canonical / sec-cvescan


Analyzes an Ubuntu system and checks for unpatched vulnerabilities.

License: GNU General Public License v3.0

Shell 7.60% XSLT 4.54% Python 87.86%

Contributors: alexmurray, arossbell, cristianovalenca, joemcmanus, markmorlino, mssalvatore, stevebeattie

sec-cvescan's Issues

cvescan fails due to lack of networking when confined

I have a GCP-hosted 16.04 LTS instance where cvescan fails with the following message:

Error: Failed to curl https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xenial.cve.oval.xml.bz2

The root cause is lack of networking accessible to curl:

$ sudo snap run --shell cvescan
root# curl https://8.8.8.8/
curl: (7) Couldn't connect to server
root# curl altern.org
curl: (6) Could not resolve host: altern.org

I'm not sure what is special about this VM; we're hitting a security policy, perhaps?

Mismatch between source and binary package version numbers

Some binary packages have different version numbers than the associated source package. Since CVEs in Ubuntu are tracked against source packages, some CVEScan results may be incorrect, as dpkg-query -l does not include the source package version.

Instead of using dpkg -l to query the installed packages on the system, the following command could be used to provide more detail, including the source package versions:

dpkg-query -f '${db:Status-Abbrev},${binary:Package},${Version},${source:Package},${Source:Version}\n' -W

After this change, the UCT JSON data should no longer need to include a list of binaries so that binaries can be mapped to source packages. This should significantly decrease the size of those JSON files, improving download times, JSON deserialization, and overall runtime.

feature request: make cvescan livepatch-aware

As a user, I'd like to know that my systems are safe from a given CVE in the case where the running kernel version is vulnerable, but livepatch has applied a patch to guard against this CVE.

Database Release Version

A customer has suggested having a database version printed out (possibly in the "Summary" block at the end of a scan).
It appears that this may be possible with what's already being released in the JSON data, using the "metadata":"timestamp" value (among the last values).

Different results when using Nagios report format (`-n`)

We just noticed that cvescan reports differently when using the -n switch:

# cvescan -n
✅ Ubuntu vulnerability datbase successfully downloaded! 
✅ Scan complete!
 
WARNING: Affected by 1 CVEs with "high" or higher priority.
CVE-2020-28374
# cvescan -p all
✅ Ubuntu vulnerability datbase successfully downloaded! 
✅ Scan complete!
 
Summary
------------------------------------  -----
Ubuntu Release                        focal
Installed Packages                    1121
CVE Priority                          All
Unique Packages Fixable by Patching   0
Unique CVEs Fixable by Patching       0
Vulnerabilities Fixable by Patching   0
Fixes Available by `apt-get upgrade`  0
------------------------------------  -----

Why is that? The scan using -n is correct, as the kernel running on this machine is still old and affected. So why doesn't it show up if running cvescan using normal output?

Debian compatibility

Is it possible to get some compatibility working in Debian? I would like to produce a .deb to add to the Debian repositories; for that it would be interesting, and there would be compatibility with cve search in Debian too.

cvescan defaults to omitting CVEs for which no patches are available

I have a system which is currently affected by CVE-2018-3309 and CVE-2019-11707. When I run cvescan I get:

kiko@barbudinho:~$ cvescan -x -v
Running as a snap, changing to '/home/kiko/snap/cvescan/common' directory
Downloaded files, log files and temporary reports will be in '/home/kiko/snap/cvescan/common'
Priority filter is 'high'
Running in experimental mode, using 'alpha' OVAL file from https://people.canonical.com/~ubuntu-security/oval/alpha/alpha.com.ubuntu.bionic.cve.oval.xml.bz2
Removing file: alpha.com.ubuntu.bionic.cve.oval.xml
Removing files: alpha.com.ubuntu.bionic.cve.oval.xml.bz2 report.htm results.xml oval.log manifest debug.log
Downloading https://people.canonical.com/~ubuntu-security/oval/alpha/alpha.com.ubuntu.bionic.cve.oval.xml.bz2
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1359k  100 1359k    0     0   577k      0  0:00:02  0:00:02 --:--:--  576k
Unzipping alpha.com.ubuntu.bionic.cve.oval.xml.bz2
Running oval scan oscap oval eval --verbose WARNING --verbose-log-file debug.log --results results.xml alpha.com.ubuntu.bionic.cve.oval.xml (output logged to /home/kiko/snap/cvescan/common/oval.log)
Generating html report /home/kiko/snap/cvescan/common/report.htm from results xml /home/kiko/snap/cvescan/common/results.xml (output logged to /home/kiko/snap/cvescan/common/oval.log)
Open /home/kiko/snap/cvescan/common/report.htm in a browser to see complete and unfiltered scan results
Running xsltproc to generate CVE list - fixable/unfixable and filtered by priority
2 vulnerabilities found with priority of high or higher:
CVE-2019-11707
CVE-2018-3309
Running xsltproc to generate CVE list - fixable and filtered by priority
0 CVEs found with priority of high or higher that can be fixed with package updates:

Full HTML report available in /home/kiko/snap/cvescan/common/report.htm
Normal non-verbose output will appear below
kiko@barbudinho:~$ 

This happens because the default is not to show all CVEs affecting the system, but that default should be inverted, because we need to set the bar high towards improving visibility, as opposed to obscuring the reality of things.

improve handling of manifest files

  • Improve help and error messages when running under snap confinement and unable to access manifest file specified by '-f'
  • Add capability to read manifest file via stdin

output suggests ua apps but you need to ua enable esm-apps

Working through the output I was hoping to bring it into alignment with what the end user needs to do to help mitigate something they find in the cvescan output. There's a disconnect in naming between "UA Apps" and the CLI command 'ua enable esm-apps'.

However, as I started to perform the simple find/replace I see it gets more interesting as the "UA Apps" goes into the utc.json and the repository section there. I'm not sure where the best place to handle a transition from "back end" to user-facing might be.

Clarify archive status

Archives are colored green or red based on whether or not they're enabled. Clarify whether or not an archive is disabled by adding "(disabled)" to the text.

Scan shows vulnerable if some patched packages are installed from PPA

Hi,

Firstly, thank you for your work :)

I work on the Canonical Public Cloud team and our partner GKE and their customers are starting to use cvescan to scan for vulnerabilities.

The GKE images we provide to GKE have certain packages installed from a PPA eg. https://launchpad.net/~cloud-images/+archive/ubuntu/docker1903-k8s

This PPA has containerd, runc and docker.io and all are up to date and patched... but when scanning the attached manifest cvescan flags the packages as being vulnerable to CVE-2020-15157

$ cvescan -p all --manifest=ubuntu-gke-onprem-1804-1-18-v20201203.manifest.txt | grep "docker\.io\|containerd"

CVE-2020-15157  medium      docker.io               19.03.6-0ubuntu1~18.04.2     Ubuntu Archive
CVE-2020-15257  medium      containerd              1.3.3-0ubuntu1~18.04.4       Ubuntu Archive

I can confirm that the versions installed are not vulnerable to CVE-2020-15157.

sudo apt install apt-listchanges
wget https://launchpad.net/~cloud-images/+archive/ubuntu/docker1903-k8s/+files/docker.io_19.03.2-0ubuntu1~18.04.0.2_amd64.deb
wget https://launchpad.net/~cloud-images/+archive/ubuntu/docker1903-k8s/+files/containerd_1.2.10-0ubuntu1~18.04.0.3_amd64.deb
apt-listchanges --verbose --frontend text --all ./docker.io_19.03.2-0ubuntu1~18.04.0.2_amd64.deb > docker.io.changelog
apt-listchanges --verbose --frontend text --all ./containerd_1.2.10-0ubuntu1~18.04.0.3_amd64.deb > containerd.changelog
less docker.io.changelog
less containerd.changelog

In the changelog you can see that patches have been applied for CVE-2020-15157.

Is there any way to add support in cvescan for marking certain package versions from a PPA as no longer vulnerable to a specific CVE, e.g. by appending to the database used when scanning?

The PPAs GKE and their customers use are all public.

ubuntu-gke-onprem-1804-1-18-v20201203.manifest.txt

Is dpkg-query -W sufficient for the manifest?

I generated a manifest on a Bionic system with dpkg-query -W, copied it to a focal machine, and ran cvescan -p all -m manifest-post.txt. The output is surprising:

$ cvescan -p all -m manifest-post.txt 
✅ Ubuntu vulnerability datbase successfully downloaded! 
✅ Scan complete!
 
CVE ID            PRIORITY    PACKAGE      FIXED VERSION     REPOSITORY
CVE-2018-1000858  medium      gnupg-agent  2.2.4-1ubuntu1.2  Ubuntu Archive
CVE-2019-14855    low         gnupg-agent  2.2.4-1ubuntu1.3  Ubuntu Archive

Summary
------------------------------------  ------
Ubuntu Release                        bionic
Installed Packages                    1261
CVE Priority                          All
Unique Packages Fixable by Patching   1
Unique CVEs Fixable by Patching       2
Vulnerabilities Fixable by Patching   2
Fixes Available by `apt-get upgrade`  2
------------------------------------  ------

gnupg-agent isn't actually installed according to dpkg -l, but it is included in dpkg-query -W output all the same:

$ dpkg -l gnupg-agent | cat
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version          Architecture Description
+++-==============-================-============-====================================================================
rc  gnupg-agent    2.2.4-1ubuntu1.1 all          GNU privacy guard - cryptographic agent (dummy transitional package)
$ dpkg-query -W | grep gnupg-agent
gnupg-agent	2.2.4-1ubuntu1.1

Thanks

Mismatch between oval and cvescan

CVE-2012-2663 is reported by cvescan as needed but the actual status is ignored.
The issue is probably in the JSON generation, but it's not open-sourced as far as I know so I can't verify.
I would be happy to help fixing this.

Clean up usage

The --usage message displayed with --help is inconsistently formatted and should be improved.

CVEScan assumes -security pocket is enabled

CVEScan does not check whether or not the -security pocket is enabled and, by default, assumes that any patch available from "Ubuntu Archive" will be installed when apt upgrade is run. CVEScan should check whether or not the -security pocket is enabled and color/mark "Ubuntu Archive" appropriately in the output.

More data in manifest files

Define a new format for manifest files that includes the release codename, source package for each binary, src and binary package versions, and installation status.

Something along the lines of,

(lsb_release -c && dpkg-query -f '${binary:Package},${Source:Package},${Source:Version},${Status}\n' -W) | tee manifest.txt

could be used to generate such a file.

The key is keeping it simple enough that someone can't type it in, but also having it contain all the necessary data. We could also provide a manifest_generator that generates the manifests. The whole point of manifests is that you don't need to install CVEScan in order to scan your systems, so this is a somewhat difficult balance to achieve.
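The richer manifest line proposed here, the 'rc' entry that slipped into the dpkg-query -W manifest, and the binary-to-source mapping from the source/binary version issue can all be handled by one small parser. This is an added example, not sec-cvescan's own code; SAMPLE_MANIFEST is constructed input in the field order of the dpkg-query format quoted in the source/binary version issue, and the 1011 kernel line is invented to show two versions of one source installed at once.

```python
# Field order of the richer manifest line (the dpkg-query -f format quoted in the
# "Mismatch between source and binary package version numbers" issue):
#   ${db:Status-Abbrev},${binary:Package},${Version},${source:Package},${Source:Version}
FIELDS = ("status", "binary", "version", "source", "source_version")

# Constructed sample, not real dpkg output: a binary whose version lacks the epoch its
# source carries, a multi-arch binary, two kernel versions built from a differently named
# source package, and a removed package still listed in 'rc' state.
SAMPLE_MANIFEST = """\
ii ,uno-libs3,6.0.7-0ubuntu0.18.04.10,libreoffice,1:6.0.7-0ubuntu0.18.04.10
ii ,libssl1.1:amd64,1.1.1-1ubuntu2.1~18.04.9,openssl,1.1.1-1ubuntu2.1~18.04.9
ii ,linux-modules-5.4.0-1012-gkeop,5.4.0-1012.13~18.04.1,linux-gkeop-5.4,5.4.0-1012.13~18.04.1
ii ,linux-modules-5.4.0-1011-gkeop,5.4.0-1011.12~18.04.1,linux-gkeop-5.4,5.4.0-1011.12~18.04.1
rc ,gnupg-agent,2.2.4-1ubuntu1.1,gnupg2,2.2.4-1ubuntu1.1
"""


def is_installed(status_abbrev):
    """db:Status-Abbrev is 'desired status err'; the second character is the package
    status and 'i' means installed. Plain dpkg-query -W also lists 'rc' packages
    (removed, conffiles left behind), which is how gnupg-agent ended up being scanned."""
    return len(status_abbrev) >= 2 and status_abbrev[1] == "i"


def parse_manifest(text):
    """Parse manifest lines into dicts keyed by FIELDS. Blank lines are skipped;
    a line with the wrong field count raises rather than being guessed at."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        entry = dict(zip(FIELDS, parts))
        # binary:Package carries an architecture qualifier for multi-arch packages.
        entry["binary"] = entry["binary"].split(":", 1)[0]
        entries.append(entry)
    return entries


def installed_sources(entries):
    """Group installed binaries as source -> source_version -> [binaries].
    CVEs are tracked per source package, so this is the key a scanner needs; because
    it is derived from the manifest alone, the vulnerability JSON no longer has to
    ship a per-CVE list of binary names to map them back to sources."""
    sources = {}
    for e in entries:
        if not is_installed(e["status"]):
            continue
        # Several versions of one source can be installed at once (old kernels stay
        # around), so group by version too rather than assuming one per source.
        sources.setdefault(e["source"], {}).setdefault(e["source_version"], []).append(e["binary"])
    return sources


if __name__ == "__main__":
    for source, versions in installed_sources(parse_manifest(SAMPLE_MANIFEST)).items():
        for version, binaries in versions.items():
            print(f"{source} {version}: {', '.join(binaries)}")
```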

Add option to send output to a syslog server

Add a --syslog SERVER:PORT option to CVEScan that forwards the JSON output to a syslog server. Also add --syslog-light which sends just the number of missing patches, rather than the whole JSON output.

Add Output formatting options

After #9, #11, and #30 have been addressed (or possibly while addressing them) we should probably add some additional output formats.

I think the default will be fixed-width tabular text output but we should add options for people to get output in CSV or JSON and maybe other formats?

Vulnerability database used by cvescan not the same as the Oval data thus missing some vulnerable packages during scan

We have encountered an issue with a GKE image which cvescan is showing as not vulnerable but did have kernel packages installed that were vulnerable.

This was confirmed by scanning using oscap and the oci Oval data instead.

The CVE was https://ubuntu.com/security/CVE-2021-3444 the manifest was
bionic-20210309-minimal-bionic-minimal-cloudimg-amd64-gke-on-prem-1.7.manifest.txt

Scanning this manifest with cvescan no vulnerability is shown for CVE-2021-3444

$ cvescan --priority all --manifest ./bionic-20210309-minimal-bionic-minimal-cloudimg-amd64-gke-on-prem-1.7.manifest
✅ Ubuntu vulnerability datbase successfully downloaded! 
✅ Scan complete!
 
CVE ID          PRIORITY    PACKAGE          FIXED VERSION                       REPOSITORY
CVE-2019-16884  medium      runc             1.0.0~rc10-0ubuntu1~18.04.2         Ubuntu Archive
CVE-2019-19921  medium      runc             1.0.0~rc10-0ubuntu1~18.04.2         Ubuntu Archive
CVE-2020-15157  medium      docker.io        19.03.6-0ubuntu1~18.04.2            Ubuntu Archive
CVE-2021-3429   medium      cloud-init       21.1-19-gbad84ad4-0ubuntu1~18.04.1  Ubuntu Archive
CVE-2021-3449   high        libssl1.1        1.1.1-1ubuntu2.1~18.04.9            Ubuntu Archive
CVE-2021-3449   high        openssl          1.1.1-1ubuntu2.1~18.04.9            Ubuntu Archive
CVE-2021-21300  medium      git              1:2.17.1-1ubuntu0.8                 Ubuntu Archive
CVE-2021-21300  medium      git-man          1:2.17.1-1ubuntu0.8                 Ubuntu Archive
CVE-2021-28153  medium      libglib2.0-0     2.56.4-0ubuntu0.18.04.8             Ubuntu Archive
CVE-2021-28153  medium      libglib2.0-data  2.56.4-0ubuntu0.18.04.8             Ubuntu Archive

Summary
------------------------------------  ------
Ubuntu Release                        bionic
Installed Packages                    417
CVE Priority                          All
Unique Packages Fixable by Patching   9
Unique CVEs Fixable by Patching       7
Vulnerabilities Fixable by Patching   10
Fixes Available by `apt-get upgrade`  10
------------------------------------  ------

This is not accurate and can be proven using oscap

# Install oscap
sudo apt install libopenscap8
# Download the up-to-date OVAL data for the bionic release of Ubuntu
wget https://security-metadata.canonical.com/oval/oci.com.ubuntu.bionic.usn.oval.xml.bz2
# Extract this data
bunzip2 oci.com.ubuntu.bionic.usn.oval.xml.bz2
# Copy the downloaded manifest to "manifest" in current directory
cp -v bionic-20210309-minimal-bionic-minimal-cloudimg-amd64-gke-on-prem-1.7.manifest.txt manifest 
# Run oscap eval against your local manifest and the Oval data you downloaded - this will generate HTML report cloud-report-vulnerable.html in the same directory.
oscap oval eval --report cloud-report-vulnerable.html oci.com.ubuntu.bionic.usn.oval.xml

This produces cloud-report-vulnerable.html (cloud-report-vulnerable.html.tar.gz attached) which lists the kernel as vulnerable to CVE-2021-3444.

I have attached the oval data used by oscap oval eval as com.ubuntu.bionic.cve.oval.xml.tar.gz and the json data used by cvescan as ubuntu-vuln-db-bionic.json.tar.gz

After speaking with mdeslaur on Canonical security team it appears that the oval generation script adds the meta source package and the signed source package which the json used by cvescan does not appear to contain.

Is it possible to bring both data sources in sync so that using cvescan will result in the same output as oscap?

In the attached json we can see that the section for CVE-2021-3444 lists the following:

"linux-gkeop-5.4": {
    "binaries": [
        "linux-gkeop-5.4-source-5.4.0",
        "linux-gkeop-5.4-headers-5.4.0-1012",
        "linux-gkeop-5.4-tools-5.4.0-1012",
        "linux-gkeop-5.4-cloud-tools-5.4.0-1012",
        "linux-image-unsigned-5.4.0-1012-gkeop",
        "linux-modules-5.4.0-1012-gkeop",
        "linux-modules-extra-5.4.0-1012-gkeop",
        "linux-headers-5.4.0-1012-gkeop",
        "linux-image-unsigned-5.4.0-1012-gkeop-dbgsym",
        "linux-tools-5.4.0-1012-gkeop",
        "linux-cloud-tools-5.4.0-1012-gkeop",
        "linux-buildinfo-5.4.0-1012-gkeop"
    ],
    "repository": "Ubuntu Archive",
    "status": [
        "released",
        "5.4.0-1012.13~18.04.1"
    ]
},

But the Oval data for CVE-2021-3444 does appear to include packages present in the manifest.

Fixes Available by `apt-get upgrade` aren't fixable

Have been working with cvescan all day and tonight came up with an interesting observation:

$ cvescan -p all
✅ Ubuntu vulnerability datbase successfully downloaded!
✅ Scan complete!

CVE ID          PRIORITY    PACKAGE                           FIXED VERSION          REPOSITORY
CVE-2020-0423   low         linux-aws-5.4-headers-5.4.0-1029  5.4.0-1030.31~18.04.1  Ubuntu Archive
...
CVE-2020-0423   low         linux-modules-5.4.0-1029-aws      5.4.0-1030.31~18.04.1  Ubuntu Archive
CVE-2020-4788   medium      linux-aws-5.4-headers-5.4.0-1029  5.4.0-1030.31~18.04.1  Ubuntu Archive
...
CVE-2020-10135  medium      linux-modules-5.4.0-1029-aws      5.4.0-1030.31~18.04.1  Ubuntu Archive
CVE-2020-14351  low         linux-aws-5.4-headers-5.4.0-1029  5.4.0-1030.31~18.04.1  Ubuntu Archive
...
CVE-2020-14390  low         linux-modules-5.4.0-1029-aws      5.4.0-1030.31~18.04.1  Ubuntu Archive
CVE-2020-25211  medium      linux-aws-5.4-headers-5.4.0-1029  5.4.0-1030.31~18.04.1  Ubuntu Archive
...
CVE-2020-28915  medium      linux-modules-5.4.0-1029-aws      5.4.0-1030.31~18.04.1  Ubuntu Archive

Summary
------------------------------------  ------
Ubuntu Release                        bionic
Installed Packages                    584
CVE Priority                          All
Unique Packages Fixable by Patching   4
Unique CVEs Fixable by Patching       11
Vulnerabilities Fixable by Patching   44
Fixes Available by `apt-get upgrade`  44
------------------------------------  ------

It would appear at this point, that running (as stipulated) apt-get upgrade I'll be able to reduce my fixes by 44. So ...

$ sudo apt update
...
$ sudo apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Unless I'm missing something, it appears that the "Fixes Available by apt-get upgrade 44" isn't quite correct? Additionally, to note, I'm using the FIPS 140-2 compliant library, if that helps

Improve pip installability

Ideally, CVEScan could be installed just by running `pip install .`. At the moment, it requires some libraries in support of curl, as well as python-apt.

CVEScan should also be installable in a virtualenv.

re-use results.xml in a smarter way

Instead of using the expiry time to determine whether the OVAL scan should be re-run rather than reusing the existing results.xml file, figure out how to compare the timestamp of the results file with that of the most recently installed package.

In other words: Always delete the results file if packages have been installed since it was created.

cvescan fails to report on (at least a set of kernel) security updates

I have an AWS instance (with no livepatch) which has the following updates available:

linux-aws/bionic-updates,bionic-security 4.15.0.1063.64 amd64 [upgradable from: 4.15.0.1060.61]
linux-headers-aws/bionic-updates,bionic-security 4.15.0.1063.64 amd64 [upgradable from: 4.15.0.1060.61]
linux-image-aws/bionic-updates,bionic-security 4.15.0.1063.64 amd64 [upgradable from: 4.15.0.1060.61]

However, cvescan doesn't report any CVEs applying:

ubuntu@ip-172-31-29-146:~$ cvescan -vp medium | tail
CVE-2016-1585
CVE-2015-8553
CVE-2014-4715
CVE-2013-7445
Running xsltproc to generate CVE list - fixable and filtered by priority
0 CVEs found with priority of medium or higher that can be fixed with package updates:

Full HTML report available in /home/ubuntu/snap/cvescan/common/report.htm
Normal non-verbose output will appear below

Thanks!

epoch number might be causing inaccurate results

I have uno-libs3 installed:

Package: uno-libs3
Version: 6.0.7-0ubuntu0.18.04.10
Priority: optional
Section: libs
Source: libreoffice (1:6.0.7-0ubuntu0.18.04.10)
Origin: Ubuntu

cvescan still reports vulnerabilities:

CVE-2019-9848   medium      uno-libs3                       1:6.0.7-0ubuntu0.18.04.8         Ubuntu Archive
CVE-2019-9848   medium      ure                             1:6.0.7-0ubuntu0.18.04.8         Ubuntu Archive
CVE-2019-9849   medium      uno-libs3                       1:6.0.7-0ubuntu0.18.04.8         Ubuntu Archive
CVE-2019-9849   medium      ure                             1:6.0.7-0ubuntu0.18.04.8         Ubuntu Archive
CVE-2019-9850   medium      uno-libs3                       1:6.0.7-0ubuntu0.18.04.9         Ubuntu Archive
CVE-2019-9850   medium      ure                             1:6.0.7-0ubuntu0.18.04.9         Ubuntu Archive
CVE-2019-9851   medium      uno-libs3                       1:6.0.7-0ubuntu0.18.04.9         Ubuntu Archive
CVE-2019-9851   medium      ure                             1:6.0.7-0ubuntu0.18.04.9         Ubuntu Archive
CVE-2019-9852   medium      uno-libs3                       1:6.0.7-0ubuntu0.18.04.9         Ubuntu Archive
CVE-2019-9852   medium      ure                             1:6.0.7-0ubuntu0.18.04.9         Ubuntu Archive
CVE-2019-9853   medium      uno-libs3                       1:6.0.7-0ubuntu0.18.04.9         Ubuntu Archive
CVE-2019-9853   medium      ure                             1:6.0.7-0ubuntu0.18.04.9         Ubuntu Archive
CVE-2019-9854   medium      uno-libs3                       1:6.0.7-0ubuntu0.18.04.10        Ubuntu Archive
CVE-2019-9854   medium      ure                             1:6.0.7-0ubuntu0.18.04.10        Ubuntu Archive

I think this is because dpkg does not include epoch number for some packages

$ dpkg -l | grep uno-libs3
ii  uno-libs3                                  6.0.7-0ubuntu0.18.04.10                          amd64        LibreOffice UNO runtime environment -- public shared libraries

Mismatch between using manifest file or not

I'm completely new to cvescan (v2.5.0), but in the hour that I've been investigating, there appears to be a difference in results when using a manifest file or not.

$ cvescan
✅ Ubuntu vulnerability datbase successfully downloaded! 
✅ Scan complete!
 
Summary
------------------------------------  --------------
Ubuntu Release                        bionic
Installed Packages                    632
CVE Priority                          high or higher
Unique Packages Fixable by Patching   0
Unique CVEs Fixable by Patching       0
Vulnerabilities Fixable by Patching   0
Fixes Available by `apt-get upgrade`  0
------------------------------------  --------------

Shows that no issues are present in my system (high or higher priorities).

$ cvescan -p all
Shows that no issues are present in my system (all priorities)

However, when I generate a manifest file, it's a different matter:

$ dpkg-query -W > ~/manifest.txt
$ cvescan -p all -m ~/manifest.txt
✅ Ubuntu vulnerability datbase successfully downloaded!
✅ Scan complete!

CVE ID         PRIORITY    PACKAGE      FIXED VERSION      REPOSITORY
CVE-2019-1547  low         libssl1.0.0  1.0.2n-1ubuntu5.4  Ubuntu Archive
CVE-2019-1551  low         libssl1.0.0  1.0.2n-1ubuntu5.4  Ubuntu Archive
CVE-2019-1563  low         libssl1.0.0  1.0.2n-1ubuntu5.4  Ubuntu Archive
CVE-2020-1968  low         libssl1.0.0  1.0.2n-1ubuntu5.4  Ubuntu Archive
CVE-2020-1971  high        libssl1.0.0  1.0.2n-1ubuntu5.5  Ubuntu Archive

Summary
------------------------------------  ------
Ubuntu Release                        bionic
Installed Packages                    633
CVE Priority                          All
Unique Packages Fixable by Patching   1
Unique CVEs Fixable by Patching       5
Vulnerabilities Fixable by Patching   5
Fixes Available by `apt-get upgrade`  5
------------------------------------  ------

  • I see that the Installed Packages increments by one - I'm assuming that that's a reference to the manifest file itself?
  • How come I get different results with a manifest file, as opposed to not specifying one?
  • Additionally, when I pick one of the CVEs that I'm supposedly vulnerable to, it tells me that I'm not vulnerable:

$ cvescan -c CVE-2020-1971
✅ Ubuntu vulnerability datbase successfully downloaded!
✅ Scan complete!

Not affected by CVE-2020-1971.

Lastly, when I look for libssl 1.0.0, I don't see it listed:

$ apt list --installed | grep ssl

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

libssl1.1/bionic,now 1.1.1-1ubuntu2.fips.2.1~18.04.3.1 amd64 [installed,automatic]
libssl1.1-hmac/bionic,now 1.1.1-1ubuntu2.fips.2.1~18.04.3.1 amd64 [installed]
libxmlsec1-openssl/bionic,now 1.2.25-1build1 amd64 [installed,automatic]
openssl/bionic,now 1.1.1-1ubuntu2.fips.2.1~18.04.3.1 amd64 [installed,automatic]
python3-openssl/bionic,now 17.5.0-1ubuntu1 all [installed,automatic]

You'll note that I am using the FIPS 140-2 certified OpenSSL package... Does that make a difference?

Typo 'datbase'

Hello, there's a small typo 'datbase' in the output:

$ cvescan -p all -m manifest-post.txt 
✅ Ubuntu vulnerability datbase successfully downloaded! 
[...]

Thanks

CVEScan consumes a lot of CPU resources

During the runs of oscap, cvescan consumes a lot of CPU. It's currently not possible to effectively use cpulimit when running cvescan to mitigate this because cpulimit does not currently support limiting child processes.

Investigate ways to run cvescan with reduced impact

Incorrect debian version comparison in v3.0.0

The v3.0.0 development version is currently using https://github.com/memory/python-dpkg to compare debian versions, however, there is a bug in the way python-dpkg compares versions. Inaccurate version comparisons will result in inaccurate scan results. To resolve this, either

A) Resolve the bug in python-dpkg and thoroughly inspect it for any more bugs that may be hiding.
B) Factor out the debian version comparison in review-tools into a standalone library that can be leveraged by both review-tools and CVEScan.
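Both the epoch report above (uno-libs3) and this issue come down to ordering Debian version strings correctly. The following comparator, written to the Debian Policy rules (epoch first, then upstream version, then revision; '~' sorts before everything, letters before other characters, digit runs numerically), is an added example and not the sec-cvescan or python-dpkg code; is_fixed and epoch_demo are names chosen here, and epoch_demo uses the uno-libs3 versions quoted in the epoch issue.

```python
import re


def _char_order(c):
    """Ordering for non-digit characters: '~' before anything (even end of string),
    then end of string, then letters, then every other character."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _compare_fragment(a, b):
    """Compare an upstream version or a revision: alternate between non-digit runs
    (character by character via _char_order) and digit runs (numerically)."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(0), re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            oa = _char_order(na[i] if i < len(na) else "")
            ob = _char_order(nb[i] if i < len(nb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"[0-9]*", a).group(0), re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0


def split_version(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision).
    A missing epoch is 0; the revision is whatever follows the last hyphen."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = split_version(v1)
    e2, u2, r2 = split_version(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _compare_fragment(u1, u2) or _compare_fragment(r1, r2)


def is_fixed(installed, fixed):
    """True when the installed version is at least the version the CVE was fixed in."""
    return compare_versions(installed, fixed) >= 0


def epoch_demo():
    """The uno-libs3 case from the epoch issue: the binary version as printed without
    its epoch compares below the fixed version, so the package looks vulnerable;
    prefixing the epoch from the Source: field makes the comparison come out right."""
    fixed = "1:6.0.7-0ubuntu0.18.04.8"
    without_epoch = "6.0.7-0ubuntu0.18.04.10"
    with_epoch = "1:" + without_epoch
    return is_fixed(without_epoch, fixed), is_fixed(with_epoch, fixed)


if __name__ == "__main__":
    print("fixed without epoch / with epoch:", epoch_demo())
```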

cvescan crashes with OOM on machines with under 1GB RAM

If I run cvescan in an instance with 512MB RAM, such as a B1ls on Azure or a t2.nano on AWS, cvescan installs fine but dies on first run:

ubuntu@ermine-test:~$ sudo snap install cvescan
cvescan 1.0.3 from Mark Morlino (markmorlino) installed
ubuntu@ermine-test:~$ cvescan -v
Running as a snap, changing to '/home/ubuntu/snap/cvescan/common' directory
Downloaded files, log files and temporary reports will be in '/home/ubuntu/snap/cvescan/common'
Priority filter is 'high'
Downloading https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.eoan.cve.oval.xml.bz2
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  780k  100  780k    0     0   364k      0  0:00:02  0:00:02 --:--:--  364k
Unzipping com.ubuntu.eoan.cve.oval.xml.bz2
Running oval scan oscap oval eval --verbose WARNING --verbose-log-file debug.log --results results.xml com.ubuntu.eoan.cve.oval.xml (output logged to /home/ubuntu/snap/cvescan/common/oval.log)
/snap/cvescan/23/bin/cvescan: line 218: 32089 Killed                  oscap oval eval $VERBOSE_OSCAP_OPTIONS --results "$RESULTS" "$OVAL_FILE" > $LOG 2>&1
Error: Failed to run oval scan

All logfiles are empty. Here's the OOM in dmesg: https://paste.ubuntu.com/p/CtgjqFHf6S/ and here are the kernel boot messages: https://paste.ubuntu.com/p/TKBGkZdjJ2/

cloud-init package listed as fixable, but not yet available in official repositories

CVEScan is reporting CVE-2021-3429 as fixable, but the suggested version (21.1-19-gbad84ad4-0ubuntu1~xx.yy.z) does not seem to be available in the official repositories, i.e. when I run apt-get update && apt-get install cloud-init I get the following:

$ apt-get update && apt-get install cloud-init

Reading package lists... Done
Building dependency tree
Reading state information... Done
cloud-init is already the newest version (20.4.1-0ubuntu1~xx.yy.z).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Launchpad shows the latest package as being in the "proposed" state:
[screenshot attached]

Is it possible that CVEScan's source for package availability is misreporting actual availability?

Error: Failed to run oval scan

I've run

$ ./cvescan -v
Priority filter is 'high'
Running oval scan oscap oval eval --verbose WARNING --verbose-log-file debug.log --results results.xml com.ubuntu.eoan.cve.oval.xml (output logged to oval.log)
Error: Failed to run oval scan

I am running on Ubuntu 19.10 Eoan with oscap 1.2.16.

$ oscap -V
OpenSCAP command line tool (oscap) 1.2.16
Copyright 2009--2017 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.11.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1
CVRF Version: 1.1

==== Capabilities added by auto-loaded plugins ====
SCE Version: 1.0 (from libopenscap_sce.so.8)

See https://pastebin.ubuntu.com/p/tcv3Q2k35F/ for contents of oval.log.

What could be causing this?

links to CVE webpage

Adjust the default behavior to output links to CVE details instead of only the CVE identifier string.
Add a commandline option that turns off this behavior and only outputs the CVE ids.

python version verbiage

The python version uses the words "or higher affect this system" even when scanning a manifest file. The wording should not indicate "this system" when scanning a manifest file.

Incorrect return code

Expecting 0, got 3 (which documentation says means there are outstanding CVEs)

root@master ~ # cvescan --version; cvescan -p all; echo $?
CVEScan, v2.5.0
✅ Ubuntu vulnerability datbase successfully downloaded!
✅ Scan complete!

Summary
------------------------------------  ------
Ubuntu Release                        bionic
Installed Packages                    891
CVE Priority                          All
Unique Packages Fixable by Patching   0
Unique CVEs Fixable by Patching       0
Vulnerabilities Fixable by Patching   0
Fixes Available by `apt-get upgrade`  0
------------------------------------  ------
3
root@master ~ #

Include OVAL files by default for offline use

We have a few use cases where snap store access is open at the firewall, but people.canonical.com is not. It would be cool to ship the files in the snap and default to those if people is not available.

Print out a warning:
Notice: Unable to download most recent OVAL file, using one from $date

Installs on focal but does not run on focal

I installed snap cvescan version 1.0.10 rev 76 on Ubuntu desktop GNOME 20.04, but running it gives "Error: DISTRIB_CODENAME=focal in /etc/lsb-release is not trusty|xenial|bionic|eoan, not running".
