
[v2] Data sent to ES Integration doesn't have host/container/etc., fields #1376

Open
gnmahanth opened this issue Jul 19, 2023 · 1 comment
Labels: bug (Something isn't working), needs-triage (Indicates that issue is not yet triaged and assigned), v2 (ThreatMapper revamp based on neo4j integration)

Comments

@gnmahanth (Contributor)

Describe the bug
Data sent to the ES integration is missing fields useful to identify the node where the scan was run.

Steps To Reproduce

  1. Go to Integrations
  2. Configure an ES integration to send vulnerability/secret data
  3. Run a vulnerability or secret scan
  4. Check data in the configured index

Expected behavior
The fields indicating which node the scan belongs to are missing.

Sample Vulnerability from data in ES

```json
{
  "_index": "scans",
  "_type": "_doc",
  "_id": "1AljbYkB9I5oKUBekxXj",
  "_score": 1.0,
  "_ignored": [
    "cve_description.keyword"
  ],
  "_source": {
    "cve_attack_vector": "cvss:3.1/av:n/ac:l/pr:n/ui:n/s:u/c:h/i:n/a:n",
    "cve_caused_by_package": "libgcrypt20:1.8.7-6",
    "cve_caused_by_package_path": "",
    "cve_container_layer": "",
    "cve_cvss_score": 7.5,
    "cve_description": "Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.",
    "cve_fixed_in": "",
    "cve_id": "CVE-2021-33560",
    "cve_link": "https://www.oracle.com/security-alerts/cpuoct2021.html",
    "cve_overall_score": 7.5,
    "cve_severity": "high",
    "cve_type": "",
    "exploit_poc": "",
    "has_live_connection": false,
    "masked": false,
    "node_id": "libgcrypt20:1.8.7-6CVE-2021-33560",
    "parsed_attack_vector": "network",
    "resources": null,
    "updated_at": 1689757363792,
    "urls": [
      "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-33560.json",
      "https://access.redhat.com/security/cve/CVE-2021-33560",
      "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33560",
      "https://dev.gnupg.org/T5305",
      "https://dev.gnupg.org/T5328",
      "https://dev.gnupg.org/T5466",
      "https://dev.gnupg.org/rCe8b7f10be275bcedb5fc05ed4837a89bfd605c61",
      "https://eprint.iacr.org/2021/923",
      "https://errata.almalinux.org/8/ALSA-2021-4409.html",
      "https://linux.oracle.com/cve/CVE-2021-33560.html",
      "https://linux.oracle.com/errata/ELSA-2022-9263.html",
      "https://lists.debian.org/debian-lts-announce/2021/06/msg00021.html",
      "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BKKTOIGFW2SGN3DO2UHHVZ7MJSYN4AAB/",
      "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7OAPCUGPF3VLA7QAJUQSL255D4ITVTL/",
      "https://nvd.nist.gov/vuln/detail/CVE-2021-33560",
      "https://security.gentoo.org/glsa/202210-13",
      "https://ubuntu.com/security/notices/USN-5080-1",
      "https://ubuntu.com/security/notices/USN-5080-2",
      "https://www.cve.org/CVERecord?id=CVE-2021-33560",
      "https://www.oracle.com/security-alerts/cpuapr2022.html",
      "https://www.oracle.com/security-alerts/cpujan2022.html",
      "https://www.oracle.com/security-alerts/cpujul2022.html",
      "https://www.oracle.com/security-alerts/cpuoct2021.html"
    ]
  }
}
```

Sample data for Secret in ES

```json
{
  "_index": "secrets",
  "_type": "_doc",
  "_id": "NQlnbYkB9I5oKUBesRaB",
  "_score": 1.0,
  "_source": {
    "full_filename": "etc/shadow",
    "level": "medium",
    "masked": false,
    "matched_content": "\"etc/shadow\"",
    "name": "Potential Linux shadow file",
    "node_id": "84_etc_shadow",
    "part": "path",
    "relative_ending_index": 10,
    "relative_starting_index": 0,
    "resources": null,
    "rule_id": 84,
    "score": 5,
    "signature_to_match": "etc/shadow$",
    "starting_index": 0,
    "updated_at": 1689757628653
  }
}
```
gnmahanth added the bug, needs-triage and v2 labels on Jul 19, 2023

@varunsharma0286 (Collaborator)

This is consistent across all the integrations. We have no way to associate the result with the entity (host, image or container).
We should be putting an "Identifier" in the results to accomplish this association. The identifier could be the "ScanID" or the "Name" of the entity (hostname, image name+tag, container name).
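As an added illustration, not part of this issue or of ThreatMapper's code, the Go sketch below shows the association the comment above asks for: each result document gets a scan identifier and the entity's type and name before it is sent, and an audit helper flags documents already in an index that lack them. The `ScanContext` type, the `scan_id`/`node_type`/`node_name` field names and the sample values are assumptions, not the project's schema; the sample hit is a shortened copy of the secret document quoted in the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ScanContext is scan metadata to attach to each result (field names assumed, not ThreatMapper's schema).
type ScanContext struct {
	ScanID   string // unique id of the scan run
	NodeType string // "host", "container" or "container_image"
	NodeName string // hostname, container name, or image name:tag
}

// identityFields are the keys a consumer needs to tie a result back to its node.
var identityFields = []string{"scan_id", "node_type", "node_name"}
// MissingIdentityFields lists identity keys absent or empty in a document's _source (audit helper).
func MissingIdentityFields(source map[string]any) []string {
	missing := []string{}
	for _, k := range identityFields {
		if v, ok := source[k]; !ok || v == nil || v == "" {
			missing = append(missing, k)
		}
	}
	return missing
}

// Enrich returns a copy of the result with the scan context added; the input map is left unchanged.
func Enrich(source map[string]any, ctx ScanContext) map[string]any {
	out := make(map[string]any, len(source)+len(identityFields))
	for k, v := range source {
		out[k] = v
	}
	out["scan_id"], out["node_type"], out["node_name"] = ctx.ScanID, ctx.NodeType, ctx.NodeName
	return out
}

// SourceOf extracts _source from a raw Elasticsearch hit like those quoted in the issue.
func SourceOf(hit string) (map[string]any, error) {
	var h struct{ Source map[string]any `json:"_source"` }
	err := json.Unmarshal([]byte(hit), &h)
	return h.Source, err
}

// sampleHit is a constructed, shortened copy of the secret hit shown in the issue.
const sampleHit = `{"_index":"secrets","_id":"NQlnbYkB9I5oKUBesRaB","_source":{"full_filename":"etc/shadow","level":"medium","node_id":"84_etc_shadow","rule_id":84}}`
func main() {
	src, _ := SourceOf(sampleHit)
	fixed := Enrich(src, ScanContext{"scan-constructed-001", "host", "ip-10-0-0-12"})
	fmt.Println(MissingIdentityFields(src), MissingIdentityFields(fixed)) // [scan_id node_type node_name] []
}
```

Run over an existing index, `MissingIdentityFields` identifies documents written before the fix, which cannot be attributed to a node after the fact because the source document carries nothing but `node_id`.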
