cve_scan_v2 returns empty set with Salt 2017.7.1 #228

Closed
dgmorrisjr opened this issue Oct 18, 2017 · 3 comments

@dgmorrisjr

Environment:

  • RHEL 6.9
  • Salt 2017.7.1
  • Python 2.7.13
  • hubble-salt v2017.9.0

Our environment is disconnected from the internet, so we must use cve_scan_v2 with downloaded json from vulners.com.

After a fresh basic install of RHEL 6.9, Salt 2017.7.1, and updating a basic install of Python 2.7.13, when trying to run a cve scan (using a configuration that worked successfully under Salt 2016), we received an empty result set:

salt \manager hubble.audit cve
manager:
    ----------
    Failure:
    Success:

After researching and working with Colton, we were able to resolve the issues.

Issue #1: the python requests package needed to be updated. When running with the -l debug arg, I found the issue below.

[DEBUG   ] Failed to import nova /cve_scan_v2.py:
Traceback (most recent call last):
  File "/var/cache/salt/minion/extmods/modules/nova_loader.py", line 1930, in _load_module
    ), fn_, fpath, desc)
  File "/var/cache/salt/minion/files/base/hubble/nova_modules/cve_scan_v2.py", line 79, in <module>
    import requests
  File "/usr/lib/python2.7/site-packages/requests/__init__.py", line 58, in <module>
    from . import utils
  File "/usr/lib/python2.7/site-packages/requests/utils.py", line 25, in <module>
    from . import certs

Issue 1 Resolution: I updated requests package to requests-2.18.4 and the above issue went away.

Issue #2: Even though the above issue was resolved, I was still getting an empty result set. Running salt-minion in the foreground and with the -l debug flag, I was seeing the following error when cve_scan_v2 was trying to compare rpm versions:

[WARNING ] rpmdevtools is not installed, please install it for more accurate version comparisons
[DEBUG   ] rpm module imported, but it does not have the labelCompare function. Not using rpm.labelCompare for version comparison.

Issue #2 resolution: I then installed rpmdevtools and its dependencies (elfutils, elfutils-libelf, fakeroot, fakeroot-libs, gdb, patch, redhat-rpm-config, rpm, rpm-build, rpm-libs, rpm-python). After installing these rpms, cve_scan_v2 was still returning an empty result set. So finally I restarted the salt-minion, after which cve_scan_v2 provided failure results as expected.

Summary:

  1. Had to update to the latest version of requests
  2. Had to install rpmdevtools and dependencies
  3. Restarted salt-minion
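The debug message in issue #2 says the rpm bindings lacked labelCompare, so the scanner could not order installed and fixed versions and silently reported nothing. The following is an added example, not code from the issue or from hubble: a pure-Python port of rpm's rpmvercmp/labelCompare ordering (epoch, version, release) that a scanner can fall back to, plus a check that reports whether the host's rpm module actually has labelCompare. Function and variable names are my own.

```python
import re

_SEP, _NUM, _ALPHA = re.compile(r'^[^A-Za-z0-9~]+'), re.compile(r'^[0-9]+'), re.compile(r'^[A-Za-z]+')


def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): 1 if a is newer than b, -1 if older, 0 if equal."""
    if a == b:
        return 0
    while a or b:
        a, b = _SEP.sub('', a), _SEP.sub('', b)
        # '~' sorts before anything, including end of string (1.0~rc1 < 1.0)
        if a.startswith('~') or b.startswith('~'):
            if not (a.startswith('~') and b.startswith('~')):
                return -1 if a.startswith('~') else 1
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        pat = _NUM if a[0].isdigit() else _ALPHA
        seg_a, m = pat.match(a).group(0), pat.match(b)
        if m is None:  # mixed types: a numeric segment always beats an alpha one
            return 1 if pat is _NUM else -1
        seg_b = m.group(0)
        a, b = a[len(seg_a):], b[len(seg_b):]
        if pat is _NUM:
            seg_a, seg_b = seg_a.lstrip('0'), seg_b.lstrip('0')
            if len(seg_a) != len(seg_b):  # more digits means a bigger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    # whichever side still has characters left wins; both empty means equal
    return (a > b) - (a < b)


def label_compare(evr_a, evr_b):
    """Compare (epoch, version, release) triples like rpm.labelCompare(); None epoch counts as 0."""
    (ea, va, ra), (eb, vb, rb) = evr_a, evr_b
    ea, eb = int(ea or 0), int(eb or 0)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va or '', vb or '') or rpmvercmp(ra or '', rb or '')


def compare_backend():
    """'rpm.labelCompare' if the host's rpm bindings are complete, else 'rpmvercmp-fallback'
    (the latter is the situation the debug message in the issue describes)."""
    try:
        import rpm
    except ImportError:
        return 'rpmvercmp-fallback'
    return 'rpm.labelCompare' if hasattr(rpm, 'labelCompare') else 'rpmvercmp-fallback'
```

A package is affected when label_compare(installed_evr, fixed_evr) is negative; running compare_backend() on a minion before a scan shows whether the rpm-python bindings are the ones actually being used.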

@basepi
Collaborator

basepi commented Oct 23, 2018

cve_scan_v2 has been deprecated (due to security and performance issues) and you should now use vulners_scanner.py.

@basepi basepi closed this as completed Oct 23, 2018
@AfterSpencer

Is there documentation on vulners_scanner.py usage?

@basepi
Collaborator

basepi commented Nov 13, 2018

Yep! I haven't pulled it into the ReadTheDocs docs, but usage is documented in the module docstring: https://github.com/hubblestack/hubble/blob/develop/hubblestack/files/hubblestack_nova/vulners_scanner.py
