Bump up version

Fix parse yum check update

CHANGELOG.md

@@ -1,11 +1,28 @@
 # Change Log
 
+## [v0.1.2](https://github.com/future-architect/vuls/tree/v0.1.2) (2016-04-12)
+[Full Changelog](https://github.com/future-architect/vuls/compare/v0.1.1...v0.1.2)
+
+**Fixed bugs:**
+
+- Maximum 6 nodes available to scan [\#12](https://github.com/future-architect/vuls/issues/12)
+- panic: runtime error: index out of range [\#5](https://github.com/future-architect/vuls/issues/5)
+- Fix sudo option on RedHat like Linux and change some messages. [\#20](https://github.com/future-architect/vuls/pull/20) ([kotakanbe](https://github.com/kotakanbe))
+- Typo fix and updated readme [\#19](https://github.com/future-architect/vuls/pull/19) ([Euan-Kerr](https://github.com/Euan-Kerr))
+- remove a period at the end of error messages. [\#18](https://github.com/future-architect/vuls/pull/18) ([kotakanbe](https://github.com/kotakanbe))
+- fix error while yum updateinfo --security update on rhel@aws [\#17](https://github.com/future-architect/vuls/pull/17) ([kotakanbe](https://github.com/kotakanbe))
+- Fixed typos [\#15](https://github.com/future-architect/vuls/pull/15) ([radarhere](https://github.com/radarhere))
+- Typo fix in error messages [\#14](https://github.com/future-architect/vuls/pull/14) ([Bregor](https://github.com/Bregor))
+- Fix index out of range error when the number of servers is over 6. \#12 [\#13](https://github.com/future-architect/vuls/pull/13) ([kotakanbe](https://github.com/kotakanbe))
+- Revise small grammar mistakes in serverapi.go [\#9](https://github.com/future-architect/vuls/pull/9) ([cpobrien](https://github.com/cpobrien))
+- Fix error handling in HTTP backoff function [\#7](https://github.com/future-architect/vuls/pull/7) ([kotakanbe](https://github.com/kotakanbe))
+
 ## [v0.1.1](https://github.com/future-architect/vuls/tree/v0.1.1) (2016-04-06)
 [Full Changelog](https://github.com/future-architect/vuls/compare/v0.1.0...v0.1.1)
 
-**Merged pull requests:**
+**Fixed bugs:**
 
-- Typo in Example [\#6](https://github.com/future-architect/vuls/pull/6) ([toli](https://github.com/toli))
+- Typo in Exapmle [\#6](https://github.com/future-architect/vuls/pull/6) ([toli](https://github.com/toli))
 
 ## [v0.1.0](https://github.com/future-architect/vuls/tree/v0.1.0) (2016-04-04)
 **Merged pull requests:**
@@ -16,4 +33,4 @@
 
 
 
-\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*
+\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*

README.fr.md

@@ -0,0 +1,652 @@
+
+# Vuls: VULnerability Scanner
+
+[![Slack](https://img.shields.io/badge/slack-join-blue.svg)](http://goo.gl/forms/xm5KFo35tu)
+
+Scanneur de vulnérabilité Linux, sans agent, écrit en golang
+
+Nous avons une équipe Slack. [Rejoignez notre Slack Team](http://goo.gl/forms/xm5KFo35tu)  
+
+[README en Japonais](https://github.com/future-architect/vuls/blob/master/README.ja.md)  
+
+[![asciicast](https://asciinema.org/a/3y9zrf950agiko7klg8abvyck.png)](https://asciinema.org/a/3y9zrf950agiko7klg8abvyck)
+
+![Vuls-slack](img/vuls-slack-en.png)
+
+
+
+----
+
+# Résumé
+
+Effectuer des recherches de vulnérabilités et des mises à jour quotidiennes peut etre un fardeau pour un administrateur système.
+Afin d'éviter des interruptions systèmes dans un environnement de production, il est fréquent pour un administrateur système de choisir de ne pas utiliser la fonction de mise à jour automatique proposée par le gestionnaire de paquets et d'effecter ces mises à jour manuellement.
+Ce qui implique les problèmes suivants :
+- L'administrateur système devra surveiller constamment toutes les nouvelles vulnérabilités dans NVD (National Vulnerability Database) etc.
+- Il pourrait être impossible pour un administrateur système de surveiller tous les logiciels installés sur un serveur.
+- Il est coûteux d'effectuer une analyse pour déterminer quels sont les serveurs affectés par de nouvelles vulnérabilités. La possibilité de négliger un serveur ou deux est bien présente.
+
+Vuls est un outil crée pour palier aux problèmes listés ci-dessus. Voici ses caractéristiques.
+- Informer les utilisateurs des vulnérabilités système.
+- Informer les utilisateurs des systèmes concernés. 
+- La détection de vulnérabilités est effectuée automatiquement pour éviter toute négligence.
+- Les rapports sont générés régulièrement via CRON pour mieux gérer ces vulnérabilités.
+
+![Vuls-Motivation](img/vuls-motivation.png)
+
+----
+
+# Caractéristiques principales
+
+- Recherche de vulnérabilités sur des serveurs Linux
+    - Supporte Ubuntu, Debian, CentOS, Amazon Linux, RHEL
+    - Cloud, auto-hébergement, Docker
+- Scan d'intergiciels non inclus dans le gestionnaire de paquets de l'OS
+    - Scan d'intergiciels, de libraries de language de programmation et framework pour des vulnérabilités
+    - Supporte les logiciels inscrits au CPE
+- Architecture sans agent
+    - L'utilisateur doit seulement mettre en place VULS sur une seule machine qui se connectera aux autres via SSH
+- Génération automatique des fichiers de configuration
+    - Auto detection de serveurs via CIDR et génération de configuration
+- Email et notification Slack possibles (supporte le Japonais) 
+- Les résultats d'un scan sont accessibles dans un shell via TUI Viewer terminal.
+
+----
+
+# Ce que Vuls ne fait pas
+
+- Vuls ne met pas à jour les programmes affectés par les vulnérabilités découvertes.
+
+----
+
+# Hello Vuls 
+
+Ce tutoriel décrit la recherche de vulnérabilités sur une machine locale avec Vuls.
+Voici les étapes à suivre. 
+
+1. Démrarrage d'Amazon Linux
+1. Autoriser les connexions SSH depuis localhost
+1. Installation des prérequis
+1. Déploiement de go-cve-dictionary
+1. Deploiement de Vuls
+1. Configuration
+1. Préparation
+1. Scan
+1. TUI(Terminal-Based User Interface)
+
+## Step1. Démrarrage d'Amazon Linux
+
+- Nous utilisons dans cette exemple une vieille AMI (amzn-ami-hvm-2015.09.1.x86_64-gp2 - ami-383c1956)
+- Taille de l'instance : t2.medium
+    - La première fois, t2.medium et plus sont requis pour la récupération des CVE depuis NVD (2.3GB de mémoire utilisé)
+    - Une fois la récupération initiale des données NVD terminée vous pouvez passer sur une instance t2.nano.
+- Ajoutez la configuration suivante au cloud-init, afin d'éviter une mise à jour automatique lors du premier démarrage.
+
+    - [Q: How do I disable the automatic installation of critical and important security updates on initial launch?](https://aws.amazon.com/amazon-linux-ami/faqs/?nc1=h_ls)
+    ```
+    #cloud-config
+    repo_upgrade: none
+    ```
+
+## Step2. Paramètres SSH
+
+Il est obligatoire que le serveur puisse se connecter à son propre serveur SSH
+
+Générez une paire de clés SSH et ajoutez la clé publique dans le fichier authorized_keys
+```bash
+$ ssh-keygen -t rsa
+$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
+$ chmod 600 ~/.ssh/authorized_keys
+```
+
+## Step3. Installation des prérequis
+
+Vuls requiert l'installation des paquets suivants : 
+
+- sqlite
+- git
+- gcc
+- go v1.6
+    - https://golang.org/doc/install
+
+```bash
+$ ssh ec2-user@52.100.100.100  -i ~/.ssh/private.pem
+$ sudo yum -y install sqlite git gcc
+$ wget https://storage.googleapis.com/golang/go1.6.linux-amd64.tar.gz
+$ sudo tar -C /usr/local -xzf go1.6.linux-amd64.tar.gz
+$ mkdir $HOME/go
+```
+Ajoutez les lignes suivantes dans /etc/profile.d/goenv.sh
+
+```bash
+export GOROOT=/usr/local/go
+export GOPATH=$HOME/go
+export PATH=$PATH:$GOROOT/bin:$GOPATH/bin
+```
+
+Ajoutons ces nouvelles variables d’environnement au shell
+```bash
+$ source /etc/profile.d/goenv.sh
+```
+
+## Step4. Déploiement de [go-cve-dictionary](https://github.com/kotakanbe/go-cve-dictionary)
+
+go get
+
+```bash
+$ sudo mkdir /var/log/vuls
+$ sudo chown ec2-user /var/log/vuls
+$ sudo chmod 700 /var/log/vuls
+$ go get github.com/kotakanbe/go-cve-dictionary
+```
+
+Démarrez go-cve-dictionary en mode serveur.
+Lors de son premier démarrage go-cve-dictionary récupère la liste des vulnérabilités depuis NVD
+Cette opération prend environ 10 minutes (sur AWS).  
+
+```bash
+$ go-cve-dictionary server
+... Fetching ...
+$ ls -alh cve.sqlite3
+-rw-r--r-- 1 ec2-user ec2-user 7.0M Mar 24 13:20 cve.sqlite3
+```
+
+Une fois les informations de vulnérabilités collectées redémarrez le mode serveur.
+```bash
+$ go-cve-dictionary server
+[Mar 24 15:21:55]  INFO Opening DB. datafile: /home/ec2-user/cve.sqlite3
+[Mar 24 15:21:55]  INFO Migrating DB
+[Mar 24 15:21:56]  INFO Starting HTTP Sever...
+[Mar 24 15:21:56]  INFO Listening on 127.0.0.1:1323
+```
+
+## Step5. Déploiement de Vuls
+
+Ouvrez un second terminal, connectez vous à l'instance ec2 via SSH
+
+go get
+```
+$ go get github.com/future-architect/vuls
+```
+
+## Step6. Configuration
+
+Créez un fichier de configuration (TOML format).
+
+```
+$ cat config.toml
+[servers]
+
+[servers.172-31-4-82]
+host         = "172.31.4.82"
+port        = "22"
+user        = "ec2-user"
+keyPath     = "/home/ec2-user/.ssh/id_rsa"
+```
+
+## Step7. Configuration des serveurs cibles vuls  
+
+```
+$ vuls prepare
+```
+
+## Step8. Scan
+
+```
+$ vuls scan
+INFO[0000] Begin scanning (config: /home/ec2-user/config.toml)
+
+... snip ...
+
+172-31-4-82 (amazon 2015.09)
+============================
+CVE-2016-0494   10.0    Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle
+                        Java SE 6u105, 7u91, and 8u66 and Java SE Embedded 8u65 allows remote attackers to
+                        affect confidentiality, integrity, and availability via unknown vectors related to
+                        2D.
+... snip ...
+
+CVE-2016-0494
+-------------
+Score           10.0 (High)
+Vector          (AV:N/AC:L/Au:N/C:C/I:C/A:C)
+Summary         Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105,
+                7u91, and 8u66 and Java SE Embedded 8u65 allows remote attackers to affect confidentiality,
+                integrity, and availability via unknown vectors related to 2D.
+NVD             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0494
+MITRE           https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0494
+CVE Details     http://www.cvedetails.com/cve/CVE-2016-0494
+CVSS Claculator https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2016-0494&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C)
+RHEL-CVE        https://access.redhat.com/security/cve/CVE-2016-0494
+ALAS-2016-643   https://alas.aws.amazon.com/ALAS-2016-643.html
+Package/CPE     java-1.7.0-openjdk-1.7.0.91-2.6.2.2.63.amzn1 -> java-1.7.0-openjdk-1:1.7.0.95-2.6.4.0.65.amzn1
+
+```
+
+## Step9. TUI
+
+Les résultats de Vuls peuvent etre affichés dans un Shell via TUI (Terminal-Based User Interface).
+
+```
+$ vuls tui
+```
+
+![Vuls-TUI](img/hello-vuls-tui.png)
+
+
+----
+
+# Architecture
+
+![Vuls-Architecture](img/vuls-architecture.png)
+
+## go-cve-dictinary  
+- Collecte les informations de vulnérabilités depuis NVD, JVN(Japonais), et les envoie dans SQLite.
+
+## Vuls
+- Scan de vulnérabilités sur serveurs et création d'une liste contenant les CVE ID
+- Pour des informations plus détaillés sur une CVE, envoie une requete HTTP à go-cve-dictinary 
+- Rapport à Slack et par Email
+- L'administrateur système peut voir les résultats du dernier rapport dans le terminal
+
+----
+
+# Exemples d'utilisation
+
+## Scan de tous les serverus
+
+![Vuls-Usecase1](img/vuls-usecase-elb-rails-rds-all.png)
+
+## Scan d'un seul serveur
+
+web/app server in the same configuration under the load balancer
+
+![Vuls-Usecase2](img/vuls-usecase-elb-rails-rds-single.png)
+
+----
+
+# OS supportés 
+
+| Distribution|            Release |
+|:------------|-------------------:|
+| Ubuntu      |          12, 14, 16|
+| Debian      |                7, 8|
+| RHEL        |          4, 5, 6, 7|
+| CentOS      |             5, 6, 7|
+| Amazon Linux|                All |
+
+----
+
+
+# Usage: Détection Automatique de Serveurs 
+
+La sous-commande Discovery permet de détecter les serveurs actifs dans un range d'IP CIDR, les résultas sont directement affichés dans le terminal en respectant le format du fichier de configuration (TOML format).
+
+```
+$ vuls discover -help
+discover:
+        discover 192.168.0.0/24
+```
+
+## Exemple
+
+```
+$ vuls discover 172.31.4.0/24
+# Create config.toml using below and then ./vuls --config=/path/to/config.toml
+
+[slack]
+hookURL      = "https://hooks.slack.com/services/abc123/defghijklmnopqrstuvwxyz"
+channel      = "#channel-name"
+#channel      = "#{servername}"
+iconEmoji    = ":ghost:"
+authUser     = "username"
+notifyUsers  = ["@username"]
+
+[mail]
+smtpAddr      = "smtp.gmail.com"
+smtpPort      = 465
+user          = "username"
+password      = "password"
+from          = "from@address.com"
+to            = ["to@address.com"]
+cc            = ["cc@address.com"]
+subjectPrefix = "[vuls]"
+
+[default]
+#port        = "22"
+#user        = "username"
+#password    = "password"
+#keyPath     = "/home/username/.ssh/id_rsa"
+#keyPassword = "password"
+
+[servers]
+
+[servers.172-31-4-82]
+host         = "172.31.4.82"
+#port        = "22"
+#user        = "root"
+#password    = "password"
+#keyPath     = "/home/username/.ssh/id_rsa"
+#keyPassword = "password"
+#cpeNames = [
+#  "cpe:/a:rubyonrails:ruby_on_rails:4.2.1",
+#]
+```
+
+Vous pouvez customiser votre configuration en utilisant ce modèle.
+
+----
+
+# Configuration
+
+- Slack section
+    ```
+    [slack]
+    hookURL      = "https://hooks.slack.com/services/abc123/defghijklmnopqrstuvwxyz"
+    channel      = "#channel-name"
+    #channel      = "#{servername}"
+    iconEmoji    = ":ghost:"
+    authUser     = "username"
+    notifyUsers  = ["@username"]
+    ```
+
+    - hookURL : Incomming webhook's URL  
+    - channel : channel name.  
+    If you set #{servername} to channel, the report will be sent to #servername channel.  
+    In the following example, the report will be sent to the #server1 and #server2.  
+    Be sure to create these channels before scanning.
+      ```
+      [slack]
+      channel      = "#{servername}"
+      ...snip...
+
+      [servers]
+
+      [servers.server1]
+      host         = "172.31.4.82"
+      ...snip...
+
+      [servers.server2]
+      host         = "172.31.4.83"
+      ...snip...
+      ```
+
+    - iconEmoji: emoji
+    - authUser: username of the slack team
+    - notifyUsers: a list of Slack usernames to send Slack notifications.
+      If you set ["@foo", "@bar"] to notifyUsers, @foo @bar will be included in text.  
+      So @foo, @bar can receive mobile push notifications on their smartphone.  
+
+- Mail section
+    ```
+    [mail]
+    smtpAddr      = "smtp.gmail.com"
+    smtpPort      = 465
+    user          = "username"
+    password      = "password"
+    from          = "from@address.com"
+    to            = ["to@address.com"]
+    cc            = ["cc@address.com"]
+    subjectPrefix = "[vuls]"
+    ```
+
+- Default section
+    ```
+    [default]
+    #port        = "22"
+    #user        = "username"
+    #password    = "password"
+    #keyPath     = "/home/username/.ssh/id_rsa"
+    #keyPassword = "password"
+    ```
+    Items of the default section will be used if not specified.
+
+- servers section
+    ```
+    [servers]
+
+    [servers.172-31-4-82]
+    host         = "172.31.4.82"
+    #port        = "22"
+    #user        = "root"
+    #password    = "password"
+    #keyPath     = "/home/username/.ssh/id_rsa"
+    #keyPassword = "password"
+    #cpeNames = [
+    #  "cpe:/a:rubyonrails:ruby_on_rails:4.2.1",
+    #]
+    ```
+    Vous pouvez remplacer les valeurs par défaut indiquées en modifiant la section default
+    Vuls supporte plusieurs méthodes d'authentification SSH :
+    - SSH agent
+    - SSH authentication par clés (avec mot de passe ou sans mot de passe)
+    - Authentification par mot de passe
+
+----
+
+# Utilisation : Prepare
+
+La sous-commande prepare installe tous les paquets nécessaires sur chaque serveur.
+
+| Distribution|            Release | Requirements |
+|:------------|-------------------:|:-------------|
+| Ubuntu      |          12, 14, 16| -            |
+| Debian      |                7, 8| apptitude    |
+| CentOS      |                   5| yum-plugin-security, yum-changelog |
+| CentOS      |                6, 7| yum-plugin-security, yum-plugin-changelog |
+| Amazon      |                All | -            |
+| RHEL        |         4, 5, 6, 7 | -            |
+
+
+```
+$ vuls prepare -help
+prepare:
+        prepare [-config=/path/to/config.toml] [-debug]
+
+  -config string
+        /path/to/toml (default "$PWD/config.toml")
+  -debug
+        debug mode
+  -use-unattended-upgrades
+        [Deprecated] For Ubuntu, install unattended-upgrades
+```
+
+----
+
+# Utilisation : Scan
+
+```
+$ vuls scan -help
+scan:
+        scan
+                [-lang=en|ja]
+                [-config=/path/to/config.toml]
+                [-dbpath=/path/to/vuls.sqlite3]
+                [-cve-dictionary-url=http://127.0.0.1:1323]
+                [-cvss-over=7]
+                [-report-slack]
+                [-report-mail]
+                [-http-proxy=http://192.168.0.1:8080]
+                [-debug]
+                [-debug-sql]
+  -config string
+        /path/to/toml (default "$PWD/config.toml")
+  -cve-dictionary-url string
+        http://CVE.Dictionary (default "http://127.0.0.1:1323")
+  -cvss-over float
+        -cvss-over=6.5 means reporting CVSS Score 6.5 and over (default: 0 (means report all))
+  -dbpath string
+        /path/to/sqlite3 (default "$PWD/vuls.sqlite3")
+  -debug
+        debug mode
+  -debug-sql
+        SQL debug mode
+  -http-proxy string
+        http://proxy-url:port (default: empty)
+  -lang string
+        [en|ja] (default "en")
+  -report-mail
+        Email report
+  -report-slack
+        Slack report
+  -use-unattended-upgrades
+        [Deprecated] For Ubuntu. Scan by unattended-upgrades or not (use apt-get upgrade --dry-run by default)
+  -use-yum-plugin-security
+        [Deprecated] For CentOS 5. Scan by yum-plugin-security or not (use yum check-update by default)
+
+```
+
+## exemple
+
+Lancez go-cve-dictionary en mode serveur avant de lancer un scan
+```
+$ go-cve-dictionary server
+```
+
+### Scan tous les serveurs identifiés dans le fichier de configuration
+```
+$ vuls scan --report-slack --report-mail --cvss-over=7
+```
+Via cette simple commande Vuls va : ..
+- Scanner tous les serveurs identifiés dans le fichier de configuration
+- Envoyer les résultas du scan à slack et par email
+- Ne rapporter que les CVE dont la note CVSS est au dessus de 7
+- Afficher les résultats du scan dans le terminal
+
+### Scan de serveurs spécifiques
+```
+$ vuls scan server1 server2
+```
+Via cette simple commande Vuls va : ..
+- Scanner seulement 2 serveurs. (server1, server2)
+- Afficher les résultats du scan dans le terminal
+
+----
+
+# Utilisation : Recherche de vulnérabilités sur des paquets non compris dans l'OS
+
+Il est possible de détecter des vulnérabilités sur des programmes que vous avez compilés, des lors que les libraries et frameworks ont été enregistré dans [CPE](https://nvd.nist.gov/cpe.cfm).
+
+-  Comment rechercher dans CPE via le nom du programme
+    - [NVD: Search Common Platform Enumerations (CPE)](https://web.nvd.nist.gov/view/cpe/search)  
+    **Check CPE Naming Format: 2.2**
+
+- Configuration  
+Pour détecter des vulnérabilités sur Ruby on Rails v4.2.1, cpeNames doit etre déclaré dans la section servers.
+    ```
+    [servers]
+
+    [servers.172-31-4-82]
+    host         = "172.31.4.82"
+    user        = "ec2-user"
+    keyPath     = "/home/username/.ssh/id_rsa"
+    cpeNames = [
+      "cpe:/a:rubyonrails:ruby_on_rails:4.2.1",
+    ]
+    ```
+
+# Utilisation : Mise à jour des données NVD.
+
+```
+$ go-cve-dictionary fetchnvd -h
+fetchnvd:
+        fetchnvd
+                [-last2y]
+                [-dbpath=/path/to/cve.sqlite3]
+                [-debug]
+                [-debug-sql]
+
+  -dbpath string
+        /path/to/sqlite3 (default "$PWD/cve.sqlite3")
+  -debug
+        debug mode
+  -debug-sql
+        SQL debug mode
+  -last2y
+        Refresh NVD data in the last two years.
+```
+
+- Récupérer toutes les données jusqu'à aujourd'hui
+
+```
+$ go-cve-dictionary fetchnvd -entire
+```
+
+- Reçupérer les données des 2 denières années
+
+```
+$ go-cve-dictionary fetchnvd -last2y
+```
+
+----
+
+# Misc
+
+- HTTP Proxy Support  
+If your system is behind HTTP proxy, you have to specify --http-proxy option.
+
+- How to Daemonize go-cve-dictionary  
+Use Systemd, Upstart or supervisord, daemontools...
+
+- How to Enable Automatic-Update of Vunerability Data.  
+Use job scheduler like Cron (with -last2y option).
+
+- How to cross compile
+    ```bash
+    $ cd /path/to/your/local-git-reporsitory/vuls
+    $ GOOS=linux GOARCH=amd64 go build -o vuls.amd64
+    ```
+
+- Logging  
+Log wrote to under /var/log/vuls/
+
+- Debug  
+Run with --debug, --sql-debug option.
+
+- Ajusting Open File Limit  
+[Riak docs](http://docs.basho.com/riak/latest/ops/tuning/open-files-limit/) is awesome.
+
+- Does Vuls accept ssh connections with fish-shell or old zsh as the login shell?  
+No, Vuls needs a user on the server for bash login. see also [#8](/../../issues/8)
+
+- Windows  
+Use Microsoft Baseline Security Analyzer. [MBSA](https://technet.microsoft.com/en-us/security/cc184924.aspx)
+
+----
+
+# Data Source
+
+- [NVD](https://nvd.nist.gov/)
+- [JVN(Japanese)](http://jvndb.jvn.jp/apis/myjvn/)
+
+
+# Authors
+
+kotakanbe ([@kotakanbe](https://twitter.com/kotakanbe)) created vuls and [these fine people](https://github.com/future-architect/vuls/graphs/contributors) have contributed.
+
+----
+
+# Contribute
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request
+
+----
+
+# Change Log
+
+Please see [CHANGELOG](https://github.com/future-architect/vuls/blob/master/CHANGELOG.md).
+
+----
+
+# Licence
+
+Please see [LICENSE](https://github.com/future-architect/vuls/blob/master/LICENSE).
+
+
+[![Bitdeli Badge](https://d2weczhvl823v0.cloudfront.net/future-architect/vuls/trend.png)](https://bitdeli.com/free "Bitdeli Badge")
+
+

README.md

@@ -8,6 +8,7 @@ Vulnerability scanner for Linux, agentless, written in golang.
 We have a slack team. [Join slack team](http://goo.gl/forms/xm5KFo35tu)  
 
 [README in Japanese](https://github.com/future-architect/vuls/blob/master/README.ja.md)  
+[README in French](https://github.com/future-architect/vuls/blob/master/README.fr.md)  
 
 [![asciicast](https://asciinema.org/a/3y9zrf950agiko7klg8abvyck.png)](https://asciinema.org/a/3y9zrf950agiko7klg8abvyck)
 
@@ -78,17 +79,15 @@ This can be done in the following steps.
 ## Step1. Launch Amazon Linux
 
 - We are using the old AMI (amzn-ami-hvm-2015.09.1.x86_64-gp2 - ami-383c1956) for this example
-- Instance size: t2.medium
-    - For the first time, t2.medium and above is required for the data fetch from NVD(about 2.3GB of memory needed)
-    - You can switch to t2.nano after the initial data fetch.
 - Add the following to the cloud-init, to avoid auto-update at the first launch.
 
-    - [Q: How do I disable the automatic installation of critical and important security updates on initial launch?](https://aws.amazon.com/amazon-linux-ami/faqs/?nc1=h_ls)
     ```
     #cloud-config
     repo_upgrade: none
     ```
 
+    - [Q: How do I disable the automatic installation of critical and important security updates on initial launch?](https://aws.amazon.com/amazon-linux-ami/faqs/?nc1=h_ls)
+    
 ## Step2. SSH setting
 
 This is required to ssh to itself.
@@ -104,7 +103,7 @@ $ chmod 600 ~/.ssh/authorized_keys
 
 Vuls requires the following packages.
 
-- sqlite
+- SQLite3
 - git
 - gcc
 - go v1.6
@@ -141,18 +140,17 @@ $ sudo chmod 700 /var/log/vuls
 $ go get github.com/kotakanbe/go-cve-dictionary
 ```
 
-Start go-cve-dictionary as server mode.  
-For the first time, go-cve-dictionary fetches vulnerability data from NVD.  
+Fetch vulnerability data from NVD.  
 It takes about 10 minutes (on AWS).  
 
 ```bash
-$ go-cve-dictionary server
-... Fetching ...
+$ for i in {2002..2016}; do go-cve-dictionary fetchnvd -years $i; done
+... snip ...
 $ ls -alh cve.sqlite3
 -rw-r--r-- 1 ec2-user ec2-user 7.0M Mar 24 13:20 cve.sqlite3
 ```
 
-Now we successfully collected vulnerbility data, then start as server mode again.
+Now we successfully collected vulnerbility data, then start as server.  
 ```bash
 $ go-cve-dictionary server
 [Mar 24 15:21:55]  INFO Opening DB. datafile: /home/ec2-user/cve.sqlite3
@@ -190,6 +188,7 @@ keyPath     = "/home/ec2-user/.ssh/id_rsa"
 ```
 $ vuls prepare
 ```
+see [Usage: Prepare](https://github.com/future-architect/vuls#usage-prepare)
 
 ## Step8. Start Scanning
 
@@ -235,14 +234,20 @@ $ vuls tui
 ![Vuls-TUI](img/hello-vuls-tui.png)
 
 
+----
+
+# Hello Vuls in a docker container
+
+see https://github.com/future-architect/vuls/tree/master/docker
+
 ----
 
 # Architecture
 
 ![Vuls-Architecture](img/vuls-architecture.png)
 
-## go-cve-dictinary  
-- Fetch vulnerability information from NVD, JVN(Japanese), then insert into SQLite.
+## [go-cve-dictinary](https://github.com/kotakanbe/go-cve-dictionary)  
+- Fetch vulnerability information from NVD, JVN(Japanese), then insert into SQLite3.
 
 ## Vuls
 - Scan vulnerabilities on the servers and create a list of the CVE ID
@@ -316,9 +321,7 @@ subjectPrefix = "[vuls]"
 [default]
 #port        = "22"
 #user        = "username"
-#password    = "password"
 #keyPath     = "/home/username/.ssh/id_rsa"
-#keyPassword = "password"
 
 [servers]
 
@@ -326,9 +329,7 @@ subjectPrefix = "[vuls]"
 host         = "172.31.4.82"
 #port        = "22"
 #user        = "root"
-#password    = "password"
 #keyPath     = "/home/username/.ssh/id_rsa"
-#keyPassword = "password"
 #cpeNames = [
 #  "cpe:/a:rubyonrails:ruby_on_rails:4.2.1",
 #]
@@ -396,9 +397,7 @@ You can customize your configuration using this template.
     [default]
     #port        = "22"
     #user        = "username"
-    #password    = "password"
     #keyPath     = "/home/username/.ssh/id_rsa"
-    #keyPassword = "password"
     ```
     Items of the default section will be used if not specified.
 
@@ -410,9 +409,7 @@ You can customize your configuration using this template.
     host         = "172.31.4.82"
     #port        = "22"
     #user        = "root"
-    #password    = "password"
     #keyPath     = "/home/username/.ssh/id_rsa"
-    #keyPassword = "password"
     #cpeNames = [
     #  "cpe:/a:rubyonrails:ruby_on_rails:4.2.1",
     #]
@@ -432,7 +429,7 @@ Prepare subcommand installs required packages on each server.
 | Distribution|            Release | Requirements |
 |:------------|-------------------:|:-------------|
 | Ubuntu      |          12, 14, 16| -            |
-| Debian      |                7, 8| apptitude    |
+| Debian      |                7, 8| aptitude     |
 | CentOS      |                   5| yum-plugin-security, yum-changelog |
 | CentOS      |                6, 7| yum-plugin-security, yum-plugin-changelog |
 | Amazon      |                All | -            |
@@ -441,9 +438,15 @@ Prepare subcommand installs required packages on each server.
 
 ```
 $ vuls prepare -help
-prepare:
-        prepare [-config=/path/to/config.toml] [-debug]
+prepare
+                        [-config=/path/to/config.toml] [-debug]
+                        [-ask-sudo-password]
+                        [-ask-key-password]
 
+  -ask-key-password
+        Ask ssh privatekey password before scanning
+  -ask-sudo-password
+        Ask sudo password of target servers before scanning
   -config string
         /path/to/toml (default "$PWD/config.toml")
   -debug
@@ -457,6 +460,7 @@ prepare:
 # Usage: Scan
 
 ```
+
 $ vuls scan -help
 scan:
         scan
@@ -468,8 +472,14 @@ scan:
                 [-report-slack]
                 [-report-mail]
                 [-http-proxy=http://192.168.0.1:8080]
+                [-ask-sudo-password]
+                [-ask-key-password]
                 [-debug]
                 [-debug-sql]
+  -ask-key-password
+        Ask ssh privatekey password before scanning
+  -ask-sudo-password
+        Ask sudo password of target servers before scanning
   -config string
         /path/to/toml (default "$PWD/config.toml")
   -cve-dictionary-url string
@@ -497,6 +507,21 @@ scan:
 
 ```
 
+## ask-key-password option 
+
+| SSH key password |  -ask-key-password | |
+|:-----------------|:-------------------|:----|
+| empty password   |                 -  | |
+| with password    |           required | or use ssh-agent |
+
+## ask-sudo-password option
+
+| sudo password on target servers | -ask-sudo-password | |
+|:-----------------|:-------|:------|
+| NOPASSWORD       | - | defined as NOPASSWORD in /etc/sudoers on target servers |
+| with password    | required | . |
+
+
 ## example
 
 Run go-cve-dictionary as server mode before scanning.
@@ -506,9 +531,10 @@ $ go-cve-dictionary server
 
 ### Scan all servers defined in config file
 ```
-$ vuls scan --report-slack --report-mail --cvss-over=7
+$ vuls scan --report-slack --report-mail --cvss-over=7 -ask-sudo-password -ask-key-password
 ```
 With this sample command, it will ..
+- Ask sudo password and ssh key passsword before scanning
 - Scan all servers defined in config file
 - Send scan results to slack and email
 - Only Report CVEs that CVSS score is over 7
@@ -519,7 +545,9 @@ With this sample command, it will ..
 $ vuls scan server1 server2
 ```
 With this sample command, it will ..
-- Scan only 2 servers. (server1, server2)
+- Use SSH Key-Based authentication with empty password (without -ask-key-password option)
+- Sudo with no password (without -ask-sudo-password option)
+- Scan only 2 servers (server1, server2)
 - Print scan result to terminal
 
 ----
@@ -532,6 +560,9 @@ It is possible to detect vulnerabilities something you compiled by yourself, the
     - [NVD: Search Common Platform Enumerations (CPE)](https://web.nvd.nist.gov/view/cpe/search)  
     **Check CPE Naming Format: 2.2**
 
+    - [go-cpe-dictionary](https://github.com/kotakanbe/go-cpe-dictionary) is a good choice for geeks.   
+    You can search a CPE name by the application name incremenally.
+
 - Configuration  
 To detect the vulnerbility of Ruby on Rails v4.2.1, cpeNames needs to be set in the servers section.
     ```
@@ -589,9 +620,14 @@ If your system is behind HTTP proxy, you have to specify --http-proxy option.
 - How to Daemonize go-cve-dictionary  
 Use Systemd, Upstart or supervisord, daemontools...
 
-- How to update vulnerability data automatically.
+- How to Enable Automatic-Update of Vunerability Data.  
 Use job scheduler like Cron (with -last2y option).
 
+- How to Enable Automatic-Scan.  
+Use job scheduler like Cron.  
+Set NOPASSWORD option in /etc/sudoers on target servers.  
+Use SSH Key-Based Authentication with empty password or ssh-agent.
+
 - How to cross compile
     ```bash
     $ cd /path/to/your/local-git-reporsitory/vuls
@@ -607,6 +643,9 @@ Run with --debug, --sql-debug option.
 - Ajusting Open File Limit  
 [Riak docs](http://docs.basho.com/riak/latest/ops/tuning/open-files-limit/) is awesome.
 
+- Does Vuls accept ssh connections with fish-shell or old zsh as the login shell?  
+No, Vuls needs a user on the server for bash login. see also [#8](/../../issues/8)
+
 - Windows  
 Use Microsoft Baseline Security Analyzer. [MBSA](https://technet.microsoft.com/en-us/security/cc184924.aspx)
 

commands/cmdutil.go

@@ -0,0 +1,21 @@
+package commands
+
+import (
+	"fmt"
+
+	"github.com/howeyc/gopass"
+)
+
+func getPasswd(prompt string) (string, error) {
+	for {
+		fmt.Print(prompt)
+		pass, err := gopass.GetPasswdMasked()
+		if err != nil {
+			return "", fmt.Errorf("Failed to read password")
+		}
+		if 0 < len(pass) {
+			return string(pass[:]), nil
+		}
+	}
+
+}

commands/discover.go

@@ -111,9 +111,7 @@ subjectPrefix = "[vuls]"
 [default]
 #port        = "22"
 #user        = "username"
-#password    = "password"
 #keyPath     = "/home/username/.ssh/id_rsa"
-#keyPassword = "password"
 
 [servers]
 {{- $names:=  .Names}}
@@ -122,9 +120,7 @@ subjectPrefix = "[vuls]"
 host         = "{{$ip}}"
 #port        = "22"
 #user        = "root"
-#password    = "password"
 #keyPath     = "/home/username/.ssh/id_rsa"
-#keyPassword = "password"
 #cpeNames = [
 #  "cpe:/a:rubyonrails:ruby_on_rails:4.2.1",
 #]

commands/prepare.go

@@ -34,6 +34,9 @@ type PrepareCmd struct {
 	debug      bool
 	configPath string
 
+	askSudoPassword bool
+	askKeyPassword  bool
+
 	useUnattendedUpgrades bool
 }
 
@@ -55,7 +58,11 @@ func (*PrepareCmd) Synopsis() string {
 // Usage return usage
 func (*PrepareCmd) Usage() string {
 	return `prepare:
-	prepare [-config=/path/to/config.toml] [-debug]
+	prepare
+			[-config=/path/to/config.toml]
+			[-ask-sudo-password]
+			[-ask-key-password]
+			[-debug]
 
 `
 }
@@ -68,6 +75,20 @@ func (p *PrepareCmd) SetFlags(f *flag.FlagSet) {
 	defaultConfPath := os.Getenv("PWD") + "/config.toml"
 	f.StringVar(&p.configPath, "config", defaultConfPath, "/path/to/toml")
 
+	f.BoolVar(
+		&p.askKeyPassword,
+		"ask-key-password",
+		false,
+		"Ask ssh privatekey password before scanning",
+	)
+
+	f.BoolVar(
+		&p.askSudoPassword,
+		"ask-sudo-password",
+		false,
+		"Ask sudo password of target servers before scanning",
+	)
+
 	f.BoolVar(
 		&p.useUnattendedUpgrades,
 		"use-unattended-upgrades",
@@ -78,14 +99,30 @@ func (p *PrepareCmd) SetFlags(f *flag.FlagSet) {
 
 // Execute execute
 func (p *PrepareCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interface{}) subcommands.ExitStatus {
-	logrus.Infof("Start Preparing (config: %s)", p.configPath)
+	var keyPass, sudoPass string
+	var err error
+	if p.askKeyPassword {
+		prompt := "SSH key password: "
+		if keyPass, err = getPasswd(prompt); err != nil {
+			logrus.Error(err)
+			return subcommands.ExitFailure
+		}
+	}
+	if p.askSudoPassword {
+		prompt := "sudo password: "
+		if sudoPass, err = getPasswd(prompt); err != nil {
+			logrus.Error(err)
+			return subcommands.ExitFailure
+		}
+	}
 
-	err := c.Load(p.configPath)
+	err = c.Load(p.configPath, keyPass, sudoPass)
 	if err != nil {
 		logrus.Errorf("Error loading %s, %s", p.configPath, err)
 		return subcommands.ExitUsageError
 	}
 
+	logrus.Infof("Start Preparing (config: %s)", p.configPath)
 	target := make(map[string]c.ServerInfo)
 	for _, arg := range f.Args() {
 		found := false

commands/scan.go

@@ -45,12 +45,15 @@ type ScanCmd struct {
 	cvssScoreOver    float64
 	httpProxy        string
 
-	useYumPluginSecurity  bool
-	useUnattendedUpgrades bool
-
 	// reporting
 	reportSlack bool
 	reportMail  bool
+
+	askSudoPassword bool
+	askKeyPassword  bool
+
+	useYumPluginSecurity  bool
+	useUnattendedUpgrades bool
 }
 
 // Name return subcommand name
@@ -71,6 +74,8 @@ func (*ScanCmd) Usage() string {
 		[-report-slack]
 		[-report-mail]
 		[-http-proxy=http://192.168.0.1:8080]
+		[-ask-sudo-password]
+		[-ask-key-password]
 		[-debug]
 		[-debug-sql]
 `
@@ -111,6 +116,20 @@ func (p *ScanCmd) SetFlags(f *flag.FlagSet) {
 	f.BoolVar(&p.reportSlack, "report-slack", false, "Slack report")
 	f.BoolVar(&p.reportMail, "report-mail", false, "Email report")
 
+	f.BoolVar(
+		&p.askKeyPassword,
+		"ask-key-password",
+		false,
+		"Ask ssh privatekey password before scanning",
+	)
+
+	f.BoolVar(
+		&p.askSudoPassword,
+		"ask-sudo-password",
+		false,
+		"Ask sudo password of target servers before scanning",
+	)
+
 	f.BoolVar(
 		&p.useYumPluginSecurity,
 		"use-yum-plugin-security",
@@ -129,14 +148,30 @@ func (p *ScanCmd) SetFlags(f *flag.FlagSet) {
 
 // Execute execute
 func (p *ScanCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interface{}) subcommands.ExitStatus {
+	var keyPass, sudoPass string
+	var err error
+	if p.askKeyPassword {
+		prompt := "SSH key password: "
+		if keyPass, err = getPasswd(prompt); err != nil {
+			logrus.Error(err)
+			return subcommands.ExitFailure
+		}
+	}
+	if p.askSudoPassword {
+		prompt := "sudo password: "
+		if sudoPass, err = getPasswd(prompt); err != nil {
+			logrus.Error(err)
+			return subcommands.ExitFailure
+		}
+	}
 
-	logrus.Infof("Start scanning (config: %s)", p.configPath)
-	err := c.Load(p.configPath)
+	err = c.Load(p.configPath, keyPass, sudoPass)
 	if err != nil {
 		logrus.Errorf("Error loading %s, %s", p.configPath, err)
 		return subcommands.ExitUsageError
 	}
 
+	logrus.Infof("Start scanning (config: %s)", p.configPath)
 	target := make(map[string]c.ServerInfo)
 	for _, arg := range f.Args() {
 		found := false

config/jsonloader.go

@@ -24,6 +24,6 @@ type JSONLoader struct {
 }
 
 // Load load the configuraiton JSON file specified by path arg.
-func (c JSONLoader) Load(path string) (err error) {
+func (c JSONLoader) Load(path, sudoPass, keyPass string) (err error) {
 	return fmt.Errorf("Not implement yet")
 }

config/loader.go

@@ -18,16 +18,14 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 package config
 
 // Load loads configuration
-func Load(path string) error {
-
-	//TODO if path's suffix .toml
+func Load(path, keyPass, sudoPass string) error {
 	var loader Loader
 	loader = TOMLLoader{}
 
-	return loader.Load(path)
+	return loader.Load(path, keyPass, sudoPass)
 }
 
 // Loader is interface of concrete loader
 type Loader interface {
-	Load(string) error
+	Load(string, string, string) error
 }

config/tomlloader.go

@@ -31,7 +31,7 @@ type TOMLLoader struct {
 }
 
 // Load load the configuraiton TOML file specified by path arg.
-func (c TOMLLoader) Load(pathToToml string) (err error) {
+func (c TOMLLoader) Load(pathToToml, keyPass, sudoPass string) (err error) {
 	var conf Config
 	if _, err := toml.DecodeFile(pathToToml, &conf); err != nil {
 		log.Error("Load config failed", err)
@@ -45,14 +45,28 @@ func (c TOMLLoader) Load(pathToToml string) (err error) {
 	Conf.Default = d
 	servers := make(map[string]ServerInfo)
 
+	if keyPass != "" {
+		d.KeyPassword = keyPass
+	}
+
+	if sudoPass != "" {
+		d.Password = sudoPass
+	}
+
 	i := 0
 	for name, v := range conf.Servers {
+
+		if 0 < len(v.KeyPassword) || 0 < len(v.Password) {
+			log.Warn("[Depricated] password and keypassword in config file are unsecure. Remove them immediately for a security reason. They will be removed in a future release.")
+		}
+
 		s := ServerInfo{ServerName: name}
 		s.User = v.User
 		if s.User == "" {
 			s.User = d.User
 		}
 
+		//  s.Password = sudoPass
 		s.Password = v.Password
 		if s.Password == "" {
 			s.Password = d.Password
@@ -76,6 +90,7 @@ func (c TOMLLoader) Load(pathToToml string) (err error) {
 			}
 		}
 
+		//  s.KeyPassword = keyPass
 		s.KeyPassword = v.KeyPassword
 		if s.KeyPassword == "" {
 			s.KeyPassword = d.KeyPassword

cveapi/cve_client.go

@@ -131,7 +131,8 @@ func (api cvedictClient) httpGet(key, url string, resChan chan<- response, errCh
 	var errs []error
 	var resp *http.Response
 	f := func() (err error) {
-		resp, body, errs = gorequest.New().SetDebug(config.Conf.Debug).Get(url).End()
+		//  resp, body, errs = gorequest.New().SetDebug(config.Conf.Debug).Get(url).End()
+		resp, body, errs = gorequest.New().Get(url).End()
 		if len(errs) > 0 || resp.StatusCode != 200 {
 			return fmt.Errorf("HTTP GET error: %v, code: %d, url: %s", errs, resp.StatusCode, url)
 		}

docker/Dockerfile

@@ -0,0 +1,14 @@
+FROM golang:1.6
+RUN apt-get update \
+    && apt-get upgrade -y \
+    && apt-get install -y git openssh-client gcc
+WORKDIR /app
+RUN go get github.com/kotakanbe/go-cve-dictionary
+RUN go get github.com/future-architect/vuls
+COPY fetch.sh .
+RUN /bin/bash /app/fetch.sh
+COPY config.toml .
+COPY run.sh .
+ENTRYPOINT ["/bin/bash", "/app/run.sh"]
+COPY id_rsa .
+COPY id_rsa.pub .

docker/README.md

@@ -0,0 +1,2 @@
+# Must do
+* Edit your config.toml to match your infrastructure

docker/config.toml

@@ -0,0 +1 @@
+

docker/fetch.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+ for i in {2002..2016}; do go-cve-dictionary fetchnvd -years $i ; done

docker/id_rsa

@@ -0,0 +1 @@
+

docker/id_rsa.pub

@@ -0,0 +1 @@
+

docker/run.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+go-cve-dictionary server &
+sleep 2
+vuls scan -config /app/config.toml -report-slack

scan/redhat.go

@@ -129,6 +129,7 @@ func (o *redhat) installYumPluginSecurity() error {
 		return nil
 	}
 
+	o.log.Info("Installing yum-plugin-security...")
 	cmd := util.PrependProxyEnv("yum install -y yum-plugin-security")
 	if r := o.ssh(cmd, sudo); !r.isSuccess() {
 		return fmt.Errorf(
@@ -139,7 +140,6 @@ func (o *redhat) installYumPluginSecurity() error {
 }
 
 func (o *redhat) installYumChangelog() error {
-	o.log.Info("Installing yum-plugin-security...")
 
 	if o.Family == "centos" {
 		var majorVersion int
@@ -164,6 +164,7 @@ func (o *redhat) installYumChangelog() error {
 			return nil
 		}
 
+		o.log.Infof("Installing %s...", packName)
 		cmd = util.PrependProxyEnv("yum install -y " + packName)
 		if r := o.ssh(cmd, sudo); !r.isSuccess() {
 			return fmt.Errorf(
@@ -245,7 +246,7 @@ func (o *redhat) scanInstalledPackages() (installedPackages models.PackageInfoLi
 		for _, line := range lines {
 			if trimed := strings.TrimSpace(line); len(trimed) != 0 {
 				var packinfo models.PackageInfo
-				if packinfo, err = o.parseScanedPackagesLine(line); err != nil {
+				if packinfo, err = o.parseScannedPackagesLine(line); err != nil {
 					return
 				}
 				installedPackages = append(installedPackages, packinfo)
@@ -259,17 +260,17 @@ func (o *redhat) scanInstalledPackages() (installedPackages models.PackageInfoLi
 		r.ExitStatus, r.Stdout, r.Stderr)
 }
 
-func (o *redhat) parseScanedPackagesLine(line string) (pack models.PackageInfo, err error) {
-	re, _ := regexp.Compile(`^([^\t']+)\t([^\t]+)\t(.+)$`)
-	result := re.FindStringSubmatch(line)
-	if len(result) == 4 {
-		pack.Name = result[1]
-		pack.Version = result[2]
-		pack.Release = strings.TrimSpace(result[3])
-	} else {
-		err = fmt.Errorf("redhat: Failed to parse package line: %s", line)
+func (o *redhat) parseScannedPackagesLine(line string) (models.PackageInfo, error) {
+	fields := strings.Fields(line)
+	if len(fields) != 3 {
+		return models.PackageInfo{},
+			fmt.Errorf("Failed to parse package line: %s", line)
 	}
-	return
+	return models.PackageInfo{
+		Name:    fields[0],
+		Version: fields[1],
+		Release: fields[2],
+	}, nil
 }
 
 func (o *redhat) scanUnsecurePackages() ([]CvePacksInfo, error) {
@@ -300,7 +301,7 @@ func (o *redhat) scanUnsecurePackagesUsingYumCheckUpdate() (CvePacksList, error)
 	if err != nil {
 		return nil, fmt.Errorf("Failed to parse %s. err: %s", cmd, err)
 	}
-	o.log.Debugf("%s", pp.Sprintf("%s", packInfoList))
+	o.log.Debugf("%s", pp.Sprintf("%v", packInfoList))
 
 	// Collect CVE-IDs in changelog
 	type PackInfoCveIDs struct {
@@ -311,7 +312,7 @@ func (o *redhat) scanUnsecurePackagesUsingYumCheckUpdate() (CvePacksList, error)
 	for i, packInfo := range packInfoList {
 		changelog, err := o.getChangelog(packInfo.Name)
 		if err != nil {
-			o.log.Errorf("Failed to collect CVE. err: %s", err)
+			o.log.Errorf("Failed to collect CVE IDs. err: %s", err)
 			return nil, err
 		}
 
@@ -409,16 +410,20 @@ func (o *redhat) parseYumCheckUpdateLines(stdout string) (results models.Package
 			continue
 		}
 		if needToParse {
+			if strings.HasPrefix(line, "Obsoleting") {
+				continue
+			}
 			candidate, err := o.parseYumCheckUpdateLine(line)
 			if err != nil {
-				return models.PackageInfoList{}, err
+				return results, err
 			}
 
 			installed, found := o.Packages.FindByName(candidate.Name)
 			if !found {
-				return models.PackageInfoList{}, fmt.Errorf(
-					"Failed to parse yum check update line: %s-%s-%s",
+				o.log.Warnf("Not found the package in rpm -qa. candidate: %s-%s-%s",
 					candidate.Name, candidate.Version, candidate.Release)
+				results = append(results, candidate)
+				continue
 			}
 			installed.NewVersion = candidate.NewVersion
 			installed.NewRelease = candidate.NewRelease
@@ -455,7 +460,10 @@ func (o *redhat) parseYumCheckUpdateLine(line string) (models.PackageInfo, error
 }
 
 func (o *redhat) getChangelog(packageNames string) (stdout string, err error) {
-	command := "echo N | "
+	command := ""
+	if o.ServerInfo.User == "root" {
+		command = "yes no | "
+	}
 	if 0 < len(config.Conf.HTTPProxy) {
 		command += util.ProxyEnv()
 	}
@@ -504,7 +512,8 @@ func (o *redhat) scanUnsecurePackagesUsingYumPluginSecurity() (CvePacksList, err
 	advIDPackNamesList, err := o.parseYumUpdateinfoListAvailable(r.Stdout)
 
 	// get package name, version, rel to be upgrade.
-	cmd = "yum check-update --security"
+	//  cmd = "yum check-update --security"
+	cmd = "yum check-update"
 	r = o.ssh(util.PrependProxyEnv(cmd), sudo)
 	if !r.isSuccess(0, 100) {
 		//returns an exit code of 100 if there are available updates.
@@ -512,26 +521,17 @@ func (o *redhat) scanUnsecurePackagesUsingYumPluginSecurity() (CvePacksList, err
 			"Failed to %s. status: %d, stdout: %s, stderr: %s",
 			cmd, r.ExitStatus, r.Stdout, r.Stderr)
 	}
-	vulnerablePackInfoList, err := o.parseYumCheckUpdateLines(r.Stdout)
+	updatable, err := o.parseYumCheckUpdateLines(r.Stdout)
 	if err != nil {
 		return nil, fmt.Errorf("Failed to parse %s. err: %s", cmd, err)
 	}
-	o.log.Debugf("%s", pp.Sprintf("%v", vulnerablePackInfoList))
-	for i, packInfo := range vulnerablePackInfoList {
-		installedPack, found := o.Packages.FindByName(packInfo.Name)
-		if !found {
-			return nil, fmt.Errorf(
-				"Parsed package not found. packInfo: %#v", packInfo)
-		}
-		vulnerablePackInfoList[i].Version = installedPack.Version
-		vulnerablePackInfoList[i].Release = installedPack.Release
-	}
+	o.log.Debugf("%s", pp.Sprintf("%v", updatable))
 
 	dict := map[string][]models.PackageInfo{}
 	for _, advIDPackNames := range advIDPackNamesList {
 		packInfoList := models.PackageInfoList{}
 		for _, packName := range advIDPackNames.PackNames {
-			packInfo, found := vulnerablePackInfoList.FindByName(packName)
+			packInfo, found := updatable.FindByName(packName)
 			if !found {
 				return nil, fmt.Errorf(
 					"PackInfo not found. packInfo: %#v", packName)

scan/redhat_test.go

@@ -48,10 +48,18 @@ func TestParseScanedPackagesLineRedhat(t *testing.T) {
 				Release: "30.el6.11",
 			},
 		},
+		{
+			"Percona-Server-shared-56 5.6.19 rel67.0.el6",
+			models.PackageInfo{
+				Name:    "Percona-Server-shared-56",
+				Version: "5.6.19",
+				Release: "rel67.0.el6",
+			},
+		},
 	}
 
 	for _, tt := range packagetests {
-		p, _ := r.parseScanedPackagesLine(tt.in)
+		p, _ := r.parseScannedPackagesLine(tt.in)
 		if p.Name != tt.pack.Name {
 			t.Errorf("name: expected %s, actual %s", tt.pack.Name, p.Name)
 		}
@@ -556,7 +564,11 @@ Loading mirror speeds from cached hostfile
 
 audit-libs.x86_64              2.3.7-5.el6                   base
 bash.x86_64                    4.1.2-33.el6_7.1              updates
-	`
+Obsoleting Packages
+python-libs.i686    2.6.6-64.el6   rhui-REGION-rhel-server-releases
+    python-ordereddict.noarch     1.1-3.el6ev    installed
+`
+
 	r.Packages = []models.PackageInfo{
 		{
 			Name:    "audit-libs",
@@ -568,6 +580,16 @@ bash.x86_64                    4.1.2-33.el6_7.1              updates
 			Version: "4.1.1",
 			Release: "33",
 		},
+		{
+			Name:    "python-libs",
+			Version: "2.6.0",
+			Release: "1.1-0",
+		},
+		{
+			Name:    "python-ordereddict",
+			Version: "1.0",
+			Release: "1",
+		},
 	}
 	var tests = []struct {
 		in  string
@@ -590,6 +612,20 @@ bash.x86_64                    4.1.2-33.el6_7.1              updates
 					NewVersion: "4.1.2",
 					NewRelease: "33.el6_7.1",
 				},
+				{
+					Name:       "python-libs",
+					Version:    "2.6.0",
+					Release:    "1.1-0",
+					NewVersion: "2.6.6",
+					NewRelease: "64.el6",
+				},
+				{
+					Name:       "python-ordereddict",
+					Version:    "1.0",
+					Release:    "1",
+					NewVersion: "1.1",
+					NewRelease: "3.el6ev",
+				},
 			},
 		},
 	}
@@ -774,39 +810,6 @@ updateinfo list done`
 	}
 }
 
-func TestParseYumUpdateinfoToGetUpdateID(t *testing.T) {
-
-	r := newRedhat(config.ServerInfo{})
-
-	var packagetests = []struct {
-		in   string
-		pack models.PackageInfo
-	}{
-		{
-			"openssl	1.0.1e	30.el6.11",
-			models.PackageInfo{
-				Name:    "openssl",
-				Version: "1.0.1e",
-				Release: "30.el6.11",
-			},
-		},
-	}
-
-	for _, tt := range packagetests {
-		p, _ := r.parseScanedPackagesLine(tt.in)
-		if p.Name != tt.pack.Name {
-			t.Errorf("name: expected %s, actual %s", tt.pack.Name, p.Name)
-		}
-		if p.Version != tt.pack.Version {
-			t.Errorf("version: expected %s, actual %s", tt.pack.Version, p.Version)
-		}
-		if p.Release != tt.pack.Release {
-			t.Errorf("release: expected %s, actual %s", tt.pack.Release, p.Release)
-		}
-	}
-
-}
-
 func TestExtractPackNameVerRel(t *testing.T) {
 	r := newRedhat(config.ServerInfo{})
 	var tests = []struct {

scan/serverapi.go

@@ -7,7 +7,6 @@ import (
 	"github.com/Sirupsen/logrus"
 	"github.com/future-architect/vuls/config"
 	"github.com/future-architect/vuls/models"
-	"github.com/k0kubun/pp"
 	cve "github.com/kotakanbe/go-cve-dictionary/models"
 )
 
@@ -110,8 +109,6 @@ func InitServers(localLogger *logrus.Entry) (err error) {
 	Log = localLogger
 	if servers, err = detectServersOS(); err != nil {
 		err = fmt.Errorf("Failed to detect the type of OS. err: %s", err)
-	} else {
-		Log.Debugf("%s", pp.Sprintf("%s", servers))
 	}
 	return
 }

scan/sshutil.go

@@ -137,7 +137,8 @@ func sshExec(c conf.ServerInfo, cmd string, sudo bool, log ...*logrus.Entry) (re
 	// set pipefail option.
 	// http://unix.stackexchange.com/questions/14270/get-exit-status-of-process-thats-piped-to-another
 	cmd = fmt.Sprintf("set -o pipefail; %s", cmd)
-	logger.Debugf("Command: %s", strings.Replace(cmd, "\n", "", -1))
+	logger.Debugf("Command: %s",
+		strings.Replace(maskPassword(cmd, c.Password), "\n", "", -1))
 
 	var client *ssh.Client
 	client, err = sshConnect(c)
@@ -189,7 +190,7 @@ func sshExec(c conf.ServerInfo, cmd string, sudo bool, log ...*logrus.Entry) (re
 
 	logger.Debugf(
 		"SSH executed. cmd: %s, status: %#v\nstdout: \n%s\nstderr: \n%s",
-		cmd, err, result.Stdout, result.Stderr)
+		maskPassword(cmd, c.Password), err, result.Stdout, result.Stderr)
 
 	return
 }
@@ -225,7 +226,8 @@ func sshConnect(c conf.ServerInfo) (client *ssh.Client, err error) {
 
 	var auths = []ssh.AuthMethod{}
 	if auths, err = addKeyAuth(auths, c.KeyPath, c.KeyPassword); err != nil {
-		logrus.Fatalf("Failed to add keyAuth. err: %s", err)
+		logrus.Fatalf("Failed to add keyAuth. %s@%s:%s err: %s",
+			c.User, c.Host, c.Port, err)
 	}
 
 	if c.Password != "" {
@@ -237,12 +239,10 @@ func sshConnect(c conf.ServerInfo) (client *ssh.Client, err error) {
 		User: c.User,
 		Auth: auths,
 	}
-	//  log.Debugf("config: %s", pp.Sprintf("%v", config))
 
 	notifyFunc := func(e error, t time.Duration) {
-		logrus.Warnf("Failed to ssh %s@%s:%s. err: %s, Retrying in %s...",
+		logrus.Warnf("Failed to ssh %s@%s:%s err: %s, Retrying in %s...",
 			c.User, c.Host, c.Port, e, t)
-		logrus.Debugf("sshConInfo: %s", pp.Sprintf("%v", c))
 	}
 	err = backoff.RetryNotify(func() error {
 		if client, err = ssh.Dial("tcp", c.Host+":"+c.Port, config); err != nil {
@@ -309,3 +309,8 @@ func parsePemBlock(block *pem.Block) (interface{}, error) {
 		return nil, fmt.Errorf("rtop: unsupported key type %q", block.Type)
 	}
 }
+
+// ref golang.org/x/crypto/ssh/keys.go#ParseRawPrivateKey.
+func maskPassword(cmd, sudoPass string) string {
+	return strings.Replace(cmd, fmt.Sprintf("echo %s", sudoPass), "echo *****", -1)
+}

version.go

@@ -21,4 +21,4 @@ package main
 const Name string = "vuls"
 
 // Version of Vuls
-const Version string = "0.1.2"
+const Version string = "0.1.3"