
Fedora vulnerability scanner in EC2 instances with Cartography

Open heryxpc opened this issue 3 months ago • 0 comments


Description

We are deprecating an internal intel module we used to determine vulnerabilities in Fedora systems. Rather than killing the code, we would prefer to share it with the community as a new set of intel modules:

  • OSQuery Packages transform - adds a parser to read JSON files from an OSQuery query that returns package information.
  • Fedora Packages information get - uses official Fedora mirrors to gather package information for a group of Fedora releases and assigns a severity based on Fedora security errata.
  • RedHat security advisories get - queries the RedHat security data API to gather CVEs and their severity.
  • Compute Fedora Affected Packages - calculates which packages are deployed to an EC2 instance and hence determines which vulnerabilities affect the instance. The code will require some refactoring to adapt to the latest changes in Cartography (data model, match pattern for the Trivy scanner, etc.), but this can be done in phases.

Motivation

We wouldn't like this code to be forgotten, especially since so much work went into making it stable. Besides, there aren't many open source package vulnerability scanners for Fedora.

Alternatives Considered

Relevant Links

Might be something similar to https://github.com/cartography-cncf/cartography/pull/1737

heryxpc · Sep 16 '25 19:09
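As an added illustration of the last two bullets (the OSQuery package parser and the "compute affected packages" step), here is a standalone Python sketch; it is not code from this issue or from Cartography. It parses the JSON that osquery's `rpm_packages` table emits, compares each installed `epoch:version-release` against an advisory's fixed EVR using an rpmvercmp-style comparison (a plain string compare would wrongly rank `1.10` below `1.9`), and rolls the worst severity up to the instance. The osquery output, the advisory list, its field names and the advisory ids are constructed for the example; the real Fedora errata and Red Hat security data feeds have their own formats.

```python
import itertools
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the shape `osqueryi --json` emits for
#   SELECT name, epoch, version, release, arch FROM rpm_packages;
# on a Fedora host. The packages and versions are made up for this example.
OSQUERY_PACKAGES_JSON = """[
  {"name": "openssl", "epoch": "1", "version": "3.0.9",  "release": "2.fc38", "arch": "x86_64"},
  {"name": "curl",    "epoch": "0", "version": "8.0.1",  "release": "3.fc38", "arch": "x86_64"},
  {"name": "bash",    "epoch": "0", "version": "5.2.15", "release": "3.fc38", "arch": "x86_64"}
]"""

# Constructed advisories in a minimal shape of our own (assumption: not the real
# Fedora errata or Red Hat security-data layout). The ids are placeholders.
ADVISORIES = [
    {"id": "EXAMPLE-ADVISORY-1", "package": "openssl", "fixed": "1:3.0.9-3.fc38",  "severity": "Important"},
    {"id": "EXAMPLE-ADVISORY-2", "package": "curl",    "fixed": "0:8.0.1-4.fc38",  "severity": "Moderate"},
    {"id": "EXAMPLE-ADVISORY-3", "package": "bash",    "fixed": "0:5.2.15-3.fc38", "severity": "Low"},
    {"id": "EXAMPLE-ADVISORY-4", "package": "zlib",    "fixed": "0:1.2.13-4.fc38", "severity": "Critical"},
]

# Red Hat / Fedora severity scale, ranked so the worst finding can be picked.
SEVERITY_RANK = {"Low": 1, "Moderate": 2, "Important": 3, "Critical": 4}

_SEGMENT = re.compile(r"\d+|[a-zA-Z]+|~|\^")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version (or release) strings the way librpm's rpmvercmp does.

    Strings are split into numeric runs, alphabetic runs, '~' and '^'. Numeric runs
    compare as integers, alphabetic runs lexically, a numeric run beats an alphabetic
    one, '~' sorts before anything (pre-release), and '^' sorts after the bare base
    version but before any longer version (post-release snapshot). Returns -1, 0 or 1.
    """
    if a == b:
        return 0
    for x, y in itertools.zip_longest(_SEGMENT.findall(a), _SEGMENT.findall(b)):
        if x == y:
            continue
        if x == "~":
            return -1
        if y == "~":
            return 1
        if x is None:  # a ran out of segments first, so a is the older one
            return -1
        if y is None:
            return 1
        if x == "^":
            return -1
        if y == "^":
            return 1
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit():
            return 1
        if y.isdigit():
            return -1
        return (x > y) - (x < y)
    return 0


def parse_evr(evr: str):
    """Split 'epoch:version-release' into its parts; a missing epoch means 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release


def evr_cmp(a: str, b: str) -> int:
    """Order two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    return (ea > eb) - (ea < eb) or rpmvercmp(va, vb) or rpmvercmp(ra, rb)


@dataclass(frozen=True)
class InstalledPackage:
    name: str
    epoch: str
    version: str
    release: str
    arch: str

    @property
    def evr(self) -> str:
        return f"{self.epoch}:{self.version}-{self.release}"


def parse_osquery_packages(raw_json: str) -> list:
    """Turn the rpm_packages JSON rows into InstalledPackage records (empty epoch -> 0)."""
    return [
        InstalledPackage(
            name=row["name"],
            epoch=str(row.get("epoch") or "0"),
            version=row["version"],
            release=row["release"],
            arch=row.get("arch", ""),
        )
        for row in json.loads(raw_json)
    ]


def find_affected(packages: list, advisories: list) -> list:
    """A package is affected when its installed EVR sorts below the advisory's fixed EVR."""
    installed = {}
    for pkg in packages:
        installed.setdefault(pkg.name, []).append(pkg)
    findings = []
    for adv in advisories:
        for pkg in installed.get(adv["package"], []):
            if evr_cmp(pkg.evr, adv["fixed"]) < 0:
                findings.append({"package": pkg.name, "installed": pkg.evr, "fixed": adv["fixed"],
                                 "advisory": adv["id"], "severity": adv["severity"]})
    return findings


def instance_severity(findings: list) -> Optional[str]:
    """Worst severity across all findings, i.e. the label to attach to the EC2 instance."""
    if not findings:
        return None
    return max((f["severity"] for f in findings), key=lambda s: SEVERITY_RANK.get(s, 0))


if __name__ == "__main__":
    found = find_affected(parse_osquery_packages(OSQUERY_PACKAGES_JSON), ADVISORIES)
    for f in found:
        print(f"{f['severity']:<10} {f['package']} installed {f['installed']} < fixed {f['fixed']} ({f['advisory']})")
    print("instance severity:", instance_severity(found))
```

Run as a script it reports openssl and curl as affected (bash is already at the fixed release, zlib is not installed) and an instance severity of Important. Keeping the comparison in RPM semantics matters for the "phases" mentioned above: the parser and the advisory fetchers can be swapped for the real feeds without touching the matching logic.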