Stage/vuls
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Stage:v0.9.0
Branches Tags
Stage:master Stage:MaineK00n/trivy-to-vuls-cvssv4.0 Stage:MaineK00n/al2023-kernel-livepatch Stage:nightly Stage:collect-selfbulid-jar Stage:detect-pkg-deps
Stage:v0.26.0 Stage:v0.26.0-rc2 Stage:v0.26.0-alpha3 Stage:v0.25.4 Stage:v0.25.3 Stage:v0.25.2 Stage:v0.25.1 Stage:v0.25.1-beta2 Stage:v0.25.1-beta1 Stage:v0.25.0 Stage:v0.24.9 Stage:v0.24.8 Stage:v0.24.7 Stage:v0.24.6 Stage:v0.24.5 Stage:v0.24.4 Stage:v0.24.3 Stage:v0.24.2 Stage:v0.24.1 Stage:v0.24.0 Stage:v0.23.4 Stage:v0.23.3 Stage:v0.23.2 Stage:v0.23.1 Stage:v0.23.0 Stage:v0.22.2 Stage:v0.22.1 Stage:v0.23.0-beta Stage:v0.22.0 Stage:v0.21.1 Stage:v0.21.0 Stage:v0.20.5 Stage:v0.20.4 Stage:v0.20.3 Stage:v0.20.2 Stage:v0.20.1 Stage:v0.20.0 Stage:v0.19.8 Stage:v0.19.7 Stage:v0.19.6 Stage:v0.19.5 Stage:v0.19.4 Stage:v0.19.3 Stage:v0.19.2 Stage:v0.19.1 Stage:v0.19.0 Stage:v0.18.1 Stage:v0.18.0 Stage:v0.17.1 Stage:v0.17.0 Stage:v0.16.0 Stage:v0.15.14 Stage:v0.15.13 Stage:v0.15.12 Stage:v0.15.11 Stage:v0.15.10 Stage:v0.15.9 Stage:v0.15.8 Stage:v0.15.7 Stage:v0.15.6 Stage:v0.15.5 Stage:v0.15.4 Stage:v0.15.3 Stage:v0.15.2 Stage:v0.15.1 Stage:v0.15.0 Stage:v0.14.1 Stage:v0.14.0 Stage:v0.13.9 Stage:v0.13.8 Stage:v0.13.7 Stage:v0.13.6 Stage:v0.13.5 Stage:v0.13.4 Stage:v0.13.3 Stage:v0.13.2 Stage:v0.13.1 Stage:v0.13.0 Stage:v0.12.3 Stage:v0.12.2 Stage:v0.12.1 Stage:v0.12.0 Stage:v0.11.3 Stage:v0.11.2 Stage:v0.11.1 Stage:v0.11.0 Stage:v0.10.0 Stage:v0.9.8 Stage:v0.9.7 Stage:v0.9.6 Stage:v0.9.5 Stage:v0.9.4 Stage:v0.9.3 Stage:v0.9.2 Stage:v0.9.1 Stage:v0.9.0 Stage:v0.8.5 Stage:v0.8.4 Stage:v0.8.3 Stage:v0.8.2 Stage:v0.8.1 Stage:v0.8.0 Stage:v0.7.0 Stage:v0.6.3 Stage:v0.6.2 Stage:v0.6.1 Stage:v0.6.0 Stage:v0.5.0 Stage:v0.4.2 Stage:v0.4.1 Stage:v0.4.0 Stage:v0.3.0 Stage:v0.2.0 Stage:v0.1.7 Stage:v0.1.6 Stage:v0.1.5 Stage:v0.1.4 Stage:v0.1.3 Stage:v0.1.2 Stage:v0.1.1 Stage:v0.1.0
...
compare: Stage:v0.9.5
Branches Tags
Stage:master Stage:MaineK00n/trivy-to-vuls-cvssv4.0 Stage:MaineK00n/al2023-kernel-livepatch Stage:nightly Stage:collect-selfbulid-jar Stage:detect-pkg-deps
Stage:v0.26.0 Stage:v0.26.0-rc2 Stage:v0.26.0-alpha3 Stage:v0.25.4 Stage:v0.25.3 Stage:v0.25.2 Stage:v0.25.1 Stage:v0.25.1-beta2 Stage:v0.25.1-beta1 Stage:v0.25.0 Stage:v0.24.9 Stage:v0.24.8 Stage:v0.24.7 Stage:v0.24.6 Stage:v0.24.5 Stage:v0.24.4 Stage:v0.24.3 Stage:v0.24.2 Stage:v0.24.1 Stage:v0.24.0 Stage:v0.23.4 Stage:v0.23.3 Stage:v0.23.2 Stage:v0.23.1 Stage:v0.23.0 Stage:v0.22.2 Stage:v0.22.1 Stage:v0.23.0-beta Stage:v0.22.0 Stage:v0.21.1 Stage:v0.21.0 Stage:v0.20.5 Stage:v0.20.4 Stage:v0.20.3 Stage:v0.20.2 Stage:v0.20.1 Stage:v0.20.0 Stage:v0.19.8 Stage:v0.19.7 Stage:v0.19.6 Stage:v0.19.5 Stage:v0.19.4 Stage:v0.19.3 Stage:v0.19.2 Stage:v0.19.1 Stage:v0.19.0 Stage:v0.18.1 Stage:v0.18.0 Stage:v0.17.1 Stage:v0.17.0 Stage:v0.16.0 Stage:v0.15.14 Stage:v0.15.13 Stage:v0.15.12 Stage:v0.15.11 Stage:v0.15.10 Stage:v0.15.9 Stage:v0.15.8 Stage:v0.15.7 Stage:v0.15.6 Stage:v0.15.5 Stage:v0.15.4 Stage:v0.15.3 Stage:v0.15.2 Stage:v0.15.1 Stage:v0.15.0 Stage:v0.14.1 Stage:v0.14.0 Stage:v0.13.9 Stage:v0.13.8 Stage:v0.13.7 Stage:v0.13.6 Stage:v0.13.5 Stage:v0.13.4 Stage:v0.13.3 Stage:v0.13.2 Stage:v0.13.1 Stage:v0.13.0 Stage:v0.12.3 Stage:v0.12.2 Stage:v0.12.1 Stage:v0.12.0 Stage:v0.11.3 Stage:v0.11.2 Stage:v0.11.1 Stage:v0.11.0 Stage:v0.10.0 Stage:v0.9.8 Stage:v0.9.7 Stage:v0.9.6 Stage:v0.9.5 Stage:v0.9.4 Stage:v0.9.3 Stage:v0.9.2 Stage:v0.9.1 Stage:v0.9.0 Stage:v0.8.5 Stage:v0.8.4 Stage:v0.8.3 Stage:v0.8.2 Stage:v0.8.1 Stage:v0.8.0 Stage:v0.7.0 Stage:v0.6.3 Stage:v0.6.2 Stage:v0.6.1 Stage:v0.6.0 Stage:v0.5.0 Stage:v0.4.2 Stage:v0.4.1 Stage:v0.4.0 Stage:v0.3.0 Stage:v0.2.0 Stage:v0.1.7 Stage:v0.1.6 Stage:v0.1.5 Stage:v0.1.4 Stage:v0.1.3 Stage:v0.1.2 Stage:v0.1.1 Stage:v0.1.0

43 Commits
v0.9.0 ... v0.9.5

Author SHA1 Message Date
Kota Kanbe
466ec93d8e bump up version 2020-05-08 17:15:25 +09:00
Kota Kanbe
3f5bb6ab29 fix(scan): alpine detection #965 (#966) 
* fix(scan): alpine detection #965

* use knqyf263/go-apk-version
 2020-05-08 16:12:01 +09:00
Kota Kanbe
ebe5f858c8 update trivy, and unsupport image scanning feature (#971) 
* update trivy, fanal. unsupport image scanning

* Update models/library.go

Co-authored-by: Teppei Fukuda <teppei@elab.ic.i.u-tokyo.ac.jp>

* add -no-progress flag to report/tui cmd

* Display trivy vuln info to tui/report

* add detection method to vulninfo detected by trivy

* fix(uuid): change uuid lib to go-uuid #929 (#969)

* update trivy, fanal. unsupport image scanning

* Update models/library.go

Co-authored-by: Teppei Fukuda <teppei@elab.ic.i.u-tokyo.ac.jp>

* add -no-progress flag to report/tui cmd

* Display trivy vuln info to tui/report

* add detection method to vulninfo detected by trivy

* unique ref links in TUI

* download trivy DB only when lock file is specified in config.toml

Co-authored-by: Teppei Fukuda <teppei@elab.ic.i.u-tokyo.ac.jp>
 2020-05-08 15:24:39 +09:00
Kota Kanbe
9dd025437b fix(uuid): change uuid lib to go-uuid #929 (#969) 2020-05-06 14:14:07 +09:00
Wagde Zabit
c0ebac305a composer.lock insteaad of composer.json (#973) 
Co-authored-by: Wagde Zabit <wagde@orcasecurity.io>
 2020-05-01 15:20:33 +09:00
Kota Kanbe
1f23ab7ba4 Bump up version 2020-04-28 14:27:46 +09:00
Kota Kanbe
ea3b63998d fix(report): GitHub Security Alerts Integration (#970) 2020-04-28 14:26:37 +09:00
Kota Kanbe
3093426458 fix(logging): panic if no write permission #949 (#968) 2020-04-27 17:37:30 +09:00
Kota Kanbe
37716feac7 refactor(lint): fix lint warnings (#967) 2020-04-27 17:02:27 +09:00
Kota Kanbe
56b12c38d2 fix(config): not working with empty config #962 (#963) 2020-04-23 10:50:35 +09:00
Kota Kanbe
749ead5d4a update go mod (#960) 2020-04-20 21:33:11 +09:00
Kota Kanbe
3be50ab8da bump up version 2020-04-19 09:06:01 +09:00
Kota Kanbe
649f4a6991 fix(report): kernel vulns detection BUG in Ubuntu (#958) 
* fix(report): kernel vulns detection in Ubuntu

* fix(ubuntu): remove linux-* to detect only running kernel vulns
 2020-04-19 09:04:08 +09:00
Kota Kanbe
0ff7641471 feat(report): display "fixed" when updatable even in fast mode (#957) 2020-04-13 18:20:32 +09:00
Kota Kanbe
1679bfae20 Update FUNDING.yml 2020-04-10 21:25:10 +09:00
Kota Kanbe
45aa364436 Update FUNDING.yml 2020-04-10 21:24:24 +09:00
Kota Kanbe
778516c4d9 Create FUNDING.yml 2020-04-10 21:21:30 +09:00
Kota Kanbe
464d523c42 Display fixed-in version for each package in report (#801) 
* refactor(model): PackageFixStatus.Name to BinName

* refacotr(oval): change var name

* feat(report): Add FixedIn in JSON

* refactor(tui): chage args

* display fixedin in report

* refactor(model): change fileld name

* remove unused field of PackageFixStatus
 2020-04-08 21:26:34 +09:00
Kota Kanbe
0f6a1987d4 fix(configtest): yum-utils instead of dnf-utils on RHEL8, Cent8 (#948) 2020-04-06 19:40:05 +09:00
Shigechika AIKAWA
20c6247ce5 fix CentOS8 configtest always failed (#947) 2020-04-06 15:47:08 +09:00
gy741
a10dd67e0f Fix typo in models/scanresults.go (#942) 2020-04-06 15:00:43 +09:00
segatomo
5729ad6026 Add CWE Top25 and SANS Top25 (#925) 
* add top25 rank

* add CweTop25 and SansTop25

* fix report

* add cwetop25 and sanstop25 url

* fix condition branch

* fix condition branch
 2020-03-03 17:33:06 +09:00
Tomoya Amachi
9aa0d87a21 feat : scan with image digest (#939) 2020-03-03 16:51:06 +09:00
ishiDACo
fe3f1b9924 Update OWASP Dependency Check parser for dependency-check.2.2.xsd schema (#936) 2020-02-27 10:08:26 +09:00
Kota Kanbe
00e52a88fa Update README.md 2020-02-01 09:27:17 +09:00
Kota Kanbe
5811dffe7a fix(report): Support CVSS 3.1 for Red Hat OVAL #930 (#932) 2020-01-30 22:48:04 +09:00
sadayuki-matsuno
7278982af4 update fanal (#931) 2020-01-30 20:40:49 +09:00
nyao
c17b4154ec fix(config): fix double checking ResultsDir Path (#927) 2019-12-12 09:29:12 +09:00
Kota Kanbe
d6e74cce08 bump up version (#923) 2019-11-26 09:54:30 +09:00
Kota Kanbe
3f80749241 Merge branch 'master' of github.com:future-architect/vuls 2019-11-26 09:44:10 +09:00
Kota Kanbe
7f72b6ac69 Warn no ip (#922) 
* fix(scan): ignore wp-cli stderr messages (#825) (#915)

* fix(scan): warn if unable to get ip address on the scan tareget server

* fix test case
 2019-11-26 09:40:38 +09:00
Kota Kanbe
03e7b90b9f Merge branch 'master' of github.com:future-architect/vuls 2019-11-26 08:53:03 +09:00
Kota Kanbe
7936b3533b Fill Red Hat CVE data for all distros (#920) 
* fix(scan): ignore wp-cli stderr messages (#825) (#915)

* refactor

* feat(report): fill Red Hat CVE data for all distros

* fix lint err

* fix cve judgment (#921)
 2019-11-25 17:01:18 +09:00
Shigechika AIKAWA
bd7e61d7cc fix(scan): ignore wp-cli stderr messages (#825) (#915) 2019-11-22 20:58:24 +09:00
Shigechika AIKAWA
69214e0c22 fix(scan): ignore wp-cli stderr messages (#825) (#915) 2019-11-01 10:01:50 +09:00
Wagde Zabit
45bff26558 Consider grep return value 1 as success (#907) 
* Allow Offline scanning on Alpine

* Consider grep return value 1 as success
 2019-09-18 23:26:37 +09:00
Kota Kanbe
b2e429ccc6 fix(log): add .log extension to vuls logfile (#910) 2019-09-18 23:21:06 +09:00
Kota Kanbe
76363c227b fix(report): enable to report when the sshkey not exist (#909) 2019-09-18 22:40:36 +09:00
Kota Kanbe
d5a3e5c2c5 fix(report): fix cert key in result json ja to jp (#908) 2019-09-18 19:30:32 +09:00
Kota Kanbe
2b02807ef0 fix(report): ignore exploits of no-cve-id vulns (#906) 2019-09-13 12:49:57 +09:00
Kota Kanbe
be659ae094 fix(docker): add git to image (#905) 2019-09-13 01:10:27 +09:00
Kota Kanbe
b2c105adbc fix(tui): enable to exec tui mode without cve.sqlite3 (#904) 2019-09-12 18:35:21 +09:00
Kota Kanbe
c61f462948 fix(report): show POC, CERT in tui and format-list. use vendor summary over NVD (#902) 
* fix(report): show POC, CERT in tui and format-list. show vendor summary

* fix test case
 2019-09-10 10:00:17 +09:00
53 changed files with 1904 additions and 1049 deletions
Expand all files Collapse all files

3
.github/FUNDING.yml vendored Normal file
View File

@@ -0,0 +1,3 @@
# These are supported funding model platforms
github: kotakanbe

1
Dockerfile
View File

@@ -21,6 +21,7 @@ ENV WORKDIR /vuls
RUN apk add --no-cache \
openssh-client \
ca-certificates \
git \
&& mkdir -p $WORKDIR $LOGDIR
COPY --from=builder /go/bin/vuls /usr/local/bin/

16
README.md
View File

@@ -136,14 +136,16 @@ Vuls uses multiple vulnerability databases
### **Static** Analysis
Vuls v0.8.0 can scan Docker images using [knqyf263/trivy](https://github.com/knqyf263/trivy).
Following Registry supported.
**Image scan function is no longer supported from Vuls v0.9.5. Use Trivy directry**
- ECR
- GCR
- Local Image
~~Vuls v0.8.0 can scan Docker images using [knqyf263/trivy](https://github.com/knqyf263/trivy).
Following Registry supported.~~
For details, see [Scan docker image](https://vuls.io/docs/en/tutorial-scan-docker-image.html)
- ~~ECR~~
- ~~GCR~~
- ~~Local Image~~
~~For details, see [Scan docker image](https://vuls.io/docs/en/tutorial-scan-docker-image.html)~~
### Scan vulnerabilities of non-OS-packages
@@ -170,7 +172,7 @@ Vuls has some options to detect the vulnerabilities
- Auto-generation of configuration file template
- Auto-detection of servers set using CIDR, generate configuration file template
- Email and Slack notification is possible (supports Japanese language)
- Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/future-architect/vulsrepo)).
- Scan result is viewable on accessory software, TUI Viewer in a terminal or Web UI ([VulsRepo](https://github.com/ishiDACo/vulsrepo)).
----

7
commands/report.go
View File

@@ -6,6 +6,7 @@ import (
"os"
"path/filepath"
"github.com/aquasecurity/trivy/pkg/utils"
c "github.com/future-architect/vuls/config"
"github.com/future-architect/vuls/exploit"
"github.com/future-architect/vuls/gost"
@@ -71,6 +72,7 @@ func (*ReportCmd) Usage() string {
[-debug]
[-debug-sql]
[-quiet]
[-no-progress]
[-pipe]
[-cvedb-type=sqlite3|mysql|postgres|redis|http]
[-cvedb-sqlite3-path=/path/to/cve.sqlite3]
@@ -85,6 +87,7 @@ func (*ReportCmd) Usage() string {
[-exploitdb-sqlite3-path=/path/to/exploitdb.sqlite3]
[-exploitdb-url=http://127.0.0.1:1326 or DB connection string]
[-http="http://vuls-report-server"]
[-trivy-cachedb-dir=/path/to/dir]
[RFC3339 datetime format under results dir]
`
@@ -95,8 +98,8 @@ func (p *ReportCmd) SetFlags(f *flag.FlagSet) {
f.StringVar(&c.Conf.Lang, "lang", "en", "[en|ja]")
f.BoolVar(&c.Conf.Debug, "debug", false, "debug mode")
f.BoolVar(&c.Conf.DebugSQL, "debug-sql", false, "SQL debug mode")
f.BoolVar(&c.Conf.Quiet, "quiet", false, "Quiet mode. No output on stdout")
f.BoolVar(&c.Conf.NoProgress, "no-progress", false, "Suppress progress bar")
wd, _ := os.Getwd()
defaultConfPath := filepath.Join(wd, "config.toml")
@@ -187,6 +190,8 @@ func (p *ReportCmd) SetFlags(f *flag.FlagSet) {
f.StringVar(&p.httpConf.URL, "http", "", "-to-http http://vuls-report")
f.StringVar(&c.Conf.TrivyCacheDBDir, "trivy-cachedb-dir",
utils.DefaultCacheDir(), "/path/to/dir")
}
// Execute execute

4
commands/scan.go
View File

@@ -41,7 +41,6 @@ func (*ScanCmd) Usage() string {
[-ssh-native-insecure]
[-ssh-config]
[-containers-only]
[-images-only]
[-libs-only]
[-wordpress-only]
[-skip-broken]
@@ -86,9 +85,6 @@ func (p *ScanCmd) SetFlags(f *flag.FlagSet) {
f.BoolVar(&c.Conf.ContainersOnly, "containers-only", false,
"Scan running containers only. Default: Scan both of hosts and running containers")
f.BoolVar(&c.Conf.ImagesOnly, "images-only", false,
"Scan container images only. Default: Scan both of hosts and images")
f.BoolVar(&c.Conf.LibsOnly, "libs-only", false,
"Scan libraries (lock files) specified in config.toml only.")

8
commands/tui.go
View File

@@ -6,6 +6,7 @@ import (
"os"
"path/filepath"
"github.com/aquasecurity/trivy/pkg/utils"
c "github.com/future-architect/vuls/config"
"github.com/future-architect/vuls/exploit"
"github.com/future-architect/vuls/gost"
@@ -46,6 +47,8 @@ func (*TuiCmd) Usage() string {
[-log-dir=/path/to/log]
[-debug]
[-debug-sql]
[-quiet]
[-no-progress]
[-pipe]
[-cvedb-type=sqlite3|mysql|postgres|redis|http]
[-cvedb-sqlite3-path=/path/to/cve.sqlite3]
@@ -59,6 +62,7 @@ func (*TuiCmd) Usage() string {
[-exploitdb-type=sqlite3|mysql|redis|http]
[-exploitdb-sqlite3-path=/path/to/exploitdb.sqlite3]
[-exploitdb-url=http://127.0.0.1:1326 or DB connection string]
[-trivy-cachedb-dir=/path/to/dir]
`
}
@@ -68,6 +72,8 @@ func (p *TuiCmd) SetFlags(f *flag.FlagSet) {
// f.StringVar(&p.lang, "lang", "en", "[en|ja]")
f.BoolVar(&c.Conf.DebugSQL, "debug-sql", false, "debug SQL")
f.BoolVar(&c.Conf.Debug, "debug", false, "debug mode")
f.BoolVar(&c.Conf.Quiet, "quiet", false, "Quiet mode. No output on stdout")
f.BoolVar(&c.Conf.NoProgress, "no-progress", false, "Suppress progress bar")
defaultLogDir := util.GetDefaultLogDir()
f.StringVar(&c.Conf.LogDir, "log-dir", defaultLogDir, "/path/to/log")
@@ -121,6 +127,8 @@ func (p *TuiCmd) SetFlags(f *flag.FlagSet) {
f.StringVar(&p.exploitConf.URL, "exploitdb-url", "",
"http://exploit.com:1326 or DB connection string")
f.StringVar(&c.Conf.TrivyCacheDBDir, "trivy-cachedb-dir",
utils.DefaultCacheDir(), "/path/to/dir")
}
// Execute execute

61
config/config.go
View File

@@ -10,14 +10,13 @@ import (
"strings"
syslog "github.com/RackSec/srslog"
"github.com/aquasecurity/fanal/types"
valid "github.com/asaskevich/govalidator"
log "github.com/sirupsen/logrus"
"golang.org/x/xerrors"
)
// Version of Vuls
var Version = "0.7.0"
var Version = "0.9.5"
// Revision of Git
var Revision string
@@ -90,6 +89,7 @@ type Config struct {
ResultsDir string `json:"resultsDir,omitempty"`
Pipe bool `json:"pipe,omitempty"`
Quiet bool `json:"quiet,omitempty"`
NoProgress bool `json:"noProgress,omitempty"`
Default ServerInfo `json:"default,omitempty"`
Servers map[string]ServerInfo `json:"servers,omitempty"`
@@ -103,15 +103,16 @@ type Config struct {
SSHConfig bool `json:"sshConfig,omitempty"`
ContainersOnly bool `json:"containersOnly,omitempty"`
ImagesOnly bool `json:"imagesOnly,omitempty"`
LibsOnly bool `json:"libsOnly,omitempty"`
WordPressOnly bool `json:"wordpressOnly,omitempty"`
SkipBroken bool `json:"skipBroken,omitempty"`
CacheDBPath string `json:"cacheDBPath,omitempty"`
Vvv bool `json:"vvv,omitempty"`
UUID bool `json:"uuid,omitempty"`
DetectIPS bool `json:"detectIps,omitempty"`
CacheDBPath string `json:"cacheDBPath,omitempty"`
TrivyCacheDBDir string `json:"trivyCacheDBDir,omitempty"`
SkipBroken bool `json:"skipBroken,omitempty"`
Vvv bool `json:"vvv,omitempty"`
UUID bool `json:"uuid,omitempty"`
DetectIPS bool `json:"detectIps,omitempty"`
CveDict GoCveDictConf `json:"cveDict,omitempty"`
OvalDict GovalDictConf `json:"ovalDict,omitempty"`
@@ -155,7 +156,7 @@ type Config struct {
// ValidateOnConfigtest validates
func (c Config) ValidateOnConfigtest() bool {
errs := []error{}
errs := c.checkSSHKeyExist()
if runtime.GOOS == "windows" && !c.SSHNative {
errs = append(errs, xerrors.New("-ssh-native-insecure is needed on windows"))
@@ -175,14 +176,7 @@ func (c Config) ValidateOnConfigtest() bool {
// ValidateOnScan validates configuration
func (c Config) ValidateOnScan() bool {
errs := []error{}
if len(c.ResultsDir) != 0 {
if ok, _ := valid.IsFilePath(c.ResultsDir); !ok {
errs = append(errs, xerrors.Errorf(
"JSON base directory must be a *Absolute* file path. -results-dir: %s", c.ResultsDir))
}
}
errs := c.checkSSHKeyExist()
if runtime.GOOS == "windows" && !c.SSHNative {
errs = append(errs, xerrors.New("-ssh-native-insecure is needed on windows"))
@@ -215,6 +209,21 @@ func (c Config) ValidateOnScan() bool {
return len(errs) == 0
}
func (c Config) checkSSHKeyExist() (errs []error) {
for serverName, v := range c.Servers {
if v.Type == ServerTypePseudo {
continue
}
if v.KeyPath != "" {
if _, err := os.Stat(v.KeyPath); err != nil {
errs = append(errs, xerrors.Errorf(
"%s is invalid. keypath: %s not exists", serverName, v.KeyPath))
}
}
}
return errs
}
// ValidateOnReportDB validates configuration
func (c Config) ValidateOnReportDB() bool {
errs := []error{}
@@ -315,11 +324,6 @@ func (c Config) ValidateOnTui() bool {
if err := validateDB("cvedb", c.CveDict.Type, c.CveDict.SQLite3Path, c.CveDict.URL); err != nil {
errs = append(errs, err)
}
if c.CveDict.Type == "sqlite3" {
if _, err := os.Stat(c.CveDict.SQLite3Path); os.IsNotExist(err) {
errs = append(errs, xerrors.Errorf("SQLite3 DB path (%s) is not exist: %s", "cvedb", c.CveDict.SQLite3Path))
}
}
for _, err := range errs {
log.Error(err)
@@ -1044,7 +1048,6 @@ type ServerInfo struct {
IgnoreCves []string `toml:"ignoreCves,omitempty" json:"ignoreCves,omitempty"`
IgnorePkgsRegexp []string `toml:"ignorePkgsRegexp,omitempty" json:"ignorePkgsRegexp,omitempty"`
GitHubRepos map[string]GitHubConf `toml:"githubs" json:"githubs,omitempty"` // key: owner/repo
Images map[string]Image `toml:"images" json:"images,omitempty"`
UUIDs map[string]string `toml:"uuids,omitempty" json:"uuids,omitempty"`
Memo string `toml:"memo,omitempty" json:"memo,omitempty"`
Enablerepo []string `toml:"enablerepo,omitempty" json:"enablerepo,omitempty"` // For CentOS, RHEL, Amazon
@@ -1062,7 +1065,6 @@ type ServerInfo struct {
LogMsgAnsiColor string `toml:"-" json:"-"` // DebugLog Color
Container Container `toml:"-" json:"-"`
Image Image `toml:"-" json:"-"`
Distro Distro `toml:"-" json:"-"`
Mode ScanMode `toml:"-" json:"-"`
}
@@ -1084,17 +1086,6 @@ type WordPressConf struct {
IgnoreInactive bool `json:"ignoreInactive,omitempty"`
}
// Image is a scan container image info
type Image struct {
Name string `json:"name"`
Tag string `json:"tag"`
DockerOption types.DockerOption `json:"dockerOption,omitempty"`
Cpes []string `json:"cpes,omitempty"`
OwaspDCXMLPath string `json:"owaspDCXMLPath"`
IgnorePkgsRegexp []string `json:"ignorePkgsRegexp,omitempty"`
IgnoreCves []string `json:"ignoreCves,omitempty"`
}
// GitHubConf is used for GitHub integration
type GitHubConf struct {
Token string `json:"-"`

29
config/tomlloader.go
View File

@@ -1,7 +1,6 @@
package config
import (
"os"
"regexp"
"strings"
@@ -52,16 +51,6 @@ func (c TOMLLoader) Load(pathToToml, keyPass string) error {
}
s := ServerInfo{ServerName: serverName}
s.Images = make(map[string]Image)
// image are able to set any server type
for name, image := range v.Images {
if err := IsValidImage(image); err != nil {
return err
}
s.Images[name] = image
}
if v.Type != ServerTypePseudo {
s.Host = v.Host
if len(s.Host) == 0 {
@@ -92,13 +81,6 @@ func (c TOMLLoader) Load(pathToToml, keyPass string) error {
if len(s.KeyPath) == 0 {
s.KeyPath = d.KeyPath
}
if s.KeyPath != "" {
if _, err := os.Stat(s.KeyPath); err != nil {
return xerrors.Errorf(
"%s is invalid. keypath: %s not exists", serverName, s.KeyPath)
}
}
s.KeyPassword = v.KeyPassword
if len(s.KeyPassword) == 0 {
s.KeyPassword = d.KeyPassword
@@ -300,14 +282,3 @@ func toCpeURI(cpename string) (string, error) {
}
return "", xerrors.Errorf("Unknow CPE format: %s", cpename)
}
// IsValidImage checks a container configuration
func IsValidImage(c Image) error {
if c.Name == "" {
return xerrors.New("Invalid arguments : no image name")
}
if c.Tag == "" {
return xerrors.New("Invalid arguments : no image tag")
}
return nil
}

21
contrib/owasp-dependency-check/parser/parser.go
View File

@@ -6,6 +6,7 @@ import (
"os"
"strings"
"github.com/knqyf263/go-cpe/naming"
log "github.com/sirupsen/logrus"
"golang.org/x/xerrors"
)
@@ -15,12 +16,11 @@ type analysis struct {
}
type dependency struct {
Identifiers []identifier `xml:"identifiers>identifier"`
Identifiers []vulnerabilityID `xml:"identifiers>vulnerabilityIds"`
}
type identifier struct {
Name string `xml:"name"`
Type string `xml:"type,attr"`
type vulnerabilityID struct {
ID string `xml:"id"`
}
func appendIfMissing(slice []string, str string) []string {
@@ -55,11 +55,16 @@ func Parse(path string) ([]string, error) {
cpes := []string{}
for _, d := range anal.Dependencies {
for _, ident := range d.Identifiers {
if ident.Type == "cpe" {
name := strings.TrimPrefix(ident.Name, "(")
name = strings.TrimSuffix(name, ")")
cpes = appendIfMissing(cpes, name)
id := ident.ID // Start with cpe:2.3:
// Convert from CPE 2.3 to CPE 2.2
if strings.HasPrefix(id, "cpe:2.3:") {
wfn, err := naming.UnbindFS(id)
if err != nil {
return []string{}, err
}
id = naming.BindToURI(wfn)
}
cpes = appendIfMissing(cpes, id)
}
}
return cpes, nil

33
cwe/cwe.go Normal file
View File

@@ -0,0 +1,33 @@
package cwe
// CweTopTwentyfive2019 has CWE-ID in CWE Top 25
var CweTopTwentyfive2019 = map[string]string{
"119": "1",
"79": "2",
"20": "3",
"200": "4",
"125": "5",
"89": "6",
"416": "7",
"190": "8",
"352": "9",
"22": "10",
"78": "11",
"787": "12",
"287": "13",
"476": "14",
"732": "16",
"434": "16",
"611": "17",
"94": "18",
"798": "19",
"400": "20",
"772": "21",
"426": "22",
"502": "23",
"269": "24",
"295": "25",
}
// CweTopTwentyfive2019URL has CWE Top25 links
var CweTopTwentyfive2019URL = "https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html"

33
cwe/sans.go Normal file
View File

@@ -0,0 +1,33 @@
package cwe
// SansTopTwentyfive has CWE-ID in CWE/SANS Top 25
var SansTopTwentyfive = map[string]string{
"89": "1",
"78": "2",
"120": "3",
"79": "4",
"306": "5",
"862": "6",
"798": "7",
"311": "8",
"434": "9",
"807": "10",
"250": "11",
"352": "12",
"22": "13",
"494": "14",
"863": "15",
"829": "16",
"732": "17",
"676": "18",
"327": "19",
"131": "20",
"307": "21",
"601": "22",
"134": "23",
"190": "24",
"759": "25",
}
// SansTopTwentyfiveURL is a URL of sans 25
var SansTopTwentyfiveURL = "https://www.sans.org/top25-software-errors/"

3
exploit/exploit.go
View File

@@ -44,6 +44,9 @@ func FillWithExploit(driver db.DB, r *models.ScanResult) (nExploitCve int, err e
return 0, nil
}
for cveID, vuln := range r.ScannedCves {
if cveID == "" {
continue
}
es := driver.GetExploitByCveID(cveID)
if len(es) == 0 {
continue

129
github/github.go
View File

@@ -5,14 +5,13 @@ import (
"context"
"encoding/json"
"fmt"
"io/ioutil"
"net/http"
"time"
"github.com/future-architect/vuls/config"
"github.com/future-architect/vuls/errof"
"github.com/future-architect/vuls/models"
"github.com/future-architect/vuls/util"
"github.com/k0kubun/pp"
"golang.org/x/oauth2"
)
@@ -25,8 +24,9 @@ func FillGitHubSecurityAlerts(r *models.ScanResult, owner, repo, token string) (
httpClient := oauth2.NewClient(context.Background(), src)
// TODO Use `https://github.com/shurcooL/githubv4` if the tool supports vulnerabilityAlerts Endpoint
// Memo : https://developer.github.com/v4/explorer/
const jsonfmt = `{"query":
"query { repository(owner:\"%s\", name:\"%s\") { url, vulnerabilityAlerts(first: %d, %s) { pageInfo{ endCursor, hasNextPage, startCursor}, edges { node { id, externalIdentifier, externalReference, fixedIn, packageName, dismissReason, dismissedAt } } } } }"}`
"query { repository(owner:\"%s\", name:\"%s\") { url vulnerabilityAlerts(first: %d, %s) { pageInfo { endCursor hasNextPage startCursor } edges { node { id dismissReason dismissedAt securityVulnerability{ package { name ecosystem } severity vulnerableVersionRange firstPatchedVersion { identifier } } securityAdvisory { description ghsaId permalink publishedAt summary updatedAt withdrawnAt origin severity references { url } identifiers { type value } } } } } } } "}`
after := ""
for {
@@ -43,7 +43,7 @@ func FillGitHubSecurityAlerts(r *models.ScanResult, owner, repo, token string) (
// To toggle this preview and access data, need to provide a custom media type in the Accept header:
// MEMO: I tried to get the affected version via GitHub API. Bit it seems difficult to determin the affected version if there are multiple dependency files such as package.json.
// TODO remove this header if it is no longer preview status in the future.
req.Header.Set("Accept", "application/vnd.github.vixen-preview+json")
req.Header.Set("Accept", "application/vnd.github.package-deletes-preview+json")
req.Header.Set("Content-Type", "application/json")
resp, err := httpClient.Do(req)
@@ -51,16 +51,23 @@ func FillGitHubSecurityAlerts(r *models.ScanResult, owner, repo, token string) (
return 0, err
}
defer resp.Body.Close()
alerts := SecurityAlerts{}
if json.NewDecoder(resp.Body).Decode(&alerts); err != nil {
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
return 0, err
}
util.Log.Debugf("%s", pp.Sprint(alerts))
alerts := SecurityAlerts{}
if json.Unmarshal(body, &alerts); err != nil {
return 0, err
}
// util.Log.Debugf("%s", pp.Sprint(alerts))
// util.Log.Debugf("%s", string(body))
if alerts.Data.Repository.URL == "" {
return 0, errof.New(
errof.ErrFailedToAccessGithubAPI,
fmt.Sprintf("Failed to access to GitHub API. Response: %#v", alerts),
fmt.Sprintf("Failed to access to GitHub API. Response: %s", string(body)),
)
}
@@ -70,31 +77,45 @@ func FillGitHubSecurityAlerts(r *models.ScanResult, owner, repo, token string) (
}
pkgName := fmt.Sprintf("%s %s",
alerts.Data.Repository.URL, v.Node.PackageName)
alerts.Data.Repository.URL, v.Node.SecurityVulnerability.Package.Name)
m := models.GitHubSecurityAlert{
PackageName: pkgName,
FixedIn: v.Node.FixedIn,
AffectedRange: v.Node.AffectedRange,
FixedIn: v.Node.SecurityVulnerability.FirstPatchedVersion.Identifier,
AffectedRange: v.Node.SecurityVulnerability.VulnerableVersionRange,
Dismissed: len(v.Node.DismissReason) != 0,
DismissedAt: v.Node.DismissedAt,
DismissReason: v.Node.DismissReason,
}
cveID := v.Node.ExternalIdentifier
if val, ok := r.ScannedCves[cveID]; ok {
val.GitHubSecurityAlerts = val.GitHubSecurityAlerts.Add(m)
r.ScannedCves[cveID] = val
nCVEs++
} else {
v := models.VulnInfo{
CveID: cveID,
Confidences: models.Confidences{models.GitHubMatch},
GitHubSecurityAlerts: models.GitHubSecurityAlerts{m},
cveIDs, other := []string{}, []string{}
for _, identifier := range v.Node.SecurityAdvisory.Identifiers {
if identifier.Type == "CVE" {
cveIDs = append(cveIDs, identifier.Value)
} else {
other = append(other, identifier.Value)
}
}
// If CVE-ID has not been assigned, use the GHSA ID etc as a ID.
if len(cveIDs) == 0 {
cveIDs = other
}
for _, cveID := range cveIDs {
if val, ok := r.ScannedCves[cveID]; ok {
val.GitHubSecurityAlerts = val.GitHubSecurityAlerts.Add(m)
r.ScannedCves[cveID] = val
nCVEs++
} else {
v := models.VulnInfo{
CveID: cveID,
Confidences: models.Confidences{models.GitHubMatch},
GitHubSecurityAlerts: models.GitHubSecurityAlerts{m},
}
r.ScannedCves[cveID] = v
nCVEs++
}
r.ScannedCves[cveID] = v
nCVEs++
}
}
if !alerts.Data.Repository.VulnerabilityAlerts.PageInfo.HasNextPage {
@@ -109,26 +130,50 @@ func FillGitHubSecurityAlerts(r *models.ScanResult, owner, repo, token string) (
type SecurityAlerts struct {
Data struct {
Repository struct {
URL string `json:"url,omitempty"`
URL string `json:"url"`
VulnerabilityAlerts struct {
PageInfo struct {
EndCursor string `json:"endCursor,omitempty"`
HasNextPage bool `json:"hasNextPage,omitempty"`
StartCursor string `json:"startCursor,omitempty"`
} `json:"pageInfo,omitempty"`
EndCursor string `json:"endCursor"`
HasNextPage bool `json:"hasNextPage"`
StartCursor string `json:"startCursor"`
} `json:"pageInfo"`
Edges []struct {
Node struct {
ID string `json:"id,omitempty"`
ExternalIdentifier string `json:"externalIdentifier,omitempty"`
ExternalReference string `json:"externalReference,omitempty"`
FixedIn string `json:"fixedIn,omitempty"`
AffectedRange string `json:"affectedRange,omitempty"`
PackageName string `json:"packageName,omitempty"`
DismissReason string `json:"dismissReason,omitempty"`
DismissedAt time.Time `json:"dismissedAt,omitempty"`
} `json:"node,omitempty"`
} `json:"edges,omitempty"`
} `json:"vulnerabilityAlerts,omitempty"`
} `json:"repository,omitempty"`
} `json:"data,omitempty"`
ID string `json:"id"`
DismissReason string `json:"dismissReason"`
DismissedAt time.Time `json:"dismissedAt"`
SecurityVulnerability struct {
Package struct {
Name string `json:"name"`
Ecosystem string `json:"ecosystem"`
} `json:"package"`
Severity string `json:"severity"`
VulnerableVersionRange string `json:"vulnerableVersionRange"`
FirstPatchedVersion struct {
Identifier string `json:"identifier"`
} `json:"firstPatchedVersion"`
} `json:"securityVulnerability"`
SecurityAdvisory struct {
Description string `json:"description"`
GhsaID string `json:"ghsaId"`
Permalink string `json:"permalink"`
PublishedAt time.Time `json:"publishedAt"`
Summary string `json:"summary"`
UpdatedAt time.Time `json:"updatedAt"`
WithdrawnAt time.Time `json:"withdrawnAt"`
Origin string `json:"origin"`
Severity string `json:"severity"`
References []struct {
URL string `json:"url"`
} `json:"references"`
Identifiers []struct {
Type string `json:"type"`
Value string `json:"value"`
} `json:"identifiers"`
} `json:"securityAdvisory"`
} `json:"node"`
} `json:"edges"`
} `json:"vulnerabilityAlerts"`
} `json:"repository"`
} `json:"data"`
}

55
go.mod
View File

@@ -3,56 +3,51 @@ module github.com/future-architect/vuls
go 1.13
replace (
github.com/genuinetools/reg => github.com/tomoyamachi/reg v0.16.1-0.20190706172545-2a2250fd7c00
gopkg.in/mattn/go-colorable.v0 => github.com/mattn/go-colorable v0.1.0
gopkg.in/mattn/go-isatty.v0 => github.com/mattn/go-isatty v0.0.6
)
require (
github.com/Azure/azure-sdk-for-go v33.1.0+incompatible
github.com/Azure/go-autorest/autorest v0.9.1 // indirect
github.com/Azure/go-autorest/autorest/to v0.3.0 // indirect
github.com/Azure/azure-sdk-for-go v42.0.0+incompatible
github.com/BurntSushi/toml v0.3.1
github.com/RackSec/srslog v0.0.0-20180709174129-a4725f04ec91
github.com/aquasecurity/fanal v0.0.0-20190819081512-f04452b627c6
github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b
github.com/aquasecurity/trivy v0.1.6
github.com/aquasecurity/fanal v0.0.0-20200427221647-c3528846e21c
github.com/aquasecurity/go-dep-parser v0.0.0-20200123140603-4dc0125084da // indirect
github.com/aquasecurity/trivy v0.6.0
github.com/aquasecurity/trivy-db v0.0.0-20200427221211-19fb3b7a88b5
github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a
github.com/aws/aws-sdk-go v1.23.17
github.com/aws/aws-sdk-go v1.30.16
github.com/boltdb/bolt v1.3.1
github.com/cenkalti/backoff v2.2.1+incompatible
github.com/dnaeon/go-vcr v1.0.1 // indirect
github.com/elazarl/goproxy v0.0.0-20190711103511-473e67f1d7d2 // indirect
github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2 // indirect
github.com/google/subcommands v1.0.1
github.com/gosuri/uitable v0.0.3
github.com/google/subcommands v1.2.0
github.com/gosuri/uitable v0.0.4
github.com/hashicorp/go-uuid v1.0.2
github.com/hashicorp/go-version v1.2.0
github.com/hashicorp/uuid v0.0.0-20160311170451-ebb0a03e909c
github.com/howeyc/gopass v0.0.0-20170109162249-bf9dde6d0d2c
github.com/jroimartin/gocui v0.4.0
github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88 // indirect
github.com/howeyc/gopass v0.0.0-20190910152052-7cb4b85ec19c
github.com/jesseduffield/gocui v0.3.0
github.com/k0kubun/pp v3.0.1+incompatible
github.com/knqyf263/go-apk-version v0.0.0-20200507080916-9f84b1e3c54c
github.com/knqyf263/go-cpe v0.0.0-20180327054844-659663f6eca2
github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936
github.com/knqyf263/go-version v1.1.1
github.com/knqyf263/gost v0.1.2
github.com/kotakanbe/go-cve-dictionary v0.4.0
github.com/knqyf263/gost v0.1.3
github.com/kotakanbe/go-cve-dictionary v0.4.2
github.com/kotakanbe/go-pingscanner v0.1.0
github.com/kotakanbe/goval-dictionary v0.2.2
github.com/kotakanbe/goval-dictionary v0.2.5
github.com/kotakanbe/logrus-prefixed-formatter v0.0.0-20180123152602-928f7356cb96
github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect
github.com/mitchellh/go-homedir v1.1.0
github.com/mozqnet/go-exploitdb v0.0.0-20190426034301-a055cc2c195d
github.com/mozqnet/go-exploitdb v0.0.0-20190911093644-f647f17ea8ca
github.com/nlopes/slack v0.6.0
github.com/nsf/termbox-go v0.0.0-20190817171036-93860e161317 // indirect
github.com/olekukonko/tablewriter v0.0.2-0.20190607075207-195002e6e56a
github.com/parnurzeal/gorequest v0.2.15
github.com/nsf/termbox-go v0.0.0-20200418040025-38ba6e5628f1 // indirect
github.com/olekukonko/tablewriter v0.0.4
github.com/parnurzeal/gorequest v0.2.16
github.com/rifflock/lfshook v0.0.0-20180920164130-b9218ef580f5
github.com/satori/go.uuid v1.2.0 // indirect
github.com/sirupsen/logrus v1.4.2
github.com/smartystreets/goconvey v0.0.0-20190731233626-505e41936337 // indirect
golang.org/x/crypto v0.0.0-20190909091759-094676da4a83
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7
github.com/sirupsen/logrus v1.5.0
github.com/spf13/afero v1.2.2
golang.org/x/crypto v0.0.0-20200427165652-729f1e841bcc
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543
k8s.io/utils v0.0.0-20191114184206-e782cd3c129f
)

580
go.sum
View File

File diff suppressed because it is too large Load Diff

51
gost/base.go Normal file
View File

@@ -0,0 +1,51 @@
package gost
import (
"fmt"
"net/http"
cnf "github.com/future-architect/vuls/config"
"github.com/future-architect/vuls/models"
"github.com/knqyf263/gost/db"
"github.com/parnurzeal/gorequest"
"golang.org/x/xerrors"
)
// Base is a base struct
type Base struct {
}
// FillCVEsWithRedHat fills cve information that has in Gost
func (b Base) FillCVEsWithRedHat(driver db.DB, r *models.ScanResult) error {
return RedHat{}.fillFixed(driver, r)
}
// CheckHTTPHealth do health check
func (b Base) CheckHTTPHealth() error {
if !cnf.Conf.Gost.IsFetchViaHTTP() {
return nil
}
url := fmt.Sprintf("%s/health", cnf.Conf.Gost.URL)
var errs []error
var resp *http.Response
resp, _, errs = gorequest.New().Get(url).End()
// resp, _, errs = gorequest.New().SetDebug(config.Conf.Debug).Get(url).End()
// resp, _, errs = gorequest.New().Proxy(api.httpProxy).Get(url).End()
if 0 < len(errs) || resp == nil || resp.StatusCode != 200 {
return xerrors.Errorf("Failed to connect to gost server. url: %s, errs: %w", url, errs)
}
return nil
}
// CheckIfGostFetched checks if oval entries are in DB by family, release.
func (b Base) CheckIfGostFetched(driver db.DB, osFamily string) (fetched bool, err error) {
//TODO
return true, nil
}
// CheckIfGostFresh checks if oval entries are fresh enough
func (b Base) CheckIfGostFresh(driver db.DB, osFamily string) (ok bool, err error) {
//TODO
return true, nil
}

4
gost/debian.go
View File

@@ -21,8 +21,8 @@ type packCves struct {
cves []models.CveContent
}
// FillWithGost fills cve information that has in Gost
func (deb Debian) FillWithGost(driver db.DB, r *models.ScanResult, _ bool) (nCVEs int, err error) {
// DetectUnfixed fills cve information that has in Gost
func (deb Debian) DetectUnfixed(driver db.DB, r *models.ScanResult, _ bool) (nCVEs int, err error) {
linuxImage := "linux-image-" + r.RunningKernel.Release
// Add linux and set the version of running kernel to search OVAL.
if r.Container.ContainerID == "" {

58
gost/gost.go
View File

@@ -1,20 +1,15 @@
package gost
import (
"fmt"
"net/http"
"strings"
cnf "github.com/future-architect/vuls/config"
"github.com/future-architect/vuls/models"
"github.com/knqyf263/gost/db"
"github.com/parnurzeal/gorequest"
"golang.org/x/xerrors"
)
// Client is the interface of OVAL client.
type Client interface {
FillWithGost(db.DB, *models.ScanResult, bool) (int, error)
DetectUnfixed(db.DB, *models.ScanResult, bool) (int, error)
FillCVEsWithRedHat(db.DB, *models.ScanResult) error
//TODO implement
// CheckHTTPHealth() error
@@ -36,52 +31,3 @@ func NewClient(family string) Client {
return Pseudo{}
}
}
// Base is a base struct
type Base struct {
family string
}
// CheckHTTPHealth do health check
func (b Base) CheckHTTPHealth() error {
if !cnf.Conf.Gost.IsFetchViaHTTP() {
return nil
}
url := fmt.Sprintf("%s/health", cnf.Conf.Gost.URL)
var errs []error
var resp *http.Response
resp, _, errs = gorequest.New().Get(url).End()
// resp, _, errs = gorequest.New().SetDebug(config.Conf.Debug).Get(url).End()
// resp, _, errs = gorequest.New().Proxy(api.httpProxy).Get(url).End()
if 0 < len(errs) || resp == nil || resp.StatusCode != 200 {
return xerrors.Errorf("Failed to connect to gost server. url: %s, errs: %w", url, errs)
}
return nil
}
// CheckIfGostFetched checks if oval entries are in DB by family, release.
func (b Base) CheckIfGostFetched(driver db.DB, osFamily string) (fetched bool, err error) {
//TODO
return true, nil
}
// CheckIfGostFresh checks if oval entries are fresh enough
func (b Base) CheckIfGostFresh(driver db.DB, osFamily string) (ok bool, err error) {
//TODO
return true, nil
}
// Pseudo is Gost client except for RedHat family and Debian
type Pseudo struct {
Base
}
// FillWithGost fills cve information that has in Gost
func (pse Pseudo) FillWithGost(driver db.DB, r *models.ScanResult, _ bool) (int, error) {
return 0, nil
}
func major(osVer string) (majorVersion string) {
return strings.Split(osVer, ".")[0]
}

4
gost/microsoft.go
View File

@@ -13,8 +13,8 @@ type Microsoft struct {
Base
}
// FillWithGost fills cve information that has in Gost
func (ms Microsoft) FillWithGost(driver db.DB, r *models.ScanResult, _ bool) (nCVEs int, err error) {
// DetectUnfixed fills cve information that has in Gost
func (ms Microsoft) DetectUnfixed(driver db.DB, r *models.ScanResult, _ bool) (nCVEs int, err error) {
if driver == nil {
return 0, nil
}

21
gost/pseudo.go Normal file
View File

@@ -0,0 +1,21 @@
package gost
import (
"github.com/future-architect/vuls/models"
"github.com/knqyf263/gost/db"
"strings"
)
// Pseudo is Gost client except for RedHat family and Debian
type Pseudo struct {
Base
}
// DetectUnfixed fills cve information that has in Gost
func (pse Pseudo) DetectUnfixed(driver db.DB, r *models.ScanResult, _ bool) (int, error) {
return 0, nil
}
func major(osVer string) (majorVersion string) {
return strings.Split(osVer, ".")[0]
}

11
gost/redhat.go
View File

@@ -17,12 +17,9 @@ type RedHat struct {
Base
}
// FillWithGost fills cve information that has in Gost
func (red RedHat) FillWithGost(driver db.DB, r *models.ScanResult, ignoreWillNotFix bool) (nCVEs int, err error) {
if nCVEs, err = red.fillUnfixed(driver, r, ignoreWillNotFix); err != nil {
return 0, err
}
return nCVEs, red.fillFixed(driver, r)
// DetectUnfixed fills cve information that has in Gost
func (red RedHat) DetectUnfixed(driver db.DB, r *models.ScanResult, ignoreWillNotFix bool) (nCVEs int, err error) {
return red.fillUnfixed(driver, r, ignoreWillNotFix)
}
func (red RedHat) fillFixed(driver db.DB, r *models.ScanResult) error {
@@ -71,7 +68,7 @@ func (red RedHat) fillFixed(driver db.DB, r *models.ScanResult) error {
return nil
}
for cveID, redCve := range driver.GetRedhatMulti(cveIDs) {
if redCve.ID == 0 {
if len(redCve.Name) == 0 {
continue
}
cveCont := red.ConvertToModel(&redCve)

78
libmanager/libManager.go
View File

@@ -1,33 +1,103 @@
package libmanager
import (
"github.com/aquasecurity/trivy/pkg/db"
"github.com/aquasecurity/trivy/pkg/log"
"context"
db2 "github.com/aquasecurity/trivy-db/pkg/db"
"github.com/aquasecurity/trivy/pkg/db"
"github.com/aquasecurity/trivy/pkg/github"
"github.com/aquasecurity/trivy/pkg/indicator"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/spf13/afero"
"golang.org/x/xerrors"
"k8s.io/utils/clock"
"github.com/future-architect/vuls/config"
"github.com/future-architect/vuls/models"
"github.com/future-architect/vuls/util"
)
// FillLibrary fills LibraryScanner informations
func FillLibrary(r *models.ScanResult) (totalCnt int, err error) {
if len(r.LibraryScanners) == 0 {
return
}
// initialize trivy's logger and db
err = log.InitLogger(false, false)
if err != nil {
return 0, err
}
if err := db.Init(); err != nil {
util.Log.Info("Updating library db...")
if err := downloadDB(config.Version, config.Conf.TrivyCacheDBDir, config.Conf.NoProgress, false, false); err != nil {
return 0, err
}
if err := db2.Init(config.Conf.TrivyCacheDBDir); err != nil {
return 0, err
}
defer db2.Close()
for _, lib := range r.LibraryScanners {
vinfos, err := lib.Scan()
if err != nil {
return 0, err
}
for _, vinfo := range vinfos {
vinfo.Confidences.AppendIfMissing(models.TrivyMatch)
r.ScannedCves[vinfo.CveID] = vinfo
}
totalCnt += len(vinfos)
}
db.Close()
return totalCnt, nil
}
func downloadDB(appVersion, cacheDir string, quiet, light, skipUpdate bool) error {
client := initializeDBClient(cacheDir, quiet)
ctx := context.Background()
needsUpdate, err := client.NeedsUpdate(appVersion, light, skipUpdate)
if err != nil {
return xerrors.Errorf("database error: %w", err)
}
if needsUpdate {
util.Log.Info("Need to update DB")
util.Log.Info("Downloading DB...")
if err := client.Download(ctx, cacheDir, light); err != nil {
return xerrors.Errorf("failed to download vulnerability DB: %w", err)
}
if err = client.UpdateMetadata(cacheDir); err != nil {
return xerrors.Errorf("unable to update database metadata: %w", err)
}
}
// for debug
if err := showDBInfo(cacheDir); err != nil {
return xerrors.Errorf("failed to show database info: %w", err)
}
return nil
}
func initializeDBClient(cacheDir string, quiet bool) db.Client {
config := db2.Config{}
client := github.NewClient()
progressBar := indicator.NewProgressBar(quiet)
realClock := clock.RealClock{}
fs := afero.NewOsFs()
metadata := db.NewMetadata(fs, cacheDir)
dbClient := db.NewClient(config, client, progressBar, realClock, metadata)
return dbClient
}
func showDBInfo(cacheDir string) error {
m := db.NewMetadata(afero.NewOsFs(), cacheDir)
metadata, err := m.Get()
if err != nil {
return xerrors.Errorf("something wrong with DB: %w", err)
}
util.Log.Debugf("DB Schema: %d, Type: %d, UpdatedAt: %s, NextUpdate: %s",
metadata.Version, metadata.Type, metadata.UpdatedAt, metadata.NextUpdate)
return nil
}

56
models/cvecontents.go
View File

@@ -3,7 +3,7 @@ package models
import (
"time"
"github.com/aquasecurity/trivy/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
)
// CveContents has CveContent
@@ -223,16 +223,18 @@ func NewCveContentType(name string) CveContentType {
return WPVulnDB
case "amazon":
return Amazon
case vulnerability.NodejsSecurityWg:
return NodeSec
case vulnerability.PythonSafetyDB:
return PythonSec
case vulnerability.RustSec:
return RustSec
case vulnerability.PhpSecurityAdvisories:
return PhpSec
case vulnerability.RubySec:
return RubySec
case "trivy":
return Trivy
// case vulnerability.NodejsSecurityWg:
// return NodeSec
// case vulnerability.PythonSafetyDB:
// return PythonSec
// case vulnerability.RustSec:
// return RustSec
// case vulnerability.PhpSecurityAdvisories:
// return PhpSec
// case vulnerability.RubySec:
// return RubySec
default:
return Unknown
}
@@ -278,20 +280,23 @@ const (
// WPVulnDB is WordPress
WPVulnDB CveContentType = "wpvulndb"
// Trivy is Trivy
Trivy CveContentType = "trivy"
// NodeSec : for JS
NodeSec CveContentType = "node"
// NodeSec CveContentType = "node"
// PythonSec : for PHP
PythonSec CveContentType = "python"
// // PythonSec : for PHP
// PythonSec CveContentType = "python"
// PhpSec : for PHP
PhpSec CveContentType = "php"
// // PhpSec : for PHP
// PhpSec CveContentType = "php"
// RubySec : for Ruby
RubySec CveContentType = "ruby"
// // RubySec : for Ruby
// RubySec CveContentType = "ruby"
// RustSec : for Rust
RustSec CveContentType = "rust"
// // RustSec : for Rust
// RustSec CveContentType = "rust"
// Unknown is Unknown
Unknown CveContentType = "unknown"
@@ -313,11 +318,12 @@ var AllCveContetTypes = CveContentTypes{
SUSE,
DebianSecurityTracker,
WPVulnDB,
NodeSec,
PythonSec,
PhpSec,
RubySec,
RustSec,
Trivy,
// NodeSec,
// PythonSec,
// PhpSec,
// RubySec,
// RustSec,
}
// Except returns CveContentTypes except for given args

103
models/library.go
View File

@@ -3,15 +3,35 @@ package models
import (
"path/filepath"
"github.com/aquasecurity/trivy/pkg/scanner/library"
"github.com/aquasecurity/trivy/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy-db/pkg/db"
trivyDBTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy/pkg/detector/library"
"github.com/aquasecurity/trivy/pkg/types"
"github.com/future-architect/vuls/util"
"golang.org/x/xerrors"
"github.com/aquasecurity/go-dep-parser/pkg/types"
// "github.com/aquasecurity/go-dep-parser/pkg/types"
"github.com/knqyf263/go-version"
)
// LibraryScanners is an array of LibraryScanner
type LibraryScanners []LibraryScanner
// Find : find by name
func (lss LibraryScanners) Find(name string) map[string]types.Library {
filtered := map[string]types.Library{}
for _, ls := range lss {
for _, lib := range ls.Libs {
if lib.Name == name {
filtered[ls.Path] = lib
break
}
}
}
return filtered
}
// LibraryScanner has libraries information
type LibraryScanner struct {
Path string
@@ -20,17 +40,11 @@ type LibraryScanner struct {
// Scan : scan target library
func (s LibraryScanner) Scan() ([]VulnInfo, error) {
scanner := library.NewScanner(filepath.Base(string(s.Path)))
scanner := library.DriverFactory{}.NewDriver(filepath.Base(string(s.Path)))
if scanner == nil {
return nil, xerrors.New("unknown file type")
}
util.Log.Info("Updating library db...")
err := scanner.UpdateDB()
if err != nil {
return nil, xerrors.Errorf("failed to update %s advisories: %w", scanner.Type(), err)
}
var vulnerabilities []VulnInfo
for _, pkg := range s.Libs {
v, err := version.NewVersion(pkg.Version)
@@ -43,6 +57,9 @@ func (s LibraryScanner) Scan() ([]VulnInfo, error) {
if err != nil {
return nil, xerrors.Errorf("failed to detect %s vulnerabilities: %w", scanner.Type(), err)
}
if len(tvulns) == 0 {
continue
}
vulns := s.convertFanalToVuln(tvulns)
vulnerabilities = append(vulnerabilities, vulns...)
@@ -51,25 +68,27 @@ func (s LibraryScanner) Scan() ([]VulnInfo, error) {
return vulnerabilities, nil
}
func (s LibraryScanner) convertFanalToVuln(tvulns []vulnerability.DetectedVulnerability) (vulns []VulnInfo) {
func (s LibraryScanner) convertFanalToVuln(tvulns []types.DetectedVulnerability) (vulns []VulnInfo) {
for _, tvuln := range tvulns {
vinfo, _ := s.getVulnDetail(tvuln)
vinfo, err := s.getVulnDetail(tvuln)
if err != nil {
util.Log.Debugf("failed to getVulnDetail. err: %s, tvun: %#v", err, tvuln)
continue
}
vulns = append(vulns, vinfo)
}
return vulns
}
func (s LibraryScanner) getVulnDetail(tvuln vulnerability.DetectedVulnerability) (vinfo VulnInfo, err error) {
details, err := vulnerability.Get(tvuln.VulnerabilityID)
func (s LibraryScanner) getVulnDetail(tvuln types.DetectedVulnerability) (vinfo VulnInfo, err error) {
vul, err := db.Config{}.GetVulnerability(tvuln.VulnerabilityID)
if err != nil {
return vinfo, err
} else if len(details) == 0 {
return vinfo, xerrors.Errorf("Unknown vulnID : %s", tvuln.VulnerabilityID)
}
vinfo.CveID = tvuln.VulnerabilityID
vinfo.CveContents = getCveContents(details)
if tvuln.FixedVersion != "" {
vinfo.CveID = tvuln.VulnerabilityID
vinfo.CveContents = getCveContents(tvuln.VulnerabilityID, vul)
if tvuln.FixedVersion != "" {
vinfo.LibraryFixedIns = []LibraryFixedIn{
{
Key: s.GetLibraryKey(),
@@ -81,38 +100,22 @@ func (s LibraryScanner) getVulnDetail(tvuln vulnerability.DetectedVulnerability)
return vinfo, nil
}
func getCveContents(details map[string]vulnerability.Vulnerability) (contents map[CveContentType]CveContent) {
func getCveContents(cveID string, vul trivyDBTypes.Vulnerability) (contents map[CveContentType]CveContent) {
contents = map[CveContentType]CveContent{}
for source, detail := range details {
refs := []Reference{}
for _, refURL := range detail.References {
refs = append(refs, Reference{Source: refURL, Link: refURL})
}
content := CveContent{
Type: NewCveContentType(source),
CveID: detail.ID,
Title: detail.Title,
Summary: detail.Description,
Cvss3Score: detail.CvssScoreV3,
Cvss3Severity: string(detail.SeverityV3),
Cvss2Score: detail.CvssScore,
Cvss2Severity: string(detail.Severity),
References: refs,
//SourceLink string `json:"sourceLink"`
//Cvss2Vector string `json:"cvss2Vector"`
//Cvss3Vector string `json:"cvss3Vector"`
//Cvss3Severity string `json:"cvss3Severity"`
//Cpes []Cpe `json:"cpes,omitempty"`
//CweIDs []string `json:"cweIDs,omitempty"`
//Published time.Time `json:"published"`
//LastModified time.Time `json:"lastModified"`
//Mitigation string `json:"mitigation"` // RedHat API
//Optional map[string]string `json:"optional,omitempty"`
}
contents[NewCveContentType(source)] = content
refs := []Reference{}
for _, refURL := range vul.References {
refs = append(refs, Reference{Source: "trivy", Link: refURL})
}
content := CveContent{
Type: Trivy,
CveID: cveID,
Title: vul.Title,
Summary: vul.Description,
Cvss3Severity: string(vul.Severity),
References: refs,
}
contents[Trivy] = content
return contents
}
@@ -122,7 +125,7 @@ var LibraryMap = map[string]string{
"yarn.lock": "node",
"Gemfile.lock": "ruby",
"Cargo.lock": "rust",
"composer.json": "php",
"composer.lock": "php",
"Pipfile.lock": "python",
"poetry.lock": "python",
}

104
models/library_test.go
View File

@@ -1,21 +1,23 @@
package models
import (
"reflect"
"testing"
godeptypes "github.com/aquasecurity/go-dep-parser/pkg/types"
"github.com/aquasecurity/trivy/pkg/db"
"github.com/aquasecurity/trivy-db/pkg/db"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/types"
"github.com/aquasecurity/trivy/pkg/utils"
)
func TestScan(t *testing.T) {
var tests = []struct {
path string
pkgs []godeptypes.Library
pkgs []types.Library
}{
{
path: "app/package-lock.json",
pkgs: []godeptypes.Library{
pkgs: []types.Library{
{
Name: "jquery",
Version: "2.2.4",
@@ -32,7 +34,8 @@ func TestScan(t *testing.T) {
t.Errorf("trivy logger failed")
}
if err := db.Init(); err != nil {
cacheDir := utils.DefaultCacheDir()
if err := db.Init(cacheDir); err != nil {
t.Errorf("trivy db.Init failed")
}
for _, v := range tests {
@@ -50,3 +53,94 @@ func TestScan(t *testing.T) {
}
db.Close()
}
func TestLibraryScanners_Find(t *testing.T) {
type args struct {
name string
}
tests := []struct {
name string
lss LibraryScanners
args args
want map[string]types.Library
}{
{
name: "single file",
lss: LibraryScanners{
{
Path: "/pathA",
Libs: []types.Library{
{
Name: "libA",
Version: "1.0.0",
},
},
},
},
args: args{"libA"},
want: map[string]types.Library{
"/pathA": {
Name: "libA",
Version: "1.0.0",
},
},
},
{
name: "multi file",
lss: LibraryScanners{
{
Path: "/pathA",
Libs: []types.Library{
{
Name: "libA",
Version: "1.0.0",
},
},
},
{
Path: "/pathB",
Libs: []types.Library{
{
Name: "libA",
Version: "1.0.5",
},
},
},
},
args: args{"libA"},
want: map[string]types.Library{
"/pathA": {
Name: "libA",
Version: "1.0.0",
},
"/pathB": {
Name: "libA",
Version: "1.0.5",
},
},
},
{
name: "miss",
lss: LibraryScanners{
{
Path: "/pathA",
Libs: []types.Library{
{
Name: "libA",
Version: "1.0.0",
},
},
},
},
args: args{"libB"},
want: map[string]types.Library{},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := tt.lss.Find(tt.args.name); !reflect.DeepEqual(got, tt.want) {
t.Errorf("LibraryScanners.Find() = %v, want %v", got, tt.want)
}
})
}
}

15
models/packages.go
View File

@@ -120,18 +120,23 @@ func (p Package) FormatNewVer() string {
}
// FormatVersionFromTo formats installed and new package version
func (p Package) FormatVersionFromTo(notFixedYet bool, status string) string {
func (p Package) FormatVersionFromTo(stat PackageFixStatus) string {
to := p.FormatNewVer()
if notFixedYet {
if status != "" {
to = status
if stat.NotFixedYet {
if stat.FixState != "" {
to = stat.FixState
} else {
to = "Not Fixed Yet"
}
} else if p.NewVersion == "" {
to = "Unknown"
}
return fmt.Sprintf("%s-%s -> %s", p.Name, p.FormatVer(), to)
var fixedIn string
if stat.FixedIn != "" {
fixedIn = fmt.Sprintf(" (FixedIn: %s)", stat.FixedIn)
}
return fmt.Sprintf("%s-%s -> %s%s",
p.Name, p.FormatVer(), to, fixedIn)
}
// FormatChangelog formats the changelog

122
models/packages_test.go
View File

@@ -175,3 +175,125 @@ func TestFindByBinName(t *testing.T) {
}
}
}
func TestPackage_FormatVersionFromTo(t *testing.T) {
type fields struct {
Name string
Version string
Release string
NewVersion string
NewRelease string
Arch string
Repository string
Changelog Changelog
AffectedProcs []AffectedProcess
NeedRestartProcs []NeedRestartProcess
}
type args struct {
stat PackageFixStatus
}
tests := []struct {
name string
fields fields
args args
want string
}{
{
name: "fixed",
fields: fields{
Name: "packA",
Version: "1.0.0",
Release: "a",
NewVersion: "1.0.1",
NewRelease: "b",
},
args: args{
stat: PackageFixStatus{
NotFixedYet: false,
FixedIn: "1.0.1-b",
},
},
want: "packA-1.0.0-a -> 1.0.1-b (FixedIn: 1.0.1-b)",
},
{
name: "nfy",
fields: fields{
Name: "packA",
Version: "1.0.0",
Release: "a",
},
args: args{
stat: PackageFixStatus{
NotFixedYet: true,
},
},
want: "packA-1.0.0-a -> Not Fixed Yet",
},
{
name: "nfy",
fields: fields{
Name: "packA",
Version: "1.0.0",
Release: "a",
},
args: args{
stat: PackageFixStatus{
NotFixedYet: false,
FixedIn: "1.0.1-b",
},
},
want: "packA-1.0.0-a -> Unknown (FixedIn: 1.0.1-b)",
},
{
name: "nfy2",
fields: fields{
Name: "packA",
Version: "1.0.0",
Release: "a",
},
args: args{
stat: PackageFixStatus{
NotFixedYet: true,
FixedIn: "1.0.1-b",
FixState: "open",
},
},
want: "packA-1.0.0-a -> open (FixedIn: 1.0.1-b)",
},
{
name: "nfy3",
fields: fields{
Name: "packA",
Version: "1.0.0",
Release: "a",
},
args: args{
stat: PackageFixStatus{
NotFixedYet: true,
FixedIn: "1.0.1-b",
FixState: "open",
},
},
want: "packA-1.0.0-a -> open (FixedIn: 1.0.1-b)",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
p := Package{
Name: tt.fields.Name,
Version: tt.fields.Version,
Release: tt.fields.Release,
NewVersion: tt.fields.NewVersion,
NewRelease: tt.fields.NewRelease,
Arch: tt.fields.Arch,
Repository: tt.fields.Repository,
Changelog: tt.fields.Changelog,
AffectedProcs: tt.fields.AffectedProcs,
NeedRestartProcs: tt.fields.NeedRestartProcs,
}
if got := p.FormatVersionFromTo(tt.args.stat); got != tt.want {
t.Errorf("Package.FormatVersionFromTo() = %v, want %v", got, tt.want)
}
})
}
}

44
models/scanresults.go
View File

@@ -24,7 +24,6 @@ type ScanResult struct {
Family string `json:"family"`
Release string `json:"release"`
Container Container `json:"container"`
Image Image `json:"image"`
Platform Platform `json:"platform"`
IPv4Addrs []string `json:"ipv4Addrs,omitempty"` // only global unicast address (https://golang.org/pkg/net/#IP.IsGlobalUnicast)
IPv6Addrs []string `json:"ipv6Addrs,omitempty"` // only global unicast address (https://golang.org/pkg/net/#IP.IsGlobalUnicast)
@@ -49,7 +48,7 @@ type ScanResult struct {
Packages Packages `json:"packages"`
SrcPackages SrcPackages `json:",omitempty"`
WordPressPackages *WordPressPackages `json:",omitempty"`
LibraryScanners []LibraryScanner `json:"libScanners"`
LibraryScanners LibraryScanners `json:"libraries,omitempty"`
CweDict CweDict `json:"cweDict,omitempty"`
Optional map[string]interface{} `json:",omitempty"`
Config struct {
@@ -62,7 +61,7 @@ type ScanResult struct {
type CweDict map[string]CweDictEntry
// Get the name, url, top10URL for the specified cweID, lang
func (c CweDict) Get(cweID, lang string) (name, url, top10Rank, top10URL string) {
func (c CweDict) Get(cweID, lang string) (name, url, top10Rank, top10URL, cweTop25Rank, cweTop25URL, sansTop25Rank, sansTop25URL string) {
cweNum := strings.TrimPrefix(cweID, "CWE-")
switch config.Conf.Lang {
case "ja":
@@ -70,6 +69,14 @@ func (c CweDict) Get(cweID, lang string) (name, url, top10Rank, top10URL string)
top10Rank = dict.OwaspTopTen2017
top10URL = cwe.OwaspTopTen2017GitHubURLJa[dict.OwaspTopTen2017]
}
if dict, ok := c[cweNum]; ok && dict.CweTopTwentyfive2019 != "" {
cweTop25Rank = dict.CweTopTwentyfive2019
cweTop25URL = cwe.CweTopTwentyfive2019URL
}
if dict, ok := c[cweNum]; ok && dict.SansTopTwentyfive != "" {
sansTop25Rank = dict.SansTopTwentyfive
sansTop25URL = cwe.SansTopTwentyfiveURL
}
if dict, ok := cwe.CweDictJa[cweNum]; ok {
name = dict.Name
url = fmt.Sprintf("http://jvndb.jvn.jp/ja/cwe/%s.html", cweID)
@@ -84,6 +91,14 @@ func (c CweDict) Get(cweID, lang string) (name, url, top10Rank, top10URL string)
top10Rank = dict.OwaspTopTen2017
top10URL = cwe.OwaspTopTen2017GitHubURLEn[dict.OwaspTopTen2017]
}
if dict, ok := c[cweNum]; ok && dict.CweTopTwentyfive2019 != "" {
cweTop25Rank = dict.CweTopTwentyfive2019
cweTop25URL = cwe.CweTopTwentyfive2019URL
}
if dict, ok := c[cweNum]; ok && dict.SansTopTwentyfive != "" {
sansTop25Rank = dict.SansTopTwentyfive
sansTop25URL = cwe.SansTopTwentyfiveURL
}
url = fmt.Sprintf("https://cwe.mitre.org/data/definitions/%s.html", cweID)
if dict, ok := cwe.CweDictEn[cweNum]; ok {
name = dict.Name
@@ -94,9 +109,11 @@ func (c CweDict) Get(cweID, lang string) (name, url, top10Rank, top10URL string)
// CweDictEntry is a entry of CWE
type CweDictEntry struct {
En *cwe.Cwe `json:"en,omitempty"`
Ja *cwe.Cwe `json:"ja,omitempty"`
OwaspTopTen2017 string `json:"owaspTopTen2017"`
En *cwe.Cwe `json:"en,omitempty"`
Ja *cwe.Cwe `json:"ja,omitempty"`
OwaspTopTen2017 string `json:"owaspTopTen2017"`
CweTopTwentyfive2019 string `json:"cweTopTwentyfive2019"`
SansTopTwentyfive string `json:"sansTopTwentyfive"`
}
// Kernel has the Release, version and whether need restart
@@ -255,7 +272,7 @@ func (r ScanResult) FilterInactiveWordPressLibs() ScanResult {
return r
}
// ReportFileName returns the filename on localhost without extention
// ReportFileName returns the filename on localhost without extension
func (r ScanResult) ReportFileName() (name string) {
if len(r.Container.ContainerID) == 0 {
return fmt.Sprintf("%s", r.ServerName)
@@ -263,7 +280,7 @@ func (r ScanResult) ReportFileName() (name string) {
return fmt.Sprintf("%s@%s", r.Container.Name, r.ServerName)
}
// ReportKeyName returns the name of key on S3, Azure-Blob without extention
// ReportKeyName returns the name of key on S3, Azure-Blob without extension
func (r ScanResult) ReportKeyName() (name string) {
timestr := r.ScannedAt.Format(time.RFC3339)
if len(r.Container.ContainerID) == 0 {
@@ -417,11 +434,6 @@ func (r ScanResult) IsContainer() bool {
return 0 < len(r.Container.ContainerID)
}
// IsImage returns whether this ServerInfo is about container
func (r ScanResult) IsImage() bool {
return 0 < len(r.Image.Name)
}
// IsDeepScanMode checks if the scan mode is deep scan mode.
func (r ScanResult) IsDeepScanMode() bool {
for _, s := range r.Config.Scan.Servers {
@@ -443,12 +455,6 @@ type Container struct {
UUID string `json:"uuid"`
}
// Image has Container information
type Image struct {
Name string `json:"name"`
Tag string `json:"tag"`
}
// Platform has platform information
type Platform struct {
Name string `json:"name"` // aws or azure or gcp or other...

61
models/vulninfos.go
View File

@@ -136,9 +136,10 @@ func (ps PackageFixStatuses) Sort() {
// PackageFixStatus has name and other status abount the package
type PackageFixStatus struct {
Name string `json:"name"`
NotFixedYet bool `json:"notFixedYet"`
FixState string `json:"fixState"`
Name string `json:"name,omitempty"`
NotFixedYet bool `json:"notFixedYet,omitempty"`
FixState string `json:"fixState,omitempty"`
FixedIn string `json:"fixedIn,omitempty"`
}
// VulnInfo has a vulnerability information and unsecure packages
@@ -199,6 +200,14 @@ type GitHubSecurityAlert struct {
// LibraryFixedIns is a list of Library's FixedIn
type LibraryFixedIns []LibraryFixedIn
// Names return a slice of names
func (lfs LibraryFixedIns) Names() (names []string) {
for _, lf := range lfs {
names = append(names, lf.Name)
}
return names
}
// WpPackageFixStats is a list of WpPackageFixStatus
type WpPackageFixStats []WpPackageFixStatus
@@ -236,7 +245,7 @@ func (v VulnInfo) Titles(lang, myFamily string) (values []CveContentStr) {
values = append(values, CveContentStr{RedHatAPI, cont.Title})
}
order := CveContentTypes{Nvd, NvdXML, NewCveContentType(myFamily)}
order := CveContentTypes{Trivy, Nvd, NvdXML, NewCveContentType(myFamily)}
order = append(order, AllCveContetTypes.Except(append(order, Jvn)...)...)
for _, ctype := range order {
// Only JVN has meaningful title. so return first 100 char of summary
@@ -276,7 +285,7 @@ func (v VulnInfo) Summaries(lang, myFamily string) (values []CveContentStr) {
}
}
order := CveContentTypes{Nvd, NvdXML, NewCveContentType(myFamily)}
order := CveContentTypes{Trivy, NewCveContentType(myFamily), Nvd, NvdXML}
order = append(order, AllCveContetTypes.Except(append(order, Jvn)...)...)
for _, ctype := range order {
if cont, found := v.CveContents[ctype]; found && 0 < len(cont.Summary) {
@@ -414,6 +423,18 @@ func (v VulnInfo) Cvss3Scores() (values []CveContentCvss) {
})
}
}
if cont, found := v.CveContents[Trivy]; found && cont.Cvss3Severity != "" {
values = append(values, CveContentCvss{
Type: Trivy,
Value: Cvss{
Type: CVSS3,
Score: severityToV2ScoreRoughly(cont.Cvss3Severity),
Severity: strings.ToUpper(cont.Cvss3Severity),
},
})
}
return
}
@@ -534,16 +555,17 @@ func (v VulnInfo) MaxCvss2Score() CveContentCvss {
func (v VulnInfo) AttackVector() string {
for _, cnt := range v.CveContents {
if strings.HasPrefix(cnt.Cvss2Vector, "AV:N") ||
strings.HasPrefix(cnt.Cvss3Vector, "CVSS:3.0/AV:N") {
return "N"
strings.Contains(cnt.Cvss3Vector, "AV:N") {
return "AV:N"
} else if strings.HasPrefix(cnt.Cvss2Vector, "AV:A") ||
strings.HasPrefix(cnt.Cvss3Vector, "CVSS:3.0/AV:A") {
return "A"
strings.Contains(cnt.Cvss3Vector, "AV:A") {
return "AV:A"
} else if strings.HasPrefix(cnt.Cvss2Vector, "AV:L") ||
strings.HasPrefix(cnt.Cvss3Vector, "CVSS:3.0/AV:L") {
return "L"
} else if strings.HasPrefix(cnt.Cvss3Vector, "CVSS:3.0/AV:P") {
return "P"
strings.Contains(cnt.Cvss3Vector, "AV:L") {
return "AV:L"
} else if strings.Contains(cnt.Cvss3Vector, "AV:P") {
// no AV:P in CVSS v2
return "AV:P"
}
}
if cont, found := v.CveContents[DebianSecurityTracker]; found {
@@ -565,6 +587,13 @@ func (v VulnInfo) PatchStatus(packs Packages) string {
return "unfixed"
}
// Fast and offline mode can not get the candidate version.
// Vuls can be considered as 'fixed' if not-fixed-yet==true and
// the fixed-in-version (information in the oval) is not an empty.
if p.FixedIn != "" {
continue
}
// fast, offline mode doesn't have new version
if pack, ok := packs[p.Name]; ok {
if pack.NewVersion == "" {
@@ -846,6 +875,9 @@ const (
// DebianSecurityTrackerMatchStr is a String representation of DebianSecurityTrackerMatch
DebianSecurityTrackerMatchStr = "DebianSecurityTrackerMatch"
// TrivyMatchStr is a String representation of Trivy
TrivyMatchStr = "TrivyMatch"
// ChangelogExactMatchStr is a String representation of ChangelogExactMatch
ChangelogExactMatchStr = "ChangelogExactMatch"
@@ -884,6 +916,9 @@ var (
// DebianSecurityTrackerMatch ranking how confident the CVE-ID was deteted correctly
DebianSecurityTrackerMatch = Confidence{100, DebianSecurityTrackerMatchStr, 0}
// TrivyMatch ranking how confident the CVE-ID was deteted correctly
TrivyMatch = Confidence{100, TrivyMatchStr, 0}
// ChangelogExactMatch is a ranking how confident the CVE-ID was deteted correctly
ChangelogExactMatch = Confidence{95, ChangelogExactMatchStr, 3}

99
models/vulninfos_test.go
View File

@@ -143,14 +143,14 @@ func TestSummaries(t *testing.T) {
Type: Jvn,
Value: "Title JVN\nSummary JVN",
},
{
Type: NvdXML,
Value: "Summary NVD",
},
{
Type: RedHat,
Value: "Summary RedHat",
},
{
Type: NvdXML,
Value: "Summary NVD",
},
},
},
// lang: en
@@ -177,14 +177,14 @@ func TestSummaries(t *testing.T) {
},
},
out: []CveContentStr{
{
Type: NvdXML,
Value: "Summary NVD",
},
{
Type: RedHat,
Value: "Summary RedHat",
},
{
Type: NvdXML,
Value: "Summary NVD",
},
},
},
// lang: empty
@@ -1080,3 +1080,86 @@ func TestDistroAdvisories_AppendIfMissing(t *testing.T) {
})
}
}
func TestVulnInfo_AttackVector(t *testing.T) {
type fields struct {
CveContents CveContents
}
tests := []struct {
name string
fields fields
want string
}{
{
name: "2.0:N",
fields: fields{
CveContents: NewCveContents(
CveContent{
Type: "foo",
Cvss2Vector: "AV:N/AC:L/Au:N/C:C/I:C/A:C",
},
),
},
want: "AV:N",
},
{
name: "2.0:A",
fields: fields{
CveContents: NewCveContents(
CveContent{
Type: "foo",
Cvss2Vector: "AV:A/AC:L/Au:N/C:C/I:C/A:C",
},
),
},
want: "AV:A",
},
{
name: "2.0:L",
fields: fields{
CveContents: NewCveContents(
CveContent{
Type: "foo",
Cvss2Vector: "AV:L/AC:L/Au:N/C:C/I:C/A:C",
},
),
},
want: "AV:L",
},
{
name: "3.0:N",
fields: fields{
CveContents: NewCveContents(
CveContent{
Type: "foo",
Cvss3Vector: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
},
),
},
want: "AV:N",
},
{
name: "3.1:N",
fields: fields{
CveContents: NewCveContents(
CveContent{
Type: "foo",
Cvss3Vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
},
),
},
want: "AV:N",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
v := VulnInfo{
CveContents: tt.fields.CveContents,
}
if got := v.AttackVector(); got != tt.want {
t.Errorf("VulnInfo.AttackVector() = %v, want %v", got, tt.want)
}
})
}
}

207
oval/debian.go
View File

@@ -2,6 +2,7 @@ package oval
import (
"fmt"
"strings"
"github.com/future-architect/vuls/config"
"github.com/future-architect/vuls/models"
@@ -42,17 +43,28 @@ func (o DebianBase) update(r *models.ScanResult, defPacks defPacks) {
vinfo.CveContents = cveContents
}
// uniq(vinfo.PackNames + defPacks.actuallyAffectedPackNames)
// uniq(vinfo.PackNames + defPacks.binpkgStat)
for _, pack := range vinfo.AffectedPackages {
defPacks.actuallyAffectedPackNames[pack.Name] = pack.NotFixedYet
defPacks.binpkgFixstat[pack.Name] = fixStat{
notFixedYet: pack.NotFixedYet,
fixedIn: pack.FixedIn,
isSrcPack: false,
}
}
// update notFixedYet of SrcPackage
for binName := range defPacks.actuallyAffectedPackNames {
// Update package status of source packages.
// In the case of Debian based Linux, sometimes source package name is difined as affected package in OVAL.
// To display binary package name showed in apt-get, need to convert source name to binary name.
for binName := range defPacks.binpkgFixstat {
if srcPack, ok := r.SrcPackages.FindByBinName(binName); ok {
for _, p := range defPacks.def.AffectedPacks {
if p.Name == srcPack.Name {
defPacks.actuallyAffectedPackNames[binName] = p.NotFixedYet
defPacks.binpkgFixstat[binName] = fixStat{
notFixedYet: p.NotFixedYet,
fixedIn: p.Version,
isSrcPack: true,
srcPackName: srcPack.Name,
}
}
}
}
@@ -134,9 +146,9 @@ func (o Debian) FillWithOval(driver db.DB, r *models.ScanResult) (nCVEs int, err
for _, defPacks := range relatedDefs.entries {
// Remove "linux" added above for oval search
// linux is not a real package name (key of affected packages in OVAL)
if notFixedYet, ok := defPacks.actuallyAffectedPackNames["linux"]; ok {
defPacks.actuallyAffectedPackNames[linuxImage] = notFixedYet
delete(defPacks.actuallyAffectedPackNames, "linux")
if notFixedYet, ok := defPacks.binpkgFixstat["linux"]; ok {
defPacks.binpkgFixstat[linuxImage] = notFixedYet
delete(defPacks.binpkgFixstat, "linux")
for i, p := range defPacks.def.AffectedPacks {
if p.Name == "linux" {
p.Name = linuxImage
@@ -178,61 +190,107 @@ func (o Ubuntu) FillWithOval(driver db.DB, r *models.ScanResult) (nCVEs int, err
switch major(r.Release) {
case "14":
kernelNamesInOval := []string{
"linux",
"linux-aws",
"linux-azure",
"linux-firmware",
"linux-lts-utopic",
"linux-lts-vivid",
"linux-lts-wily",
"linux-lts-xenial",
"linux-meta",
"linux-meta-aws",
"linux-meta-azure",
"linux-meta-lts-xenial",
"linux-signed",
"linux-signed-azure",
"linux-signed-lts-xenial",
"linux",
}
return o.fillWithOval(driver, r, kernelNamesInOval)
case "16":
kernelNamesInOval := []string{
"linux-image-aws",
"linux-image-aws-hwe",
"linux-image-azure",
"linux-image-extra-virtual",
"linux-image-extra-virtual-lts-utopic",
"linux-image-extra-virtual-lts-vivid",
"linux-image-extra-virtual-lts-wily",
"linux-image-extra-virtual-lts-xenial",
"linux-image-gcp",
"linux-image-generic-lpae",
"linux-image-generic-lpae-hwe-16.04",
"linux-image-generic-lpae-lts-utopic",
"linux-image-generic-lpae-lts-vivid",
"linux-image-generic-lpae-lts-wily",
"linux-image-generic-lpae-lts-xenial",
"linux-image-generic-lts-utopic",
"linux-image-generic-lts-vivid",
"linux-image-generic-lts-wily",
"linux-image-generic-lts-xenial",
"linux-image-gke",
"linux-image-hwe-generic-trusty",
"linux-image-hwe-virtual-trusty",
"linux-image-kvm",
"linux-image-lowlatency",
"linux-image-lowlatency-lts-utopic",
"linux-image-lowlatency-lts-vivid",
"linux-image-lowlatency-lts-wily",
"linux-aws",
"linux-aws-hwe",
"linux-azure",
"linux-euclid",
"linux-flo",
"linux-gcp",
"linux-gke",
"linux-goldfish",
"linux-hwe",
"linux-kvm",
"linux-mako",
"linux-meta",
"linux-meta-aws",
"linux-meta-aws-hwe",
"linux-meta-azure",
"linux-meta-gcp",
"linux-meta-hwe",
"linux-meta-kvm",
"linux-meta-oracle",
"linux-meta-raspi2",
"linux-meta-snapdragon",
"linux-oem",
"linux-oracle",
"linux-raspi2",
"linux-signed",
"linux-signed-azure",
"linux-signed-gcp",
"linux-signed-hwe",
"linux-signed-oracle",
"linux-snapdragon",
"linux",
}
return o.fillWithOval(driver, r, kernelNamesInOval)
case "18":
kernelNamesInOval := []string{
"linux-image-aws",
"linux-image-azure",
"linux-image-extra-virtual",
"linux-image-gcp",
"linux-image-generic-lpae",
"linux-image-kvm",
"linux-image-lowlatency",
"linux-image-oem",
"linux-image-oracle",
"linux-image-raspi2",
"linux-image-snapdragon",
"linux-image-virtual",
"linux-aws",
"linux-aws-5.0",
"linux-azure",
"linux-gcp",
"linux-gcp-5.3",
"linux-gke-4.15",
"linux-gke-5.0",
"linux-gke-5.3",
"linux-hwe",
"linux-kvm",
"linux-meta",
"linux-meta-aws",
"linux-meta-aws-5.0",
"linux-meta-azure",
"linux-meta-gcp",
"linux-meta-gcp-5.3",
"linux-meta-gke-4.15",
"linux-meta-gke-5.0",
"linux-meta-gke-5.3",
"linux-meta-hwe",
"linux-meta-kvm",
"linux-meta-oem",
"linux-meta-oem-osp1",
"linux-meta-oracle",
"linux-meta-oracle-5.0",
"linux-meta-oracle-5.3",
"linux-meta-raspi2",
"linux-meta-raspi2-5.3",
"linux-meta-snapdragon",
"linux-oem",
"linux-oem-osp1",
"linux-oracle",
"linux-oracle-5.0",
"linux-oracle-5.3",
"linux-raspi2",
"linux-raspi2-5.3",
"linux-signed",
"linux-signed-azure",
"linux-signed-gcp",
"linux-signed-gcp-5.3",
"linux-signed-gke-4.15",
"linux-signed-gke-5.0",
"linux-signed-gke-5.3",
"linux-signed-hwe",
"linux-signed-oem",
"linux-signed-oem-osp1",
"linux-signed-oracle",
"linux-signed-oracle-5.0",
"linux-signed-oracle-5.3",
"linux-snapdragon",
"linux",
}
return o.fillWithOval(driver, r, kernelNamesInOval)
}
@@ -240,12 +298,12 @@ func (o Ubuntu) FillWithOval(driver db.DB, r *models.ScanResult) (nCVEs int, err
}
func (o Ubuntu) fillWithOval(driver db.DB, r *models.ScanResult, kernelNamesInOval []string) (nCVEs int, err error) {
// kernel names in OVAL except for linux-image-generic
linuxImage := "linux-image-" + r.RunningKernel.Release
runningKernelVersion := ""
kernelPkgInOVAL := ""
isOVALKernelPkgAdded := true
isOVALKernelPkgAdded := false
unusedKernels := []models.Package{}
copiedSourcePkgs := models.SrcPackages{}
if r.Container.ContainerID == "" {
if v, ok := r.Packages[linuxImage]; ok {
@@ -270,17 +328,31 @@ func (o Ubuntu) fillWithOval(driver db.DB, r *models.ScanResult, kernelNamesInOv
}
}
if kernelPkgInOVAL == "" {
if r.Release == "14" {
kernelPkgInOVAL = "linux"
} else if _, ok := r.Packages["linux-image-generic"]; !ok {
util.Log.Warnf("The OVAL name of the running kernel image %s is not found. So vulns of linux-image-generic wll be detected. server: %s",
r.RunningKernel.Version, r.ServerName)
kernelPkgInOVAL = "linux-image-generic"
} else {
isOVALKernelPkgAdded = false
// Remove linux-* in order to detect only vulnerabilities in the running kernel.
for n := range r.Packages {
if n != kernelPkgInOVAL && strings.HasPrefix(n, "linux-") {
unusedKernels = append(unusedKernels, r.Packages[n])
delete(r.Packages, n)
}
}
for srcPackName, srcPack := range r.SrcPackages {
copiedSourcePkgs[srcPackName] = srcPack
targetBianryNames := []string{}
for _, n := range srcPack.BinaryNames {
if n == kernelPkgInOVAL || !strings.HasPrefix(n, "linux-") {
targetBianryNames = append(targetBianryNames, n)
}
}
srcPack.BinaryNames = targetBianryNames
r.SrcPackages[srcPackName] = srcPack
}
if kernelPkgInOVAL == "" {
util.Log.Warnf("The OVAL name of the running kernel image %+v is not found. So vulns of `linux` wll be detected. server: %s",
r.RunningKernel, r.ServerName)
kernelPkgInOVAL = "linux"
isOVALKernelPkgAdded = true
}
if runningKernelVersion != "" {
r.Packages[kernelPkgInOVAL] = models.Package{
@@ -307,13 +379,14 @@ func (o Ubuntu) fillWithOval(driver db.DB, r *models.ScanResult, kernelNamesInOv
for _, p := range unusedKernels {
r.Packages[p.Name] = p
}
r.SrcPackages = copiedSourcePkgs
for _, defPacks := range relatedDefs.entries {
// Remove "linux" added above to search for oval
// Remove "linux" added above for searching oval
// "linux" is not a real package name (key of affected packages in OVAL)
if nfy, ok := defPacks.actuallyAffectedPackNames[kernelPkgInOVAL]; isOVALKernelPkgAdded && ok {
defPacks.actuallyAffectedPackNames[linuxImage] = nfy
delete(defPacks.actuallyAffectedPackNames, kernelPkgInOVAL)
if nfy, ok := defPacks.binpkgFixstat[kernelPkgInOVAL]; isOVALKernelPkgAdded && ok {
defPacks.binpkgFixstat[linuxImage] = nfy
delete(defPacks.binpkgFixstat, kernelPkgInOVAL)
for i, p := range defPacks.def.AffectedPacks {
if p.Name == kernelPkgInOVAL {
p.Name = linuxImage

11
oval/debian_test.go
View File

@@ -33,8 +33,11 @@ func TestPackNamesOfUpdateDebian(t *testing.T) {
CveID: "CVE-2000-1000",
},
},
actuallyAffectedPackNames: map[string]bool{
"packB": true,
binpkgFixstat: map[string]fixStat{
"packB": {
notFixedYet: true,
fixedIn: "1.0.0",
},
},
},
out: models.ScanResult{
@@ -42,7 +45,7 @@ func TestPackNamesOfUpdateDebian(t *testing.T) {
"CVE-2000-1000": models.VulnInfo{
AffectedPackages: models.PackageFixStatuses{
{Name: "packA"},
{Name: "packB", NotFixedYet: true},
{Name: "packB", NotFixedYet: true, FixedIn: "1.0.0"},
{Name: "packC"},
},
},
@@ -57,7 +60,7 @@ func TestPackNamesOfUpdateDebian(t *testing.T) {
e := tt.out.ScannedCves["CVE-2000-1000"].AffectedPackages
a := tt.in.ScannedCves["CVE-2000-1000"].AffectedPackages
if !reflect.DeepEqual(a, e) {
t.Errorf("[%d] expected: %v\n actual: %v\n", i, e, a)
t.Errorf("[%d] expected: %#v\n actual: %#v\n", i, e, a)
}
}
}

29
oval/redhat.go
View File

@@ -120,10 +120,16 @@ func (o RedHatBase) update(r *models.ScanResult, defPacks defPacks) (nCVEs int)
// uniq(vinfo.PackNames + defPacks.actuallyAffectedPackNames)
for _, pack := range vinfo.AffectedPackages {
if nfy, ok := defPacks.actuallyAffectedPackNames[pack.Name]; !ok {
defPacks.actuallyAffectedPackNames[pack.Name] = pack.NotFixedYet
} else if nfy {
defPacks.actuallyAffectedPackNames[pack.Name] = true
if stat, ok := defPacks.binpkgFixstat[pack.Name]; !ok {
defPacks.binpkgFixstat[pack.Name] = fixStat{
notFixedYet: pack.NotFixedYet,
fixedIn: pack.FixedIn,
}
} else if stat.notFixedYet {
defPacks.binpkgFixstat[pack.Name] = fixStat{
notFixedYet: true,
fixedIn: pack.FixedIn,
}
}
}
vinfo.AffectedPackages = defPacks.toPackStatuses()
@@ -219,12 +225,17 @@ func (o RedHatBase) parseCvss2(scoreVector string) (score float64, vector string
// 5.6/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
func (o RedHatBase) parseCvss3(scoreVector string) (score float64, vector string) {
var err error
ss := strings.Split(scoreVector, "/CVSS:3.0/")
if 1 < len(ss) {
if score, err = strconv.ParseFloat(ss[0], 64); err != nil {
return 0, ""
for _, s := range []string{
"/CVSS:3.0/",
"/CVSS:3.1/",
} {
ss := strings.Split(scoreVector, s)
if 1 < len(ss) {
if score, err = strconv.ParseFloat(ss[0], 64); err != nil {
return 0, ""
}
return score, strings.TrimPrefix(s, "/") + ss[1]
}
return score, fmt.Sprintf("CVSS:3.0/%s", ss[1])
}
return 0, ""
}

14
oval/redhat_test.go
View File

@@ -59,6 +59,13 @@ func TestParseCvss3(t *testing.T) {
vector: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
},
},
{
in: "6.1/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
out: out{
score: 6.1,
vector: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
},
},
{
in: "",
out: out{
@@ -103,8 +110,11 @@ func TestPackNamesOfUpdate(t *testing.T) {
},
},
},
actuallyAffectedPackNames: map[string]bool{
"packB": true,
binpkgFixstat: map[string]fixStat{
"packB": {
notFixedYet: true,
fixedIn: "1.0.0",
},
},
},
out: models.ScanResult{

5
oval/suse.go
View File

@@ -75,7 +75,10 @@ func (o SUSE) update(r *models.ScanResult, defPacks defPacks) {
// uniq(vinfo.PackNames + defPacks.actuallyAffectedPackNames)
for _, pack := range vinfo.AffectedPackages {
defPacks.actuallyAffectedPackNames[pack.Name] = pack.NotFixedYet
defPacks.binpkgFixstat[pack.Name] = fixStat{
notFixedYet: pack.NotFixedYet,
fixedIn: pack.FixedIn,
}
}
vinfo.AffectedPackages = defPacks.toPackStatuses()
vinfo.AffectedPackages.Sort()

106
oval/util.go
View File

@@ -11,6 +11,7 @@ import (
"github.com/future-architect/vuls/config"
"github.com/future-architect/vuls/models"
"github.com/future-architect/vuls/util"
apkver "github.com/knqyf263/go-apk-version"
debver "github.com/knqyf263/go-deb-version"
rpmver "github.com/knqyf263/go-rpm-version"
"github.com/kotakanbe/goval-dictionary/db"
@@ -27,32 +28,42 @@ type defPacks struct {
def ovalmodels.Definition
// BinaryPackageName : NotFixedYet
actuallyAffectedPackNames map[string]bool
binpkgFixstat map[string]fixStat
}
type fixStat struct {
notFixedYet bool
fixedIn string
isSrcPack bool
srcPackName string
}
func (e defPacks) toPackStatuses() (ps models.PackageFixStatuses) {
for name, notFixedYet := range e.actuallyAffectedPackNames {
for name, stat := range e.binpkgFixstat {
ps = append(ps, models.PackageFixStatus{
Name: name,
NotFixedYet: notFixedYet,
NotFixedYet: stat.notFixedYet,
FixedIn: stat.fixedIn,
})
}
return
}
func (e *ovalResult) upsert(def ovalmodels.Definition, packName string, notFixedYet bool) (upserted bool) {
func (e *ovalResult) upsert(def ovalmodels.Definition, packName string, fstat fixStat) (upserted bool) {
// alpine's entry is empty since Alpine secdb is not OVAL format
if def.DefinitionID != "" {
for i, entry := range e.entries {
if entry.def.DefinitionID == def.DefinitionID {
e.entries[i].actuallyAffectedPackNames[packName] = notFixedYet
e.entries[i].binpkgFixstat[packName] = fstat
return true
}
}
}
e.entries = append(e.entries, defPacks{
def: def,
actuallyAffectedPackNames: map[string]bool{packName: notFixedYet},
def: def,
binpkgFixstat: map[string]fixStat{
packName: fstat,
},
})
return false
@@ -134,17 +145,27 @@ func getDefsByPackNameViaHTTP(r *models.ScanResult) (
select {
case res := <-resChan:
for _, def := range res.defs {
affected, notFixedYet := isOvalDefAffected(def, res.request, r.Family, r.RunningKernel)
affected, notFixedYet, fixedIn := isOvalDefAffected(def, res.request, r.Family, r.RunningKernel)
if !affected {
continue
}
if res.request.isSrcPack {
for _, n := range res.request.binaryPackNames {
relatedDefs.upsert(def, n, false)
fs := fixStat{
srcPackName: res.request.packName,
isSrcPack: true,
notFixedYet: notFixedYet,
fixedIn: fixedIn,
}
relatedDefs.upsert(def, n, fs)
}
} else {
relatedDefs.upsert(def, res.request.packName, notFixedYet)
fs := fixStat{
notFixedYet: notFixedYet,
fixedIn: fixedIn,
}
relatedDefs.upsert(def, res.request.packName, fs)
}
}
case err := <-errChan:
@@ -227,17 +248,27 @@ func getDefsByPackNameFromOvalDB(driver db.DB, r *models.ScanResult) (relatedDef
return relatedDefs, xerrors.Errorf("Failed to get %s OVAL info by package: %#v, err: %w", r.Family, req, err)
}
for _, def := range definitions {
affected, notFixedYet := isOvalDefAffected(def, req, r.Family, r.RunningKernel)
affected, notFixedYet, fixedIn := isOvalDefAffected(def, req, r.Family, r.RunningKernel)
if !affected {
continue
}
if req.isSrcPack {
for _, n := range req.binaryPackNames {
relatedDefs.upsert(def, n, false)
for _, binName := range req.binaryPackNames {
fs := fixStat{
notFixedYet: false,
isSrcPack: true,
fixedIn: fixedIn,
srcPackName: req.packName,
}
relatedDefs.upsert(def, binName, fs)
}
} else {
relatedDefs.upsert(def, req.packName, notFixedYet)
fs := fixStat{
notFixedYet: notFixedYet,
fixedIn: fixedIn,
}
relatedDefs.upsert(def, req.packName, fs)
}
}
}
@@ -255,7 +286,7 @@ func major(version string) string {
return ver[0:strings.Index(ver, ".")]
}
func isOvalDefAffected(def ovalmodels.Definition, req request, family string, running models.Kernel) (affected, notFixedYet bool) {
func isOvalDefAffected(def ovalmodels.Definition, req request, family string, running models.Kernel) (affected, notFixedYet bool, fixedIn string) {
for _, ovalPack := range def.AffectedPacks {
if req.packName != ovalPack.Name {
continue
@@ -274,7 +305,7 @@ func isOvalDefAffected(def ovalmodels.Definition, req request, family string, ru
}
if ovalPack.NotFixedYet {
return true, true
return true, true, ovalPack.Version
}
// Compare between the installed version vs the version in OVAL
@@ -282,9 +313,14 @@ func isOvalDefAffected(def ovalmodels.Definition, req request, family string, ru
if err != nil {
util.Log.Debugf("Failed to parse versions: %s, Ver: %#v, OVAL: %#v, DefID: %s",
err, req.versionRelease, ovalPack, def.DefinitionID)
return false, false
return false, false, ovalPack.Version
}
if less {
if req.isSrcPack {
// Unable to judge whether fixed or not-fixed of src package(Ubuntu, Debian)
return true, false, ovalPack.Version
}
// If the version of installed is less than in OVAL
switch family {
case config.RedHat,
@@ -293,7 +329,7 @@ func isOvalDefAffected(def ovalmodels.Definition, req request, family string, ru
config.Debian,
config.Ubuntu:
// Use fixed state in OVAL for these distros.
return true, false
return true, false, ovalPack.Version
}
// But CentOS can't judge whether fixed or unfixed.
@@ -304,7 +340,7 @@ func isOvalDefAffected(def ovalmodels.Definition, req request, family string, ru
// In these mode, the blow field was set empty.
// Vuls can not judge fixed or unfixed.
if req.newVersionRelease == "" {
return true, false
return true, false, ovalPack.Version
}
// compare version: newVer vs oval
@@ -312,26 +348,37 @@ func isOvalDefAffected(def ovalmodels.Definition, req request, family string, ru
if err != nil {
util.Log.Debugf("Failed to parse versions: %s, NewVer: %#v, OVAL: %#v, DefID: %s",
err, req.newVersionRelease, ovalPack, def.DefinitionID)
return false, false
return false, false, ovalPack.Version
}
return true, less
return true, less, ovalPack.Version
}
}
return false, false
return false, false, ""
}
var centosVerPattern = regexp.MustCompile(`\.[es]l(\d+)(?:_\d+)?(?:\.centos)?`)
var esVerPattern = regexp.MustCompile(`\.el(\d+)(?:_\d+)?`)
func lessThan(family, versionRelease string, packB ovalmodels.Package) (bool, error) {
func lessThan(family, newVer string, packInOVAL ovalmodels.Package) (bool, error) {
switch family {
case config.Debian,
config.Ubuntu:
vera, err := debver.NewVersion(versionRelease)
vera, err := debver.NewVersion(newVer)
if err != nil {
return false, err
}
verb, err := debver.NewVersion(packB.Version)
verb, err := debver.NewVersion(packInOVAL.Version)
if err != nil {
return false, err
}
return vera.LessThan(verb), nil
case config.Alpine:
vera, err := apkver.NewVersion(newVer)
if err != nil {
return false, err
}
verb, err := apkver.NewVersion(packInOVAL.Version)
if err != nil {
return false, err
}
@@ -339,16 +386,15 @@ func lessThan(family, versionRelease string, packB ovalmodels.Package) (bool, er
case config.Oracle,
config.SUSEEnterpriseServer,
config.Alpine,
config.Amazon:
vera := rpmver.NewVersion(versionRelease)
verb := rpmver.NewVersion(packB.Version)
vera := rpmver.NewVersion(newVer)
verb := rpmver.NewVersion(packInOVAL.Version)
return vera.LessThan(verb), nil
case config.RedHat,
config.CentOS:
vera := rpmver.NewVersion(centosVerPattern.ReplaceAllString(versionRelease, ".el$1"))
verb := rpmver.NewVersion(esVerPattern.ReplaceAllString(packB.Version, ".el$1"))
vera := rpmver.NewVersion(centosVerPattern.ReplaceAllString(newVer, ".el$1"))
verb := rpmver.NewVersion(esVerPattern.ReplaceAllString(packInOVAL.Version, ".el$1"))
return vera.LessThan(verb), nil
default:

121
oval/util_test.go
View File

@@ -12,12 +12,12 @@ import (
func TestUpsert(t *testing.T) {
var tests = []struct {
res ovalResult
def ovalmodels.Definition
packName string
notFixedYet bool
upserted bool
out ovalResult
res ovalResult
def ovalmodels.Definition
packName string
fixStat fixStat
upserted bool
out ovalResult
}{
//insert
{
@@ -25,17 +25,23 @@ func TestUpsert(t *testing.T) {
def: ovalmodels.Definition{
DefinitionID: "1111",
},
packName: "pack1",
notFixedYet: true,
upserted: false,
packName: "pack1",
fixStat: fixStat{
notFixedYet: true,
fixedIn: "1.0.0",
},
upserted: false,
out: ovalResult{
[]defPacks{
{
def: ovalmodels.Definition{
DefinitionID: "1111",
},
actuallyAffectedPackNames: map[string]bool{
"pack1": true,
binpkgFixstat: map[string]fixStat{
"pack1": {
notFixedYet: true,
fixedIn: "1.0.0",
},
},
},
},
@@ -49,16 +55,22 @@ func TestUpsert(t *testing.T) {
def: ovalmodels.Definition{
DefinitionID: "1111",
},
actuallyAffectedPackNames: map[string]bool{
"pack1": true,
binpkgFixstat: map[string]fixStat{
"pack1": {
notFixedYet: true,
fixedIn: "1.0.0",
},
},
},
{
def: ovalmodels.Definition{
DefinitionID: "2222",
},
actuallyAffectedPackNames: map[string]bool{
"pack3": true,
binpkgFixstat: map[string]fixStat{
"pack3": {
notFixedYet: true,
fixedIn: "2.0.0",
},
},
},
},
@@ -66,26 +78,38 @@ func TestUpsert(t *testing.T) {
def: ovalmodels.Definition{
DefinitionID: "1111",
},
packName: "pack2",
notFixedYet: false,
upserted: true,
packName: "pack2",
fixStat: fixStat{
notFixedYet: false,
fixedIn: "3.0.0",
},
upserted: true,
out: ovalResult{
[]defPacks{
{
def: ovalmodels.Definition{
DefinitionID: "1111",
},
actuallyAffectedPackNames: map[string]bool{
"pack1": true,
"pack2": false,
binpkgFixstat: map[string]fixStat{
"pack1": {
notFixedYet: true,
fixedIn: "1.0.0",
},
"pack2": {
notFixedYet: false,
fixedIn: "3.0.0",
},
},
},
{
def: ovalmodels.Definition{
DefinitionID: "2222",
},
actuallyAffectedPackNames: map[string]bool{
"pack3": true,
binpkgFixstat: map[string]fixStat{
"pack3": {
notFixedYet: true,
fixedIn: "2.0.0",
},
},
},
},
@@ -93,7 +117,7 @@ func TestUpsert(t *testing.T) {
},
}
for i, tt := range tests {
upserted := tt.res.upsert(tt.def, tt.packName, tt.notFixedYet)
upserted := tt.res.upsert(tt.def, tt.packName, tt.fixStat)
if tt.upserted != upserted {
t.Errorf("[%d]\nexpected: %t\n actual: %t\n", i, tt.upserted, upserted)
}
@@ -121,17 +145,27 @@ func TestDefpacksToPackStatuses(t *testing.T) {
{
Name: "a",
NotFixedYet: true,
Version: "1.0.0",
},
{
Name: "b",
NotFixedYet: false,
Version: "2.0.0",
},
},
},
actuallyAffectedPackNames: map[string]bool{
"a": true,
"b": true,
"c": true,
binpkgFixstat: map[string]fixStat{
"a": {
notFixedYet: true,
fixedIn: "1.0.0",
isSrcPack: false,
},
"b": {
notFixedYet: true,
fixedIn: "1.0.0",
isSrcPack: true,
srcPackName: "lib-b",
},
},
},
},
@@ -139,14 +173,12 @@ func TestDefpacksToPackStatuses(t *testing.T) {
{
Name: "a",
NotFixedYet: true,
FixedIn: "1.0.0",
},
{
Name: "b",
NotFixedYet: true,
},
{
Name: "c",
NotFixedYet: true,
FixedIn: "1.0.0",
},
},
},
@@ -173,6 +205,7 @@ func TestIsOvalDefAffected(t *testing.T) {
in in
affected bool
notFixedYet bool
fixedIn string
}{
// 0. Ubuntu ovalpack.NotFixedYet == true
{
@@ -187,6 +220,7 @@ func TestIsOvalDefAffected(t *testing.T) {
{
Name: "b",
NotFixedYet: true,
Version: "1.0.0",
},
},
},
@@ -196,6 +230,7 @@ func TestIsOvalDefAffected(t *testing.T) {
},
affected: true,
notFixedYet: true,
fixedIn: "1.0.0",
},
// 1. Ubuntu
// ovalpack.NotFixedYet == false
@@ -226,6 +261,7 @@ func TestIsOvalDefAffected(t *testing.T) {
},
affected: true,
notFixedYet: false,
fixedIn: "1.0.0-1",
},
// 2. Ubuntu
// ovalpack.NotFixedYet == false
@@ -285,6 +321,7 @@ func TestIsOvalDefAffected(t *testing.T) {
},
},
affected: true,
fixedIn: "1.0.0-3",
notFixedYet: false,
},
// 4. Ubuntu
@@ -318,6 +355,7 @@ func TestIsOvalDefAffected(t *testing.T) {
},
affected: true,
notFixedYet: false,
fixedIn: "1.0.0-2",
},
// 5 RedHat
{
@@ -345,6 +383,7 @@ func TestIsOvalDefAffected(t *testing.T) {
},
affected: true,
notFixedYet: false,
fixedIn: "0:1.2.3-45.el6_7.8",
},
// 6 RedHat
{
@@ -372,6 +411,7 @@ func TestIsOvalDefAffected(t *testing.T) {
},
affected: true,
notFixedYet: false,
fixedIn: "0:1.2.3-45.el6_7.8",
},
// 7 RedHat
{
@@ -451,6 +491,7 @@ func TestIsOvalDefAffected(t *testing.T) {
},
affected: true,
notFixedYet: false,
fixedIn: "0:1.2.3-45.el6_7.8",
},
// 10 RedHat
{
@@ -478,6 +519,7 @@ func TestIsOvalDefAffected(t *testing.T) {
},
affected: true,
notFixedYet: false,
fixedIn: "0:1.2.3-45.el6_7.8",
},
// 11 RedHat
{
@@ -504,6 +546,7 @@ func TestIsOvalDefAffected(t *testing.T) {
},
affected: true,
notFixedYet: false,
fixedIn: "0:1.2.3-45.el6_7.8",
},
// 12 RedHat
{
@@ -583,6 +626,7 @@ func TestIsOvalDefAffected(t *testing.T) {
},
affected: true,
notFixedYet: false,
fixedIn: "0:1.2.3-45.el6_7.8",
},
// 15
{
@@ -662,6 +706,7 @@ func TestIsOvalDefAffected(t *testing.T) {
},
affected: true,
notFixedYet: true,
fixedIn: "0:1.2.3-45.el6_7.8",
},
// 18
{
@@ -689,6 +734,7 @@ func TestIsOvalDefAffected(t *testing.T) {
},
affected: true,
notFixedYet: false,
fixedIn: "0:1.2.3-45.el6_7.8",
},
// 19
{
@@ -716,6 +762,7 @@ func TestIsOvalDefAffected(t *testing.T) {
},
affected: true,
notFixedYet: false,
fixedIn: "0:1.2.3-45.el6_7.8",
},
// 20
{
@@ -794,6 +841,7 @@ func TestIsOvalDefAffected(t *testing.T) {
},
affected: true,
notFixedYet: false,
fixedIn: "0:1.2.3-45.el6_7.8",
},
{
in: in{
@@ -870,6 +918,7 @@ func TestIsOvalDefAffected(t *testing.T) {
},
affected: true,
notFixedYet: true,
fixedIn: "0:1.2.3-45.el6_7.8",
},
{
in: in{
@@ -896,6 +945,7 @@ func TestIsOvalDefAffected(t *testing.T) {
},
affected: true,
notFixedYet: false,
fixedIn: "0:1.2.3-45.el6_7.8",
},
{
in: in{
@@ -922,6 +972,7 @@ func TestIsOvalDefAffected(t *testing.T) {
},
affected: true,
notFixedYet: false,
fixedIn: "0:1.2.3-45.el6_7.8",
},
{
in: in{
@@ -1021,16 +1072,20 @@ func TestIsOvalDefAffected(t *testing.T) {
},
affected: true,
notFixedYet: false,
fixedIn: "3.1.0",
},
}
for i, tt := range tests {
affected, notFixedYet := isOvalDefAffected(tt.in.def, tt.in.req, tt.in.family, tt.in.kernel)
affected, notFixedYet, fixedIn := isOvalDefAffected(tt.in.def, tt.in.req, tt.in.family, tt.in.kernel)
if tt.affected != affected {
t.Errorf("[%d] affected\nexpected: %v\n actual: %v\n", i, tt.affected, affected)
}
if tt.notFixedYet != notFixedYet {
t.Errorf("[%d] notfixedyet\nexpected: %v\n actual: %v\n", i, tt.notFixedYet, notFixedYet)
}
if tt.fixedIn != fixedIn {
t.Errorf("[%d] fixedIn\nexpected: %v\n actual: %v\n", i, tt.fixedIn, fixedIn)
}
}
}

59
report/report.go
View File

@@ -25,7 +25,7 @@ import (
"github.com/future-architect/vuls/oval"
"github.com/future-architect/vuls/util"
"github.com/future-architect/vuls/wordpress"
"github.com/hashicorp/uuid"
"github.com/hashicorp/go-uuid"
gostdb "github.com/knqyf263/gost/db"
cvedb "github.com/kotakanbe/go-cve-dictionary/db"
cvemodels "github.com/kotakanbe/go-cve-dictionary/models"
@@ -264,7 +264,7 @@ func fillCertAlerts(cvedetail *cvemodels.CveDetail) (dict models.AlertDict) {
dict.Ja = append(dict.Ja, models.Alert{
URL: cert.Link,
Title: cert.Title,
Team: "ja",
Team: "jp",
})
}
}
@@ -346,7 +346,10 @@ func FillWithGost(driver gostdb.DB, r *models.ScanResult, ignoreWillNotFix bool)
gostClient := gost.NewClient(r.Family)
// TODO chekc if fetched
// TODO chekc if fresh enough
return gostClient.FillWithGost(driver, r, ignoreWillNotFix)
if nCVEs, err = gostClient.DetectUnfixed(driver, r, ignoreWillNotFix); err != nil {
return
}
return nCVEs, gostClient.FillCVEsWithRedHat(driver, r)
}
// FillWithExploit fills Exploits with exploit dataabase
@@ -464,6 +467,12 @@ func fillCweDict(r *models.ScanResult) {
if rank, ok := cwe.OwaspTopTen2017[id]; ok {
entry.OwaspTopTen2017 = rank
}
if rank, ok := cwe.CweTopTwentyfive2019[id]; ok {
entry.CweTopTwentyfive2019 = rank
}
if rank, ok := cwe.SansTopTwentyfive[id]; ok {
entry.SansTopTwentyfive = rank
}
entry.En = &e
} else {
util.Log.Debugf("CWE-ID %s is not found in English CWE Dict", id)
@@ -475,6 +484,12 @@ func fillCweDict(r *models.ScanResult) {
if rank, ok := cwe.OwaspTopTen2017[id]; ok {
entry.OwaspTopTen2017 = rank
}
if rank, ok := cwe.CweTopTwentyfive2019[id]; ok {
entry.CweTopTwentyfive2019 = rank
}
if rank, ok := cwe.SansTopTwentyfive[id]; ok {
entry.SansTopTwentyfive = rank
}
entry.Ja = &e
} else {
util.Log.Debugf("CWE-ID %s is not found in Japanese CWE Dict", id)
@@ -489,23 +504,27 @@ func fillCweDict(r *models.ScanResult) {
const reUUID = "[\\da-f]{8}-[\\da-f]{4}-[\\da-f]{4}-[\\da-f]{4}-[\\da-f]{12}"
// Scanning with the -containers-only, -images-only flag at scan time, the UUID of Container Host may not be generated,
// Scanning with the -containers-only flag at scan time, the UUID of Container Host may not be generated,
// so check it. Otherwise create a UUID of the Container Host and set it.
func getOrCreateServerUUID(r models.ScanResult, server c.ServerInfo) (serverUUID string) {
func getOrCreateServerUUID(r models.ScanResult, server c.ServerInfo) (serverUUID string, err error) {
if id, ok := server.UUIDs[r.ServerName]; !ok {
serverUUID = uuid.GenerateUUID()
if serverUUID, err = uuid.GenerateUUID(); err != nil {
return "", xerrors.Errorf("Failed to generate UUID: %w", err)
}
} else {
matched, err := regexp.MatchString(reUUID, id)
if !matched || err != nil {
serverUUID = uuid.GenerateUUID()
if serverUUID, err = uuid.GenerateUUID(); err != nil {
return "", xerrors.Errorf("Failed to generate UUID: %w", err)
}
}
}
return serverUUID
return serverUUID, nil
}
// EnsureUUIDs generate a new UUID of the scan target server if UUID is not assigned yet.
// And then set the generated UUID to config.toml and scan results.
func EnsureUUIDs(configPath string, results models.ScanResults) error {
func EnsureUUIDs(configPath string, results models.ScanResults) (err error) {
// Sort Host->Container
sort.Slice(results, func(i, j int) bool {
if results[i].ServerName == results[j].ServerName {
@@ -523,13 +542,12 @@ func EnsureUUIDs(configPath string, results models.ScanResults) error {
name := ""
if r.IsContainer() {
name = fmt.Sprintf("%s@%s", r.Container.Name, r.ServerName)
if uuid := getOrCreateServerUUID(r, server); uuid != "" {
server.UUIDs[r.ServerName] = uuid
serverUUID, err := getOrCreateServerUUID(r, server)
if err != nil {
return err
}
} else if r.IsImage() {
name = fmt.Sprintf("%s:%s@%s", r.Image.Name, r.Image.Tag, r.ServerName)
if uuid := getOrCreateServerUUID(r, server); uuid != "" {
server.UUIDs[r.ServerName] = uuid
if serverUUID != "" {
server.UUIDs[r.ServerName] = serverUUID
}
} else {
name = r.ServerName
@@ -552,16 +570,19 @@ func EnsureUUIDs(configPath string, results models.ScanResults) error {
}
// Generate a new UUID and set to config and scan result
id := uuid.GenerateUUID()
server.UUIDs[name] = id
serverUUID, err := uuid.GenerateUUID()
if err != nil {
return err
}
server.UUIDs[name] = serverUUID
server = cleanForTOMLEncoding(server, c.Conf.Default)
c.Conf.Servers[r.ServerName] = server
if r.IsContainer() {
results[i].Container.UUID = id
results[i].Container.UUID = serverUUID
results[i].ServerUUID = server.UUIDs[r.ServerName]
} else {
results[i].ServerUUID = id
results[i].ServerUUID = serverUUID
}
}

5
report/report_test.go
View File

@@ -42,7 +42,10 @@ func TestGetOrCreateServerUUID(t *testing.T) {
}
for testcase, v := range cases {
uuid := getOrCreateServerUUID(v.scanResult, v.server)
uuid, err := getOrCreateServerUUID(v.scanResult, v.server)
if err != nil {
t.Errorf("%s", err)
}
if (uuid == defaultUUID) != v.isDefault {
t.Errorf("%s : expected isDefault %t got %s", testcase, v.isDefault, uuid)
}

16
report/slack.go
View File

@@ -329,14 +329,24 @@ func attachmentText(vinfo models.VulnInfo, osFamily string, cweDict map[string]m
func cweIDs(vinfo models.VulnInfo, osFamily string, cweDict models.CweDict) string {
links := []string{}
for _, c := range vinfo.CveContents.UniqCweIDs(osFamily) {
name, url, top10Rank, top10URL := cweDict.Get(c.Value, osFamily)
name, url, top10Rank, top10URL, cweTop25Rank, cweTop25URL, sansTop25Rank, sansTop25URL := cweDict.Get(c.Value, osFamily)
line := ""
if top10Rank != "" {
line = fmt.Sprintf("<%s|[OWASP Top %s]>",
top10URL, top10Rank)
}
links = append(links, fmt.Sprintf("%s <%s|%s>: %s",
line, url, c.Value, name))
if cweTop25Rank != "" {
line = fmt.Sprintf("<%s|[CWE Top %s]>",
cweTop25URL, cweTop25Rank)
}
if sansTop25Rank != "" {
line = fmt.Sprintf("<%s|[CWE/SANS Top %s]>",
sansTop25URL, sansTop25Rank)
}
if top10Rank == "" && cweTop25Rank == "" && sansTop25Rank == "" {
links = append(links, fmt.Sprintf("%s <%s|%s>: %s",
line, url, c.Value, name))
}
}
return strings.Join(links, "\n")
}

93
report/tui.go
View File

@@ -16,7 +16,7 @@ import (
"github.com/future-architect/vuls/util"
"github.com/google/subcommands"
"github.com/gosuri/uitable"
"github.com/jroimartin/gocui"
"github.com/jesseduffield/gocui"
)
var scanResults models.ScanResults
@@ -36,14 +36,15 @@ func RunTui(results models.ScanResults) subcommands.ExitStatus {
return scanResults[i].ServerName < scanResults[j].ServerName
})
g, err := gocui.NewGui(gocui.OutputNormal)
g := gocui.NewGui()
err := g.Init()
if err != nil {
util.Log.Errorf("%+v", err)
return subcommands.ExitFailure
}
defer g.Close()
g.SetManagerFunc(layout)
g.SetLayout(layout)
if err := keybindings(g); err != nil {
util.Log.Errorf("%+v", err)
return subcommands.ExitFailure
@@ -168,19 +169,19 @@ func nextView(g *gocui.Gui, v *gocui.View) error {
var err error
if v == nil {
_, err = g.SetCurrentView("side")
err = g.SetCurrentView("side")
}
switch v.Name() {
case "side":
_, err = g.SetCurrentView("summary")
err = g.SetCurrentView("summary")
case "summary":
_, err = g.SetCurrentView("detail")
err = g.SetCurrentView("detail")
case "detail":
_, err = g.SetCurrentView("changelog")
err = g.SetCurrentView("changelog")
case "changelog":
_, err = g.SetCurrentView("side")
err = g.SetCurrentView("side")
default:
_, err = g.SetCurrentView("summary")
err = g.SetCurrentView("summary")
}
return err
}
@@ -189,19 +190,19 @@ func previousView(g *gocui.Gui, v *gocui.View) error {
var err error
if v == nil {
_, err = g.SetCurrentView("side")
err = g.SetCurrentView("side")
}
switch v.Name() {
case "side":
_, err = g.SetCurrentView("side")
err = g.SetCurrentView("side")
case "summary":
_, err = g.SetCurrentView("side")
err = g.SetCurrentView("side")
case "detail":
_, err = g.SetCurrentView("summary")
err = g.SetCurrentView("summary")
case "changelog":
_, err = g.SetCurrentView("detail")
err = g.SetCurrentView("detail")
default:
_, err = g.SetCurrentView("side")
err = g.SetCurrentView("side")
}
return err
}
@@ -384,7 +385,7 @@ func cursorPageUp(g *gocui.Gui, v *gocui.View) error {
func previousSummary(g *gocui.Gui, v *gocui.View) error {
if v != nil {
// cursor to summary
if _, err := g.SetCurrentView("summary"); err != nil {
if err := g.SetCurrentView("summary"); err != nil {
return err
}
// move next line
@@ -392,7 +393,7 @@ func previousSummary(g *gocui.Gui, v *gocui.View) error {
return err
}
// cursor to detail
if _, err := g.SetCurrentView("detail"); err != nil {
if err := g.SetCurrentView("detail"); err != nil {
return err
}
}
@@ -402,7 +403,7 @@ func previousSummary(g *gocui.Gui, v *gocui.View) error {
func nextSummary(g *gocui.Gui, v *gocui.View) error {
if v != nil {
// cursor to summary
if _, err := g.SetCurrentView("summary"); err != nil {
if err := g.SetCurrentView("summary"); err != nil {
return err
}
// move next line
@@ -410,7 +411,7 @@ func nextSummary(g *gocui.Gui, v *gocui.View) error {
return err
}
// cursor to detail
if _, err := g.SetCurrentView("detail"); err != nil {
if err := g.SetCurrentView("detail"); err != nil {
return err
}
}
@@ -484,7 +485,7 @@ func getLine(g *gocui.Gui, v *gocui.View) error {
return err
}
fmt.Fprintln(v, l)
if _, err := g.SetCurrentView("msg"); err != nil {
if err := g.SetCurrentView("msg"); err != nil {
return err
}
}
@@ -507,7 +508,7 @@ func showMsg(g *gocui.Gui, v *gocui.View) error {
return err
}
fmt.Fprintln(v, l)
if _, err := g.SetCurrentView("msg"); err != nil {
if err := g.SetCurrentView("msg"); err != nil {
return err
}
}
@@ -518,7 +519,7 @@ func delMsg(g *gocui.Gui, v *gocui.View) error {
if err := g.DeleteView("msg"); err != nil {
return err
}
_, err := g.SetCurrentView("summary")
err := g.SetCurrentView("summary")
return err
}
@@ -568,7 +569,7 @@ func setSideLayout(g *gocui.Gui) error {
}
currentScanResult = scanResults[0]
vinfos = scanResults[0].ScannedCves.ToSortedSlice()
if _, err := g.SetCurrentView("side"); err != nil {
if err := g.SetCurrentView("side"); err != nil {
return err
}
}
@@ -621,15 +622,22 @@ func summaryLines(r models.ScanResult) string {
pkgNames = append(pkgNames, vinfo.CpeURIs...)
pkgNames = append(pkgNames, vinfo.GitHubSecurityAlerts.Names()...)
pkgNames = append(pkgNames, vinfo.WpPackageFixStats.Names()...)
pkgNames = append(pkgNames, vinfo.LibraryFixedIns.Names()...)
exploits := ""
if 0 < len(vinfo.Exploits) {
exploits = "POC"
}
var cols []string
cols = []string{
fmt.Sprintf(indexFormat, i+1),
vinfo.CveID,
cvssScore + " |",
fmt.Sprintf("%1s |", vinfo.AttackVector()),
fmt.Sprintf("%7s |", vinfo.PatchStatus(r.Packages)),
fmt.Sprintf("%4s |", vinfo.AttackVector()),
fmt.Sprintf("%3s |", exploits),
fmt.Sprintf("%6s |", vinfo.AlertDict.FormatSource()),
fmt.Sprintf("%7s |", vinfo.PatchStatus(r.Packages)),
strings.Join(pkgNames, ", "),
}
icols := make([]interface{}, len(cols))
@@ -700,12 +708,10 @@ func setChangelogLayout(g *gocui.Gui) error {
var line string
if pack.Repository != "" {
line = fmt.Sprintf("* %s (%s)",
pack.FormatVersionFromTo(affected.NotFixedYet, affected.FixState),
pack.FormatVersionFromTo(affected),
pack.Repository)
} else {
line = fmt.Sprintf("* %s",
pack.FormatVersionFromTo(affected.NotFixedYet, affected.FixState),
)
line = fmt.Sprintf("* %s", pack.FormatVersionFromTo(affected))
}
lines = append(lines, line)
@@ -747,17 +753,11 @@ func setChangelogLayout(g *gocui.Gui) error {
}
}
// check library fixedin
for _, scanner := range r.LibraryScanners {
key := scanner.GetLibraryKey()
for _, fixedin := range vinfo.LibraryFixedIns {
for _, lib := range scanner.Libs {
if fixedin.Key == key && lib.Name == fixedin.Name {
lines = append(lines, fmt.Sprintf("* %s-%s, FixedIn: %s",
lib.Name, lib.Version, fixedin.FixedIn))
continue
}
}
for _, l := range vinfo.LibraryFixedIns {
libs := r.LibraryScanners.Find(l.Name)
for path, lib := range libs {
lines = append(lines, fmt.Sprintf("%s-%s, FixedIn: %s (%s)",
lib.Name, lib.Version, l.FixedIn, path))
}
}
@@ -871,15 +871,24 @@ func detailLines() (string, error) {
links = append(links, url)
}
refs := []models.Reference{}
refsMap := map[string]models.Reference{}
for _, rr := range vinfo.CveContents.References(r.Family) {
for _, ref := range rr.Value {
if ref.Source == "" {
ref.Source = "-"
}
refs = append(refs, ref)
refsMap[ref.Link] = ref
}
}
if cont, found := vinfo.CveContents[models.Trivy]; found {
for _, ref := range cont.References {
refsMap[ref.Link] = ref
}
}
refs := []models.Reference{}
for _, v := range refsMap {
refs = append(refs, v)
}
summary := vinfo.Summaries(r.Lang, r.Family)[0]
mitigation := vinfo.Mitigations(r.Family)[0]

53
report/util.go
View File

@@ -127,7 +127,7 @@ No CVE-IDs are found in updatable packages.
exploits := ""
if 0 < len(vinfo.Exploits) {
exploits = " Y"
exploits = "POC"
}
link := ""
@@ -139,13 +139,13 @@ No CVE-IDs are found in updatable packages.
data = append(data, []string{
vinfo.CveID,
fmt.Sprintf("%7s", vinfo.PatchStatus(r.Packages)),
vinfo.AlertDict.FormatSource(),
fmt.Sprintf("%4.1f", max),
fmt.Sprintf("%5s", vinfo.AttackVector()),
// fmt.Sprintf("%4.1f", v2max),
// fmt.Sprintf("%4.1f", v3max),
fmt.Sprintf("%2s", vinfo.AttackVector()),
exploits,
vinfo.AlertDict.FormatSource(),
fmt.Sprintf("%7s", vinfo.PatchStatus(r.Packages)),
link,
})
}
@@ -154,13 +154,13 @@ No CVE-IDs are found in updatable packages.
table := tablewriter.NewWriter(&b)
table.SetHeader([]string{
"CVE-ID",
"Fixed",
"CERT",
"CVSS",
"Attack",
// "v3",
// "v2",
"AV",
"PoC",
"CERT",
"Fixed",
"NVD",
})
table.SetBorder(true)
@@ -217,14 +217,28 @@ No CVE-IDs are found in updatable packages.
}
cweURLs, top10URLs := []string{}, []string{}
cweTop25URLs, sansTop25URLs := []string{}, []string{}
for _, v := range vuln.CveContents.UniqCweIDs(r.Family) {
name, url, top10Rank, top10URL := r.CweDict.Get(v.Value, r.Lang)
name, url, top10Rank, top10URL, cweTop25Rank, cweTop25URL, sansTop25Rank, sansTop25URL := r.CweDict.Get(v.Value, r.Lang)
if top10Rank != "" {
data = append(data, []string{"CWE",
fmt.Sprintf("[OWASP Top%s] %s: %s (%s)",
top10Rank, v.Value, name, v.Type)})
top10URLs = append(top10URLs, top10URL)
} else {
}
if cweTop25Rank != "" {
data = append(data, []string{"CWE",
fmt.Sprintf("[CWE Top%s] %s: %s (%s)",
cweTop25Rank, v.Value, name, v.Type)})
cweTop25URLs = append(cweTop25URLs, cweTop25URL)
}
if sansTop25Rank != "" {
data = append(data, []string{"CWE",
fmt.Sprintf("[CWE/SANS Top%s] %s: %s (%s)",
sansTop25Rank, v.Value, name, v.Type)})
sansTop25URLs = append(sansTop25URLs, sansTop25URL)
}
if top10Rank == "" && cweTop25Rank == "" && sansTop25Rank == "" {
data = append(data, []string{"CWE", fmt.Sprintf("%s: %s (%s)",
v.Value, name, v.Type)})
}
@@ -237,12 +251,10 @@ No CVE-IDs are found in updatable packages.
var line string
if pack.Repository != "" {
line = fmt.Sprintf("%s (%s)",
pack.FormatVersionFromTo(affected.NotFixedYet, affected.FixState),
pack.FormatVersionFromTo(affected),
pack.Repository)
} else {
line = fmt.Sprintf("%s",
pack.FormatVersionFromTo(affected.NotFixedYet, affected.FixState),
)
line = pack.FormatVersionFromTo(affected)
}
data = append(data, []string{"Affected Pkg", line})
@@ -279,6 +291,15 @@ No CVE-IDs are found in updatable packages.
}
}
for _, l := range vuln.LibraryFixedIns {
libs := r.LibraryScanners.Find(l.Name)
for path, lib := range libs {
data = append(data, []string{l.Key,
fmt.Sprintf("%s-%s, FixedIn: %s (%s)",
lib.Name, lib.Version, l.FixedIn, path)})
}
}
for _, confidence := range vuln.Confidences {
data = append(data, []string{"Confidence", confidence.String()})
}
@@ -309,6 +330,12 @@ No CVE-IDs are found in updatable packages.
for _, url := range top10URLs {
data = append(data, []string{"OWASP Top10", url})
}
if len(cweTop25URLs) != 0 {
data = append(data, []string{"CWE Top25", cweTop25URLs[0]})
}
if len(sansTop25URLs) != 0 {
data = append(data, []string{"SANS/CWE Top25", sansTop25URLs[0]})
}
for _, alert := range vuln.AlertDict.Ja {
data = append(data, []string{"JPCERT Alert", alert.URL})

3
scan/alpine.go
View File

@@ -75,7 +75,8 @@ func (o *alpine) apkUpdate() error {
func (o *alpine) preCure() error {
o.log.Infof("Scanning in %s", o.getServerInfo().Mode)
if err := o.detectIPAddr(); err != nil {
o.log.Debugf("Failed to detect IP addresses: %s", err)
o.log.Warnf("Failed to detect IP addresses: %s", err)
o.warns = append(o.warns, err)
}
// Ignore this error as it just failed to detect the IP addresses
return nil

12
scan/base.go
View File

@@ -416,11 +416,6 @@ func (l *base) convertToModel() models.ScanResult {
Type: ctype,
}
image := models.Image{
Name: l.ServerInfo.Image.Name,
Tag: l.ServerInfo.Image.Tag,
}
errs, warns := []string{}, []string{}
for _, e := range l.errs {
errs = append(errs, fmt.Sprintf("%+v", e))
@@ -444,7 +439,6 @@ func (l *base) convertToModel() models.ScanResult {
Family: l.Distro.Family,
Release: l.Distro.Release,
Container: container,
Image: image,
Platform: l.Platform,
IPv4Addrs: l.ServerInfo.IPv4Addrs,
IPv6Addrs: l.ServerInfo.IPv6Addrs,
@@ -555,7 +549,7 @@ func (l *base) scanLibraries() (err error) {
// find / -name "*package-lock.json" -o -name "*yarn.lock" ... 2>&1 | grep -v "Permission denied"
cmd := fmt.Sprintf(`find / ` + findopt[:len(findopt)-3] + ` 2>&1 | grep -v "Permission denied"`)
r := exec(l.ServerInfo, cmd, noSudo)
if !r.isSuccess() {
if r.ExitStatus != 0 && r.ExitStatus != 1 {
return xerrors.Errorf("Failed to find lock files")
}
detectFiles = append(detectFiles, strings.Split(r.Stdout, "\n")...)
@@ -670,7 +664,7 @@ func (l *base) detectWpCore() (string, error) {
}
func (l *base) detectWpThemes() ([]models.WpPackage, error) {
cmd := fmt.Sprintf("sudo -u %s -i -- %s theme list --path=%s --format=json --allow-root",
cmd := fmt.Sprintf("sudo -u %s -i -- %s theme list --path=%s --format=json --allow-root 2>/dev/null",
l.ServerInfo.WordPress.OSUser,
l.ServerInfo.WordPress.CmdPath,
l.ServerInfo.WordPress.DocRoot)
@@ -691,7 +685,7 @@ func (l *base) detectWpThemes() ([]models.WpPackage, error) {
}
func (l *base) detectWpPlugins() ([]models.WpPackage, error) {
cmd := fmt.Sprintf("sudo -u %s -i -- %s plugin list --path=%s --format=json --allow-root",
cmd := fmt.Sprintf("sudo -u %s -i -- %s plugin list --path=%s --format=json --allow-root 2>/dev/null",
l.ServerInfo.WordPress.OSUser,
l.ServerInfo.WordPress.CmdPath,
l.ServerInfo.WordPress.DocRoot)

14
scan/centos.go
View File

@@ -49,11 +49,8 @@ func (o *centos) depsFast() []string {
}
// repoquery
majorVersion, _ := o.Distro.MajorVersion()
if majorVersion < 8 {
return []string{"yum-utils"}
}
return []string{"dnf-utils"}
// `rpm -qa` shows dnf-utils as yum-utils on RHEL8, CentOS8
return []string{"yum-utils"}
}
func (o *centos) depsFastRoot() []string {
@@ -62,11 +59,8 @@ func (o *centos) depsFastRoot() []string {
}
// repoquery
majorVersion, _ := o.Distro.MajorVersion()
if majorVersion < 8 {
return []string{"yum-utils"}
}
return []string{"dnf-utils"}
// `rpm -qa` shows dnf-utils as yum-utils on RHEL8, CentOS8
return []string{"yum-utils"}
}
func (o *centos) depsDeep() []string {

215
scan/container.go
View File

@@ -1,215 +0,0 @@
package scan
import (
"context"
"fmt"
"strings"
"time"
"github.com/aquasecurity/fanal/analyzer"
"golang.org/x/xerrors"
fanalos "github.com/aquasecurity/fanal/analyzer/os"
godeptypes "github.com/aquasecurity/go-dep-parser/pkg/types"
"github.com/future-architect/vuls/config"
"github.com/future-architect/vuls/models"
"github.com/future-architect/vuls/util"
// Register library analyzers
_ "github.com/aquasecurity/fanal/analyzer/library/bundler"
_ "github.com/aquasecurity/fanal/analyzer/library/cargo"
_ "github.com/aquasecurity/fanal/analyzer/library/composer"
_ "github.com/aquasecurity/fanal/analyzer/library/npm"
_ "github.com/aquasecurity/fanal/analyzer/library/pipenv"
_ "github.com/aquasecurity/fanal/analyzer/library/poetry"
_ "github.com/aquasecurity/fanal/analyzer/library/yarn"
// Register os analyzers
_ "github.com/aquasecurity/fanal/analyzer/os/alpine"
_ "github.com/aquasecurity/fanal/analyzer/os/amazonlinux"
_ "github.com/aquasecurity/fanal/analyzer/os/debianbase"
_ "github.com/aquasecurity/fanal/analyzer/os/opensuse"
_ "github.com/aquasecurity/fanal/analyzer/os/redhatbase"
// Register package analyzers
_ "github.com/aquasecurity/fanal/analyzer/pkg/apk"
_ "github.com/aquasecurity/fanal/analyzer/pkg/dpkg"
_ "github.com/aquasecurity/fanal/analyzer/pkg/rpmcmd"
)
// inherit OsTypeInterface
type image struct {
base
}
// newDummyOS is constructor
func newDummyOS(c config.ServerInfo) *image {
d := &image{
base: base{
osPackages: osPackages{
Packages: models.Packages{},
VulnInfos: models.VulnInfos{},
},
},
}
d.log = util.NewCustomLogger(c)
d.setServerInfo(c)
return d
}
func detectContainerImage(c config.ServerInfo) (itsMe bool, containerImage osTypeInterface, err error) {
if err = config.IsValidImage(c.Image); err != nil {
return false, nil, nil
}
os, pkgs, libs, err := scanImage(c)
if err != nil {
// use Alpine for setErrs
return false, newDummyOS(c), err
}
switch os.Family {
case fanalos.OpenSUSELeap, fanalos.OpenSUSETumbleweed, fanalos.OpenSUSE:
return false, newDummyOS(c), xerrors.Errorf("Unsupported OS : %s", os.Family)
}
libScanners, err := convertLibWithScanner(libs)
if err != nil {
return false, newDummyOS(c), err
}
osName := os.Name
switch os.Family {
case fanalos.Amazon:
osName = "1"
if strings.HasPrefix(os.Family, "2") {
osName = "2"
}
}
p := newContainerImage(c, pkgs, libScanners)
p.setDistro(os.Family, osName)
return true, p, nil
}
func convertLibWithScanner(libs map[analyzer.FilePath][]godeptypes.Library) ([]models.LibraryScanner, error) {
scanners := []models.LibraryScanner{}
for path, pkgs := range libs {
scanners = append(scanners, models.LibraryScanner{Path: string(path), Libs: pkgs})
}
return scanners, nil
}
// scanImage returns os, packages on image layers
func scanImage(c config.ServerInfo) (os *analyzer.OS, pkgs []analyzer.Package, libs map[analyzer.FilePath][]godeptypes.Library, err error) {
ctx := context.Background()
domain := c.Image.Name + ":" + c.Image.Tag
util.Log.Info("Start fetch container... ", domain)
// Configure dockerOption
dockerOption := c.Image.DockerOption
if dockerOption.Timeout == 0 {
dockerOption.Timeout = 60 * time.Second
}
files, err := analyzer.Analyze(ctx, domain, dockerOption)
if err != nil {
return nil, nil, nil, xerrors.Errorf("Failed scan files %q, %w", domain, err)
}
containerOs, err := analyzer.GetOS(files)
if err != nil {
return nil, nil, nil, xerrors.Errorf("Failed scan os %q, %w", domain, err)
}
pkgs, err = analyzer.GetPackages(files)
if err != nil {
return nil, nil, nil, xerrors.Errorf("Failed scan pkgs %q, %w", domain, err)
}
libs, err = analyzer.GetLibraries(files)
if err != nil {
return nil, nil, nil, xerrors.Errorf("Failed scan libs %q, %w", domain, err)
}
return &containerOs, pkgs, libs, nil
}
func convertFanalToVulsPkg(pkgs []analyzer.Package) (map[string]models.Package, map[string]models.SrcPackage) {
modelPkgs := map[string]models.Package{}
modelSrcPkgs := map[string]models.SrcPackage{}
for _, pkg := range pkgs {
version := pkg.Version
if pkg.Epoch != 0 {
version = fmt.Sprintf("%d:%s", pkg.Epoch, pkg.Version)
}
modelPkgs[pkg.Name] = models.Package{
Name: pkg.Name,
Release: pkg.Release,
Version: version,
Arch: pkg.Arch,
}
// add SrcPacks
if pkg.Name != pkg.SrcName {
if pack, ok := modelSrcPkgs[pkg.SrcName]; ok {
pack.AddBinaryName(pkg.Name)
modelSrcPkgs[pkg.SrcName] = pack
} else {
modelSrcPkgs[pkg.SrcName] = models.SrcPackage{
Name: pkg.SrcName,
Version: pkg.SrcVersion,
Arch: pkg.Arch,
BinaryNames: []string{pkg.Name},
}
}
}
}
return modelPkgs, modelSrcPkgs
}
func newContainerImage(c config.ServerInfo, pkgs []analyzer.Package, libs []models.LibraryScanner) *image {
modelPkgs, modelSrcPkgs := convertFanalToVulsPkg(pkgs)
d := &image{
base: base{
osPackages: osPackages{
Packages: modelPkgs,
SrcPackages: modelSrcPkgs,
VulnInfos: models.VulnInfos{},
},
LibraryScanners: libs,
},
}
d.log = util.NewCustomLogger(c)
d.setServerInfo(c)
return d
}
func (o *image) checkScanMode() error {
return nil
}
func (o *image) checkIfSudoNoPasswd() error {
return nil
}
func (o *image) checkDeps() error {
return nil
}
func (o *image) preCure() error {
return nil
}
func (o *image) postScan() error {
return nil
}
func (o *image) scanPackages() error {
return nil
}
func (o *image) parseInstalledPackages(string) (models.Packages, models.SrcPackages, error) {
return nil, nil, nil
}
func (o *image) detectPlatform() {
o.setPlatform(models.Platform{Name: "image"})
}

3
scan/debian.go
View File

@@ -241,7 +241,8 @@ func (o *debian) checkDeps() error {
func (o *debian) preCure() error {
o.log.Infof("Scanning in %s", o.getServerInfo().Mode)
if err := o.detectIPAddr(); err != nil {
o.log.Debugf("Failed to detect IP addresses: %s", err)
o.log.Warnf("Failed to detect IP addresses: %s", err)
o.warns = append(o.warns, err)
}
// Ignore this error as it just failed to detect the IP addresses
return nil

4
scan/debian_test.go
View File

@@ -3,6 +3,7 @@ package scan
import (
"os"
"reflect"
"sort"
"testing"
"github.com/future-architect/vuls/cache"
@@ -729,8 +730,8 @@ dpkg-query: no path found matching pattern /lib/udev/hwdb.bin
libuuid1:amd64: /lib/x86_64-linux-gnu/libuuid.so.1.3.0`,
},
wantPkgNames: []string{
"udev",
"libuuid1",
"udev",
},
},
}
@@ -738,6 +739,7 @@ libuuid1:amd64: /lib/x86_64-linux-gnu/libuuid.so.1.3.0`,
t.Run(tt.name, func(t *testing.T) {
o := &debian{}
gotPkgNames := o.parseGetPkgName(tt.args.stdout)
sort.Strings(gotPkgNames)
if !reflect.DeepEqual(gotPkgNames, tt.wantPkgNames) {
t.Errorf("debian.parseGetPkgName() = %v, want %v", gotPkgNames, tt.wantPkgNames)
}

26
scan/library.go Normal file
View File

@@ -0,0 +1,26 @@
package scan
import (
"github.com/aquasecurity/fanal/types"
"github.com/future-architect/vuls/models"
trivyTypes "github.com/aquasecurity/trivy/pkg/types"
)
func convertLibWithScanner(apps []types.Application) ([]models.LibraryScanner, error) {
scanners := []models.LibraryScanner{}
for _, app := range apps {
libs := []trivyTypes.Library{}
for _, lib := range app.Libraries {
libs = append(libs, trivyTypes.Library{
Name: lib.Library.Name,
Version: lib.Library.Version,
})
}
scanners = append(scanners, models.LibraryScanner{
Path: app.FilePath,
Libs: libs,
})
}
return scanners, nil
}

4
scan/redhatbase_test.go
View File

@@ -315,7 +315,7 @@ if-not-architecture 0 100 200 amzn-main`
}
func TestParseNeedsRestarting(t *testing.T) {
r := newCentOS(config.ServerInfo{})
r := newRHEL(config.ServerInfo{})
r.Distro = config.Distro{Family: "centos"}
var tests = []struct {
@@ -323,7 +323,7 @@ func TestParseNeedsRestarting(t *testing.T) {
out []models.NeedRestartProcess
}{
{
`1 : /usr/lib/systemd/systemd --switched-root --system --deserialize 21
`1 : /usr/lib/systemd/systemd --switched-root --system --deserialize 21kk
437 : /usr/sbin/NetworkManager --no-daemon`,
[]models.NeedRestartProcess{
{

7
scan/rhel.go
View File

@@ -55,11 +55,8 @@ func (o *rhel) depsFastRoot() []string {
}
// repoquery
majorVersion, _ := o.Distro.MajorVersion()
if majorVersion < 8 {
return []string{"yum-utils"}
}
return []string{"dnf-utils"}
// `rpm -qa` shows dnf-utils as yum-utils on RHEL8, CentOS8
return []string{"yum-utils"}
}
func (o *rhel) depsDeep() []string {

129
scan/serverapi.go
View File

@@ -109,18 +109,6 @@ func detectOS(c config.ServerInfo) (osType osTypeInterface) {
return
}
itsMe, osType, fatalErr = detectContainerImage(c)
if fatalErr != nil {
osType.setErrs(
[]error{xerrors.Errorf("Failed to detect OS: %w", fatalErr)},
)
return
}
if itsMe {
util.Log.Debugf("Container")
return
}
itsMe, osType, fatalErr = detectDebianWithRetry(c)
if fatalErr != nil {
osType.setErrs([]error{
@@ -179,28 +167,9 @@ func PrintSSHableServerNames() bool {
return true
}
func needScans() (needBaseServer, scanContainer, scanImage bool) {
scanContainer = true
scanImage = true
if !config.Conf.ContainersOnly && !config.Conf.ImagesOnly {
needBaseServer = true
}
if config.Conf.ImagesOnly && !config.Conf.ContainersOnly {
scanContainer = false
}
if config.Conf.ContainersOnly && !config.Conf.ImagesOnly {
scanImage = false
}
return needBaseServer, scanContainer, scanImage
}
// InitServers detect the kind of OS distribution of target servers
func InitServers(timeoutSec int) error {
needBaseServers, scanContainer, scanImage := needScans()
// use global servers, errServers when scan containers and images
// use global servers, errServers when scan containers
servers, errServers = detectServerOSes(timeoutSec)
if len(servers) == 0 {
return xerrors.New("No scannable base servers")
@@ -208,23 +177,16 @@ func InitServers(timeoutSec int) error {
// scan additional servers
var actives, inactives []osTypeInterface
if scanImage {
oks, errs := detectImageOSes(timeoutSec)
actives = append(actives, oks...)
inactives = append(inactives, errs...)
}
if scanContainer {
oks, errs := detectContainerOSes(timeoutSec)
actives = append(actives, oks...)
inactives = append(inactives, errs...)
}
oks, errs := detectContainerOSes(timeoutSec)
actives = append(actives, oks...)
inactives = append(inactives, errs...)
if needBaseServers {
servers = append(servers, actives...)
errServers = append(errServers, inactives...)
} else {
if config.Conf.ContainersOnly {
servers = actives
errServers = inactives
} else {
servers = append(servers, actives...)
errServers = append(errServers, inactives...)
}
if len(servers) == 0 {
@@ -434,81 +396,6 @@ func detectContainerOSesOnServer(containerHost osTypeInterface) (oses []osTypeIn
return oses
}
func detectImageOSes(timeoutSec int) (actives, inactives []osTypeInterface) {
util.Log.Info("Detecting OS of static containers... ")
osTypesChan := make(chan []osTypeInterface, len(servers))
defer close(osTypesChan)
for _, s := range servers {
go func(s osTypeInterface) {
defer func() {
if p := recover(); p != nil {
util.Log.Debugf("Panic: %s on %s",
p, s.getServerInfo().GetServerName())
}
}()
osTypesChan <- detectImageOSesOnServer(s)
}(s)
}
timeout := time.After(time.Duration(timeoutSec) * time.Second)
for i := 0; i < len(servers); i++ {
select {
case res := <-osTypesChan:
for _, osi := range res {
sinfo := osi.getServerInfo()
if 0 < len(osi.getErrs()) {
inactives = append(inactives, osi)
util.Log.Errorf("Failed: %s err: %+v", sinfo.ServerName, osi.getErrs())
continue
}
actives = append(actives, osi)
util.Log.Infof("Detected: %s@%s: %s",
sinfo.Image.Name, sinfo.ServerName, osi.getDistro())
}
case <-timeout:
msg := "Timed out while detecting static containers"
util.Log.Error(msg)
for servername, sInfo := range config.Conf.Servers {
found := false
for _, o := range append(actives, inactives...) {
if servername == o.getServerInfo().ServerName {
found = true
break
}
}
if !found {
u := &unknown{}
u.setServerInfo(sInfo)
u.setErrs([]error{
xerrors.New("Timed out"),
})
inactives = append(inactives)
util.Log.Errorf("Timed out: %s", servername)
}
}
}
}
return
}
func detectImageOSesOnServer(containerHost osTypeInterface) (oses []osTypeInterface) {
containerHostInfo := containerHost.getServerInfo()
if len(containerHostInfo.Images) == 0 {
return
}
for idx, containerConf := range containerHostInfo.Images {
copied := containerHostInfo
// change servername for original
copied.ServerName = fmt.Sprintf("%s:%s@%s", idx, containerConf.Tag, containerHostInfo.ServerName)
copied.Image = containerConf
copied.Type = ""
os := detectOS(copied)
oses = append(oses, os)
}
return oses
}
// CheckScanModes checks scan mode
func CheckScanModes() error {
for _, s := range servers {

3
util/logutil.go
View File

@@ -1,6 +1,7 @@
package util
import (
"fmt"
"io/ioutil"
"os"
"path/filepath"
@@ -62,7 +63,7 @@ func NewCustomLogger(c config.ServerInfo) *logrus.Entry {
}
if _, err := os.Stat(logDir); err == nil {
path := filepath.Join(logDir, whereami)
path := filepath.Join(logDir, fmt.Sprintf("%s.log", whereami))
log.Hooks.Add(lfshook.NewHook(lfshook.PathMap{
logrus.DebugLevel: path,
logrus.InfoLevel: path,