fix(cpescan): CpeVendorProductMatch not set when Redis Backend (#1273)

* fix(cpescan): CpeVendorProductMatch not set when Redis Backend * fix(integration): deprecated CPE URI * fix(integration-test): add a test case for CpeVendorProductMatch * fix review * update deps go-cve-dict v0.6.2
2021-07-19 08:43:58 +09:00
parent f0b3a8b1db
commit 543dc99ecd
7 changed files with 27 additions and 149 deletions
--- a/10
+++ b/10
@@ -89,7 +89,7 @@ NOW=$(shell date --iso-8601=seconds)
 NOW_JSON_DIR := '${BASE_DIR}/$(NOW)'
 ONE_SEC_AFTER=$(shell date -d '+1 second' --iso-8601=seconds)
 ONE_SEC_AFTER_JSON_DIR := '${BASE_DIR}/$(ONE_SEC_AFTER)'
-LIBS := 'gemfile' 'pipfile' 'poetry' 'composer' 'packagelock' 'yarn' 'cargo' 'gomod'
+LIBS := 'gemfile' 'pipfile' 'poetry' 'composer' 'packagelock' 'yarn' 'cargo' 'gomod' 'rails' 'cpe_vendor_product_match'

 diff:
 	# git clone git@github.com:vulsio/vulsctl.git
@@ -108,14 +108,14 @@ endif
 	sleep 1
 	./vuls.old scan -config=./integration/int-config.toml --results-dir=${BASE_DIR} ${LIBS}
 	cp ${BASE_DIR}/current/*.json ${NOW_JSON_DIR}
-	cp integration/data/results/*.json ${NOW_JSON_DIR}
+	- cp integration/data/results/*.json ${NOW_JSON_DIR}
 	./vuls.old report --format-json --refresh-cve --results-dir=${BASE_DIR} -config=./integration/int-config.toml ${NOW}

 	mkdir -p ${ONE_SEC_AFTER_JSON_DIR}
 	sleep 1
 	./vuls.new scan -config=./integration/int-config.toml --results-dir=${BASE_DIR} ${LIBS}
 	cp ${BASE_DIR}/current/*.json ${ONE_SEC_AFTER_JSON_DIR}
-	cp integration/data/results/*.json ${ONE_SEC_AFTER_JSON_DIR}
+	- cp integration/data/results/*.json ${ONE_SEC_AFTER_JSON_DIR}
 	./vuls.new report --format-json --refresh-cve --results-dir=${BASE_DIR} -config=./integration/int-config.toml ${ONE_SEC_AFTER}

 	$(call sed-d)
@@ -141,14 +141,14 @@ endif
 	sleep 1
 	./vuls.old scan -config=./integration/int-config.toml --results-dir=${BASE_DIR} ${LIBS}
 	cp -f ${BASE_DIR}/current/*.json ${NOW_JSON_DIR}
-	cp integration/data/results/*.json ${NOW_JSON_DIR}
+	- cp integration/data/results/*.json ${NOW_JSON_DIR}
 	./vuls.old report --format-json --refresh-cve --results-dir=${BASE_DIR} -config=./integration/int-redis-config.toml ${NOW}

 	mkdir -p ${ONE_SEC_AFTER_JSON_DIR}
 	sleep 1
 	./vuls.new scan -config=./integration/int-config.toml --results-dir=${BASE_DIR} ${LIBS}
 	cp -f ${BASE_DIR}/current/*.json ${ONE_SEC_AFTER_JSON_DIR}
-	cp integration/data/results/*.json ${ONE_SEC_AFTER_JSON_DIR}
+	- cp integration/data/results/*.json ${ONE_SEC_AFTER_JSON_DIR}
 	./vuls.new report --format-json --refresh-cve --results-dir=${BASE_DIR} -config=./integration/int-redis-config.toml ${ONE_SEC_AFTER}

 	$(call sed-d)
--- a/detector/detector.go
+++ b/detector/detector.go
@@ -419,10 +419,11 @@ func DetectCpeURIsCves(r *models.ScanResult, cpeURIs []string, cnf config.GoCveD
 		if err != nil {
 			return err
 		}
-		for _, detail := range details {

+		for _, detail := range details {
 			confidence := models.CpeVersionMatch
-			if detail.IsJvn() {
+			if detail.HasJvn() && !detail.HasNvd() {
+				// In the case of CpeVendorProduct-match, only the JVN is set(Nvd is not set).
 				confidence = models.CpeVendorProductMatch
 			}

--- a/go.mod
+++ b/go.mod
@@ -33,8 +33,8 @@ require (
 	github.com/knqyf263/go-cpe v0.0.0-20201213041631-54f6ab28673f
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
 	github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936
-	github.com/kotakanbe/go-cve-dictionary v0.6.0
 	github.com/knqyf263/gost v0.2.0
+	github.com/kotakanbe/go-cve-dictionary v0.6.2
 	github.com/kotakanbe/go-pingscanner v0.1.0
 	github.com/kotakanbe/goval-dictionary v0.3.6-0.20210625044258-9be85404d7dd
 	github.com/kotakanbe/logrus-prefixed-formatter v0.0.0-20180123152602-928f7356cb96
@@ -54,8 +54,8 @@ require (
 	github.com/spf13/viper v1.8.1 // indirect
 	github.com/takuzoo3868/go-msfdb v0.1.5
 	github.com/vulsio/go-exploitdb v0.1.8-0.20210625021845-e5081ca67229
-	golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e // indirect
-	golang.org/x/net v0.0.0-20210614182718-04defd469f4e // indirect
+	golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 // indirect
+	golang.org/x/net v0.0.0-20210716203947-853a461950ff // indirect
 	golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
 	golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c // indirect
--- a/go.sum
+++ b/go.sum
@@ -928,8 +928,8 @@ github.com/knqyf263/nested v0.0.1/go.mod h1:zwhsIhMkBg90DTOJQvxPkKIypEHPYkgWHs4g
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/kotakanbe/go-cve-dictionary v0.6.0 h1:HNSzAJ8gRDmM9heKLUhYx68V+i+dHMnXyKg8ZcvI+ac=
-github.com/kotakanbe/go-cve-dictionary v0.6.0/go.mod h1:Ht9ESpkhbQtdVRoo/lEPZ6B8j6lVUsfRkxpfl6FlwD8=
+github.com/kotakanbe/go-cve-dictionary v0.6.2 h1:XpTzqVt9IN6mcfWM9v/oJBboyY6GlqukBsKpcIM/OpE=
+github.com/kotakanbe/go-cve-dictionary v0.6.2/go.mod h1:Ht9ESpkhbQtdVRoo/lEPZ6B8j6lVUsfRkxpfl6FlwD8=
 github.com/kotakanbe/go-pingscanner v0.1.0 h1:VG4/9l0i8WeToXclj7bIGoAZAu7a07Z3qmQiIfU0gT0=
 github.com/kotakanbe/go-pingscanner v0.1.0/go.mod h1:/761QZzuZFcfN8h/1QuawUA+pKukp3qcNj5mxJCOiAk=
 github.com/kotakanbe/goval-dictionary v0.3.6-0.20210625044258-9be85404d7dd h1:hnkOzwlknmNU64P5UaQzAZcyNnuSsCz/PIt/P/ZPKYg=
@@ -1529,8 +1529,8 @@ golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWP
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e h1:gsTQYXdTw2Gq7RBsWvlQ91b+aEQ6bXFUngBGuR8sPpI=
-golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 h1:/UOmuWzQfxxo9UtlXMwuQU8CMgg1eZXqTRwkSQJWKOI=
+golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -1631,8 +1631,8 @@ golang.org/x/net v0.0.0-20210220033124-5f55cee0dc0d/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.0.0-20210614182718-04defd469f4e h1:XpT3nA5TvE525Ne3hInMh6+GETgn27Zfm9dxsThnX2Q=
-golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20210716203947-853a461950ff h1:j2EK/QoxYNBsXI4R7fQkkRUk8y6wnOBI+6hgPdP/6Ds=
+golang.org/x/net v0.0.0-20210716203947-853a461950ff/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/oauth2 v0.0.0-20180724155351-3d292e4d0cdc/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181017192945-9dcd33a902f4/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
--- a/integration/data/results/rails.json
+++ b/integration/data/results/rails.json
@@ -1,131 +0,0 @@
-{
-    "jsonVersion": 4,
-    "lang": "",
-    "serverUUID": "",
-    "serverName": "rails",
-    "family": "pseudo",
-    "release": "",
-    "container": {
-        "containerID": "",
-        "name": "",
-        "image": "",
-        "type": "",
-        "uuid": ""
-    },
-    "platform": {
-        "name": "other",
-        "instanceID": ""
-    },
-    "scannedAt": "2021-03-31T12:22:26.428630183+09:00",
-    "scanMode": "fast mode",
-    "scannedVersion": "v0.15.9",
-    "scannedRevision": "build-20210331_121257_1a58c94",
-    "scannedBy": "dev",
-    "scannedVia": "pseudo",
-    "scannedIpv4Addrs": [
-        "172.19.0.1",
-        "172.17.0.1",
-        "172.27.0.1"
-    ],
-    "reportedAt": "0001-01-01T00:00:00Z",
-    "reportedVersion": "",
-    "reportedRevision": "",
-    "reportedBy": "",
-    "errors": [],
-    "warnings": [],
-    "scannedCves": {},
-    "runningKernel": {
-        "release": "",
-        "version": "",
-        "rebootRequired": false
-    },
-    "packages": {},
-    "config": {
-        "scan": {
-            "logDir": "/var/log/vuls",
-            "resultsDir": "/home/ubuntu/go/src/github.com/future-architect/vuls/results",
-            "default": {
-                "port": "22",
-                "scanMode": [
-                    "fast"
-                ]
-            },
-            "servers": {
-                "rails": {
-                    "serverName": "rails",
-                    "cpeNames": [
-                        "cpe:/a:rubyonrails:ruby_on_rails:3.0.1"
-                    ],
-                    "scanMode": [
-                        "fast"
-                    ],
-                    "type": "pseudo",
-                    "wordpress": {}
-                }
-            },
-            "cveDict": {
-                "Name": "cveDict",
-                "Type": "sqlite3",
-                "SQLite3Path": "/home/ubuntu/go/src/github.com/kotakanbe/go-cve-dictionary/cve.sqlite3",
-                "DebugSQL": false
-            },
-            "ovalDict": {
-                "Name": "ovalDict",
-                "Type": "sqlite3",
-                "SQLite3Path": "/home/ubuntu/go/src/github.com/kotakanbe/goval-dictionary/oval.sqlite3",
-                "DebugSQL": false
-            },
-            "gost": {
-                "Name": "gost",
-                "Type": "sqlite3",
-                "SQLite3Path": "/home/ubuntu/go/src/github.com/future-architect/vuls/gost.sqlite3",
-                "DebugSQL": false
-            },
-            "exploit": {
-                "Name": "exploit",
-                "Type": "sqlite3",
-                "SQLite3Path": "/home/ubuntu/go/src/github.com/vulsio/go-exploitdb/go-exploitdb.sqlite3",
-                "DebugSQL": false
-            },
-            "metasploit": {
-                "Name": "metasploit",
-                "Type": "sqlite3",
-                "SQLite3Path": "/home/ubuntu/go/src/github.com/takuzoo3868/go-msfdb/go-msfdb.sqlite3",
-                "DebugSQL": false
-            }
-        },
-        "report": {
-            "default": {},
-            "cveDict": {
-                "Name": "",
-                "Type": "",
-                "SQLite3Path": "",
-                "DebugSQL": false
-            },
-            "ovalDict": {
-                "Name": "",
-                "Type": "",
-                "SQLite3Path": "",
-                "DebugSQL": false
-            },
-            "gost": {
-                "Name": "",
-                "Type": "",
-                "SQLite3Path": "",
-                "DebugSQL": false
-            },
-            "exploit": {
-                "Name": "",
-                "Type": "",
-                "SQLite3Path": "",
-                "DebugSQL": false
-            },
-            "metasploit": {
-                "Name": "",
-                "Type": "",
-                "SQLite3Path": "",
-                "DebugSQL": false
-            }
-        }
-    }
-}
--- a/integration/int-config.toml
+++ b/integration/int-config.toml
@@ -24,7 +24,11 @@

 [servers.rails]
 type = "pseudo"
-cpeNames = [ "cpe:/a:rubyonrails:ruby_on_rails:3.0.1" ]
+cpeNames = [ "cpe:/a:rubyonrails:rails:3.0.1" ]
+
+[servers.cpe_vendor_product_match]
+type = "pseudo"
+cpeNames = ["cpe:/a:hitachi_abb_power_grids:afs660"]

 [servers.gemfile]
 type = "pseudo"
--- a/integration/int-redis-config.toml
+++ b/integration/int-redis-config.toml
@@ -24,7 +24,11 @@ Url = "redis://127.0.0.1/3"

 [servers.rails]
 type = "pseudo"
-cpeNames       = [ "cpe:/a:rubyonrails:ruby_on_rails:3.0.1" ]
+cpeNames = [ "cpe:/a:rubyonrails:rails:3.0.1" ]
+
+[servers.cpe_vendor_product_match]
+type = "pseudo"
+cpeNames = ["cpe:/a:hitachi_abb_power_grids:afs660"]

 [servers.gemfile]
 type = "pseudo"