intel / cve-bin-tool

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
https://cve-bin-tool.readthedocs.io/en/latest/
GNU General Public License v3.0

new checker request: RedHat OpenShift #2061

Open terriko opened 1 year ago

terriko commented 1 year ago

Note: I'm not sure how easy this one will be to build a regular checker for given the languages it's written in. If you investigate it and don't think it's possible, please comment here and let us know!

New checker request: RedHat OpenShift

CVEs: https://www.cvedetails.com/product/23704/Redhat-Openshift.html?vendor_id=25

Instructions: How to add a new checker to the CVE Binary Tool

We also have a checker creation helper script that can get you started in making the checker.

New to cve-bin-tool or open source? Our New contributor documentation can help you set up tests, etc.

You don't need to have this assigned to you in order for you to work on it, but given the volume of hacktoberfest participants looking for things to work on, you may want to comment here to "claim" the issue and let others know that you're working on it. Issues that have comments but no pull requests after a week may wind up claimed by someone else.

mitchmeistr commented 1 year ago

If this is not needed immediately, I would like to attempt this issue.

I am a software development student, completely new to the world of security, but I find this issue and the project as a whole very interesting. Therefore, I will have a ton of questions.

Thanks for your consideration, Mitch

terriko commented 1 year ago

It's not needed immediately so feel free to take your time and have fun. Let us know when you've got questions!

mitchmeistr commented 1 year ago

Hey @terriko ,

I was wondering if you could clear up some confusion I am having. I apologize in advance if it's convoluted.

When I search for packages for OpenShift on rpm find, I get packages that lead to openshift/origin.

Doubts began to arise when I see the about section on the github repository only contains "Conformance test suite for OpenShift".

When checking cvedetails, it became apparent that there is OpenShift, and OpenShift Origin. (https://www.cvedetails.com/cve/CVE-2016-2160/)

There is also OKD, which is an upstream community distribution. It appears that OpenShift Origin is this OKD community distribution project.

Although there seem to be two different repositories for a similar product? One being https://github.com/okd-project/okd and the other https://github.com/openshift/origin

I am now uncertain of which product I am to be testing. From what I have gathered, OpenShift is the commercial product, and OKD is the community upstream.

Furthermore, my understanding of OpenShift is that it's several products bundled together. Which makes me wonder about how effective it is testing just OpenShift in general, and not all its components inside as well?

I have checked the origin package contents I have locally that I grabbed from rpmfind and there are various tools here I believe.

Any thoughts, opinions, or advice would be appreciated.


Here are some of the results, in case they are helpful in any way:

Search for openshift in our executables.txt:

strings $(cat executables.txt) | sort | uniq | grep -i openshift

Output on codeshare

Search for the version number in executables.txt, matching the version to the GitHub release # and rpmfind release #:

strings $(cat executables.txt) | sort | uniq | grep -v v3.11

build -ldflags="-X github.com/openshift/origin/pkg/oc/clusterup.defaultImageStreams=centos7 -X github.com/openshift/origin/pkg/cmd/util/variable.DefaultImagePrefix=openshift/origin -X github.com/openshift/origin/pkg/version.majorFromGit=3 -X github.com/openshift/origin/pkg/version.minorFromGit=11+ -X github.com/openshift/origin/pkg/version.versionFromGit=v3.11.0+20c5b86 -X github.com/openshift/origin/pkg/version.commitFromGit=20c5b86 -X github.com/openshift/origin/pkg/version.buildDate=2022-07-22T02:33:09Z -X github.com/openshift/origin/vendor/k8s.io/kubernetes/pkg/version.gitMajor=1 -X github.com/openshift/origin/vendor/k8s.io/kubernetes/pkg/version.gitMinor=10+ -X github.com/openshift/origin/vendor/k8s.io/kubernetes/pkg/version.gitCommit=b3b92b2 -X github.com/openshift/origin/vendor/k8s.io/kubernetes/pkg/version.gitVersion=v1.10.0+b3b92b2 -X github.com/openshift/origin/vendor/k8s.io/kubernetes/pkg/version.buildDate=2022-07-22T02:33:09Z -X github.com/openshift/origin/vendor/k8s.io/kubernetes/pkg/version.gitTreeState=clean -X github.com/openshift/origin/vendor/k8s.io/client-go/pkg/version.gitMajor=1 -X github.com/openshift/origin/vendor/k8s.io/client-go/pkg/version.gitMinor=10+ -X github.com/openshift/origin/vendor/k8s.io/client-go/pkg/version.gitCommit=b3b92b2 -X github.com/openshift/origin/vendor/k8s.io/client-go/pkg/version.gitVersion=v1.10.0+b3b92b2 -X github.com/openshift/origin/vendor/k8s.io/client-go/pkg/version.buildDate=2022-07-22T02:33:09Z -X github.com/openshift/origin/vendor/k8s.io/client-go/pkg/version.gitTreeState=clean" v3.11.0+20c5b86

terriko commented 1 year ago

Let's go with what's easiest. If that means you build a checker for OpenShift Origin or OKD, then just lean into whichever one seems like it's going to work (or more than one if it looks like you could get multiples to work!).

Sometimes we file new checker requests where someone has a specific need to detect a specific package, but this one was just filed as "can we even detect this?" thing for someone to experiment on during hacktoberfest. So honestly, any new checker (or even multiple checkers?) is a valid solution to this issue. And if you investigate Origin and OKD and neither of them is detectable, saying so and asking for this issue to be closed is also a valid contribution!

mitchmeistr commented 1 year ago

Since I've spent so much time on this OpenShift Origin, I might as well finish it. Then I can move on to OKD and Ceph. I've found differentiating between these products a headache for somebody new to them. Especially with the word origin in both products, and doing things manually.

That being said, it appears that OpenShift Origin is an older branch of OKD. This aligns with the last current release being v3.11 in 2018 on the GitHub repo. CVE Details has the last version listed at 2.1.1. In your experience, is it normal to see gaps like that?

Does your team or contributors to the project frequently experience Timeout Errors when building the database from NVD? I seem to only get between 49% - 55% completion before it hangs with a Timeout error. This has been occurring over the past couple of days.

Finally, if the helper script is used correctly, it pretty much does all the work for me regarding getting the CONTAINS.., FILENAME.., VERSION.., VENDOR_PROD fields, yes? I just need a regex pattern to narrow down the exact version string.

terriko commented 1 year ago

NVD - oh goodness yes. Getting an NVD API key from them and setting it in your environment/config file helps a lot, but we're probably going to switch to using a mirror of NVD in 2023.

Yes, the helper script should do most of the work for you if there's a relatively easy pattern to be found!
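As an added illustration of the CONTAINS / FILENAME / VERSION / VENDOR_PRODUCT fields discussed in the last two comments (example code written for this thread, not code from the cve-bin-tool project, and it does not import cve_bin_tool so it runs stand-alone): the version regex is anchored on the openshift/origin module path so that the Kubernetes gitVersion embedded in the same Go binary is not reported as the product version. The binary names in FILENAME_PATTERNS and the CPE vendor/product pair are assumptions to verify against the NVD CPE dictionary; the `strings` output is constructed from the -ldflags line posted above.

```python
import re

# Attribute names follow the shape of a cve-bin-tool checker class, but this
# is a stand-alone example: nothing here imports cve_bin_tool.
CONTAINS_PATTERNS = [
    r"github\.com/openshift/origin/pkg/version\.versionFromGit=",
]
# Assumption: binaries the origin rpm installs under these names.
FILENAME_PATTERNS = [r"^openshift$", r"^oc$"]
# Anchored on the origin module path so the vendored Kubernetes
# gitVersion (v1.10.0+...) in the same binary is not captured.
VERSION_PATTERNS = [
    r"github\.com/openshift/origin/pkg/version\.versionFromGit=v([0-9]+\.[0-9]+\.[0-9]+)",
]
# Assumption: CPE vendor/product pair; check it against the NVD CPE dictionary.
VENDOR_PRODUCT = [("redhat", "openshift_origin")]

# Constructed `strings` output modelled on the -ldflags line from the thread.
SAMPLE_STRINGS = (
    "/usr/lib/golang/src/runtime/proc.go\n"
    'build -ldflags="-X github.com/openshift/origin/pkg/version.majorFromGit=3 '
    "-X github.com/openshift/origin/pkg/version.versionFromGit=v3.11.0+20c5b86 "
    "-X github.com/openshift/origin/vendor/k8s.io/kubernetes/pkg/version"
    '.gitVersion=v1.10.0+b3b92b2" v3.11.0+20c5b86\n'
)


def contains_match(strings_output: str) -> bool:
    """True if any CONTAINS pattern appears in the strings output."""
    return any(re.search(p, strings_output) for p in CONTAINS_PATTERNS)


def filename_match(name: str) -> bool:
    """True if the file name matches one of the FILENAME patterns."""
    return any(re.search(p, name) for p in FILENAME_PATTERNS)


def extract_versions(strings_output: str) -> list[str]:
    """Distinct versions captured by VERSION_PATTERNS, sorted; [] when none match."""
    found: set[str] = set()
    for pattern in VERSION_PATTERNS:
        found.update(re.findall(pattern, strings_output))
    return sorted(found)


def scan(strings_output: str) -> list[tuple[str, str, str]]:
    """(vendor, product, version) triples, the way a checker reports a hit."""
    if not contains_match(strings_output):
        return []
    versions = extract_versions(strings_output)
    return [(v, p, ver) for v, p in VENDOR_PRODUCT for ver in versions]
```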