Using vendor to filter candidates for the NVD feed #23124
Conversation
Update: Considering that the QA test for vulnerability detector downloads the current published candidates' DB, and this PR modifies the creation of that DB, the test will fail until the PR is merged and the feed is recreated. It was confirmed locally that the tests pass using the candidates generated by this branch.
7833516 to a52f6fa
Using vendor in lower case as default
a52f6fa to d5f6bfc
Changes LGTM!
All problems that arise during this development are already triaged or solved
Description
This PR includes the `vendor` information inside the candidates' database only for the NVD vendor and uses it to filter the candidates during the scan. If the vendor field isn't available for the package, the scan is aborted because there isn't enough information to confirm if that's the right package and we could generate false positives.
Manual tests
The development branch was compiled and the following agents were connected:
Also, the candidates' database must be generated again because now the NVD will contain vendor data.
The log of the vulnerability scan for all the packages was analyzed
ossec.log.final.zip
Here we have some examples of the consequences of this change:
`brew` packages in the macOS agent for example. That information isn't available and all the packages installed this way will require a translation. This might be fixed in another issue.
Tests
Notes
During these tests, some issues were found and they should be solved in other developments:
- `putty`. This CVE for example shows different vendors for the same package: https://nvd.nist.gov/vuln/detail/CVE-2013-4207 (simon_tatham/putty). We should add a second translation or sanitize the CVE. https://github.com/wazuh/intelligence-data/issues/203
- `python`. This CVE for example shows different vendors for the same package: https://nvd.nist.gov/vuln/detail/CVE-2007-1657 (python/python_software_foundation). We should add a second translation or sanitize the CVE. https://github.com/wazuh/intelligence-data/issues/204
- `7-Zip`. This CVE for example shows different vendors for the same package: https://nvd.nist.gov/vuln/detail/CVE-2005-3051 (7-zip/igor_pavlov). We should add a second translation or sanitize the CVE. https://github.com/wazuh/intelligence-data/issues/205
- `foxit`. This CVE for example shows different vendors for the same package: https://nvd.nist.gov/vuln/detail/CVE-2021-38564 (foxit/foxitsoftware). We should add a second translation or sanitize the CVE. https://github.com/wazuh/intelligence-data/issues/206
- skype technologies/microsoft/skype) https://github.com/wazuh/intelligence-data/issues/207
- `oracle` doesn't match `sun` (https://nvd.nist.gov/vuln/detail/CVE-2001-1008). https://github.com/wazuh/intelligence-data/issues/208
- `Microsoft Corporation` but the CPE uses `microsoft` (https://nvd.nist.gov/vuln/detail/CVE-2022-30168) because they don't have a vendor translation. https://github.com/wazuh/intelligence-data/issues/209
- `windows` platform that doesn't match any specific Windows version (https://nvd.nist.gov/vuln/detail/CVE-2012-4142). The refactored vulnerability scanner should consider the generic CPEs for "running on" configurations from NVD #23149
- `DOWNLOAD_CONTENT`, the snapshot of the content will be downloaded and processed, but we'll never decompress the expected initial content so we'll see this message every time the manager starts: `WARNING: Missing database compressed file. Check DOWNLOAD_CONTENT option`. Installing the Wazuh manager by sources without the pre-generated content shows a WARNING message in every start if vulnerability detector is enabled #23150
- `vendor` field might cause troubles. Update: the changes were uploaded and the PR will be merged with this check failing
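The filtering rule the description lays out, as an added example rather than Wazuh's own code: the candidates database, the vendor translation table and the inventory records are constructed for illustration, and `CVE-0000-0001` and `example-pkg` are placeholders. It also shows the two edge cases from the notes, a package with no vendor (scan aborted) and a vendor with no translation (no match).

```python
"""Vendor-aware filtering of NVD candidates, modelled on the PR description.

Added example, not Wazuh code: CANDIDATES, VENDOR_TRANSLATION and the
inventory in __main__ are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

# Constructed candidates DB: package -> [(cpe_vendor, cve_id)]. As in the
# NVD feed, the same package may appear under more than one vendor.
CANDIDATES: Dict[str, List[Tuple[str, str]]] = {
    "putty": [("simon_tatham", "CVE-2013-4207"), ("putty", "CVE-2013-4207")],
    "python": [("python", "CVE-2007-1657"),
               ("python_software_foundation", "CVE-2007-1657")],
    "example-pkg": [("microsoft", "CVE-0000-0001")],  # placeholder package/CVE
}

# Constructed translation table: inventory vendor string -> CPE vendor.
# Only one translation per vendor, which is the gap the notes point at.
VENDOR_TRANSLATION: Dict[str, str] = {
    "Microsoft Corporation": "microsoft",
    "Simon Tatham": "simon_tatham",
}


def normalize_vendor(raw: str) -> str:
    """Translate an inventory vendor to its CPE form; lower case is the default."""
    return VENDOR_TRANSLATION.get(raw, raw.lower())


def filter_candidates(package: str, vendor: Optional[str]) -> Optional[List[str]]:
    """Return the CVE ids whose candidate vendor matches the package's vendor.

    Returns None when the package carries no vendor: the scan for it is
    aborted, since a name-only match cannot confirm the package identity
    and would risk false positives.
    """
    if not vendor:
        return None
    cpe_vendor = normalize_vendor(vendor)
    return sorted({cve for v, cve in CANDIDATES.get(package, []) if v == cpe_vendor})


if __name__ == "__main__":
    inventory = [("putty", "Simon Tatham"), ("putty", "PuTTY"),
                 ("python", "Python Software Foundation"), ("python", None)]
    for pkg, vnd in inventory:
        result = filter_candidates(pkg, vnd)
        print(f"{pkg:8} vendor={vnd!r:32} -> "
              f"{'aborted (no vendor)' if result is None else result}")
```

The `python` row matches nothing because "Python Software Foundation" has no translation to `python_software_foundation`, which is exactly the second-translation case the notes ask to fix.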