
Handle Generic CPEs for "Running On" Configurations #23549

Closed

Conversation

GabrielEValenzuela (Member)

Related issue
#23149

Objective

This PR aims to enhance the vulnerability scanner by incorporating logic to accurately handle generic Windows CPEs, especially in "running on" configurations as specified by the NVD. The objective is to improve the scanner's ability to assess vulnerabilities more precisely in environments where specific version details are not available but a generic classification is.

Changes Implemented

  • Enhanced Logic in oscpe-global:
    • Added logic to handle the template of oscpe-global.json to facilitate reverse mapping from platform to vendor using feed-global.json.
  • Updates to osDataCache.hpp:
    • Integrated support for new generic CPEs in the cache system to enhance matching capabilities.
  • New Functionality in scanContext.hpp:
    • Implemented buildCPENameForGenericOrRunning to construct CPE names based on information received from syscollector messages.
  • Improvements in packageScanner.hpp:
    • Enhanced log messages for better clarity and troubleshooting.
    • Added logic to handle comparisons involving generic CPEs, improving the accuracy of vulnerability assessments.

Implementation Details

  • Modified JSON parsing logic and data structures to support the inclusion of new generic CPEs.
  • Updated schema definitions in oscpe-global.json to align with the enhanced functionality.
  • Conducted extensive unit and integration testing to ensure accurate CPE generation and comparison under various scenarios.

Testing

  • Implemented automated tests to verify the correct functioning of the new logic across different modules (osDataCache.hpp, scanContext.hpp, and packageScanner.hpp).
  • Performed regression testing to ensure that existing functionalities are not adversely affected by the new updates.
  • Conducted manual testing with simulated syscollector messages to validate the effectiveness of CPE name construction.

Additional Information

  • Documentation has been updated to reflect the new capabilities and guide users on how to leverage the enhanced features effectively.
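The matching problem this PR addresses, as an added, self-contained illustration (not Wazuh's code): an NVD "running on" configuration is an AND node whose platform child is a generic OS CPE (product `windows`, version `-`), while the agent reports a concrete product such as `windows_10` with a build number. The `GENERIC_PLATFORM` reverse mapping, the `example_vendor`/`example_app` CPEs and the treatment of `-` as accepting any reported version are assumptions of this example, not the project's data or rules.

```python
"""Evaluate an NVD 'running on/with' configuration against a host inventory.

Constructed demonstration, not Wazuh code. NVD expresses 'running on' as an
AND node whose platform child is a generic OS CPE (e.g. product 'windows',
version '-'), while an agent reports a concrete OS such as windows_10."""
from typing import Dict, List

# Assumed reverse mapping from a reported OS product to its generic NVD platform.
GENERIC_PLATFORM = {"windows_10": "windows", "windows_11": "windows",
                    "windows_server_2019": "windows"}
KEYS = ["part", "vendor", "product", "version", "update", "edition",
        "language", "sw_edition", "target_sw", "target_hw", "other"]

def parse_cpe(cpe: str) -> Dict[str, str]:
    """Split an (unescaped) CPE 2.3 formatted string into named components."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return dict(zip(KEYS, fields[2:]))

def cpe_matches(criterion: str, actual: str) -> bool:
    """'*' (ANY) and '-' (NA) in the criterion accept any reported value;
    a concrete OS product also satisfies its generic platform family."""
    c, a = parse_cpe(criterion), parse_cpe(actual)
    if c["product"] != a["product"] and GENERIC_PLATFORM.get(a["product"]) != c["product"]:
        return False
    return all(c[k] in ("*", "-") or c[k] == a[k] for k in KEYS if k != "product")

def node_matches(node: dict, inventory: List[str]) -> bool:
    """Recursively evaluate an NVD configuration node (AND/OR tree)."""
    if "children" in node:
        results = [node_matches(child, inventory) for child in node["children"]]
    else:
        results = [any(cpe_matches(m["criteria"], item) for item in inventory)
                   for m in node["cpe_match"]]
    return all(results) if node["operator"] == "AND" else any(results)

# Constructed sample in the NVD API 2.0 configuration shape (placeholder vendor/app).
RUNNING_ON_CONFIG = {"operator": "AND", "children": [
    {"operator": "OR", "cpe_match": [{"vulnerable": True,
        "criteria": "cpe:2.3:a:example_vendor:example_app:2.4.1:*:*:*:*:*:*:*"}]},
    {"operator": "OR", "cpe_match": [{"vulnerable": False,
        "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*"}]}]}

def host_is_affected(os_cpe: str, package_cpes: List[str], config: dict = RUNNING_ON_CONFIG) -> bool:
    """True only when the vulnerable app is installed AND the OS satisfies the platform child."""
    return node_matches(config, [os_cpe] + package_cpes)
```

Without the family mapping, a `windows_10` host would never satisfy the `windows:-` platform child and the affected package would be a false negative, which is the scenario the efficacy test below exercises.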

@GabrielEValenzuela GabrielEValenzuela marked this pull request as ready for review May 23, 2024 18:45

@sebasfalcone sebasfalcone left a comment


I will take from here @GabrielEValenzuela

@sebasfalcone sebasfalcone changed the base branch from 4.8.0 to 4.9.0 May 27, 2024 18:29
@sebasfalcone (Member)

Update

  • The target branch changed from 4.8.0 to 4.9.0
  • Still waiting for 4.8.0 to be merged into 4.9.0

@sebasfalcone sebasfalcone changed the base branch from 4.9.0 to master June 1, 2024 16:57

@sebasfalcone sebasfalcone left a comment


Good work @GabrielEValenzuela!

Please add an efficacy test for this scenario

@GabrielEValenzuela (Member, Author)

Update

With local changes, test 🟢

❯ python -m pytest  -xvv -k "run_process_and_monitor_log14"  wazuh_modules/vulnerability_scanner/qa
==================================================================================== test session starts =====================================================================================
platform linux -- Python 3.11.9, pytest-7.2.2, pluggy-1.5.0 -- /home/gvalenzuela/Documents/Work/wazuh/src/virtual_env/bin/python
cachedir: .pytest_cache
rootdir: /home/gvalenzuela/Documents/Work/wazuh/src
collected 19 items / 18 deselected / 1 selected

wazuh_modules/vulnerability_scanner/qa/test_efficacy_log.py::test_false_negatives[run_process_and_monitor_log14] PASSED                                                                [100%]

============================================================================== 1 passed, 18 deselected in 2.14s ==============================================================================


@sebasfalcone sebasfalcone left a comment


Simple, yet effective!

Just one thing, add the documentation for the test 20 (here is a template)

@GabrielEValenzuela (Member, Author)

Test case II

  • After adding the content manually in the code, we run the QA tests again
❯ python -m pytest --log-cli-level=DEBUG --capture=tee-sys -xvv  wazuh_modules/vulnerability_scanner/qa/
==================================================================================== test session starts =====================================================================================
platform linux -- Python 3.11.9, pytest-7.2.2, pluggy-1.5.0 -- /home/gvalenzuela/Documents/Work/wazuh/src/virtual_env/bin/python
cachedir: .pytest_cache
rootdir: /home/gvalenzuela/Documents/Work/wazuh/src
collected 23 items
[...]
=============================================================================== 23 passed in 240.81s (0:04:00) ===============================================================================

sebasfalcone previously approved these changes Jun 12, 2024

@sebasfalcone sebasfalcone left a comment


Good work @GabrielEValenzuela!

  • Tests 🟢
  • Code 🟢

GabrielEValenzuela and others added 10 commits June 13, 2024 15:12
- Implement logic according to design proposal.
- Fix UTs. Modify logic. Fix review comments.
This reverts commit e97180a.
- Modify logic. Fix review comments.
- Fix UTs.
- Improved access to map, to prevent segfault
- Add efficacy test.
- Fixed QA test
- Rename folder.
- Fix log.
@GabrielEValenzuela GabrielEValenzuela force-pushed the enhancement/23149_considerer_generic_cpe branch from ffdb715 to 1fc163e Compare June 13, 2024 18:43

@sebasfalcone sebasfalcone left a comment


Missing efficacy test for the case proposed on the issues:

- Undo rename.
- Add missing tests.
@sebasfalcone sebasfalcone changed the title Handle Generic Windows CPE for "Running On" Configurations Handle Generic CPEs for "Running On" Configurations Jun 13, 2024
Successfully merging this pull request may close these issues.

The refactored vulnerability scanner should consider the generic CPEs for "running on" configurations from NVD