server mode doesn't use default section ignoreCves/ignorePkgsRegexp #1267

Open
hdhoang opened this issue Jul 2, 2021 · 0 comments · May be fixed by #1270
hdhoang commented Jul 2, 2021

What did you do? (required. The issue will be closed when not provided.)

I run a vuls server to receive dpkg lists from other nodes, submitted like this:

dpkg-query -W -f='${binary:Package},${db:Status-Abbrev},${Version},${Source},${source:Version}\n' |
curl -sS -o - -X POST \
  -H "content-type: text/plain" -H 'X-Vuls-OS-Family: debian' \
  -H "X-Vuls-Server-Name: via-server" \
  -H "X-Vuls-OS-Release: $(cat /etc/debian_version)" \
  -H "X-Vuls-Kernel-Release: $(uname -r)" \
  -H "X-Vuls-Kernel-Version: $(uname -a | awk '{print $7}')" \
  http://127.0.0.1:5515/vuls \
  --data-binary @-

I want to ignore specific packages (libicu), or specific CVEs (e.g. the ancient CVE-2005-3660), on all servers. So I added them to the default settings ignoreCves, ignorePkgsRegexp. This works for vuls scan mode, and is visible in the results JSON file:

    "config": {
        "scan": {
            "debug": true,
            "logDir": "/var/log/vuls",
            "resultsDir": "/vuls/results",
            "default": {
                "ignoreCves": [
                    "CVE-2005-3660"
                ],
                "ignorePkgsRegexp": [
                    "^libicu"
                ]
            },
            "servers": {
                "via-ssh": {
                    "serverName": "via-ssh",
                    "user": "root",
                    "host": "127.0.0.1",
                    "port": "22",
                    "ignoreCves": [
                        "CVE-2005-3660"
                    ],
                    "ignorePkgsRegexp": [
                        "^libicu"
                    ],

What did you expect to happen?

The default settings should be applied to vuls server scans as well.

What happened instead?

dpkg-query -W -f='${binary:Package},${db:Status-Abbrev},${Version},${Source},${source:Version}\n' |
curl -sS -o - -X POST \
  -H "content-type: text/plain" -H 'X-Vuls-OS-Family: debian' \
  -H "X-Vuls-Server-Name: via-server" \
  -H "X-Vuls-OS-Release: $(cat /etc/debian_version)" \
  -H "X-Vuls-Kernel-Release: $(uname -r)" \
  -H "X-Vuls-Kernel-Version: $(uname -a | awk '{print $7}')" \
  http://127.0.0.1:5515/vuls \
  --data-binary @- |
jq . >> via-server.json

grep 2021-30535 via-server.json
      "CVE-2021-30535": {
        "cveID": "CVE-2021-30535",
            "cveID": "CVE-2021-30535",
            "sourceLink": "https://security-tracker.debian.org/tracker/CVE-2021-30535",
            "cveID": "CVE-2021-30535",
            "sourceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-30535",
  • Current Output

Please re-run the command using -debug and provide the output below.

In the gist at https://gist.github.com/hdhoang/b88afd48e3c5aa034315f58b89819818

Steps to reproduce the behaviour

Using a Debian VM (10.9, freshly installed from CD). vuls, cve-dictionary, gost, goval fetched for years 2020, 2021, Debian 10.

Configuration (MUST fill this out):

  • Go version (go version): (not relevant because I'm using docker image)

  • Go environment (go env): (not relevant because I'm using docker image)

  • Vuls environment:

Hash : vuls-v0.15.11-build-20210625_051138_8e6351a (docker image)

  • config.toml:

[default]
ignorePkgsRegexp = [
"^libicu",
]

ignoreCves = [
 "CVE-2005-3660", # linux-image
]

[servers."via-ssh"]
host = "127.0.0.1"
user = "root"

  • command:

docker run --network=host --rm -it -v $PWD:/vuls -v /root/.ssh:/root/.ssh vuls/vuls scan -debug >> scan-debug.txt
docker run --network=host --rm -it -v $PWD:/vuls -v /root/.ssh:/root/.ssh vuls/vuls server -debug >> server-debug.txt
# then submit in other terminal
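As an added illustration (not vuls's own code), the merge-and-filter behaviour this report expects, in Python: the [default] lists apply to every server, including a name such as via-server that exists only as a server-mode submission and has no [servers.*] entry. The config dict, the sample findings, the placeholder CVE-1900-0001 and the search-style regex matching are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed config mirroring the issue's config.toml: a [default] section plus one server.
# "via-server" has no entry at all, as with a node that only posts its dpkg list in server mode.
CONFIG = {
    "default": {
        "ignoreCves": ["CVE-2005-3660"],
        "ignorePkgsRegexp": ["^libicu"],
    },
    "servers": {
        "via-ssh": {"host": "127.0.0.1", "user": "root"},
    },
}


def effective_server_config(config: Dict, server_name: str) -> Dict:
    """Layer a server's own settings over the [default] section.

    A server-level list wins when set; otherwise the default list applies.
    A server name with no entry (the server-mode case) gets the defaults only.
    """
    merged = dict(config.get("default", {}))
    merged.update(config.get("servers", {}).get(server_name, {}))
    merged.setdefault("ignoreCves", [])
    merged.setdefault("ignorePkgsRegexp", [])
    return merged


def filter_findings(findings: List[Dict], server_cfg: Dict) -> List[Dict]:
    """Drop findings listed in ignoreCves or whose package matches any ignorePkgsRegexp.

    Assumption: regex patterns are applied with re.search, so "^libicu" anchors at the start.
    """
    ignored_cves = set(server_cfg["ignoreCves"])
    pkg_patterns = [re.compile(p) for p in server_cfg["ignorePkgsRegexp"]]
    kept = []
    for finding in findings:
        if finding["cveID"] in ignored_cves:
            continue
        if any(p.search(finding["package"]) for p in pkg_patterns):
            continue
        kept.append(finding)
    return kept


# Constructed sample findings, not real scan output; CVE-1900-0001 is a placeholder id.
SAMPLE_FINDINGS = [
    {"cveID": "CVE-2021-30535", "package": "libicu63"},
    {"cveID": "CVE-2005-3660", "package": "linux-image-amd64"},
    {"cveID": "CVE-1900-0001", "package": "openssl"},
]
```

Running filter_findings over SAMPLE_FINDINGS with the via-server config keeps only the placeholder openssl finding; the libicu and CVE-2005-3660 entries are dropped by the default section alone.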