Merge pull request #518 from m-1-k-3/cve_state

CVE state message printing

check_project.sh

@@ -17,12 +17,20 @@
 
 STRICT_MODE=1
 
+INSTALLER_DIR="./installer"
+HELP_DIR="./helpers"
+MOD_DIR="./modules"
+MOD_DIR_LOCAL="./modules_local"
+CONF_DIR="./config"
+EXT_DIR="./external"
+REP_DIR="$CONF_DIR/report_templates"
+
 if [[ "$STRICT_MODE" -eq 1 ]]; then
   # shellcheck source=./installer/wickStrictModeFail.sh
-  source ./installer/wickStrictModeFail.sh
+  source "$INSTALLER_DIR"/wickStrictModeFail.sh
   export DEBUG_SCRIPT=0
   # shellcheck source=./helpers/helpers_emba_load_strict_settings.sh
-  source ./helpers/helpers_emba_load_strict_settings.sh
+  source "$HELP_DIR"/helpers_emba_load_strict_settings.sh
   load_strict_mode_settings
   trap 'wickStrictModeFail $?' ERR  # The ERR trap is triggered when a script catches an error
 fi
@@ -34,14 +42,6 @@ export BLUE='\033[0;34m'
 export BOLD='\033[1m'
 export NC='\033[0m' # no color
 
-INSTALLER_DIR="./installer"
-HELP_DIR="./helpers"
-MOD_DIR="./modules"
-MOD_DIR_LOCAL="./modules_local"
-CONF_DIR="./config"
-EXT_DIR="./external"
-REP_DIR="$CONF_DIR/report_templates"
-
 SOURCES=()
 MODULES_TO_CHECK_ARR=()
 MODULES_TO_CHECK_ARR_TAB=()
@@ -174,7 +174,7 @@ check() {
   echo -e "\\n""$GREEN""Run shellcheck and semgrep:""$NC""\\n"
   for SOURCE in "${SOURCES[@]}"; do
     echo -e "\\n""$GREEN""Run ${ORANGE}shellcheck$GREEN on $ORANGE$SOURCE""$NC""\\n"
-    if shellcheck -x -P "./installer":"$HELP_DIR":"$MOD_DIR":"$MOD_DIR_LOCAL" "$SOURCE" || [[ $? -ne 1 && $? -ne 2 ]]; then
+    if shellcheck -x -P "$INSTALLER_DIR":"$HELP_DIR":"$MOD_DIR":"$MOD_DIR_LOCAL" "$SOURCE" || [[ $? -ne 1 && $? -ne 2 ]]; then
       echo -e "$GREEN""$BOLD""==> SUCCESS""$NC""\\n"
     else
       echo -e "\\n""$ORANGE""$BOLD""==> FIX ERRORS""$NC""\\n"

helpers/helpers_emba_defaults.sh

@@ -21,6 +21,7 @@ set_defaults() {
   export RELEASE=0
   export EMBA_VERSION="1.2.x"
 
+  export CLEANED=0              # used for the final cleaner function for not running it multiple times
   export STRICT_MODE=0
   export DEBUG_SCRIPT=0
   export UPDATE=0

helpers/helpers_emba_dependency_check.sh

@@ -113,13 +113,19 @@ check_nw_interface() {
 }
 
 check_cve_search() {
+  # CVE_STATUS_PRINT is used to disable the printing of the regular status check
+  # this was confusing for EMBA users
+  CVE_STATUS_PRINT="${1:-0}"
+
   if [[ $JUMP_OVER_CVESEARCH_CHECK -eq 1 ]] ; then
     # no cve check -> just return and enforce CVE_SEARCH
     export CVE_SEARCH=1
     return
   fi
   TOOL_NAME="cve-search"
-  print_output "    ""$TOOL_NAME"" - testing" "no_log"
+  if [[ "$CVE_STATUS_PRINT" -eq 1 ]]; then
+    print_output "    ""$TOOL_NAME"" - testing" "no_log"
+  fi
   local CVE_SEARCH_=0 # local checker variable
   # check if the cve-search produces results:
   if ! [[ $("$PATH_CVE_SEARCH" -p busybox 2>/dev/null | grep -c ":\ CVE-") -gt 18 ]]; then
@@ -163,7 +169,9 @@ check_cve_search() {
     print_cve_search_failure
     export CVE_SEARCH=0
   else
-    print_output "    ""$TOOL_NAME"" - ""$GREEN""ok""$NC" "no_log"
+    if [[ "$CVE_STATUS_PRINT" -eq 1 ]]; then
+      print_output "    ""$TOOL_NAME"" - ""$GREEN""ok""$NC" "no_log"
+    fi
     export CVE_SEARCH=1
   fi
 }
@@ -334,7 +342,7 @@ dependency_check()
     check_dep_tool "docker"
     check_dep_tool "docker-compose"
     check_docker_env
-    check_cve_search
+    check_cve_search 1
     check_dep_tool "inotifywait"
     check_dep_tool "notify-send"
   fi
@@ -474,7 +482,7 @@ dependency_check()
       # TODO change to portcheck and write one for external hosts
       check_dep_file "cve-search script" "$EXT_DIR""/cve-search/bin/search.py"
       # we have already checked it outside the docker - do not need it again
-      [[ "$IN_DOCKER" -eq 0 ]] && check_cve_search
+      [[ "$IN_DOCKER" -eq 0 ]] && check_cve_search 1
       if [[ "$IN_DOCKER" -eq 0 ]]; then
         # really basic check, if cve-search database is running - no check, if populated and also no check, if EMBA in docker
         check_dep_tool "mongo database" "mongod"

helpers/helpers_emba_helpers.sh

@@ -83,6 +83,7 @@ max_pids_protection() {
 # $1 - 0 default exit 0
 cleaner() {
   INTERRUPT_CLEAN="${1:-1}"
+  [[ "$CLEANED" -eq 1 ]] && return
   if [[ "$INTERRUPT_CLEAN" -eq 1 ]]; then
     print_output "[*] Interrupt detected!" "no_log"
   fi
@@ -157,15 +158,6 @@ cleaner() {
     fuser -k "$FIRMWARE_PATH" || true
   fi
 
-  # if [[ "$IN_DOCKER" -eq 1 ]] && [[ -f "$TMP_DIR"/EXIT_KILL_PIDS_DOCKER.log ]]; then
-    # while read -r KILL_PID; do
-    #  if [[ -e /proc/"$KILL_PID" ]]; then
-    #    print_output "[*] Stopping EMBA process with PID $KILL_PID" "no_log"
-    #    kill -9 "$KILL_PID" > /dev/null || true
-    #  fi
-    # done < "$TMP_DIR"/EXIT_KILL_PIDS_DOCKER.log
-  # fi
-
   if [[ "$IN_DOCKER" -eq 0 ]] && [[ -f "$TMP_DIR"/EXIT_KILL_PIDS.log ]]; then
     while read -r KILL_PID; do
       if [[ -e /proc/"$KILL_PID" ]]; then
@@ -178,6 +170,7 @@ cleaner() {
   if [[ "$IN_DOCKER" -eq 0 ]] && [[ -d "$TMP_DIR" ]]; then
     rm -r "$TMP_DIR" 2>/dev/null || true
   fi
+  export CLEANED=1
   if [[ "$INTERRUPT_CLEAN" -eq 1 ]]; then
     print_output "[!] Test ended on ""$(date)"" and took about ""$(date -d@"$SECONDS" -u +%H:%M:%S)"" \\n" "no_log"
     exit 1

modules/L10_system_emulation/inferService.sh

@@ -69,22 +69,22 @@ for BINARY in $("${BUSYBOX}" find / -name "lighttpd" -type f -o -name "upnp" -ty
       # check if this service is already in the service file:
       if ! "${BUSYBOX}" grep -q "${SERVICE_NAME}" /firmadyne/service 2>/dev/null; then
         # check if we have a configuration available and iterate
-        for LIGHT_CONFIG in $("${BUSYBOX}" find / -name "lighttpd*.conf" -type f); do
+        for LIGHT_CONFIG in $("${BUSYBOX}" find / -name "*lighttpd*.conf" -type f); do
           # write the service starter with config file
           "${BUSYBOX}" echo -e "[*] Writing EMBA service for $ORANGE${BINARY} - ${LIGHT_CONFIG}$NC"
           "${BUSYBOX}" echo -e -n "${BINARY} -f ${LIGHT_CONFIG}\n" >> /firmadyne/service
         done
       fi
     elif [ "$("${BUSYBOX}" echo "${SERVICE_NAME}")" == "miniupnpd" ]; then
       if ! "${BUSYBOX}" grep -q "${SERVICE_NAME}" /firmadyne/service 2>/dev/null; then
-        for MINIUPNPD_CONFIG in $("${BUSYBOX}" find / -name "miniupnpd*.conf" -type f); do
+        for MINIUPNPD_CONFIG in $("${BUSYBOX}" find / -name "*miniupnpd*.conf" -type f); do
           "${BUSYBOX}" echo -e "[*] Writing EMBA service for $ORANGE${BINARY} - ${MINIUPNPD_CONFIG}$NC"
           "${BUSYBOX}" echo -e -n "${BINARY} -f ${MINIUPNPD_CONFIG}\n" >> /firmadyne/service
         done
       fi
     elif [ "$("${BUSYBOX}" echo "${SERVICE_NAME}")" == "wscd" ]; then
       if ! "${BUSYBOX}" grep -q "${SERVICE_NAME}" /firmadyne/service 2>/dev/null; then
-        for WSCD_CONFIG in $("${BUSYBOX}" find / -name "wscd*.conf" -type f); do
+        for WSCD_CONFIG in $("${BUSYBOX}" find / -name "*wscd*.conf" -type f); do
           "${BUSYBOX}" echo -e "[*] Writing EMBA service for $ORANGE${BINARY} - ${WSCD_CONFIG}$NC"
           "${BUSYBOX}" echo -e -n "${BINARY} -c ${WSCD_CONFIG}\n" >> /firmadyne/service
         done

modules/P70_unblob.sh

@@ -66,7 +66,6 @@ P70_unblob() {
 
   module_title "Unblob binary firmware extractor"
   pre_module_reporter "${FUNCNAME[0]}"
-  print_output "[*] INFO: The results are only further used if the EMBA/binwalk extraction process was failing."
 
   export LINUX_PATH_COUNTER_UNBLOB=0
   local OUTPUT_DIR_UNBLOB="$LOG_PATH_MODULE"/unblob_extracted
@@ -108,6 +107,7 @@ P70_unblob() {
       print_ln
       tree -sh "$LOG_DIR/firmware/unblob_extracted" | tee -a "$LOG_FILE"
     else
+      print_output "[*] INFO: The Unblob results are not further used as the EMBA/binwalk extraction process looks good."
       tree -sh "$OUTPUT_DIR_UNBLOB" | tee -a "$LOG_FILE"
     fi
     print_ln

modules/S17_apk_check.sh

@@ -76,7 +76,7 @@ apk_checker_helper() {
   go run "$EXT_DIR"/APKHunt/apkhunt.go -p "$APK" -l 2>&1 | tee -a "$LOG_PATH_MODULE/APKHunt-$(basename -s .apk "$APK").txt"
 
   if [[ -f "$LOG_PATH_MODULE/APKHunt-$(basename -s .apk "$APK").txt" ]]; then
-    APK_ISSUES=$(grep -c -E "^[0-9]+:" "$LOG_PATH_MODULE/APKHunt-$(basename -s .apk "$APK").txt")
+    APK_ISSUES=$(grep -c -E "^[0-9]+:" "$LOG_PATH_MODULE/APKHunt-$(basename -s .apk "$APK").txt" || true)
     if [[ "$APK_ISSUES" -gt 0 ]]; then
       print_output "[+] APKHunt found $ORANGE$APK_ISSUES$GREEN areas of interest in $ORANGE$(print_path "$APK")$NC" "" "$LOG_PATH_MODULE/APKHunt-$(basename -s .apk "$APK").txt"
     else