diff --git a/GNUmakefile b/GNUmakefile
index 296a6893..bf9dc4cb 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -89,7 +89,7 @@ NOW=$(shell date --iso-8601=seconds)
 NOW_JSON_DIR := '${BASE_DIR}/$(NOW)'
 ONE_SEC_AFTER=$(shell date -d '+1 second' --iso-8601=seconds)
 ONE_SEC_AFTER_JSON_DIR := '${BASE_DIR}/$(ONE_SEC_AFTER)'
-LIBS := 'gemfile' 'pipfile' 'poetry' 'composer' 'packagelock' 'yarn' 'cargo' 'gomod'
+LIBS := 'gemfile' 'pipfile' 'poetry' 'composer' 'packagelock' 'yarn' 'cargo' 'gomod' 'rails' 'cpe_vendor_product_match'
 diff:
 # git clone git@github.com:vulsio/vulsctl.git
@@ -108,14 +108,14 @@ endif
 sleep 1
 ./vuls.old scan -config=./integration/int-config.toml --results-dir=${BASE_DIR} ${LIBS}
 cp ${BASE_DIR}/current/*.json ${NOW_JSON_DIR}
- cp integration/data/results/*.json ${NOW_JSON_DIR}
+ - cp integration/data/results/*.json ${NOW_JSON_DIR}
 ./vuls.old report --format-json --refresh-cve --results-dir=${BASE_DIR} -config=./integration/int-config.toml ${NOW}
 mkdir -p ${ONE_SEC_AFTER_JSON_DIR}
 sleep 1
 ./vuls.new scan -config=./integration/int-config.toml --results-dir=${BASE_DIR} ${LIBS}
 cp ${BASE_DIR}/current/*.json ${ONE_SEC_AFTER_JSON_DIR}
- cp integration/data/results/*.json ${ONE_SEC_AFTER_JSON_DIR}
+ - cp integration/data/results/*.json ${ONE_SEC_AFTER_JSON_DIR}
 ./vuls.new report --format-json --refresh-cve --results-dir=${BASE_DIR} -config=./integration/int-config.toml ${ONE_SEC_AFTER}
 $(call sed-d)
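Review bot: The `- cp integration/data/results/*.json ${NOW_JSON_DIR}` recipe lines (and the two matching lines in the @@ -141 hunk of this file) tell make to ignore the command's exit status entirely, presumably because the glob may match nothing now that integration/data/results/rails.json is deleted in this commit; a genuine copy failure (unreadable source, missing ${NOW_JSON_DIR}) is then silenced too, and the old/new report comparison runs on an incomplete result set without anyone noticing. A form that tolerates an empty glob but still surfaces cp errors keeps the check, e.g. `find integration/data/results -name '*.json' -exec cp -t ${NOW_JSON_DIR} {} +` (GNU find returns non-zero when a `+`-form command fails, and the file already relies on GNU date). The recipe these lines belong to starts and ends outside the hunk.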
@@ -141,14 +141,14 @@ endif
 sleep 1
 ./vuls.old scan -config=./integration/int-config.toml --results-dir=${BASE_DIR} ${LIBS}
 cp -f ${BASE_DIR}/current/*.json ${NOW_JSON_DIR}
- cp integration/data/results/*.json ${NOW_JSON_DIR}
+ - cp integration/data/results/*.json ${NOW_JSON_DIR}
 ./vuls.old report --format-json --refresh-cve --results-dir=${BASE_DIR} -config=./integration/int-redis-config.toml ${NOW}
 mkdir -p ${ONE_SEC_AFTER_JSON_DIR}
 sleep 1
 ./vuls.new scan -config=./integration/int-config.toml --results-dir=${BASE_DIR} ${LIBS}
 cp -f ${BASE_DIR}/current/*.json ${ONE_SEC_AFTER_JSON_DIR}
- cp integration/data/results/*.json ${ONE_SEC_AFTER_JSON_DIR}
+ - cp integration/data/results/*.json ${ONE_SEC_AFTER_JSON_DIR}
 ./vuls.new report --format-json --refresh-cve --results-dir=${BASE_DIR} -config=./integration/int-redis-config.toml ${ONE_SEC_AFTER}
 $(call sed-d)
diff --git a/detector/detector.go b/detector/detector.go
index 7557dfaa..9cdd2f46 100644
--- a/detector/detector.go
+++ b/detector/detector.go
@@ -419,10 +419,11 @@ func DetectCpeURIsCves(r *models.ScanResult, cpeURIs []string, cnf config.GoCveD
 if err != nil {
 return err
 }
- for _, detail := range details {
+ for _, detail := range details {
 confidence := models.CpeVersionMatch
- if detail.IsJvn() {
+ if detail.HasJvn() && !detail.HasNvd() {
+ // In the case of CpeVendorProduct-match, only the JVN is set(Nvd is not set).
 confidence = models.CpeVendorProductMatch
 }
diff --git a/go.mod b/go.mod
index a4ec122b..3ccd9d52 100644
--- a/go.mod
+++ b/go.mod
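Review bot: The new `detail.HasJvn() && !detail.HasNvd()` test in DetectCpeURIsCves derives the match confidence from which data sources happen to be populated rather than from an explicit match kind, so any detail the dictionary knows only from JVN is downgraded to models.CpeVendorProductMatch even when the CPE matched on an exact version, while a vendor/product match that also carries NVD data keeps models.CpeVersionMatch; both cases would silently skew the confidence shown to users. The added comment should present this as an assumption about the go-cve-dictionary response (v0.6.2 per go.mod in this commit) rather than an invariant, e.g. `// Assumes go-cve-dictionary returns JVN-only details for vendor/product matches; a JVN-only exact-version match is downgraded here as well.` If the dictionary can expose the match kind directly, testing that instead of the source set would make the confidence exact. DetectCpeURIsCves starts and ends outside the hunk.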
@@ -33,8 +33,8 @@ require (
 github.com/knqyf263/go-cpe v0.0.0-20201213041631-54f6ab28673f
 github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
 github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936
- github.com/kotakanbe/go-cve-dictionary v0.6.0
 github.com/knqyf263/gost v0.2.0
+ github.com/kotakanbe/go-cve-dictionary v0.6.2
 github.com/kotakanbe/go-pingscanner v0.1.0
 github.com/kotakanbe/goval-dictionary v0.3.6-0.20210625044258-9be85404d7dd
 github.com/kotakanbe/logrus-prefixed-formatter v0.0.0-20180123152602-928f7356cb96
@@ -54,8 +54,8 @@ require (
 github.com/spf13/viper v1.8.1 // indirect
 github.com/takuzoo3868/go-msfdb v0.1.5
 github.com/vulsio/go-exploitdb v0.1.8-0.20210625021845-e5081ca67229
- golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e // indirect
- golang.org/x/net v0.0.0-20210614182718-04defd469f4e // indirect
+ golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 // indirect
+ golang.org/x/net v0.0.0-20210716203947-853a461950ff // indirect
 golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c // indirect
diff --git a/go.sum b/go.sum
index 7314dff8..279133fb 100644
--- a/go.sum
+++ b/go.sum
@@ -928,8 +928,8 @@ github.com/knqyf263/nested v0.0.1/go.mod h1:zwhsIhMkBg90DTOJQvxPkKIypEHPYkgWHs4g github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/kotakanbe/go-cve-dictionary v0.6.0 h1:HNSzAJ8gRDmM9heKLUhYx68V+i+dHMnXyKg8ZcvI+ac= -github.com/kotakanbe/go-cve-dictionary v0.6.0/go.mod h1:Ht9ESpkhbQtdVRoo/lEPZ6B8j6lVUsfRkxpfl6FlwD8= +github.com/kotakanbe/go-cve-dictionary v0.6.2 h1:XpTzqVt9IN6mcfWM9v/oJBboyY6GlqukBsKpcIM/OpE= +github.com/kotakanbe/go-cve-dictionary v0.6.2/go.mod h1:Ht9ESpkhbQtdVRoo/lEPZ6B8j6lVUsfRkxpfl6FlwD8= github.com/kotakanbe/go-pingscanner v0.1.0 h1:VG4/9l0i8WeToXclj7bIGoAZAu7a07Z3qmQiIfU0gT0= github.com/kotakanbe/go-pingscanner v0.1.0/go.mod h1:/761QZzuZFcfN8h/1QuawUA+pKukp3qcNj5mxJCOiAk= github.com/kotakanbe/goval-dictionary v0.3.6-0.20210625044258-9be85404d7dd h1:hnkOzwlknmNU64P5UaQzAZcyNnuSsCz/PIt/P/ZPKYg= 
@@ -1529,8 +1529,8 @@ golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWP golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8= -golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e h1:gsTQYXdTw2Gq7RBsWvlQ91b+aEQ6bXFUngBGuR8sPpI= -golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 h1:/UOmuWzQfxxo9UtlXMwuQU8CMgg1eZXqTRwkSQJWKOI= +golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 
@@ -1631,8 +1631,8 @@ golang.org/x/net v0.0.0-20210220033124-5f55cee0dc0d/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= -golang.org/x/net v0.0.0-20210614182718-04defd469f4e h1:XpT3nA5TvE525Ne3hInMh6+GETgn27Zfm9dxsThnX2Q= -golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20210716203947-853a461950ff h1:j2EK/QoxYNBsXI4R7fQkkRUk8y6wnOBI+6hgPdP/6Ds= +golang.org/x/net v0.0.0-20210716203947-853a461950ff/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/oauth2 v0.0.0-20180724155351-3d292e4d0cdc/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20181017192945-9dcd33a902f4/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= diff --git a/integration/data/results/rails.json b/integration/data/results/rails.json deleted file mode 100644 index 0288da00..00000000 --- a/integration/data/results/rails.json +++ /dev/null 
@@ -1,131 +0,0 @@ -{ - "jsonVersion": 4, - "lang": "", - "serverUUID": "", - "serverName": "rails", - "family": "pseudo", - "release": "", - "container": { - "containerID": "", - "name": "", - "image": "", - "type": "", - "uuid": "" - }, - "platform": { - "name": "other", - "instanceID": "" - }, - "scannedAt": "2021-03-31T12:22:26.428630183+09:00", - "scanMode": "fast mode", - "scannedVersion": "v0.15.9", - "scannedRevision": "build-20210331_121257_1a58c94", - "scannedBy": "dev", - "scannedVia": "pseudo", - "scannedIpv4Addrs": [ - "172.19.0.1", - "172.17.0.1", - "172.27.0.1" - ], - "reportedAt": "0001-01-01T00:00:00Z", - "reportedVersion": "", - "reportedRevision": "", - "reportedBy": "", - "errors": [], - "warnings": [], - "scannedCves": {}, - "runningKernel": { - "release": "", - "version": "", - "rebootRequired": false - }, - "packages": {}, - "config": { - "scan": { - "logDir": "/var/log/vuls", - "resultsDir": "/home/ubuntu/go/src/github.com/future-architect/vuls/results", - "default": { - "port": "22", - "scanMode": [ - "fast" - ] - }, - "servers": { - "rails": { - "serverName": "rails", - "cpeNames": [ - "cpe:/a:rubyonrails:ruby_on_rails:3.0.1" - ], - "scanMode": [ - "fast" - ], - "type": "pseudo", - "wordpress": {} - } - }, - "cveDict": { - "Name": "cveDict", - "Type": "sqlite3", - "SQLite3Path": "/home/ubuntu/go/src/github.com/kotakanbe/go-cve-dictionary/cve.sqlite3", - "DebugSQL": false - }, - "ovalDict": { - "Name": "ovalDict", - "Type": "sqlite3", - "SQLite3Path": "/home/ubuntu/go/src/github.com/kotakanbe/goval-dictionary/oval.sqlite3", - "DebugSQL": false - }, - "gost": { - "Name": "gost", - "Type": "sqlite3", - "SQLite3Path": "/home/ubuntu/go/src/github.com/future-architect/vuls/gost.sqlite3", - "DebugSQL": false - }, - "exploit": { - "Name": "exploit", - "Type": "sqlite3", - "SQLite3Path": "/home/ubuntu/go/src/github.com/vulsio/go-exploitdb/go-exploitdb.sqlite3", - "DebugSQL": false - }, - "metasploit": { - "Name": "metasploit", - "Type": "sqlite3", - 
"SQLite3Path": "/home/ubuntu/go/src/github.com/takuzoo3868/go-msfdb/go-msfdb.sqlite3", - "DebugSQL": false - } - }, - "report": { - "default": {}, - "cveDict": { - "Name": "", - "Type": "", - "SQLite3Path": "", - "DebugSQL": false - }, - "ovalDict": { - "Name": "", - "Type": "", - "SQLite3Path": "", - "DebugSQL": false - }, - "gost": { - "Name": "", - "Type": "", - "SQLite3Path": "", - "DebugSQL": false - }, - "exploit": { - "Name": "", - "Type": "", - "SQLite3Path": "", - "DebugSQL": false - }, - "metasploit": { - "Name": "", - "Type": "", - "SQLite3Path": "", - "DebugSQL": false - } - } - } -}
\ No newline at end of file
diff --git a/integration/int-config.toml b/integration/int-config.toml
index a6a9855a..448f6a2e 100755
--- a/integration/int-config.toml
+++ b/integration/int-config.toml
@@ -24,7 +24,11 @@
 [servers.rails]
 type = "pseudo"
-cpeNames = [ "cpe:/a:rubyonrails:ruby_on_rails:3.0.1" ]
+cpeNames = [ "cpe:/a:rubyonrails:rails:3.0.1" ]
+
+[servers.cpe_vendor_product_match]
+type = "pseudo"
+cpeNames = ["cpe:/a:hitachi_abb_power_grids:afs660"]
 [servers.gemfile]
 type = "pseudo"
diff --git a/integration/int-redis-config.toml b/integration/int-redis-config.toml
index b3bb3c82..db49aa2a 100755
--- a/integration/int-redis-config.toml
+++ b/integration/int-redis-config.toml
@@ -24,7 +24,11 @@ Url = "redis://127.0.0.1/3"
 [servers.rails]
 type = "pseudo"
-cpeNames = [ "cpe:/a:rubyonrails:ruby_on_rails:3.0.1" ]
+cpeNames = [ "cpe:/a:rubyonrails:rails:3.0.1" ]
+
+[servers.cpe_vendor_product_match]
+type = "pseudo"
+cpeNames = ["cpe:/a:hitachi_abb_power_grids:afs660"]
 [servers.gemfile]
 type = "pseudo"
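Review bot: The new `[servers.cpe_vendor_product_match]` entry (here and in the identical hunk of integration/int-redis-config.toml) gives no hint that its CPE `cpe:/a:hitachi_abb_power_grids:afs660` is deliberately left without a version component, which is presumably what exercises the models.CpeVendorProductMatch confidence path touched in detector/detector.go in this commit; a later maintainer tidying the fixtures could append a version and silently lose that coverage. A one-line comment above the entry would pin the intent, e.g. `# versionless CPE on purpose: exercises the vendor/product-match (lower-confidence) path`. Keeping the same comment in both config files avoids the two fixtures drifting apart.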