VULS in server mode, new issue about OVAL DB docker image which prevents to get json report #851

Open
fredericg78 opened this issue Jun 24, 2019 · 6 comments

@fredericg78

What did you do?

Launched the vuls Docker images for vuls, the CVE DB and the OVAL DB (oval.sqlite3 and cve.sqlite3 exist and have been fetched).
Then requested vuls in server mode with a POST containing a list of packages and versions to get a JSON report about CVEs.

What did you expect to happen?

As before, I expected to get a JSON report, but an error message is displayed instead.

What happened instead?

Error message is:
Failed to fill with OVAL: Failed to fetch OVAL. err: [%!w(*xerrors.errorString) %!w(*xerrors.errorString) %!w(*xerrors.errorString) %!w(*xerrors.errorString) %!w(*xerrors.errorString)]

  • Current Output
    Probably a new issue on the OVAL docker image, its version is:
    goval-dictionary v0.1.2 078b163

Which shows these errors in logs:
{"time":"2019-06-24T16:03:39.592672217Z","level":"ERROR","prefix":"echo","file":"echo.go","line":"294","message":"Not Found"}
{"time":"2019-06-24T16:03:39Z","remote_ip":"172.17.0.1","method":"GET","uri":"/packs/ubuntu/16.04/jasper","status":404, "latency":274,"latency_human":"274.178µs","bytes_in":0,"bytes_out":9}

It is also no longer possible to query the OVAL DB server directly over HTTP.

Configuration:

Latest docker images for vuls, cve, and oval.
vuls: vuls v0.8.0 build-20190618_012226_4cf9a72

[ovalDict]
type = "http"
url = "http://192.168.99.100:1324"

@artdanad

artdanad commented Jul 2, 2019

I have the same problem, I get 404 for all oval requests.

@artdanad

artdanad commented Jul 2, 2019

I tested this problem, and it looks like the root cause is that vuls doesn't provide the arch value that oval expects when running as a server.
Vuls error:

...
url: [redacted]/packs/ubuntu/16.04/curl, resp: &{404 Not Found
... 

If I append arch to the same request, I get a 200 response with JSON data:

curl [redacted]/packs/ubuntu/16.04/curl/x86_64

If we check the routes in the goval-dictionary project, /server/server.go, we can see that the packs route expects arch on line 45:
e.Get("/packs/:family/:release/:pack/:arch", getByPackName())
So please update vuls to also provide the arch param.

@AydenHex

Hi!
I have the same problem. Any news on that, @kotakanbe?

@fredericg78
Author

fredericg78 commented Jul 24, 2019

@artdanad Yes, you are right: the latest OVAL DB server expects an arch parameter at the end of the call URL, and vuls does not send this parameter.
@kotakanbe Could you add a new HTTP header in vuls to pass the arch param value (which should be the same for all detected packages), and add this value at the end of the OVAL DB HTTP call URL? I don't know if this arch param is really used as a filter in the OVAL DB data to get vulnerabilities...

For now, a workaround is to add a /<arch value> to the name of all packages to simulate the arch parameter at the end of the URL, without a vuls code update.
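
The route mismatch diagnosed in the comments above can be checked before a scan is run. The following is an added example, not part of the thread and not code from vuls or goval-dictionary: the function names and the stub server are hypothetical, and only the route shape and the ubuntu/16.04/curl/x86_64 sample come from the thread.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// packURL builds /packs/:family/:release/:pack[/:arch]; an empty arch omits the last segment.
func packURL(base, family, release, pack, arch string) string {
	segs := []string{"packs", url.PathEscape(family), url.PathEscape(release), url.PathEscape(pack)}
	if arch != "" {
		segs = append(segs, url.PathEscape(arch))
	}
	return strings.TrimRight(base, "/") + "/" + strings.Join(segs, "/")
}

// archRequired is true when the pack lookup returns 404 without arch but 200
// with it: a route mismatch, not an absence of OVAL data for the package.
func archRequired(c *http.Client, base, family, release, pack, arch string) (bool, error) {
	var code [2]int
	for i, a := range []string{"", arch} {
		resp, err := c.Get(packURL(base, family, release, pack, a))
		if err != nil {
			return false, err
		}
		resp.Body.Close()
		code[i] = resp.StatusCode
	}
	return code[0] == http.StatusNotFound && code[1] == http.StatusOK, nil
}

// stubOVAL is a constructed stand-in that serves only five-segment paths.
func stubOVAL() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.Count(strings.Trim(r.URL.Path, "/"), "/") != 4 {
			http.NotFound(w, r)
			return
		}
		fmt.Fprint(w, "[]")
	}))
}

func main() {
	srv := stubOVAL()
	defer srv.Close()
	fmt.Println(archRequired(srv.Client(), srv.URL, "ubuntu", "16.04", "curl", "x86_64"))
}
```

Pointing `archRequired` at a real OVAL server URL instead of the stub tells a client/server version mismatch apart from a package that simply has no OVAL entries.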

@fredericg78
Author

The latest versions of the goval and vuls Docker images fix the issue.
goval: goval-dictionary v0.2.1
vuls: vuls v0.8.5 build-20190730_085002_4326bef

@fredericg78
Author

Unfortunately, the latest version of the vuls Docker image has introduced this issue again. It seems the arch parameter is not sent in the oval URL by vuls (oval/util.go).

@fredericg78 fredericg78 reopened this Aug 30, 2019
@kotakanbe kotakanbe added this to To do in v0.9.8 Jun 15, 2020