Improve implementation around config (#1122)

* refactor config * fix saas config * feat(config): scanmodule for each server in config.toml * feat(config): enable to specify containersOnly in config.toml * add new keys of config.toml to discover.go * fix summary output, logging
2021-01-13 08:46:27 +09:00
parent a67052f48c
commit 0b55f94828
44 changed files with 1302 additions and 1144 deletions
--- a/models/cvecontents.go
+++ b/models/cvecontents.go
@@ -247,7 +247,7 @@ func NewCveContentType(name string) CveContentType {
 	case "microsoft":
 		return Microsoft
 	case "wordpress":
-		return WPVulnDB
+		return WpScan
 	case "amazon":
 		return Amazon
 	case "trivy":
@@ -291,8 +291,8 @@ const (
 	// Microsoft is Microsoft
 	Microsoft CveContentType = "microsoft"

-	// WPVulnDB is WordPress
-	WPVulnDB CveContentType = "wpvulndb"
+	// WpScan is WordPress
+	WpScan CveContentType = "wpscan"

 	// Trivy is Trivy
 	Trivy CveContentType = "trivy"
@@ -315,7 +315,7 @@ var AllCveContetTypes = CveContentTypes{
 	Amazon,
 	SUSE,
 	DebianSecurityTracker,
-	WPVulnDB,
+	WpScan,
 	Trivy,
 }

--- a/models/library.go
+++ b/models/library.go
@@ -30,6 +30,13 @@ func (lss LibraryScanners) Find(path, name string) map[string]types.Library {
 	return filtered
 }

+func (lss LibraryScanners) Total() (total int) {
+	for _, lib := range lss {
+		total += len(lib.Libs)
+	}
+	return
+}
+
 // LibraryScanner has libraries information
 type LibraryScanner struct {
 	Path string
--- a/models/scanresults.go
+++ b/models/scanresults.go
@@ -145,11 +145,12 @@ func (r ScanResult) FilterByCvssOver(over float64) ScanResult {

 // FilterIgnoreCves is filter function.
 func (r ScanResult) FilterIgnoreCves() ScanResult {
-
 	ignoreCves := []string{}
 	if len(r.Container.Name) == 0 {
+		//TODO pass by args
 		ignoreCves = config.Conf.Servers[r.ServerName].IgnoreCves
 	} else {
+		//TODO pass by args
 		if s, ok := config.Conf.Servers[r.ServerName]; ok {
 			if con, ok := s.Containers[r.Container.Name]; ok {
 				ignoreCves = con.IgnoreCves
@@ -176,8 +177,8 @@ func (r ScanResult) FilterIgnoreCves() ScanResult {
 }

 // FilterUnfixed is filter function.
-func (r ScanResult) FilterUnfixed() ScanResult {
-	if !config.Conf.IgnoreUnfixed {
+func (r ScanResult) FilterUnfixed(ignoreUnfixed bool) ScanResult {
+	if !ignoreUnfixed {
 		return r
 	}
 	filtered := r.ScannedCves.Find(func(v VulnInfo) bool {
@@ -199,6 +200,7 @@ func (r ScanResult) FilterUnfixed() ScanResult {
 func (r ScanResult) FilterIgnorePkgs() ScanResult {
 	var ignorePkgsRegexps []string
 	if len(r.Container.Name) == 0 {
+		//TODO pass by args
 		ignorePkgsRegexps = config.Conf.Servers[r.ServerName].IgnorePkgsRegexp
 	} else {
 		if s, ok := config.Conf.Servers[r.ServerName]; ok {
@@ -251,8 +253,8 @@ func (r ScanResult) FilterIgnorePkgs() ScanResult {
 }

 // FilterInactiveWordPressLibs is filter function.
-func (r ScanResult) FilterInactiveWordPressLibs() ScanResult {
-	if !config.Conf.Servers[r.ServerName].WordPress.IgnoreInactive {
+func (r ScanResult) FilterInactiveWordPressLibs(detectInactive bool) ScanResult {
+	if detectInactive {
 		return r
 	}

@@ -348,16 +350,23 @@ func (r ScanResult) FormatTextReportHeader() string {
 		buf.WriteString("=")
 	}

-	return fmt.Sprintf("%s\n%s\n%s, %s, %s, %s, %s, %s\n",
+	pkgs := r.FormatUpdatablePacksSummary()
+	if 0 < len(r.WordPressPackages) {
+		pkgs = fmt.Sprintf("%s, %d WordPress pkgs", pkgs, len(r.WordPressPackages))
+	}
+	if 0 < len(r.LibraryScanners) {
+		pkgs = fmt.Sprintf("%s, %d libs", pkgs, r.LibraryScanners.Total())
+	}
+
+	return fmt.Sprintf("%s\n%s\n%s, %s, %s, %s, %s\n%s\n",
 		r.ServerInfo(),
 		buf.String(),
 		r.ScannedCves.FormatCveSummary(),
 		r.ScannedCves.FormatFixedStatus(r.Packages),
-		r.FormatUpdatablePacksSummary(),
 		r.FormatExploitCveSummary(),
 		r.FormatMetasploitCveSummary(),
 		r.FormatAlertSummary(),
-	)
+		pkgs)
 }

 // FormatUpdatablePacksSummary returns a summary of updatable packages
@@ -388,7 +397,7 @@ func (r ScanResult) FormatExploitCveSummary() string {
 			nExploitCve++
 		}
 	}
-	return fmt.Sprintf("%d exploits", nExploitCve)
+	return fmt.Sprintf("%d poc", nExploitCve)
 }

 // FormatMetasploitCveSummary returns a summary of exploit cve
@@ -399,7 +408,7 @@ func (r ScanResult) FormatMetasploitCveSummary() string {
 			nMetasploitCve++
 		}
 	}
-	return fmt.Sprintf("%d modules", nMetasploitCve)
+	return fmt.Sprintf("%d exploits", nMetasploitCve)
 }

 // FormatAlertSummary returns a summary of CERT alerts
@@ -423,6 +432,7 @@ func (r ScanResult) isDisplayUpdatableNum() bool {
 	}

 	var mode config.ScanMode
+	//TODO pass by args
 	s, _ := config.Conf.Servers[r.ServerName]
 	mode = s.Mode

@@ -455,10 +465,8 @@ func (r ScanResult) IsContainer() bool {
 // IsDeepScanMode checks if the scan mode is deep scan mode.
 func (r ScanResult) IsDeepScanMode() bool {
 	for _, s := range r.Config.Scan.Servers {
-		for _, m := range s.ScanMode {
-			if m == "deep" {
-				return true
-			}
+		if ok := s.Mode.IsDeep(); ok {
+			return true
 		}
 	}
 	return false
--- a/models/scanresults_test.go
+++ b/models/scanresults_test.go
@@ -392,8 +392,7 @@ func TestFilterUnfixed(t *testing.T) {
 		},
 	}
 	for i, tt := range tests {
-		config.Conf.IgnoreUnfixed = true
-		actual := tt.in.FilterUnfixed()
+		actual := tt.in.FilterUnfixed(true)
 		if !reflect.DeepEqual(tt.out.ScannedCves, actual.ScannedCves) {
 			o := pp.Sprintf("%v", tt.out.ScannedCves)
 			a := pp.Sprintf("%v", actual.ScannedCves)
--- a/models/vulninfos.go
+++ b/models/vulninfos.go
@@ -306,7 +306,7 @@ func (v VulnInfo) Summaries(lang, myFamily string) (values []CveContentStr) {
 		})
 	}

-	if v, ok := v.CveContents[WPVulnDB]; ok {
+	if v, ok := v.CveContents[WpScan]; ok {
 		values = append(values, CveContentStr{
 			Type:  "WPVDB",
 			Value: v.Title,
@@ -810,8 +810,8 @@ const (
 	// GitHubMatchStr is a String representation of GitHubMatch
 	GitHubMatchStr = "GitHubMatch"

-	// WPVulnDBMatchStr is a String representation of WordPress VulnDB scanning
-	WPVulnDBMatchStr = "WPVulnDBMatch"
+	// WpScanMatchStr is a String representation of WordPress VulnDB scanning
+	WpScanMatchStr = "WpScanMatch"

 	// FailedToGetChangelog is a String representation of FailedToGetChangelog
 	FailedToGetChangelog = "FailedToGetChangelog"
@@ -851,6 +851,6 @@ var (
 	// GitHubMatch is a ranking how confident the CVE-ID was detected correctly
 	GitHubMatch = Confidence{97, GitHubMatchStr, 2}

-	// WPVulnDBMatch is a ranking how confident the CVE-ID was detected correctly
-	WPVulnDBMatch = Confidence{100, WPVulnDBMatchStr, 0}
+	// WpScanMatch is a ranking how confident the CVE-ID was detected correctly
+	WpScanMatch = Confidence{100, WpScanMatchStr, 0}
 )