facebookincubator / nvdtools

A set of tools to work with the feeds (vulnerabilities, CPE dictionary etc.) distributed by National Vulnerability Database (NVD)
Apache License 2.0

Use with Debian based packages #171

Open akzincsystems opened 3 years ago

akzincsystems commented 3 years ago

Hi, and thanks for an interesting project.

Whilst my servers are all rpm package based, all my engineers use Debian based distros. I've had a play with dpkg to try and emulate rpm output. However I get a significant number of misses. e.g.

dpkg-query --show -f='${binary:Package}-${Version}.${Architecture}\n' | rpm2cpe -rpm=1 -cpe=2

appears to give valid results e.g.:

wamerican-2018.04.16-1.all      cpe:/a::wamerican:2018.04.16:1:~~~~all~
wbritish-2018.04.16-1.all       cpe:/a::wbritish:2018.04.16:1:~~~~all~
wget-1.20.3-1ubuntu1.amd64      cpe:/a::wget:1.20.3:1ubuntu1:~~~~amd64~
whiptail-0.52.21-4ubuntu2.amd64 cpe:/a::whiptail:0.52.21:4ubuntu2:~~~~amd64~
whoopsie-preferences-22.amd64   cpe:/a::whoopsie:preferences:22:~~~~amd64~

but also a lot of errors e.g.:

rpm2cpe: error: couldn't process record []: couldn't parse RPM name from field "zoom-5.4.54779.1115.amd64": can't get fields from "zoom-5.4.54779.1115.amd64": can't find version in pkg "zoom"
rpm2cpe: error: couldn't process record []: couldn't parse RPM name from field "whois-5.5.6.amd64": can't get fields from "whois-5.5.6.amd64": can't find version in pkg "whois"
rpm2cpe: error: couldn't process record []: couldn't parse RPM name from field "whoopsie-0.2.69ubuntu0.3.amd64": can't get fields from "whoopsie-0.2.69ubuntu0.3.amd64": can't find version in pkg "whoopsie"
rpm2cpe: error: couldn't process record []: couldn't parse RPM name from field "xorg-1:7.7+19ubuntu14.amd64": can't get fields from "xorg-1:7.7+19ubuntu14.amd64": can't find version in pkg "xorg"

I could clean up the dpkg output to remove the errors, but that would mean missing substantial numbers of packages. Any suggestions on how I might modify my one-liner? Or is there a better method to achieve what I want?

My eventual aim is to install a cron on all the engineers' development machines to input their stack to a central database and run the CVE checks for them alongside doing the same for the servers. Any help appreciated.

scottcunningham commented 3 years ago

Hi, thanks for your interest in the project!

I think the best option would be to build a new binary like rpm2cpe, maybe called dpkg2cpe. That way we can put dpkg-specific implementation details in that code. The code shouldn’t be too hard to implement and would likely be pretty similar to the rpm2cpe code, if you want to give that a go.

This seems like a generally useful tool to have so we might look at implementing it in the future if you don’t.
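The failures above come from squeezing Debian versions into the rpm `name-version-release.arch` shape, which breaks for native packages (no `-revision`) and for epochs (`1:7.7+19ubuntu14`). A sketch of the dpkg-specific parsing a `dpkg2cpe` would need, written as an added example rather than code from nvdtools: it assumes the one-liner emits tab-separated fields (`-f='${binary:Package}\t${Version}\t${Architecture}\n'`), drops the epoch, maps the Debian revision to the CPE `update` field the way rpm2cpe maps the rpm release, and percent-encodes characters outside the URI binding's unescaped set (that escaping rule is an assumption, not taken from the project).

```go
package main

import (
	"fmt"
	"strings"
)

// escapeCPE22 percent-encodes anything outside the characters a CPE URI
// component carries unescaped (letters, digits, '.', '_', '-'); assumption.
func escapeCPE22(s string) string {
	var b strings.Builder
	for _, c := range []byte(s) {
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9',
			c == '.', c == '_', c == '-':
			b.WriteByte(c)
		default:
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// dpkgToCPE turns one "package\tversion\tarch" record into a CPE 2.2 URI
// shaped like rpm2cpe's: product=package, version=upstream version,
// update=Debian revision, target_hw=architecture. Debian versions are
// [epoch:]upstream[-revision]; epoch is dropped, native packages get no update.
func dpkgToCPE(record string) (string, error) {
	f := strings.Split(strings.TrimSpace(record), "\t")
	if len(f) != 3 {
		return "", fmt.Errorf("want 3 tab-separated fields, got %d in %q", len(f), record)
	}
	pkg, ver, arch := f[0], f[1], f[2]
	if i := strings.Index(pkg, ":"); i >= 0 { // multiarch "libc6:amd64" -> "libc6"
		pkg = pkg[:i]
	}
	if i := strings.Index(ver, ":"); i >= 0 { // strip epoch "1:"
		ver = ver[i+1:]
	}
	upstream, revision := ver, ""
	if i := strings.LastIndex(ver, "-"); i >= 0 { // revision starts at the last '-'
		upstream, revision = ver[:i], ver[i+1:]
	}
	return fmt.Sprintf("cpe:/a::%s:%s:%s:~~~~%s~", escapeCPE22(pkg),
		escapeCPE22(upstream), escapeCPE22(revision), escapeCPE22(arch)), nil
}

func main() { // constructed record matching the issue's failing "xorg" case
	fmt.Println(dpkgToCPE("xorg\t1:7.7+19ubuntu14\tamd64"))
}
```

For the `wget` record this reproduces exactly the URI rpm2cpe printed above, while the `zoom`, `whois` and `xorg` records that rpm2cpe rejected now parse.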