Using vendor to filter candidates for the NVD feed #23124
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
UpdateConsidering that the QA test for vulnerability detector downloads the current published candidates' DB, and this PR modifies the creation of that DB, the test will fail until the PR is merged and the feed is recreated. It was confirmed locally that the tests pass using the candidates generated by this branch Details
|
pereyra-m
force-pushed
the
enhancement/23078-vendor-field-when-using-nvd
branch
from
7833516
to
a52f6fa
Compare
Using vendor in lower case as default
pereyra-m
force-pushed
the
enhancement/23078-vendor-field-when-using-nvd
branch
from
a52f6fa
to
d5f6bfc
Compare
sebasfalcone
approved these changes
Apr 29, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR includes the
vendorinformation inside the candidates' database only for the NVD vendor and uses it to filter the candidates during the scan. If the vendor field isn't available for the package, the scan is aborted because there isn't enough information to confirm if that's the right package and we could generate false positives.Manual tests
The development branch was compiled and the following agents were connected:
Also, the candidates' database must be generated again because now the NVD will contain vendor data.
The log of the vulnerability scan for all the packages was analyzed
ossec.log.final.zip
Here we have some examples of the consequences of this change:
brewpackages in the macOS agent for example. That information isn't available and all the packages installed this way will require a translation. This might be fixed in another issue.Details
Details
Details
Tests
Notes
During these tests, some issues were found and they should be solved in other developments:
putty. This CVE for example shows different vendors for the same package: https://nvd.nist.gov/vuln/detail/CVE-2013-4207 (simon_tatham/putty). We should add a second translation or sanitize the CVE. https://github.com/wazuh/intelligence-data/issues/203python. This CVE for example shows different vendors for the same package: https://nvd.nist.gov/vuln/detail/CVE-2007-1657 (python/python_software_foundation). We should add a second translation or sanitize the CVE. https://github.com/wazuh/intelligence-data/issues/2047-Zip. This CVE for example shows different vendors for the same package: https://nvd.nist.gov/vuln/detail/CVE-2005-3051 (7-zip/igor_pavlov). We should add a second translation or sanitize the CVE. https://github.com/wazuh/intelligence-data/issues/205foxit. This CVE for example shows different vendors for the same package: https://nvd.nist.gov/vuln/detail/CVE-2021-38564 (foxit/foxitsoftware). We should add a second translation or sanitize the CVE. https://github.com/wazuh/intelligence-data/issues/206skype technologies/microsoft/skype) https://github.com/wazuh/intelligence-data/issues/207oracledoesn't matchsun(https://nvd.nist.gov/vuln/detail/CVE-2001-1008). https://github.com/wazuh/intelligence-data/issues/208Microsoft Corporationbut the the CPE usesmicrosoft(https://nvd.nist.gov/vuln/detail/CVE-2022-30168) because they don't have a vendor translation. https://github.com/wazuh/intelligence-data/issues/209windowsplatform that doesn't match any specific Windows version (https://nvd.nist.gov/vuln/detail/CVE-2012-4142) The refactored vulnerability scanner should consider the generic CPEs for "running on" configurations from NVD #23149DOWNLOAD_CONTENT, the snapshot of the content will be downloaded and processed, but we'll never decompress the expected initial content so we'll see this message every time the manager starts:WARNING: Missing database compressed file. Check DOWNLOAD_CONTENT optionInstalling the Wazuh manager by sources without the pre-generated content shows a WARNING message in every start if vulnerability detector is enabled #23150vendorfield might cause troubles. update: the changes were uploaded and the PR will be merged with this check failing