diff --git a/go.mod b/go.mod index 0353cafb..f4ab8555 100644 --- a/go.mod +++ b/go.mod @@ -8,16 +8,16 @@ replace ( ) require ( - github.com/Azure/azure-sdk-for-go v49.0.0+incompatible - github.com/Azure/go-autorest/autorest v0.11.13 // indirect - github.com/Azure/go-autorest/autorest/adal v0.9.9 // indirect + github.com/Azure/azure-sdk-for-go v49.1.0+incompatible + github.com/Azure/go-autorest/autorest v0.11.15 // indirect + github.com/Azure/go-autorest/autorest/adal v0.9.10 // indirect github.com/BurntSushi/toml v0.3.1 github.com/RackSec/srslog v0.0.0-20180709174129-a4725f04ec91 - github.com/aquasecurity/fanal v0.0.0-20201214132601-ff0501eddcd1 + github.com/aquasecurity/fanal v0.0.0-20201218050947-981a0510f9cb github.com/aquasecurity/trivy v0.14.0 - github.com/aquasecurity/trivy-db v0.0.0-20201117092632-b09c30858fc2 + github.com/aquasecurity/trivy-db v0.0.0-20201220084758-2d91316c83fa github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef - github.com/aws/aws-sdk-go v1.36.7 + github.com/aws/aws-sdk-go v1.36.12 github.com/boltdb/bolt v1.3.1 github.com/briandowns/spinner v1.12.0 // indirect github.com/caarlos0/env/v6 v6.4.0 // indirect @@ -25,7 +25,6 @@ require ( github.com/d4l3k/messagediff v1.2.2-0.20190829033028-7e0a312ae40b github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21 github.com/emersion/go-smtp v0.14.0 - github.com/go-redis/redis/v8 v8.4.2 // indirect github.com/goccy/go-yaml v1.8.4 // indirect github.com/golang/protobuf v1.4.3 // indirect github.com/google/subcommands v1.2.0 @@ -35,7 +34,6 @@ require ( github.com/hashicorp/go-uuid v1.0.2 github.com/hashicorp/go-version v1.2.1 github.com/howeyc/gopass v0.0.0-20190910152052-7cb4b85ec19c - github.com/inconshreveable/log15 v0.0.0-20201112154412-8562bdadbbac // indirect github.com/jesseduffield/gocui v0.3.0 github.com/k0kubun/pp v3.0.1+incompatible github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f 
@@ -43,11 +41,10 @@ require ( github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936 github.com/knqyf263/gost v0.1.7 - github.com/kotakanbe/go-cve-dictionary v0.5.5 + github.com/kotakanbe/go-cve-dictionary v0.5.6 github.com/kotakanbe/go-pingscanner v0.1.0 github.com/kotakanbe/goval-dictionary v0.2.16 github.com/kotakanbe/logrus-prefixed-formatter v0.0.0-20180123152602-928f7356cb96 - github.com/lib/pq v1.9.0 // indirect github.com/magiconair/properties v1.8.4 // indirect github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect github.com/mitchellh/go-homedir v1.1.0 @@ -66,16 +63,13 @@ require ( github.com/spf13/jwalterweatherman v1.1.0 // indirect github.com/spf13/viper v1.7.1 // indirect github.com/takuzoo3868/go-msfdb v0.1.3 - go.opentelemetry.io/otel v0.15.0 // indirect go.uber.org/multierr v1.6.0 // indirect go.uber.org/zap v1.16.0 // indirect - golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9 + golang.org/x/crypto v0.0.0-20201217014255-9d1352758620 golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5 // indirect - golang.org/x/net v0.0.0-20201209123823-ac852fbbde11 // indirect golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5 - golang.org/x/sys v0.0.0-20201214095126-aec9a390925b // indirect + golang.org/x/sys v0.0.0-20201218084310-7d0127a74742 // indirect golang.org/x/term v0.0.0-20201210144234-2321bbc49cbf // indirect - golang.org/x/text v0.3.4 // indirect golang.org/x/tools v0.0.0-20201211185031-d93e913c1a58 // indirect golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 google.golang.org/appengine v1.6.7 // indirect diff --git a/go.sum b/go.sum index 80d16b6d..cb55a46a 100644 --- a/go.sum +++ b/go.sum 
@@ -35,23 +35,23 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/Azure/azure-sdk-for-go v35.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v38.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v49.0.0+incompatible h1:rvYYNgKNBwoxUaBFmd/+TpW3qrd805EHBBvUp5FmFso= -github.com/Azure/azure-sdk-for-go v49.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v49.1.0+incompatible h1:Sz6TnzkzwsiEgD84Vujpjo0vEox9/UMeyLVWBCkZwQ4= +github.com/Azure/azure-sdk-for-go v49.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= github.com/Azure/go-autorest/autorest v0.9.3 h1:OZEIaBbMdUE/Js+BQKlpO81XlISgipr6yDJ+PSwsgi4= github.com/Azure/go-autorest/autorest v0.9.3/go.mod h1:GsRuLYvwzLjjjRoWEIyMUaYq8GNUx2nRB378IPt/1p0= -github.com/Azure/go-autorest/autorest v0.11.13 h1:XKx/sB3bfadpXBBHPc7tP2XPKhzVyrdhxpDC3T0wqjs= -github.com/Azure/go-autorest/autorest v0.11.13/go.mod h1:eipySxLmqSyC5s5k1CLupqet0PSENBEDP93LQ9a8QYw= +github.com/Azure/go-autorest/autorest v0.11.15 h1:S5SDFpmgoVyvMEOcULyEDlYFrdPmu6Wl0Ic+shkEwzg= +github.com/Azure/go-autorest/autorest v0.11.15/go.mod h1:eipySxLmqSyC5s5k1CLupqet0PSENBEDP93LQ9a8QYw= github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= 
github.com/Azure/go-autorest/autorest/adal v0.8.0/go.mod h1:Z6vX6WXXuyieHAXwMj0S6HY6e6wcHn37qQMBQlvY3lc= github.com/Azure/go-autorest/autorest/adal v0.8.1 h1:pZdL8o72rK+avFWl+p9nE8RWi1JInZrWJYlnpfXJwHk= github.com/Azure/go-autorest/autorest/adal v0.8.1/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A= -github.com/Azure/go-autorest/autorest/adal v0.9.9 h1:y/DT2jMCd/Bme1PJzdp5OtiE16LznXG4YSlcNBqW4Us= -github.com/Azure/go-autorest/autorest/adal v0.9.9/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A= +github.com/Azure/go-autorest/autorest/adal v0.9.10 h1:r6fZHMaHD8B6LDCn0o5vyBFHIHrM6Ywwx7mb49lPItI= +github.com/Azure/go-autorest/autorest/adal v0.9.10/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A= github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= github.com/Azure/go-autorest/autorest/date v0.2.0 h1:yW+Zlqf26583pE43KhfnhFcdmSWlm5Ew6bxipnr/tbM= github.com/Azure/go-autorest/autorest/date v0.2.0/go.mod h1:vcORJHLJEh643/Ioh9+vPmf1Ij9AEBM5FuBIXLmIy0g= @@ -90,6 +90,8 @@ github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAE github.com/OneOfOne/xxhash v1.2.7/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q= github.com/PuerkitoBio/goquery v1.5.1 h1:PSPBGne8NIUWw+/7vFBV+kG2J/5MOjbzc7154OaKCSE= github.com/PuerkitoBio/goquery v1.5.1/go.mod h1:GsLWisAFVj4WgDibEWF4pvYnkVQBpKBKeU+7zCJoLcc= +github.com/PuerkitoBio/goquery v1.6.0 h1:j7taAbelrdcsOlGeMenZxc2AWXD5fieT1/znArdnx94= +github.com/PuerkitoBio/goquery v1.6.0/go.mod h1:GsLWisAFVj4WgDibEWF4pvYnkVQBpKBKeU+7zCJoLcc= github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= 
@@ -107,14 +109,16 @@ github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a/go.mod h1:SGn github.com/alicebob/miniredis/v2 v2.14.1/go.mod h1:uS970Sw5Gs9/iK3yBg0l9Uj9s25wXxSpQUE9EaJ/Blg= github.com/andybalholm/cascadia v1.1.0 h1:BuuO6sSfQNFRu1LppgbD25Hr2vLYW25JvxHs5zzsLTo= github.com/andybalholm/cascadia v1.1.0/go.mod h1:GsXiBklL0woXo1j/WYWtSYYC4ouU9PqHO0sqidkEA4Y= +github.com/andybalholm/cascadia v1.2.0 h1:vuRCkM5Ozh/BfmsaTm26kbjm0mIOM3yS5Ek/F5h18aE= +github.com/andybalholm/cascadia v1.2.0/go.mod h1:YCyR8vOZT9aZ1CHEd8ap0gMVm2aFgxBp0T0eFw1RUQY= github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c= github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM= github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8= github.com/aquasecurity/fanal v0.0.0-20190819081512-f04452b627c6/go.mod h1:enEz4FFetw4XAbkffaYgyCVq1556R9Ry+noqT4rq9BE= github.com/aquasecurity/fanal v0.0.0-20201129085323-d57dde147ddc/go.mod h1:f0nFZptUaL8ivi5soRDlYnJYFdY0anxlYe4K4z9EGxs= -github.com/aquasecurity/fanal v0.0.0-20201214132601-ff0501eddcd1 h1:kOn5YtvaHSJpv0Uq8HiALTD41cBSbW3HURQJFgVlEgA= -github.com/aquasecurity/fanal v0.0.0-20201214132601-ff0501eddcd1/go.mod h1:6uAwbPPYZCXT2R4yGSspH9SHGUfyAnM8Z0MVfR0Jr/U= +github.com/aquasecurity/fanal v0.0.0-20201218050947-981a0510f9cb h1:T48y/j2wvl/xPX2IyV0ogFq+GeCLY+3548awySrUaJU= +github.com/aquasecurity/fanal v0.0.0-20201218050947-981a0510f9cb/go.mod h1:arUN1lJnuAWLL0PUQ/UYrkAomU/Mby+gCXJMU90GHlA= github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b h1:55Ulc/gvfWm4ylhVaR7MxOwujRjA6et7KhmUbSgUFf4= github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b/go.mod h1:BpNTD9vHfrejKsED9rx04ldM1WIbeyXGYxUrqTVwxVQ= 
github.com/aquasecurity/go-dep-parser v0.0.0-20201028043324-889d4a92b8e0 h1:cLH3SebzhbJ+jU1GIad8A1N8p7m7OjHhtY6JePISiVc= @@ -132,6 +136,8 @@ github.com/aquasecurity/trivy v0.14.0 h1:6fbkcNos2d2fRZlM255JrrXbl2xrESLHEVZs4k0 github.com/aquasecurity/trivy v0.14.0/go.mod h1:DZz+rdEPMIPiG/9Omip294RcqRwA7u6fdIQCC08Q7kk= github.com/aquasecurity/trivy-db v0.0.0-20201117092632-b09c30858fc2 h1:AXA9aW464copH1GTKv35yCwztJsqDVZWKfCtBuMpI9U= github.com/aquasecurity/trivy-db v0.0.0-20201117092632-b09c30858fc2/go.mod h1:+3+NEz0U0NCgO87Cyk0dy3SwH7CI6J4HUeCqqPj1fvQ= +github.com/aquasecurity/trivy-db v0.0.0-20201220084758-2d91316c83fa h1:S+565O3UOLifhjMO2ONtKmbSgWtQOxrbG2/vhnMF4k8= +github.com/aquasecurity/trivy-db v0.0.0-20201220084758-2d91316c83fa/go.mod h1:+3+NEz0U0NCgO87Cyk0dy3SwH7CI6J4HUeCqqPj1fvQ= github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2/go.mod h1:6NhOP0CjZJL27bZZcaHECtzWdwDDm2g6yCY0QgXEGQQ= github.com/araddon/dateparse v0.0.0-20190426192744-0d74ffceef83/go.mod h1:SLqhdZcd+dF3TEVL2RMoob5bBP5R1P1qkox+HtCBgGI= github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= 
@@ -147,8 +153,8 @@ github.com/aws/aws-sdk-go v1.16.26/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpi github.com/aws/aws-sdk-go v1.19.11/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.27.1 h1:MXnqY6SlWySaZAqNnXThOvjRFdiiOuKtC6i7baFdNdU= github.com/aws/aws-sdk-go v1.27.1/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= -github.com/aws/aws-sdk-go v1.36.7 h1:XoJPAjKoqvdL531XGWxKYn5eGX/xMoXzMN5fBtoyfSY= -github.com/aws/aws-sdk-go v1.36.7/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= +github.com/aws/aws-sdk-go v1.36.12 h1:YJpKFEMbqEoo+incs5qMe61n1JH3o4O1IMkMexLzJG8= +github.com/aws/aws-sdk-go v1.36.12/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= 
@@ -338,8 +344,8 @@ github.com/go-redis/redis v6.15.7+incompatible h1:3skhDh95XQMpnqeqNftPkQD9jL9e5e github.com/go-redis/redis v6.15.7+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA= github.com/go-redis/redis/v8 v8.4.0 h1:J5NCReIgh3QgUJu398hUncxDExN4gMOHI11NVbVicGQ= github.com/go-redis/redis/v8 v8.4.0/go.mod h1:A1tbYoHSa1fXwN+//ljcCYYJeLmVrwL9hbQN45Jdy0M= -github.com/go-redis/redis/v8 v8.4.2 h1:gKRo1KZ+O3kXRfxeRblV5Tr470d2YJZJVIAv2/S8960= -github.com/go-redis/redis/v8 v8.4.2/go.mod h1:A1tbYoHSa1fXwN+//ljcCYYJeLmVrwL9hbQN45Jdy0M= +github.com/go-redis/redis/v8 v8.4.4 h1:fGqgxCTR1sydaKI00oQf3OmkU/DIe/I/fYXvGklCIuc= +github.com/go-redis/redis/v8 v8.4.4/go.mod h1:nA0bQuF0i5JFx4Ta9RZxGKXFrQ8cRWntra97f0196iY= github.com/go-restruct/restruct v0.0.0-20191227155143-5734170a48a1/go.mod h1:KqrpKpn4M8OLznErihXTGLlsXFGeLxHUrLRRI/1YjGk= github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-sql-driver/mysql v1.5.0 h1:ozyZYNQW3x3HtqT1jira07DN2PArx2v7/mN66gGcHOs= 
@@ -557,8 +563,6 @@ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+o github.com/knqyf263/berkeleydb v0.0.0-20190501065933-fafe01fb9662/go.mod h1:bu1CcN4tUtoRcI/B/RFHhxMNKFHVq/c3SV+UTyduoXg= github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f h1:GvCU5GXhHq+7LeOzx/haG7HSIZokl3/0GkoUFzsRJjg= github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f/go.mod h1:q59u9px8b7UTj0nIjEjvmTWekazka6xIt6Uogz5Dm+8= -github.com/knqyf263/go-cpe v0.0.0-20180327054844-659663f6eca2 h1:9CYbtr3i56D/rD6u6jJ/Aocsic9G+MupyVu7gb+QHF4= -github.com/knqyf263/go-cpe v0.0.0-20180327054844-659663f6eca2/go.mod h1:XM58Cg7dN+g0J9UPVmKjiXWlGi55lx+9IMs0IMoFWQo= github.com/knqyf263/go-cpe v0.0.0-20201213041631-54f6ab28673f h1:vZP1dTKPOR7zSAbgqNbnTnYX77+gj3eu0QK+UmANZqE= github.com/knqyf263/go-cpe v0.0.0-20201213041631-54f6ab28673f/go.mod h1:4cVhzV/TndScEg4xMtSo3TTz3cMFhEAvhAA4igAyXZY= github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d h1:X4cedH4Kn3JPupAwwWuo4AzYp16P0OyLO9d7OnMZc/c= @@ -567,6 +571,7 @@ github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936 h1:HDjRqot github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936/go.mod h1:i4sF0l1fFnY1aiw08QQSwVAFxHEm311Me3WsU/X7nL0= github.com/knqyf263/go-rpmdb v0.0.0-20190501070121-10a1c42a10dc/go.mod h1:MrSSvdMpTSymaQWk1yFr9sxFSyQmKMj6jkbvGrchBV8= github.com/knqyf263/go-rpmdb v0.0.0-20201028125045-8b9bad79f21b/go.mod h1:ovL3LB9TuA8LoLiEEMNm2fusIwoh+kM+lnhD1QlWAtA= +github.com/knqyf263/go-rpmdb v0.0.0-20201215100354-a9e3110d8ee1/go.mod h1:RDPNeIkU5NWXtt0OMEoILyxwUC/DyXeRtK295wpqSi0= github.com/knqyf263/go-version v1.1.1 h1:+MpcBC9b7rk5ihag8Y/FLG8get1H2GjniwKQ+9DxI2o= github.com/knqyf263/go-version v1.1.1/go.mod h1:0tBvHvOBSf5TqGNcY+/ih9o8qo3R16iZCpB9rP0D3VM= github.com/knqyf263/gost v0.1.7 h1:mEbdwiIkEy3uU0wDBpr1y7dciAay7paxpRlGKfhEdr8= 
@@ -574,8 +579,8 @@ github.com/knqyf263/gost v0.1.7/go.mod h1:rlf9JZR6qMyXtnz0bqyMIexDoYhFt+on0FK+OL github.com/knqyf263/nested v0.0.1/go.mod h1:zwhsIhMkBg90DTOJQvxPkKIypEHPYkgWHs4gybdlUmk= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/kotakanbe/go-cve-dictionary v0.5.5 h1:gXRDwmh8c0YqJqPB3S3xyCfHMVbkVA0kGhBMu5pHQTY= -github.com/kotakanbe/go-cve-dictionary v0.5.5/go.mod h1:b86juqZFH5Xh+ZASGaqiv4JV4ykFuFCy9dI7vwUbrYM= +github.com/kotakanbe/go-cve-dictionary v0.5.6 h1:xTq6AcWYkmdqHCwL5DiqH+/C0Ga4IHlZdQDWVLJeelo= +github.com/kotakanbe/go-cve-dictionary v0.5.6/go.mod h1:CtZPPDJUrU/+3TvUcD1xFHVWWlM9SSEZYRZ11pblmDQ= github.com/kotakanbe/go-pingscanner v0.1.0 h1:VG4/9l0i8WeToXclj7bIGoAZAu7a07Z3qmQiIfU0gT0= github.com/kotakanbe/go-pingscanner v0.1.0/go.mod h1:/761QZzuZFcfN8h/1QuawUA+pKukp3qcNj5mxJCOiAk= github.com/kotakanbe/goval-dictionary v0.2.16 h1:AmlzIWS5LiMnYyVDXxPqtzbGVD8LrPNGj4uSE8YrcW8= 
@@ -647,7 +652,8 @@ github.com/mattn/go-sqlite3 v1.10.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsO github.com/mattn/go-sqlite3 v1.11.0 h1:LDdKkqtYlom37fkvqs8rMPFKAMe8+SgjbwZ6ex1/A/Q= github.com/mattn/go-sqlite3 v1.11.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= github.com/mattn/go-sqlite3 v1.14.0/go.mod h1:JIl7NbARA7phWnGvh0LKTyg7S9BA+6gx71ShQilpsus= -github.com/mattn/go-sqlite3 v1.14.2/go.mod h1:JIl7NbARA7phWnGvh0LKTyg7S9BA+6gx71ShQilpsus= +github.com/mattn/go-sqlite3 v1.14.5 h1:1IdxlwTNazvbKJQSxoJ5/9ECbEeaTTyeU7sEAZ5KKTQ= +github.com/mattn/go-sqlite3 v1.14.5/go.mod h1:WVKg1VTActs4Qso6iwGbiFih2UIHo0ENGwNd0Lj+XmI= github.com/mattn/go-sqlite3 v2.0.1+incompatible/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= github.com/mattn/go-sqlite3 v2.0.3+incompatible h1:gXHsfypPkaMZrKbD5209QV9jbUTJKjyR5WD3HYQSd+U= github.com/mattn/go-sqlite3 v2.0.3+incompatible/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= @@ -717,6 +723,8 @@ github.com/onsi/gomega v1.10.1 h1:o0+MgICZLuZ7xjH7Vx6zS/zcu93/BEp1VwkIW1mEXCE= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.10.3 h1:gph6h/qe9GSUw1NhH1gp+qb+h8rXD8Cy60Z32Qw3ELA= github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDsH8xc= +github.com/onsi/gomega v1.10.4 h1:NiTx7EEvBzu9sFOD1zORteLSt3o8gnlvZZwSE9TnY9U= +github.com/onsi/gomega v1.10.4/go.mod h1:g/HbgYopi++010VEqkFgJHKC09uJiW9UkXvMUuKHUCQ= github.com/open-policy-agent/opa v0.21.1/go.mod h1:cZaTfhxsj7QdIiUI0U9aBtOLLTqVNe+XE60+9kZKLHw= github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= github.com/opencontainers/go-digest v1.0.0-rc1 h1:WzifXhOVOEOuFYOJAW6aQqW0TooG2iki3E3Ii+WN7gQ= 
@@ -961,8 +969,8 @@ golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9 h1:sYNJzB4J8toYPQTM6pAkcmBRgw9SnQKP9oXCHfgy604= -golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= +golang.org/x/crypto v0.0.0-20201217014255-9d1352758620 h1:3wPMTskHO3+O6jqTEXyFcsnuxMQOqYSaHsDxcbUXpqA= +golang.org/x/crypto v0.0.0-20201217014255-9d1352758620/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 
@@ -1050,8 +1058,9 @@ golang.org/x/net v0.0.0-20201006153459-a7d1128ccaa0/go.mod h1:sp8m0HH+o8qH0wwXwY golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b h1:uwuIcX0g4Yl1NC5XAz37xsr2lTtcqevgzYNVt49waME= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201209123823-ac852fbbde11 h1:lwlPPsmjDKK0J6eG6xDWd5XPehI0R024zxjDnw3esPA= -golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201216054612-986b41b23924 h1:QsnDpLLOKwHBBDa8nDws4DYNc/ryVW2vCpxCs09d4PY= +golang.org/x/net v0.0.0-20201216054612-986b41b23924/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -1134,8 +1143,9 @@ golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201006155630-ac719f4daadf/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201214095126-aec9a390925b h1:tv7/y4pd+sR8bcNb2D6o7BNU6zjWm0VjQLac+w7fNNM= -golang.org/x/sys v0.0.0-20201214095126-aec9a390925b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201214210602-f9fddec55a1e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201218084310-7d0127a74742 h1:+CBz4km/0KPU3RGTwARGh/noP3bEwtHcq+0YcBQM2JQ= +golang.org/x/sys v0.0.0-20201218084310-7d0127a74742/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221 h1:/ZHdbVpdR/jk3g30/d4yUL0JU9kksj8+F/bnQUVLGDM= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= diff --git a/gost/microsoft.go b/gost/microsoft.go index ea920284..05cda0aa 100644 --- a/gost/microsoft.go +++ b/gost/microsoft.go 
@@ -28,19 +28,20 @@ func (ms Microsoft) DetectUnfixed(driver db.DB, r *models.ScanResult, _ bool) (n if _, ok := r.ScannedCves[cveID]; !ok { continue } - cveCont := ms.ConvertToModel(&msCve) + cveCont, mitigations := ms.ConvertToModel(&msCve) v, _ := r.ScannedCves[cveID] if v.CveContents == nil { v.CveContents = models.CveContents{} } v.CveContents[models.Microsoft] = *cveCont + v.Mitigations = append(v.Mitigations, mitigations...) r.ScannedCves[cveID] = v } return len(cveIDs), nil } // ConvertToModel converts gost model to vuls model -func (ms Microsoft) ConvertToModel(cve *gostmodels.MicrosoftCVE) *models.CveContent { +func (ms Microsoft) ConvertToModel(cve *gostmodels.MicrosoftCVE) (*models.CveContent, []models.Mitigation) { v3score := 0.0 var v3Vector string for _, scoreSet := range cve.ScoreSets { @@ -82,6 +83,18 @@ func (ms Microsoft) ConvertToModel(cve *gostmodels.MicrosoftCVE) *models.CveCont option["kbids"] = strings.Join(kbids, ",") } + vendorURL := "https://msrc.microsoft.com/update-guide/vulnerability/" + cve.CveID + mitigations := []models.Mitigation{} + if cve.Mitigation != "" { + mitigations = []models.Mitigation{ + { + CveContentType: models.Microsoft, + Mitigation: cve.Mitigation, + URL: vendorURL, + }, + } + } + return &models.CveContent{ Type: models.Microsoft, CveID: cve.CveID, @@ -92,10 +105,9 @@ func (ms Microsoft) ConvertToModel(cve *gostmodels.MicrosoftCVE) *models.CveCont Cvss3Severity: v3Severity, References: refs, CweIDs: cwe, - Mitigation: cve.Mitigation, Published: cve.PublishDate, LastModified: cve.LastUpdateDate, - SourceLink: "https://portal.msrc.microsoft.com/ja-jp/security-guidance/advisory/" + cve.CveID, + SourceLink: vendorURL, Optional: option, - } + }, mitigations } diff --git a/gost/redhat.go b/gost/redhat.go index 726a7dde..92e78fdf 100644 --- a/gost/redhat.go +++ b/gost/redhat.go 
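Review bot: The doc comment on the new `ConvertToModel` signature still reads `// ConvertToModel converts gost model to vuls model` and says nothing about the second return value, which is the only thing the hunk changes about the contract; the same applies to the `ConvertToModel` hunk in gost/redhat.go. I would write `// ConvertToModel converts a gost MicrosoftCVE into the vuls CveContent and the vendor mitigations taken from its Mitigation field (empty when the entry has none).` The `mitigations := []models.Mitigation{}` followed by a full reassignment inside the `if` is also more idiomatically written as `var mitigations []models.Mitigation` plus a single `mitigations = append(mitigations, models.Mitigation{...})` in the branch; a nil slice behaves identically for the `append(v.Mitigations, mitigations...)` caller in `DetectUnfixed`. Both `DetectUnfixed` and `ConvertToModel` begin or end outside the visible hunks.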
@@ -48,7 +48,7 @@ func (red RedHat) fillFixed(driver db.DB, r *models.ScanResult) error { if redCve.ID == 0 { continue } - cveCont := red.ConvertToModel(&redCve) + cveCont, mitigations := red.ConvertToModel(&redCve) v, ok := r.ScannedCves[res.request.cveID] if ok { if v.CveContents == nil { @@ -63,6 +63,7 @@ func (red RedHat) fillFixed(driver db.DB, r *models.ScanResult) error { Confidences: models.Confidences{models.RedHatAPIMatch}, } } + v.Mitigations = append(v.Mitigations, mitigations...) r.ScannedCves[res.request.cveID] = v } } else { @@ -73,7 +74,7 @@ func (red RedHat) fillFixed(driver db.DB, r *models.ScanResult) error { if len(redCve.Name) == 0 { continue } - cveCont := red.ConvertToModel(&redCve) + cveCont, mitigations := red.ConvertToModel(&redCve) v, ok := r.ScannedCves[cveID] if ok { if v.CveContents == nil { @@ -88,6 +89,7 @@ func (red RedHat) fillFixed(driver db.DB, r *models.ScanResult) error { Confidences: models.Confidences{models.RedHatAPIMatch}, } } + v.Mitigations = append(v.Mitigations, mitigations...) r.ScannedCves[cveID] = v } } @@ -111,7 +113,7 @@ func (red RedHat) fillUnfixed(driver db.DB, r *models.ScanResult, ignoreWillNotF } for _, cve := range cves { - cveCont := red.ConvertToModel(&cve) + cveCont, mitigations := red.ConvertToModel(&cve) v, ok := r.ScannedCves[cve.Name] if ok { if v.CveContents == nil { @@ -127,6 +129,7 @@ func (red RedHat) fillUnfixed(driver db.DB, r *models.ScanResult, ignoreWillNotF } nCVEs++ } + v.Mitigations = append(v.Mitigations, mitigations...) pkgStats := red.mergePackageStates(v, cve.PackageState, r.Packages, r.Release) if 0 < len(pkgStats) { 
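Review bot: Each added `v.Mitigations = append(v.Mitigations, mitigations...)` (here in both `fillFixed` branches and again in the `fillUnfixed` hunks at -111/-143/-159) appends without checking whether the entry is already present. In `fillUnfixed` the enclosing loop runs once per package (`cves := driver.GetUnfixedCvesRedhat(major(r.Release), pack.Name, ignoreWillNotFix)` followed by `for _, cve := range cves`), so a CVE that affects several installed packages is looked up in `r.ScannedCves` with `ok == true` on the later iterations and receives the same Red Hat mitigation once per package; the report would then show duplicated mitigation text. Since `ConvertToModel` only ever produces one mitigation per CVE source, a small dedup helper in the gost package, used at every append site, avoids this; the equality check assumes `models.Mitigation` stays a struct of comparable fields, which the fields visible in this diff (`CveContentType`, `Mitigation`, `URL`) satisfy. All of the enclosing functions start and end outside the visible hunks.

```go
// appendMitigations adds the entries of src to dst, skipping any that
// are already present; the fill* loops visit a CVE once per affected
// package, so the same vendor mitigation arrives several times.
func appendMitigations(dst, src []models.Mitigation) []models.Mitigation {
	for _, m := range src {
		dup := false
		for _, d := range dst {
			if d == m { // relies on models.Mitigation being comparable
				dup = true
				break
			}
		}
		if !dup {
			dst = append(dst, m)
		}
	}
	return dst
}

// at each append site in fillFixed / fillUnfixed:
v.Mitigations = appendMitigations(v.Mitigations, mitigations)
// … unchanged: CveContents handling, mergePackageStates …
```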
@@ -143,7 +146,7 @@ func (red RedHat) fillUnfixed(driver db.DB, r *models.ScanResult, ignoreWillNotF // CVE-ID: RedhatCVE cves := driver.GetUnfixedCvesRedhat(major(r.Release), pack.Name, ignoreWillNotFix) for _, cve := range cves { - cveCont := red.ConvertToModel(&cve) + cveCont, mitigations := red.ConvertToModel(&cve) v, ok := r.ScannedCves[cve.Name] if ok { if v.CveContents == nil { @@ -159,7 +162,7 @@ func (red RedHat) fillUnfixed(driver db.DB, r *models.ScanResult, ignoreWillNotF } nCVEs++ } - + v.Mitigations = append(v.Mitigations, mitigations...) pkgStats := red.mergePackageStates(v, cve.PackageState, r.Packages, r.Release) if 0 < len(pkgStats) { @@ -220,7 +223,7 @@ func (red RedHat) parseCwe(str string) (cwes []string) { } // ConvertToModel converts gost model to vuls model -func (red RedHat) ConvertToModel(cve *gostmodels.RedhatCVE) *models.CveContent { +func (red RedHat) ConvertToModel(cve *gostmodels.RedhatCVE) (*models.CveContent, []models.Mitigation) { cwes := red.parseCwe(cve.Cwe) details := []string{} @@ -251,6 +254,18 @@ func (red RedHat) ConvertToModel(cve *gostmodels.RedhatCVE) *models.CveContent { refs = append(refs, models.Reference{Link: r.Reference}) } + vendorURL := "https://access.redhat.com/security/cve/" + cve.Name + mitigations := []models.Mitigation{} + if cve.Mitigation != "" { + mitigations = []models.Mitigation{ + { + CveContentType: models.RedHatAPI, + Mitigation: cve.Mitigation, + URL: vendorURL, + }, + } + } + return &models.CveContent{ Type: models.RedHatAPI, CveID: cve.Name, @@ -264,8 +279,7 @@ func (red RedHat) ConvertToModel(cve *gostmodels.RedhatCVE) *models.CveContent { Cvss3Severity: v3severity, References: refs, CweIDs: cwes, - Mitigation: cve.Mitigation, Published: cve.PublicDate, - SourceLink: "https://access.redhat.com/security/cve/" + cve.Name, - } + SourceLink: vendorURL, + }, mitigations } diff --git a/models/cvecontents.go b/models/cvecontents.go index 3d44eec7..647e892e 100644 --- a/models/cvecontents.go 
+++ b/models/cvecontents.go @@ -42,11 +42,19 @@ func (v CveContents) Except(exceptCtypes ...CveContentType) (values CveContents) return } -// SourceLinks returns link of source -func (v CveContents) SourceLinks(lang, myFamily, cveID string) (values []CveContentStr) { - if lang == "ja" { - if cont, found := v[Jvn]; found && 0 < len(cont.SourceLink) { - values = append(values, CveContentStr{Jvn, cont.SourceLink}) +// PrimarySrcURLs returns link of source +func (v CveContents) PrimarySrcURLs(lang, myFamily, cveID string) (values []CveContentStr) { + if cveID == "" { + return + } + + if cont, found := v[Nvd]; found { + for _, r := range cont.References { + for _, t := range r.Tags { + if t == "Vendor Advisory" { + values = append(values, CveContentStr{Nvd, r.Link}) + } + } } } @@ -60,6 +68,12 @@ func (v CveContents) SourceLinks(lang, myFamily, cveID string) (values []CveCont } } + if lang == "ja" { + if cont, found := v[Jvn]; found && 0 < len(cont.SourceLink) { + values = append(values, CveContentStr{Jvn, cont.SourceLink}) + } + } + if len(values) == 0 { return []CveContentStr{{ Type: Nvd, @@ -69,6 +83,22 @@ func (v CveContents) SourceLinks(lang, myFamily, cveID string) (values []CveCont return values } +// PrimarySrcURLs returns link of source +func (v CveContents) PatchURLs() (urls []string) { + cont, found := v[Nvd] + if !found { + return + } + for _, r := range cont.References { + for _, t := range r.Tags { + if t == "Patch" { + urls = append(urls, r.Link) + } + } + } + return +} + /* // Severities returns Severities func (v CveContents) Severities(myFamily string) (values []CveContentStr) { @@ -184,7 +214,6 @@ type CveContent struct { CweIDs []string `json:"cweIDs,omitempty"` Published time.Time `json:"published"` LastModified time.Time `json:"lastModified"` - Mitigation string `json:"mitigation"` // RedHat API Optional map[string]string `json:"optional,omitempty"` } 
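Review bot: The comment above the new `PatchURLs` method is a copy of the `PrimarySrcURLs` one (`// PrimarySrcURLs returns link of source`), so godoc and golint will report the mismatch; it should read `// PatchURLs returns the links of the NVD references tagged "Patch".` Both new methods compare tags with exact string equality (`t == "Vendor Advisory"`, `t == "Patch"`), so they silently return nothing if the tag values carry surrounding whitespace from the split that produces `Reference.Tags` elsewhere in this change — worth confirming against that code. The two literals would also be better as package constants next to the `CveContentType` constants, e.g. `const ( nvdTagVendorAdvisory = "Vendor Advisory"; nvdTagPatch = "Patch" )`, so the producer and both consumers cannot drift. `PrimarySrcURLs` continues outside the first hunk.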
@@ -234,7 +263,7 @@ const ( // NvdXML is NvdXML NvdXML CveContentType = "nvdxml" - // Nvd is Nvd + // Nvd is Nvd JSON Nvd CveContentType = "nvd" // Jvn is Jvn @@ -324,7 +353,8 @@ type References []Reference // Reference has a related link of the CVE type Reference struct { - Source string `json:"source"` - Link string `json:"link"` - RefID string `json:"refID"` + Link string `json:"link,omitempty"` + Source string `json:"source,omitempty"` + RefID string `json:"refID,omitempty"` + Tags []string `json:"tags,omitempty"` } diff --git a/models/cvecontents_test.go b/models/cvecontents_test.go index 822be472..db61bbe2 100644 --- a/models/cvecontents_test.go +++ b/models/cvecontents_test.go @@ -56,12 +56,34 @@ func TestSourceLinks(t *testing.T) { Type: NvdXML, SourceLink: "https://nvd.nist.gov/vuln/detail/CVE-2017-6074", }, + Nvd: { + Type: Nvd, + References: []Reference{ + { + Link: "https://lists.apache.org/thread.html/765be3606d865de513f6df9288842c3cf58b09a987c617a535f2b99d@%3Cusers.tapestry.apache.org%3E", + Source: "", + RefID: "", + Tags: []string{"Vendor Advisory"}, + }, + { + Link: "http://yahoo.com", + Source: "", + RefID: "", + Tags: []string{"Vendor"}, + }, + }, + SourceLink: "https://nvd.nist.gov/vuln/detail/CVE-2017-6074", + }, }, }, out: []CveContentStr{ { - Type: Jvn, - Value: "https://jvn.jp/vu/JVNVU93610402/", + Type: Nvd, + Value: "https://lists.apache.org/thread.html/765be3606d865de513f6df9288842c3cf58b09a987c617a535f2b99d@%3Cusers.tapestry.apache.org%3E", + }, + { + Type: Nvd, + Value: "https://nvd.nist.gov/vuln/detail/CVE-2017-6074", }, { Type: NvdXML, @@ -71,6 +93,10 @@ func TestSourceLinks(t *testing.T) { Type: RedHat, Value: "https://access.redhat.com/security/cve/CVE-2017-6074", }, + { + Type: Jvn, + Value: "https://jvn.jp/vu/JVNVU93610402/", + }, }, }, // lang: en 
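Review bot: Swapping the order of `Source` and `Link` in the `Reference` struct (hunk -324) is safe for the keyed literals in this diff, but all three original fields are `string`, so any unkeyed literal of the form `Reference{source, link, refID}` elsewhere in the repository would still compile and silently exchange the two values; `go vet`'s composites check only flags unkeyed literals of imported types, so a grep for `Reference{` without field names is the cheap way to rule this out. If JSON key order is the reason for the reorder, a one-line comment on the struct saying so (`// field order is the JSON output order`) would stop a later maintainer from "fixing" it back.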
@@ -120,71 +146,9 @@ func TestSourceLinks(t *testing.T) { }, } for i, tt := range tests { - actual := tt.in.cont.SourceLinks(tt.in.lang, "redhat", tt.in.cveID) + actual := tt.in.cont.PrimarySrcURLs(tt.in.lang, "redhat", tt.in.cveID) if !reflect.DeepEqual(tt.out, actual) { t.Errorf("\n[%d] expected: %v\n actual: %v\n", i, tt.out, actual) } } } - -func TestVendorLink(t *testing.T) { - type in struct { - family string - vinfo VulnInfo - } - var tests = []struct { - in in - out map[string]string - }{ - { - in: in{ - family: "redhat", - vinfo: VulnInfo{ - CveID: "CVE-2017-6074", - CveContents: CveContents{ - Jvn: { - Type: Jvn, - SourceLink: "https://jvn.jp/vu/JVNVU93610402/", - }, - RedHat: { - Type: RedHat, - SourceLink: "https://access.redhat.com/security/cve/CVE-2017-6074", - }, - NvdXML: { - Type: NvdXML, - SourceLink: "https://nvd.nist.gov/vuln/detail/CVE-2017-6074", - }, - }, - }, - }, - out: map[string]string{ - "RHEL-CVE": "https://access.redhat.com/security/cve/CVE-2017-6074", - }, - }, - { - in: in{ - family: "ubuntu", - vinfo: VulnInfo{ - CveID: "CVE-2017-6074", - CveContents: CveContents{ - RedHat: { - Type: Ubuntu, - SourceLink: "https://access.redhat.com/security/cve/CVE-2017-6074", - }, - }, - }, - }, - out: map[string]string{ - "Ubuntu-CVE": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6074", - }, - }, - } - for _, tt := range tests { - actual := tt.in.vinfo.VendorLinks(tt.in.family) - for k := range tt.out { - if tt.out[k] != actual[k] { - t.Errorf("\nexpected: %s\n actual: %s\n", tt.out[k], actual[k]) - } - } - } -} diff --git a/models/utils.go b/models/utils.go index 2b76ae52..a7b82558 100644 --- a/models/utils.go +++ b/models/utils.go 
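Review bot: The call site is updated to `tt.in.cont.PrimarySrcURLs(...)`, but the enclosing test is still named `TestSourceLinks` (visible in the hunk header; the function begins before the hunk), so `go test -run PrimarySrcURLs` finds nothing and the name points at a method that no longer exists; rename it to `func TestPrimarySrcURLs(t *testing.T) {`. The deleted `TestVendorLink` exercised `VulnInfo.VendorLinks`; if that method still exists after this change it is now untested, and if it was removed, a note in the commit description would make the coverage drop intentional rather than accidental. The new `PatchURLs` method introduced in models/cvecontents.go has no test in this file, even though it is a one-to-one copy of the tag-matching loop and would fit the same table.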
@@ -49,9 +49,9 @@ func ConvertJvnToModel(cveID string, jvn *cvedict.Jvn) *CveContent { } // ConvertNvdJSONToModel convert NVD to CveContent -func ConvertNvdJSONToModel(cveID string, nvd *cvedict.NvdJSON) (*CveContent, []Exploit) { +func ConvertNvdJSONToModel(cveID string, nvd *cvedict.NvdJSON) (*CveContent, []Exploit, []Mitigation) { if nvd == nil { - return nil, nil + return nil, nil, nil } // var cpes = []Cpe{} // for _, c := range nvd.Cpes { @@ -63,17 +63,27 @@ func ConvertNvdJSONToModel(cveID string, nvd *cvedict.NvdJSON) (*CveContent, []E refs := []Reference{} exploits := []Exploit{} + mitigations := []Mitigation{} for _, r := range nvd.References { refs = append(refs, Reference{ Link: r.Link, Source: r.Source, + Tags: strings.Split(r.Tags, ","), }) if strings.Contains(r.Tags, "Exploit") { exploits = append(exploits, Exploit{ - ExploitType: "NVD", + //TODO Add const to here + // https://github.com/vulsio/go-exploitdb/blob/master/models/exploit.go#L13-L18 + ExploitType: "nvd", URL: r.Link, }) } + if strings.Contains(r.Tags, "Mitigation") { + mitigations = append(mitigations, Mitigation{ + CveContentType: Nvd, + URL: r.Link, + }) + } } cweIDs := []string{} @@ -102,5 +112,5 @@ func ConvertNvdJSONToModel(cveID string, nvd *cvedict.NvdJSON) (*CveContent, []E References: refs, Published: nvd.PublishedDate, LastModified: nvd.LastModifiedDate, - }, exploits + }, exploits, mitigations } diff --git a/models/vulninfos.go b/models/vulninfos.go index 8009238b..536333d5 100644 --- a/models/vulninfos.go +++ b/models/vulninfos.go 
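Review bot: `Tags: strings.Split(r.Tags, ",")` yields `[]string{""}` when `r.Tags` is empty, so every untagged NVD reference gets a one-element slice holding an empty tag, which `omitempty` does not suppress and which then surfaces as `"tags":[""]` in the report JSON. If the feed separates tags with `", "` (not visible from this hunk) the later elements would also carry a leading space. A guard before the append, `var tags []string; if r.Tags != "" { tags = strings.Split(r.Tags, ",") }`, with `Tags: tags` in the literal, keeps the field nil for untagged references, and `strings.TrimSpace` on each element would settle the separator question. The `Tags` assignment sits in ConvertNvdJSONToModel, whose signature is in the preceding hunk and whose return is in the following one.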
@@ -151,6 +151,7 @@ type VulnInfo struct { CveContents CveContents `json:"cveContents,omitempty"` Exploits []Exploit `json:"exploits,omitempty"` Metasploits []Metasploit `json:"metasploits,omitempty"` + Mitigations []Mitigation `json:"mitigations,omitempty"` AlertDict AlertDict `json:"alertDict,omitempty"` CpeURIs []string `json:"cpeURIs,omitempty"` // CpeURIs related to this CVE defined in config.toml GitHubSecurityAlerts GitHubSecurityAlerts `json:"gitHubSecurityAlerts,omitempty"` @@ -322,27 +323,6 @@ func (v VulnInfo) Summaries(lang, myFamily string) (values []CveContentStr) { return } -// Mitigations returns mitigations -func (v VulnInfo) Mitigations(myFamily string) (values []CveContentStr) { - order := CveContentTypes{RedHatAPI} - for _, ctype := range order { - if cont, found := v.CveContents[ctype]; found && 0 < len(cont.Mitigation) { - values = append(values, CveContentStr{ - Type: ctype, - Value: cont.Mitigation, - }) - } - } - - if len(values) == 0 { - return []CveContentStr{{ - Type: Unknown, - Value: "-", - }} - } - return -} - // Cvss2Scores returns CVSS V2 Scores func (v VulnInfo) Cvss2Scores(myFamily string) (values []CveContentCvss) { order := []CveContentType{Nvd, NvdXML, RedHatAPI, RedHat, Jvn} 
@@ -680,70 +660,6 @@ func (v VulnInfo) FormatMaxCvssScore() string { max.Type) } -// Cvss2CalcURL returns CVSS v2 caluclator's URL -func (v VulnInfo) Cvss2CalcURL() string { - return "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=" + v.CveID -} - -// Cvss3CalcURL returns CVSS v3 caluclator's URL -func (v VulnInfo) Cvss3CalcURL() string { - return "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=" + v.CveID -} - -// VendorLinks returns links of vendor support's URL -func (v VulnInfo) VendorLinks(family string) map[string]string { - links := map[string]string{} - if strings.HasPrefix(v.CveID, "WPVDBID") { - links["WPVulnDB"] = fmt.Sprintf("https://wpscan.com/vulnerabilities/%s", - strings.TrimPrefix(v.CveID, "WPVDBID-")) - return links - } - - switch family { - case config.RedHat, config.CentOS: - links["RHEL-CVE"] = "https://access.redhat.com/security/cve/" + v.CveID - for _, advisory := range v.DistroAdvisories { - aidURL := strings.Replace(advisory.AdvisoryID, ":", "-", -1) - links[advisory.AdvisoryID] = fmt.Sprintf("https://rhn.redhat.com/errata/%s.html", aidURL) - } - return links - case config.Oracle: - links["Oracle-CVE"] = fmt.Sprintf("https://linux.oracle.com/cve/%s.html", v.CveID) - for _, advisory := range v.DistroAdvisories { - links[advisory.AdvisoryID] = - fmt.Sprintf("https://linux.oracle.com/errata/%s.html", advisory.AdvisoryID) - } - return links - case config.Amazon: - links["RHEL-CVE"] = "https://access.redhat.com/security/cve/" + v.CveID - for _, advisory := range v.DistroAdvisories { - if strings.HasPrefix(advisory.AdvisoryID, "ALAS2") { - links[advisory.AdvisoryID] = - fmt.Sprintf("https://alas.aws.amazon.com/AL2/%s.html", - strings.Replace(advisory.AdvisoryID, "ALAS2", "ALAS", -1)) - } else { - links[advisory.AdvisoryID] = - fmt.Sprintf("https://alas.aws.amazon.com/%s.html", advisory.AdvisoryID) - } - } - return links - case config.Ubuntu: - links["Ubuntu-CVE"] = "http://people.ubuntu.com/~ubuntu-security/cve/" + v.CveID - 
return links - case config.Debian: - links["Debian-CVE"] = "https://security-tracker.debian.org/tracker/" + v.CveID - case config.SUSEEnterpriseServer: - links["SUSE-CVE"] = "https://www.suse.com/security/cve/" + v.CveID - case config.FreeBSD: - for _, advisory := range v.DistroAdvisories { - links["FreeBSD-VuXML"] = fmt.Sprintf("https://vuxml.freebsd.org/freebsd/%s.html", advisory.AdvisoryID) - - } - return links - } - return links -} - // DistroAdvisories is a list of DistroAdvisory type DistroAdvisories []DistroAdvisory @@ -800,6 +716,13 @@ type Metasploit struct { URLs []string `json:",omitempty"` } +// Mitigation has a link and content +type Mitigation struct { + CveContentType CveContentType `json:"cveContentType,omitempty"` + Mitigation string `json:"mitigation,omitempty"` + URL string `json:"url,omitempty"` +} + // AlertDict has target cve JPCERT and USCERT alert data type AlertDict struct { Ja []Alert `json:"ja"` diff --git a/report/report.go b/report/report.go index e753b5af..e608f330 100644 --- a/report/report.go +++ b/report/report.go @@ -184,6 +184,9 @@ func DetectPkgCves(dbclient DBClient, r *models.ScanResult) error { } // To keep backward compatibility + // Newer versions use ListenPortStats, + // but older versions of Vuls are set to ListenPorts. + // Set ListenPorts to ListenPortStats to allow newer Vuls to report old results. for i, pkg := range r.Packages { for j, proc := range pkg.AffectedProcs { for _, ipPort := range proc.ListenPorts { @@ -277,7 +280,7 @@ func FillCveInfo(dbclient DBClient, r *models.ScanResult) error { return nil } -// fillCvesWithNvdJvn fetches NVD, JVN from CVE Database +// fillCvesWithNvdJvn fills CVE detail with NVD, JVN func fillCvesWithNvdJvn(driver cvedb.DB, r *models.ScanResult) error { cveIDs := []string{} for _, v := range r.ScannedCves { 
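Review bot: The new `Mitigation` struct leaves its three fields undocumented although the reporters in this same change branch on them: tui.go prints `Mitigation` for `RedHatAPI`/`Microsoft` entries and `URL` for `Nvd` entries, so which field a producer is expected to fill is stated nowhere. Suggest `// CveContentType identifies the source that supplied this mitigation`, `// Mitigation is the mitigation text (RedHatAPI, Microsoft)` and `// URL links to a mitigation reference (Nvd)` on the respective fields. The struct comment `// Mitigation has a link and content` could then say that at most one of the two is expected to be set per source, if that is the intended contract.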
@@ -289,7 +292,7 @@ func fillCvesWithNvdJvn(driver cvedb.DB, r *models.ScanResult) error { return err } for _, d := range ds { - nvd, exploits := models.ConvertNvdJSONToModel(d.CveID, d.NvdJSON) + nvd, exploits, mitigations := models.ConvertNvdJSONToModel(d.CveID, d.NvdJSON) jvn := models.ConvertJvnToModel(d.CveID, d.Jvn) alerts := fillCertAlerts(&d) @@ -305,6 +308,7 @@ func fillCvesWithNvdJvn(driver cvedb.DB, r *models.ScanResult) error { } vinfo.AlertDict = alerts vinfo.Exploits = append(vinfo.Exploits, exploits...) + vinfo.Mitigations = append(vinfo.Mitigations, mitigations...) r.ScannedCves[cveID] = vinfo break } diff --git a/report/slack.go b/report/slack.go index 3b0e3c87..1974c543 100644 --- a/report/slack.go +++ b/report/slack.go @@ -277,9 +277,8 @@ func attachmentText(vinfo models.VulnInfo, osFamily string, cweDict map[string]m } else { if 0 < len(vinfo.DistroAdvisories) { links := []string{} - for k, v := range vinfo.VendorLinks(osFamily) { - links = append(links, fmt.Sprintf("<%s|%s>", - v, k)) + for _, v := range vinfo.CveContents.PrimarySrcURLs(config.Conf.Lang, osFamily, vinfo.CveID) { + links = append(links, fmt.Sprintf("<%s|%s>", v.Value, v.Type)) } v := fmt.Sprintf("<%s|%s> %s (%s)", @@ -303,9 +302,8 @@ func attachmentText(vinfo models.VulnInfo, osFamily string, cweDict map[string]m } mitigation := "" - if vinfo.Mitigations(osFamily)[0].Type != models.Unknown { - mitigation = fmt.Sprintf("\nMitigation:\n```%s```\n", - vinfo.Mitigations(osFamily)[0].Value) + for _, m := range vinfo.Mitigations { + mitigation = fmt.Sprintf("\nMitigation:\n<%s|%s>", m.URL, m.CveContentType) } return fmt.Sprintf("*%4.1f (%s)* %s %s\n%s\n```\n%s\n```%s\n%s\n", diff --git a/report/tui.go b/report/tui.go index 8abc4463..ef13c9ff 100644 --- a/report/tui.go +++ b/report/tui.go 
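Review bot: In `attachmentText` the loop `for _, m := range vinfo.Mitigations { mitigation = fmt.Sprintf(...) }` assigns `mitigation` afresh on every iteration, so when a CVE carries several mitigations only the last one reaches the Slack attachment. Accumulate the entries instead, emitting the `Mitigation:` header once, as below. `m.URL` is third-party data from the NVD feed interpolated straight into the `<url|label>` mrkdwn form; a value containing `|` or `>` would break the link, so it may be worth validating it before formatting. attachmentText starts and ends outside this hunk.
```go
mitigation := ""
for i, m := range vinfo.Mitigations {
	if i == 0 {
		mitigation = "\nMitigation:"
	}
	mitigation += fmt.Sprintf("\n<%s|%s>", m.URL, m.CveContentType)
}
// … unchanged: final fmt.Sprintf of the attachment text …
```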
@@ -866,6 +866,7 @@ type dataForTmpl struct { Metasploits []models.Metasploit Summary string Mitigation string + PatchURLs []string Confidences models.Confidences Cwes []models.CweDictEntry Alerts []models.Alert @@ -894,14 +895,8 @@ func detailLines() (string, error) { vinfo := vinfos[currentVinfo] links := []string{} - if strings.HasPrefix(vinfo.CveID, "CVE-") { - links = append(links, vinfo.CveContents.SourceLinks( - config.Conf.Lang, r.Family, vinfo.CveID)[0].Value, - vinfo.Cvss2CalcURL(), - vinfo.Cvss3CalcURL()) - } - for _, url := range vinfo.VendorLinks(r.Family) { - links = append(links, url) + for _, r := range vinfo.CveContents.PrimarySrcURLs(config.Conf.Lang, r.Family, vinfo.CveID) { + links = append(links, r.Value) } refsMap := map[string]models.Reference{} @@ -924,7 +919,20 @@ func detailLines() (string, error) { } summary := vinfo.Summaries(r.Lang, r.Family)[0] - mitigation := vinfo.Mitigations(r.Family)[0] + + mitigations := []string{} + for _, m := range vinfo.Mitigations { + switch m.CveContentType { + case models.RedHatAPI, models.Microsoft: + mitigations = append(mitigations, + fmt.Sprintf("%s (%s)", m.Mitigation, m.CveContentType)) + case models.Nvd: + mitigations = append(mitigations, + fmt.Sprintf("* %s (%s)", m.URL, m.CveContentType)) + default: + util.Log.Errorf("Unknown CveContentType: %s", m) + } + } table := uitable.New() table.MaxColWidth = maxColWidth @@ -962,7 +970,8 @@ func detailLines() (string, error) { CveID: vinfo.CveID, Cvsses: fmt.Sprintf("%s\n", table), Summary: fmt.Sprintf("%s (%s)", summary.Value, summary.Type), - Mitigation: fmt.Sprintf("%s (%s)", mitigation.Value, mitigation.Type), + Mitigation: strings.Join(mitigations, "\n"), + PatchURLs: vinfo.CveContents.PatchURLs(), Confidences: vinfo.Confidences, Cwes: cwes, Links: util.Distinct(links), 
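Review bot: `for _, r := range vinfo.CveContents.PrimarySrcURLs(config.Conf.Lang, r.Family, vinfo.CveID)` declares a loop variable `r` that shadows the scan result `r` used in the range expression and again shortly after in `vinfo.Summaries(r.Lang, r.Family)`; it compiles, because the range expression is evaluated in the outer scope, but it reads as though the scan result itself were being iterated. Rename it: `for _, u := range vinfo.CveContents.PrimarySrcURLs(config.Conf.Lang, r.Family, vinfo.CveID) { links = append(links, u.Value) }`. In the mitigation switch, `util.Log.Errorf("Unknown CveContentType: %s", m)` formats the whole struct with `%s`; `util.Log.Errorf("Unknown CveContentType: %q", m.CveContentType)` names the unexpected source without dumping the mitigation text into the log. detailLines starts and ends outside these hunks.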
@@ -991,13 +1000,18 @@ Summary Mitigation ----------- - {{.Mitigation }} +{{.Mitigation }} -Links +Primary Src ----------- {{range $link := .Links -}} * {{$link}} {{end}} +Patch +----------- +{{range $url := .PatchURLs -}} +* {{$url}} +{{end}} CWE ----------- {{range .Cwes -}} diff --git a/report/util.go b/report/util.go index 0435658f..e6063855 100644 --- a/report/util.go +++ b/report/util.go 
@@ -217,38 +217,18 @@ No CVE-IDs are found in updatable packages. data = append(data, []string{"Summary", vuln.Summaries( config.Conf.Lang, r.Family)[0].Value}) - mitigation := vuln.Mitigations(r.Family)[0] - if mitigation.Type != models.Unknown { - data = append(data, []string{"Mitigation", mitigation.Value}) + for _, m := range vuln.Mitigations { + data = append(data, []string{"Mitigation", m.URL}) } - cweURLs, top10URLs := []string{}, []string{} - cweTop25URLs, sansTop25URLs := []string{}, []string{} - for _, v := range vuln.CveContents.UniqCweIDs(r.Family) { - name, url, top10Rank, top10URL, cweTop25Rank, cweTop25URL, sansTop25Rank, sansTop25URL := r.CweDict.Get(v.Value, r.Lang) - if top10Rank != "" { - data = append(data, []string{"CWE", - fmt.Sprintf("[OWASP Top%s] %s: %s (%s)", - top10Rank, v.Value, name, v.Type)}) - top10URLs = append(top10URLs, top10URL) - } - if cweTop25Rank != "" { - data = append(data, []string{"CWE", - fmt.Sprintf("[CWE Top%s] %s: %s (%s)", - cweTop25Rank, v.Value, name, v.Type)}) - cweTop25URLs = append(cweTop25URLs, cweTop25URL) - } - if sansTop25Rank != "" { - data = append(data, []string{"CWE", - fmt.Sprintf("[CWE/SANS Top%s] %s: %s (%s)", - sansTop25Rank, v.Value, name, v.Type)}) - sansTop25URLs = append(sansTop25URLs, sansTop25URL) - } - if top10Rank == "" && cweTop25Rank == "" && sansTop25Rank == "" { - data = append(data, []string{"CWE", fmt.Sprintf("%s: %s (%s)", - v.Value, name, v.Type)}) - } - cweURLs = append(cweURLs, url) + links := vuln.CveContents.PrimarySrcURLs( + config.Conf.Lang, r.Family, vuln.CveID) + for _, link := range links { + data = append(data, []string{"Primary Src", link.Value}) + } + + for _, url := range vuln.CveContents.PatchURLs() { + data = append(data, []string{"Patch", url}) } vuln.AffectedPackages.Sort() 
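Review bot: `for _, m := range vuln.Mitigations { data = append(data, []string{"Mitigation", m.URL}) }` prints only `m.URL`, but the `Mitigation` struct added in models/vulninfos.go also carries a `Mitigation` text field, and the tui.go hunk in this same change prints that text for `RedHatAPI`/`Microsoft` entries; here such entries would produce a "Mitigation" row with an empty value. Print whichever field is populated, as below, so the two reporters agree. The enclosing function starts and ends outside this hunk.
```go
for _, m := range vuln.Mitigations {
	if m.Mitigation != "" {
		data = append(data, []string{"Mitigation", m.Mitigation})
	}
	if m.URL != "" {
		data = append(data, []string{"Mitigation", m.URL})
	}
}
// … unchanged: Primary Src and Patch rows …
```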
@@ -324,23 +304,35 @@ No CVE-IDs are found in updatable packages. data = append(data, []string{"Confidence", confidence.String()}) } - if strings.HasPrefix(vuln.CveID, "CVE-") { - links := vuln.CveContents.SourceLinks( - config.Conf.Lang, r.Family, vuln.CveID) - data = append(data, []string{"Source", links[0].Value}) - - if 0 < len(vuln.Cvss2Scores(r.Family)) { - data = append(data, []string{"CVSSv2 Calc", vuln.Cvss2CalcURL()}) + cweURLs, top10URLs := []string{}, []string{} + cweTop25URLs, sansTop25URLs := []string{}, []string{} + for _, v := range vuln.CveContents.UniqCweIDs(r.Family) { + name, url, top10Rank, top10URL, cweTop25Rank, cweTop25URL, sansTop25Rank, sansTop25URL := r.CweDict.Get(v.Value, r.Lang) + if top10Rank != "" { + data = append(data, []string{"CWE", + fmt.Sprintf("[OWASP Top%s] %s: %s (%s)", + top10Rank, v.Value, name, v.Type)}) + top10URLs = append(top10URLs, top10URL) } - if 0 < len(vuln.Cvss3Scores()) { - data = append(data, []string{"CVSSv3 Calc", vuln.Cvss3CalcURL()}) + if cweTop25Rank != "" { + data = append(data, []string{"CWE", + fmt.Sprintf("[CWE Top%s] %s: %s (%s)", + cweTop25Rank, v.Value, name, v.Type)}) + cweTop25URLs = append(cweTop25URLs, cweTop25URL) } + if sansTop25Rank != "" { + data = append(data, []string{"CWE", + fmt.Sprintf("[CWE/SANS Top%s] %s: %s (%s)", + sansTop25Rank, v.Value, name, v.Type)}) + sansTop25URLs = append(sansTop25URLs, sansTop25URL) + } + if top10Rank == "" && cweTop25Rank == "" && sansTop25Rank == "" { + data = append(data, []string{"CWE", fmt.Sprintf("%s: %s (%s)", + v.Value, name, v.Type)}) + } + cweURLs = append(cweURLs, url) } - vlinks := vuln.VendorLinks(r.Family) - for name, url := range vlinks { - data = append(data, []string{name, url}) - } for _, url := range cweURLs { data = append(data, []string{"CWE", url}) }