fix(report): enable to report without NVD, exit if no OVAL data (#900)

* feat(report): enable to report without NVD * fix(report): enable to report without NVD and exit if no OVAL data * update deps * go mod tidy * fix err msg
2019-09-09 21:00:34 +09:00
parent 8877db1979
commit cc13b6a27c
4 changed files with 17 additions and 10 deletions
--- a/config/config.go
+++ b/config/config.go
@@ -239,11 +239,6 @@ func (c Config) ValidateOnReportDB() bool {
 	if err := validateDB("cvedb", c.CveDict.Type, c.CveDict.SQLite3Path, c.CveDict.URL); err != nil {
 		errs = append(errs, err)
 	}
-	if c.CveDict.Type == "sqlite3" {
-		if _, err := os.Stat(c.CveDict.SQLite3Path); os.IsNotExist(err) {
-			errs = append(errs, xerrors.Errorf("SQLite3 DB path (%s) is not exist: %s", "cvedb", c.CveDict.SQLite3Path))
-		}
-	}

 	if err := validateDB("ovaldb", c.OvalDict.Type, c.OvalDict.SQLite3Path, c.OvalDict.URL); err != nil {
 		errs = append(errs, err)
--- a/report/cve_client.go
+++ b/report/cve_client.go
@@ -71,6 +71,9 @@ type response struct {

 func (api cvedictClient) FetchCveDetails(driver cvedb.DB, cveIDs []string) (cveDetails []cve.CveDetail, err error) {
 	if !config.Conf.CveDict.IsFetchViaHTTP() {
+		if driver == nil {
+			return
+		}
 		for _, cveID := range cveIDs {
 			cveDetail, err := driver.Get(cveID)
 			if err != nil {
--- a/report/db_client.go
+++ b/report/db_client.go
@@ -83,6 +83,10 @@ func NewCveDB(cnf DBClientConf) (driver cvedb.DB, locked bool, err error) {
 	path := cnf.CveDictCnf.URL
 	if cnf.CveDictCnf.Type == "sqlite3" {
 		path = cnf.CveDictCnf.SQLite3Path
+		if _, err := os.Stat(path); os.IsNotExist(err) {
+			util.Log.Warnf("--cvedb-path=%s file not found. [CPE-scan](https://vuls.io/docs/en/usage-scan-non-os-packages.html#cpe-scan) needs cve-dictionary. if you specify cpe in config.toml, fetch cve-dictionary before reporting. For details, see `https://github.com/kotakanbe/go-cve-dictionary#deploy-go-cve-dictionary`", path)
+			return nil, false, nil
+		}
 	}

 	util.Log.Debugf("Open cve-dictionary db (%s): %s", cnf.CveDictCnf.Type, path)
@@ -104,7 +108,7 @@ func NewOvalDB(cnf DBClientConf) (driver ovaldb.DB, locked bool, err error) {
 		path = cnf.OvalDictCnf.SQLite3Path

 		if _, err := os.Stat(path); os.IsNotExist(err) {
-			util.Log.Warnf("--ovaldb-path=%s is not found. It's recommended to use OVAL to improve scanning accuracy. For details, see https://github.com/kotakanbe/goval-dictionary#usage", path)
+			util.Log.Warnf("--ovaldb-path=%s file not found", path)
 			return nil, false, nil
 		}
 	}
@@ -131,7 +135,7 @@ func NewGostDB(cnf DBClientConf) (driver gostdb.DB, locked bool, err error) {
 		path = cnf.GostCnf.SQLite3Path

 		if _, err := os.Stat(path); os.IsNotExist(err) {
-			util.Log.Warnf("--gostdb-path=%s is not found. If the scan target server is Debian, RHEL or CentOS, it's recommended to use gost to improve scanning accuracy. To use gost database, see https://github.com/knqyf263/gost#fetch-redhat", path)
+			util.Log.Warnf("--gostdb-path=%s file not found. Vuls can detect `patch-not-released-CVE-ID` using gost if the scan target server is Debian, RHEL or CentOS, For details, see `https://github.com/knqyf263/gost#fetch-redhat`", path)
 			return nil, false, nil
 		}
 	}
@@ -157,7 +161,7 @@ func NewExploitDB(cnf DBClientConf) (driver exploitdb.DB, locked bool, err error
 		path = cnf.ExploitCnf.SQLite3Path

 		if _, err := os.Stat(path); os.IsNotExist(err) {
-			util.Log.Warnf("--exploitdb-path=%s is not found. It's recommended to use exploit to improve scanning accuracy. To use exploit db database, see https://github.com/mozqnet/go-exploitdb", path)
+			util.Log.Warnf("--exploitdb-path=%s file not found. Fetch go-exploit-db before reporting if you want to display exploit codes of detected CVE-IDs. For details, see `https://github.com/mozqnet/go-exploitdb`", path)
 			return nil, false, nil
 		}
 	}
--- a/report/report.go
+++ b/report/report.go
@@ -312,7 +312,7 @@ func FillWithOval(driver ovaldb.DB, r *models.ScanResult) (nCVEs int, err error)

 	if !c.Conf.OvalDict.IsFetchViaHTTP() {
 		if driver == nil {
-			return 0, nil
+			return 0, xerrors.Errorf("You have to fetch OVAL data for %s before reporting. For details, see `https://github.com/kotakanbe/goval-dictionary#usage`", r.Family)
 		}
 		if err = driver.NewOvalDB(ovalFamily); err != nil {
 			return 0, xerrors.Errorf("Failed to New Oval DB. err: %w", err)
@@ -325,7 +325,7 @@ func FillWithOval(driver ovaldb.DB, r *models.ScanResult) (nCVEs int, err error)
 		return 0, err
 	}
 	if !ok {
-		return 0, xerrors.Errorf("OVAL entries of %s %s are not found. Fetch OVAL before reporting. For details, see https://github.com/kotakanbe/goval-dictionary#usage", ovalFamily, r.Release)
+		return 0, xerrors.Errorf("OVAL entries of %s %s are not found. Fetch OVAL before reporting. For details, see `https://github.com/kotakanbe/goval-dictionary#usage`", ovalFamily, r.Release)
 	}

 	_, err = ovalClient.CheckIfOvalFresh(driver, ovalFamily, r.Release)
@@ -354,6 +354,11 @@ func FillWithExploit(driver exploitdb.DB, r *models.ScanResult) (nExploitCve int
 }

 func fillVulnByCpeURIs(driver cvedb.DB, r *models.ScanResult, cpeURIs []string) (nCVEs int, err error) {
+	if len(cpeURIs) != 0 && driver == nil && !config.Conf.CveDict.IsFetchViaHTTP() {
+		return 0, xerrors.Errorf("cpeURIs %s specified, but cve-dictionary DB not found. Fetch cve-dictionary beofre reporting. For details, see `https://github.com/kotakanbe/go-cve-dictionary#deploy-go-cve-dictionary`",
+			cpeURIs)
+	}
+
 	for _, name := range cpeURIs {
 		details, err := CveClient.FetchCveDetailsByCpeName(driver, name)
 		if err != nil {