eliasgranderubio / dagda

A tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in Docker images/containers, and to monitor the Docker daemon and running Docker containers for detecting anomalous activities
Apache License 2.0

vuln doesn't show CVE which is present in securityfocus and NVD #46

Closed szymonpk closed 5 years ago

szymonpk commented 5 years ago

Short description

I am trying to request information from dagda about CVE-2018-15727, which is present in the securityfocus and NVD databases, and I am getting "CVE not found"

{
    "err": 404,
    "msg": "CVE not found"
}

Reproduction steps

  1. Start Dagda server with docker-compose up
  2. Populate DB with python dagda.py vuln --init and wait until it is finished.
    {
      "status": "Updated",
      "timestamp": "2019-02-15 07:48:54.802088"
    }
  3. Point dagda client to server
  4. Type the Dagda CLI command python dagda.py vuln --cve CVE-2018-15727

Expected results

I expected information about the CVE. I can get information about other CVEs just fine. For example:

$ python dagda.py vuln --cve CVE-2018-12099
[
    {
        "product": "grafana",
        "vendor": "grafana",
        "version": "5.2.0",
        "year": 2018
    }
]

Actual results

{
    "err": 404,
    "msg": "CVE not found"
}

On which platforms did you notice this:

Backtrace

During startup I have noticed:

dagda     | <2019-02-15 08:16:27,116> <ERROR> <DagdaServer> <dagda> <main:46> <500 Server Error: Internal Server Error ("Multiple IDs found with provided prefix: 9")>
dagda     | Traceback (most recent call last):
dagda     |   File "/usr/local/lib/python3.6/site-packages/docker/api/client.py", line 246, in _raise_for_status
dagda     |     response.raise_for_status()
dagda     |   File "/usr/local/lib/python3.6/site-packages/requests/models.py", line 940, in raise_for_status
dagda     |     raise HTTPError(http_error_msg, response=self)
dagda     | requests.exceptions.HTTPError: 500 Server Error: Internal Server Error for url: http+docker://localhost/v1.39/containers/9/stop
dagda     | 
dagda     | During handling of the above exception, another exception occurred:
dagda     | 
dagda     | Traceback (most recent call last):
dagda     |   File "dagda.py", line 35, in main
dagda     |     r = execute_dagda_cmd(cmd=cmd, args=parsed_args)
dagda     |   File "/opt/app/cli/dagda_cli.py", line 43, in execute_dagda_cmd
dagda     |     ds.run()
dagda     |   File "/opt/app/api/dagda_server.py", line 101, in run
dagda     |     self.sysdig_falco_monitor.pre_check()
dagda     |   File "/opt/app/analysis/runtime/sysdig_falco_monitor.py", line 97, in pre_check
dagda     |     self.docker_driver.docker_stop(container_id)
dagda     |   File "/opt/app/driver/docker_driver.py", line 110, in docker_stop
dagda     |     self.cli.stop(container=container_id)
dagda     |   File "/usr/local/lib/python3.6/site-packages/docker/utils/decorators.py", line 19, in wrapped
dagda     |     return f(self, resource_id, *args, **kwargs)
dagda     |   File "/usr/local/lib/python3.6/site-packages/docker/api/container.py", line 1134, in stop
dagda     |     self._raise_for_status(res)
dagda     |   File "/usr/local/lib/python3.6/site-packages/docker/api/client.py", line 248, in _raise_for_status
dagda     |     raise create_api_error_from_http_exception(e)
dagda     |   File "/usr/local/lib/python3.6/site-packages/docker/errors.py", line 31, in create_api_error_from_http_exception
dagda     |     raise cls(e, response=response, explanation=explanation)
dagda     | docker.errors.APIError: 500 Server Error: Internal Server Error ("Multiple IDs found with provided prefix: 9")

But the application works fine(-ish); there are no errors when querying for CVEs.

eliasgranderubio commented 5 years ago

Hi @szymonpk ,

You are right, but I don't know why CVE-2018-15727 is tagged in a different way in the NVD vulnerabilities file, and therefore the parser I have implemented for CVEs doesn't recognize that CVE.


On the other hand, the error you get in the log is related to Sysdig Falco and the monitoring feature. Perhaps, when Dagda tries to shut down the previous Falco container, it finds multiple containers with similar IDs. I'm not sure about it because it is a very rare issue. How many times do you get this error in the logs?
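The ambiguous-prefix failure described above, as an added example that is not Dagda's own code: it resolves a container reference to a full 64-hex ID before any stop request is issued, and refuses to proceed when a short prefix matches more than one container instead of letting the daemon answer with a 500. The container inventory, image names and container names are constructed; in a real setup the list would come from `docker.APIClient().containers(all=True)`.

```python
"""Resolve a Docker container reference without relying on an ambiguous
short prefix (added example, not part of Dagda)."""
import re

FULL_ID_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed inventory: two container IDs share the prefix "9", which is
# the situation behind "Multiple IDs found with provided prefix: 9".
# Entry keys mirror those returned by the Docker API ('Id', 'Image', 'Names').
CONTAINERS = [
    {"Id": "9a" + "0" * 62, "Image": "sysdig/falco:latest", "Names": ["/falco_old"]},
    {"Id": "9b" + "1" * 62, "Image": "mongo:3.4", "Names": ["/dagda_db"]},
    {"Id": "c3" + "2" * 62, "Image": "dagda:latest", "Names": ["/dagda_server"]},
]


class AmbiguousPrefixError(LookupError):
    """A short ID prefix matched more than one container."""


def resolve_container_id(ref, containers):
    """Return the full ID for ``ref``, which may be a full ID, a unique ID
    prefix, or a container name with or without the leading slash.

    Raises AmbiguousPrefixError when a prefix matches several containers
    and LookupError when nothing matches, so the caller fails locally
    rather than with a 500 from the daemon.
    """
    ref = ref.strip()
    by_name = [c for c in containers if ("/" + ref.lstrip("/")) in c["Names"]]
    if len(by_name) == 1:
        return by_name[0]["Id"]
    if FULL_ID_RE.match(ref):
        matches = [c for c in containers if c["Id"] == ref]
    else:
        matches = [c for c in containers if c["Id"].startswith(ref)]
    if len(matches) > 1:
        raise AmbiguousPrefixError(f"Multiple IDs found with provided prefix: {ref}")
    if not matches:
        raise LookupError(f"No such container: {ref}")
    return matches[0]["Id"]


def ids_by_image(image_prefix, containers):
    """Full IDs of every container whose image starts with ``image_prefix``,
    e.g. to stop all leftover Falco containers by exact ID."""
    return [c["Id"] for c in containers if c["Image"].startswith(image_prefix)]
```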

szymonpk commented 5 years ago

Is the summary the only difference? The one you have pasted is from CVE-2018-558213, which was a candidate for the proper CVE CVE-2018-15727; probably there are more records like this.

eliasgranderubio commented 5 years ago

If there is any issue in the parser which filters the NVD files, it would be in the following function:

eliasgranderubio commented 5 years ago

Hi @szymonpk ,

Did you find any error in the parser of the NVD files for fixing your issue? Could you give me any update you have on this issue?

szymonpk commented 5 years ago

Sorry but no. I couldn't find time for this.

eliasgranderubio commented 5 years ago

Closed due to inactivity.