),
-            ("kerberos", "kerberos", ["kerberos", "kerberos_5"]),
+            ("kerberos", "kerberos", ["kerberos_5"]),
             ("libcurl", "libcurl.so.2.0", ["libcurl"]),
             ("libdb", "libdb-2.0.so", ["libdb"]),
             ("libgcrypt", "libgcrypt.so.1.0", ["libgcrypt"]),
diff --git a/test/test_csv2cve.py b/test/test_csv2cve.py
@@ -31,7 +31,6 @@ async def test_csv2cve_valid_file(self, caplog):
         ) in caplog.record_tuples
 
         for cve_count, product in [
-            [3, "mit.kerberos v1.15.1"],
             [60, "haxx.curl v7.34.0"],
             [10, "mit.kerberos_5 v1.15.1"],
         ]:
diff --git a/test/test_data/kerberos.py b/test/test_data/kerberos.py
@@ -1,26 +1,46 @@
 # Copyright (C) 2021 Intel Corporation
 # SPDX-License-Identifier: GPL-3.0-or-later
 
-from __future__ import annotations
-
 mapping_test_data = [
     {
-        "product": "kerberos",
-        "version": "5-1.15.1",
+        "product": "kerberos_5",
+        "version": "1.15.1",
         "version_strings": [
             "An unknown option was passed in to kerberos",
             "CLIENT kerberos 5-1.15.1",
             "KRB5_BRAND: ",
         ],
     },
     {
-        "product": "kerberos",
-        "version": "5-1.15.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1",
+        "product": "kerberos_5",
+        "version": "1.15.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1",
         "version_strings": [
             "An unknown option was passed in to kerberos",
             "CLIENT kerberos 5-1.15.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1",
             "KRB5_BRAND: ",
         ],
     },
 ]
-package_test_data: list[dict] = []
+package_test_data = [
+    {
+        "url": "http://mirror.centos.org/centos/7/os/x86_64/Packages/",
+        "package_name": "krb5-libs-1.15.1-50.el7.x86_64.rpm",
+        "product": "kerberos_5",
+        "version": "1.15.1",
+        "other_products": [],
+    },
+    {
+        "url": "http://ftp.fr.debian.org/debian/pool/main/k/krb5/",
+        "package_name": "libkrb5-3_1.12.1+dfsg-19+deb8u4_amd64.deb",
+        "product": "kerberos_5",
+        "version": "1.12.1",
+        "other_products": [],
+    },
+    {
+        "url": "https://downloads.openwrt.org/releases/packages-19.07/x86_64/packages/",
+        "package_name": "krb5-libs_1.17-2_x86_64.ipk",
+        "product": "kerberos_5",
+        "version": "1.17",
+        "other_products": [],
+    },
+]
diff --git a/test/test_data/kerberos_5.py b/test/test_data/kerberos_5.py
diff --git a/test/test_input_engine.py b/test/test_input_engine.py
@@ -46,11 +46,7 @@ class TestInputEngine:
             },
             "paths": {""},
         },
-        ProductInfo("mit", "kerberos", "1.15.1"): {
-            "default": {"comments": "", "remarks": Remarks.Unexplored, "severity": ""},
-            "paths": {""},
-        },
-        ProductInfo("mit", "kerberos_5", "5-1.15.1"): {
+        ProductInfo("mit", "kerberos_5", "1.15.1"): {
             "default": {"comments": "", "remarks": Remarks.Confirmed, "severity": ""},
             "paths": {""},
         },
