From cc13b6a27c09565e7aa154473df9120806653d22 Mon Sep 17 00:00:00 2001
From: Kota Kanbe
Date: Mon, 9 Sep 2019 21:00:34 +0900
Subject: [PATCH] fix(report): enable to report without NVD, exit if no OVAL data (#900)

* feat(report): enable to report without NVD
* fix(report): enable to report without NVD and exit if no OVAL data
* update deps
* go mod tidy
* fix err msg
---
 config/config.go | 5 -----
 report/cve_client.go | 3 +++
 report/db_client.go | 10 +++++++---
 report/report.go | 9 +++++++--
 4 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/config/config.go b/config/config.go
index 6d1d07f1..15c4cadc 100644
--- a/config/config.go
+++ b/config/config.go
@@ -239,11 +239,6 @@ func (c Config) ValidateOnReportDB() bool {
 	if err := validateDB("cvedb", c.CveDict.Type, c.CveDict.SQLite3Path, c.CveDict.URL); err != nil {
 		errs = append(errs, err)
 	}
-	if c.CveDict.Type == "sqlite3" {
-		if _, err := os.Stat(c.CveDict.SQLite3Path); os.IsNotExist(err) {
-			errs = append(errs, xerrors.Errorf("SQLite3 DB path (%s) is not exist: %s", "cvedb", c.CveDict.SQLite3Path))
-		}
-	}
 
 	if err := validateDB("ovaldb", c.OvalDict.Type, c.OvalDict.SQLite3Path, c.OvalDict.URL); err != nil {
 		errs = append(errs, err)
diff --git a/report/cve_client.go b/report/cve_client.go
index da081951..644456d9 100644
--- a/report/cve_client.go
+++ b/report/cve_client.go
@@ -71,6 +71,9 @@ type response struct {
 
 func (api cvedictClient) FetchCveDetails(driver cvedb.DB, cveIDs []string) (cveDetails []cve.CveDetail, err error) {
 	if !config.Conf.CveDict.IsFetchViaHTTP() {
+		if driver == nil {
+			return
+		}
 		for _, cveID := range cveIDs {
 			cveDetail, err := driver.Get(cveID)
 			if err != nil {
diff --git a/report/db_client.go b/report/db_client.go
index c5a54b53..c06bf855 100644
--- a/report/db_client.go
+++ b/report/db_client.go
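Review bot: The new `if driver == nil { return }` in FetchCveDetails relies on the named results and hands the caller `(nil, nil)`, so a missing cve-dictionary is indistinguishable from a lookup that found nothing; a comment stating that this is the intended "report without NVD" path would make clear that every caller must expect empty details, e.g. `// nil driver: cve-dictionary not configured, report without NVD details`. Writing `return nil, nil` instead of a bare return would also make that contract visible at the return site. FetchCveDetails continues outside the hunk.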
@@ -83,6 +83,10 @@ func NewCveDB(cnf DBClientConf) (driver cvedb.DB, locked bool, err error) {
 	path := cnf.CveDictCnf.URL
 	if cnf.CveDictCnf.Type == "sqlite3" {
 		path = cnf.CveDictCnf.SQLite3Path
+		if _, err := os.Stat(path); os.IsNotExist(err) {
+			util.Log.Warnf("--cvedb-path=%s file not found. [CPE-scan](https://vuls.io/docs/en/usage-scan-non-os-packages.html#cpe-scan) needs cve-dictionary. if you specify cpe in config.toml, fetch cve-dictionary before reporting. For details, see `https://github.com/kotakanbe/go-cve-dictionary#deploy-go-cve-dictionary`", path)
+			return nil, false, nil
+		}
 	}
 
 	util.Log.Debugf("Open cve-dictionary db (%s): %s", cnf.CveDictCnf.Type, path)
@@ -104,7 +108,7 @@ func NewOvalDB(cnf DBClientConf) (driver ovaldb.DB, locked bool, err error) {
 		path = cnf.OvalDictCnf.SQLite3Path
 		if _, err := os.Stat(path); os.IsNotExist(err) {
-			util.Log.Warnf("--ovaldb-path=%s is not found. It's recommended to use OVAL to improve scanning accuracy. For details, see https://github.com/kotakanbe/goval-dictionary#usage", path)
+			util.Log.Warnf("--ovaldb-path=%s file not found", path)
 			return nil, false, nil
 		}
 	}
 
@@ -131,7 +135,7 @@ func NewGostDB(cnf DBClientConf) (driver gostdb.DB, locked bool, err error) {
 		path = cnf.GostCnf.SQLite3Path
 		if _, err := os.Stat(path); os.IsNotExist(err) {
-			util.Log.Warnf("--gostdb-path=%s is not found. If the scan target server is Debian, RHEL or CentOS, it's recommended to use gost to improve scanning accuracy. To use gost database, see https://github.com/knqyf263/gost#fetch-redhat", path)
+			util.Log.Warnf("--gostdb-path=%s file not found. Vuls can detect `patch-not-released-CVE-ID` using gost if the scan target server is Debian, RHEL or CentOS, For details, see `https://github.com/knqyf263/gost#fetch-redhat`", path)
 			return nil, false, nil
 		}
 	}
 
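Review bot: NewCveDB's new `return nil, false, nil` on a missing sqlite3 file makes "nil driver, nil error" part of the function's contract, and FetchCveDetails and fillVulnByCpeURIs in this same patch now depend on it; the doc comment on NewCveDB (outside the hunk) should state it, e.g. `// A nil driver with a nil error means the cve-dictionary is not available; callers must treat nil as "report without NVD".` Only `os.IsNotExist` is handled, so a Stat failure for another reason (permission denied, path is a directory) falls through to the open below, which presumably surfaces it as an open error — acceptable, but a one-line comment saying that is deliberate would help. The Warnf embeds a markdown link and backticks in a plain log line, a pattern the NewGostDB and NewExploitDB hunks also adopt. NewCveDB continues outside the hunk.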
@@ -157,7 +161,7 @@ func NewExploitDB(cnf DBClientConf) (driver exploitdb.DB, locked bool, err error
 		path = cnf.ExploitCnf.SQLite3Path
 		if _, err := os.Stat(path); os.IsNotExist(err) {
-			util.Log.Warnf("--exploitdb-path=%s is not found. It's recommended to use exploit to improve scanning accuracy. To use exploit db database, see https://github.com/mozqnet/go-exploitdb", path)
+			util.Log.Warnf("--exploitdb-path=%s file not found. Fetch go-exploit-db before reporting if you want to display exploit codes of detected CVE-IDs. For details, see `https://github.com/mozqnet/go-exploitdb`", path)
 			return nil, false, nil
 		}
 	}
 
diff --git a/report/report.go b/report/report.go
index b2be89fa..041746d5 100644
--- a/report/report.go
+++ b/report/report.go
@@ -312,7 +312,7 @@ func FillWithOval(driver ovaldb.DB, r *models.ScanResult) (nCVEs int, err error)
 
 	if !c.Conf.OvalDict.IsFetchViaHTTP() {
 		if driver == nil {
-			return 0, nil
+			return 0, xerrors.Errorf("You have to fetch OVAL data for %s before reporting. For details, see `https://github.com/kotakanbe/goval-dictionary#usage`", r.Family)
 		}
 		if err = driver.NewOvalDB(ovalFamily); err != nil {
 			return 0, xerrors.Errorf("Failed to New Oval DB. err: %w", err)
@@ -325,7 +325,7 @@ func FillWithOval(driver ovaldb.DB, r *models.ScanResult) (nCVEs int, err error)
 		return 0, err
 	}
 	if !ok {
-		return 0, xerrors.Errorf("OVAL entries of %s %s are not found. Fetch OVAL before reporting. For details, see https://github.com/kotakanbe/goval-dictionary#usage", ovalFamily, r.Release)
+		return 0, xerrors.Errorf("OVAL entries of %s %s are not found. Fetch OVAL before reporting. For details, see `https://github.com/kotakanbe/goval-dictionary#usage`", ovalFamily, r.Release)
 	}
 
 	_, err = ovalClient.CheckIfOvalFresh(driver, ovalFamily, r.Release)
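Review bot: The nil-driver branch of FillWithOval now fails the report, so for a missing sqlite3 file the user first sees the `--ovaldb-path=%s file not found` warning from NewOvalDB in this patch and then this error for the same condition; one message is enough, and if both stay the warning should carry the same goval-dictionary URL so the first line already says what to do. The new message formats `r.Family` while the OVAL-entries error a few lines below formats `ovalFamily`; using `ovalFamily` in both would keep them consistent if the two differ for some families. If the code above this hunk does not already return early for families that have no OVAL feed, this also turns a missing OVAL DB into a hard failure for them — worth confirming. FillWithOval continues outside the hunk on both sides.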
@@ -354,6 +354,11 @@ func FillWithExploit(driver exploitdb.DB, r *models.ScanResult) (nExploitCve int
 }
 
 func fillVulnByCpeURIs(driver cvedb.DB, r *models.ScanResult, cpeURIs []string) (nCVEs int, err error) {
+	if len(cpeURIs) != 0 && driver == nil && !config.Conf.CveDict.IsFetchViaHTTP() {
+		return 0, xerrors.Errorf("cpeURIs %s specified, but cve-dictionary DB not found. Fetch cve-dictionary beofre reporting. For details, see `https://github.com/kotakanbe/go-cve-dictionary#deploy-go-cve-dictionary`",
+			cpeURIs)
+	}
+
 	for _, name := range cpeURIs {
 		details, err := CveClient.FetchCveDetailsByCpeName(driver, name)
 		if err != nil {
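Review bot: The new error string in fillVulnByCpeURIs has a typo, `beofre`, and formats the `[]string` with `%s`, which prints `[a b c]`; `%q` quotes each CPE URI, which reads better for values that contain colons or are empty: `return 0, xerrors.Errorf("cpeURIs %q specified, but cve-dictionary DB not found. Fetch cve-dictionary before reporting. For details, see `+"`"+`https://github.com/kotakanbe/go-cve-dictionary#deploy-go-cve-dictionary`+"`"+`", cpeURIs)`. The guard reads `config.Conf.CveDict` while FillWithOval in the same file reads `c.Conf.OvalDict`; if both names refer to the same package, one alias should be used throughout. The `len(cpeURIs) != 0` term is what keeps an absent cve-dictionary from being an error when no CPEs are configured, and deserves a short comment, e.g. `// no CPEs configured: nothing to look up, so a missing cve-dictionary is fine`. The loop body continues outside the hunk.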