Rename linux.go to base.go

2016-06-16 10:37:49 +09:00
parent d9d0e629fd
commit c3deb93489
6 changed files with 24 additions and 24 deletions
--- a/scan/base.go
+++ b/scan/base.go
@@ -0,0 +1,284 @@
+/* Vuls - Vulnerability Scanner
+Copyright (C) 2016  Future Architect, Inc. Japan.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package scan
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+
+	"github.com/Sirupsen/logrus"
+	"github.com/future-architect/vuls/config"
+	"github.com/future-architect/vuls/cveapi"
+	"github.com/future-architect/vuls/models"
+)
+
+type base struct {
+	ServerInfo config.ServerInfo
+
+	Family   string
+	Release  string
+	Platform models.Platform
+	osPackages
+
+	log  *logrus.Entry
+	errs []error
+}
+
+func (l *base) ssh(cmd string, sudo bool) sshResult {
+	return sshExec(l.ServerInfo, cmd, sudo, l.log)
+}
+
+func (l *base) setServerInfo(c config.ServerInfo) {
+	l.ServerInfo = c
+}
+
+func (l base) getServerInfo() config.ServerInfo {
+	return l.ServerInfo
+}
+
+func (l *base) setDistributionInfo(fam, rel string) {
+	l.Family = fam
+	l.Release = rel
+}
+
+func (l base) getDistributionInfo() string {
+	return fmt.Sprintf("%s %s", l.Family, l.Release)
+}
+
+func (l *base) setPlatform(p models.Platform) {
+	l.Platform = p
+}
+
+func (l base) getPlatform() models.Platform {
+	return l.Platform
+}
+
+func (l base) allContainers() (containers []config.Container, err error) {
+	switch l.ServerInfo.Container.Type {
+	case "", "docker":
+		stdout, err := l.dockerPs("-a --format '{{.ID}} {{.Names}}'")
+		if err != nil {
+			return containers, err
+		}
+		return l.parseDockerPs(stdout)
+	default:
+		return containers, fmt.Errorf(
+			"Not supported yet: %s", l.ServerInfo.Container.Type)
+	}
+}
+
+func (l *base) runningContainers() (containers []config.Container, err error) {
+	switch l.ServerInfo.Container.Type {
+	case "", "docker":
+		stdout, err := l.dockerPs("--format '{{.ID}} {{.Names}}'")
+		if err != nil {
+			return containers, err
+		}
+		return l.parseDockerPs(stdout)
+	default:
+		return containers, fmt.Errorf(
+			"Not supported yet: %s", l.ServerInfo.Container.Type)
+	}
+}
+
+func (l *base) exitedContainers() (containers []config.Container, err error) {
+	switch l.ServerInfo.Container.Type {
+	case "", "docker":
+		stdout, err := l.dockerPs("--filter 'status=exited' --format '{{.ID}} {{.Names}}'")
+		if err != nil {
+			return containers, err
+		}
+		return l.parseDockerPs(stdout)
+	default:
+		return containers, fmt.Errorf(
+			"Not supported yet: %s", l.ServerInfo.Container.Type)
+	}
+}
+
+func (l *base) dockerPs(option string) (string, error) {
+	cmd := fmt.Sprintf("docker ps %s", option)
+	r := l.ssh(cmd, noSudo)
+	if !r.isSuccess() {
+		return "", fmt.Errorf(
+			"Failed to %s. status: %d, stdout: %s, stderr: %s",
+			cmd, r.ExitStatus, r.Stdout, r.Stderr)
+	}
+	return r.Stdout, nil
+}
+
+func (l *base) parseDockerPs(stdout string) (containers []config.Container, err error) {
+	lines := strings.Split(stdout, "\n")
+	for _, line := range lines {
+		fields := strings.Fields(line)
+		if len(fields) == 0 {
+			break
+		}
+		if len(fields) != 2 {
+			return containers, fmt.Errorf("Unknown format: %s", line)
+		}
+		containers = append(containers, config.Container{
+			ContainerID: fields[0],
+			Name:        fields[1],
+		})
+	}
+	return
+}
+
+func (l *base) detectPlatform() error {
+	ok, instanceID, err := l.detectRunningOnAws()
+	if err != nil {
+		return err
+	}
+	if ok {
+		l.setPlatform(models.Platform{
+			Name:       "aws",
+			InstanceID: instanceID,
+		})
+		return nil
+	}
+
+	//TODO Azure, GCP...
+	l.setPlatform(models.Platform{
+		Name: "other",
+	})
+	return nil
+}
+
+func (l base) detectRunningOnAws() (ok bool, instanceID string, err error) {
+	if r := l.ssh("type curl", noSudo); r.isSuccess() {
+		cmd := "curl --max-time 1 --retry 3 --noproxy 169.254.169.254 http://169.254.169.254/latest/meta-data/instance-id"
+		if r := l.ssh(cmd, noSudo); r.isSuccess() {
+			id := strings.TrimSpace(r.Stdout)
+			return true, id, nil
+		} else if r.ExitStatus == 28 || r.ExitStatus == 7 {
+			// Not running on AWS
+			//  7   Failed to connect to host.
+			// 28  operation timeout.
+			return false, "", nil
+		}
+	}
+
+	if r := l.ssh("type wget", noSudo); r.isSuccess() {
+		cmd := "wget --tries=3 --timeout=1 --no-proxy -q -O - http://169.254.169.254/latest/meta-data/instance-id"
+		if r := l.ssh(cmd, noSudo); r.isSuccess() {
+			id := strings.TrimSpace(r.Stdout)
+			return true, id, nil
+		} else if r.ExitStatus == 4 {
+			// Not running on AWS
+			// 4   Network failure
+			return false, "", nil
+		}
+	}
+	return false, "", fmt.Errorf(
+		"Failed to curl or wget to AWS instance metadata on %s. container: %s",
+		l.ServerInfo.ServerName, l.ServerInfo.Container.Name)
+}
+
+func (l *base) convertToModel() (models.ScanResult, error) {
+	var scoredCves, unscoredCves models.CveInfos
+	for _, p := range l.UnsecurePackages {
+		if p.CveDetail.CvssScore(config.Conf.Lang) <= 0 {
+			unscoredCves = append(unscoredCves, models.CveInfo{
+				CveDetail:        p.CveDetail,
+				Packages:         p.Packs,
+				DistroAdvisories: p.DistroAdvisories, // only Amazon Linux
+			})
+			continue
+		}
+
+		cpenames := []models.CpeName{}
+		for _, cpename := range p.CpeNames {
+			cpenames = append(cpenames,
+				models.CpeName{Name: cpename})
+		}
+
+		cve := models.CveInfo{
+			CveDetail:        p.CveDetail,
+			Packages:         p.Packs,
+			DistroAdvisories: p.DistroAdvisories, // only Amazon Linux
+			CpeNames:         cpenames,
+		}
+		scoredCves = append(scoredCves, cve)
+	}
+
+	container := models.Container{
+		ContainerID: l.ServerInfo.Container.ContainerID,
+		Name:        l.ServerInfo.Container.Name,
+	}
+
+	sort.Sort(scoredCves)
+	sort.Sort(unscoredCves)
+
+	return models.ScanResult{
+		ServerName:  l.ServerInfo.ServerName,
+		Family:      l.Family,
+		Release:     l.Release,
+		Container:   container,
+		Platform:    l.Platform,
+		KnownCves:   scoredCves,
+		UnknownCves: unscoredCves,
+	}, nil
+}
+
+// scanVulnByCpeName search vulnerabilities that specified in config file.
+func (l *base) scanVulnByCpeName() error {
+	unsecurePacks := CvePacksList{}
+
+	serverInfo := l.getServerInfo()
+	cpeNames := serverInfo.CpeNames
+
+	// remove duplicate
+	set := map[string]CvePacksInfo{}
+
+	for _, name := range cpeNames {
+		details, err := cveapi.CveClient.FetchCveDetailsByCpeName(name)
+		if err != nil {
+			return err
+		}
+		for _, detail := range details {
+			if val, ok := set[detail.CveID]; ok {
+				names := val.CpeNames
+				names = append(names, name)
+				val.CpeNames = names
+				set[detail.CveID] = val
+			} else {
+				set[detail.CveID] = CvePacksInfo{
+					CveID:     detail.CveID,
+					CveDetail: detail,
+					CpeNames:  []string{name},
+				}
+			}
+		}
+	}
+
+	for key := range set {
+		unsecurePacks = append(unsecurePacks, set[key])
+	}
+	unsecurePacks = append(unsecurePacks, l.UnsecurePackages...)
+	l.setUnsecurePackages(unsecurePacks)
+	return nil
+}
+
+func (l *base) setErrs(errs []error) {
+	l.errs = errs
+}
+
+func (l base) getErrs() []error {
+	return l.errs
+}