bump up version (#1007)

* Add proxyjump func

* Run go mod tidy

* Run make fmt

.goreleaser.yml

@@ -6,7 +6,8 @@ release:
     owner: future-architect
     name: vuls
 builds:
-- goos:
+- id: vuls
+  goos:
   - linux
   goarch:
   - amd64
@@ -15,8 +16,50 @@ builds:
       - -a
   ldflags: -s -w -X main.version={{.Version}} -X main.revision={{.Commit}} 
   binary: vuls
+
+- id: trivy-to-vuls
+  goos:
+  - linux
+  goarch:
+  - amd64
+  main: ./contrib/trivy/cmd/main.go
+  binary: trivy-to-vuls
+
+- id: future-vuls
+  goos:
+  - linux
+  goarch:
+  - amd64
+  main: ./contrib/future-vuls/cmd/main.go
+  binary: future-vuls
 archives:
-- name_template: '{{ .Binary }}_{{.Version}}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}'
+
+- id: vuls
+  name_template: '{{ .Binary }}_{{.Version}}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}'
+  builds:
+  - vuls
+  format: tar.gz
+  files:
+  - LICENSE
+  - NOTICE
+  - README*
+  - CHANGELOG.md
+
+- id: trivy-to-vuls
+  name_template: '{{ .Binary }}_{{.Version}}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}'
+  builds:
+  - trivy-to-vuls
+  format: tar.gz
+  files:
+  - LICENSE
+  - NOTICE
+  - README*
+  - CHANGELOG.md
+- id: future-vuls
+  name_template: '{{ .Binary }}_{{.Version}}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}'
+  builds:
+
+  - future-vuls
   format: tar.gz
   files:
   - LICENSE

Dockerfile

@@ -11,7 +11,7 @@ COPY . $GOPATH/src/$REPOSITORY
 RUN cd $GOPATH/src/$REPOSITORY && make install
 
 
-FROM alpine:3.7
+FROM alpine:3.11
 
 MAINTAINER hikachan sadayuki-matsuno
 

commands/configtest.go

@@ -36,7 +36,7 @@ func (*ConfigtestCmd) Usage() string {
 			[-log-dir=/path/to/log]
 			[-ask-key-password]
 			[-timeout=300]
-			[-ssh-external]
+			[-ssh-config]
 			[-containers-only]
 			[-http-proxy=http://192.168.0.1:8080]
 			[-debug]
@@ -69,7 +69,7 @@ func (p *ConfigtestCmd) SetFlags(f *flag.FlagSet) {
 		"Use Native Go implementation of SSH. Default: Use the external command")
 
 	f.BoolVar(&c.Conf.SSHConfig, "ssh-config", false,
-		"Use SSH options specified in ssh_config preferentially")
+		"[Deprecated] Use SSH options specified in ssh_config preferentially")
 
 	f.BoolVar(&c.Conf.ContainersOnly, "containers-only", false,
 		"Test containers only. Default: Test both of hosts and containers")
@@ -108,6 +108,16 @@ func (p *ConfigtestCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interfa
 		return subcommands.ExitUsageError
 	}
 
+	if c.Conf.SSHConfig {
+		msg := []string{
+			"-ssh-config is deprecated",
+			"If you update Vuls and get this error, there may be incompatible changes in config.toml",
+			"Please check config.toml template : https://vuls.io/docs/en/usage-settings.html",
+		}
+		util.Log.Errorf("%s", strings.Join(msg, "\n"))
+		return subcommands.ExitUsageError
+	}
+
 	var servernames []string
 	if 0 < len(f.Args()) {
 		servernames = f.Args()

commands/discover.go

@@ -187,6 +187,7 @@ sqlite3Path = "/path/to/go-exploitdb.sqlite3"
 host                = "{{$ip}}"
 #port               = "22"
 #user               = "root"
+#sshConfigPath		= "/home/username/.ssh/config"
 #keyPath            = "/home/username/.ssh/id_rsa"
 #scanMode           = ["fast", "fast-root", "deep", "offline"]
 #type               = "pseudo"

commands/scan.go

@@ -80,7 +80,7 @@ func (p *ScanCmd) SetFlags(f *flag.FlagSet) {
 		"Use Native Go implementation of SSH. Default: Use the external command")
 
 	f.BoolVar(&c.Conf.SSHConfig, "ssh-config", false,
-		"Use SSH options specified in ssh_config preferentially")
+		"[Deprecated] Use SSH options specified in ssh_config preferentially")
 
 	f.BoolVar(&c.Conf.ContainersOnly, "containers-only", false,
 		"Scan running containers only. Default: Scan both of hosts and running containers")
@@ -146,6 +146,16 @@ func (p *ScanCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interface{})
 		return subcommands.ExitUsageError
 	}
 
+	if c.Conf.SSHConfig {
+		msg := []string{
+			"-ssh-config is deprecated",
+			"If you update Vuls and get this error, there may be incompatible changes in config.toml",
+			"Please check config.toml template : https://vuls.io/docs/en/usage-settings.html",
+		}
+		util.Log.Errorf("%s", strings.Join(msg, "\n"))
+		return subcommands.ExitUsageError
+	}
+
 	util.Log.Info("Start scanning")
 	util.Log.Infof("config: %s", p.configPath)
 

config/config.go

@@ -16,7 +16,7 @@ import (
 )
 
 // Version of Vuls
-var Version = "0.9.6"
+var Version = "0.9.8"
 
 // Revision of Git
 var Revision string
@@ -1035,7 +1035,9 @@ type ServerInfo struct {
 	ServerName             string                      `toml:"-" json:"serverName,omitempty"`
 	User                   string                      `toml:"user,omitempty" json:"user,omitempty"`
 	Host                   string                      `toml:"host,omitempty" json:"host,omitempty"`
+	JumpServer             []string                    `toml:"jumpServer,omitempty" json:"jumpServer,omitempty"`
 	Port                   string                      `toml:"port,omitempty" json:"port,omitempty"`
+	SSHConfigPath          string                      `toml:"sshConfigPath,omitempty" json:"sshConfigPath,omitempty"`
 	KeyPath                string                      `toml:"keyPath,omitempty" json:"keyPath,omitempty"`
 	KeyPassword            string                      `json:"-,omitempty" toml:"-"`
 	CpeNames               []string                    `toml:"cpeNames,omitempty" json:"cpeNames,omitempty"`

config/tomlloader.go

@@ -57,6 +57,11 @@ func (c TOMLLoader) Load(pathToToml, keyPass string) error {
 				return xerrors.Errorf("%s is invalid. host is empty", serverName)
 			}
 
+			s.JumpServer = v.JumpServer
+			if len(s.JumpServer) == 0 {
+				s.JumpServer = d.JumpServer
+			}
+
 			switch {
 			case v.Port != "":
 				s.Port = v.Port
@@ -77,6 +82,11 @@ func (c TOMLLoader) Load(pathToToml, keyPass string) error {
 				}
 			}
 
+			s.SSHConfigPath = v.SSHConfigPath
+			if len(s.SSHConfigPath) == 0 {
+				s.SSHConfigPath = d.SSHConfigPath
+			}
+
 			s.KeyPath = v.KeyPath
 			if len(s.KeyPath) == 0 {
 				s.KeyPath = d.KeyPath

contrib/future-vuls/cmd/main.go

@@ -58,12 +58,14 @@ func main() {
 				scanResultJSON = buf.Bytes()
 			} else {
 				fmt.Println("use --stdin option")
+				os.Exit(1)
 				return
 			}
 
 			var scanResult models.ScanResult
 			if err = json.Unmarshal(scanResultJSON, &scanResult); err != nil {
 				fmt.Println("Failed to parse json", err)
+				os.Exit(1)
 				return
 			}
 			scanResult.ServerUUID = serverUUID
@@ -72,7 +74,8 @@ func main() {
 			config.Conf.Saas.Token = token
 			config.Conf.Saas.URL = url
 			if err = (report.SaasWriter{}).Write(scanResult); err != nil {
-				fmt.Println("Failed to create json", err)
+				fmt.Println(err)
+				os.Exit(1)
 				return
 			}
 			return

contrib/trivy/cmd/main.go

@@ -34,12 +34,14 @@ func main() {
 				reader := bufio.NewReader(os.Stdin)
 				buf := new(bytes.Buffer)
 				if _, err = buf.ReadFrom(reader); err != nil {
+					os.Exit(1)
 					return
 				}
 				trivyJSON = buf.Bytes()
 			} else {
 				if trivyJSON, err = ioutil.ReadFile(jsonFilePath); err != nil {
 					fmt.Println("Failed to read file", err)
+					os.Exit(1)
 					return
 				}
 			}
@@ -50,11 +52,13 @@ func main() {
 			}
 			if scanResult, err = parser.Parse(trivyJSON, scanResult); err != nil {
 				fmt.Println("Failed to execute command", err)
+				os.Exit(1)
 				return
 			}
 			var resultJSON []byte
 			if resultJSON, err = json.MarshalIndent(scanResult, "", "   "); err != nil {
 				fmt.Println("Failed to create json", err)
+				os.Exit(1)
 				return
 			}
 			fmt.Println(string(resultJSON))
@@ -69,5 +73,6 @@ func main() {
 	rootCmd.AddCommand(cmdTrivyToVuls)
 	if err = rootCmd.Execute(); err != nil {
 		fmt.Println("Failed to execute command", err)
+		os.Exit(1)
 	}
 }

go.mod

@@ -27,7 +27,7 @@ require (
 	github.com/howeyc/gopass v0.0.0-20190910152052-7cb4b85ec19c
 	github.com/jesseduffield/gocui v0.3.0
 	github.com/k0kubun/pp v3.0.1+incompatible
-	github.com/knqyf263/go-apk-version v0.0.0-20200507080916-9f84b1e3c54c
+	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
 	github.com/knqyf263/go-cpe v0.0.0-20180327054844-659663f6eca2
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
 	github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936

go.sum

@@ -361,8 +361,8 @@ github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvW
 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/knqyf263/berkeleydb v0.0.0-20190501065933-fafe01fb9662/go.mod h1:bu1CcN4tUtoRcI/B/RFHhxMNKFHVq/c3SV+UTyduoXg=
-github.com/knqyf263/go-apk-version v0.0.0-20200507080916-9f84b1e3c54c h1:qHcn6FUgD+GRk2ieUL3Re+/+rgjh+QK7Db2ClEUQ0RM=
-github.com/knqyf263/go-apk-version v0.0.0-20200507080916-9f84b1e3c54c/go.mod h1:q59u9px8b7UTj0nIjEjvmTWekazka6xIt6Uogz5Dm+8=
+github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f h1:GvCU5GXhHq+7LeOzx/haG7HSIZokl3/0GkoUFzsRJjg=
+github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f/go.mod h1:q59u9px8b7UTj0nIjEjvmTWekazka6xIt6Uogz5Dm+8=
 github.com/knqyf263/go-cpe v0.0.0-20180327054844-659663f6eca2 h1:9CYbtr3i56D/rD6u6jJ/Aocsic9G+MupyVu7gb+QHF4=
 github.com/knqyf263/go-cpe v0.0.0-20180327054844-659663f6eca2/go.mod h1:XM58Cg7dN+g0J9UPVmKjiXWlGi55lx+9IMs0IMoFWQo=
 github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d h1:X4cedH4Kn3JPupAwwWuo4AzYp16P0OyLO9d7OnMZc/c=

report/email.go

@@ -1,6 +1,7 @@
 package report
 
 import (
+	"crypto/tls"
 	"fmt"
 	"net"
 	"net/mail"
@@ -87,6 +88,61 @@ type emailSender struct {
 	send func(string, smtp.Auth, string, []string, []byte) error
 }
 
+func smtps(emailConf config.SMTPConf, message string) (err error) {
+	auth := smtp.PlainAuth("",
+		emailConf.User,
+		emailConf.Password,
+		emailConf.SMTPAddr,
+	)
+
+	//TLS Config
+	tlsConfig := &tls.Config{
+		ServerName: emailConf.SMTPAddr,
+	}
+
+	smtpServer := net.JoinHostPort(emailConf.SMTPAddr, emailConf.SMTPPort)
+	//New TLS connection
+	con, err := tls.Dial("tcp", smtpServer, tlsConfig)
+	if err != nil {
+		return xerrors.Errorf("Failed to create TLS connection: %w", err)
+	}
+	defer con.Close()
+
+	c, err := smtp.NewClient(con, emailConf.SMTPAddr)
+	if err != nil {
+		return xerrors.Errorf("Failed to create new client: %w", err)
+	}
+	if err = c.Auth(auth); err != nil {
+		return xerrors.Errorf("Failed to authenticate: %w", err)
+	}
+	if err = c.Mail(emailConf.From); err != nil {
+		return xerrors.Errorf("Failed to send Mail command: %w", err)
+	}
+	for _, to := range emailConf.To {
+		if err = c.Rcpt(to); err != nil {
+			return xerrors.Errorf("Failed to send Rcpt command: %w", err)
+		}
+	}
+
+	w, err := c.Data()
+	if err != nil {
+		return xerrors.Errorf("Failed to send Data command: %w", err)
+	}
+	_, err = w.Write([]byte(message))
+	if err != nil {
+		return xerrors.Errorf("Failed to write EMail message: %w", err)
+	}
+	err = w.Close()
+	if err != nil {
+		return xerrors.Errorf("Failed to close Writer: %w", err)
+	}
+	err = c.Quit()
+	if err != nil {
+		return xerrors.Errorf("Failed to close connection: %w", err)
+	}
+	return nil
+}
+
 func (e *emailSender) Send(subject, body string) (err error) {
 	emailConf := e.conf
 	to := strings.Join(emailConf.To[:], ", ")
@@ -113,20 +169,28 @@ func (e *emailSender) Send(subject, body string) (err error) {
 	smtpServer := net.JoinHostPort(emailConf.SMTPAddr, emailConf.SMTPPort)
 
 	if emailConf.User != "" && emailConf.Password != "" {
-		err = e.send(
-			smtpServer,
-			smtp.PlainAuth(
-				"",
-				emailConf.User,
-				emailConf.Password,
-				emailConf.SMTPAddr,
-			),
-			emailConf.From,
-			mailAddresses,
-			[]byte(message),
-		)
-		if err != nil {
-			return xerrors.Errorf("Failed to send emails: %w", err)
+		switch emailConf.SMTPPort {
+		case "465":
+			err := smtps(emailConf, message)
+			if err != nil {
+				return xerrors.Errorf("Failed to send emails: %w", err)
+			}
+		default:
+			err = e.send(
+				smtpServer,
+				smtp.PlainAuth(
+					"",
+					emailConf.User,
+					emailConf.Password,
+					emailConf.SMTPAddr,
+				),
+				emailConf.From,
+				mailAddresses,
+				[]byte(message),
+			)
+			if err != nil {
+				return xerrors.Errorf("Failed to send emails: %w", err)
+			}
 		}
 		return nil
 	}

report/report.go

@@ -44,6 +44,7 @@ func FillCveInfos(dbclient DBClient, rs []models.ScanResult, dir string) ([]mode
 	var filledResults []models.ScanResult
 	reportedAt := time.Now()
 	hostname, _ := os.Hostname()
+	wpVulnCaches := map[string]string{}
 	for _, r := range rs {
 		if c.Conf.RefreshCve || needToRefreshCve(r) {
 			if ovalSupported(&r) {
@@ -83,7 +84,7 @@ func FillCveInfos(dbclient DBClient, rs []models.ScanResult, dir string) ([]mode
 			// Integrations
 			githubInts := GithubSecurityAlerts(c.Conf.Servers[r.ServerName].GitHubRepos)
 
-			wpOpt := WordPressOption{c.Conf.Servers[r.ServerName].WordPress.WPVulnDBToken}
+			wpOpt := WordPressOption{c.Conf.Servers[r.ServerName].WordPress.WPVulnDBToken, &wpVulnCaches}
 
 			if err := FillCveInfo(dbclient,
 				&r,
@@ -429,14 +430,15 @@ func (g GithubSecurityAlertOption) apply(r *models.ScanResult, ints *integration
 
 // WordPressOption :
 type WordPressOption struct {
-	token string
+	token        string
+	wpVulnCaches *map[string]string
 }
 
 func (g WordPressOption) apply(r *models.ScanResult, ints *integrationResults) (err error) {
 	if g.token == "" {
 		return nil
 	}
-	n, err := wordpress.FillWordPress(r, g.token)
+	n, err := wordpress.FillWordPress(r, g.token, g.wpVulnCaches)
 	if err != nil {
 		return xerrors.Errorf("Failed to fetch from WPVulnDB. Check the WPVulnDBToken in config.toml. err: %w", err)
 	}

scan/executil.go

@@ -260,7 +260,9 @@ func sshExecExternal(c conf.ServerInfo, cmd string, sudo bool) (result execResul
 
 	defaultSSHArgs := []string{"-tt"}
 
-	if !conf.Conf.SSHConfig {
+	if 0 < len(c.SSHConfigPath) {
+		defaultSSHArgs = append(defaultSSHArgs, "-F", c.SSHConfigPath)
+	} else {
 		home, err := homedir.Dir()
 		if err != nil {
 			msg := fmt.Sprintf("Failed to get HOME directory: %s", err)
@@ -285,6 +287,10 @@ func sshExecExternal(c conf.ServerInfo, cmd string, sudo bool) (result execResul
 		defaultSSHArgs = append(defaultSSHArgs, "-vvv")
 	}
 
+	if len(c.JumpServer) != 0 {
+		defaultSSHArgs = append(defaultSSHArgs, "-J", strings.Join(c.JumpServer, ","))
+	}
+
 	args := append(defaultSSHArgs, fmt.Sprintf("%s@%s", c.User, c.Host))
 	args = append(args, "-p", c.Port)
 	if 0 < len(c.KeyPath) {

server/server.go

@@ -62,6 +62,12 @@ func (h VulsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// set ReportedAt to current time when it's set to the epoch, ensures that ReportedAt will be set
+	// properly for scans sent to vuls when running in server mode
+	if result.ReportedAt.IsZero() {
+		result.ReportedAt = time.Now()
+	}
+
 	// report
 	reports := []report.ResultWriter{
 		report.HTTPResponseWriter{Writer: w},

wordpress/wordpress.go

@@ -48,20 +48,28 @@ type References struct {
 
 // FillWordPress access to wpvulndb and fetch scurity alerts and then set to the given ScanResult.
 // https://wpvulndb.com/
-func FillWordPress(r *models.ScanResult, token string) (int, error) {
+func FillWordPress(r *models.ScanResult, token string, wpVulnCaches *map[string]string) (int, error) {
 	// Core
 	ver := strings.Replace(r.WordPressPackages.CoreVersion(), ".", "", -1)
 	if ver == "" {
 		return 0, xerrors.New("Failed to get WordPress core version")
 	}
-	url := fmt.Sprintf("https://wpvulndb.com/api/v3/wordpresses/%s", ver)
-	body, err := httpRequest(url, token)
-	if err != nil {
-		return 0, err
-	}
-	if body == "" {
-		util.Log.Warnf("A result of REST access is empty: %s", url)
+
+	body, ok := searchCache(ver, wpVulnCaches)
+	if !ok {
+		url := fmt.Sprintf("https://wpvulndb.com/api/v3/wordpresses/%s", ver)
+		var err error
+		body, err = httpRequest(url, token)
+		if err != nil {
+			return 0, err
+		}
+		if body == "" {
+			util.Log.Warnf("A result of REST access is empty: %s", url)
+		}
+
+		(*wpVulnCaches)[ver] = body
 	}
+
 	wpVinfos, err := convertToVinfos(models.WPCore, body)
 	if err != nil {
 		return 0, err
@@ -77,11 +85,17 @@ func FillWordPress(r *models.ScanResult, token string) (int, error) {
 
 	// Themes
 	for _, p := range themes {
-		url := fmt.Sprintf("https://wpvulndb.com/api/v3/themes/%s", p.Name)
-		body, err := httpRequest(url, token)
-		if err != nil {
-			return 0, err
+		body, ok := searchCache(p.Name, wpVulnCaches)
+		if !ok {
+			url := fmt.Sprintf("https://wpvulndb.com/api/v3/themes/%s", p.Name)
+			var err error
+			body, err = httpRequest(url, token)
+			if err != nil {
+				return 0, err
+			}
+			(*wpVulnCaches)[p.Name] = body
 		}
+
 		if body == "" {
 			continue
 		}
@@ -113,11 +127,17 @@ func FillWordPress(r *models.ScanResult, token string) (int, error) {
 
 	// Plugins
 	for _, p := range plugins {
-		url := fmt.Sprintf("https://wpvulndb.com/api/v3/plugins/%s", p.Name)
-		body, err := httpRequest(url, token)
-		if err != nil {
-			return 0, err
+		body, ok := searchCache(p.Name, wpVulnCaches)
+		if !ok {
+			url := fmt.Sprintf("https://wpvulndb.com/api/v3/plugins/%s", p.Name)
+			var err error
+			body, err = httpRequest(url, token)
+			if err != nil {
+				return 0, err
+			}
+			(*wpVulnCaches)[p.Name] = body
 		}
+
 		if body == "" {
 			continue
 		}
@@ -277,3 +297,11 @@ func removeInactives(pkgs models.WordPressPackages) (removed models.WordPressPac
 	}
 	return removed
 }
+
+func searchCache(name string, wpVulnCaches *map[string]string) (string, bool) {
+	value, ok := (*wpVulnCaches)[name]
+	if ok {
+		return value, true
+	}
+	return "", false
+}

wordpress/wordpress_test.go

@@ -79,3 +79,52 @@ func TestRemoveInactive(t *testing.T) {
 		}
 	}
 }
+
+func TestSearchCache(t *testing.T) {
+
+	var tests = []struct {
+		name        string
+		wpVulnCache map[string]string
+		value       string
+		ok          bool
+	}{
+		{
+			name: "akismet",
+			wpVulnCache: map[string]string{
+				"akismet": "body",
+			},
+			value: "body",
+			ok:    true,
+		},
+		{
+			name: "akismet",
+			wpVulnCache: map[string]string{
+				"BackWPup": "body",
+				"akismet":  "body",
+			},
+			value: "body",
+			ok:    true,
+		},
+		{
+			name: "akismet",
+			wpVulnCache: map[string]string{
+				"BackWPup": "body",
+			},
+			value: "",
+			ok:    false,
+		},
+		{
+			name:        "akismet",
+			wpVulnCache: nil,
+			value:       "",
+			ok:          false,
+		},
+	}
+
+	for i, tt := range tests {
+		value, ok := searchCache(tt.name, &tt.wpVulnCache)
+		if value != tt.value || ok != tt.ok {
+			t.Errorf("[%d] searchCache error ", i)
+		}
+	}
+}