Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(server): add filter cves #1707

Merged
merged 1 commit into from
Sep 22, 2023
Merged

Conversation

MaineK00n
Copy link
Collaborator

What did you implement:

Fixes #1704

Type of change

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

before

$ vuls server -cvss-over=7.0
[Jul 19 20:19:08]  INFO [localhost] vuls-v0.23.3-build-20230719_201853_f9276a7
[Jul 19 20:19:08]  INFO [localhost] Validating config...
[Jul 19 20:19:08]  INFO [localhost] cveDict.type=sqlite3, cveDict.url=, cveDict.SQLite3Path=/usr/share/vuls-data/cve.sqlite3
[Jul 19 20:19:08]  INFO [localhost] ovalDict.type=sqlite3, ovalDict.url=, ovalDict.SQLite3Path=/usr/share/vuls-data/oval.sqlite3
[Jul 19 20:19:08]  INFO [localhost] gost.type=sqlite3, gost.url=, gost.SQLite3Path=/usr/share/vuls-data/gost.sqlite3
[Jul 19 20:19:08]  INFO [localhost] exploit.type=sqlite3, exploit.url=, exploit.SQLite3Path=/usr/share/vuls-data/go-exploitdb.sqlite3
[Jul 19 20:19:08]  INFO [localhost] metasploit.type=sqlite3, metasploit.url=, metasploit.SQLite3Path=/usr/share/vuls-data/go-msfdb.sqlite3
[Jul 19 20:19:08]  INFO [localhost] kevuln.type=sqlite3, kevuln.url=, kevuln.SQLite3Path=/usr/share/vuls-data/go-kev.sqlite3
[Jul 19 20:19:08]  INFO [localhost] cti.type=sqlite3, cti.url=, cti.SQLite3Path=/usr/share/vuls-data/go-cti.sqlite3
[Jul 19 20:19:08]  INFO [localhost] Listening on localhost:5515
[Jul 19 20:19:12]  INFO [localhost] Skip OVAL and Scan with gost alone.
[Jul 19 20:19:12]  INFO [localhost] VMUbuntu20: 0 CVEs are detected with OVAL
[Jul 19 20:19:12]  INFO [localhost] VMUbuntu20: 26 CVEs are detected with gost
[Jul 19 20:19:12]  INFO [localhost] Fill CVE detailed with gost
[Jul 19 20:19:12]  INFO [localhost] Fill CVE detailed with CVE-DB
[Jul 19 20:19:13]  INFO [localhost] VMUbuntu20: 0 PoC detected
[Jul 19 20:19:13]  INFO [localhost] VMUbuntu20: 0 exploits are detected
[Jul 19 20:19:13]  INFO [localhost] VMUbuntu20: Known Exploited Vulnerabilities are detected for 0 CVEs
[Jul 19 20:19:14]  INFO [localhost] VMUbuntu20: Cyber Threat Intelligences are detected for 9 CVEs

$ curl -s -H 'Content-type: text/plain' -H 'X-Vuls-OS-Family: ubuntu' -H 'X-Vuls-OS-Release: 20.04' -H 'X-Vuls-Kernel-Release: 5.4.0-100-generic' -H 'X-Vuls-Server-Name: VMUbuntu20' --data "curl,ii ,7.68.0-1ubuntu2.4,,7.68.0-1ubuntu2.4" http://localhost:5515/vuls | jq '.[0].scannedCves."CVE-2021-22876"'
{
  "cveID": "CVE-2021-22876",
  "confidences": [
    {
      "score": 100,
      "detectionMethod": "UbuntuAPIMatch"
    }
  ],
  "affectedPackages": [
    {
      "name": "curl",
      "fixedIn": "7.68.0-1ubuntu2.5"
    }
  ],
  ...

after

$ vuls server -cvss-over=7.0
[Jul 19 20:16:46]  INFO [localhost] vuls-v0.23.3-build-20230719_201608_a9984f5
[Jul 19 20:16:46]  INFO [localhost] Validating config...
[Jul 19 20:16:46]  INFO [localhost] cveDict.type=sqlite3, cveDict.url=, cveDict.SQLite3Path=/usr/share/vuls-data/cve.sqlite3
[Jul 19 20:16:46]  INFO [localhost] ovalDict.type=sqlite3, ovalDict.url=, ovalDict.SQLite3Path=/usr/share/vuls-data/oval.sqlite3
[Jul 19 20:16:46]  INFO [localhost] gost.type=sqlite3, gost.url=, gost.SQLite3Path=/usr/share/vuls-data/gost.sqlite3
[Jul 19 20:16:46]  INFO [localhost] exploit.type=sqlite3, exploit.url=, exploit.SQLite3Path=/usr/share/vuls-data/go-exploitdb.sqlite3
[Jul 19 20:16:46]  INFO [localhost] metasploit.type=sqlite3, metasploit.url=, metasploit.SQLite3Path=/usr/share/vuls-data/go-msfdb.sqlite3
[Jul 19 20:16:46]  INFO [localhost] kevuln.type=sqlite3, kevuln.url=, kevuln.SQLite3Path=/usr/share/vuls-data/go-kev.sqlite3
[Jul 19 20:16:46]  INFO [localhost] cti.type=sqlite3, cti.url=, cti.SQLite3Path=/usr/share/vuls-data/go-cti.sqlite3
[Jul 19 20:16:46]  INFO [localhost] Listening on localhost:5515
[Jul 19 20:17:11]  INFO [localhost] Skip OVAL and Scan with gost alone.
[Jul 19 20:17:11]  INFO [localhost] VMUbuntu20: 0 CVEs are detected with OVAL
[Jul 19 20:17:11]  INFO [localhost] VMUbuntu20: 26 CVEs are detected with gost
[Jul 19 20:17:11]  INFO [localhost] Fill CVE detailed with gost
[Jul 19 20:17:11]  INFO [localhost] Fill CVE detailed with CVE-DB
[Jul 19 20:17:11]  INFO [localhost] VMUbuntu20: 0 PoC detected
[Jul 19 20:17:11]  INFO [localhost] VMUbuntu20: 0 exploits are detected
[Jul 19 20:17:11]  INFO [localhost] VMUbuntu20: Known Exploited Vulnerabilities are detected for 0 CVEs
[Jul 19 20:17:12]  INFO [localhost] VMUbuntu20: Cyber Threat Intelligences are detected for 9 CVEs
[Jul 19 20:17:12]  INFO [localhost] VMUbuntu20: total 26 CVEs detected
[Jul 19 20:17:12]  INFO [localhost] VMUbuntu20: 21 CVEs filtered by --cvss-over=7
[Jul 19 20:17:12]  INFO [localhost] VMUbuntu20: 0 CVEs filtered by --confidence-over=80

$ curl -s -H 'Content-type: text/plain' -H 'X-Vuls-OS-Family: ubuntu' -H 'X-Vuls-OS-Release: 20.04' -H 'X-Vuls-Kernel-Release: 5.4.0-100-generic' -H 'X-Vuls-Server-Name: VMUbuntu20' --data "curl,ii ,7.68.0-1ubuntu2.4,,7.68.0-1ubuntu2.4" http://localhost:5515/vuls | jq '.[0].scannedCves."CVE-2021-22876"'

Checklist:

You don't have to satisfy all of the following.

  • Write tests
  • Write documentation
  • Check that there aren't other open pull requests for the same issue/feature
  • Format your source code by make fmt
  • Pass the test by make test
  • Provide verification config / commands
  • Enable "Allow edits from maintainers" for this PR
  • Update the messages below

Is this ready for review?: YES

Reference

@MaineK00n MaineK00n self-assigned this Jul 19, 2023
@MaineK00n
Copy link
Collaborator Author

@Viengogo

CVE-2021-22876

  • NVD cvss3Score=5.3
  • Ubuntu cvss3Score=0

When filtering, Ubuntu asks for the score from severity, and in this case, the score is actually 6.9 for medium.
Therefore, please note that -cvss-over=6.0 will not filter.

vuls/models/vulninfos.go

Lines 559 to 575 in f9276a7

for _, ctype := range []CveContentType{Debian, DebianSecurityTracker, Ubuntu, UbuntuAPI, Amazon, Trivy, GitHub, WpScan} {
if conts, found := v.CveContents[ctype]; found {
for _, cont := range conts {
if cont.Cvss3Severity != "" {
values = append(values, CveContentCvss{
Type: ctype,
Value: Cvss{
Type: CVSS3,
Score: severityToCvssScoreRoughly(cont.Cvss3Severity),
CalculatedBySeverity: true,
Severity: strings.ToUpper(cont.Cvss3Severity),
},
})
}
}
}
}

vuls/models/vulninfos.go

Lines 767 to 779 in f9276a7

func severityToCvssScoreRoughly(severity string) float64 {
switch strings.ToUpper(severity) {
case "CRITICAL":
return 10.0
case "IMPORTANT", "HIGH":
return 8.9
case "MODERATE", "MEDIUM":
return 6.9
case "LOW", "NEGLIGIBLE":
return 3.9
}
return 0
}

@kotakanbe kotakanbe merged commit 70fd968 into master Sep 22, 2023
@kotakanbe kotakanbe deleted the MaineK00n/server-filter-cves branch September 22, 2023 08:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

vuls scan -cvss-over does not work
2 participants