Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix workflows, improve CVE identification #919

Merged
merged 3 commits into from
Nov 29, 2023
Merged

Fix workflows, improve CVE identification #919

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
e22a772
fix workflows, fix CVE detection
m-1-k-3 Nov 29, 2023
4c8201f
remove debug print
m-1-k-3 Nov 29, 2023
ce35819
Merge branch 'e-m-b-a:master' into trivy_workflow
m-1-k-3 Nov 29, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/default_install.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ jobs:
wget https://ftp.dlink.de/dir/dir-300/archive/driver_software/DIR-300_fw_revb_214b01_ALL_de_20130206.zip
- name: EMBA default analysis
run: |
sudo ./emba -f ./DIR-300_fw_revb_214b01_ALL_de_20130206.zip -l ./logs_emba -S -p ./scan-profiles/default-scan.emba -y -j
sudo ./emba -f ./DIR-300_fw_revb_214b01_ALL_de_20130206.zip -l ./logs_emba -S -p ./scan-profiles/default-scan.emba -y
- name: Check result files exist
id: check_files
uses: andstor/file-existence-action@v2
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/trivy.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@ jobs:
-v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/emba/emba":"/github/workspace" d6f297:4714451b1eca4e41a4cc10f0a8a8c25a \
"-a image" "-b template" "-c @/contrib/sarif.tpl" "-d " "-e false" "-f os,library" "-h trivy-results.sarif" \
"-i embeddedanalyzer/emba" \
"-j ." "-k /external/semgrep-rules,/external/routersploit,/external/arachni,/etc/ssl/private/,/external/jdk" \
"-j ." "-k /external/semgrep-rules,/external/routersploit,/external/arachni,/etc/ssl/private/,/external/jdk,/external/emba_venv/lib/python3.11/site-packages/cve_searchsploit/exploitdb" \
"-l " "-m " "-n 60m" "-o " "-p " "-q " "-r false" "-s " "-t " "-u "

- name: Upload Trivy scan results to GitHub Security tab
Expand Down
4 changes: 4 additions & 0 deletions installer/IF20_nvd_feed.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,10 @@ IF20_nvd_feed() {
cd "${HOME_PATH}" || ( echo "Could not install EMBA component NVD JSON data feed" && exit 1 )

echo -e "\\n""${MAGENTA}""Check if the NVD JSON data feed is already installed and populated.""${NC}"
if [[ "${GH_ACTION}" -eq 1 ]]; then
echo "[*] Github action - not installing NVD database"
return
fi
if [[ -d external/nvd-json-data-feeds ]]; then
cd external/nvd-json-data-feeds || ( echo "Could not install EMBA component NVD JSON data feed" && exit 1 )
git pull
Expand Down
78 changes: 29 additions & 49 deletions modules/F20_vul_aggregator.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -566,41 +566,31 @@ check_cve_sources() {
# .versionStartExcluding
# .versionEndIncluding
# .versionEndExcluding
mapfile -t CVE_CPEs_vuln_ARR < <(jq -r '.configurations[].nodes[].cpeMatch[] | select(.vulnerable==true) | .criteria' "${CVE_VER_SOURCES_FILE}" | grep "cpe:[0-9]\.[0-9]:[a-z]:.*:${BIN_NAME}:\*:" || true)
mapfile -t CVE_CPEs_vuln_ARR < <(jq -rc '.configurations[].nodes[].cpeMatch[] | select(.vulnerable==true)' "${CVE_VER_SOURCES_FILE}" | grep "cpe:[0-9]\.[0-9]:[a-z]:.*:${BIN_NAME}:\*:" || true)
# the result looks like the following:
# └─$ jq -rc '.configurations[].nodes[].cpeMatch[] | select(.vulnerable==true)' external/nvd-json-data-feeds/CVE-2023/CVE-2023-02xx/CVE-2023-0215.json
# {"vulnerable":true,"criteria":"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*","versionStartIncluding":"1.0.2","versionEndExcluding":"1.0.2zg","matchCriteriaId":"70985D55-A574-4151-B451-4D500CBFC29A"}
# {"vulnerable":true,"criteria":"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*","versionStartIncluding":"1.1.1","versionEndExcluding":"1.1.1t","matchCriteriaId":"DE0061D6-8F81-45D3-B254-82A94915FD08"}
# {"vulnerable":true,"criteria":"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.0.8","matchCriteriaId":"A6DC5D88-4E99-48F2-8892-610ACA9B5B86"}
# {"vulnerable":true,"criteria":"cpe:2.3:a:stormshield:stormshield_management_center:*:*:*:*:*:*:*:*","versionEndExcluding":"3.3.3","matchCriteriaId":"62A933C5-C56E-485C-AD49-3B6A2C329131"}

for CVE_CPE_vuln in "${CVE_CPEs_vuln_ARR[@]}"; do
if ! echo "${CVE_CPE_vuln}" | cut -d ':' -f1-8 | grep -q "${BIN_NAME}"; then
# ensure our binary is in the first 8 fields of the cpe identifier
continue
fi

# Now we walk through all the CPEMatch entries and extract the version details for further analysis
for CVE_CPEMATCH in "${CVE_CPEs_vuln_ARR[@]}"; do
# we need to check the version more in details in case we have no version in our cpe identifier
# └─$ jq -r '.configurations[].nodes[].cpeMatch[] | select(.criteria=="cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*") | .versionEndIncluding' external/nvd-json-data-feeds/CVE-2011/CVE-2011-27xx/CVE-2011-2716.json

# print_output "[*] Binary ${BIN_VERSION_} - Found no version identifier in our cpe for ${CVE_VER_SOURCES_FILE} - check for further version details with ${CVE_CPE_vuln}" "no_log"

# extract further version details form the current cpe under test
# Limitation: we currently only respect one version identifier per cpe. If we have something like the following we do not handle all the versions in a correct way:
# └─$ cat external/nvd-json-data-feeds/CVE-2022/CVE-2022-12xx/CVE-2022-1292.json | grep "cpe.*openssl:openssl" -A2
# "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
# "versionStartIncluding": "1.0.2",
# "versionEndExcluding": "1.0.2ze",
# --
# "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
# "versionStartIncluding": "1.1.1",
# "versionEndExcluding": "1.1.1o",
# --
# "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
# "versionStartIncluding": "3.0.0",
# "versionEndExcluding": "3.0.3",

CVE_VER_START_INCL=$(jq -r '.configurations[].nodes[].cpeMatch[] | select(.criteria=="'"${CVE_CPE_vuln}"'") | .versionStartIncluding' "${CVE_VER_SOURCES_FILE}" | grep -v "null" | sort -u | head -1 || true)
CVE_VER_START_EXCL=$(jq -r '.configurations[].nodes[].cpeMatch[] | select(.criteria=="'"${CVE_CPE_vuln}"'") | .versionStartExcluding' "${CVE_VER_SOURCES_FILE}" | grep -v "null" | sort -u | head -1 || true)
CVE_VER_END_INCL=$(jq -r '.configurations[].nodes[].cpeMatch[] | select(.criteria=="'"${CVE_CPE_vuln}"'") | .versionEndIncluding' "${CVE_VER_SOURCES_FILE}" | grep -v "null" | sort -u | head -1 || true)
CVE_VER_END_EXCL=$(jq -r '.configurations[].nodes[].cpeMatch[] | select(.criteria=="'"${CVE_CPE_vuln}"'") | .versionEndExcluding' "${CVE_VER_SOURCES_FILE}" | grep -v "null" | sort -u | head -1 || true)
CVE_VER_START_INCL=$(echo "${CVE_CPEMATCH}" | jq -r '.versionStartIncluding' | grep -v "null" || true)
CVE_VER_START_EXCL=$(echo "${CVE_CPEMATCH}" | jq -r '.versionStartExcluding' | grep -v "null" || true)
CVE_VER_END_INCL=$(echo "${CVE_CPEMATCH}" | jq -r '.versionEndIncluding' | grep -v "null" || true)
CVE_VER_END_EXCL=$(echo "${CVE_CPEMATCH}" | jq -r '.versionEndExcluding' | grep -v "null" || true)

# if we have found some version details we need to further check them now:
if [[ -n "${CVE_VER_START_INCL}" || -n "${CVE_VER_START_EXCL}" || -n "${CVE_VER_END_INCL}" || -n "${CVE_VER_END_EXCL}" ]]; then
# print_output "[*] Binary ${BIN_VERSION_} - CVE_VER_START_INCL / CVE_VER_START_EXCL / CVE_VER_END_INCL / CVE_VER_END_EXCL - ${CVE_VER_START_INCL} / ${CVE_VER_START_EXCL} / ${CVE_VER_END_INCL} / ${CVE_VER_END_EXCL}" "no_log"
# print_output "[*] Binary ${BIN_VERSION_} - CVE ${CVE_ID} - CVE_VER_START_INCL / CVE_VER_START_EXCL / CVE_VER_END_INCL / CVE_VER_END_EXCL - ${CVE_VER_START_INCL} / ${CVE_VER_START_EXCL} / ${CVE_VER_END_INCL} / ${CVE_VER_END_EXCL}" "no_log"

## first check CVE_VER_START_INCL >= VERSION <= CVE_VER_END_INCL
if [[ -n "${CVE_VER_START_INCL}" ]]; then
Expand All @@ -621,10 +611,6 @@ check_cve_sources() {
write_cve_log "${CVE_ID}" "${CVE_V2:-"NA"}" "${CVE_V31:-"NA"}" "${CVE_SUMMARY:-"NA"}" "${LOG_PATH_MODULE}"/"${VERSION_PATH}".txt &
fi
continue
else
# print_output "[+] Vulnerability identified - CVE: ${CVE_ID} - binary ${BIN_VERSION_} - source file ${CVE_VER_SOURCES_FILE} - CVE_VER_START_INCL / CVE_VER_END_INCL: ${ORANGE}NA${GREEN}" "no_log"
write_cve_log "${CVE_ID}" "${CVE_V2:-"NA"}" "${CVE_V31:-"NA"}" "${CVE_SUMMARY:-"NA"}" "${LOG_PATH_MODULE}"/"${VERSION_PATH}".txt &
continue
fi
## first check VERSION < CVE_VER_END_EXCL
if [[ -n "${CVE_VER_END_EXCL}" ]]; then
Expand All @@ -634,8 +620,10 @@ check_cve_sources() {
write_cve_log "${CVE_ID}" "${CVE_V2:-"NA"}" "${CVE_V31:-"NA"}" "${CVE_SUMMARY:-"NA"}" "${LOG_PATH_MODULE}"/"${VERSION_PATH}".txt &
fi
continue
else
# print_output "[+] Vulnerability identified - CVE: ${CVE_ID} - binary ${BIN_VERSION_} - source file ${CVE_VER_SOURCES_FILE} - CVE_VER_START_INCL / CVE_VER_END_EXCL: ${ORANGE}NA${GREEN}" "no_log"
fi

if ! [[ -n "${CVE_VER_END_EXCL}" && -n "${CVE_VER_START_INCL}" ]]; then
# print_output "[+] Vulnerability identified - CVE: ${CVE_ID} - binary ${BIN_VERSION_} - source file ${CVE_VER_SOURCES_FILE} - CVE_VER_START_INCL / CVE_VER_END_EXCL: ${ORANGE}NA${GREEN} / CVE_VER_END_INCL: ${ORANGE}NA${GREEN}" "no_log"
write_cve_log "${CVE_ID}" "${CVE_V2:-"NA"}" "${CVE_V31:-"NA"}" "${CVE_SUMMARY:-"NA"}" "${LOG_PATH_MODULE}"/"${VERSION_PATH}".txt &
continue
fi
Expand All @@ -658,10 +646,6 @@ check_cve_sources() {
write_cve_log "${CVE_ID}" "${CVE_V2:-"NA"}" "${CVE_V31:-"NA"}" "${CVE_SUMMARY:-"NA"}" "${LOG_PATH_MODULE}"/"${VERSION_PATH}".txt &
fi
continue
else
# print_output "[+] Vulnerability identified - CVE: ${CVE_ID} - binary ${BIN_VERSION_} - source file ${CVE_VER_SOURCES_FILE} - CVE_VER_START_EXCL / CVE_VER_END_INCL: ${ORANGE}NA${GREEN}" "no_log"
write_cve_log "${CVE_ID}" "${CVE_V2:-"NA"}" "${CVE_V31:-"NA"}" "${CVE_SUMMARY:-"NA"}" "${LOG_PATH_MODULE}"/"${VERSION_PATH}".txt &
continue
fi
if [[ -n "${CVE_VER_END_EXCL}" ]]; then
# if [[ "$(version_extended "${BIN_VERSION_ONLY}")" -lt "$(version_extended "${CVE_VER_END_EXCL}")" ]]; then
Expand All @@ -670,8 +654,9 @@ check_cve_sources() {
write_cve_log "${CVE_ID}" "${CVE_V2:-"NA"}" "${CVE_V31:-"NA"}" "${CVE_SUMMARY:-"NA"}" "${LOG_PATH_MODULE}"/"${VERSION_PATH}".txt &
fi
continue
else
# print_output "[+] Vulnerability identified - CVE: ${CVE_ID} - binary ${BIN_VERSION_} - source file ${CVE_VER_SOURCES_FILE} - CVE_VER_START_EXCL / CVE_VER_END_EXCL: ${ORANGE}NA${GREEN}" "no_log"
fi
if ! [[ -n "${CVE_VER_END_EXCL}" && -n "${CVE_VER_END_INCL}" ]]; then
# print_output "[+] Vulnerability identified - CVE: ${CVE_ID} - binary ${BIN_VERSION_} - source file ${CVE_VER_SOURCES_FILE} - CVE_VER_START_EXCL / CVE_VER_END_INCL: ${ORANGE}NA${GREEN} / CVE_VER_END_EXCL: ${ORANGE}NA${GREEN}" "no_log"
write_cve_log "${CVE_ID}" "${CVE_V2:-"NA"}" "${CVE_V31:-"NA"}" "${CVE_SUMMARY:-"NA"}" "${LOG_PATH_MODULE}"/"${VERSION_PATH}".txt &
continue
fi
Expand All @@ -694,10 +679,6 @@ check_cve_sources() {
write_cve_log "${CVE_ID}" "${CVE_V2:-"NA"}" "${CVE_V31:-"NA"}" "${CVE_SUMMARY:-"NA"}" "${LOG_PATH_MODULE}"/"${VERSION_PATH}".txt &
fi
continue
else
# print_output "[+] Vulnerability identified - CVE: ${CVE_ID} - binary ${BIN_VERSION_} - source file ${CVE_VER_SOURCES_FILE} - CVE_VER_START_INCL: ${ORANGE}NA${GREEN} / CVE_VER_END_INCL" "no_log"
write_cve_log "${CVE_ID}" "${CVE_V2:-"NA"}" "${CVE_V31:-"NA"}" "${CVE_SUMMARY:-"NA"}" "${LOG_PATH_MODULE}"/"${VERSION_PATH}".txt &
continue
fi
if [[ -n "${CVE_VER_START_EXCL}" ]]; then
# if [[ "$(version "${BIN_VERSION_ONLY}")" -gt "$(version "${CVE_VER_START_EXCL}")" ]]; then
Expand All @@ -706,8 +687,10 @@ check_cve_sources() {
write_cve_log "${CVE_ID}" "${CVE_V2:-"NA"}" "${CVE_V31:-"NA"}" "${CVE_SUMMARY:-"NA"}" "${LOG_PATH_MODULE}"/"${VERSION_PATH}".txt &
fi
continue
else
# print_output "[+] Vulnerability identified - CVE: ${CVE_ID} - binary ${BIN_VERSION_} - source file ${CVE_VER_SOURCES_FILE} - CVE_VER_START_EXCL: ${ORANGE}NA${GREEN} / CVE_VER_END_INCL" "no_log"
fi

if ! [[ -n "${CVE_VER_START_EXCL}" && "${CVE_VER_START_INCL}" ]]; then
# print_output "[+] Vulnerability identified - CVE: ${CVE_ID} - binary ${BIN_VERSION_} - source file ${CVE_VER_SOURCES_FILE} - CVE_VER_START_INCL: ${ORANGE}NA${GREEN} / CVE_VER_START_EXCL: ${ORANGE}NA${GREEN} / CVE_VER_END_INCL" "no_log"
write_cve_log "${CVE_ID}" "${CVE_V2:-"NA"}" "${CVE_V31:-"NA"}" "${CVE_SUMMARY:-"NA"}" "${LOG_PATH_MODULE}"/"${VERSION_PATH}".txt &
continue
fi
Expand All @@ -730,10 +713,6 @@ check_cve_sources() {
write_cve_log "${CVE_ID}" "${CVE_V2:-"NA"}" "${CVE_V31:-"NA"}" "${CVE_SUMMARY:-"NA"}" "${LOG_PATH_MODULE}"/"${VERSION_PATH}".txt &
continue
fi
else
# print_output "[+] Vulnerability identified - CVE: ${CVE_ID} - binary ${BIN_VERSION_} - source file ${CVE_VER_SOURCES_FILE} - CVE_VER_END_EXCL / CVE_VER_START_EXCL: ${ORANGE}NA${GREEN}" "no_log"
write_cve_log "${CVE_ID}" "${CVE_V2:-"NA"}" "${CVE_V31:-"NA"}" "${CVE_SUMMARY:-"NA"}" "${LOG_PATH_MODULE}"/"${VERSION_PATH}".txt &
continue
fi
if [[ -n "${CVE_VER_START_INCL}" ]]; then
# if [[ "$(version "${BIN_VERSION_ONLY}")" -ge "$(version "${CVE_VER_START_INCL}")" ]]; then
Expand All @@ -742,8 +721,9 @@ check_cve_sources() {
write_cve_log "${CVE_ID}" "${CVE_V2:-"NA"}" "${CVE_V31:-"NA"}" "${CVE_SUMMARY:-"NA"}" "${LOG_PATH_MODULE}"/"${VERSION_PATH}".txt &
continue
fi
else
# print_output "[+] Vulnerability identified - CVE: ${CVE_ID} - binary ${BIN_VERSION_} - source file ${CVE_VER_SOURCES_FILE} - CVE_VER_END_EXCL / CVE_VER_START_INCL: ${ORANGE}NA${GREEN}" "no_log"
fi
if ! [[ -n "${CVE_VER_START_INCL}" && -n "${CVE_VER_START_EXCL}" ]]; then
# print_output "[+] Vulnerability identified - CVE: ${CVE_ID} - binary ${BIN_VERSION_} - source file ${CVE_VER_SOURCES_FILE} - CVE_VER_END_EXCL / CVE_VER_START_EXCL: ${ORANGE}NA${GREEN} / CVE_VER_START_INCL: ${ORANGE}NA${GREEN}" "no_log"
write_cve_log "${CVE_ID}" "${CVE_V2:-"NA"}" "${CVE_V31:-"NA"}" "${CVE_SUMMARY:-"NA"}" "${LOG_PATH_MODULE}"/"${VERSION_PATH}".txt &
continue
fi
Expand Down