sjvermeu / cvechecker

Command-line utility to scan the system and report on potential vulnerabilities, based on public CVE data
GNU General Public License v3.0

Nothing detected on RHEL 7 and Fedora #30

Closed sztsian closed 7 years ago

sztsian commented 7 years ago

I've packaged cvechecker to EPEL and Fedora. When I am testing how it works, I find it detects no risk on RHEL 7 (CentOS 7) and Fedora 25. I think it is a potential issue since even when I am trying with CentOS 7.3, it reports nothing. Can you take a look into this?

Packages can be found here https://koji.fedoraproject.org/koji/packageinfo?packageID=24352

sztsian commented 7 years ago

I also tested a 3.8 version locally on Fedora 25, nothing reported either.

sjvermeu commented 7 years ago

I'll see if I can reproduce on a Fedora or CentOS VM this weekend. In the meantime, can you see if cvechecker at least reports that it found software on the system?

~$ cvechecker -s

For instance, on my system it has lines like so:

Detected vendor="xfs", product="acl", version="2.2.52", update="", edition="", language="" on host="clevo", userkey="clevo"
Detected vendor="gnu", product="gettext", version="1.05", update="", edition="", language="" on host="clevo", userkey="clevo"
Detected vendor="gnu", product="binutils", version="2.25.1", update="", edition="", language="" on host="clevo", userkey="clevo"

sztsian commented 7 years ago

Unfortunately no. Nothing shows up.

$ sudo cvechecker -s
$ rpm -q cvechecker
cvechecker-3.8-1.fc25.x86_64
$

sjvermeu commented 7 years ago

I tried to reproduce (Fedora 25) but here cvechecker works just fine. I did build from source (not RPM) but the result or approach should be the same.

Initialize the MySQL database (only needs to happen once):
~# cvechecker -i

Download CVE information:
~# pullcves pull

Create the list of binaries:
~# find / -type f -perm -o+x > /root/scanlist.txt

Add the kernel version to the scanlist:
~# echo "/proc/version" >> /root/scanlist.txt

Inform cvechecker about the binaries. This is the phase in which cvechecker attempts to detect which software you have installed on the system, by reading the binaries and trying to obtain identification from them:
~# cvechecker -b scanlist.txt

To see which software it detected (it would also have output that during the previous command as it progressed):
~# cvechecker -s

I did this successfully with the current 3.8 release, albeit with one issue: the CVE data from 2014 and 2016 contains illegal CPE identifiers (just one each year). This can be worked around by opening the nvdcve-2.0-YEAR.csv file in the /var/lib/cvechecker/cache location, going to the line that cvechecker mentioned for the illegal entry, deleting the line and saving the CSV again. Then load it manually with "cvechecker -c nvdcve-2.0-YEAR.csv".

This has been fixed in the sources, I just need to make a new release for that.
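The two manual parts of the procedure above (building the scan list, and dropping the one CSV line cvechecker flags as an illegal CPE entry before reloading it with "cvechecker -c") as a small POSIX shell script. This is an added example, not code from sjvermeu or the cvechecker project; the function names, the backup file suffix and the sample paths are assumptions. The cvechecker invocations themselves are only shown in the comment, since they need the tool and its database installed.

```shell
#!/bin/sh
# Added example (not part of cvechecker): scan-list construction and
# CSV clean-up steps from the thread, wrapped in functions.

# build_scanlist ROOT OUTFILE
# Writes every regular, world-executable file under ROOT to OUTFILE
# (same selection as "find / -type f -perm -o+x" in the comment) and
# appends /proc/version so the running kernel is identified as well.
# Afterwards: cvechecker -b OUTFILE ; cvechecker -s
build_scanlist() {
    root="$1"
    out="$2"
    find "$root" -type f -perm -o+x > "$out"
    echo "/proc/version" >> "$out"
}

# drop_csv_line FILE LINENO
# Removes the single line cvechecker reported as an illegal CPE entry
# from a cached nvdcve-2.0-YEAR.csv, keeping FILE.bak (suffix is an
# assumption) so the original can be restored. awk is used instead of
# "sed -i" so the script also works where sed lacks -i.
# Afterwards: cvechecker -c FILE
drop_csv_line() {
    file="$1"
    lineno="$2"
    cp "$file" "$file.bak"
    awk -v n="$lineno" 'NR != n' "$file.bak" > "$file"
}

# Usage (as root, with cvechecker installed), for example:
#   build_scanlist / /root/scanlist.txt && cvechecker -b /root/scanlist.txt
#   drop_csv_line /var/lib/cvechecker/cache/nvdcve-2.0-2014.csv 1234 \
#     && cvechecker -c /var/lib/cvechecker/cache/nvdcve-2.0-2014.csv
```

Note that `drop_csv_line` takes the line number exactly as cvechecker prints it; check the backup against the rewritten file before reloading, since a typo in the number silently removes a valid CVE entry instead of the broken one.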

sztsian commented 7 years ago

Oh thanks. I updated to 3.8 with patch up to commit 085b9dba4fe34e44bb54a6686f8943d6691003f9, and it detects potential risks on CentOS 1611. So I assume it works now.