future-architect / vuls

Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices
https://vuls.io/
GNU General Public License v3.0

VULS in server mode, new issue about OVAL DB docker image which prevents to get json report #851

Open fredericg78 opened 5 years ago

fredericg78 commented 5 years ago

What did you do?

Launching vuls docker images for vuls, cve db and oval db (oval.sqlite3 and cve.sqlite3 exist and have been fetched), and requesting vuls in server mode with a POST and a list of packages and versions to get a JSON report about CVEs.

What did you expect to happen?

As before, I expected to get a JSON report, but an error message is displayed instead.

What happened instead?

Error message is:

```
Failed to fill with OVAL: Failed to fetch OVAL. err: [%!w(xerrors.errorString) %!w(xerrors.errorString) %!w(xerrors.errorString) %!w(xerrors.errorString) %!w(*xerrors.errorString)]
```

Which shows these errors in logs:

```
{"time":"2019-06-24T16:03:39.592672217Z","level":"ERROR","prefix":"echo","file":"echo.go","line":"294","message":"Not Found"}
{"time":"2019-06-24T16:03:39Z","remote_ip":"172.17.0.1","method":"GET","uri":"/packs/ubuntu/16.04/jasper","status":404, "latency":274,"latency_human": "274.178µs","bytes_in":0,"bytes_out":9}
```

It is also no longer possible to query the OVAL DB server directly over HTTP.

Configuration:

Latest docker images for vuls, cve, and oval. vuls: vuls v0.8.0 build-20190618_012226_4cf9a72

```
[ovalDict]
type = "http"
url = "http://192.168.99.100:1324"
```

artdanad commented 5 years ago

I have the same problem, I get 404 for all oval requests.

artdanad commented 5 years ago

I tested this problem, and it looks like the root cause is that vuls doesn't provide the arch value that oval is expecting when running as a server. Vuls error:

```
...
url: [redacted]/packs/ubuntu/16.04/curl, resp: &{404 Not Found
...
```

If I append arch to the same request, I get a 200 response with JSON data:

```
curl [redacted]/packs/ubuntu/16.04/curl/x86_64
```

If we check the routes in the goval-dictionary project, /server/server.go, we can see that the packs route is expecting arch on line 45: `e.Get("/packs/:family/:release/:pack/:arch", getByPackName())`

So please update vuls to also provide the arch param.
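Added example, not part of the original thread and not code from vuls or goval-dictionary: a small Go probe that checks whether an OVAL server answers only the `/packs/:family/:release/:pack/:arch` route quoted in the comment above. The names `packsURL`, `archRequired` and `fakeOvalServer` are hypothetical, and the server used here is a constructed local stand-in for that route, not goval-dictionary itself.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// packsURL joins the given segments under /packs; pass arch as a fourth segment or omit it.
func packsURL(base string, segs ...string) string {
	return strings.TrimRight(base, "/") + "/packs/" + strings.Join(segs, "/")
}

// archRequired requests the lookup without and with the arch segment and reports
// whether the server returns 404 for the short form and 200 for the long form.
func archRequired(base, family, release, pack, arch string) (bool, error) {
	urls := []string{packsURL(base, family, release, pack), packsURL(base, family, release, pack, arch)}
	codes := make([]int, len(urls))
	for i, u := range urls {
		resp, err := http.Get(u)
		if err != nil {
			return false, err
		}
		resp.Body.Close()
		codes[i] = resp.StatusCode
	}
	return codes[0] == http.StatusNotFound && codes[1] == http.StatusOK, nil
}

// fakeOvalServer is a constructed stand-in that serves only /packs/:family/:release/:pack/:arch.
func fakeOvalServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if p := strings.Split(strings.Trim(r.URL.Path, "/"), "/"); len(p) != 5 || p[0] != "packs" {
			http.NotFound(w, r) // four segments, as in the failing request, do not match
			return
		}
		fmt.Fprint(w, "[]") // empty JSON list as a placeholder body
	}))
}

func main() {
	srv := fakeOvalServer()
	defer srv.Close()
	fmt.Println(archRequired(srv.URL, "ubuntu", "16.04", "curl", "x86_64"))
}
```

To check a real deployment, pass the `url` value from the `[ovalDict]` section as `base` instead of the stand-in server's address.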

AydenHex commented 5 years ago

Hi! I have the same problem, any news on that, @kotakanbe?

fredericg78 commented 5 years ago

@artdanad Yes, you are right, the latest oval db server is expecting an arch parameter at the end of the call URL, and vuls does not send this parameter. @kotakanbe Could you add a new HTTP header in vuls to pass the arch param value (which should be the same for all detected packages), and add this value at the end of the oval db HTTP call URL? I don't know if this arch param is really used as a filter in the OVAL db data to get vulnerabilities...

For now, a workaround is to add a `/<arch value>` to the name of all packages to simulate the arch parameter at the end of the URL, without a vuls code update.

fredericg78 commented 5 years ago

Latest versions of goval and vuls docker images fix the issue.

goval: goval-dictionary v0.2.1
vuls: vuls v0.8.5 build-20190730_085002_4326bef

fredericg78 commented 5 years ago

Unfortunately, the latest version of the vuls docker image has reintroduced this issue. It seems the arch parameter is not sent in the oval URL by vuls (oval/util.go).