fleetdm · juan-fdz-hawa · Jun 23, 2022 · Jun 8, 2022 · Jun 8, 2022 · Jun 8, 2022
diff --git a/changes/feature-6096-rhel-oval b/changes/feature-6096-rhel-oval
@@ -0,0 +1 @@
+- Use OVAL definitions to scan RHEL based hosts for vulnerable software
@@ -2,7 +2,6 @@ package main
 
 import (
 	"compress/gzip"
-	"database/sql"
 	"flag"
 	"fmt"
 	"io"
@@ -13,7 +12,6 @@ import (
 
 	"github.com/facebookincubator/nvdtools/cpedict"
 	"github.com/fleetdm/fleet/v4/server/vulnerabilities"
-	"github.com/fleetdm/fleet/v4/server/vulnerabilities/vuln_centos"
 )
 
 func panicif(err error) {
@@ -23,24 +21,14 @@ func panicif(err error) {
 }
 
 func main() {
-	var (
-		runCentOS bool
-		verbose   bool
-	)
-	flag.BoolVar(&runCentOS, "centos", true, "Sets whether to run the CentOS sqlite generation")
+	var verbose bool
 	flag.BoolVar(&verbose, "verbose", false, "Sets verbose mode")
 	flag.Parse()
 
 	dbPath := cpe()
 
 	fmt.Printf("Sqlite file %s size: %.2f MB\n", dbPath, getSizeMB(dbPath))
 
-	// The CentOS repository data is added to the CPE database.
-	if runCentOS {
-		centos(dbPath, verbose)
-		fmt.Printf("Sqlite file %s size with CentOS data: %.2f MB\n", dbPath, getSizeMB(dbPath))
-	}
-
 	fmt.Println("Compressing DB...")
 	compressedPath, err := compress(dbPath)
 	panicif(err)
@@ -113,21 +101,6 @@ func compress(path string) (string, error) {
 	return compressedPath, nil
 }
 
-func centos(dbPath string, verbose bool) {
-	fmt.Println("Starting CentOS sqlite generation...")
-
-	db, err := sql.Open("sqlite3", dbPath)
-	panicif(err)
-	defer db.Close()
-
-	pkgs, err := vuln_centos.ParseCentOSRepository(vuln_centos.WithVerbose(verbose))
-	panicif(err)
-
-	fmt.Printf("Storing CVE info for %d CentOS packages...\n", len(pkgs))
-	err = vuln_centos.GenCentOSSqlite(db, pkgs)
-	panicif(err)
-}
-
 func getSanitizedEtag(resp *http.Response) string {
 	etag := resp.Header.Get("Etag")
 	etag = strings.TrimPrefix(strings.TrimSuffix(etag, `"`), `"`)

@@ -277,15 +277,6 @@ func cronVulnerabilities(
 			errHandler(ctx, logger, "calculating hosts count per software", err)
 		}
 
-		// It's important vulnerabilities.PostProcess runs after ds.SyncHostsSoftware
-		// because it cleans up any software that's not installed on the fleet (e.g. hosts removal,
-		// or software being uninstalled on hosts).
-		if !vulnDisabled {
-			if err := vulnerabilities.PostProcess(ctx, ds, vulnPath, logger, config); err != nil {
-				errHandler(ctx, logger, "post processing CVEs", err)
-			}
-		}
-
 		level.Debug(logger).Log("loop", "done")
 	}
 }

@@ -2,17 +2,20 @@ package main
 
 import (
 	"bytes"
+	"compress/bzip2"
 	"crypto/tls"
 	"embed"
 	"encoding/json"
 	"errors"
 	"flag"
 	"fmt"
+	"io"
 	"io/ioutil"
 	"log"
 	"math/rand"
 	"net/http"
 	"os"
+	"path/filepath"
 	"strings"
 	"sync"
 	"text/template"
@@ -412,16 +415,55 @@ func (a *agent) HostUsersMacOS() []fleet.HostUser {
 	return users
 }
 
+func extract(src, dst string) {
+	srcF, err := os.Open(src)
+	if err != nil {
+		panic(err)
+	}
+	defer srcF.Close()
+
+	dstF, err := os.Create(dst)
+	if err != nil {
+		panic(err)
+	}
+	defer dstF.Close()
+
+	r := bzip2.NewReader(srcF)
+	// ignoring "G110: Potential DoS vulnerability via decompression bomb", as this is test code.
+	_, err = io.Copy(dstF, r) //nolint:gosec
+	if err != nil {
+		panic(err)
+	}
+}
+
 func loadUbuntuSoftware(ver string) []fleet.Software {
-	var r []fleet.Software
+	srcPath := filepath.Join(
+		"..",
+		"..",
+		"server",
+		"vulnerabilities",
+		"testdata",
+		"ubuntu",
+		"software",
+		fmt.Sprintf("ubuntu_%s-software.json.bz2", ver),
+	)
+
+	tmpDir, err := ioutil.TempDir("", "osquery-perf")
+	if err != nil {
+		panic(err)
+	}
+	defer os.RemoveAll(tmpDir)
+	dstPath := filepath.Join(tmpDir, fmt.Sprintf("%s-software.json", ver))
+
+	extract(srcPath, dstPath)
 
 	type softwareJSON struct {
 		Name    string `json:"name"`
 		Version string `json:"version"`
 	}
 
 	var software []softwareJSON
-	contents, err := ioutil.ReadFile(fmt.Sprintf("ubuntu_%s-vulnerable_software.json", ver))
+	contents, err := ioutil.ReadFile(dstPath)
 	if err != nil {
 		log.Printf("reading vuln software for ubuntu %s: %s\n", ver, err)
 		return nil
@@ -433,6 +475,7 @@ func loadUbuntuSoftware(ver string) []fleet.Software {
 		return nil
 	}
 
+	var r []fleet.Software
 	for _, fi := range software {
 		r = append(r, fleet.Software{
 			Name:    fi.Name,
@@ -742,6 +785,7 @@ func main() {
 		"mac10.14.6.tmpl",
 
 		// Uncomment this to add ubuntu hosts with vulnerable software
+		// "partial_ubuntu.tmpl",
 		// "ubuntu_16.04.tmpl",
 		// "ubuntu_18.04.tmpl",
 		// "ubuntu_20.04.tmpl",
@@ -773,6 +817,9 @@ func main() {
 
 	for i := 0; i < *hostCount; i++ {
 		tmpl := tmpls[i%len(tmpls)]
+		if strings.HasPrefix(tmpl.Name(), "partial") {
+			continue
+		}
 		a := newAgent(i+1, *serverURL, *enrollSecret, tmpl, *configInterval, *queryInterval,
 			softwareEntityCount{
 				entityCount: entityCount{
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		- Use OVAL definitions to scan RHEL based hosts for vulnerable software