v0.5.0 (no backwards compatibility) (#478)

* Change config.toml, Auto-generate UUIDs, change structure of optional field

* Detect processes affected by update using yum-ps (#482)

Detect processes affected by update using yum-ps

* Detect processes needs restart using checkrestart on Debian and Ubuntu.

* pass cpename by args when calling FillCveInfo (#513)

* fix new db (#502)

* Include Version,Revision in JSON

* Include hostname in JSON

* Update goval-dictionary's commit hash in Gopkg.lock

* Remove README.ja.md

* update packages (#596)

* fix: change ControlPath to .vuls of SSH option (#618)

* feat: checkrestart for Ubuntu and Debian (#622)

* feat: checkrestart for Ubuntu and Debian

* fix: dependencies check logic of configtest

* feat: need-restarting on RedHat

* refactor: Process.ProcName to Process.Name

* feat: detect a systemd service name of need-restarting-process

* feat: detect a systemd service name of need-restarting-process on Ubuntu

* feat: fill a service name of need-restarting-process, init-system

* Support NVD JSON and CVSS3 of JVN (#605)

* fix: compile errors

* fix: Show CVSS3 on TUI

* fix: test cases

* fix: Avoid null in JSON

* Fix maxCvssScore (#621)

* Fix maxCvssScore

* Update vulninfos.go

* fix(init): remove unnecessary log initialization

* refactor(nvd): use only json feed if exists json data. if not, use xml feed

* fix(scan): make Confidence slice

* feat(CWE): Display CWE name to TUI

* feat(cwe): import CWE defs in Japanese

* feat(cwe): add OWASP Top 10 ranking to CWE if applicable

* feat(scan): add -fast-root mode, implement scan/amazon.go

* refactor(const): change const name JVN to Jvn

* feat(scan): add -fast-root mode, implement scan/centos.go

* refactor(dep): update deps

* fix(amazon): deps check

* feat(scan): add -fast-root mode, implement scan/rhel.go

* feat(scan): add -fast-root mode, implement scan/oracle.go

* fix complile err

* feat(scan): add -fast-root mode, implement scan/debian.go

* fix testcase

* fix(amazon): scan using yum

* fix(configtest): change error message, status when no scannnable servers

* Fix(scan): detect init process logic

* fix(tui): display cvss as table format

* fix(scan): parse a output of reboot-notifier on CentOS6.9

* fix(tui): don't display score, vector when score is zero

* fix(scan): add -offline mode to suse scanner

* fix(scan): fix help message

* feat(scan): enable to define scan mode for each servers in config.toml #510

* refactor(config): chagne cpeNames to cpeURIs

* refactor(config): change dependencyCheckXMLPath to owaspDCXMLPath

* fix(config): containers -> containersIncluded, Excluded, containerType

* feature(report): enable to define cpeURIs for each contaner

* feature(report): enable to specify owasp dc xml path for each container

* fix(discover): fix a template displayed at the end of discover

* feature(report): add ignorePkgsRegexp #665

* feature(report): enable to define ignoreCves for each container #666

* fix(report): Displayed nothing in TUI detail area when CweID is nil

* Gopkg.toml diet

* feat(server): support server mode (#678)

* feat(server): support server mode

* Lock go version

* Use the latest kernel release among the installed release when the running kernel release is unknown

* Add TestViaHTTP

* Set logger to go-cve-dictionary client

* Add -to-localfile

* Add -to-http option to report

* Load -to-http conf from config.toml

* Support gost (#676)

* feat(gost): Support RedHat API

* feat(gost): Support Debian Security Tracker

* feat(db): display error msg when SQLite3 is locked at the beginning of reporting.

* feat(gost): TUI

* Only use RedHat information of installed packages

* feat(tui): show mitigation on TUI

* feat(gost): support redis backend

* fix test case

* fix nil pointer when db is nil

* fix(gost): detect vulns of src packages for Debian

* feat(gost): implement redis backend for gost redhat api

* feat(report): display fixState of unfixed pkgs

* fix(report): display distincted cweIDs

* feat(slack): display gost info

* feat(slack): display mitigation

* feat(report): display available patch state as fixed/total

* fix(tui): display - if source of reference is empty

* update deps

* fix(report): key in ScanResult JSON be lowerCamelcase.

* some keys to lower camel

* fix(configtest): dep check logic of yum-plugin-ps

* fix(tui): format

* feat(report): add -format-list option

* fix(report): -format-full-text

* fix(report): report -format-full-text

* fix(report): display v3 score detected by gost

* fix(scan): scan in fast mode if not defined in config.toml

* fix(gost): fetch RedHat data for fixed CVEs

* feat(report): show number of cves detected in each database

* fix(report): show new version as `Unknown` in offline and fast scan mode

* fix(report): fix num of upadtable and fixed

* fix(report): set `Not fixed yet` if packageStatus is empty

* refact(gost): make convertToModel public

* fix(test): fix test case

* update deps

* fix(report): include gost score in MaxCvssScore

* [WIP] feat(config): enable to set options in config.toml instead of cmd opt (#690)

* feat(config): enable to set options in config.toml instead of cmd opt

* fix(config): change Conf.Report.Slack to Conf.Slack

* fix(discover): change tempalte

* fix(report): fix config.toml auto-generate with -uuid

* Add endpoint for health check and change endpoint

* refact(cmd): refactor flag set

* fix(report): enable to specify opts with cmd arg and env value

* fix(scan): enable to parse the release version of amazon linux 2

* add(report) add -to-saas option (#695)

* add(report) add -to-saas option

* ignore other writer if -to-saas

* fix(saas) fix bug

* fix(scan): need-restarting needs internet connection

* fix(scan,configtest): check scan mode

* refactor(scan): change func name

* fix(suse): support offline mode, bug fix on AWS, zypper --no-color

* fix(tui): fix nil pointer when no vulns in tui

* feat(report): enable to define CPE FS format in config.toml

* fix(vet): fix warnings of go vet

* fix(travis): go version to 1.11

* update deps

report/util.go

@@ -18,6 +18,7 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 package report
 
 import (
+	"bytes"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
@@ -33,9 +34,10 @@ import (
 	"github.com/future-architect/vuls/models"
 	"github.com/future-architect/vuls/util"
 	"github.com/gosuri/uitable"
+	"github.com/olekukonko/tablewriter"
 )
 
-const maxColWidth = 80
+const maxColWidth = 100
 
 func formatScanSummary(rs ...models.ScanResult) string {
 	table := uitable.New()
@@ -47,7 +49,7 @@ func formatScanSummary(rs ...models.ScanResult) string {
 			cols = []interface{}{
 				r.FormatServerName(),
 				fmt.Sprintf("%s%s", r.Family, r.Release),
-				r.Packages.FormatUpdatablePacksSummary(),
+				r.FormatUpdatablePacksSummary(),
 			}
 		} else {
 			cols = []interface{}{
@@ -72,7 +74,8 @@ func formatOneLineSummary(rs ...models.ScanResult) string {
 			cols = []interface{}{
 				r.FormatServerName(),
 				r.ScannedCves.FormatCveSummary(),
-				r.Packages.FormatUpdatablePacksSummary(),
+				r.ScannedCves.FormatFixedStatus(r.Packages),
+				r.FormatUpdatablePacksSummary(),
 			}
 		} else {
 			cols = []interface{}{
@@ -86,7 +89,7 @@ func formatOneLineSummary(rs ...models.ScanResult) string {
 	return fmt.Sprintf("%s\n", table)
 }
 
-func formatShortPlainText(r models.ScanResult) string {
+func formatList(r models.ScanResult) string {
 	header := r.FormatTextReportHeadedr()
 	if len(r.Errors) != 0 {
 		return fmt.Sprintf(
@@ -99,63 +102,49 @@ func formatShortPlainText(r models.ScanResult) string {
 %s
 No CVE-IDs are found in updatable packages.
 %s
-	 `, header, r.Packages.FormatUpdatablePacksSummary())
+	 `, header, r.FormatUpdatablePacksSummary())
 	}
 
-	stable := uitable.New()
-	stable.MaxColWidth = maxColWidth
-	stable.Wrap = true
-	for _, vuln := range r.ScannedCves.ToSortedSlice() {
-		summaries := vuln.Summaries(config.Conf.Lang, r.Family)
-		links := vuln.CveContents.SourceLinks(
-			config.Conf.Lang, r.Family, vuln.CveID)
+	data := [][]string{}
+	for _, vinfo := range r.ScannedCves.ToSortedSlice() {
+		max := vinfo.MaxCvssScore().Value.Score
+		// v2max := vinfo.MaxCvss2Score().Value.Score
+		// v3max := vinfo.MaxCvss3Score().Value.Score
 
-		vlinks := []string{}
-		for name, url := range vuln.VendorLinks(r.Family) {
-			vlinks = append(vlinks, fmt.Sprintf("%s (%s)", url, name))
-		}
+		// packname := vinfo.AffectedPackages.FormatTuiSummary()
+		// packname += strings.Join(vinfo.CpeURIs, ", ")
 
-		cvsses := ""
-		for _, cvss := range vuln.Cvss2Scores() {
-			cvsses += fmt.Sprintf("%s (%s)\n", cvss.Value.Format(), cvss.Type)
-		}
-		cvsses += vuln.Cvss2CalcURL() + "\n"
-		for _, cvss := range vuln.Cvss3Scores() {
-			cvsses += fmt.Sprintf("%s (%s)\n", cvss.Value.Format(), cvss.Type)
-		}
-		if 0 < len(vuln.Cvss3Scores()) {
-			cvsses += vuln.Cvss3CalcURL() + "\n"
-		}
-
-		maxCvss := vuln.FormatMaxCvssScore()
-		rightCol := fmt.Sprintf(`%s
-%s
----
-%s
-%s
-%sConfidence: %v`,
-			maxCvss,
-			summaries[0].Value,
-			links[0].Value,
-			strings.Join(vlinks, "\n"),
-			cvsses,
-			//  packsVer,
-			vuln.Confidence,
-		)
-
-		leftCol := fmt.Sprintf("%s", vuln.CveID)
-		scols := []string{leftCol, rightCol}
-		cols := make([]interface{}, len(scols))
-		for i := range cols {
-			cols[i] = scols[i]
-		}
-		stable.AddRow(cols...)
-		stable.AddRow("")
+		data = append(data, []string{
+			vinfo.CveID,
+			fmt.Sprintf("%4.1f", max),
+			// fmt.Sprintf("%4.1f", v2max),
+			// fmt.Sprintf("%4.1f", v3max),
+			fmt.Sprintf("%8s", vinfo.AttackVector()),
+			fmt.Sprintf("%7s", vinfo.PatchStatus(r.Packages)),
+			// packname,
+			fmt.Sprintf("https://nvd.nist.gov/vuln/detail/%s", vinfo.CveID),
+		})
 	}
-	return fmt.Sprintf("%s\n%s\n", header, stable)
+
+	b := bytes.Buffer{}
+	table := tablewriter.NewWriter(&b)
+	table.SetHeader([]string{
+		"CVE-ID",
+		"CVSS",
+		// "v3",
+		// "v2",
+		"Attack",
+		"Fixed",
+		// "Pkg",
+		"NVD",
+	})
+	table.SetBorder(true)
+	table.AppendBulk(data)
+	table.Render()
+	return fmt.Sprintf("%s\n%s", header, b.String())
 }
 
-func formatFullPlainText(r models.ScanResult) string {
+func formatFullPlainText(r models.ScanResult) (lines string) {
 	header := r.FormatTextReportHeadedr()
 	if len(r.Errors) != 0 {
 		return fmt.Sprintf(
@@ -168,62 +157,117 @@ func formatFullPlainText(r models.ScanResult) string {
 %s
 No CVE-IDs are found in updatable packages.
 %s
-	 `, header, r.Packages.FormatUpdatablePacksSummary())
+	 `, header, r.FormatUpdatablePacksSummary())
 	}
 
-	table := uitable.New()
-	table.MaxColWidth = maxColWidth
-	table.Wrap = true
+	lines = header + "\n"
+
 	for _, vuln := range r.ScannedCves.ToSortedSlice() {
-		table.AddRow(vuln.CveID)
-		table.AddRow("----------------")
-		table.AddRow("Max Score", vuln.FormatMaxCvssScore())
-		for _, cvss := range vuln.Cvss2Scores() {
-			table.AddRow(cvss.Type, cvss.Value.Format())
-		}
+		data := [][]string{}
+		data = append(data, []string{"Max Score", vuln.FormatMaxCvssScore()})
 		for _, cvss := range vuln.Cvss3Scores() {
-			table.AddRow(cvss.Type, cvss.Value.Format())
-		}
-		if 0 < len(vuln.Cvss2Scores()) {
-			table.AddRow("CVSSv2 Calc", vuln.Cvss2CalcURL())
-		}
-		if 0 < len(vuln.Cvss3Scores()) {
-			table.AddRow("CVSSv3 Calc", vuln.Cvss3CalcURL())
-		}
-		table.AddRow("Summary", vuln.Summaries(
-			config.Conf.Lang, r.Family)[0].Value)
-
-		links := vuln.CveContents.SourceLinks(
-			config.Conf.Lang, r.Family, vuln.CveID)
-		table.AddRow("Source", links[0].Value)
-
-		vlinks := vuln.VendorLinks(r.Family)
-		for name, url := range vlinks {
-			table.AddRow(name, url)
+			if cvssstr := cvss.Value.Format(); cvssstr != "" {
+				data = append(data, []string{string(cvss.Type), cvssstr})
+			}
 		}
 
-		for _, v := range vuln.CveContents.CweIDs(r.Family) {
-			table.AddRow(fmt.Sprintf("%s (%s)", v.Value, v.Type), cweURL(v.Value))
+		for _, cvss := range vuln.Cvss2Scores(r.Family) {
+			if cvssstr := cvss.Value.Format(); cvssstr != "" {
+				data = append(data, []string{string(cvss.Type), cvssstr})
+			}
+		}
+
+		data = append(data, []string{"Summary", vuln.Summaries(
+			config.Conf.Lang, r.Family)[0].Value})
+
+		mitigation := vuln.Mitigations(r.Family)[0]
+		if mitigation.Type != models.Unknown {
+			data = append(data, []string{"Mitigation", mitigation.Value})
+		}
+
+		cweURLs, top10URLs := []string{}, []string{}
+		for _, v := range vuln.CveContents.UniqCweIDs(r.Family) {
+			name, url, top10Rank, top10URL := r.CweDict.Get(v.Value, r.Lang)
+			if top10Rank != "" {
+				data = append(data, []string{"CWE",
+					fmt.Sprintf("[OWASP Top%s] %s: %s (%s)",
+						top10Rank, v.Value, name, v.Type)})
+				top10URLs = append(top10URLs, top10URL)
+			} else {
+				data = append(data, []string{"CWE", fmt.Sprintf("%s: %s (%s)",
+					v.Value, name, v.Type)})
+			}
+			cweURLs = append(cweURLs, url)
 		}
 
-		packsVer := []string{}
 		vuln.AffectedPackages.Sort()
 		for _, affected := range vuln.AffectedPackages {
 			if pack, ok := r.Packages[affected.Name]; ok {
-				packsVer = append(packsVer, pack.FormatVersionFromTo(affected.NotFixedYet))
+				data = append(data, []string{"Affected PKG",
+					pack.FormatVersionFromTo(affected.NotFixedYet, affected.FixState)})
+				if len(pack.AffectedProcs) != 0 {
+					for _, p := range pack.AffectedProcs {
+						data = append(data, []string{"",
+							fmt.Sprintf("  - PID: %s %s", p.PID, p.Name)})
+					}
+				}
 			}
 		}
-		sort.Strings(vuln.CpeNames)
-		for _, name := range vuln.CpeNames {
-			packsVer = append(packsVer, name)
+		sort.Strings(vuln.CpeURIs)
+		for _, name := range vuln.CpeURIs {
+			data = append(data, []string{"CPE", name})
 		}
-		table.AddRow("Package/CPE", strings.Join(packsVer, "\n"))
-		table.AddRow("Confidence", vuln.Confidence)
 
-		table.AddRow("\n")
+		for _, confidence := range vuln.Confidences {
+			data = append(data, []string{"Confidence", confidence.String()})
+		}
+
+		links := vuln.CveContents.SourceLinks(
+			config.Conf.Lang, r.Family, vuln.CveID)
+		data = append(data, []string{"Source", links[0].Value})
+
+		if 0 < len(vuln.Cvss2Scores(r.Family)) {
+			data = append(data, []string{"CVSSv2 Calc", vuln.Cvss2CalcURL()})
+		}
+		if 0 < len(vuln.Cvss3Scores()) {
+			data = append(data, []string{"CVSSv3 Calc", vuln.Cvss3CalcURL()})
+		}
+
+		vlinks := vuln.VendorLinks(r.Family)
+		for name, url := range vlinks {
+			data = append(data, []string{name, url})
+		}
+		for _, url := range cweURLs {
+			data = append(data, []string{"CWE", url})
+		}
+		for _, url := range top10URLs {
+			data = append(data, []string{"OWASP Top10", url})
+		}
+
+		// for _, rr := range vuln.CveContents.References(r.Family) {
+		// for _, ref := range rr.Value {
+		// data = append(data, []string{ref.Source, ref.Link})
+		// }
+		// }
+
+		b := bytes.Buffer{}
+		table := tablewriter.NewWriter(&b)
+		table.SetColWidth(80)
+		table.SetHeaderAlignment(tablewriter.ALIGN_LEFT)
+		table.SetHeader([]string{
+			vuln.CveID,
+			"",
+		})
+		table.SetBorder(true)
+		table.SetHeaderColor(
+			tablewriter.Colors{tablewriter.Normal},
+			tablewriter.Colors{tablewriter.Normal},
+		)
+		table.AppendBulk(data)
+		table.Render()
+		lines += b.String() + "\n"
 	}
-
-	return fmt.Sprintf("%s\n%s", header, table)
+	return
 }
 
 func cweURL(cweID string) string {
@@ -387,8 +431,8 @@ func isCveFixed(current models.VulnInfo, previous models.ScanResult) bool {
 
 func isCveInfoUpdated(cveID string, previous, current models.ScanResult) bool {
 	cTypes := []models.CveContentType{
-		models.NVD,
-		models.JVN,
+		models.NvdXML,
+		models.Jvn,
 		models.NewCveContentType(current.Family),
 	}