future-architect / vuls

Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices
https://vuls.io/
GNU General Public License v3.0

Library (non-OS) Scan Submitted to Vuls in Server Mode Misses Affected Packages #1003

Open ohsh6o opened 4 years ago

ohsh6o commented 4 years ago

What did you do? (required. The issue will be closed when not provided.)

My team has set up an integration that will load the vuls binary into a CloudFoundry app instance and run it as the app is staged, and send the scan results with curl and POST it to a server running in vuls mode. We hope to view the results through vuls tui or a web UI.

I have tested this with 0.9.6 and 0.9.7 as of this morning.

Test Docker configuration:

https://github.com/flexion/10x-dux-vuls-eval/blob/master/docker/docker-compose.yaml

Shell commands run:

https://github.com/flexion/vuls-cloudfoundry-buildpack/blob/master/lib/run-scan.sh#L8-L12

The configuration run on the client:

https://github.com/flexion/vuls-cloudfoundry-buildpack/blob/master/lib/dist/config.toml

After this is complete, the CloudFoundry app instance uses curl as documented in your application, but with parameterized defaults.

https://github.com/flexion/vuls-cloudfoundry-buildpack/blob/master/lib/run-scan.sh#L14-L16

I have specifically used an old jquery version in a package-lock.json file. I expect to use a shared results directory on the server to see the findings of only library (non-OS) scans in the vulsrepo UI (vuls/vulsrepo or ishidaco/vulsrepo) to show those results.

A test server has a git repo with just this package-lock.json file (testing shows this part works).

https://gist.github.com/ohsh6o/0ac8464cb34bc9431d744f0ee224bb7d

The server will generate a report like this (which vulsrepo uses):

https://gist.github.com/ohsh6o/286b99f999fae8affddf6736479ecbeb

What did you expect to happen?

To see the information in the vulsrepo UI.

What happened instead?

It shows nothing; debugging shows the reports included have scannedCves properties, but not an affectedPackages property that is needed to generate pivot tables, as stepping through UI code here indicates. The console of the web browser finds 3 CVEs. The UI itself does not show them. It seems reports generated by vuls and accessible to vulsrepo in the same results directory miss these necessary attributes.

vuls tui shows them.

vuls report -to-localfile shows vulnerability information, as does vuls report -json -to-localfile, but regardless these important JSON properties are never added in trivy parsing or scanning step, so the table data will never load for non-OS packages. Is this correct/intentional?

[Three screenshots attached: Screen Shot 2020-06-12 at 12 23 44 AM, 12 21 54 AM, 12 22 52 AM]

Please re-run the command using -debug and provide the output below.

vuls_1       | time="Jun 11 21:09:17" level=debug msg="HTTP Request to http://exploitdb:1326/cves/NSWG-ECO-516" 
vuls_1       | time="Jun 11 21:09:17" level=debug msg="HTTP Request to http://exploitdb:1326/cves/CVE-2019-5428" 
vuls_1       | time="Jun 11 21:09:17" level=debug msg="HTTP Request to http://exploitdb:1326/cves/CVE-2019-11358" 
vuls_1       | time="Jun 11 21:09:17" level=info msg="localhost: 3 exploits are detected

Steps to reproduce the behaviour

Configuration (MUST fill this out):

Hash :

# vuls -v
vuls v0.9.7 build-20200605_054131_1e2a299

Note: this is run on the client and server for testing only at this time.

[servers]

[servers.localhost]
host = "localhost"
port = "local"
findLock = true
scanMode = ["offline"]

vuls server \
      -debug \
      -debug-sql \
      -to-localfile \
      -format-json \
      -log-dir=/var/log \
      -results-dir=/vuls/results \
      -listen=0.0.0.0:5515 \
      -cvedb-type=http \
      -cvedb-url=http://cvedb:1323 \
      -ovaldb-type=http \
      -ovaldb-url=http://ovaldb:1324 \
      -gostdb-type=http \
      -gostdb-url=http://gostdb:1325 \
      -exploitdb-type=http \
      -exploitdb-url=http://exploitdb:1326

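The behaviour described above (scannedCves present, affectedPackages absent, so vulsrepo's pivot tables drop the library findings) can be checked directly against a results file instead of by stepping through the UI. The script below is an added example, not code from the Vuls or vulsrepo projects. The field names scannedCves and affectedPackages and the three finding IDs come from this issue; the libraryFixedIns field (with key/name/fixedIn entries), the notFixedYet sub-field, the fixedIn value, the results/<time>/<host>.json layout and the CVE-0000-0000 placeholder are assumptions or constructed sample data.

```python
"""Classify scannedCves entries in a Vuls result JSON by whether vulsrepo can
render them.

Added example, not code from Vuls or vulsrepo. vulsrepo's pivot tables need
a non-empty affectedPackages list per scannedCves entry; library (non-OS)
findings from a lock-file scan are assumed to carry libraryFixedIns instead,
which is why they count in the browser console but never reach the table.
"""
import json
import sys
from typing import Dict, List

# Constructed sample in the shape of a Vuls results file
# (assumed path layout: results/<time>/<host>.json). The three library
# finding IDs are the ones in the issue's debug log; CVE-0000-0000 is a
# placeholder for an OS-package finding and is not a real CVE.
SAMPLE_RESULT = json.dumps({
    "serverName": "localhost",
    "scannedCves": {
        # library findings: libraryFixedIns (assumed field) but no affectedPackages
        "CVE-2019-11358": {
            "cveID": "CVE-2019-11358",
            "libraryFixedIns": [{"key": "npm", "name": "jquery", "fixedIn": ">=3.4.0"}],
        },
        "CVE-2019-5428": {
            "cveID": "CVE-2019-5428",
            "libraryFixedIns": [{"key": "npm", "name": "jquery", "fixedIn": ">=3.4.0"}],
        },
        "NSWG-ECO-516": {
            "cveID": "NSWG-ECO-516",
            "libraryFixedIns": [{"key": "npm", "name": "jquery", "fixedIn": ">=3.4.0"}],
        },
        # OS-package finding as an OS scan records it (constructed placeholder)
        "CVE-0000-0000": {
            "cveID": "CVE-0000-0000",
            "affectedPackages": [{"name": "openssl", "notFixedYet": False}],
        },
    },
})


def classify_scanned_cves(result_json: str) -> Dict[str, List[str]]:
    """Return sorted ID lists: 'visible' (affectedPackages present, renderable),
    'library_only' (only libraryFixedIns, dropped by the pivot table), and
    'orphaned' (neither field)."""
    result = json.loads(result_json)
    visible, library_only, orphaned = [], [], []
    for cve_id, info in sorted(result.get("scannedCves", {}).items()):
        if info.get("affectedPackages"):
            visible.append(cve_id)
        elif info.get("libraryFixedIns"):
            library_only.append(cve_id)
        else:
            orphaned.append(cve_id)
    return {"visible": visible, "library_only": library_only, "orphaned": orphaned}


def summarize(result_json: str) -> str:
    """Human-readable summary: how many findings vulsrepo will and will not show."""
    result = json.loads(result_json)
    buckets = classify_scanned_cves(result_json)
    host = result.get("serverName", "?")
    lines = [f"{host}: {len(result.get('scannedCves', {}))} scannedCves"]
    lines.append(f"  renderable by vulsrepo (affectedPackages present): {len(buckets['visible'])}")
    lines.append(f"  library-only (no affectedPackages, hidden in pivot tables): {len(buckets['library_only'])}")
    lines.extend(f"    {cve}" for cve in buckets["library_only"])
    if buckets["orphaned"]:
        lines.append(f"  neither field: {', '.join(buckets['orphaned'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass a real results file path to inspect it; otherwise the constructed sample runs.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULT
    print(summarize(data))
```

Run it against each host JSON under the server's results directory; a non-zero library-only count with zero renderable entries reproduces the "console sees 3 CVEs, table shows nothing" symptom from a file alone, without the browser.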
ohsh6o commented 4 years ago

Also, note, is this potentially related to future-architect/vuls#924? I know the scanning techniques are similar, but different, and I used curl to upload results to avoid needing to expose backing services (go-cve-dictionary) in the future. Is this why certain data is added into results when done local in scan-only mode and sent to the server?