feat(detector): use vuls2 for RedHat, CentOS, Alma and Rocky #2106

Merged
merged 15 commits into from
Jan 20, 2025
Merged

Conversation

shino
Collaborator

@shino shino commented Jan 17, 2025

If this Pull Request is work in progress, add a prefix of “[WIP]” in the title.

What did you implement:

Use vuls2 for RedHat, CentOS, Alma and Rocky.

  • For RedHat and CentOS, use CSAF-VEX data source
  • For Alma and Rocky, use each official data source

This PR introduces new config items, none of which is mandatory:

[vuls2]
# Path = "/path/to/vuls.db"
# Repository = "ghcr.io/vulsio/vuls-nightly-db:0"
# SkipUpdate = false

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

Manually.

Command execution example:

% ./vuls report | head -n 50
[Jan 20 15:40:44]  INFO [localhost] vuls-v0.28.1-build-20250120_153724_5329983
[Jan 20 15:40:44]  INFO [localhost] Validating config...
[Jan 20 15:40:44]  INFO [localhost] cveDict.type=sqlite3, cveDict.url=, cveDict.SQLite3Path=/data/vulsctl/docker/cve.sqlite3
[Jan 20 15:40:44]  INFO [localhost] ovalDict.type=sqlite3, ovalDict.url=, ovalDict.SQLite3Path=/home/shino/g/goval-dictionary/redhat-oval12.sqlite3
[Jan 20 15:40:44]  INFO [localhost] gost.type=sqlite3, gost.url=, gost.SQLite3Path=/data/vulsctl/docker/gost.sqlite3
[Jan 20 15:40:44]  INFO [localhost] exploit.type=sqlite3, exploit.url=, exploit.SQLite3Path=/data/vulsctl/docker/go-exploitdb.sqlite3
[Jan 20 15:40:44]  INFO [localhost] metasploit.type=sqlite3, metasploit.url=, metasploit.SQLite3Path=/data/vulsctl/docker/go-msfdb.sqlite3
[Jan 20 15:40:44]  INFO [localhost] kevuln.type=sqlite3, kevuln.url=, kevuln.SQLite3Path=/data/vulsctl/docker/go-kev.sqlite3
[Jan 20 15:40:44]  INFO [localhost] cti.type=sqlite3, cti.url=, cti.SQLite3Path=/data/vulsctl/docker/go-cti.sqlite3
[Jan 20 15:40:45]  INFO [localhost] Loaded: /home/shino/g/vuls/results/2025-01-06T17-29-57+0900
[Jan 20 15:40:45]  INFO [localhost] No need to refresh
[Jan 20 15:40:46]  INFO [localhost] rhel_90: total 2451 CVEs detected
[Jan 20 15:40:46]  INFO [localhost] rhel_90: 0 CVEs filtered by --confidence-over=80
rhel_90 (redhat9.0)
===================
Total: 2451 (Critical:41 High:783 Medium:1603 Low:23 ?:1)
1282/2451 Fixed, 165 poc, 0 exploits, 5 kevs, uscert: 0, jpcert: 3 alerts
524 installed

+------------------+------+--------+-----+------+-----------+---------+-------------------------------------+
|      CVE-ID      | CVSS | ATTACK | POC | KEV  |   ALERT   |  FIXED  |              PACKAGES               |
+------------------+------+--------+-----+------+-----------+---------+-------------------------------------+
| CVE-2019-12900   |  9.8 |  AV:N  |     |      |           | unfixed | bzip2, bzip2-libs                   |
+------------------+------+--------+-----+------+-----------+---------+-------------------------------------+
| CVE-2021-47548   |  9.8 |  AV:N  |     |      |           |   fixed | kernel, kernel-core,                |
|                  |      |        |     |      |           |         | kernel-devel,                       |
|                  |      |        |     |      |           |         | kernel-modules, kernel-tools,       |
|                  |      |        |     |      |           |         | kernel-tools-libs,                  |
|                  |      |        |     |      |           |         | python3-perf                        |
+------------------+------+--------+-----+------+-----------+---------+-------------------------------------+
| CVE-2022-1292    |  9.8 |  AV:L  |     |      |           |   fixed | openssl, openssl-devel,             |
|                  |      |        |     |      |           |         | openssl-libs                        |
+------------------+------+--------+-----+------+-----------+---------+-------------------------------------+
| CVE-2022-2068    |  9.8 |  AV:N  |     |      |           |   fixed | openssl, openssl-devel,             |
|                  |      |        |     |      |           |         | openssl-libs                        |
+------------------+------+--------+-----+------+-----------+---------+-------------------------------------+
| CVE-2022-32207   |  9.8 |  AV:N  | POC |      |           |   fixed | curl, libcurl                       |
+------------------+------+--------+-----+------+-----------+---------+-------------------------------------+
| CVE-2022-32221   |  9.8 |  AV:N  | POC |      |           |   fixed | curl, libcurl                       |
+------------------+------+--------+-----+------+-----------+---------+-------------------------------------+
| CVE-2022-3515    |  9.8 |  AV:N  | POC |      |           |   fixed | libksba                             |
+------------------+------+--------+-----+------+-----------+---------+-------------------------------------+
| CVE-2022-36227   |  9.8 |  AV:N  |     |      |           |   fixed | libarchive                          |
+------------------+------+--------+-----+------+-----------+---------+-------------------------------------+
| CVE-2022-37434   |  9.8 |  AV:N  | POC |      |           |   fixed | zlib, zlib-devel                    |
+------------------+------+--------+-----+------+-----------+---------+-------------------------------------+
| CVE-2022-47629   |  9.8 |  AV:N  |     |      |           |   fixed | libksba                             |
+------------------+------+--------+-----+------+-----------+---------+-------------------------------------+
| CVE-2022-48337   |  9.8 |  AV:N  |     |      |           |   fixed | emacs-filesystem                    |
+------------------+------+--------+-----+------+-----------+---------+-------------------------------------+
| CVE-2023-25775   |  9.8 |  AV:N  |     |      |           |   fixed | kernel, kernel-core,                |
|                  |      |        |     |      |           |         | kernel-devel, kernel-headers,       |
|                  |      |        |     |      |           |         | kernel-modules, kernel-tools,       |
|                  |      |        |     |      |           |         | kernel-tools-libs,                  |
|                  |      |        |     |      |           |         | python3-perf                        |
+------------------+------+--------+-----+------+-----------+---------+-------------------------------------+
| CVE-2023-37920   |  9.8 |  AV:N  |     |      |           |   fixed | ca-certificates                     |
+------------------+------+--------+-----+------+-----------+---------+-------------------------------------+
| CVE-2023-38545   |  9.8 |  AV:N  |     |      |           |   fixed | curl, libcurl                       |
+------------------+------+--------+-----+------+-----------+---------+-------------------------------------+
| CVE-2024-36031   |  9.8 |  AV:N  |     |      |           |   fixed | kernel, kernel-core,                |
|                  |      |        |     |      |           |         | kernel-devel, kernel-headers,       |
|                  |      |        |     |      |           |         | kernel-modules, kernel-tools,       |

and its results, only the first CVE and without CveContents:

% cat results/2025-01-06T17-29-57+0900/rhel_90.json | jq -M '.scannedCves["CVE-2007-4559"] | .cveContents = null'
{
  "cveID": "CVE-2007-4559",
  "confidences": [
    {
      "score": 100,
      "detectionMethod": "OvalMatch"
    }
  ],
  "affectedPackages": [
    {
      "name": "python-unversioned-command",
      "fixedIn": "0:3.9.18-1.el9_3"
    },
    {
      "name": "python3",
      "fixedIn": "0:3.9.18-1.el9_3"
    },
    {
      "name": "python3-libs",
      "fixedIn": "0:3.9.18-1.el9_3"
    },
    {
      "name": "python3-pip-wheel",
      "fixedIn": "0:21.2.3-7.el9"
    }
  ],
  "distroAdvisories": [
    {
      "advisoryID": "RHSA-2023:6659",
      "severity": "Moderate",
      "issued": "2023-11-07T00:00:00Z",
      "updated": "2023-11-07T00:00:00Z",
      "description": "Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.\n\nThe following packages have been upgraded to a later upstream version: python3.9 (3.9.18). (BZ#2210783)\n\nSecurity Fix(es):\n\n* python: tarfile module directory traversal (CVE-2007-4559)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 9.3 Release Notes linked from the References section."
    },
    {
      "advisoryID": "RHSA-2023:6694",
      "severity": "Moderate",
      "issued": "2023-11-07T00:00:00Z",
      "updated": "2023-11-07T00:00:00Z",
      "description": "pip is a package management system used to install and manage software packages written in Python. Many packages can be found in the Python Package Index (PyPI). pip is a recursive acronym that can stand for either \"Pip Installs Packages\" or \"Pip Installs Python\". \n\nSecurity Fix(es):\n\n* python: tarfile module directory traversal (CVE-2007-4559)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 9.3 Release Notes linked from the References section."
    }
  ],
  "cveContents": null,
  "exploits": [
    {
      "exploitType": "nvd",
      "id": "",
      "url": "http://mail.python.org/pipermail/python-dev/2007-August/074292.html",
      "description": ""
    }
  ],
  "mitigations": [
    {
      "cveContentType": "redhat_api",
      "mitigation": "Do not extract archives from untrusted sources with the Python tarfile module. Users of the module should add sanity checks when calling the tarfile.extract or tarfile.extractall functions.",
      "url": "https://access.redhat.com/security/cve/CVE-2007-4559"
    }
  ],
  "alertDict": {
    "cisa": null,
    "jpcert": null,
    "uscert": null
  }
}

and CveContents of "redhat" type:

% cat results/2025-01-06T17-29-57+0900/rhel_90.json | jq -M '.scannedCves["CVE-2007-4559"] | .cveContents["redhat"]'
[
  {
    "type": "redhat",
    "cveID": "CVE-2007-4559",
    "title": "RHSA-2023:6694: python-pip security update (Moderate)",
    "summary": "pip is a package management system used to install and manage software packages written in Python. Many packages can be found in the Python Package Index (PyPI). pip is a recursive acronym that can stand for either \"Pip Installs Packages\" or \"Pip Installs Python\". \n\nSecurity Fix(es):\n\n* python: tarfile module directory traversal (CVE-2007-4559)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 9.3 Release Notes linked from the References section.",
    "cvss2Score": 0,
    "cvss2Vector": "",
    "cvss2Severity": "",
    "cvss3Score": 5.5,
    "cvss3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
    "cvss3Severity": "moderate",
    "cvss40Score": 0,
    "cvss40Vector": "",
    "cvss40Severity": "",
    "sourceLink": "https://access.redhat.com/security/cve/CVE-2007-4559",
    "references": [
      {
        "link": "https://access.redhat.com/errata/RHSA-2023:6694",
        "source": "RHSA",
        "refID": "RHSA-2023:6694"
      },
      {
        "link": "https://access.redhat.com/security/cve/CVE-2007-4559",
        "source": "CVE",
        "refID": "CVE-2007-4559"
      }
    ],
    "cweIDs": [
      "CWE-22"
    ],
    "published": "2023-11-07T00:00:00Z",
    "lastModified": "2023-11-07T00:00:00Z",
    "optional": {
      "redhat-rootid": "RHSA-2023:6694",
      "redhat-sourceid": "redhat-ovalv2"
    }
  }
]

Checklist:

You don't have to satisfy all of the following.

  • Write tests
  • Write documentation
  • Check that there aren't other open pull requests for the same issue/feature
  • Format your source code by make fmt
  • Pass the test by make test
  • Provide verification config / commands
  • Enable "Allow edits from maintainers" for this PR
  • Update the messages below

Is this ready for review?: YES

Reference
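The results JSON above (scannedCves keyed by CVE id, with confidences, affectedPackages/fixedIn, distroAdvisories and per-source cveContents) is what downstream tooling consumes. The following is an added example, not code from the vuls project or from this PR, that loads such a document, applies a confidence threshold in the spirit of the `--confidence-over=80` log line, derives the fixed/unfixed state and CVSS v3 bucket for each CVE, and produces counts in the shape of the report's "Total:" line. It embeds a trimmed copy of the CVE-2007-4559 entry shown above plus one constructed entry (CVE-EXAMPLE-0001, not a real CVE). The rules for the FIXED column (every affected package has a fixedIn) and for the confidence filter (scores below the threshold are dropped) are assumptions, marked as such in the code; the severity buckets are the standard CVSS v3 qualitative ranges.

```python
"""Summarise a vuls results JSON (the scannedCves structure shown in the PR).

Added example; not code from the vuls project. Assumptions are marked below.
"""
import json
from typing import Any, Dict, List, Optional

# Constructed sample: a trimmed copy of the CVE-2007-4559 entry from the PR
# description (advisory descriptions shortened) plus one fully made-up entry,
# CVE-EXAMPLE-0001, that exercises the low-confidence / unfixed path.
SAMPLE_RESULT = json.dumps({
    "scannedCves": {
        "CVE-2007-4559": {
            "cveID": "CVE-2007-4559",
            "confidences": [{"score": 100, "detectionMethod": "OvalMatch"}],
            "affectedPackages": [
                {"name": "python-unversioned-command", "fixedIn": "0:3.9.18-1.el9_3"},
                {"name": "python3", "fixedIn": "0:3.9.18-1.el9_3"},
                {"name": "python3-libs", "fixedIn": "0:3.9.18-1.el9_3"},
                {"name": "python3-pip-wheel", "fixedIn": "0:21.2.3-7.el9"},
            ],
            "distroAdvisories": [
                {"advisoryID": "RHSA-2023:6659", "severity": "Moderate",
                 "issued": "2023-11-07T00:00:00Z", "updated": "2023-11-07T00:00:00Z",
                 "description": "python3.9 update (text shortened here)"},
                {"advisoryID": "RHSA-2023:6694", "severity": "Moderate",
                 "issued": "2023-11-07T00:00:00Z", "updated": "2023-11-07T00:00:00Z",
                 "description": "python-pip update (text shortened here)"},
            ],
            "cveContents": {
                "redhat": [{
                    "type": "redhat", "cveID": "CVE-2007-4559",
                    "cvss3Score": 5.5,
                    "cvss3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
                    "cvss3Severity": "moderate", "cweIDs": ["CWE-22"],
                }]
            },
        },
        "CVE-EXAMPLE-0001": {  # constructed placeholder, not a real CVE
            "cveID": "CVE-EXAMPLE-0001",
            "confidences": [{"score": 50, "detectionMethod": "constructed-example"}],
            "affectedPackages": [{"name": "example-pkg", "fixedIn": ""}],
            "distroAdvisories": [],
            "cveContents": {
                "example": [{"type": "example", "cveID": "CVE-EXAMPLE-0001",
                             "cvss3Score": 9.8,
                             "cvss3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]
            },
        },
    }
})


def load_scanned_cves(text: str) -> Dict[str, Dict[str, Any]]:
    """Return the scannedCves map from a vuls results JSON document."""
    return json.loads(text)["scannedCves"]


def max_confidence(cve: Dict[str, Any]) -> int:
    """Highest confidence score recorded for this CVE (0 if none)."""
    return max((c.get("score", 0) for c in cve.get("confidences", [])), default=0)


def filter_by_confidence(cves: Dict[str, Dict[str, Any]], over: int) -> Dict[str, Dict[str, Any]]:
    """Keep CVEs whose best confidence score is at least `over`.
    Assumption: mirrors the --confidence-over flag (entries below it are dropped)."""
    return {cid: cve for cid, cve in cves.items() if max_confidence(cve) >= over}


def fix_state(cve: Dict[str, Any]) -> str:
    """'fixed' when every affected package carries a non-empty fixedIn, else 'unfixed'.
    Assumption: this is how the FIXED column of the report table is derived."""
    pkgs = cve.get("affectedPackages") or []
    return "fixed" if pkgs and all(p.get("fixedIn") for p in pkgs) else "unfixed"


def max_cvss3(cve: Dict[str, Any]) -> Optional[float]:
    """Highest cvss3Score across all cveContents sources; None when no source scores it.
    cveContents may be null (as in the PR output) and a score of 0 means unscored."""
    scores = [c["cvss3Score"]
              for contents in (cve.get("cveContents") or {}).values()
              for c in contents if c.get("cvss3Score")]
    return max(scores) if scores else None


def severity_bucket(score: Optional[float]) -> str:
    """CVSS v3 qualitative rating; 'unknown' matches the '?' column in the report."""
    if score is None:
        return "unknown"
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def advisory_ids(cve: Dict[str, Any]) -> List[str]:
    """Distro advisory identifiers (e.g. RHSA ids) attached to the CVE."""
    return [a["advisoryID"] for a in cve.get("distroAdvisories") or []]


def summarize(cves: Dict[str, Dict[str, Any]]) -> Dict[str, int]:
    """Counts in the shape of the report's 'Total: N (Critical:.. High:.. ...)' line."""
    summary = {"total": len(cves), "fixed": 0,
               "critical": 0, "high": 0, "medium": 0, "low": 0, "unknown": 0}
    for cve in cves.values():
        if fix_state(cve) == "fixed":
            summary["fixed"] += 1
        summary[severity_bucket(max_cvss3(cve))] += 1
    return summary


if __name__ == "__main__":
    cves = load_scanned_cves(SAMPLE_RESULT)
    print(summarize(cves))
    for cid, cve in filter_by_confidence(cves, 80).items():
        print(cid, fix_state(cve), max_cvss3(cve), advisory_ids(cve))
```

Note that the filter is applied before reporting but after summarising here, so the summary counts both entries while only the high-confidence one is listed; swap the order if the goal is to reproduce the report exactly, which counts only what survives the filter.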

@shino shino changed the title Merge vuls2 branch Use vuls2 for RedHat, CentOS, Alma and Rocky Jan 17, 2025
@shino shino requested a review from MaineK00n January 17, 2025 03:10
@shino shino changed the title Use vuls2 for RedHat, CentOS, Alma and Rocky feat(detector): use vuls2 for RedHat, CentOS, Alma and Rocky Jan 17, 2025
@shino shino self-assigned this Jan 17, 2025
@shino shino requested a review from MaineK00n January 17, 2025 08:32
shino and others added 3 commits January 20, 2025 14:09
Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>
Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>
@shino shino requested a review from MaineK00n January 20, 2025 06:34
@shino
Collaborator Author

shino commented Jan 20, 2025

OS package and library mixed case results.

% ./vuls report | head -n 50
[Jan 20 15:47:45]  INFO [localhost] vuls-v0.28.1-build-20250120_153724_5329983
[Jan 20 15:47:45]  INFO [localhost] Validating config...
[Jan 20 15:47:45]  INFO [localhost] cveDict.type=sqlite3, cveDict.url=, cveDict.SQLite3Path=/data/vulsctl/docker/cve.sqlite3
[Jan 20 15:47:45]  INFO [localhost] ovalDict.type=sqlite3, ovalDict.url=, ovalDict.SQLite3Path=/home/shino/g/goval-dictionary/redhat-oval12.sqlite3
[Jan 20 15:47:45]  INFO [localhost] gost.type=sqlite3, gost.url=, gost.SQLite3Path=/data/vulsctl/docker/gost.sqlite3
[Jan 20 15:47:45]  INFO [localhost] exploit.type=sqlite3, exploit.url=, exploit.SQLite3Path=/data/vulsctl/docker/go-exploitdb.sqlite3
[Jan 20 15:47:45]  INFO [localhost] metasploit.type=sqlite3, metasploit.url=, metasploit.SQLite3Path=/data/vulsctl/docker/go-msfdb.sqlite3
[Jan 20 15:47:45]  INFO [localhost] kevuln.type=sqlite3, kevuln.url=, kevuln.SQLite3Path=/data/vulsctl/docker/go-kev.sqlite3
[Jan 20 15:47:45]  INFO [localhost] cti.type=sqlite3, cti.url=, cti.SQLite3Path=/data/vulsctl/docker/go-cti.sqlite3
[Jan 20 15:47:45]  INFO [localhost] Loaded: /home/shino/g/vuls/results/2025-01-06T17-29-57+0900
[Jan 20 15:47:45]  INFO [localhost] Updating library db...
[Jan 20 15:47:45]  INFO [localhost] rhel_73-mixed: 5 CVEs are detected with Library
[Jan 20 15:47:56]  INFO [localhost] rhel_73-mixed: 3933 CVEs are detected with vuls2
[Jan 20 15:47:56]  INFO [localhost] rhel_73-mixed: 0 unfixed CVEs are detected with gost
[Jan 20 15:47:56]  INFO [localhost] rhel_73-mixed: 0 CVEs are detected with CPE
[Jan 20 15:48:21]  INFO [localhost] rhel_73-mixed: 67 PoC are detected
[Jan 20 15:48:21]  INFO [localhost] rhel_73-mixed: 0 exploits are detected
[Jan 20 15:48:22]  INFO [localhost] rhel_73-mixed: Known Exploited Vulnerabilities are detected for 18 CVEs
[Jan 20 15:48:22]  INFO [localhost] rhel_73-mixed: Cyber Threat Intelligences are detected for 0 CVEs
[Jan 20 15:48:22]  INFO [localhost] rhel_73-mixed: total 3938 CVEs detected
[Jan 20 15:48:22]  INFO [localhost] rhel_73-mixed: 0 CVEs filtered by --confidence-over=80
rhel_73-mixed (redhat7.3)
=========================
Total: 3938 (Critical:132 High:1231 Medium:2477 Low:93 ?:5)
962/3938 Fixed, 598 poc, 0 exploits, 18 kevs, uscert: 18, jpcert: 20 alerts
405 installed, 1 libs

Warning: Some warnings occurred.
[Standard OS support is EOL(End-of-Life). Purchase extended support if available or Upgrading your OS is strongly recommended. Extended support available until 2026-06-30. Check the vendor site.]


+------------------+------+--------+-----+-----------+-----------+---------+-------------------------------------+
|      CVE-ID      | CVSS | ATTACK | POC |    KEV    |   ALERT   |  FIXED  |              PACKAGES               |
+------------------+------+--------+-----+-----------+-----------+---------+-------------------------------------+
| CVE-2017-14491   | 10.0 |  AV:N  | POC |           |           |   fixed | dnsmasq                             |
+------------------+------+--------+-----+-----------+-----------+---------+-------------------------------------+
| CVE-2017-14492   | 10.0 |  AV:A  | POC |           |           |   fixed | dnsmasq                             |
+------------------+------+--------+-----+-----------+-----------+---------+-------------------------------------+
| CVE-2017-14493   | 10.0 |  AV:A  | POC |           |           |   fixed | dnsmasq                             |
+------------------+------+--------+-----+-----------+-----------+---------+-------------------------------------+
| CVE-2017-14494   | 10.0 |  AV:N  | POC |           |           |   fixed | dnsmasq                             |
+------------------+------+--------+-----+-----------+-----------+---------+-------------------------------------+
| CVE-2017-14495   | 10.0 |  AV:N  | POC |           |           |   fixed | dnsmasq                             |
+------------------+------+--------+-----+-----------+-----------+---------+-------------------------------------+
| CVE-2017-14496   | 10.0 |  AV:N  | POC |           |           |   fixed | dnsmasq                             |
+------------------+------+--------+-----+-----------+-----------+---------+-------------------------------------+
| CVE-2017-5461    | 10.0 |  AV:N  |     |           |           |   fixed | nss, nss-sysinit, nss-tools,        |
|                  |      |        |     |           |           |         | nss-util                            |
+------------------+------+--------+-----+-----------+-----------+---------+-------------------------------------+
| CVE-2018-1111    | 10.0 |  AV:A  | POC |           |           |   fixed | dhclient, dhcp-common,              |
|                  |      |        |     |           |           |         | dhcp-libs                           |
+------------------+------+--------+-----+-----------+-----------+---------+-------------------------------------+
| CVE-2021-43527   | 10.0 |  AV:N  |     |           |           |   fixed | nss, nss-sysinit, nss-tools         |
+------------------+------+--------+-----+-----------+-----------+---------+-------------------------------------+
| CVE-2021-44228   | 10.0 |  AV:N  | POC | cisa      |      CERT |   fixed | org.apache.logging.log4j:log4j-core |
+------------------+------+--------+-----+-----------+-----------+---------+-------------------------------------+
| CVE-2021-44832   | 10.0 |  AV:N  |     | vulncheck |      CERT |   fixed | org.apache.logging.log4j:log4j-core |
+------------------+------+--------+-----+-----------+-----------+---------+-------------------------------------+
| CVE-2021-45046   | 10.0 |  AV:N  |     | cisa      |      CERT |   fixed | org.apache.logging.log4j:log4j-core |
+------------------+------+--------+-----+-----------+-----------+---------+-------------------------------------+
| CVE-2021-45105   | 10.0 |  AV:N  |     | vulncheck |      CERT |   fixed | org.apache.logging.log4j:log4j-core |
+------------------+------+--------+-----+-----------+-----------+---------+-------------------------------------+
| CVE-2014-9761    |  9.8 |  AV:N  |     |           |           |   fixed | glibc, glibc-common,                |
|                  |      |        |     |           |           |         | glibc-devel, glibc-headers          |
+------------------+------+--------+-----+-----------+-----------+---------+-------------------------------------+
| CVE-2014-9939    |  9.8 |  AV:L  |     |           |           | unfixed | binutils                            |
+------------------+------+--------+-----+-----------+-----------+---------+-------------------------------------+
| CVE-2015-4042    |  9.8 |  AV:N  | POC |           |           | unfixed | coreutils                           |
+------------------+------+--------+-----+-----------+-----------+---------+-------------------------------------+
| CVE-2015-8778    |  9.8 |  AV:N  |     |           |           |   fixed | glibc, glibc-common,                |
|                  |      |        |     |           |           |         | glibc-devel, glibc-headers          |

@shino shino merged commit e89fc33 into master Jan 20, 2025
7 checks passed
@shino shino deleted the vuls2 branch January 20, 2025 07:55