Add VDT does not report updated vulnerable packages as Solved IT #4359

Closed
wants to merge 15 commits into from
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -28,6 +28,7 @@ Release report: TBD

### Added

- Add test VDT does not generate alert when updated package is still vulnerable to CVE ([#4359](https://github.com/wazuh/wazuh-qa/pull/4359)) \- (Tests)
- New 'SCA' test suite and framework. ([#3566](https://github.com/wazuh/wazuh-qa/pull/3566)) \- (Framework + Tests)
- Add integration tests for AWS module. ([#3911](https://github.com/wazuh/wazuh-qa/pull/3911)) \- (Framework + Tests + Documentation)
- Add tests for msu patches with no associated CVE . ([#4009](https://github.com/wazuh/wazuh-qa/pull/4009)) \- (Framework + Tests)
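Review bot: the new entry at the top of the "Added" list drops the punctuation convention of its neighbours, which end the description with a period before the PR link ("New 'SCA' test suite and framework." and "Add integration tests for AWS module."); add the period. The wording "Add test VDT does not generate alert when updated package is still vulnerable to CVE" also reads as a run-on; something like "Add test: VDT does not report a package as solved when it is updated to a still-vulnerable version" matches both the PR title and what the test actually asserts (absence of the removal/solved alert), which is the part a reader of the changelog needs.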
@@ -0,0 +1,30 @@
- sections:
- section: syscheck
elements:
- disabled:
value: 'no'
- frequency:
value: FREQUENCY
- windows_registry:
value: WINDOWS_REGISTRY
attributes:
- arch: both

- section: sca
elements:
- enabled:
value: 'no'
- section: rootcheck
elements:
- disabled:
value: 'yes'
- section: wodle
attributes:
- name: syscollector
elements:
- disabled:
value: 'yes'
- section: active-response
elements:
- disabled:
value: 'yes'
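Review bot: this syscheck configuration (FREQUENCY and WINDOWS_REGISTRY placeholders, syscollector and active-response disabled) is FIM test data and has no connection to the Vulnerability Detector test this PR adds; with 15 commits in the branch it most likely came in from the base branch. Please rebase so the diff contains only the VDT feed, configuration, cases and test files, or say in the description why it belongs here. Style point: there is a blank line after the syscheck section but none between the sca, rootcheck, wodle and active-response sections; the other configuration template in this PR separates every section with a blank line, so do the same here.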
Expand Up @@ -104,7 +104,7 @@ def test_registry_key_wildcards(configuration, metadata, set_wazuh_configuration
description: Check the behavior of FIM when using wildcards to configure the path of registry keys, and validate
the keys creation, modification and deletion is detected correctly.

wazuh_min_version: 4.5.0
wazuh_min_version: 4.6.0

test_phases:
- setup:
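Review bot: the only change to test_registry_key_wildcards is the bump of wazuh_min_version from 4.5.0 to 4.6.0, and nothing in the PR explains why a FIM registry wildcard test now requires 4.6.0. If this is another commit picked up from the base branch, rebase it away; if it is intentional, the reason belongs in the commit message or PR description, since the docstring is the record of which Wazuh versions the test applies to and a silent bump changes that.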
@@ -0,0 +1,51 @@
<oval_definitions
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
xmlns:linux-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#macos linux-definitions-schema.xsd">

<generator>
<oval:product_name>Canonical CVE OVAL Generator</oval:product_name>
<oval:product_version>1.1</oval:product_version>
<oval:schema_version>5.11.1</oval:schema_version>
<oval:timestamp>2021-11-16T15:30:28</oval:timestamp>
</generator>
<definitions>
<definition class="vulnerability" id="oval:com.ubuntu.focal:def:1" version="1">
<metadata>
<title>CVE-2023 custom-package-0</title>
<affected family="unix">
<platform>Ubuntu 22.04 LTS</platform>
<platform>Ubuntu 20.04 LTS</platform>
<platform>Ubuntu 18.04 LTS</platform>
<platform>Ubuntu 16.04 LTS</platform>
<platform>Ubuntu 14.04 LTS</platform>
</affected>
<reference source="CVE" ref_id="CVE-2023" ref_url="https://github.com/wazuh/wazuh-qa" />
</metadata>
<criteria>
<criteria operator="OR">
<criterion test_ref="oval:com.ubuntu.focal:tst:1" comment="custom-package-0 package in focal, is related to the CVE in some way and has been fixed (note: '10.0.0')." />
</criteria>
</criteria>
</definition>
</definitions>
<tests>
<linux-def:dpkginfo_test id="oval:com.ubuntu.focal:tst:1" version="1" check_existence="at_least_one_exists" check="at least one" comment="Does the 'custom-package-0' package exist and is the version less than '10.0.0'?">
<linux-def:object object_ref="oval:com.ubuntu.focal:obj:1"/>
<linux-def:state state_ref="oval:com.ubuntu.focal:ste:1" />
</linux-def:dpkginfo_test>
</tests>
<objects>
<linux-def:dpkginfo_object id="oval:com.ubuntu.focal:obj:1" version="1" comment="The 'custom-package-0' package binary.">
<linux-def:name>custom-package-0</linux-def:name>
</linux-def:dpkginfo_object>
</objects>
<states>
<linux-def:dpkginfo_state id="oval:com.ubuntu.focal:ste:1" version="1" comment="The package version is less than '10.0.0'.">
<linux-def:evr datatype="debian_evr_string" operation="less than">10.0.0</linux-def:evr>
</linux-def:dpkginfo_state>
</states>
</oval_definitions>
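Review bot: the xsi:schemaLocation on the root element maps the `#macos` namespace to linux-definitions-schema.xsd while the document declares and uses only `linux-def` (`#linux`), so the one namespace the fixture actually needs has no schema location and an unused one does; change `oval-definitions-5#macos` to `oval-definitions-5#linux`. This has no effect on the test unless someone validates the fixture against the OVAL schemas, but it is a copy-paste slip worth fixing while the file is new. Two smaller points: `ref_id="CVE-2023"` is not a well-formed CVE identifier (CVE-YYYY-NNNN), which is acceptable for a synthetic feed as long as the test never expects the NVD provider to enrich it with CVSS data; and the criterion comment only says the package "has been fixed (note: '10.0.0')", so add a short comment stating that every version below 10.0.0 (the 1.0.0 and 9.0.0 used by the cases file) is meant to be vulnerable, which is what the `debian_evr_string` "less than" state encodes.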
@@ -0,0 +1,59 @@
# Canonical Configuration
- sections:
- section: vulnerability-detector
elements:
- enabled:
value: 'yes'
- interval:
value: 5s
- min_full_scan_interval:
value: 5s
- run_on_start:
value: 'yes'
- provider:
attributes:
- name: canonical
elements:
- enabled:
value: 'yes'
- os:
attributes:
- path: CUSTOM_OVAL_FEED
value: focal
- provider:
attributes:
- name: nvd
elements:
- enabled:
value: 'yes'
- path:
value: CUSTOM_NVD_JSON_FEED
- update_interval:
value: 10s

- section: sca
elements:
- enabled:
value: 'no'

- section: rootcheck
elements:
- disabled:
value: 'yes'

- section: syscheck
elements:
- disabled:
value: 'yes'

- section: wodle
attributes:
- name: syscollector
elements:
- disabled:
value: 'yes'

- section: auth
elements:
- disabled:
value: 'no'
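Review bot: with `interval` and `min_full_scan_interval` both at 5s and the NVD `update_interval` at 10s, the scheduler alone will start another scan within seconds of the first one, so the test cannot tell whether the second full scan it waits for came from the scheduler or from the NVD metadata rewrite the test body performs to force it. Either raise `interval` so only the forced trigger can start the second scan, or document that the scheduler is the real trigger and drop the forcing step. Separately, `auth` is the only non-VD section left enabled (`disabled: 'no'`) while sca, rootcheck, syscheck and syscollector are all disabled; the agent in this test is mocked directly in the database, so authd should not be needed. Remove the section or add a comment saying why it stays.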
@@ -0,0 +1,14 @@
- name: no_alert_updated_package_still_vulnerable
description: When a package is updated to still vulnerable version, no alert appears showing package vuln as solved
configuration_parameters: null
metadata:
provider_name: canonical
system: FOCAL
oval_feed: custom_feed_updated_packace_still_vulnerable.xml
nvd_feed: real_nvd_feed.json
oval_feed_tag: CUSTOM_OVAL_FEED
nvd_feed_tag: CUSTOM_NVD_JSON_FEED
test_package_version: 1.0.0
test_package_version_still_vulnerable: 9.0.0
test_package_name: custom-package-0
cve: CVE-2023
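Review bot: `oval_feed: custom_feed_updated_packace_still_vulnerable.xml` has a typo ("packace"). If the feed file added in this PR carries the same misspelling the test runs, but rename both to `custom_feed_updated_package_still_vulnerable.xml` before merge so the fixture is findable by name. The description reads better as "When a package is updated to a still-vulnerable version, no alert is generated reporting the vulnerability as solved". The version values are consistent with the feed: 1.0.0 and 9.0.0 are both below the 10.0.0 fix version, so both must be flagged for CVE-2023.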
@@ -0,0 +1,186 @@
'''
copyright: Copyright (C) 2015-2023, Wazuh Inc.

Created by Wazuh, Inc. <info@wazuh.com>.

This program is free software; you can redistribute it and/or modify it under the terms of GPLv2

type: integration

brief: Wazuh is able to detect vulnerabilities in the applications installed in agents using the Vulnerability Detector
module. This software audit is performed through the integration of vulnerability feeds indexed by Redhat,
Canonical, Debian, SUSE, Amazon Linux and NVD Database.

components:
- vulnerability_detector

suite: scan_results

targets:
- manager

daemons:
- wazuh-modulesd
- wazuh-db
- wazuh-analysisd

os_platform:
- linux

os_version:
- Arch Linux
- Amazon Linux 2022
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- Debian Buster
- Red Hat 8
- Ubuntu Focal
- Ubuntu Bionic
- Suse Enterprise Linux Server 15
- Suse Enterprise Linux Server 12
- Suse Enterprise Linux Server 11
- Suse Enterprise Linux Desktop 15
- Suse Enterprise Linux Desktop 12
- Suse Enterprise Linux Desktop 11

references:
- https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/vuln-detector.html#provider

tags:
- settings
- vulnerability
- vulnerability_detector
- providers
'''
import os
import pytest
import time

from wazuh_testing.tools import configuration
from wazuh_testing.tools.file import read_yaml
from wazuh_testing.db_interface import agent_db, cve_db
from wazuh_testing.tools.time import get_current_timestamp
from wazuh_testing.modules import vulnerability_detector as vd
from wazuh_testing.modules.vulnerability_detector import event_monitor as evm


# Reference paths
TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template')
TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases')
TEST_FEEDS_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'data', 'feeds')

# Configuration and cases data
configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_scan_updated_package_still_vulnerable.yaml')
cases_path = os.path.join(TEST_CASES_PATH, 'cases_scan_updated_package_still_vulnerable.yaml')


# Test configurations
configurations = read_yaml(configurations_path)
metadata = [item['metadata'] for item in read_yaml(cases_path)]
configuration_parameters, configuration_metadata, test_case_ids = configuration.get_test_cases_data(cases_path)
configurations = vd.update_feed_path_configurations(configurations, metadata, TEST_FEEDS_PATH)
systems = [metadata['system'] for metadata in configuration_metadata]


@pytest.mark.tier(level=1)
@pytest.mark.parametrize('configuration, metadata, agent_system', zip(configurations, configuration_metadata, systems),
ids=test_case_ids)
def test_vulnerability_updated_package_still_vulnerable(configuration, metadata, agent_system,
set_wazuh_configuration_vdt, truncate_monitored_files,
clean_cve_tables_func, setup_log_monitor,
prepare_full_scan_with_vuln_packages_and_custom_system,
restart_modulesd_function):
'''
description: Check that the Vulnerability Detector module does not generates an alert when a vulnerability is
updated to a version that is still vulnerable for a given CVE.

test_phases:
- Set a custom Wazuh configuration.
- Mock an agent with a custom system and vulnerable packages.
- Force a full scan.
- Restart wazuh-modulesd.
- Wait for full scan event log.
- Update one vulnerable package to a non-vulnerable version.
- Force again a full scan and wait for the full scan event log.
- Check that package update has been detected and an alert with new version is generated.
- Check no alert is generated for the removal of the older version.

wazuh_min_version: 4.6.0

tier: 1

parameters:
- configuration:
type: dict
brief: Wazuh configuration data. Needed for set_wazuh_configuration fixture.
- metadata:
type: dict
brief: Wazuh configuration metadata
- agent_system:
type: str
brief: System to set to the mocked agent.
- set_wazuh_configuration_vdt:
type: fixture
brief: Set the wazuh configuration according to the configuration data.
- truncate_monitored_files:
type: fixture
brief: Truncate all the log files and json alerts files before and after the test execution.
- clean_cve_tables_func:
type: fixture
brief: Clean all the vulnerabilities tables before and after running the test.
- prepare_full_scan_with_vuln_packages_and_custom_system:
type: fixture
brief: Insert vulnerable packages to an agent with a custom system and finally clean the database.
- setup_log_monitor:
type: fixture
brief: Create the log monitor.
- restart_modulesd_function:
type: fixture
brief: Restart the wazuh-modulesd daemon.

assertions:
- The full scan will start for the agent.
- The full scan finish for the agent.
- The package with new version is vulnerable.
- The package's older version is not shown as solved

input_description:
- The `cases_scan_updated_package_still_vulnerable.yaml` file provides the module configuration for this test.

expected_output:
- 'A full scan will be run on agent <agent_id>'
- 'Finished vulnerability assessment for agent <agent_id>'
- '<test_package_cve> affecting <test_package_name> was eliminated'
- Package '<test_package_name>' not vulnerable to '<test_package_cve>'
'''
agent_id = prepare_full_scan_with_vuln_packages_and_custom_system
log_monitor = setup_log_monitor

# Wait for full scan event log
evm.check_full_scan_start_finish(log_monitor=log_monitor, agent_id=agent_id)

# Check the package has been marked as vulnerable and generated an alert
evm.check_vulnerability_affects_alert(package=metadata['test_package_name'], cve=metadata['cve'],
agent_id=agent_id)

# Update test package 1 to a vulnerable version 2.0.
agent_db.update_package(agent_id=agent_id, package=metadata['test_package_name'],
version=metadata['test_package_version_still_vulnerable'])

# Force a full scan again after simulating the update the NVD feed and passing the min_full_scan_interval
cve_db.update_nvd_metadata_vuldet(int(get_current_timestamp()))

# Check again the full scan event
evm.check_full_scan_start_finish(log_monitor=log_monitor, agent_id=agent_id)

# Check the new version of the package generates and alert
evm.check_vulnerability_affects_alert(package=metadata['test_package_name'], cve=metadata['cve'],
agent_id=agent_id)

# Check the old version of the package being removed is not shown as solved
with pytest.raises(TimeoutError):
evm.check_vulnerability_scan_remove_alert(metadata['test_package_name'], metadata['cve'], agent_id=agent_id)
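Review bot: the second `evm.check_vulnerability_affects_alert(package=..., cve=..., agent_id=agent_id)` call is not version-aware and the alerts file is not truncated between the two scans, so it can be satisfied by the alert already written for version 1.0.0 and never proves that an alert for 9.0.0 was generated, which is what the docstring claims ("an alert with new version is generated"). Truncate the alerts file after the first check, or make the check match the new version in the alert's package fields, before relying on it. Related fixes in the same file: the docstring step "Update one vulnerable package to a non-vulnerable version." contradicts the test (the version is still vulnerable); the comment "Update test package 1 to a vulnerable version 2.0." does not match the code, which uses `test_package_version_still_vulnerable` (9.0.0); "does not generates an alert" and "simulating the update the NVD feed" need grammar fixes; and the `expected_output` section lists "was eliminated" and "not vulnerable to" as expected lines when the test asserts they are absent, so mark them as such. The negative check via `pytest.raises(TimeoutError)` is the right shape, but state the timeout it relies on so a too-short wait in `check_vulnerability_scan_remove_alert` cannot turn a real regression into a pass. Finally, `time` and `configuration_parameters` are unused, and the module-level `metadata` list is shadowed by the test parameter of the same name; rename one of them.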