fix(fast-root): affectedProcs, ports bug (#1067)

* change ignore loop back address on remote scan

* fix test case

* change append simple

* fix format

* set golangci-lint timeout

* Revert "set golangci-lint timeout"

This reverts commit 56b1c7089a.

scan/base.go

@@ -740,7 +740,7 @@ func (l *base) scanPorts() (err error) {
 	return nil
 }
 
-func (l *base) detectScanDest() []string {
+func (l *base) detectScanDest() map[string][]string {
 	scanIPPortsMap := map[string][]string{}
 
 	for _, p := range l.osPackages.Packages {
@@ -757,43 +757,47 @@ func (l *base) detectScanDest() []string {
 		}
 	}
 
-	scanDestIPPorts := []string{}
+	scanDestIPPorts := map[string][]string{}
 	for addr, ports := range scanIPPortsMap {
 		if addr == "*" {
 			for _, addr := range l.ServerInfo.IPv4Addrs {
-				for _, port := range ports {
-					scanDestIPPorts = append(scanDestIPPorts, addr+":"+port)
-				}
+				scanDestIPPorts[addr] = append(scanDestIPPorts[addr], ports...)
 			}
 		} else {
-			for _, port := range ports {
-				scanDestIPPorts = append(scanDestIPPorts, addr+":"+port)
-			}
+			scanDestIPPorts[addr] = append(scanDestIPPorts[addr], ports...)
 		}
 	}
 
-	m := map[string]bool{}
-	uniqScanDestIPPorts := []string{}
-	for _, e := range scanDestIPPorts {
-		if !m[e] {
-			m[e] = true
-			uniqScanDestIPPorts = append(uniqScanDestIPPorts, e)
+	uniqScanDestIPPorts := map[string][]string{}
+	for i, scanDest := range scanDestIPPorts {
+		m := map[string]bool{}
+		for _, e := range scanDest {
+			if !m[e] {
+				m[e] = true
+				uniqScanDestIPPorts[i] = append(uniqScanDestIPPorts[i], e)
+			}
 		}
 	}
 
 	return uniqScanDestIPPorts
 }
 
-func (l *base) execPortsScan(scanDestIPPorts []string) ([]string, error) {
+func (l *base) execPortsScan(scanDestIPPorts map[string][]string) ([]string, error) {
 	listenIPPorts := []string{}
 
-	for _, ipPort := range scanDestIPPorts {
-		conn, err := net.DialTimeout("tcp", ipPort, time.Duration(1)*time.Second)
-		if err != nil {
+	for ip, ports := range scanDestIPPorts {
+		if !isLocalExec(l.ServerInfo.Port, l.ServerInfo.Host) && net.ParseIP(ip).IsLoopback() {
 			continue
 		}
-		conn.Close()
-		listenIPPorts = append(listenIPPorts, ipPort)
+		for _, port := range ports {
+			scanDest := ip + ":" + port
+			conn, err := net.DialTimeout("tcp", scanDest, time.Duration(1)*time.Second)
+			if err != nil {
+				continue
+			}
+			conn.Close()
+			listenIPPorts = append(listenIPPorts, scanDest)
+		}
 	}
 
 	return listenIPPorts, nil
@@ -894,13 +898,13 @@ func (l *base) lsOfListen() (stdout string, err error) {
 	cmd := `lsof -i -P -n | grep LISTEN`
 	r := l.exec(util.PrependProxyEnv(cmd), sudo)
 	if !r.isSuccess(0, 1) {
-		return "", xerrors.Errorf("Failed to SSH: %s", r)
+		return "", xerrors.Errorf("Failed to lsof: %s", r)
 	}
 	return r.Stdout, nil
 }
 
-func (l *base) parseLsOf(stdout string) map[string]string {
-	portPid := map[string]string{}
+func (l *base) parseLsOf(stdout string) map[string][]string {
+	portPids := map[string][]string{}
 	scanner := bufio.NewScanner(strings.NewReader(stdout))
 	for scanner.Scan() {
 		ss := strings.Fields(scanner.Text())
@@ -908,9 +912,9 @@ func (l *base) parseLsOf(stdout string) map[string]string {
 			continue
 		}
 		pid, ipPort := ss[1], ss[8]
-		portPid[ipPort] = pid
+		portPids[ipPort] = util.AppendIfMissing(portPids[ipPort], pid)
 	}
-	return portPid
+	return portPids
 }
 
 func (l *base) parseListenPorts(port string) models.ListenPort {

scan/base_test.go

@@ -244,7 +244,7 @@ func Test_base_parseLsOf(t *testing.T) {
 	tests := []struct {
 		name        string
 		args        args
-		wantPortPid map[string]string
+		wantPortPid map[string][]string
 	}{
 		{
 			name: "lsof",
@@ -257,13 +257,34 @@ node       1498          ubuntu   21u  IPv6  20132      0t0  TCP *:35401 (LISTEN
 node       1498          ubuntu   22u  IPv6  20133      0t0  TCP *:44801 (LISTEN)
 docker-pr  9135            root    4u  IPv6 297133      0t0  TCP *:6379 (LISTEN)`,
 			},
-			wantPortPid: map[string]string{
-				"localhost:53": "474",
-				"*:22":         "644",
-				"*:3128":       "959",
-				"*:35401":      "1498",
-				"*:44801":      "1498",
-				"*:6379":       "9135",
+			wantPortPid: map[string][]string{
+				"localhost:53": {"474"},
+				"*:22":         {"644"},
+				"*:3128":       {"959"},
+				"*:35401":      {"1498"},
+				"*:44801":      {"1498"},
+				"*:6379":       {"9135"},
+			},
+		},
+		{
+			name: "lsof-duplicate-port",
+			args: args{
+				stdout: `sshd      832   root    3u  IPv4  15731      0t0  TCP *:22 (LISTEN)
+sshd      832   root    4u  IPv6  15740      0t0  TCP *:22 (LISTEN)
+master   1099   root   13u  IPv4  16657      0t0  TCP 127.0.0.1:25 (LISTEN)
+master   1099   root   14u  IPv6  16658      0t0  TCP [::1]:25 (LISTEN)
+httpd   32250   root    4u  IPv6 334982      0t0  TCP *:80 (LISTEN)
+httpd   32251 apache    4u  IPv6 334982      0t0  TCP *:80 (LISTEN)
+httpd   32252 apache    4u  IPv6 334982      0t0  TCP *:80 (LISTEN)
+httpd   32253 apache    4u  IPv6 334982      0t0  TCP *:80 (LISTEN)
+httpd   32254 apache    4u  IPv6 334982      0t0  TCP *:80 (LISTEN)
+httpd   32255 apache    4u  IPv6 334982      0t0  TCP *:80 (LISTEN)`,
+			},
+			wantPortPid: map[string][]string{
+				"*:22":         {"832"},
+				"127.0.0.1:25": {"1099"},
+				"[::1]:25":     {"1099"},
+				"*:80":         {"32250", "32251", "32252", "32253", "32254", "32255"},
 			},
 		},
 	}
@@ -281,7 +302,7 @@ func Test_detectScanDest(t *testing.T) {
 	tests := []struct {
 		name   string
 		args   base
-		expect []string
+		expect map[string][]string
 	}{
 		{
 			name: "empty",
@@ -292,7 +313,7 @@ func Test_detectScanDest(t *testing.T) {
 					NewVersion: "7.64.0-4+deb10u1",
 				}},
 			}},
-			expect: []string{},
+			expect: map[string][]string{},
 		},
 		{
 			name: "single-addr",
@@ -306,10 +327,10 @@ func Test_detectScanDest(t *testing.T) {
 				},
 				}},
 			},
-			expect: []string{"127.0.0.1:22"},
+			expect: map[string][]string{"127.0.0.1": {"22"}},
 		},
 		{
-			name: "dup-addr",
+			name: "dup-addr-port",
 			args: base{osPackages: osPackages{
 				Packages: models.Packages{"libaudit1": models.Package{
 					Name:       "libaudit1",
@@ -320,7 +341,7 @@ func Test_detectScanDest(t *testing.T) {
 				},
 				}},
 			},
-			expect: []string{"127.0.0.1:22"},
+			expect: map[string][]string{"127.0.0.1": {"22"}},
 		},
 		{
 			name: "multi-addr",
@@ -330,11 +351,11 @@ func Test_detectScanDest(t *testing.T) {
 					Version:    "1:2.8.4-3",
 					NewVersion: "1:2.8.4-3",
 					AffectedProcs: []models.AffectedProcess{
-						{PID: "21", Name: "sshd", ListenPorts: []models.ListenPort{{Address: "127.0.0.1", Port: "22"}}}, {PID: "21", Name: "sshd", ListenPorts: []models.ListenPort{{Address: "192.168.1.1", Port: "22"}}}},
+						{PID: "21", Name: "sshd", ListenPorts: []models.ListenPort{{Address: "127.0.0.1", Port: "22"}}}, {PID: "21", Name: "sshd", ListenPorts: []models.ListenPort{{Address: "192.168.1.1", Port: "22"}}}, {PID: "6261", Name: "nginx", ListenPorts: []models.ListenPort{{Address: "127.0.0.1", Port: "80"}}}},
 				},
 				}},
 			},
-			expect: []string{"127.0.0.1:22", "192.168.1.1:22"},
+			expect: map[string][]string{"127.0.0.1": {"22", "80"}, "192.168.1.1": {"22"}},
 		},
 		{
 			name: "asterisk",
@@ -352,7 +373,7 @@ func Test_detectScanDest(t *testing.T) {
 					IPv4Addrs: []string{"127.0.0.1", "192.168.1.1"},
 				},
 			},
-			expect: []string{"127.0.0.1:22", "192.168.1.1:22"},
+			expect: map[string][]string{"127.0.0.1": {"22"}, "192.168.1.1": {"22"}},
 		}}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

scan/debian.go

@@ -1299,9 +1299,11 @@ func (o *debian) dpkgPs() error {
 	if err != nil {
 		return xerrors.Errorf("Failed to ls of: %w", err)
 	}
-	portPid := o.parseLsOf(stdout)
-	for port, pid := range portPid {
-		pidListenPorts[pid] = append(pidListenPorts[pid], o.parseListenPorts(port))
+	portPids := o.parseLsOf(stdout)
+	for port, pids := range portPids {
+		for _, pid := range pids {
+			pidListenPorts[pid] = append(pidListenPorts[pid], o.parseListenPorts(port))
+		}
 	}
 
 	for pid, loadedFiles := range pidLoadedFiles {

scan/redhatbase.go

@@ -361,7 +361,7 @@ func (o *redhatBase) scanUpdatablePackages() (models.Packages, error) {
 		return nil, xerrors.Errorf("Failed to SSH: %s", r)
 	}
 
-	// Collect Updateble packages, installed, candidate version and repository.
+	// Collect Updatable packages, installed, candidate version and repository.
 	return o.parseUpdatablePacksLines(r.Stdout)
 }
 
@@ -496,9 +496,11 @@ func (o *redhatBase) yumPs() error {
 	if err != nil {
 		return xerrors.Errorf("Failed to ls of: %w", err)
 	}
-	portPid := o.parseLsOf(stdout)
-	for port, pid := range portPid {
-		pidListenPorts[pid] = append(pidListenPorts[pid], o.parseListenPorts(port))
+	portPids := o.parseLsOf(stdout)
+	for port, pids := range portPids {
+		for _, pid := range pids {
+			pidListenPorts[pid] = append(pidListenPorts[pid], o.parseListenPorts(port))
+		}
 	}
 
 	for pid, loadedFiles := range pidLoadedFiles {
@@ -630,8 +632,8 @@ func (o *redhatBase) procPathToFQPN(execCommand string) (string, error) {
 func (o *redhatBase) getPkgName(paths []string) (pkgNames []string, err error) {
 	cmd := o.rpmQf(o.Distro) + strings.Join(paths, " ")
 	r := o.exec(util.PrependProxyEnv(cmd), noSudo)
-	if !r.isSuccess() {
-		return nil, xerrors.Errorf("Failed to SSH: %s", r)
+	if !r.isSuccess(0, 2, 4, 8) {
+		return nil, xerrors.Errorf("Failed to rpm -qf: %s, cmd: %s", r, cmd)
 	}
 
 	scanner := bufio.NewScanner(strings.NewReader(r.Stdout))

scan/serverapi.go

@@ -635,15 +635,12 @@ func GetScanResults(scannedAt time.Time, timeoutSec int) (results models.ScanRes
 		if err = o.scanLibraries(); err != nil {
 			return xerrors.Errorf("Failed to scan Library: %w", err)
 		}
+		if err = o.scanPorts(); err != nil {
+			return xerrors.Errorf("Failed to scan Ports: %w", err)
+		}
 		return nil
 	}, timeoutSec)
 
-	for _, s := range servers {
-		if err = s.scanPorts(); err != nil {
-			util.Log.Errorf("Failed to scan Ports: %+v", err)
-		}
-	}
-
 	hostname, _ := os.Hostname()
 	ipv4s, ipv6s, err := util.IP()
 	if err != nil {