
fix(scanner/dpkg): fix false-negative in Debian and Ubuntu #1646

Merged
merged 3 commits into from Apr 20, 2023

Conversation

MaineK00n
Collaborator

@MaineK00n MaineK00n commented Apr 18, 2023

What did you implement:

fix #1643

In Debian and Ubuntu, it is detected by the Source Package.
However, there was a bug in Scanner, which was left over from when it used to detect a mixture of binary and source packages, such as not registering the source package when the binary package and source package had the same name.

In this PR, the binary package and source package information obtained from Scanner is imported directly into Vuls.
Also, fix the dpkg-query so that the source package name is set in the dpkg result.
And a bug in the Debian Kernel Package that had escaped detection of fixed vulnerabilities has been fixed.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

root@2b0d0de79489:/# cat /etc/os-release 
NAME="Ubuntu"
VERSION="18.04.6 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.6 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
root@2b0d0de79489:/# dpkg --version
Debian 'dpkg' package management program version 1.19.0.5 (amd64).
This is free software; see the GNU General Public License version 2 or
later for copying conditions. There is NO warranty.
root@2b0d0de79489:/# dpkg-query -W -f="\${binary:Package},\${db:Status-Abbrev},\${Version},\${Source},\${source:Version}\n" bash            
bash,ii ,4.4.18-2ubuntu1.2,,4.4.18-2ubuntu1.2
root@2b0d0de79489:/# dpkg-query -W -f="\${binary:Package},\${db:Status-Abbrev},\${Version},\${source:Package},\${source:Version}\n" bash
bash,ii ,4.4.18-2ubuntu1.2,bash,4.4.18-2ubuntu1.2

before

$ vuls scan
$ cat results/2023-04-18T11-48-40+0900/docker.json | jq .packages.bash
{
  "name": "bash",
  "version": "4.4.18-2ubuntu1.2",
  "release": "",
  "newVersion": "",
  "newRelease": "",
  "arch": "",
  "repository": ""
}
$ cat results/2023-04-18T11-48-40+0900/docker.json | jq .SrcPackages.bash
$ vuls report
...
docker (ubuntu18.04)
====================
Total: 19 (Critical:1 High:10 Medium:6 Low:2 ?:0)
0/19 Fixed, 6 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
218 installed

Warning: Some warnings occurred.
[Standard OS support is EOL(End-of-Life). Purchase extended support if available or Upgrading your OS is strongly recommended. Extended support available until 2028-04-01. Check the vendor site.]


+----------------+------+--------+-----+-----------+---------+--------------------------------+
|     CVE-ID     | CVSS | ATTACK | POC |   ALERT   |  FIXED  |            PACKAGES            |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2016-1585  |  9.8 |  AV:N  |     |           | unfixed | libapparmor1                   |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2019-17594 |  8.8 |  AV:L  | POC |           | unfixed | libncurses5, libncursesw5,     |
|                |      |        |     |           |         | libtinfo5, ncurses-base,       |
|                |      |        |     |           |         | ncurses-bin, ncurses-term      |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2021-39537 |  8.8 |  AV:N  | POC |           | unfixed | libncurses5, libncursesw5,     |
|                |      |        |     |           |         | libtinfo5, ncurses-base,       |
|                |      |        |     |           |         | ncurses-bin, ncurses-term      |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2009-5155  |  7.5 |  AV:N  | POC |           | unfixed | libc-bin, libc6,               |
|                |      |        |     |           |         | multiarch-support              |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2016-20013 |  7.5 |  AV:N  | POC |           | unfixed | libc-bin, libc6,               |
|                |      |        |     |           |         | multiarch-support              |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2017-11164 |  7.5 |  AV:N  |     |           | unfixed | libpcre3                       |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2019-9511  |  7.5 |  AV:N  |     |           | unfixed | libnghttp2-14                  |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2019-9513  |  7.5 |  AV:N  |     |           | unfixed | libnghttp2-14                  |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2021-36222 |  7.5 |  AV:N  |     |           | unfixed | krb5-locales,                  |
|                |      |        |     |           |         | libgssapi-krb5-2,              |
|                |      |        |     |           |         | libk5crypto3, libkrb5-3,       |
|                |      |        |     |           |         | libkrb5support0                |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2022-29458 |  7.1 |  AV:N  | POC |           | unfixed | libncurses5, libncursesw5,     |
|                |      |        |     |           |         | libtinfo5, ncurses-base,       |
|                |      |        |     |           |         | ncurses-bin, ncurses-term      |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2021-41617 |  7.0 |  AV:L  |     |           | unfixed | openssh-client,                |
|                |      |        |     |           |         | openssh-server,                |
|                |      |        |     |           |         | openssh-sftp-server            |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2020-13844 |  6.9 |  AV:L  |     |           | unfixed | gcc-8-base, libgcc1,           |
|                |      |        |     |           |         | libstdc++6                     |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2021-37750 |  6.9 |  AV:N  |     |           | unfixed | krb5-locales,                  |
|                |      |        |     |           |         | libgssapi-krb5-2,              |
|                |      |        |     |           |         | libk5crypto3, libkrb5-3,       |
|                |      |        |     |           |         | libkrb5support0                |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2019-17595 |  6.5 |  AV:N  | POC |           | unfixed | libncurses5, libncursesw5,     |
|                |      |        |     |           |         | libtinfo5, ncurses-base,       |
|                |      |        |     |           |         | ncurses-bin, ncurses-term      |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2015-8985  |  5.9 |  AV:N  |     |           | unfixed | libc-bin, libc6,               |
|                |      |        |     |           |         | multiarch-support              |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2020-14145 |  5.9 |  AV:N  |     |           | unfixed | openssh-client,                |
|                |      |        |     |           |         | openssh-server,                |
|                |      |        |     |           |         | openssh-sftp-server            |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2013-4235  |  4.7 |  AV:L  |     |           | unfixed | login, passwd                  |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2009-5080  |  3.9 |  AV:L  |     |           | unfixed | groff-base                     |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2022-3219  |  3.9 |        |     |           | unfixed | gpgv                           |
+----------------+------+--------+-----+-----------+---------+--------------------------------+

after

$ vuls scan
$ cat results/2023-04-18T11-19-45+0900/docker.json | jq .packages.bash
{
  "name": "bash",
  "version": "4.4.18-2ubuntu1.2",
  "release": "",
  "newVersion": "",
  "newRelease": "",
  "arch": "",
  "repository": ""
}
$ cat results/2023-04-18T11-19-45+0900/docker.json | jq .SrcPackages.bash
{
  "name": "bash",
  "version": "4.4.18-2ubuntu1.2",
  "arch": "",
  "binaryNames": [
    "bash"
  ]
}
$ vuls report
...
docker (ubuntu18.04)
====================
Total: 24 (Critical:2 High:10 Medium:9 Low:3 ?:0)
1/24 Fixed, 7 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
218 installed

Warning: Some warnings occurred.
[Standard OS support is EOL(End-of-Life). Purchase extended support if available or Upgrading your OS is strongly recommended. Extended support available until 2028-04-01. Check the vendor site.]


+----------------+------+--------+-----+-----------+---------+--------------------------------+
|     CVE-ID     | CVSS | ATTACK | POC |   ALERT   |  FIXED  |            PACKAGES            |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2016-1585  |  9.8 |  AV:N  |     |           | unfixed | libapparmor1                   |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2019-18276 |  9.8 |  AV:L  | POC |           |   fixed | bash                           |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2019-17594 |  8.8 |  AV:L  | POC |           | unfixed | libncurses5, libncursesw5,     |
|                |      |        |     |           |         | libtinfo5, ncurses-base,       |
|                |      |        |     |           |         | ncurses-bin, ncurses-term      |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2021-39537 |  8.8 |  AV:N  | POC |           | unfixed | libncurses5, libncursesw5,     |
|                |      |        |     |           |         | libtinfo5, ncurses-base,       |
|                |      |        |     |           |         | ncurses-bin, ncurses-term      |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2009-5155  |  7.5 |  AV:N  | POC |           | unfixed | libc-bin, libc6,               |
|                |      |        |     |           |         | multiarch-support              |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2016-20013 |  7.5 |  AV:N  | POC |           | unfixed | libc-bin, libc6,               |
|                |      |        |     |           |         | multiarch-support              |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2017-11164 |  7.5 |  AV:N  |     |           | unfixed | libpcre3                       |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2019-9511  |  7.5 |  AV:N  |     |           | unfixed | libnghttp2-14                  |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2019-9513  |  7.5 |  AV:N  |     |           | unfixed | libnghttp2-14                  |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2021-36222 |  7.5 |  AV:N  |     |           | unfixed | krb5-locales,                  |
|                |      |        |     |           |         | libgssapi-krb5-2,              |
|                |      |        |     |           |         | libk5crypto3, libkrb5-3,       |
|                |      |        |     |           |         | libkrb5support0                |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2022-29458 |  7.1 |  AV:N  | POC |           | unfixed | libncurses5, libncursesw5,     |
|                |      |        |     |           |         | libtinfo5, ncurses-base,       |
|                |      |        |     |           |         | ncurses-bin, ncurses-term      |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2021-41617 |  7.0 |  AV:L  |     |           | unfixed | openssh-client,                |
|                |      |        |     |           |         | openssh-server,                |
|                |      |        |     |           |         | openssh-sftp-server            |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2020-13844 |  6.9 |  AV:L  |     |           | unfixed | gcc-8-base, libgcc1,           |
|                |      |        |     |           |         | libstdc++6                     |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2021-31879 |  6.9 |  AV:N  |     |           | unfixed | wget                           |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2021-37750 |  6.9 |  AV:N  |     |           | unfixed | krb5-locales,                  |
|                |      |        |     |           |         | libgssapi-krb5-2,              |
|                |      |        |     |           |         | libk5crypto3, libkrb5-3,       |
|                |      |        |     |           |         | libkrb5support0                |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2022-3821  |  6.9 |        |     |           | unfixed | libnss-systemd,                |
|                |      |        |     |           |         | libpam-systemd, libsystemd0,   |
|                |      |        |     |           |         | libudev1, systemd,             |
|                |      |        |     |           |         | systemd-sysv                   |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2016-2781  |  6.5 |  AV:L  |     |           | unfixed | coreutils                      |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2019-17595 |  6.5 |  AV:N  | POC |           | unfixed | libncurses5, libncursesw5,     |
|                |      |        |     |           |         | libtinfo5, ncurses-base,       |
|                |      |        |     |           |         | ncurses-bin, ncurses-term      |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2015-8985  |  5.9 |  AV:N  |     |           | unfixed | libc-bin, libc6,               |
|                |      |        |     |           |         | multiarch-support              |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2020-14145 |  5.9 |  AV:N  |     |           | unfixed | openssh-client,                |
|                |      |        |     |           |         | openssh-server,                |
|                |      |        |     |           |         | openssh-sftp-server            |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2013-4235  |  4.7 |  AV:L  |     |           | unfixed | login, passwd                  |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2009-5080  |  3.9 |  AV:L  |     |           | unfixed | groff-base                     |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2021-28861 |  3.9 |        |     |           | unfixed | libpython3.6-minimal,          |
|                |      |        |     |           |         | libpython3.6-stdlib,           |
|                |      |        |     |           |         | python3.6, python3.6-minimal   |
+----------------+------+--------+-----+-----------+---------+--------------------------------+
| CVE-2022-3219  |  3.9 |        |     |           | unfixed | gpgv                           |
+----------------+------+--------+-----+-----------+---------+--------------------------------+

Checklist:

You don't have to satisfy all of the following.

  • Write tests
  • Write documentation
  • Check that there aren't other open pull requests for the same issue/feature
  • Format your source code by make fmt
  • Pass the test by make test
  • Provide verification config / commands
  • Enable "Allow edits from maintainers" for this PR
  • Update the messages below

Is this ready for review?: YES

Reference
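The `dpkg-query` comparison above is the core of the fix: `${Source}` is empty whenever the source package has the same name as the binary package, so a scanner keyed on that field silently drops the source package and every CVE matched by source name becomes a false negative, while `${source:Package}` always carries the name. The parser below is an added example (not Vuls' own code) of consuming the corrected format: it keeps one record per installed binary package, strips the `:arch` qualifier that `${binary:Package}` appends for multi-arch packages, and registers a source package for every line, including the `bash`/`bash` case. The `ncurses` and `old-removed` sample lines and their versions are constructed for illustration; only the `bash` line is taken from the PR output.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// BinaryPackage holds what a scanner keeps per installed binary package.
type BinaryPackage struct {
	Name    string
	Version string
	Arch    string
}

// SrcPackage holds the source package and the binaries built from it.
type SrcPackage struct {
	Name        string
	Version     string
	BinaryNames []string
}

// SampleDpkgOutput is constructed sample input in the corrected format:
//   dpkg-query -W -f='${binary:Package},${db:Status-Abbrev},${Version},${source:Package},${source:Version}\n'
// The bash line matches the PR; the other lines are made up for this example.
const SampleDpkgOutput = `bash,ii ,4.4.18-2ubuntu1.2,bash,4.4.18-2ubuntu1.2
libncurses5:amd64,ii ,6.1-1ubuntu1.18.04,ncurses,6.1-1ubuntu1.18.04
libtinfo5:amd64,ii ,6.1-1ubuntu1.18.04,ncurses,6.1-1ubuntu1.18.04
ncurses-bin,ii ,6.1-1ubuntu1.18.04,ncurses,6.1-1ubuntu1.18.04
old-removed,rc ,1.0-1,old-removed,1.0-1
`

// ParseDpkgQuery parses the five-field output above into binary packages and
// source packages, both keyed by name. Lines whose status abbreviation is not
// "ii" (installed) are skipped, e.g. "rc" (removed, config files remain).
func ParseDpkgQuery(out string) (map[string]BinaryPackage, map[string]SrcPackage, error) {
	bins := map[string]BinaryPackage{}
	srcs := map[string]SrcPackage{}

	for _, line := range strings.Split(out, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		fields := strings.Split(line, ",")
		if len(fields) != 5 {
			return nil, nil, fmt.Errorf("unexpected dpkg-query line: %q", line)
		}
		// ${db:Status-Abbrev} is three characters: desired, status, error flag.
		if !strings.HasPrefix(fields[1], "ii") {
			continue
		}

		// ${binary:Package} may be "name:arch" for multi-arch packages.
		name, arch := fields[0], ""
		if i := strings.Index(name, ":"); i >= 0 {
			name, arch = name[:i], name[i+1:]
		}
		bins[name] = BinaryPackage{Name: name, Version: fields[2], Arch: arch}

		// ${source:Package} is set even when it equals the binary name, unlike
		// ${Source}. Falling back to the binary name is a defensive default
		// assumed here for builds where the field could still be empty.
		srcName := fields[3]
		if srcName == "" {
			srcName = name
		}
		src := srcs[srcName]
		src.Name, src.Version = srcName, fields[4]
		src.BinaryNames = append(src.BinaryNames, name)
		sort.Strings(src.BinaryNames) // deterministic output for comparison
		srcs[srcName] = src
	}
	return bins, srcs, nil
}

func main() {
	bins, srcs, err := ParseDpkgQuery(SampleDpkgOutput)
	if err != nil {
		panic(err)
	}
	fmt.Println("binary packages:", len(bins))
	for _, s := range srcs {
		fmt.Printf("src %s %s -> %v\n", s.Name, s.Version, s.BinaryNames)
	}
}
```

With the old `${Source}` field the `bash` line would have carried an empty fourth column, and a parser that only registered a source package when that column was non-empty would have produced exactly the empty `SrcPackages.bash` shown in the "before" run; the `${source:Package}` field makes the bash source package appear with `binaryNames: ["bash"]`, as in the "after" run.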

@MaineK00n MaineK00n self-assigned this Apr 18, 2023
@MaineK00n MaineK00n marked this pull request as ready for review April 19, 2023 03:42
@MaineK00n MaineK00n marked this pull request as draft April 19, 2023 03:46
@MaineK00n MaineK00n marked this pull request as ready for review April 19, 2023 04:01

@kotakanbe kotakanbe left a comment


LGTM

@kotakanbe kotakanbe changed the title fix(scanner/dpkg): fix dpkg-query and not remove src pkgs fix(scanner/dpkg): fix dpkg-query and not remove src pkgs Fix detection in Debian and Ubuntu by using Source Package and improve dpkg-query results handling Apr 20, 2023
@kotakanbe kotakanbe changed the title fix(scanner/dpkg): fix dpkg-query and not remove src pkgs Fix detection in Debian and Ubuntu by using Source Package and improve dpkg-query results handling fix(scanner/dpkg): Apr 20, 2023
@kotakanbe kotakanbe changed the title fix(scanner/dpkg): fix(scanner/dpkg): Fix false-negative in Debian and Ubuntu Apr 20, 2023
@MaineK00n MaineK00n changed the title fix(scanner/dpkg): Fix false-negative in Debian and Ubuntu fix(scanner/dpkg): fix false-negative in Debian and Ubuntu Apr 20, 2023
@kotakanbe kotakanbe merged commit d4d33fc into master Apr 20, 2023
4 checks passed
@kotakanbe kotakanbe deleted the MaineK00n/dpkg-srcpkg branch April 20, 2023 02:42
@MaineK00n MaineK00n mentioned this pull request Apr 20, 2023
Successfully merging this pull request may close these issues.

False Positive in Packages in ubuntu after moving to gost instead of oval