
feat(detector): add ignoreFixStates, gost strict mode #1653

Closed
wants to merge 2 commits into from

Conversation

MaineK00n
Collaborator

@MaineK00n MaineK00n commented Apr 21, 2023

What did you implement:

Currently, unfixed vulnerabilities are detected by gost, and FixState that detects them as unfixed vulnerabilities is under review.
For example, Red Hat's Out of support scope says that they should be assumed to be affected, and they are usually detected.

Out of support scope: When a product is listed as "Out of Support Scope", it means a vulnerability with the impact level assigned to this CVE is no longer covered by its current support lifecycle phase. The product has been identified to contain the impacted component, but analysis to determine whether it is affected or not by this vulnerability was not performed. The product should be assumed to be affected. Customers are advised to apply any mitigation options documented on this page, consider removing or disabling the impacted component, or upgrade to a supported version of the product that has an update available.

However, when out of support scope is allowed, the number of detected vulnerabilities becomes huge.
For this reason, Gost DB can be configured to use strict mode, which detects only vulnerabilities with a confirmed impact status.

[gost]
type = "sqlite3"
sqlite3Path = "/path/to/gost.sqlite3"
strict = true

Also, introduce ignoreFixStates, which filters by FixState to prevent important vulnerabilities from being buried in vulnerabilities with a FixState of "Will not fix" that have an impact but the vendor does not intend to fix.

Will not fix: this package is affected by this flaw on this platform, but there is currently no intention to fix it (this would primarily be for flaws that are of Low or Moderate impact that pose no significant risk to customers)

[servers.host]
host = "127.0.0.1"
port = "22"
user = "root"
keyPath = "/path/to/id_rsa"
scanMode           = ["fast"]
scanModules        = ["ospkg"]
ignoreFixStates = ["ignored"]

Type of change

  • New feature (non-breaking change which adds functionality)
  • This change requires a documentation update

How Has This Been Tested?

v0.23.1

$ vuls report --refresh-cve
[Apr 25 06:26:44]  INFO [localhost] vuls-0.23.1-b91a7b75e299ba44280fb8aa3902046426af9a6f-2023-04-24T03:46:29Z
...
[Apr 25 06:26:44]  INFO [localhost] localhost: 0 CVEs are detected with OVAL
[Apr 25 06:26:48]  INFO [localhost] localhost: 456 CVEs are detected with gost
[Apr 25 06:26:48]  INFO [localhost] localhost: 0 CVEs are detected with CPE
[Apr 25 06:26:48]  INFO [localhost] localhost: 3 PoC are detected
[Apr 25 06:26:48]  INFO [localhost] localhost: 1 exploits are detected
[Apr 25 06:26:48]  INFO [localhost] localhost: Known Exploited Vulnerabilities are detected for 2 CVEs
[Apr 25 06:26:53]  INFO [localhost] localhost: Cyber Threat Intelligences are detected for 140 CVEs
[Apr 25 06:26:53]  INFO [localhost] localhost: total 456 CVEs detected
[Apr 25 06:26:53]  INFO [localhost] localhost: 0 CVEs filtered by --confidence-over=80
localhost (ubuntu22.04)
=======================
Total: 456 (Critical:20 High:117 Medium:251 Low:68 ?:0)
47/456 Fixed, 119 poc, 1 exploits, cisa: 2, uscert: 0, jpcert: 0 alerts
2705 installed

default

$ vuls report --refresh-cve
[Apr 25 06:19:42]  INFO [localhost] vuls-v0.23.1-build-20230425_061852_c9203bd
...
[Apr 25 06:19:42]  INFO [localhost] localhost: 0 CVEs are detected with OVAL
[Apr 25 06:19:46]  INFO [localhost] localhost: 477 CVEs are detected with gost
[Apr 25 06:19:46]  INFO [localhost] localhost: 0 CVEs are detected with CPE
[Apr 25 06:19:47]  INFO [localhost] localhost: 3 PoC are detected
[Apr 25 06:19:47]  INFO [localhost] localhost: 1 exploits are detected
[Apr 25 06:19:47]  INFO [localhost] localhost: Known Exploited Vulnerabilities are detected for 2 CVEs
[Apr 25 06:19:52]  INFO [localhost] localhost: Cyber Threat Intelligences are detected for 145 CVEs
[Apr 25 06:19:52]  INFO [localhost] localhost: total 477 CVEs detected
[Apr 25 06:19:52]  INFO [localhost] localhost: 0 CVEs filtered by --confidence-over=80
localhost (ubuntu22.04)
=======================
Total: 477 (Critical:21 High:122 Medium:264 Low:70 ?:0)
47/477 Fixed, 124 poc, 1 exploits, cisa: 2, uscert: 0, jpcert: 0 alerts
2705 installed

ignoreFixStates = ["ignored"]

$ vuls report --refresh-cve
[Apr 25 06:24:14]  INFO [localhost] vuls-v0.23.1-build-20230425_061852_c9203bd
...
[Apr 25 06:24:14]  INFO [localhost] localhost: 0 CVEs are detected with OVAL
[Apr 25 06:24:18]  INFO [localhost] localhost: 477 CVEs are detected with gost
[Apr 25 06:24:18]  INFO [localhost] localhost: 0 CVEs are detected with CPE
[Apr 25 06:24:18]  INFO [localhost] localhost: 3 PoC are detected
[Apr 25 06:24:18]  INFO [localhost] localhost: 1 exploits are detected
[Apr 25 06:24:18]  INFO [localhost] localhost: Known Exploited Vulnerabilities are detected for 2 CVEs
[Apr 25 06:24:23]  INFO [localhost] localhost: Cyber Threat Intelligences are detected for 145 CVEs
[Apr 25 06:24:23]  INFO [localhost] localhost: total 477 CVEs detected
[Apr 25 06:24:23]  INFO [localhost] localhost: 0 CVEs filtered by --confidence-over=80
[Apr 25 06:24:23]  INFO [localhost] localhost: 21 CVEs filtered by ignoreFixStates=[ignored]
localhost (ubuntu22.04)
=======================
Total: 456 (Critical:20 High:117 Medium:251 Low:68 ?:0)
47/456 Fixed, 119 poc, 1 exploits, cisa: 2, uscert: 0, jpcert: 0 alerts
2705 installed

gost strict mode = true

$ vuls report --refresh-cve
[Apr 25 06:25:07]  INFO [localhost] vuls-v0.23.1-build-20230425_061852_c9203bd
...
[Apr 25 06:25:07]  INFO [localhost] localhost: 0 CVEs are detected with OVAL
[Apr 25 06:25:11]  INFO [localhost] localhost: 456 CVEs are detected with gost
[Apr 25 06:25:11]  INFO [localhost] localhost: 0 CVEs are detected with CPE
[Apr 25 06:25:12]  INFO [localhost] localhost: 3 PoC are detected
[Apr 25 06:25:12]  INFO [localhost] localhost: 1 exploits are detected
[Apr 25 06:25:12]  INFO [localhost] localhost: Known Exploited Vulnerabilities are detected for 2 CVEs
[Apr 25 06:25:16]  INFO [localhost] localhost: Cyber Threat Intelligences are detected for 140 CVEs
[Apr 25 06:25:16]  INFO [localhost] localhost: total 456 CVEs detected
[Apr 25 06:25:16]  INFO [localhost] localhost: 0 CVEs filtered by --confidence-over=80
localhost (ubuntu22.04)
=======================
Total: 456 (Critical:20 High:117 Medium:251 Low:68 ?:0)
47/456 Fixed, 119 poc, 1 exploits, cisa: 2, uscert: 0, jpcert: 0 alerts
2705 installed

Checklist:

You don't have to satisfy all of the following.

  • Write tests
  • Write documentation
  • Check that there aren't other open pull requests for the same issue/feature
  • Format your source code by make fmt
  • Pass the test by make test
  • Provide verification config / commands
  • Enable "Allow edits from maintainers" for this PR
  • Update the messages below

Is this ready for review?: YES

Reference
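The two filters the PR describes, written out as an added example (this is illustrative code, not the Vuls or gost implementation): `ignoreFixStates` drops detections whose FixState is on the ignore list, and strict mode drops detections whose FixState is not a confirmed impact status. The record type, the set of "confirmed" states and the sample detections are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// DetectedCVE is a hypothetical record of one gost detection (assumed field set).
type DetectedCVE struct{ ID, Package, FixState string }
// confirmedStates is the assumed set of FixStates treated as a confirmed impact
// status in strict mode; "Out of support scope" and "Under investigation" are
// left out because the vendor performed no impact analysis for them.
var confirmedStates = map[string]bool{
	"affected": true, "will not fix": true, "fix deferred": true,
	"ignored": true, "needed": true, "pending": true,
}

// FilterByFixState drops detections whose FixState is in ignoreFixStates (case-
// insensitive) and, when strict is set, those without a confirmed impact status.
// The per-reason counts are what a "N CVEs filtered by ..." log line would report.
func FilterByFixState(in []DetectedCVE, ignoreFixStates []string, strict bool) (kept []DetectedCVE, ignored, unconfirmed int) {
	ignore := map[string]bool{}
	for _, s := range ignoreFixStates {
		ignore[strings.ToLower(s)] = true
	}
	for _, c := range in {
		state := strings.ToLower(c.FixState)
		switch {
		case ignore[state]:
			ignored++
		case strict && !confirmedStates[state]:
			unconfirmed++
		default:
			kept = append(kept, c)
		}
	}
	return kept, ignored, unconfirmed
}
// sample is constructed data, not output of a real scan.
var sample = []DetectedCVE{
	{"CVE-0000-0001", "openssl", "Affected"},
	{"CVE-0000-0002", "curl", "Will not fix"},
	{"CVE-0000-0003", "libxml2", "Out of support scope"},
	{"CVE-0000-0004", "bash", "ignored"},
	{"CVE-0000-0005", "sudo", "Under investigation"},
}
func main() {
	kept, ign, unc := FilterByFixState(sample, []string{"ignored"}, true)
	fmt.Printf("kept=%d ignoreFixStates=%d strict=%d\n", len(kept), ign, unc)
}
```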

@MaineK00n MaineK00n self-assigned this Apr 21, 2023
@MaineK00n MaineK00n marked this pull request as ready for review April 21, 2023 21:02
@MaineK00n MaineK00n force-pushed the MaineK00n/redhat-unfixed branch 2 times, most recently from 93a7d48 to bae2f68 April 24, 2023 17:35
@MaineK00n MaineK00n changed the title feat(gost/redhat): add status: "Out of support scope" to detection of unfixed vulnerabilities feat(detector): add ignoreFixStates, gost strict mode Apr 24, 2023
@MaineK00n MaineK00n marked this pull request as draft April 25, 2023 00:19
@MaineK00n MaineK00n closed this May 10, 2024
@MaineK00n MaineK00n deleted the MaineK00n/redhat-unfixed branch June 13, 2024 08:20