Update trivy from 0.35.0 to 0.49.1 #1806

Merged
merged 81 commits into from
Feb 28, 2024

@shino shino commented Dec 8, 2023

What did you implement:

Update Trivy dependency 0.35.0 -> 0.49.1

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
    • Partially breaks compatibility because a large database file (~ 600MB) will be downloaded when detecting vulns of JAR files
  • This change requires a documentation update

The main change is only updating trivy 0.35.0 to 0.49.1 in go.mod.
Other changes in go.mod and every change in go.sum are not by human beings.
Due to this, type puzzles forced some other code changes.
One internal but (maybe) important change is that trivy introduces a "post analyzer" concept.
It uses temp directories and temp files, so vuls follows the same way and creates them.

The trivy update enables vuls to use additional language scanners:

  • dart/pub
    • pubspec.lock is auto-detected
  • elixir/mix
    • mix.lock is auto-detected
  • rust/binary
    • only enabled by specifying lock file paths EXPLICITLY
  • swift/cocoapods
    • Podfile.lock is auto-detected
  • swift/swift
    • Package.resolved is auto-detected

Trivy's java/jar logic uses Java DB and it is heavy (~ 600MB).
This PR does NOT download it at scan phase but does at detect phase.
So, the following options are added to the vuls report command:

  • -trivy-java-db-repository
  • -trivy-skip-java-db-update

Also includes small bug fixes:

  • changes (almost) white spaces in contrib/future-vuls/README.md

How Has This Been Tested?

By hand.

  • Newly added cases
  • local and ssh

Checklist:

  • Write tests
  • Write documentation
  • Check that there aren't other open pull requests for the same issue/feature
  • Format your source code by make fmt
  • Pass the test by make test
  • Provide verification config / commands
  • Enable "Allow edits from maintainers" for this PR
  • Update the messages below

Reference

@shino shino changed the title [WIP] Update trivy from 0.35.0 to 0.48.0 Update trivy from 0.35.0 to 0.48.0 Dec 12, 2023
@shino shino requested review from MaineK00n and kotakanbe December 12, 2023 06:20
@shino shino force-pushed the shino/trivy-update branch from fe33770 to 996c7b8 Compare December 15, 2023 09:32
@shino shino force-pushed the shino/trivy-update branch 3 times, most recently from 9e4eb64 to 7be4469 Compare February 7, 2024 06:25
@shino shino changed the title Update trivy from 0.35.0 to 0.48.0 Update trivy from 0.35.0 to 0.49.1 Feb 8, 2024
@shino shino force-pushed the shino/trivy-update branch from 90fc42b to 4886ab1 Compare February 13, 2024 03:37
@shino shino marked this pull request as ready for review February 14, 2024 07:46
@shino shino force-pushed the shino/trivy-update branch from fa860e3 to 6633b81 Compare February 14, 2024 07:56
@shino shino requested a review from MaineK00n February 14, 2024 07:57
shino and others added 15 commits February 27, 2024 11:05
@shino shino force-pushed the shino/trivy-update branch from 506c517 to 0e752b0 Compare February 27, 2024 02:06

shino commented Feb 27, 2024

manual test result for jar/war

% ./vuls scan -config ./integration/int-config.toml war
[Feb 27 11:09:27]  INFO [localhost] vuls-v0.24.9-build-20240227_110827_0e752b0
[Feb 27 11:09:27]  INFO [localhost] Start scanning
[Feb 27 11:09:27]  INFO [localhost] config: ./integration/int-config.toml
[Feb 27 11:09:27]  INFO [localhost] Validating config...
[Feb 27 11:09:27]  INFO [localhost] Detecting Server/Container OS...
[Feb 27 11:09:27]  INFO [localhost] Detecting OS of servers...
[Feb 27 11:09:27]  INFO [localhost] (1/1) Detected: war: pseudo
[Feb 27 11:09:27]  INFO [localhost] Detecting OS of containers...
[Feb 27 11:09:27]  INFO [localhost] Checking Scan Modes...
[Feb 27 11:09:27]  INFO [localhost] Detecting Platforms...
[Feb 27 11:09:27]  INFO [localhost] (1/1) war is running on other
[Feb 27 11:09:27]  INFO [war] Scanning listen port...
[Feb 27 11:09:27]  INFO [war] Using Port Scanner: Vuls built-in Scanner
[Feb 27 11:09:27]  INFO [war] Scanning Language-specific Packages...


Scan Summary
================
war     pseudo  0 installed, 0 updatable        79 libs





To view the detail, vuls tui is useful.
To send a report, run vuls report -h.

% ./vuls report -config ./integration/int-config.toml
[Feb 27 11:09:50]  INFO [localhost] vuls-v0.24.9-build-20240227_110827_0e752b0
[Feb 27 11:09:50]  INFO [localhost] Validating config...
[Feb 27 11:09:50]  INFO [localhost] cveDict.type=sqlite3, cveDict.url=, cveDict.SQLite3Path=/data/vulsctl/docker/cve.sqlite3
[Feb 27 11:09:50]  INFO [localhost] ovalDict.type=sqlite3, ovalDict.url=, ovalDict.SQLite3Path=/data/vulsctl/docker/oval.sqlite3
[Feb 27 11:09:50]  INFO [localhost] gost.type=sqlite3, gost.url=, gost.SQLite3Path=/data/vulsctl/docker/gost.sqlite3
[Feb 27 11:09:50]  INFO [localhost] exploit.type=sqlite3, exploit.url=, exploit.SQLite3Path=/data/vulsctl/docker/go-exploitdb.sqlite3
[Feb 27 11:09:50]  INFO [localhost] metasploit.type=sqlite3, metasploit.url=, metasploit.SQLite3Path=/data/vulsctl/docker/go-msfdb.sqlite3
[Feb 27 11:09:50]  INFO [localhost] kevuln.type=sqlite3, kevuln.url=, kevuln.SQLite3Path=/data/vulsctl/docker/go-kev.sqlite3
[Feb 27 11:09:50]  INFO [localhost] cti.type=sqlite3, cti.url=, cti.SQLite3Path=/data/vulsctl/docker/go-cti.sqlite3
[Feb 27 11:09:50]  INFO [localhost] Loaded: /home/shino/g/vuls/results/2024-02-27T11-09-27+0900
[Feb 27 11:09:50]  INFO [localhost] Updating library db...
[Feb 27 11:09:50]  INFO [localhost] war: 30 CVEs are detected with Library
[Feb 27 11:09:50]  INFO [localhost] pseudo type. Skip OVAL and gost detection
[Feb 27 11:09:50]  INFO [localhost] war: 0 CVEs are detected with CPE
[Feb 27 11:09:50]  INFO [localhost] war: 0 PoC are detected
[Feb 27 11:09:50]  INFO [localhost] war: 0 exploits are detected
[Feb 27 11:09:50]  INFO [localhost] war: Known Exploited Vulnerabilities are detected for 0 CVEs
[Feb 27 11:09:50]  INFO [localhost] war: Cyber Threat Intelligences are detected for 0 CVEs
[Feb 27 11:09:50]  INFO [localhost] war: total 30 CVEs detected
[Feb 27 11:09:50]  INFO [localhost] war: 0 CVEs filtered by --confidence-over=80
war (pseudo)
============
Total: 30 (Critical:7 High:15 Medium:8 Low:0 ?:0)
30/30 Fixed, 7 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 79 libs

+------------------+------+--------+-----+-----------+---------+---------------------------------------+
|      CVE-ID      | CVSS | ATTACK | POC |   ALERT   |  FIXED  |               PACKAGES                |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2016-1000027 | 10.0 |  AV:N  | POC |           |   fixed | org.springframework:spring-web        |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2018-1270    | 10.0 |  AV:N  |     |           |   fixed | org.springframework:spring-core       |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2018-1275    | 10.0 |  AV:N  |     |           |   fixed | org.springframework:spring-core       |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2019-17571   | 10.0 |  AV:N  |     |           |   fixed | log4j:log4j                           |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2020-10683   | 10.0 |  AV:N  |     |           |   fixed | dom4j:dom4j                           |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2022-22965   | 10.0 |  AV:N  | POC |           |   fixed | org.springframework:spring-beans      |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2022-23305   | 10.0 |  AV:N  |     |           |   fixed | log4j:log4j                           |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2016-5007    |  8.9 |  AV:N  |     |           |   fixed | org.springframework:spring-core       |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2018-1000632 |  8.9 |  AV:N  | POC |           |   fixed | dom4j:dom4j                           |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2018-1272    |  8.9 |  AV:N  |     |           |   fixed | org.springframework:spring-core       |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2018-15756   |  8.9 |  AV:N  |     |           |   fixed | org.springframework:spring-core       |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2020-25638   |  8.9 |  AV:N  |     |           |   fixed | org.hibernate:hibernate-core          |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2021-4104    |  8.9 |  AV:N  |     |           |   fixed | log4j:log4j                           |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2022-23302   |  8.9 |  AV:N  |     |           |   fixed | log4j:log4j                           |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2022-23307   |  8.9 |  AV:N  |     |           |   fixed | log4j:log4j                           |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2022-40149   |  8.9 |  AV:N  |     |           |   fixed | org.codehaus.jettison:jettison        |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2022-40150   |  8.9 |  AV:N  |     |           |   fixed | org.codehaus.jettison:jettison        |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2022-45685   |  8.9 |  AV:N  | POC |           |   fixed | org.codehaus.jettison:jettison        |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2022-45688   |  8.9 |  AV:N  | POC |           |   fixed | org.json:json                         |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2022-45693   |  8.9 |  AV:N  | POC |           |   fixed | org.codehaus.jettison:jettison        |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2023-1436    |  8.9 |  AV:N  | POC |           |   fixed | org.codehaus.jettison:jettison        |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2023-5072    |  8.9 |        |     |           |   fixed | org.json:json                         |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2018-1257    |  6.9 |  AV:N  |     |           |   fixed | org.springframework:spring-core       |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2018-1271    |  6.9 |  AV:N  |     |           |   fixed | org.springframework:spring-core       |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2020-13956   |  6.9 |  AV:N  |     |           |   fixed | org.apache.httpcomponents:httpclient  |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2022-22950   |  6.9 |  AV:N  |     |           |   fixed | org.springframework:spring-expression |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2022-22968   |  6.9 |  AV:N  |     |           |   fixed | org.springframework:spring-context    |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2022-22970   |  6.9 |  AV:N  |     |           |   fixed | org.springframework:spring-beans      |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2023-20861   |  6.9 |  AV:N  |     |           |   fixed | org.springframework:spring-expression |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+
| CVE-2023-20863   |  6.9 |  AV:N  |     |           |   fixed | org.springframework:spring-expression |
+------------------+------+--------+-----+-----------+---------+---------------------------------------+


shino commented Feb 27, 2024

manual test result for dart/pub

% ./vuls scan -config ./integration/int-config.toml dart
[Feb 27 11:11:15]  INFO [localhost] vuls-v0.24.9-build-20240227_110827_0e752b0
[Feb 27 11:11:15]  INFO [localhost] Start scanning
[Feb 27 11:11:15]  INFO [localhost] config: ./integration/int-config.toml
[Feb 27 11:11:15]  INFO [localhost] Validating config...
[Feb 27 11:11:15]  INFO [localhost] Detecting Server/Container OS...
[Feb 27 11:11:15]  INFO [localhost] Detecting OS of servers...
[Feb 27 11:11:15]  INFO [localhost] (1/1) Detected: dart: pseudo
[Feb 27 11:11:15]  INFO [localhost] Detecting OS of containers...
[Feb 27 11:11:15]  INFO [localhost] Checking Scan Modes...
[Feb 27 11:11:15]  INFO [localhost] Detecting Platforms...
[Feb 27 11:11:15]  INFO [localhost] (1/1) dart is running on other
[Feb 27 11:11:15]  INFO [dart] Scanning listen port...
[Feb 27 11:11:15]  INFO [dart] Using Port Scanner: Vuls built-in Scanner
[Feb 27 11:11:15]  INFO [dart] Scanning Language-specific Packages...


Scan Summary
================
dart    pseudo  0 installed, 0 updatable        50 libs





To view the detail, vuls tui is useful.
To send a report, run vuls report -h.
% ./vuls report -config ./integration/int-config.toml
[Feb 27 11:11:18]  INFO [localhost] vuls-v0.24.9-build-20240227_110827_0e752b0
[Feb 27 11:11:18]  INFO [localhost] Validating config...
[Feb 27 11:11:18]  INFO [localhost] cveDict.type=sqlite3, cveDict.url=, cveDict.SQLite3Path=/data/vulsctl/docker/cve.sqlite3
[Feb 27 11:11:18]  INFO [localhost] ovalDict.type=sqlite3, ovalDict.url=, ovalDict.SQLite3Path=/data/vulsctl/docker/oval.sqlite3
[Feb 27 11:11:18]  INFO [localhost] gost.type=sqlite3, gost.url=, gost.SQLite3Path=/data/vulsctl/docker/gost.sqlite3
[Feb 27 11:11:18]  INFO [localhost] exploit.type=sqlite3, exploit.url=, exploit.SQLite3Path=/data/vulsctl/docker/go-exploitdb.sqlite3
[Feb 27 11:11:18]  INFO [localhost] metasploit.type=sqlite3, metasploit.url=, metasploit.SQLite3Path=/data/vulsctl/docker/go-msfdb.sqlite3
[Feb 27 11:11:18]  INFO [localhost] kevuln.type=sqlite3, kevuln.url=, kevuln.SQLite3Path=/data/vulsctl/docker/go-kev.sqlite3
[Feb 27 11:11:18]  INFO [localhost] cti.type=sqlite3, cti.url=, cti.SQLite3Path=/data/vulsctl/docker/go-cti.sqlite3
[Feb 27 11:11:18]  INFO [localhost] Loaded: /home/shino/g/vuls/results/2024-02-27T11-11-15+0900
[Feb 27 11:11:18]  INFO [localhost] Updating library db...
[Feb 27 11:11:18]  INFO [localhost] dart: 3 CVEs are detected with Library
[Feb 27 11:11:18]  INFO [localhost] pseudo type. Skip OVAL and gost detection
[Feb 27 11:11:18]  INFO [localhost] dart: 0 CVEs are detected with CPE
[Feb 27 11:11:18]  INFO [localhost] dart: 0 PoC are detected
[Feb 27 11:11:18]  INFO [localhost] dart: 0 exploits are detected
[Feb 27 11:11:18]  INFO [localhost] dart: Known Exploited Vulnerabilities are detected for 0 CVEs
[Feb 27 11:11:18]  INFO [localhost] dart: Cyber Threat Intelligences are detected for 0 CVEs
[Feb 27 11:11:18]  INFO [localhost] dart: total 3 CVEs detected
[Feb 27 11:11:18]  INFO [localhost] dart: 0 CVEs filtered by --confidence-over=80
dart (pseudo)
=============
Total: 3 (Critical:0 High:2 Medium:1 Low:0 ?:0)
3/3 Fixed, 3 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 50 libs

+----------------+------+--------+-----+-----------+---------+----------+
|     CVE-ID     | CVSS | ATTACK | POC |   ALERT   |  FIXED  | PACKAGES |
+----------------+------+--------+-----+-----------+---------+----------+
| CVE-2023-39137 |  8.9 |  AV:L  | POC |           |   fixed | archive  |
+----------------+------+--------+-----+-----------+---------+----------+
| CVE-2023-39139 |  8.9 |  AV:L  | POC |           |   fixed | archive  |
+----------------+------+--------+-----+-----------+---------+----------+
| CVE-2020-35669 |  6.9 |  AV:N  | POC |           |   fixed | http     |
+----------------+------+--------+-----+-----------+---------+----------+


shino commented Feb 27, 2024

manual test result for elixir/mix

% ./vuls scan -config ./integration/int-config.toml elixir
[Feb 27 11:12:08]  INFO [localhost] vuls-v0.24.9-build-20240227_110827_0e752b0
[Feb 27 11:12:08]  INFO [localhost] Start scanning
[Feb 27 11:12:08]  INFO [localhost] config: ./integration/int-config.toml
[Feb 27 11:12:08]  INFO [localhost] Validating config...
[Feb 27 11:12:08]  INFO [localhost] Detecting Server/Container OS...
[Feb 27 11:12:08]  INFO [localhost] Detecting OS of servers...
[Feb 27 11:12:08]  INFO [localhost] (1/1) Detected: elixir: pseudo
[Feb 27 11:12:08]  INFO [localhost] Detecting OS of containers...
[Feb 27 11:12:08]  INFO [localhost] Checking Scan Modes...
[Feb 27 11:12:08]  INFO [localhost] Detecting Platforms...
[Feb 27 11:12:08]  INFO [localhost] (1/1) elixir is running on other
[Feb 27 11:12:08]  INFO [elixir] Scanning listen port...
[Feb 27 11:12:08]  INFO [elixir] Using Port Scanner: Vuls built-in Scanner
[Feb 27 11:12:08]  INFO [elixir] Scanning Language-specific Packages...


Scan Summary
================
elixir  pseudo  0 installed, 0 updatable        4 libs





To view the detail, vuls tui is useful.
To send a report, run vuls report -h.
% ./vuls report -config ./integration/int-config.toml
[Feb 27 11:12:12]  INFO [localhost] vuls-v0.24.9-build-20240227_110827_0e752b0
[Feb 27 11:12:12]  INFO [localhost] Validating config...
[Feb 27 11:12:12]  INFO [localhost] cveDict.type=sqlite3, cveDict.url=, cveDict.SQLite3Path=/data/vulsctl/docker/cve.sqlite3
[Feb 27 11:12:12]  INFO [localhost] ovalDict.type=sqlite3, ovalDict.url=, ovalDict.SQLite3Path=/data/vulsctl/docker/oval.sqlite3
[Feb 27 11:12:12]  INFO [localhost] gost.type=sqlite3, gost.url=, gost.SQLite3Path=/data/vulsctl/docker/gost.sqlite3
[Feb 27 11:12:12]  INFO [localhost] exploit.type=sqlite3, exploit.url=, exploit.SQLite3Path=/data/vulsctl/docker/go-exploitdb.sqlite3
[Feb 27 11:12:12]  INFO [localhost] metasploit.type=sqlite3, metasploit.url=, metasploit.SQLite3Path=/data/vulsctl/docker/go-msfdb.sqlite3
[Feb 27 11:12:12]  INFO [localhost] kevuln.type=sqlite3, kevuln.url=, kevuln.SQLite3Path=/data/vulsctl/docker/go-kev.sqlite3
[Feb 27 11:12:12]  INFO [localhost] cti.type=sqlite3, cti.url=, cti.SQLite3Path=/data/vulsctl/docker/go-cti.sqlite3
[Feb 27 11:12:12]  INFO [localhost] Loaded: /home/shino/g/vuls/results/2024-02-27T11-12-08+0900
[Feb 27 11:12:12]  INFO [localhost] Updating library db...
[Feb 27 11:12:12]  INFO [localhost] elixir: 1 CVEs are detected with Library
[Feb 27 11:12:12]  INFO [localhost] pseudo type. Skip OVAL and gost detection
[Feb 27 11:12:12]  INFO [localhost] elixir: 0 CVEs are detected with CPE
[Feb 27 11:12:12]  INFO [localhost] elixir: 0 PoC are detected
[Feb 27 11:12:12]  INFO [localhost] elixir: 0 exploits are detected
[Feb 27 11:12:12]  INFO [localhost] elixir: Known Exploited Vulnerabilities are detected for 0 CVEs
[Feb 27 11:12:12]  INFO [localhost] elixir: Cyber Threat Intelligences are detected for 0 CVEs
[Feb 27 11:12:12]  INFO [localhost] elixir: total 1 CVEs detected
[Feb 27 11:12:12]  INFO [localhost] elixir: 0 CVEs filtered by --confidence-over=80
elixir (pseudo)
===============
Total: 1 (Critical:1 High:0 Medium:0 Low:0 ?:0)
1/1 Fixed, 0 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 4 libs

+----------------+------+--------+-----+-----------+---------+-----------+
|     CVE-ID     | CVSS | ATTACK | POC |   ALERT   |  FIXED  | PACKAGES  |
+----------------+------+--------+-----+-----------+---------+-----------+
| CVE-2020-15150 | 10.0 |  AV:N  |     |           |   fixed | paginator |
+----------------+------+--------+-----+-----------+---------+-----------+


shino commented Feb 27, 2024

manual test result for rust/binary

% ./vuls scan -config ./integration/int-config.toml rust-binary
[Feb 27 11:12:52]  INFO [localhost] vuls-v0.24.9-build-20240227_110827_0e752b0
[Feb 27 11:12:52]  INFO [localhost] Start scanning
[Feb 27 11:12:52]  INFO [localhost] config: ./integration/int-config.toml
[Feb 27 11:12:52]  INFO [localhost] Validating config...
[Feb 27 11:12:52]  INFO [localhost] Detecting Server/Container OS...
[Feb 27 11:12:52]  INFO [localhost] Detecting OS of servers...
[Feb 27 11:12:52]  INFO [localhost] (1/1) Detected: rust-binary: pseudo
[Feb 27 11:12:52]  INFO [localhost] Detecting OS of containers...
[Feb 27 11:12:52]  INFO [localhost] Checking Scan Modes...
[Feb 27 11:12:52]  INFO [localhost] Detecting Platforms...
[Feb 27 11:12:52]  INFO [localhost] (1/1) rust-binary is running on other
[Feb 27 11:12:52]  INFO [rust-binary] Scanning listen port...
[Feb 27 11:12:52]  INFO [rust-binary] Using Port Scanner: Vuls built-in Scanner
[Feb 27 11:12:52]  INFO [rust-binary] Scanning Language-specific Packages...


Scan Summary
================
rust-binary     pseudo  0 installed, 0 updatable        6 libs





To view the detail, vuls tui is useful.
To send a report, run vuls report -h.
% ./vuls report -config ./integration/int-config.toml
[Feb 27 11:13:01]  INFO [localhost] vuls-v0.24.9-build-20240227_110827_0e752b0
[Feb 27 11:13:01]  INFO [localhost] Validating config...
[Feb 27 11:13:01]  INFO [localhost] cveDict.type=sqlite3, cveDict.url=, cveDict.SQLite3Path=/data/vulsctl/docker/cve.sqlite3
[Feb 27 11:13:01]  INFO [localhost] ovalDict.type=sqlite3, ovalDict.url=, ovalDict.SQLite3Path=/data/vulsctl/docker/oval.sqlite3
[Feb 27 11:13:01]  INFO [localhost] gost.type=sqlite3, gost.url=, gost.SQLite3Path=/data/vulsctl/docker/gost.sqlite3
[Feb 27 11:13:01]  INFO [localhost] exploit.type=sqlite3, exploit.url=, exploit.SQLite3Path=/data/vulsctl/docker/go-exploitdb.sqlite3
[Feb 27 11:13:01]  INFO [localhost] metasploit.type=sqlite3, metasploit.url=, metasploit.SQLite3Path=/data/vulsctl/docker/go-msfdb.sqlite3
[Feb 27 11:13:01]  INFO [localhost] kevuln.type=sqlite3, kevuln.url=, kevuln.SQLite3Path=/data/vulsctl/docker/go-kev.sqlite3
[Feb 27 11:13:01]  INFO [localhost] cti.type=sqlite3, cti.url=, cti.SQLite3Path=/data/vulsctl/docker/go-cti.sqlite3
[Feb 27 11:13:01]  INFO [localhost] Loaded: /home/shino/g/vuls/results/2024-02-27T11-12-52+0900
[Feb 27 11:13:01]  INFO [localhost] Updating library db...
[Feb 27 11:13:01]  INFO [localhost] rust-binary: 4 CVEs are detected with Library
[Feb 27 11:13:01]  INFO [localhost] pseudo type. Skip OVAL and gost detection
[Feb 27 11:13:01]  INFO [localhost] rust-binary: 0 CVEs are detected with CPE
[Feb 27 11:13:01]  INFO [localhost] rust-binary: 0 PoC are detected
[Feb 27 11:13:01]  INFO [localhost] rust-binary: 0 exploits are detected
[Feb 27 11:13:01]  INFO [localhost] rust-binary: Known Exploited Vulnerabilities are detected for 0 CVEs
[Feb 27 11:13:01]  INFO [localhost] rust-binary: Cyber Threat Intelligences are detected for 0 CVEs
[Feb 27 11:13:01]  INFO [localhost] rust-binary: total 4 CVEs detected
[Feb 27 11:13:01]  INFO [localhost] rust-binary: 0 CVEs filtered by --confidence-over=80
rust-binary (pseudo)
====================
Total: 4 (Critical:1 High:1 Medium:1 Low:1 ?:0)
4/4 Fixed, 1 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 6 libs

+---------------------+------+--------+-----+-----------+---------+-------------+
|       CVE-ID        | CVSS | ATTACK | POC |   ALERT   |  FIXED  |  PACKAGES   |
+---------------------+------+--------+-----+-----------+---------+-------------+
| CVE-2018-20991      | 10.0 |  AV:N  |     |           |   fixed | smallvec    |
+---------------------+------+--------+-----+-----------+---------+-------------+
| CVE-2018-25023      |  8.9 |  AV:N  | POC |           |   fixed | smallvec    |
+---------------------+------+--------+-----+-----------+---------+-------------+
| GHSA-66p5-j55p-32r9 |  6.9 |        |     |           |   fixed | smallvec    |
+---------------------+------+--------+-----+-----------+---------+-------------+
| GHSA-v363-rrf2-5fmj |  3.9 |        |     |           |   fixed | ferris-says |
+---------------------+------+--------+-----+-----------+---------+-------------+


shino commented Feb 27, 2024

manual test result for swift/cocoapods

% ./vuls scan -config ./integration/int-config.toml swift-cocoapods
[Feb 27 11:14:15]  INFO [localhost] vuls-v0.24.9-build-20240227_110827_0e752b0
[Feb 27 11:14:15]  INFO [localhost] Start scanning
[Feb 27 11:14:15]  INFO [localhost] config: ./integration/int-config.toml
[Feb 27 11:14:15]  INFO [localhost] Validating config...
[Feb 27 11:14:15]  INFO [localhost] Detecting Server/Container OS...
[Feb 27 11:14:15]  INFO [localhost] Detecting OS of servers...
[Feb 27 11:14:15]  INFO [localhost] (1/1) Detected: swift-cocoapods: pseudo
[Feb 27 11:14:15]  INFO [localhost] Detecting OS of containers...
[Feb 27 11:14:15]  INFO [localhost] Checking Scan Modes...
[Feb 27 11:14:15]  INFO [localhost] Detecting Platforms...
[Feb 27 11:14:15]  INFO [localhost] (1/1) swift-cocoapods is running on other
[Feb 27 11:14:15]  INFO [swift-cocoapods] Scanning listen port...
[Feb 27 11:14:15]  INFO [swift-cocoapods] Using Port Scanner: Vuls built-in Scanner
[Feb 27 11:14:15]  INFO [swift-cocoapods] Scanning Language-specific Packages...


Scan Summary
================
swift-cocoapods pseudo  0 installed, 0 updatable        6 libs





To view the detail, vuls tui is useful.
To send a report, run vuls report -h.
% ./vuls report -config ./integration/int-config.toml
[Feb 27 11:14:18]  INFO [localhost] vuls-v0.24.9-build-20240227_110827_0e752b0
[Feb 27 11:14:18]  INFO [localhost] Validating config...
[Feb 27 11:14:18]  INFO [localhost] cveDict.type=sqlite3, cveDict.url=, cveDict.SQLite3Path=/data/vulsctl/docker/cve.sqlite3
[Feb 27 11:14:18]  INFO [localhost] ovalDict.type=sqlite3, ovalDict.url=, ovalDict.SQLite3Path=/data/vulsctl/docker/oval.sqlite3
[Feb 27 11:14:18]  INFO [localhost] gost.type=sqlite3, gost.url=, gost.SQLite3Path=/data/vulsctl/docker/gost.sqlite3
[Feb 27 11:14:18]  INFO [localhost] exploit.type=sqlite3, exploit.url=, exploit.SQLite3Path=/data/vulsctl/docker/go-exploitdb.sqlite3
[Feb 27 11:14:18]  INFO [localhost] metasploit.type=sqlite3, metasploit.url=, metasploit.SQLite3Path=/data/vulsctl/docker/go-msfdb.sqlite3
[Feb 27 11:14:18]  INFO [localhost] kevuln.type=sqlite3, kevuln.url=, kevuln.SQLite3Path=/data/vulsctl/docker/go-kev.sqlite3
[Feb 27 11:14:18]  INFO [localhost] cti.type=sqlite3, cti.url=, cti.SQLite3Path=/data/vulsctl/docker/go-cti.sqlite3
[Feb 27 11:14:18]  INFO [localhost] Loaded: /home/shino/g/vuls/results/2024-02-27T11-14-15+0900
[Feb 27 11:14:18]  INFO [localhost] Updating library db...
[Feb 27 11:14:18]  INFO [localhost] swift-cocoapods: 1 CVEs are detected with Library
[Feb 27 11:14:18]  INFO [localhost] pseudo type. Skip OVAL and gost detection
[Feb 27 11:14:18]  INFO [localhost] swift-cocoapods: 0 CVEs are detected with CPE
[Feb 27 11:14:18]  INFO [localhost] swift-cocoapods: 0 PoC are detected
[Feb 27 11:14:18]  INFO [localhost] swift-cocoapods: 0 exploits are detected
[Feb 27 11:14:18]  INFO [localhost] swift-cocoapods: Known Exploited Vulnerabilities are detected for 0 CVEs
[Feb 27 11:14:18]  INFO [localhost] swift-cocoapods: Cyber Threat Intelligences are detected for 0 CVEs
[Feb 27 11:14:18]  INFO [localhost] swift-cocoapods: total 1 CVEs detected
[Feb 27 11:14:18]  INFO [localhost] swift-cocoapods: 0 CVEs filtered by --confidence-over=80
swift-cocoapods (pseudo)
========================
Total: 1 (Critical:0 High:1 Medium:0 Low:0 ?:0)
1/1 Fixed, 0 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 6 libs

+---------------+------+--------+-----+-----------+---------+----------+
|    CVE-ID     | CVSS | ATTACK | POC |   ALERT   |  FIXED  | PACKAGES |
+---------------+------+--------+-----+-----------+---------+----------+
| CVE-2022-3215 |  8.9 |  AV:N  |     |           |   fixed | SwiftNIO |
+---------------+------+--------+-----+-----------+---------+----------+


shino commented Feb 27, 2024

manual test result for swift/swift

% ./vuls scan -config ./integration/int-config.toml swift-swift
[Feb 27 11:14:59]  INFO [localhost] vuls-v0.24.9-build-20240227_110827_0e752b0
[Feb 27 11:14:59]  INFO [localhost] Start scanning
[Feb 27 11:14:59]  INFO [localhost] config: ./integration/int-config.toml
[Feb 27 11:14:59]  INFO [localhost] Validating config...
[Feb 27 11:14:59]  INFO [localhost] Detecting Server/Container OS...
[Feb 27 11:14:59]  INFO [localhost] Detecting OS of servers...
[Feb 27 11:14:59]  INFO [localhost] (1/1) Detected: swift-swift: pseudo
[Feb 27 11:14:59]  INFO [localhost] Detecting OS of containers...
[Feb 27 11:14:59]  INFO [localhost] Checking Scan Modes...
[Feb 27 11:14:59]  INFO [localhost] Detecting Platforms...
[Feb 27 11:14:59]  INFO [localhost] (1/1) swift-swift is running on other
[Feb 27 11:14:59]  INFO [swift-swift] Scanning listen port...
[Feb 27 11:14:59]  INFO [swift-swift] Using Port Scanner: Vuls built-in Scanner
[Feb 27 11:14:59]  INFO [swift-swift] Scanning Language-specific Packages...


Scan Summary
================
swift-swift     pseudo  0 installed, 0 updatable        4 libs





To view the detail, vuls tui is useful.
To send a report, run vuls report -h.
% ./vuls report -config ./integration/int-config.toml
[Feb 27 11:15:01]  INFO [localhost] vuls-v0.24.9-build-20240227_110827_0e752b0
[Feb 27 11:15:01]  INFO [localhost] Validating config...
[Feb 27 11:15:01]  INFO [localhost] cveDict.type=sqlite3, cveDict.url=, cveDict.SQLite3Path=/data/vulsctl/docker/cve.sqlite3
[Feb 27 11:15:01]  INFO [localhost] ovalDict.type=sqlite3, ovalDict.url=, ovalDict.SQLite3Path=/data/vulsctl/docker/oval.sqlite3
[Feb 27 11:15:01]  INFO [localhost] gost.type=sqlite3, gost.url=, gost.SQLite3Path=/data/vulsctl/docker/gost.sqlite3
[Feb 27 11:15:01]  INFO [localhost] exploit.type=sqlite3, exploit.url=, exploit.SQLite3Path=/data/vulsctl/docker/go-exploitdb.sqlite3
[Feb 27 11:15:01]  INFO [localhost] metasploit.type=sqlite3, metasploit.url=, metasploit.SQLite3Path=/data/vulsctl/docker/go-msfdb.sqlite3
[Feb 27 11:15:01]  INFO [localhost] kevuln.type=sqlite3, kevuln.url=, kevuln.SQLite3Path=/data/vulsctl/docker/go-kev.sqlite3
[Feb 27 11:15:01]  INFO [localhost] cti.type=sqlite3, cti.url=, cti.SQLite3Path=/data/vulsctl/docker/go-cti.sqlite3
[Feb 27 11:15:01]  INFO [localhost] Loaded: /home/shino/g/vuls/results/2024-02-27T11-14-59+0900
[Feb 27 11:15:01]  INFO [localhost] Updating library db...
[Feb 27 11:15:01]  INFO [localhost] swift-swift: 1 CVEs are detected with Library
[Feb 27 11:15:01]  INFO [localhost] pseudo type. Skip OVAL and gost detection
[Feb 27 11:15:01]  INFO [localhost] swift-swift: 0 CVEs are detected with CPE
[Feb 27 11:15:01]  INFO [localhost] swift-swift: 0 PoC are detected
[Feb 27 11:15:01]  INFO [localhost] swift-swift: 0 exploits are detected
[Feb 27 11:15:01]  INFO [localhost] swift-swift: Known Exploited Vulnerabilities are detected for 0 CVEs
[Feb 27 11:15:01]  INFO [localhost] swift-swift: Cyber Threat Intelligences are detected for 0 CVEs
[Feb 27 11:15:01]  INFO [localhost] swift-swift: total 1 CVEs detected
[Feb 27 11:15:01]  INFO [localhost] swift-swift: 0 CVEs filtered by --confidence-over=80
swift-swift (pseudo)
====================
Total: 1 (Critical:0 High:1 Medium:0 Low:0 ?:0)
1/1 Fixed, 0 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 4 libs

+---------------+------+--------+-----+-----------+---------+----------------------------+
|    CVE-ID     | CVSS | ATTACK | POC |   ALERT   |  FIXED  |          PACKAGES          |
+---------------+------+--------+-----+-----------+---------+----------------------------+
| CVE-2022-3215 |  8.9 |  AV:N  |     |           |   fixed | github.com/apple/swift-nio |
+---------------+------+--------+-----+-----------+---------+----------------------------+


shino commented Feb 27, 2024

Above manual tests are done with integration at the commit vulsio/integration@b91ccaa
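
The manual checks above compare each report's `Total:` line with its table by eye; the following added example (not part of the pull request or of the vuls code base) does that comparison in Go and ranks packages by their highest CVSS score. The names `Finding`, `Report`, `ParseReport` and `PackagesByRisk` are hypothetical, and the input is the rust/binary report text quoted in this thread.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// sampleReport is the rust/binary report output quoted earlier in this thread.
const sampleReport = `rust-binary (pseudo)
====================
Total: 4 (Critical:1 High:1 Medium:1 Low:1 ?:0)
4/4 Fixed, 1 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 6 libs

+---------------------+------+--------+-----+-----------+---------+-------------+
|       CVE-ID        | CVSS | ATTACK | POC |   ALERT   |  FIXED  |  PACKAGES   |
+---------------------+------+--------+-----+-----------+---------+-------------+
| CVE-2018-20991      | 10.0 |  AV:N  |     |           |   fixed | smallvec    |
+---------------------+------+--------+-----+-----------+---------+-------------+
| CVE-2018-25023      |  8.9 |  AV:N  | POC |           |   fixed | smallvec    |
+---------------------+------+--------+-----+-----------+---------+-------------+
| GHSA-66p5-j55p-32r9 |  6.9 |        |     |           |   fixed | smallvec    |
+---------------------+------+--------+-----+-----------+---------+-------------+
| GHSA-v363-rrf2-5fmj |  3.9 |        |     |           |   fixed | ferris-says |
+---------------------+------+--------+-----+-----------+---------+-------------+
`

// Finding is one table row (hypothetical type, not a vuls model).
type Finding struct {
	ID      string
	CVSS    float64
	Package string
}

// Report holds the advertised total and the rows actually present.
type Report struct {
	Total    int
	Findings []Finding
}

var totalRe = regexp.MustCompile(`^Total:\s+(\d+)\s+\(`)

// ParseReport reads the text form of a vuls report and fails when the
// "Total:" line and the number of table rows disagree, which would point
// to truncated output or a detection regression.
func ParseReport(text string) (Report, error) {
	r := Report{Total: -1}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if m := totalRe.FindStringSubmatch(line); m != nil {
			r.Total, _ = strconv.Atoi(m[1]) // regexp guarantees digits
			continue
		}
		if !strings.HasPrefix(line, "|") {
			continue // log lines, borders, summary text
		}
		cells := strings.Split(strings.Trim(line, "|"), "|")
		if len(cells) != 7 {
			continue // not the seven-column findings table
		}
		for i := range cells {
			cells[i] = strings.TrimSpace(cells[i])
		}
		if cells[0] == "CVE-ID" {
			continue // header row
		}
		score, err := strconv.ParseFloat(cells[1], 64)
		if err != nil {
			return r, fmt.Errorf("row %s: bad CVSS %q", cells[0], cells[1])
		}
		r.Findings = append(r.Findings, Finding{cells[0], score, cells[6]})
	}
	if r.Total < 0 {
		return r, errors.New("no Total: line found")
	}
	if r.Total != len(r.Findings) {
		return r, fmt.Errorf("Total says %d, table has %d rows", r.Total, len(r.Findings))
	}
	return r, nil
}

// PackagesByRisk returns package names ordered by highest CVSS, then name.
func PackagesByRisk(r Report) []string {
	max := map[string]float64{}
	for _, f := range r.Findings {
		if f.CVSS > max[f.Package] {
			max[f.Package] = f.CVSS
		}
	}
	names := make([]string, 0, len(max))
	for n := range max {
		names = append(names, n)
	}
	sort.Slice(names, func(i, j int) bool {
		if max[names[i]] != max[names[j]] {
			return max[names[i]] > max[names[j]]
		}
		return names[i] < names[j]
	})
	return names
}

func main() {
	r, err := ParseReport(sampleReport)
	fmt.Println(len(r.Findings), PackagesByRisk(r), err)
}
```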

@shino shino requested a review from MaineK00n February 27, 2024 02:39

@MaineK00n MaineK00n left a comment

LGTM🎉

@shino shino merged commit 351cf4f into master Feb 28, 2024
3 of 4 checks passed
@shino shino deleted the shino/trivy-update branch February 28, 2024 05:25
@shino shino self-assigned this Dec 2, 2024