canonical / sec-cvescan
Analyzes an Ubuntu system and checks for unpatched vulnerabilities.
License: GNU General Public License v3.0
I have a GCP-hosted 16.04 LTS instance where cvescan fails with the following message:
Error: Failed to curl https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xenial.cve.oval.xml.bz2
The root cause is lack of networking accessible to curl:
$ sudo snap run --shell cvescan
root# curl https://8.8.8.8/
curl: (7) Couldn't connect to server
root# curl altern.org
curl: (6) Could not resolve host: altern.org
I'm not sure what is special about this VM; we're hitting a security policy, perhaps?
Some binary packages have different version numbers than the associated source package. Since CVEs in Ubuntu are tracked against source packages, some CVEScan results may be incorrect, as dpkg-query -l does not include the source package version.
Instead of using dpkg -l to query the installed packages on the system, the following command could be used to provide more detail, including the source package versions:
dpkg-query -f '${db:Status-Abbrev},${binary:Package},${Version},${source:Package},${Source:Version}\n' -W
After this change, the UCT JSON data should no longer need to include a list of binaries so that binaries can be mapped to source packages. This should significantly decrease the size of those JSON files, improving download times, JSON deserialization, and overall runtime.
As a user, I'd like to know that my systems are safe from a given CVE in the case where the running kernel version is vulnerable but Livepatch has applied a patch to guard against this CVE.
A customer has suggested to have a database version printed out (possibly in the "Summary" block at the end of a scan).
It appears that this may be possible with what's already being released in the JSON data via the "metadata":"timestamp" value (among the last values).
We just noticed that cvescan reports differently when using the -n switch:
# cvescan -n
✅ Ubuntu vulnerability datbase successfully downloaded!
✅ Scan complete!
WARNING: Affected by 1 CVEs with "high" or higher priority.
CVE-2020-28374
# cvescan -p all
✅ Ubuntu vulnerability datbase successfully downloaded!
✅ Scan complete!
Summary
------------------------------------ -----
Ubuntu Release focal
Installed Packages 1121
CVE Priority All
Unique Packages Fixable by Patching 0
Unique CVEs Fixable by Patching 0
Vulnerabilities Fixable by Patching 0
Fixes Available by `apt-get upgrade` 0
------------------------------------ -----
Why is that? The scan using -n is correct, as the kernel running on this machine is still old and affected. So why doesn't it show up when running cvescan with normal output?
Is it possible to get some compatibility to work in Debian? I would like to produce a .deb to insert in the Debian repositories; for that it would be interesting, and there would be compatibility with cd cve search in Debian too.
I have a system which is currently affected by CVE-2018-3309 and CVE-2019-11707. When I run cvescan I get:
kiko@barbudinho:~$ cvescan -x -v
Running as a snap, changing to '/home/kiko/snap/cvescan/common' directory
Downloaded files, log files and temporary reports will be in '/home/kiko/snap/cvescan/common'
Priority filter is 'high'
Running in experimental mode, using 'alpha' OVAL file from https://people.canonical.com/~ubuntu-security/oval/alpha/alpha.com.ubuntu.bionic.cve.oval.xml.bz2
Removing file: alpha.com.ubuntu.bionic.cve.oval.xml
Removing files: alpha.com.ubuntu.bionic.cve.oval.xml.bz2 report.htm results.xml oval.log manifest debug.log
Downloading https://people.canonical.com/~ubuntu-security/oval/alpha/alpha.com.ubuntu.bionic.cve.oval.xml.bz2
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1359k 100 1359k 0 0 577k 0 0:00:02 0:00:02 --:--:-- 576k
Unzipping alpha.com.ubuntu.bionic.cve.oval.xml.bz2
Running oval scan oscap oval eval --verbose WARNING --verbose-log-file debug.log --results results.xml alpha.com.ubuntu.bionic.cve.oval.xml (output logged to /home/kiko/snap/cvescan/common/oval.log)
Generating html report /home/kiko/snap/cvescan/common/report.htm from results xml /home/kiko/snap/cvescan/common/results.xml (output logged to /home/kiko/snap/cvescan/common/oval.log)
Open /home/kiko/snap/cvescan/common/report.htm in a browser to see complete and unfiltered scan results
Running xsltproc to generate CVE list - fixable/unfixable and filtered by priority
2 vulnerabilities found with priority of high or higher:
CVE-2019-11707
CVE-2018-3309
Running xsltproc to generate CVE list - fixable and filtered by priority
0 CVEs found with priority of high or higher that can be fixed with package updates:
Full HTML report available in /home/kiko/snap/cvescan/common/report.htm
Normal non-verbose output will appear below
kiko@barbudinho:~$
This happens because the default is not to show all CVEs affecting the system, but that default should be inverted, because we need to set the bar high towards improving visibility, as opposed to obscuring the reality of things.
Contrary to issue #8, it has been decided that CVEScan should not show the ESM entitlement status.
Working through the output, I was hoping to bring it into alignment with what the end user needs to do to help mitigate something they find in the cvescan output. There's a disconnect in naming between "UA Apps" and the CLI command 'ua enable esm-apps'.
However, as I started to perform the simple find/replace, I see it gets more interesting, as "UA Apps" goes into the utc.json and the repository section there. I'm not sure where the best place to handle a transition from "back end" to user-facing might be.
Archives are colored green or red based on whether or not they're enabled. Clarify whether or not an archive is disabled by adding "(disabled)" to the text.
Hi,
Firstly, thank you for your work :)
I work on the Canonical Public Cloud team and our partner GKE and their customers are starting to use cvescan to scan for vulnerabilities.
The GKE images we provide to GKE have certain packages installed from a PPA eg. https://launchpad.net/~cloud-images/+archive/ubuntu/docker1903-k8s
This PPA has containerd, runc and docker.io and all are up to date and patched... but when scanning the attached manifest cvescan flags the packages as being vulnerable to CVE-2020-15157
$ cvescan -p all --manifest=ubuntu-gke-onprem-1804-1-18-v20201203.manifest.txt | grep "docker\.io\|containerd"
CVE-2020-15157 medium docker.io 19.03.6-0ubuntu1~18.04.2 Ubuntu Archive
CVE-2020-15257 medium containerd 1.3.3-0ubuntu1~18.04.4 Ubuntu Archive
I can confirm that the versions installed are not vulnerable to CVE-2020-15157.
sudo apt install apt-listchanges
wget https://launchpad.net/~cloud-images/+archive/ubuntu/docker1903-k8s/+files/docker.io_19.03.2-0ubuntu1~18.04.0.2_amd64.deb
wget https://launchpad.net/~cloud-images/+archive/ubuntu/docker1903-k8s/+files/containerd_1.2.10-0ubuntu1~18.04.0.3_amd64.deb
apt-listchanges --verbose --frontend text --all ./docker.io_19.03.2-0ubuntu1~18.04.0.2_amd64.deb > docker.io.changelog
apt-listchanges --verbose --frontend text --all ./containerd_1.2.10-0ubuntu1~18.04.0.3_amd64.deb > containerd.changelog
less docker.io.changelog
less containerd.changelog
In the changelog you can see that patches have been applied for CVE-2020-15157.
Is there any way to add support in cvescan for marking certain package versions from a PPA as no longer vulnerable to a specific CVE, e.g. by appending to the database used when scanning?
The PPAs GKE and their customers use are all public.
I generated a manifest on a Bionic system with dpkg-query -W, copied it to a focal machine, and ran cvescan -p all -m manifest-post.txt. The output is surprising:
$ cvescan -p all -m manifest-post.txt
✅ Ubuntu vulnerability datbase successfully downloaded!
✅ Scan complete!
CVE ID PRIORITY PACKAGE FIXED VERSION REPOSITORY
CVE-2018-1000858 medium gnupg-agent 2.2.4-1ubuntu1.2 Ubuntu Archive
CVE-2019-14855 low gnupg-agent 2.2.4-1ubuntu1.3 Ubuntu Archive
Summary
------------------------------------ ------
Ubuntu Release bionic
Installed Packages 1261
CVE Priority All
Unique Packages Fixable by Patching 1
Unique CVEs Fixable by Patching 2
Vulnerabilities Fixable by Patching 2
Fixes Available by `apt-get upgrade` 2
------------------------------------ ------
gnupg-agent isn't actually installed according to dpkg -l, but it is included in dpkg-query -W output all the same:
$ dpkg -l gnupg-agent | cat
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-================-============-====================================================================
rc gnupg-agent 2.2.4-1ubuntu1.1 all GNU privacy guard - cryptographic agent (dummy transitional package)
$ dpkg-query -W | grep gnupg-agent
gnupg-agent 2.2.4-1ubuntu1.1
Thanks
CVE-2012-2663 is reported by cvescan as needed but the actual status is ignored.
The issue is probably in the JSON generation, but it's not open-sourced as far as I know so I can't verify.
I would be happy to help fixing this.
The --usage message displayed with --help is inconsistently formatted and should be improved.
CVEScan does not check whether or not the -security pocket is enabled and, by default, assumes that any patch available from "Ubuntu Archive" will be installed when apt upgrade is run. CVEScan should check whether or not the -security pocket is enabled and color/mark "Ubuntu Archive" appropriately in the output.
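One way to implement the check described in that issue, as an added example that is not cvescan's own code: parse the one-line apt sources format for an active deb entry naming the <codename>-security suite, and label "Ubuntu Archive" as disabled when none is found. The sources.list contents are constructed samples; the paths in read_system_sources are the conventional ones and are an assumption of this example, and the deb822 .sources format is deliberately not handled.

```python
import glob
import re


def security_pocket_enabled(sources_text: str, codename: str) -> bool:
    """Return True if an active one-line-format 'deb' entry names the
    <codename>-security suite.

    Commented-out lines and deb-src lines do not count, because apt does not
    fetch binary packages from them. The deb822 (.sources) format is not
    parsed here; that is a simplification of this example."""
    wanted = f"{codename}-security"
    for raw in sources_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments
        if not line.startswith("deb "):
            continue  # skip deb-src entries and blank lines
        # Drop an optional options block: deb [arch=amd64 signed-by=...] URI suite comps
        line = re.sub(r"^deb\s+\[[^\]]*\]\s*", "deb ", line)
        fields = line.split()
        if len(fields) >= 3 and fields[2] == wanted:
            return True
    return False


def read_system_sources() -> str:
    """Concatenate the one-line-format apt sources on the local machine
    (assumed paths; not used by the constructed samples below)."""
    paths = ["/etc/apt/sources.list"] + sorted(glob.glob("/etc/apt/sources.list.d/*.list"))
    chunks = []
    for path in paths:
        try:
            with open(path, encoding="utf-8") as fh:
                chunks.append(fh.read())
        except OSError:
            pass  # missing file or unreadable: treat as no entries
    return "\n".join(chunks)


def label_repository(repository: str, codename: str, sources_text: str) -> str:
    """Mark 'Ubuntu Archive' as disabled when the -security pocket is not
    enabled, following the "(disabled)" convention proposed for archive output."""
    if repository == "Ubuntu Archive" and not security_pocket_enabled(sources_text, codename):
        return "Ubuntu Archive (-security disabled)"
    return repository


# Constructed sources.list contents for the two cases.
SOURCES_ENABLED = """\
deb http://archive.ubuntu.com/ubuntu bionic main restricted
deb http://archive.ubuntu.com/ubuntu bionic-updates main restricted
deb [arch=amd64] http://security.ubuntu.com/ubuntu bionic-security main restricted
"""
SOURCES_DISABLED = """\
deb http://archive.ubuntu.com/ubuntu bionic main restricted
deb http://archive.ubuntu.com/ubuntu bionic-updates main restricted
# deb http://security.ubuntu.com/ubuntu bionic-security main restricted
deb-src http://security.ubuntu.com/ubuntu bionic-security main restricted
"""

if __name__ == "__main__":
    for name, text in (("enabled", SOURCES_ENABLED), ("disabled", SOURCES_DISABLED)):
        print(name, label_repository("Ubuntu Archive", "bionic", text))
```

On a real host, replace the constructed text with read_system_sources() and the codename from /etc/lsb-release; the deb-src line in the disabled sample is there to show that a source-only entry must not satisfy the check.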
Define a new format for manifest files that includes the release codename, source package for each binary, src and binary package versions, and installation status.
Something along the lines of,
(lsb_release -c && dpkg-query -f '${binary:Package},${Source:Package},${Source:Version},${Status}\n' -W) | tee manifest.txt
could be used to generate such as file.
The key is keeping it simple enough that someone can type it in, but also having it contain all the necessary data. We could also provide a manifest_generator that generates the manifests. The whole point of manifests is that you don't need to install CVEScan in order to scan your systems, so this is a somewhat difficult balance to achieve.
Display output indicating the current state of ESM Infra and ESM Apps.
Don't do this in manifest mode.
Add a --syslog SERVER:PORT option to CVEScan that forwards the JSON output to a syslog server. Also add --syslog-light, which sends just the number of missing patches rather than the whole JSON output.
In addition to the CVE-ID, or CVE tracker url, display the package(s) affected by the CVEs.
Make this the default behavior and add a cli arg to turn it off.
It looks like cvescan unpacks uct.json into ~/snap/cvescan/common but does not download the uct.json.bz2 into that directory, and leaves it behind after decompressing. This leaves cruft in users' directories.
We have encountered an issue with a GKE image which cvescan is showing as not vulnerable but which did have kernel packages installed that were vulnerable.
This was confirmed by scanning using oscap and the OCI OVAL data instead.
The CVE was https://ubuntu.com/security/CVE-2021-3444; the manifest was bionic-20210309-minimal-bionic-minimal-cloudimg-amd64-gke-on-prem-1.7.manifest.txt.
Scanning this manifest with cvescan, no vulnerability is shown for CVE-2021-3444:
$ cvescan --priority all --manifest ./bionic-20210309-minimal-bionic-minimal-cloudimg-amd64-gke-on-prem-1.7.manifest
✅ Ubuntu vulnerability datbase successfully downloaded!
✅ Scan complete!
CVE ID PRIORITY PACKAGE FIXED VERSION REPOSITORY
CVE-2019-16884 medium runc 1.0.0~rc10-0ubuntu1~18.04.2 Ubuntu Archive
CVE-2019-19921 medium runc 1.0.0~rc10-0ubuntu1~18.04.2 Ubuntu Archive
CVE-2020-15157 medium docker.io 19.03.6-0ubuntu1~18.04.2 Ubuntu Archive
CVE-2021-3429 medium cloud-init 21.1-19-gbad84ad4-0ubuntu1~18.04.1 Ubuntu Archive
CVE-2021-3449 high libssl1.1 1.1.1-1ubuntu2.1~18.04.9 Ubuntu Archive
CVE-2021-3449 high openssl 1.1.1-1ubuntu2.1~18.04.9 Ubuntu Archive
CVE-2021-21300 medium git 1:2.17.1-1ubuntu0.8 Ubuntu Archive
CVE-2021-21300 medium git-man 1:2.17.1-1ubuntu0.8 Ubuntu Archive
CVE-2021-28153 medium libglib2.0-0 2.56.4-0ubuntu0.18.04.8 Ubuntu Archive
CVE-2021-28153 medium libglib2.0-data 2.56.4-0ubuntu0.18.04.8 Ubuntu Archive
Summary
------------------------------------ ------
Ubuntu Release bionic
Installed Packages 417
CVE Priority All
Unique Packages Fixable by Patching 9
Unique CVEs Fixable by Patching 7
Vulnerabilities Fixable by Patching 10
Fixes Available by `apt-get upgrade` 10
------------------------------------ ------
This is not accurate, and it can be proven using oscap:
# Install oscap
sudo apt install libopenscap8
# Download the up-to-date OVAL data for the bionic release of Ubuntu
wget https://security-metadata.canonical.com/oval/oci.com.ubuntu.bionic.usn.oval.xml.bz2
# Extract this data
bunzip2 oci.com.ubuntu.bionic.usn.oval.xml.bz2
# Copy the downloaded manifest to "manifest" in current directory
cp -v bionic-20210309-minimal-bionic-minimal-cloudimg-amd64-gke-on-prem-1.7.manifest.txt manifest
# Run oscap eval against your local manifest and the Oval data you downloaded - this will generate HTML report cloud-report-vulnerable.html in the same directory.
oscap oval eval --report cloud-report-vulnerable.html oci.com.ubuntu.bionic.usn.oval.xml
This produces cloud-report-vulnerable.html (cloud-report-vulnerable.html.tar.gz attached), which lists the kernel as vulnerable to CVE-2021-3444.
I have attached the OVAL data used by oscap oval eval as com.ubuntu.bionic.cve.oval.xml.tar.gz and the JSON data used by cvescan as ubuntu-vuln-db-bionic.json.tar.gz.
After speaking with mdeslaur on the Canonical security team, it appears that the OVAL generation script adds the meta source package and the signed source package, which the JSON used by cvescan does not appear to contain.
Is it possible to bring both data sources in sync so that using cvescan will result in the same output as oscap?
In the attached json we can see that the section for CVE-2021-3444 lists the following:
"linux-gkeop-5.4": {
  "binaries": [
    "linux-gkeop-5.4-source-5.4.0",
    "linux-gkeop-5.4-headers-5.4.0-1012",
    "linux-gkeop-5.4-tools-5.4.0-1012",
    "linux-gkeop-5.4-cloud-tools-5.4.0-1012",
    "linux-image-unsigned-5.4.0-1012-gkeop",
    "linux-modules-5.4.0-1012-gkeop",
    "linux-modules-extra-5.4.0-1012-gkeop",
    "linux-headers-5.4.0-1012-gkeop",
    "linux-image-unsigned-5.4.0-1012-gkeop-dbgsym",
    "linux-tools-5.4.0-1012-gkeop",
    "linux-cloud-tools-5.4.0-1012-gkeop",
    "linux-buildinfo-5.4.0-1012-gkeop"
  ],
  "repository": "Ubuntu Archive",
  "status": [
    "released",
    "5.4.0-1012.13~18.04.1"
  ]
},
But the Oval data for CVE-2021-3444 does appear to include packages present in the manifest.
Could there be a mode where cvescan could run inside a container and only look at the os packages install in that container image?
Have been working with cvescan all day and tonight came up with an interesting observation:
$ cvescan -p all
✅ Ubuntu vulnerability datbase successfully downloaded!
✅ Scan complete!
CVE ID PRIORITY PACKAGE FIXED VERSION REPOSITORY
CVE-2020-0423 low linux-aws-5.4-headers-5.4.0-1029 5.4.0-1030.31~18.04.1 Ubuntu Archive
...
CVE-2020-0423 low linux-modules-5.4.0-1029-aws 5.4.0-1030.31~18.04.1 Ubuntu Archive
CVE-2020-4788 medium linux-aws-5.4-headers-5.4.0-1029 5.4.0-1030.31~18.04.1 Ubuntu Archive
...
CVE-2020-10135 medium linux-modules-5.4.0-1029-aws 5.4.0-1030.31~18.04.1 Ubuntu Archive
CVE-2020-14351 low linux-aws-5.4-headers-5.4.0-1029 5.4.0-1030.31~18.04.1 Ubuntu Archive
...
CVE-2020-14390 low linux-modules-5.4.0-1029-aws 5.4.0-1030.31~18.04.1 Ubuntu Archive
CVE-2020-25211 medium linux-aws-5.4-headers-5.4.0-1029 5.4.0-1030.31~18.04.1 Ubuntu Archive
...
CVE-2020-28915 medium linux-modules-5.4.0-1029-aws 5.4.0-1030.31~18.04.1 Ubuntu Archive
Summary
------------------------------------ ------
Ubuntu Release bionic
Installed Packages 584
CVE Priority All
Unique Packages Fixable by Patching 4
Unique CVEs Fixable by Patching 11
Vulnerabilities Fixable by Patching 44
Fixes Available by `apt-get upgrade` 44
------------------------------------ ------
It would appear at this point that by running (as stipulated) apt-get upgrade I'll be able to reduce my fixes by 44. So ...
$ sudo apt update
...
$ sudo apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Unless I'm missing something, it appears that the "Fixes Available by apt-get upgrade 44" isn't quite correct? Additionally, to note, I'm using the FIPS 140-2 compliant library, if that helps.
Ideally, CVEScan could be installed just by running pip install . At the moment, it requires some libraries in support of curl, as well as python-apt.
CVEScan should also be installable in a virtualenv.
Add this as default output with an option to turn it off.
Instead of using the expire time to decide whether the OVAL scan should be re-run rather than reusing the existing results.xml file, figure out how to compare the timestamp of the results file with that of the most recently installed package.
In other words: Always delete the results file if packages have been installed since it was created.
For a select few packages (e.g. libreoffice), the binary packages may have different versions than the source packages. This can lead to false positives because UCT tracks the fixed versions of source packages, not binary packages.
I have an AWS instance (with no livepatch) which has the following updates available:
linux-aws/bionic-updates,bionic-security 4.15.0.1063.64 amd64 [upgradable from: 4.15.0.1060.61]
linux-headers-aws/bionic-updates,bionic-security 4.15.0.1063.64 amd64 [upgradable from: 4.15.0.1060.61]
linux-image-aws/bionic-updates,bionic-security 4.15.0.1063.64 amd64 [upgradable from: 4.15.0.1060.61]
However, cvescan doesn't report any CVEs applying:
ubuntu@ip-172-31-29-146:~$ cvescan -vp medium | tail
CVE-2016-1585
CVE-2015-8553
CVE-2014-4715
CVE-2013-7445
Running xsltproc to generate CVE list - fixable and filtered by priority
0 CVEs found with priority of medium or higher that can be fixed with package updates:
Full HTML report available in /home/ubuntu/snap/cvescan/common/report.htm
Normal non-verbose output will appear below
Thanks!
The ubuntu vulnerability database JSON is currently hosted at https://people.canonical.com/~ubuntu-security/cvescan. This should be moved to https://security-metadata.canonical.com/~ubuntu-security. people.canonical.com will need to continue to host updated JSON for as long as v2.x.x versions are expected to continue to function.
I have uno-libs3 installed:
Package: uno-libs3
Version: 6.0.7-0ubuntu0.18.04.10
Priority: optional
Section: libs
Source: libreoffice (1:6.0.7-0ubuntu0.18.04.10)
Origin: Ubuntu
cvescan still reports vulnerabilities:
CVE-2019-9848 medium uno-libs3 1:6.0.7-0ubuntu0.18.04.8 Ubuntu Archive
CVE-2019-9848 medium ure 1:6.0.7-0ubuntu0.18.04.8 Ubuntu Archive
CVE-2019-9849 medium uno-libs3 1:6.0.7-0ubuntu0.18.04.8 Ubuntu Archive
CVE-2019-9849 medium ure 1:6.0.7-0ubuntu0.18.04.8 Ubuntu Archive
CVE-2019-9850 medium uno-libs3 1:6.0.7-0ubuntu0.18.04.9 Ubuntu Archive
CVE-2019-9850 medium ure 1:6.0.7-0ubuntu0.18.04.9 Ubuntu Archive
CVE-2019-9851 medium uno-libs3 1:6.0.7-0ubuntu0.18.04.9 Ubuntu Archive
CVE-2019-9851 medium ure 1:6.0.7-0ubuntu0.18.04.9 Ubuntu Archive
CVE-2019-9852 medium uno-libs3 1:6.0.7-0ubuntu0.18.04.9 Ubuntu Archive
CVE-2019-9852 medium ure 1:6.0.7-0ubuntu0.18.04.9 Ubuntu Archive
CVE-2019-9853 medium uno-libs3 1:6.0.7-0ubuntu0.18.04.9 Ubuntu Archive
CVE-2019-9853 medium ure 1:6.0.7-0ubuntu0.18.04.9 Ubuntu Archive
CVE-2019-9854 medium uno-libs3 1:6.0.7-0ubuntu0.18.04.10 Ubuntu Archive
CVE-2019-9854 medium ure 1:6.0.7-0ubuntu0.18.04.10 Ubuntu Archive
I think this is because dpkg does not include the epoch number for some packages:
$ dpkg -l | grep uno-libs3
ii uno-libs3 6.0.7-0ubuntu0.18.04.10 amd64 LibreOffice UNO runtime environment -- public shared libraries
I'm completely new to cvescan (v2.5.0), but in the hour that I've been investigating, there appears to be a difference in results when using a manifest file or not.
$ cvescan
✅ Ubuntu vulnerability datbase successfully downloaded!
✅ Scan complete!
Summary
------------------------------------ --------------
Ubuntu Release bionic
Installed Packages 632
CVE Priority high or higher
Unique Packages Fixable by Patching 0
Unique CVEs Fixable by Patching 0
Vulnerabilities Fixable by Patching 0
Fixes Available by `apt-get upgrade` 0
------------------------------------ --------------
Shows that no issues are present in my system (high or higher priorities).
$ cvescan -p all
Shows that no issues are present in my system (all priorities)
However, when I generate a manifest file, it's a different matter:
$ dpkg-query -W > ~/manifest.txt
$ cvescan -p all -m ~/manifest.txt
✅ Ubuntu vulnerability datbase successfully downloaded!
✅ Scan complete!
CVE ID PRIORITY PACKAGE FIXED VERSION REPOSITORY
CVE-2019-1547 low libssl1.0.0 1.0.2n-1ubuntu5.4 Ubuntu Archive
CVE-2019-1551 low libssl1.0.0 1.0.2n-1ubuntu5.4 Ubuntu Archive
CVE-2019-1563 low libssl1.0.0 1.0.2n-1ubuntu5.4 Ubuntu Archive
CVE-2020-1968 low libssl1.0.0 1.0.2n-1ubuntu5.4 Ubuntu Archive
CVE-2020-1971 high libssl1.0.0 1.0.2n-1ubuntu5.5 Ubuntu Archive
Summary
------------------------------------ ------
Ubuntu Release bionic
Installed Packages 633
CVE Priority All
Unique Packages Fixable by Patching 1
Unique CVEs Fixable by Patching 5
Vulnerabilities Fixable by Patching 5
Fixes Available by `apt-get upgrade` 5
------------------------------------ ------
$ cvescan -c CVE-2020-1971
✅ Ubuntu vulnerability datbase successfully downloaded!
✅ Scan complete!
Not affected by CVE-2020-1971.
Lastly, when I look for libssl 1.0.0, I don't see it listed:
$ apt list --installed | grep ssl
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
libssl1.1/bionic,now 1.1.1-1ubuntu2.fips.2.1~18.04.3.1 amd64 [installed,automatic]
libssl1.1-hmac/bionic,now 1.1.1-1ubuntu2.fips.2.1~18.04.3.1 amd64 [installed]
libxmlsec1-openssl/bionic,now 1.2.25-1build1 amd64 [installed,automatic]
openssl/bionic,now 1.1.1-1ubuntu2.fips.2.1~18.04.3.1 amd64 [installed,automatic]
python3-openssl/bionic,now 17.5.0-1ubuntu1 all [installed,automatic]
You'll note that I am using the FIPS 140-2 certified OpenSSL package... Does that make a difference?
Hello, there's a small typo 'datbase' in the output:
$ cvescan -p all -m manifest-post.txt
✅ Ubuntu vulnerability datbase successfully downloaded!
[...]
Thanks
Currently cvescan can only scan OCI image manifest files that it downloads. This change would enable customers to scan their own image manifest files.
The release/series would still be a required command line argument with this use case. An additional (optional?) argument should be created so that a local manifest file can be specified to scan instead of downloading a manifest.
Only way to find out version is "snap list" ? It says I'm using version 1.0.10 rev 76.
During the runs of oscap, cvescan consumes a lot of CPU. It's currently not possible to effectively use cpulimit when running cvescan to mitigate this, because cpulimit does not currently support limiting child processes.
Investigate ways to run cvescan with reduced impact
The v3.0.0 development version is currently using https://github.com/memory/python-dpkg to compare debian versions, however, there is a bug in the way python-dpkg compares versions. Inaccurate version comparisons will result in inaccurate scan results. To resolve this, either
A) Resolve the bug in python-dpkg and thoroughly inspect it for any more bugs that may be hiding.
B) Factor out the debian version comparison in review-tools into a standalone library that can be leveraged by both review-tools and CVEScan.
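Several issues on this page turn on the same two points: CVEs are tracked against source package versions (the binary/source version mismatch reports, the uno-libs3 epoch report, the proposed manifest format carrying source package and version and install status, the gnupg-agent "rc" entry), and the scan is only as good as its Debian version comparison (the python-dpkg bug noted above). The block below is an added example, not cvescan's or python-dpkg's code: it implements the comparison algorithm from dpkg's lib/dpkg/version.c (epoch, then upstream, then revision, with "~" sorting below everything) and applies it to a manifest in the proposed format, skipping entries whose status is not "installed". The manifest lines and the fixed-version table are constructed from versions that appear in the scan output quoted on this page; the table is a stand-in for the real vulnerability database.

```python
from typing import Dict, List, Tuple


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"


def _order(c: str) -> int:
    # dpkg's character weights: digits 0, letters their code, '~' below
    # everything (including end of string), any other symbol above letters.
    if _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one upstream or revision component like dpkg's verrevcmp()."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: character weights decide; end of string weighs 0.
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: numeric value decides, leading zeros ignored.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and _isdigit(a[i]):
            return 1  # a's number has more digits, so it is larger
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]'; a missing epoch is 0."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, _, revision = v.rpartition("-")
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as 'dpkg --compare-versions' would order a against b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


# Constructed manifest in the proposed format: codename line from lsb_release -c,
# then one "binary,source,source-version,status" line per package from dpkg-query -W.
SAMPLE_MANIFEST = """\
Codename:\tbionic
uno-libs3,libreoffice,1:6.0.7-0ubuntu0.18.04.10,install ok installed
gnupg-agent,gnupg2,2.2.4-1ubuntu1.1,deinstall ok config-files
libssl1.1,openssl,1.1.1-1ubuntu2.1~18.04.8,install ok installed
"""

# Constructed stand-in for the vulnerability database:
# source package -> [(CVE, source version that fixes it)].
FIXED_VERSIONS: Dict[str, List[Tuple[str, str]]] = {
    "libreoffice": [("CVE-2019-9854", "1:6.0.7-0ubuntu0.18.04.10")],
    "gnupg2": [("CVE-2018-1000858", "2.2.4-1ubuntu1.2")],
    "openssl": [("CVE-2021-3449", "1.1.1-1ubuntu2.1~18.04.9")],
}

Finding = Tuple[str, str, str, str, str]  # cve, binary, source, installed, fixed


def scan_manifest(manifest: str, fixed: Dict[str, List[Tuple[str, str]]]) -> Tuple[str, List[Finding]]:
    lines = manifest.strip().splitlines()
    release = lines[0].split(":", 1)[-1].strip()  # "Codename:\tbionic" -> "bionic"
    findings: List[Finding] = []
    for line in lines[1:]:
        binary, source, src_version, status = line.split(",", 3)
        if status.split()[-1] != "installed":
            continue  # 'rc' leftovers (config files only) carry no vulnerable code
        for cve, fixed_version in fixed.get(source, []):
            if compare_versions(src_version, fixed_version) < 0:
                findings.append((cve, binary, source, src_version, fixed_version))
    return release, findings


if __name__ == "__main__":
    rel, found = scan_manifest(SAMPLE_MANIFEST, FIXED_VERSIONS)
    print(f"Ubuntu Release {rel}")
    for f in found:
        print(" ".join(f))
```

With the source version "1:6.0.7-0ubuntu0.18.04.10" in hand, uno-libs3 compares equal to the fix and is not reported; feed it the epoch-less binary version "6.0.7-0ubuntu0.18.04.10" instead and the epoch comparison alone makes it look older than "1:6.0.7-0ubuntu0.18.04.8", which is exactly the false positive in the uno-libs3 report. The "~18.04.1" backport suffix sorting below the plain version is what makes release-specific fixed versions compare correctly.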
If I run cvescan in an instance with 512MB RAM, such as an B1ls on Azure, or a t2.nano on AWS, cvescan installs fine, but dies on first run:
ubuntu@ermine-test:~$ sudo snap install cvescan
cvescan 1.0.3 from Mark Morlino (markmorlino) installed
ubuntu@ermine-test:~$ cvescan -v
Running as a snap, changing to '/home/ubuntu/snap/cvescan/common' directory
Downloaded files, log files and temporary reports will be in '/home/ubuntu/snap/cvescan/common'
Priority filter is 'high'
Downloading https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.eoan.cve.oval.xml.bz2
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 780k 100 780k 0 0 364k 0 0:00:02 0:00:02 --:--:-- 364k
Unzipping com.ubuntu.eoan.cve.oval.xml.bz2
Running oval scan oscap oval eval --verbose WARNING --verbose-log-file debug.log --results results.xml com.ubuntu.eoan.cve.oval.xml (output logged to /home/ubuntu/snap/cvescan/common/oval.log)
/snap/cvescan/23/bin/cvescan: line 218: 32089 Killed oscap oval eval $VERBOSE_OSCAP_OPTIONS --results "$RESULTS" "$OVAL_FILE" > $LOG 2>&1
Error: Failed to run oval scan
All logfiles are empty. Here's the OOM in dmesg: https://paste.ubuntu.com/p/CtgjqFHf6S/ and here are the kernel boot messages: https://paste.ubuntu.com/p/TKBGkZdjJ2/
CVEScan is reporting CVE-2021-3429 as fixable, but the suggested version (21.1-19-gbad84ad4-0ubuntu1~xx.yy.z) does not seem to be available in the official repositories, i.e. when I run apt-get update && apt-get install cloud-init
I get the following:
$ apt-get update && apt-get install cloud-init
Reading package lists... Done
Building dependency tree
Reading state information... Done
cloud-init is already the newest version (20.4.1-0ubuntu1~xx.yy.z).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Launchpad shows the latest package as being in the "proposed" state:
Is it possible that CVEScan's source for package availability is misreporting actual availability?
Is it possible to add the CVE publish date to the report?
I've run
$ ./cvescan -v
Priority filter is 'high'
Running oval scan oscap oval eval --verbose WARNING --verbose-log-file debug.log --results results.xml com.ubuntu.eoan.cve.oval.xml (output logged to oval.log)
Error: Failed to run oval scan
I am running on Ubuntu 19.10 Eoan with oscap 1.2.16.
$ oscap -V
OpenSCAP command line tool (oscap) 1.2.16
Copyright 2009--2017 Red Hat Inc., Durham, North Carolina.
==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.11.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1
CVRF Version: 1.1
==== Capabilities added by auto-loaded plugins ====
SCE Version: 1.0 (from libopenscap_sce.so.8)
See https://pastebin.ubuntu.com/p/tcv3Q2k35F/ for contents of oval.log.
What could be causing this?
Adjust the default behavior to output links to CVE details instead of only the CVE identifier string.
Add a commandline option that turns off this behavior and only outputs the CVE ids.
The python version uses the words "or higher affect this system" even when scanning a manifest file. The wording should not indicate "this system" when scanning a manifest file.
Expecting 0, got 3 (which documentation says means there are outstanding CVEs)
root@master ~ # cvescan --version; cvescan -p all; echo $?
CVEScan, v2.5.0
✅ Ubuntu vulnerability datbase successfully downloaded!
✅ Scan complete!
Summary
Ubuntu Release bionic
Installed Packages 891
CVE Priority All
Unique Packages Fixable by Patching 0
Unique CVEs Fixable by Patching 0
Vulnerabilities Fixable by Patching 0
Fixes Available by `apt-get upgrade` 0
3
root@master ~ #
Hello! Can you build a deb package? Many servers do not have snapd.
In addition to the CVE-ID, display the priority of the CVEs.
Make this the default behavior and add a cli argument to turn it off.
We have a few use cases where snap store access is open at the firewall, but people.canonical.com is not. It would be cool to ship the files in the snap and default to those if people is not available.
Print out a warning:
Notice: Unable to download most recent OVAL file, using one from $date
I installed snap cvescan version 1.0.10 rev 76 on Ubuntu desktop GNOME 20.04, but running it gives "Error: DISTRIB_CODENAME=focal in /etc/lsb-release is not trusty|xenial|bionic|eoan, not running".