From 23dfe53885ac5fed5d17eb29b14eda6e18c192ee Mon Sep 17 00:00:00 2001 From: Kota Kanbe Date: Mon, 28 Jun 2021 08:29:16 +0900 Subject: [PATCH 1/5] chore: update go-exploitdb (#1262) --- go.mod | 5 +++-- go.sum | 24 +++++++++++++++--------- 2 files changed, 18 insertions(+), 11 deletions(-) diff --git a/go.mod b/go.mod index 2bb6311a..f63a6dac 100644 --- a/go.mod +++ b/go.mod @@ -51,9 +51,10 @@ require ( github.com/sirupsen/logrus v1.8.0 github.com/spf13/afero v1.6.0 github.com/spf13/cobra v1.1.3 - github.com/spf13/viper v1.8.0 // indirect + github.com/spf13/viper v1.8.1 // indirect github.com/takuzoo3868/go-msfdb v0.1.5 - github.com/vulsio/go-exploitdb v0.1.7 + github.com/vulsio/go-exploitdb v0.1.8-0.20210625021845-e5081ca67229 + go.opentelemetry.io/otel/internal/metric v0.21.0 // indirect golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e // indirect golang.org/x/net v0.0.0-20210614182718-04defd469f4e // indirect golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602 diff --git a/go.sum b/go.sum index b27f6129..6a7d57df 100644 --- a/go.sum +++ b/go.sum 
@@ -625,8 +625,9 @@ github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ= +github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-containerregistry v0.0.0-20191010200024-a3d713f9b7f8/go.mod h1:KyKXa9ciM8+lgMXwOVsXi7UxGrsf9mM61Mzs+xKUrKE= github.com/google/go-containerregistry v0.0.0-20200331213917-3d03ed9b1ca2/go.mod h1:pD1UFYs7MCAx+ZLShBdttcaOSbyc8F9Na/9IZLNwJeA= github.com/google/go-containerregistry v0.1.2/go.mod h1:GPivBPgdAyd2SU+vf6EpsgOtWDuPqjW0hJZt4rNdTZ4= 
@@ -1332,8 +1333,8 @@ github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/y github.com/spf13/viper v1.6.1/go.mod h1:t3iDnF5Jlj76alVNuyFBk5oUMCvsrkbvZK0WQdfDi5k= github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= github.com/spf13/viper v1.7.1/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= -github.com/spf13/viper v1.8.0 h1:QRwDgoG8xX+kp69di68D+YYTCWfYEckbZRfUlEIAal0= -github.com/spf13/viper v1.8.0/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns= +github.com/spf13/viper v1.8.1 h1:Kq1fyeebqsBfbjZj4EL7gj2IO0mMaiyjYUWcUsl2O44= +github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns= github.com/src-d/gcfg v1.4.0/go.mod h1:p/UMsR43ujA89BJY9duynAwIpvqEujIH/jFlfL7jWoI= github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= github.com/streadway/amqp v0.0.0-20190827072141-edfb9018d271/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= 
@@ -1416,8 +1417,8 @@ github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6Ac github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4= github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI= github.com/vmware/govmomi v0.20.3/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU= -github.com/vulsio/go-exploitdb v0.1.7 h1:wdq+6H/PvGGnUiyAaLQ3DtczsLy3rrBQgmNOiXH62z0= -github.com/vulsio/go-exploitdb v0.1.7/go.mod h1:4strSWuNtCTz76QB8RuxpMQmYifArGKiHKBFCMOTxY4= +github.com/vulsio/go-exploitdb v0.1.8-0.20210625021845-e5081ca67229 h1:fgwhSbKAPf0wnGwmrkjWyfUi48lMJhS6y8rqGPyHyJE= +github.com/vulsio/go-exploitdb v0.1.8-0.20210625021845-e5081ca67229/go.mod h1:4strSWuNtCTz76QB8RuxpMQmYifArGKiHKBFCMOTxY4= github.com/wasmerio/go-ext-wasm v0.3.1/go.mod h1:VGyarTzasuS7k5KhSIGpM3tciSZlkP31Mp9VJTHMMeI= github.com/willf/bitset v1.1.10/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4= github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4= 
@@ -1471,17 +1472,22 @@ go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= go.opentelemetry.io/otel v0.14.0/go.mod h1:vH5xEuwy7Rts0GNtsCW3HYQoZDY+OmBJ6t1bFGGlxgw= go.opentelemetry.io/otel v0.16.0/go.mod h1:e4GKElweB8W2gWUqbghw0B8t5MCTccc9212eNHnOHwA= go.opentelemetry.io/otel v0.19.0/go.mod h1:j9bF567N9EfomkSidSfmMwIwIBuP37AMAIzVW85OxSg= -go.opentelemetry.io/otel v0.20.0 h1:eaP0Fqu7SXHwvjiqDq83zImeehOHX8doTvU9AwXON8g= go.opentelemetry.io/otel v0.20.0/go.mod h1:Y3ugLH2oa81t5QO+Lty+zXf8zC9L26ax4Nzoxm/dooo= +go.opentelemetry.io/otel v1.0.0-RC1 h1:4CeoX93DNTWt8awGK9JmNXzF9j7TyOu9upscEdtcdXc= +go.opentelemetry.io/otel v1.0.0-RC1/go.mod h1:x9tRa9HK4hSSq7jf2TKbqFbtt58/TGk0f9XiEYISI1I= +go.opentelemetry.io/otel/internal/metric v0.21.0 h1:gZlIBo5O51hZOOZz8vEcuRx/l5dnADadKfpT70AELoo= +go.opentelemetry.io/otel/internal/metric v0.21.0/go.mod h1:iOfAaY2YycsXfYD4kaRSbLx2LKmfpKObWBEv9QK5zFo= go.opentelemetry.io/otel/metric v0.19.0/go.mod h1:8f9fglJPRnXuskQmKpnad31lcLJ2VmNNqIsx/uIwBSc= -go.opentelemetry.io/otel/metric v0.20.0 h1:4kzhXFP+btKm4jwxpjIqjs41A7MakRFUS86bqLHTIw8= go.opentelemetry.io/otel/metric v0.20.0/go.mod h1:598I5tYlH1vzBjn+BTuhzTCSb/9debfNp6R3s7Pr1eU= +go.opentelemetry.io/otel/metric v0.21.0 h1:ZtcJlHqVE4l8Su0WOLOd9fEPheJuYEiQ0wr9wv2p25I= +go.opentelemetry.io/otel/metric v0.21.0/go.mod h1:JWCt1bjivC4iCrz/aCrM1GSw+ZcvY44KCbaeeRhzHnc= go.opentelemetry.io/otel/oteltest v0.19.0/go.mod h1:tI4yxwh8U21v7JD6R3BcA/2+RBoTKFexE/PJ/nSO7IA= -go.opentelemetry.io/otel/oteltest v0.20.0 h1:HiITxCawalo5vQzdHfKeZurV8x7ljcqAgiWzF6Vaeaw= go.opentelemetry.io/otel/oteltest v0.20.0/go.mod h1:L7bgKf9ZB7qCwT9Up7i9/pn0PWIa9FqQ2IQ8LoxiGnw= +go.opentelemetry.io/otel/oteltest v1.0.0-RC1/go.mod h1:+eoIG0gdEOaPNftuy1YScLr1Gb4mL/9lpDkZ0JjMRq4= go.opentelemetry.io/otel/trace v0.19.0/go.mod h1:4IXiNextNOpPnRlI4ryK69mn5iC84bjBWZQA5DXz/qg= -go.opentelemetry.io/otel/trace v0.20.0 h1:1DL6EXUdcg95gukhuRRvLDO/4X5THh/5dIV52lqtnbw= go.opentelemetry.io/otel/trace v0.20.0/go.mod 
h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16gUEi0Nf1iBdgw= +go.opentelemetry.io/otel/trace v1.0.0-RC1 h1:jrjqKJZEibFrDz+umEASeU3LvdVyWKlnTh7XEfwrT58= +go.opentelemetry.io/otel/trace v1.0.0-RC1/go.mod h1:86UHmyHWFEtWjfWPSbu0+d0Pf9Q6e1U+3ViBOc+NXAg= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= From 0e0e5ce4bef881e2dac189a71dc3c90643eb591e Mon Sep 17 00:00:00 2001 From: Shigechika AIKAWA Date: Mon, 28 Jun 2021 10:28:54 +0900 Subject: [PATCH 2/5] feat: Support Ubuntu21 (#1231) --- oval/debian.go | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/oval/debian.go b/oval/debian.go index c0926a23..d461336b 100644 --- a/oval/debian.go +++ b/oval/debian.go 
@@ -342,6 +342,47 @@ func (o Ubuntu) FillWithOval(r *models.ScanResult) (nCVEs int, err error) { "linux", } return o.fillWithOval(r, kernelNamesInOval) + case "21": + kernelNamesInOval := []string{ + "linux-aws", + "linux-base-sgx", + "linux-base", + "linux-cloud-tools-common", + "linux-cloud-tools-generic", + "linux-cloud-tools-lowlatency", + "linux-cloud-tools-virtual", + "linux-gcp", + "linux-generic", + "linux-gke", + "linux-headers-aws", + "linux-headers-gcp", + "linux-headers-gke", + "linux-headers-oracle", + "linux-image-aws", + "linux-image-extra-virtual", + "linux-image-gcp", + "linux-image-generic", + "linux-image-gke", + "linux-image-lowlatency", + "linux-image-oracle", + "linux-image-virtual", + "linux-lowlatency", + "linux-modules-extra-aws", + "linux-modules-extra-gcp", + "linux-modules-extra-gke", + "linux-oracle", + "linux-tools-aws", + "linux-tools-common", + "linux-tools-gcp", + "linux-tools-generic", + "linux-tools-gke", + "linux-tools-host", + "linux-tools-lowlatency", + "linux-tools-oracle", + "linux-tools-virtual", + "linux-virtual", + } + return o.fillWithOval(r, kernelNamesInOval) } return 0, fmt.Errorf("Ubuntu %s is not support for now", r.Release) } From 1c8e074c9d2dbfe8ce0196084ffa609c5cd58b99 Mon Sep 17 00:00:00 2001 
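Review bot: The `case "21"` list has no plain `"linux"` entry, while the list of the case just above it (visible as context) ends with `"linux"`. If `fillWithOval` relies on these names to match kernel packages against OVAL definitions, hosts running that package could be reported with fewer CVEs than they have, so confirm the omission is intended. The names are also written inline in the switch; a package-level slice such as `var kernelNamesUbuntu21 = []string{...}` would keep `FillWithOval` readable and let a test assert the list. `FillWithOval` starts before this hunk, so the other cases are not visible here.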
From: Shigechika AIKAWA Date: Fri, 2 Jul 2021 05:32:00 +0900 Subject: [PATCH 3/5] Feat report googlechat (#1257) (#1258) * feat: Support Ubuntu21 * feat(report): Send report via Google Chat * feat(report): Send report via Google Chat * Snip too long message as (The rest is omitted). * sorry for mixed feat-ubuntu21 branch. exlucded it * append diff, attack vector and exploits info * add ServerName filter by regexp * rename variables and rewrite validators * fix renaming miss * fix renaming miss, again --- config/config.go | 22 +++++---- config/googlechatconf.go | 32 ++++++++++++ reporter/googlechat.go | 102 +++++++++++++++++++++++++++++++++++++++ subcmds/discover.go | 7 +++ subcmds/report.go | 26 ++++++---- 5 files changed, 170 insertions(+), 19 deletions(-) create mode 100644 config/googlechatconf.go create mode 100644 reporter/googlechat.go diff --git a/config/config.go b/config/config.go index d65ef294..2edc9a14 100644 --- a/config/config.go +++ b/config/config.go @@ -42,16 +42,17 @@ type Config struct { Exploit ExploitConf `json:"exploit,omitempty"` Metasploit MetasploitConf `json:"metasploit,omitempty"` - Slack SlackConf `json:"-"` - EMail SMTPConf `json:"-"` - HTTP HTTPConf `json:"-"` - Syslog SyslogConf `json:"-"` - AWS AWSConf `json:"-"` - Azure AzureConf `json:"-"` - ChatWork ChatWorkConf `json:"-"` - Telegram TelegramConf `json:"-"` - WpScan WpScanConf `json:"-"` - Saas SaasConf `json:"-"` + Slack SlackConf `json:"-"` + EMail SMTPConf `json:"-"` + HTTP HTTPConf `json:"-"` + Syslog SyslogConf `json:"-"` + AWS AWSConf `json:"-"` + Azure AzureConf `json:"-"` + ChatWork ChatWorkConf `json:"-"` + GoogleChat GoogleChatConf `json:"-"` + Telegram TelegramConf `json:"-"` + WpScan WpScanConf `json:"-"` + Saas SaasConf `json:"-"` ReportOpts } @@ -157,6 +158,7 @@ func (c *Config) ValidateOnReport() bool { &c.EMail, &c.Slack, &c.ChatWork, + &c.GoogleChat, &c.Telegram, &c.Syslog, &c.HTTP, 
diff --git a/config/googlechatconf.go b/config/googlechatconf.go new file mode 100644 index 00000000..5c5bad50 --- /dev/null +++ b/config/googlechatconf.go @@ -0,0 +1,32 @@ +package config + +import ( + "github.com/asaskevich/govalidator" + "golang.org/x/xerrors" +) + +// GoogleChatConf is GoogleChat config +type GoogleChatConf struct { + WebHookURL string `valid:"url" json:"-" toml:"webHookURL,omitempty"` + SkipIfNoCve bool `valid:"type(bool)" json:"-" toml:"skipIfNoCve"` + ServerNameRegexp string `valid:"type(string)" json:"-" toml:"serverNameRegexp,omitempty"` + Enabled bool `valid:"type(bool)" json:"-" toml:"-"` +} + +// Validate validates configuration +func (c *GoogleChatConf) Validate() (errs []error) { + if !c.Enabled { + return + } + if len(c.WebHookURL) == 0 { + errs = append(errs, xerrors.New("googleChatConf.webHookURL must not be empty")) + } + if !govalidator.IsRegex(c.ServerNameRegexp) { + errs = append(errs, xerrors.New("googleChatConf.serverNameRegexp must be regex")) + } + _, err := govalidator.ValidateStruct(c) + if err != nil { + errs = append(errs, err) + } + return +} diff --git a/reporter/googlechat.go b/reporter/googlechat.go new file mode 100644 index 00000000..2c9fc680 --- /dev/null +++ b/reporter/googlechat.go 
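Review bot: `Validate` accepts any scheme for `webHookURL` because the `valid:"url"` tag only checks URL syntax, so an `http://` value would send the scan report and the webhook's `key`/`token` query parameters in clear text. Add a check such as `if !strings.HasPrefix(c.WebHookURL, "https://") { errs = append(errs, xerrors.New("googleChatConf.webHookURL must use https")) }` (this needs the `strings` import). An empty `serverNameRegexp` also passes `govalidator.IsRegex`, and because `GoogleChatWriter.Write` skips every server whose name matches the pattern, leaving the key unset would suppress all reports. Either reject the empty value here or treat it as "no filter" in the writer.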
@@ -0,0 +1,102 @@ +package reporter + +import ( + "bytes" + "context" + "fmt" + "net/http" + "regexp" + "strings" + "time" + + "github.com/future-architect/vuls/config" + "github.com/future-architect/vuls/models" + "github.com/future-architect/vuls/util" + "golang.org/x/xerrors" +) + +// GoogleChatWriter send report to GoogleChat +type GoogleChatWriter struct { + Cnf config.GoogleChatConf + Proxy string +} + +func (w GoogleChatWriter) Write(rs ...models.ScanResult) (err error) { + re := regexp.MustCompile(w.Cnf.ServerNameRegexp) + + for _, r := range rs { + if re.Match([]byte(r.FormatServerName())) { + continue + } + msgs := []string{fmt.Sprintf("*%s*\n%s\t%s\t%s", + r.ServerInfo(), + r.ScannedCves.FormatCveSummary(), + r.ScannedCves.FormatFixedStatus(r.Packages), + r.FormatUpdatablePkgsSummary())} + for _, vinfo := range r.ScannedCves.ToSortedSlice() { + max := vinfo.MaxCvssScore().Value.Score + + exploits := "" + if 0 < len(vinfo.Exploits) || 0 < len(vinfo.Metasploits) { + exploits = "*PoC*" + } + + link := "" + if strings.HasPrefix(vinfo.CveID, "CVE-") { + link = fmt.Sprintf("https://nvd.nist.gov/vuln/detail/%s", vinfo.CveID) + } else if strings.HasPrefix(vinfo.CveID, "WPVDBID-") { + link = fmt.Sprintf("https://wpscan.com/vulnerabilities/%s", strings.TrimPrefix(vinfo.CveID, "WPVDBID-")) + } + + msgs = append(msgs, fmt.Sprintf(`%s %s %4.1f %5s %s`, + vinfo.CveIDDiffFormat(), + link, + max, + vinfo.AttackVector(), + exploits)) + if len(msgs) == 50 { + msgs = append(msgs, "(The rest is omitted.)") + break + } + } + if len(msgs) == 1 && w.Cnf.SkipIfNoCve { + msgs = []string{} + } + if len(msgs) != 0 { + if err = w.postMessage(strings.Join(msgs, "\n")); err != nil { + return err + } + } + } + return nil +} + +func (w GoogleChatWriter) postMessage(message string) error { + uri := fmt.Sprintf("%s", w.Cnf.WebHookURL) + payload := `{"text": "` + message + `" }` + + ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) + req, err := 
http.NewRequestWithContext(ctx, http.MethodPost, uri, bytes.NewBuffer([]byte(payload))) + defer cancel() + if err != nil { + return err + } + req.Header.Add("Content-Type", "application/json; charset=utf-8") + client, err := util.GetHTTPClient(w.Proxy) + if err != nil { + return err + } + resp, err := client.Do(req) + if checkResponse(resp) != nil && err != nil { + return err + } + defer resp.Body.Close() + return nil +} + +func (w GoogleChatWriter) checkResponse(r *http.Response) error { + if c := r.StatusCode; 200 <= c && c <= 299 { + return nil + } + return xerrors.Errorf("API call to %s failed: %s", r.Request.URL.String(), r.Status) +} diff --git a/subcmds/discover.go b/subcmds/discover.go index 7268e415..3d2b350a 100644 --- a/subcmds/discover.go +++ b/subcmds/discover.go @@ -157,6 +157,13 @@ func printConfigToml(ips []string) (err error) { #room = "xxxxxxxxxxx" #apiToken = "xxxxxxxxxxxxxxxxxx" +# https://vuls.io/docs/en/config.toml.html#googlechat-section +#[googlechat] +#webHookURL = "https://chat.googleapis.com/v1/spaces/xxxxxxxxxx/messages?key=yyyyyyyyyy&token=zzzzzzzzzz%3D" +#skipIfNoCve = false +#serverNameRegexp = "^(\\[Reboot Required\\] )?((spam|ham).*|.*(egg)$)" # include spamonigiri, hamburger, boiledegg +#serverNameRegexp = "^(\\[Reboot Required\\] )?(?:(spam|ham).*|.*(?:egg)$)" # exclude spamonigiri, hamburger, boiledegg + # https://vuls.io/docs/en/config.toml.html#telegram-section #[telegram] #chatID = "xxxxxxxxxxx" diff --git a/subcmds/report.go b/subcmds/report.go index 3a0818f2..671aebd4 100644 --- a/subcmds/report.go +++ b/subcmds/report.go 
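Review bot: In `postMessage`, `if checkResponse(resp) != nil && err != nil` passes a nil `resp` to the status check whenever `client.Do` fails, and it ignores a non-2xx reply when `err` is nil; check `err` first and the status separately. The payload is built by concatenating `message` into a JSON literal, so a quote or backslash in the report text, or the newlines and tabs that `Write` itself inserts, breaks or reshapes the JSON; build the body with `json.Marshal`. The `checkResponse` method at the end of the file puts `r.Request.URL.String()` into its error, which for this webhook includes the `key` and `token` query parameters, so a failed post would write the secret to logs. The rewrite below needs `encoding/json` added to the import block.

```go
func (w GoogleChatWriter) postMessage(message string) error {
	payload, err := json.Marshal(map[string]string{"text": message})
	if err != nil {
		return err
	}
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, w.Cnf.WebHookURL, bytes.NewReader(payload))
	if err != nil {
		return err
	}
	// … unchanged: Content-Type header, util.GetHTTPClient(w.Proxy) …
	resp, err := client.Do(req)
	if err != nil {
		// NOTE: this is a *url.Error whose text contains the request URL;
		// callers should not log it verbatim.
		return err
	}
	defer resp.Body.Close()
	if c := resp.StatusCode; c < 200 || 299 < c {
		// Report the status only: the webhook URL carries key and token.
		return xerrors.Errorf("Google Chat webhook call failed: %s", resp.Status)
	}
	return nil
}
```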
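Review bot: The two `serverNameRegexp` samples are labelled "include" and "exclude", but they differ only in capturing versus non-capturing groups and therefore match exactly the same server names. Because `GoogleChatWriter.Write` calls `continue` on a match, both would exclude those servers. Keep one sample and word its comment after the real behaviour, e.g. `# servers whose name matches are not reported`. The sample `webHookURL` embeds `key` and `token`, so a template comment such as `# webHookURL contains credentials; keep config.toml readable by the vuls user only` would be useful. `printConfigToml` begins outside this hunk.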
@@ -30,15 +30,16 @@ type ReportCmd struct { formatList bool gzip bool - toSlack bool - toChatWork bool - toTelegram bool - toEmail bool - toSyslog bool - toLocalFile bool - toS3 bool - toAzureBlob bool - toHTTP bool + toSlack bool + toChatWork bool + toGoogleChat bool + toTelegram bool + toEmail bool + toSyslog bool + toLocalFile bool + toS3 bool + toAzureBlob bool + toHTTP bool } // Name return subcommand name @@ -67,6 +68,7 @@ func (*ReportCmd) Usage() string { [-to-http] [-to-slack] [-to-chatwork] + [-to-googlechat] [-to-telegram] [-to-localfile] [-to-s3] @@ -146,6 +148,7 @@ func (p *ReportCmd) SetFlags(f *flag.FlagSet) { f.BoolVar(&p.toSlack, "to-slack", false, "Send report via Slack") f.BoolVar(&p.toChatWork, "to-chatwork", false, "Send report via chatwork") + f.BoolVar(&p.toGoogleChat, "to-googlechat", false, "Send report via Google Chat") f.BoolVar(&p.toTelegram, "to-telegram", false, "Send report via Telegram") f.BoolVar(&p.toEmail, "to-email", false, "Send report via Email") f.BoolVar(&p.toSyslog, "to-syslog", false, "Send report via Syslog") @@ -173,6 +176,7 @@ func (p *ReportCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interface{} } config.Conf.Slack.Enabled = p.toSlack config.Conf.ChatWork.Enabled = p.toChatWork + config.Conf.GoogleChat.Enabled = p.toGoogleChat config.Conf.Telegram.Enabled = p.toTelegram config.Conf.EMail.Enabled = p.toEmail config.Conf.Syslog.Enabled = p.toSyslog @@ -261,6 +265,10 @@ func (p *ReportCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interface{} reports = append(reports, reporter.ChatWorkWriter{Cnf: config.Conf.ChatWork, Proxy: config.Conf.HTTPProxy}) } + if p.toGoogleChat { + reports = append(reports, reporter.GoogleChatWriter{Cnf: config.Conf.GoogleChat, Proxy: config.Conf.HTTPProxy}) + } + if p.toTelegram { reports = append(reports, reporter.TelegramWriter{Cnf: config.Conf.Telegram}) } From 5755b00576ee2cb58ed4762b3f778b1e57f6c73d Mon Sep 17 00:00:00 2001 
From: kazuminn Date: Fri, 2 Jul 2021 05:35:47 +0900 Subject: [PATCH 4/5] feat(os) : support Rocky linux (#1260) * support rocky linux scan * fix miss * lint --- constant/constant.go | 3 ++ scanner/redhatbase.go | 21 ++++++++ scanner/rocky.go | 118 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 142 insertions(+) create mode 100644 scanner/rocky.go diff --git a/constant/constant.go b/constant/constant.go index f394aad3..e0d2e1f0 100644 --- a/constant/constant.go +++ b/constant/constant.go @@ -17,6 +17,9 @@ const ( // CentOS is CentOS = "centos" + // Rocky is + Rocky = "Rocky" + // Fedora is // Fedora = "fedora" diff --git a/scanner/redhatbase.go b/scanner/redhatbase.go index b467f523..60d481f6 100644 --- a/scanner/redhatbase.go +++ b/scanner/redhatbase.go @@ -64,6 +64,27 @@ func detectRedhat(c config.ServerInfo) (bool, osTypeInterface) { } } + if r := exec(c, "ls /etc/rocky-release", noSudo); r.isSuccess() { + if r := exec(c, "cat /etc/rocky-release", noSudo); r.isSuccess() { + re := regexp.MustCompile(`(.*) release (\d[\d\.]*)`) + result := re.FindStringSubmatch(strings.TrimSpace(r.Stdout)) + if len(result) != 3 { + logging.Log.Warnf("Failed to parse Rocky version: %s", r) + return true, newRocky(c) + } + + release := result[2] + switch strings.ToLower(result[1]) { + case "rocky", "rocky linux": + rocky := newRocky(c) + rocky.setDistro(constant.Rocky, release) + return true, rocky + default: + logging.Log.Warnf("Failed to parse Rocky: %s", r) + } + } + } + if r := exec(c, "ls /etc/redhat-release", noSudo); r.isSuccess() { // https://www.rackaid.com/blog/how-to-determine-centos-or-red-hat-version/ // e.g. diff --git a/scanner/rocky.go b/scanner/rocky.go new file mode 100644 index 00000000..922ff71b --- /dev/null +++ b/scanner/rocky.go 
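Review bot: `Rocky = "Rocky"` is capitalised while the neighbouring family constant is lower-case (`CentOS = "centos"`), so any code that compares family names case-sensitively or lower-cases them will treat Rocky differently. Use `Rocky = "rocky"` unless a consumer outside this hunk needs the capitalised form. The comment `// Rocky is` is an unfinished sentence; `// Rocky is the family name for Rocky Linux` would read properly.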
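Review bot: When the release string does not parse (`len(result) != 3`), the new branch returns `true, newRocky(c)` without calling `setDistro`, so the host counts as detected with no family or release recorded, and later lookups keyed on them would presumably find nothing. Either record at least the family before returning (`rocky := newRocky(c); rocky.setDistro(constant.Rocky, "")`) or fall through to the next detector as the `default:` case does. The regexp is also recompiled on every call, and `ls /etc/rocky-release` is redundant because the exit status of `cat` already tells whether the file exists. `detectRedhat` begins and continues outside this hunk.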
@@ -0,0 +1,118 @@ +package scanner + +import ( + "github.com/future-architect/vuls/config" + "github.com/future-architect/vuls/logging" + "github.com/future-architect/vuls/models" +) + +// inherit OsTypeInterface +type rocky struct { + redhatBase +} + +// NewAmazon is constructor +func newRocky(c config.ServerInfo) *rocky { + r := &rocky{ + redhatBase{ + base: base{ + osPackages: osPackages{ + Packages: models.Packages{}, + VulnInfos: models.VulnInfos{}, + }, + }, + sudo: rootPrivRocky{}, + }, + } + r.log = logging.NewNormalLogger() + r.setServerInfo(c) + return r +} + +func (o *rocky) checkScanMode() error { + return nil +} + +func (o *rocky) checkDeps() error { + if o.getServerInfo().Mode.IsFast() { + return o.execCheckDeps(o.depsFast()) + } else if o.getServerInfo().Mode.IsFastRoot() { + return o.execCheckDeps(o.depsFastRoot()) + } else { + return o.execCheckDeps(o.depsDeep()) + } +} + +func (o *rocky) depsFast() []string { + if o.getServerInfo().Mode.IsOffline() { + return []string{} + } + + // repoquery + // `rpm -qa` shows dnf-utils as yum-utils on RHEL8, CentOS8, Rocky + return []string{"yum-utils"} +} + +func (o *rocky) depsFastRoot() []string { + if o.getServerInfo().Mode.IsOffline() { + return []string{} + } + + // repoquery + // `rpm -qa` shows dnf-utils as yum-utils on RHEL8, CentOS8, Rocky + return []string{"yum-utils"} +} + +func (o *rocky) depsDeep() []string { + return o.depsFastRoot() +} + +func (o *rocky) checkIfSudoNoPasswd() error { + if o.getServerInfo().Mode.IsFast() { + return o.execCheckIfSudoNoPasswd(o.sudoNoPasswdCmdsFast()) + } else if o.getServerInfo().Mode.IsFastRoot() { + return o.execCheckIfSudoNoPasswd(o.sudoNoPasswdCmdsFastRoot()) + } else { + return o.execCheckIfSudoNoPasswd(o.sudoNoPasswdCmdsDeep()) + } +} + +func (o *rocky) sudoNoPasswdCmdsFast() []cmd { + return []cmd{} +} + +func (o *rocky) sudoNoPasswdCmdsFastRoot() []cmd { + if !o.ServerInfo.IsContainer() { + return []cmd{ + {"repoquery -h", exitStatusZero}, + 
{"needs-restarting", exitStatusZero}, + {"which which", exitStatusZero}, + {"stat /proc/1/exe", exitStatusZero}, + {"ls -l /proc/1/exe", exitStatusZero}, + {"cat /proc/1/maps", exitStatusZero}, + {"lsof -i -P", exitStatusZero}, + } + } + return []cmd{ + {"repoquery -h", exitStatusZero}, + {"needs-restarting", exitStatusZero}, + } +} + +func (o *rocky) sudoNoPasswdCmdsDeep() []cmd { + return o.sudoNoPasswdCmdsFastRoot() +} + +type rootPrivRocky struct{} + +func (o rootPrivRocky) repoquery() bool { + return false +} + +func (o rootPrivRocky) yumMakeCache() bool { + return false +} + +func (o rootPrivRocky) yumPS() bool { + return false +} From 0ea4d58c63a0f85dc248e64de29e9620ffd29e62 Mon Sep 17 00:00:00 2001 From: Peter Sedgewick Date: Thu, 1 Jul 2021 23:18:44 +0200 Subject: [PATCH 5/5] fix(gost): Use DBDriver ctx in Psuedo (#1264) --- gost/gost.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gost/gost.go b/gost/gost.go index 8489723e..b9093340 100644 --- a/gost/gost.go +++ b/gost/gost.go @@ -72,7 +72,7 @@ func NewClient(cnf config.GostConf, family string) (Client, error) { case constant.Windows: return Microsoft{Base{DBDriver: driver}}, nil default: - return Pseudo{}, nil + return Pseudo{Base{DBDriver: driver}}, nil } }
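Review bot: The doc comment on `newRocky` reads `// NewAmazon is constructor`, copied from another scanner; it should be `// newRocky returns a rocky scanner for the given server with empty Packages and VulnInfos.` `depsFast` and `depsFastRoot` have identical bodies, so one can return the other the way `depsDeep` already does. `sudoNoPasswdCmdsFastRoot` requires password-less sudo for `repoquery -h` and `needs-restarting`, while `rootPrivRocky` answers `false` for `repoquery`, `yumMakeCache` and `yumPS`. If `false` means the command runs unprivileged, the sudoers requirement is broader than needed, so check it against how `redhatBase` consumes both (not visible here).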