
Comments (4)

mssalvatore commented on June 4, 2024

The way manifest files are generated right now really doesn't provide CVEScan with enough information. If you run dpkg-query --list, you'll probably see a line that looks something like:

rc  libssl1.0.0           1.0.2n-1ubuntu5.4

Whereas if you run dpkg-query -W to generate the manifest, you'll see

libssl1.0.0           1.0.2n-1ubuntu5.4

In the output from dpkg-query --list, the first two characters, "rc", indicate that the package has been removed, but the config files have been left in place. The manifest file doesn't contain this information, so it can't filter out these scan results. In contrast, when you run CVEScan directly on a machine, it can use the dpkg-query --list output and provide more accurate results.

See #61, #56, and #53 for more information.

from sec-cvescan.

D4V3M0NK commented on June 4, 2024

@mssalvatore Thanks for your input Mike - I take it then we have two options to obtain an accurate representation of vulnerability:

  1. Run cvescan without the manifest switch
  2. Run cvescan -m manifest.txt, with a manifest switch but generate the manifest file using (lsb_release -c && dpkg-query -f '${db:Status-Abbrev},${binary:Package},${Version},${source:Package},${Source:Version}\n' -W) | tee manifest.txt as per #53?
    1. Loving this approach as it'll work in docker containers too, from what I read
    2. Noting that at the moment, using v2.5.0, generating the manifest file in this manner generates an error in manifest_parser.py

Am I reading this all correctly?


techalchemy commented on June 4, 2024

@D4V3M0NK thanks for the report and for your patience with this issue. It likely won't be until some time in the new year that we release v3.0 of CVEScan and therefore a proper fix for this issue.

In the interim, can you try the following and see if it generates manifests which exclude packages which are not installed? It may be an adequate temporary solution:

grep -v -f <(dpkg --get-selections | awk '$2 ~ /deinstall/ {print $1}') <(dpkg-query -W) > manifest.txt

This essentially captures a list of previously installed packages which are now set to deinstall and searches for lines in dpkg-query -W which do not match the given uninstalled packages. We have done very limited testing with it but small samples seemed okay so far. Let us know if you are able to test this and whether you have any success. Thanks again for reporting!

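As an added example (not code from sec-cvescan or from the commenters above): a parser for the status-bearing manifest format from #53 that keeps only packages whose dpkg status abbreviation is "ii", so the filter works on the status field itself rather than on package-name patterns, where a removed package's name could also match an installed package that contains it as a substring. The sample manifest, the Package tuple and the function names are constructed for this example.

```python
from typing import List, NamedTuple, Optional, Tuple


class Package(NamedTuple):
    status: str          # two-char dpkg status, e.g. "ii"
    name: str            # binary package, possibly with ":arch"
    version: str
    source: str
    source_version: str


# Constructed sample in the format produced by the command quoted in the thread:
#   (lsb_release -c && dpkg-query -f '${db:Status-Abbrev},${binary:Package},${Version},${source:Package},${Source:Version}\n' -W)
# ${db:Status-Abbrev} is three characters: desired state, current state, error flag.
SAMPLE_MANIFEST = """\
Codename:\tbionic
ii ,libssl1.1:amd64,1.1.1-1ubuntu2.1~18.04.6,openssl,1.1.1-1ubuntu2.1~18.04.6
rc ,libssl1.0.0:amd64,1.0.2n-1ubuntu5.4,openssl1.0,1.0.2n-1ubuntu5.4
iF ,libbroken,1.0-1,libbroken,1.0-1
ii ,openssl,1.1.1-1ubuntu2.1~18.04.6,openssl,1.1.1-1ubuntu2.1~18.04.6
"""


def parse_status_manifest(text: str) -> Tuple[Optional[str], List[Package]]:
    """Return (codename, installed packages) from a status-bearing manifest.

    Only entries whose status is "ii" (desired=install, current=installed) with a
    blank error flag are kept. "rc" entries (removed, config files remain), which
    plain `dpkg-query -W` would still list, and half-configured or otherwise
    broken entries are dropped rather than scanned.
    """
    codename = None
    packages: List[Package] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("Codename:"):          # the lsb_release -c header line
            codename = line.split(":", 1)[1].strip()
            continue
        fields = line.split(",")
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 comma-separated fields, got {len(fields)}")
        status = fields[0].ljust(3)               # tolerate a stripped trailing space
        if status[:2] != "ii" or status[2] != " ":
            continue
        packages.append(Package(status[:2], *fields[1:]))
    return codename, packages


def installed_names(text: str) -> List[str]:
    """Convenience wrapper: names of the packages that survive the status filter."""
    return [p.name for p in parse_status_manifest(text)[1]]
```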

D4V3M0NK commented on June 4, 2024

@techalchemy no issues at all. The way I see it, you fine chaps are doing all the hard work that we get to benefit from, so it makes a change to be able to (in some minute way) assist in whatever way we can.

At the moment I'm not finding a system that I can test the same as what I had on, but I'll spin one up in the next few days and see if I can replicate the initial issue with those dastardly rc entries; then I'll be able to test your solution.

