Stage/vuls
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix docker

Browse Source
This commit is contained in:
Sadayuki Matsuno
2016-09-21 11:49:27 +09:00
parent ac6fe6f9fc
commit c2eab87a3f
22 changed files with 399 additions and 313 deletions
Download Patch File Download Diff File Expand all files Collapse all files

101
setup/docker/README.ja.md
View File

@@ -1,101 +0,0 @@
# Vuls on Docker
## What's Vuls-On-Docker
- 数個のコマンドを実行するだけでVulsとvulsrepoのセットアップが出来るスクリプト
- Dockerコンテナ上にVulsと[vulsrepo](https://github.com/usiusi360/vulsrepo)をセットアップ可能
- スキャン結果をvulsrepoでブラウザで分析可能
- 脆弱性データベースの更新が可能
- モジュールのアップデートが可能
## Setting up your machine
1. [Install Docker](https://docs.docker.com/engine/installation/)
2. [Install Docker-Compose](https://docs.docker.com/compose/install/)
3. 実行前に以下のコマンドが実行可能なことを確認する
```
$ docker version
$ docker-compose version
```
4. Vulsをgit clone
```
mkdir work
cd work
git clone https://github.com/future-architect/vuls.git
cd vuls/setup/docker
```
## Start A Vuls Container
- 以下のコマンドを実行してコンテナをビルドする
```
$ docker-compose up -d
```
## Setting up Vuls
1. スキャン対象サーバのSSH秘密鍵を保存(vuls/setup/docker/conf/)する
2. config.toml(vuls/setup/docker/conf/config.toml) を環境に合わせて作成する
```
[servers]
[servers.172-31-4-82]
host = "172.31.4.82"
user = "ec2-user"
keyPath = "conf/id_rsa"
```
## Fetch Vulnerability database
- NVDから脆弱性データベースを取得する
```
$ docker exec -t vuls scripts/fetch_nvd_all.sh
```
- レポートを日本語化する場合は、JVNから脆弱性データを取得する
```
$ docker exec -t vuls scripts/fetch_jvn_all.sh
```
## Scan servers with Vuls-On-Docker
- スキャンを実行する
```
$ docker exec -t vuls vuls prepare -config=conf/config.toml
$ docker exec -t vuls scripts/scan_for_vulsrepo.sh
```
## See the results in a browser
```
http://${Vuls_Host}/vulsrepo/
```
# Update modules
- vuls, go-cve-dictionary, vulsrepoのモジュールをアップデートする
```
$ docker exec -t vuls scripts/update_modules.sh
```
# Update Vulnerability database
- NVDの過去年分の脆弱性データベースを更新する
```
$ docker exec -t vuls scripts/fetch_nvd_last2y.sh
```
- JVNの過去ヶ月分の脆弱性データベースを更新する
```
$ docker exec -t vuls scripts/fetch_jvn_month.sh
```
- JVNの過去1週間分の脆弱性データベースを更新する
```
$ docker exec -t vuls scripts/fetch_jvn_week.sh
```

167
setup/docker/README.md
View File

@@ -1,87 +1,106 @@
# Vuls on Docker
# Vuls Docker components
## What's Vuls-On-Docker
This is the Git repo of the official Docker image for vuls.
- This is a dockernized-Vuls with vulsrepo UI in it.
- It's designed to reduce the cost of installation and the dependencies that vuls requires.
- You can run install and run Vuls on your machine with only a few commands.
- The result can be viewed with a browser
# Supported tags and respective `Dockerfile` links
## Setting up your machine
1. [Install Docker](https://docs.docker.com/engine/installation/)
2. [Install Docker-Compose](https://docs.docker.com/compose/install/)
3. Make sure that you can run the following commands before you move on.
- go-cve-dictionary
- [`latest` (*go-cve-dictionary:latest Dockerfile*)]()
- vuls
- [`latest` (*vuls:latest Dockerfile*)]()
- vulsrepo
- [`latest` (*vulsrepo:latest Dockerfile*)]()
```
$ docker version
$ docker-compose version
```
4. git clone vuls
```
mkdir work
cd work
git clone https://github.com/future-architect/vuls.git
cd vuls/setup/docker
```
This image version is same as the github repository version.
# How to use this image
1. fetch nvd (vuls/go-cve-dictionary)
1. configuration (vuls/vuls)
1. prepare (vuls/vuls)
1. scan (vuls/vuls)
1. vulsrepo (vuls/vulsrepo)
## Start A Vuls Container
## Step1. Fetch NVD
- Execute the following command to build and run a Vuls Container
```
$ docker-compose up -d
```
## Setting up Vuls
1. Locate ssh-keys of target servers in (vuls/setup/docker/conf/)
2. Create and adjust config.toml(vuls/setup/docker/conf/config.toml) to your environment
```
[servers]
[servers.172-31-4-82]
host = "172.31.4.82"
user = "ec2-user"
keyPath = "conf/id_rsa"
```
## Fetch Vulnerability database
- Fetch Vulnerability database from NVD
```
$ docker exec -t vuls scripts/fetch_nvd_all.sh
```
## Scan servers with Vuls-On-Docker
- Use the embedded script to scan servers for vulsrepo(or run whatever with docker exec)
```
$ docker exec -t vuls vuls prepare -config=conf/config.toml
$ docker exec -t vuls scripts/scan_for_vulsrepo.sh
```
## See the results in a browser
```
http://${Vuls_Host}/vulsrepo/
```console
$ for i in {2002..2016}; do \
docker run --rm -it \
-v $PWD:/vuls vuls/go-cve-dictionary fetchnvd -years $i; \
done
```
# Update modules
## Step2. Configuration
- update vuls, go-cve-dictionary, vulsrepo
```
$ docker exec -t vuls scripts/update_modules.sh
```
Create config.toml referring to [this](https://github.com/future-architect/vuls#configuration).
# Update Vulnerability database
```toml
[servers]
- Fetch Vulnerability database from NVD
```
$ docker exec -t vuls scripts/fetch_nvd_last2y.sh
```
[servers.amazon]
host = "54.249.93.16"
port = "22"
user = "vuls-user"
keyPath = "/root/.ssh/id_rsa" # path to ssh private key in docker
```
 
```console
$ docker run --rm \
-v ~/.ssh:/root/.ssh:ro \
-v $PWD:/vuls \
vuls/vuls configtest \
-config=./config.toml # path to config.toml in docker
```
## Step3. Prepare
```console
$ docker run --rm \
-v ~/.ssh:/root/.ssh:ro \
-v $PWD:/vuls \
vuls/vuls prepare \
-config=./config.toml # path to config.toml in docker
```
## Step4. Scan
```console
$ docker run --rm -it \
-v ~/.ssh:/root/.ssh:ro \
-v $PWD:/vuls \
-v /etc/localtime:/etc/localtime:ro \
-e "TZ=Asia/Tokyo" \
vuls/vuls scan \
-cve-dictionary-dbpath=/vuls/cve.sqlite3 \
-config=./config.toml \ # path to config.toml in docker
-report-json
```
## Step5. vulsrepo
```console
$docker run -dt \
-v $PWD:/vuls \
-p 80:80 \
vuls/vulsrepo
```
# User Feedback
## Documentation
Documentation for this image is stored in the [`docker/` directory]() of the [`future-architect/vuls` GitHub repo](https://github.com/future-architect/vuls).
## Issues
If you have any problems with or questions about this image, please contact us through a [GitHub issue](https://github.com/future-architect/vuls/issues).
## Contributing
1. fork a repository: github.com/future-architect/vuls to github.com/you/repo
1. get original code: go get github.com/future-architect/vuls
1. work on original code
1. add remote to your repo: git remote add myfork https://github.com/you/repo.git
1. push your changes: git push myfork
1. create a new Pull Request

12
setup/docker/base/latest/Dockerfile Normal file
View File

@@ -0,0 +1,12 @@
FROM golang:1.7.1
MAINTAINER hikachan sadayuki-matsuno
# glide install
ENV GLIDE_VERSION 0.12.2
ENV GLIDE_DOWNLOAD_URL https://github.com/Masterminds/glide/releases/download/v$GLIDE_VERSION/glide-v$GLIDE_VERSION-linux-amd64.tar.gz
RUN curl -fsSL "$GLIDE_DOWNLOAD_URL" -o glide.tar.gz \
&& mkdir /usr/local/glide \
&& tar -C /usr/local/glide -xzf glide.tar.gz \
&& ln -s /usr/local/glide/linux-amd64/glide /usr/local/bin/ \
&& rm glide.tar.gz

14
setup/docker/base/latest/README.md Normal file
View File

@@ -0,0 +1,14 @@
# Vuls-Base-Docker
This is the Git repo of the official Docker image for vuls-base.
See the [Hub page](https://hub.docker.com/r/vuls/vuls-base/) for the full readme on how to use the Docker image and for information regarding contributing and issues.
# Supported tags and respective `Dockerfile` links
- [`0.1.0`, `latest` (*vuls-base:0.1.0 Dockerfile*)]()
# What is vuls-base?
Base images of vuls and go-cve-dictionary.

0
setup/docker/conf/.gitkeep
View File

11
setup/docker/docker-compose.yml
View File

@@ -1,11 +0,0 @@
version: '2'
services:
vuls:
container_name: vuls
build: ./dockerfile
image: vuls-docker:0.1
volumes:
- ./conf:/opt/vuls/conf
ports:
- "80:80"

73
setup/docker/dockerfile/Dockerfile
View File

@@ -1,73 +0,0 @@
FROM buildpack-deps:jessie-scm
# golang Install
RUN apt-get update && apt-get install -y --no-install-recommends \
g++ \
gcc \
libc6-dev \
make \
curl \
&& rm -rf /var/lib/apt/lists/*
ENV GOLANG_VERSION 1.6.2
ENV GOLANG_DOWNLOAD_URL https://golang.org/dl/go$GOLANG_VERSION.linux-amd64.tar.gz
ENV GOLANG_DOWNLOAD_SHA256 e40c36ae71756198478624ed1bb4ce17597b3c19d243f3f0899bb5740d56212a
RUN curl -fsSL "$GOLANG_DOWNLOAD_URL" -o golang.tar.gz \
&& echo "$GOLANG_DOWNLOAD_SHA256 golang.tar.gz" | sha256sum -c - \
&& tar -C /usr/local -xzf golang.tar.gz \
&& rm golang.tar.gz
ENV GOPATH /go
ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH"
# glide install
ENV GLIDE_VERSION 0.10.2
ENV GLIDE_DOWNLOAD_URL https://github.com/Masterminds/glide/releases/download/$GLIDE_VERSION/glide-$GLIDE_VERSION-linux-amd64.tar.gz
RUN curl -fsSL "$GLIDE_DOWNLOAD_URL" -o glide.tar.gz \
&& mkdir /usr/local/glide \
&& tar -C /usr/local/glide -xzf glide.tar.gz \
&& ln -s /usr/local/glide/linux-amd64/glide /usr/local/bin/ \
&& rm glide.tar.gz
#Vuls Install
ENV VULS_ROOT /opt/vuls
RUN mkdir -p /var/log/vuls ${VULS_ROOT}/conf /root/.ssh/
RUN chmod 700 -R /var/log/vuls $VULS_ROOT
# RUN go get github.com/kotakanbe/go-cve-dictionary
# RUN go get github.com/future-architect/vuls
RUN go get -v -d github.com/kotakanbe/go-cve-dictionary \
&& cd $GOPATH/src/github.com/kotakanbe/go-cve-dictionary \
&& glide install \
&& go install
RUN go get -v -d github.com/future-architect/vuls \
&& cd $GOPATH/src/github.com/future-architect/vuls \
&& glide install \
&& go install
# Copy custom Scripts
COPY ./scripts/ ${VULS_ROOT}/scripts
RUN chmod 755 ${VULS_ROOT}/scripts/*
#Vulrepo Install
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
apache2 \
libcgi-pm-perl \
libjson-perl \
&& rm -rf /var/lib/apt/lists/* \
&& cd /var/www/html/ \
&& git clone https://github.com/usiusi360/vulsrepo \
&& mkdir /var/www/html/vulsrepo/results \
&& cp /var/www/html/vulsrepo/dist/cgi/vulsrepo.conf.sample /etc/apache2/conf-enabled/vulsrepo.conf \
&& a2enmod cgid
#Home
WORKDIR /opt/vuls
EXPOSE 80 443
ENTRYPOINT service apache2 start && tail -f /dev/null

6
setup/docker/dockerfile/scripts/fetch_jvn_all.sh
View File

@@ -1,6 +0,0 @@
#!/bin/bash
VULS_ROOT=/opt/vuls
#VULS_CONF=${VULS_ROOT}/conf
cd $VULS_ROOT
for i in {2002..2016}; do go-cve-dictionary fetchjvn -years $i; done

6
setup/docker/dockerfile/scripts/fetch_jvn_last2y.sh
View File

@@ -1,6 +0,0 @@
#!/bin/bash
VULS_ROOT=/opt/vuls
#VULS_CONF=${VULS_ROOT}/conf
cd $VULS_ROOT
go-cve-dictionary fetchjvn -last2y

5
setup/docker/dockerfile/scripts/fetch_jvn_latest.sh
View File

@@ -1,5 +0,0 @@
#!/bin/bash
VULS_ROOT=/opt/vuls
#VULS_CONF=${VULS_ROOT}/conf
cd $VULS_ROOT
go-cve-dictionary fetchjvn -latest

6
setup/docker/dockerfile/scripts/fetch_nvd_all.sh
View File

@@ -1,6 +0,0 @@
#!/bin/bash
VULS_ROOT=/opt/vuls
#VULS_CONF=${VULS_ROOT}/conf
cd $VULS_ROOT
for i in {2002..2016}; do go-cve-dictionary fetchnvd -years $i; done

6
setup/docker/dockerfile/scripts/fetch_nvd_last2y.sh
View File

@@ -1,6 +0,0 @@
#!/bin/bash
VULS_ROOT=/opt/vuls
#VULS_CONF=${VULS_ROOT}/conf
cd $VULS_ROOT
go-cve-dictionary fetchnvd -last2y

8
setup/docker/dockerfile/scripts/scan_for_vulsrepo.sh
View File

@@ -1,8 +0,0 @@
#!/bin/bash
VULS_ROOT=/opt/vuls
VULS_CONF=${VULS_ROOT}/conf
APACHE_VULSREPO_ROOT=/var/www/html/vulsrepo
cd $VULS_ROOT
vuls scan -report-json --cve-dictionary-dbpath=${VULS_ROOT}/cve.sqlite3 -config=${VULS_CONF}/config.toml
rm ${APACHE_VULSREPO_ROOT}/results/*
cp ${VULS_ROOT}/results/current/* ${APACHE_VULSREPO_ROOT}/results

16
setup/docker/dockerfile/scripts/update_modules.sh
View File

@@ -1,16 +0,0 @@
#!/bin/bash
cd $GOPATH/src/github.com/future-architect/vuls
git pull origin master
glide install
go install
cd $GOPATH/src/github.com/kotakanbe/go-cve-dictionary
git pull origin master
glide install
go install
cd /var/www/html/vulsrepo
git pull origin master

21
setup/docker/go-cve-dictionary/latest/Dockerfile Normal file
View File

@@ -0,0 +1,21 @@
FROM vuls/vuls-base:latest
MAINTAINER hikachan sadayuki-matsuno
ENV REPOSITORY github.com/kotakanbe/go-cve-dictionary
ENV WORKDIR /vuls
# go-cve-dictionary install
RUN git clone https://$REPOSITORY.git $GOPATH/src/$REPOSITORY \
&& cd $GOPATH/src/$REPOSITORY \
&& glide install \
&& go build \
&& mv $GOPATH/src/$REPOSITORY/go-cve-dictionary /usr/local/bin \
&& chmod +x /usr/local/bin/go-cve-dictionary \
&& mkdir -p /var/log/vuls
VOLUME $WORKDIR
WORKDIR $WORKDIR
ENV PWD $WORKDIR
ENTRYPOINT ["go-cve-dictionary"]
CMD ["--help"]

66
setup/docker/go-cve-dictionary/latest/README.md Normal file
View File

@@ -0,0 +1,66 @@
# go-cve-dictionary
This is the Git repo of the official Docker image for go-cve-dictionary.
See the [Hub page](https://hub.docker.com/r/vuls/go-cve-dictionary/) for the full readme on how to use the Docker image and for information regarding contributing and issues.
# Supported tags and respective `Dockerfile` links
- [`latest` (*go-cve-dictionary:latest Dockerfile*)]()
This image version is same as the github repository version.
# What is go-cve-dictionary?
This is tool to build a local copy of the NVD (National Vulnerabilities Database) [1] and the Japanese JVN [2], which contain security vulnerabilities according to their CVE identifiers [3] including exhaustive information and a risk score. The local copy is generated in sqlite format, and the tool has a server mode for easy querying.
[1] https://en.wikipedia.org/wiki/National_Vulnerability_Database
[2] https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures
[3] http://jvndb.jvn.jp/apis/termsofuse.html
# How to use this image
## fetchnvd
```console
$ for i in {2002..2016}; do \
docker run --rm -it \
-v $PWD:/vuls \
vuls/go-cve-dictionary fetchnvd -years $i; \
done
```
## server
```console
$ docker run -dt \
--name go-cve-dictionary \
-v $PWD:/vuls \
--expose 1323 \
-p 1323:1323 \
vuls/go-cve-dictionary server --bind=0.0.0.0
```
Prease refer to [this](https://hub.docker.com/r/vuls/go-cve-dictionary).
## vuls
Please refer to [this](https://hub.docker.com/r/vuls/vuls/).
# User Feedback
## Documentation
Documentation for this image is stored in the [`docker/` directory]() of the [`future-architect/vuls` GitHub repo](https://github.com/future-architect/vuls).
## Issues
If you have any problems with or questions about this image, please contact us through a [GitHub issue](https://github.com/future-architect/vuls/issues).
## Contributing
1. fork a repository: github.com/future-architect/vuls to github.com/you/repo
1. get original code: go get github.com/future-architect/vuls
1. work on original code
1. add remote to your repo: git remote add myfork https://github.com/you/repo.git
1. push your changes: git push myfork
1. create a new Pull Request

21
setup/docker/vuls/latest/Dockerfile Normal file
View File

@@ -0,0 +1,21 @@
FROM vuls/vuls-base:latest
MAINTAINER hikachan sadayuki-matsuno
ENV REPOSITORY github.com/future-architect/vuls
ENV WORKDIR /vuls
# go-cve-dictionary install
RUN git clone https://$REPOSITORY.git $GOPATH/src/$REPOSITORY \
&& cd $GOPATH/src/$REPOSITORY \
&& glide install \
&& go build \
&& mv $GOPATH/src/$REPOSITORY/vuls /usr/local/bin \
&& mkdir -p /var/log/vuls \
&& chmod +x /usr/local/bin/vuls
VOLUME $WORKDIR
WORKDIR $WORKDIR
ENV PWD $WORKDIR
ENTRYPOINT ["vuls"]
CMD ["--help"]

96
setup/docker/vuls/latest/README.md Normal file
View File

@@ -0,0 +1,96 @@
# Vuls-Docker
This is the Git repo of the official Docker image for vuls.
See the [Hub page](https://hub.docker.com/r/vuls/vuls/) for the full readme on how to use the Docker image and for information regarding contributing and issues.
# Supported tags and respective `Dockerfile` links
- [`latest` (*vuls:latest Dockerfile*)]()
This image version is same as the github repository version.
# What is Vuls?
Vuls is the Vulnerability scanner for Linux/FreeBSD, agentless, written in golang.
Please see the [Documentation](https://github.com/future-architect/vuls)
![logo](https://github.com/future-architect/vuls/blob/master/img/vuls_logo.png?raw=true)
# How to use this image
## configtest
Create config.toml referring to [this](https://github.com/future-architect/vuls#configuration).
```toml
[servers]
[servers.amazon]
host = "54.249.93.16"
port = "22"
user = "vuls-user"
keyPath = "/root/.ssh/id_rsa" # path to ssh private key in docker
```
 
```console
$ docker run --rm \
-v ~/.ssh:/root/.ssh:ro \
-v $PWD:/vuls \
vuls/vuls configtest
```
## prepare
```console
$ docker run --rm \
-v ~/.ssh:/root/.ssh:ro \
-v $PWD:/vuls \
vuls/vuls prepare \
-config=./config.toml # path to config.toml in docker
```
## scan
```console
$ docker run --rm -it \
-v ~/.ssh:/root/.ssh:ro \
-v $PWD:/vuls \
-v /etc/localtime:/etc/localtime:ro \
vuls/vuls scan \
-cve-dictionary-dbpath=/vuls/cve.sqlite3 \
-config=./config.toml \ # path to config.toml in docker
-report-json
```
## tui
```console
$ docker run --rm -it \
-v $PWD:/vuls \
vuls/vuls tui
```
## vulsrepo
Prease refer to [this](https://hub.docker.com/r/vuls/vulsrepo/).
# User Feedback
## Documentation
Documentation for this image is stored in the [`docker/` directory]() of the [`future-architect/vuls` GitHub repo](https://github.com/future-architect/vuls).
## Issues
If you have any problems with or questions about this image, please contact us through a [GitHub issue](https://github.com/future-architect/vuls/issues).
## Contributing
1. fork a repository: github.com/future-architect/vuls to github.com/you/repo
1. get original code: go get github.com/future-architect/vuls
1. work on original code
1. add remote to your repo: git remote add myfork https://github.com/you/repo.git
1. push your changes: git push myfork
1. create a new Pull Request

31
setup/docker/vulsrepo/latest/Dockerfile Normal file
View File

@@ -0,0 +1,31 @@
FROM httpd:2.4
MAINTAINER hikachan sadayuki-matsuno
# install packages
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
ca-certificates \
vim \
git \
libcgi-pm-perl \
libjson-perl \
&& rm -r /var/lib/apt/lists/*
# env
ENV HTTPD_PREFIX /usr/local/apache2
VOLUME /vuls
WORKDIR ${HTTPD_PREFIX}/htdocs
RUN git clone https://github.com/usiusi360/vulsrepo.git \
&& echo "LoadModule cgid_module modules/mod_cgid.so" >> $HTTPD_PREFIX/conf/httpd.conf \
&& echo "<Directory \"$HTTPD_PREFIX/htdocs/vulsrepo/dist/cgi\">" >> $HTTPD_PREFIX/conf/httpd.conf \
&& echo " Options +ExecCGI +FollowSymLinks" >> $HTTPD_PREFIX/conf/httpd.conf \
&& echo " AddHandler cgi-script cgi" >> $HTTPD_PREFIX/conf/httpd.conf \
&& echo "</Directory>" >> $HTTPD_PREFIX/conf/httpd.conf \
&& sed -i -e 's/User daemon/#User/g' $HTTPD_PREFIX/conf/httpd.conf \
&& sed -i -e 's/Group daemon/#Group/g' $HTTPD_PREFIX/conf/httpd.conf \
&& ln -snf /vuls/results /usr/local/apache2/htdocs/vulsrepo/results
EXPOSE 80
CMD ["httpd-foreground"]

44
setup/docker/vulsrepo/latest/README.md Normal file
View File

@@ -0,0 +1,44 @@
# VulsRepo-Docker
This is the Git repo of the official Docker image for vulsrepo.
See the [Hub page](https://hub.docker.com/r/vuls/vulsrepo/) for the full readme on how to use the Docker image and for information regarding contributing and issues.
# Supported tags and respective `Dockerfile` links
- [`latest` (*vulsrepo:latest Dockerfile*)]()
This image version is same as the github repository version.
# What is vulsrepo?
VulsRepo is visualized based on the json report output in [vuls](https://github.com/future-architect/vuls).
# How to use this image
## vulsrepo
```console
$docker run -dt \
-v $PWD:/vuls \
-p 80:80 \
vuls/vulsrepo
```
# User Feedback
## Documentation
Documentation for this image is stored in the [`docker/` directory]() of the [`future-architect/vuls` GitHub repo](https://github.com/future-architect/vuls).
## Issues
If you have any problems with or questions about this image, please contact us through a [GitHub issue](https://github.com/future-architect/vuls/issues).
## Contributing
1. fork a repository: github.com/future-architect/vuls to github.com/you/repo
1. get original code: go get github.com/future-architect/vuls
1. work on original code
1. add remote to your repo: git remote add myfork https://github.com/you/repo.git
1. push your changes: git push myfork
1. create a new Pull Request