7d8a24ee1a
* feat(subcmds/report,server): read environment variables when configPath is "" * refactor: standardize db.NewDB to db.CloseDB * chore: clean up import * chore: error wrap * chore: update goval-dictionary * fix(oval): return Pseudo instead of nil for client * chore: fix comment * fix: lint error
251 lines
6.5 KiB
Go
251 lines
6.5 KiB
Go
//go:build !scanner
|
|
// +build !scanner
|
|
|
|
package detector
|
|
|
|
import (
|
|
"encoding/json"
|
|
"net/http"
|
|
"time"
|
|
|
|
"github.com/cenkalti/backoff"
|
|
"github.com/parnurzeal/gorequest"
|
|
"golang.org/x/xerrors"
|
|
|
|
"github.com/future-architect/vuls/config"
|
|
"github.com/future-architect/vuls/logging"
|
|
"github.com/future-architect/vuls/models"
|
|
"github.com/future-architect/vuls/util"
|
|
exploitdb "github.com/vulsio/go-exploitdb/db"
|
|
exploitmodels "github.com/vulsio/go-exploitdb/models"
|
|
exploitlog "github.com/vulsio/go-exploitdb/util"
|
|
)
|
|
|
|
// goExploitDBClient is a DB Driver
|
|
type goExploitDBClient struct {
|
|
driver exploitdb.DB
|
|
baseURL string
|
|
}
|
|
|
|
// closeDB close a DB connection
|
|
func (client goExploitDBClient) closeDB() error {
|
|
if client.driver == nil {
|
|
return nil
|
|
}
|
|
return client.driver.CloseDB()
|
|
}
|
|
|
|
func newGoExploitDBClient(cnf config.VulnDictInterface, o logging.LogOpts) (*goExploitDBClient, error) {
|
|
if err := exploitlog.SetLogger(o.LogToFile, o.LogDir, o.Debug, o.LogJSON); err != nil {
|
|
return nil, xerrors.Errorf("Failed to set go-exploitdb logger. err: %w", err)
|
|
}
|
|
|
|
db, err := newExploitDB(cnf)
|
|
if err != nil {
|
|
return nil, xerrors.Errorf("Failed to newExploitDB. err: %w", err)
|
|
}
|
|
return &goExploitDBClient{driver: db, baseURL: cnf.GetURL()}, nil
|
|
}
|
|
|
|
// FillWithExploit fills exploit information that has in Exploit
|
|
func FillWithExploit(r *models.ScanResult, cnf config.ExploitConf, logOpts logging.LogOpts) (nExploitCve int, err error) {
|
|
client, err := newGoExploitDBClient(&cnf, logOpts)
|
|
if err != nil {
|
|
return 0, xerrors.Errorf("Failed to newGoExploitDBClient. err: %w", err)
|
|
}
|
|
defer func() {
|
|
if err := client.closeDB(); err != nil {
|
|
logging.Log.Errorf("Failed to close DB. err: %+v", err)
|
|
}
|
|
}()
|
|
|
|
if client.driver == nil {
|
|
var cveIDs []string
|
|
for cveID := range r.ScannedCves {
|
|
cveIDs = append(cveIDs, cveID)
|
|
}
|
|
prefix, err := util.URLPathJoin(client.baseURL, "cves")
|
|
if err != nil {
|
|
return 0, xerrors.Errorf("Failed to join URLPath. err: %w", err)
|
|
}
|
|
responses, err := getExploitsViaHTTP(cveIDs, prefix)
|
|
if err != nil {
|
|
return 0, xerrors.Errorf("Failed to get Exploits via HTTP. err: %w", err)
|
|
}
|
|
for _, res := range responses {
|
|
exps := []exploitmodels.Exploit{}
|
|
if err := json.Unmarshal([]byte(res.json), &exps); err != nil {
|
|
return 0, xerrors.Errorf("Failed to unmarshal json. err: %w", err)
|
|
}
|
|
exploits := ConvertToModelsExploit(exps)
|
|
v, ok := r.ScannedCves[res.request.cveID]
|
|
if ok {
|
|
v.Exploits = exploits
|
|
}
|
|
r.ScannedCves[res.request.cveID] = v
|
|
nExploitCve++
|
|
}
|
|
} else {
|
|
for cveID, vuln := range r.ScannedCves {
|
|
if cveID == "" {
|
|
continue
|
|
}
|
|
es, err := client.driver.GetExploitByCveID(cveID)
|
|
if err != nil {
|
|
return 0, xerrors.Errorf("Failed to get Exploits by CVE-ID. err: %w", err)
|
|
}
|
|
if len(es) == 0 {
|
|
continue
|
|
}
|
|
exploits := ConvertToModelsExploit(es)
|
|
vuln.Exploits = exploits
|
|
r.ScannedCves[cveID] = vuln
|
|
nExploitCve++
|
|
}
|
|
}
|
|
return nExploitCve, nil
|
|
}
|
|
|
|
// ConvertToModelsExploit converts exploit model to vuls model
|
|
func ConvertToModelsExploit(es []exploitmodels.Exploit) (exploits []models.Exploit) {
|
|
for _, e := range es {
|
|
var documentURL, shellURL *string
|
|
if e.OffensiveSecurity != nil {
|
|
os := e.OffensiveSecurity
|
|
if os.Document != nil {
|
|
documentURL = &os.Document.DocumentURL
|
|
}
|
|
if os.ShellCode != nil {
|
|
shellURL = &os.ShellCode.ShellCodeURL
|
|
}
|
|
}
|
|
exploit := models.Exploit{
|
|
ExploitType: e.ExploitType,
|
|
ID: e.ExploitUniqueID,
|
|
URL: e.URL,
|
|
Description: e.Description,
|
|
DocumentURL: documentURL,
|
|
ShellCodeURL: shellURL,
|
|
}
|
|
exploits = append(exploits, exploit)
|
|
}
|
|
return exploits
|
|
}
|
|
|
|
type exploitResponse struct {
|
|
request exploitRequest
|
|
json string
|
|
}
|
|
|
|
func getExploitsViaHTTP(cveIDs []string, urlPrefix string) (
|
|
responses []exploitResponse, err error) {
|
|
nReq := len(cveIDs)
|
|
reqChan := make(chan exploitRequest, nReq)
|
|
resChan := make(chan exploitResponse, nReq)
|
|
errChan := make(chan error, nReq)
|
|
defer close(reqChan)
|
|
defer close(resChan)
|
|
defer close(errChan)
|
|
|
|
go func() {
|
|
for _, cveID := range cveIDs {
|
|
reqChan <- exploitRequest{
|
|
cveID: cveID,
|
|
}
|
|
}
|
|
}()
|
|
|
|
concurrency := 10
|
|
tasks := util.GenWorkers(concurrency)
|
|
for i := 0; i < nReq; i++ {
|
|
tasks <- func() {
|
|
req := <-reqChan
|
|
url, err := util.URLPathJoin(
|
|
urlPrefix,
|
|
req.cveID,
|
|
)
|
|
if err != nil {
|
|
errChan <- err
|
|
} else {
|
|
logging.Log.Debugf("HTTP Request to %s", url)
|
|
httpGetExploit(url, req, resChan, errChan)
|
|
}
|
|
}
|
|
}
|
|
|
|
timeout := time.After(2 * 60 * time.Second)
|
|
var errs []error
|
|
for i := 0; i < nReq; i++ {
|
|
select {
|
|
case res := <-resChan:
|
|
responses = append(responses, res)
|
|
case err := <-errChan:
|
|
errs = append(errs, err)
|
|
case <-timeout:
|
|
return nil, xerrors.New("Timeout Fetching Exploit")
|
|
}
|
|
}
|
|
if len(errs) != 0 {
|
|
return nil, xerrors.Errorf("Failed to fetch Exploit. err: %w", errs)
|
|
}
|
|
return
|
|
}
|
|
|
|
type exploitRequest struct {
|
|
cveID string
|
|
}
|
|
|
|
func httpGetExploit(url string, req exploitRequest, resChan chan<- exploitResponse, errChan chan<- error) {
|
|
var body string
|
|
var errs []error
|
|
var resp *http.Response
|
|
count, retryMax := 0, 3
|
|
f := func() (err error) {
|
|
// resp, body, errs = gorequest.New().SetDebug(config.Conf.Debug).Get(url).End()
|
|
resp, body, errs = gorequest.New().Timeout(10 * time.Second).Get(url).End()
|
|
if 0 < len(errs) || resp == nil || resp.StatusCode != 200 {
|
|
count++
|
|
if count == retryMax {
|
|
return nil
|
|
}
|
|
return xerrors.Errorf("HTTP GET error, url: %s, resp: %v, err: %+v", url, resp, errs)
|
|
}
|
|
return nil
|
|
}
|
|
notify := func(err error, t time.Duration) {
|
|
logging.Log.Warnf("Failed to HTTP GET. retrying in %s seconds. err: %+v", t, err)
|
|
}
|
|
err := backoff.RetryNotify(f, backoff.NewExponentialBackOff(), notify)
|
|
if err != nil {
|
|
errChan <- xerrors.Errorf("HTTP Error %w", err)
|
|
return
|
|
}
|
|
if count == retryMax {
|
|
errChan <- xerrors.New("Retry count exceeded")
|
|
return
|
|
}
|
|
|
|
resChan <- exploitResponse{
|
|
request: req,
|
|
json: body,
|
|
}
|
|
}
|
|
|
|
func newExploitDB(cnf config.VulnDictInterface) (driver exploitdb.DB, err error) {
|
|
if cnf.IsFetchViaHTTP() {
|
|
return nil, nil
|
|
}
|
|
path := cnf.GetURL()
|
|
if cnf.GetType() == "sqlite3" {
|
|
path = cnf.GetSQLite3Path()
|
|
}
|
|
driver, locked, err := exploitdb.NewDB(cnf.GetType(), path, cnf.GetDebugSQL(), exploitdb.Option{})
|
|
if err != nil {
|
|
if locked {
|
|
return nil, xerrors.Errorf("Failed to init exploit DB. SQLite3: %s is locked. err: %w", cnf.GetSQLite3Path(), err)
|
|
}
|
|
return nil, xerrors.Errorf("Failed to init exploit DB. DB Path: %s, err: %w", path, err)
|
|
}
|
|
return driver, nil
|
|
}
|