Handle all Clair Vulnerability Data Sources in Analyzers Common Library

Problem to solve

The Analyzers Common Library only supports the following security advisory types: CVE, CWE, OSVDB, USN, WASC. The purpose of this issue is to implement parsers for all of the currently unsupported Clair Vulnerability Data Sources:

  • Red Hat Security Advisory (RHSA), which have the format RHSA-2019:3892.
  • Oracle Linux Security Data (ELSA), which have the format ELSA-2017-1101.
  • Possibly others?

Intended users

  • Sasha (Software Developer)

Further details

Some more details about the types of vulnerabilities that the Clair DB provides can be found here.

Implementation plan

  1. Add new functions to identifier.go to support the new identifier types. The code for handling these new identifier types already exists in the container scanning project, so we should be able to just copy/paste that code.
  2. Once the code has been added to identifier.go, the corresponding workaround in the container scanning project should be removed, and a new version of the container scanning tool should be tagged and pushed.
    • gitlab-org/security-products/analyzers/klar!23 (merged)
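The two identifier formats named above, parsed the way a new identifier.go helper would need to, as an added example that is not the Analyzers Common Library's or the Klar project's own code; the Identifier type, the function name and the advisory URL patterns are assumptions for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Identifier is a parsed security-advisory identifier. The type and its
// fields are an assumption for this example, not the library's own API.
type Identifier struct {
	Type string // "rhsa" or "elsa"
	Name string // identifier as reported by Clair, e.g. "RHSA-2019:3892"
	URL  string // advisory page; the URL patterns below are assumptions
}

// Formats from the issue: RHSA-YYYY:NNNN and ELSA-YYYY-NNNN. Anchors keep
// look-alike strings such as "RHSA-2019:3892-extra" from matching.
var (
	rhsaRe = regexp.MustCompile(`^RHSA-(\d{4}):(\d{4,})$`)
	elsaRe = regexp.MustCompile(`^ELSA-(\d{4})-(\d{4,})$`)
)

// ParseIdentifier classifies a Clair vulnerability name. ok is false for
// unsupported formats so the caller can fall back to its existing handling.
func ParseIdentifier(name string) (id Identifier, ok bool) {
	if m := rhsaRe.FindStringSubmatch(name); m != nil {
		url := fmt.Sprintf("https://access.redhat.com/errata/RHSA-%s:%s", m[1], m[2])
		return Identifier{Type: "rhsa", Name: name, URL: url}, true
	}
	if m := elsaRe.FindStringSubmatch(name); m != nil {
		url := fmt.Sprintf("https://linux.oracle.com/errata/ELSA-%s-%s.html", m[1], m[2])
		return Identifier{Type: "elsa", Name: name, URL: url}, true
	}
	return Identifier{}, false
}

func main() {
	// Constructed sample names: two from the issue and one unsupported format.
	for _, n := range []string{"RHSA-2019:3892", "ELSA-2017-1101", "CVE-2019-0001"} {
		id, ok := ParseIdentifier(n)
		fmt.Printf("%-16s ok=%-5v type=%-4s url=%s\n", n, ok, id.Type, id.URL)
	}
}
```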

Permissions and Security

Documentation

No documentation is needed for this change.

Testing

Create a new branch in the container scanning test project and ensure that the new vulnerability types are supported.

What does success look like, and how can we measure that?

Our Klar analyzer is capable of handling all identifiers provided by Clair in the reported vulnerabilities.

What is the type of buyer?

GitLab Ultimate

Links / references

Edited Jan 06, 2020 by Adam Cohen