sonatype-nexus-community / ahab

ahab is a tool to check for vulnerabilities in your apt, apk, or yum powered operating systems, powered by Sonatype OSS Index.
Apache License 2.0
66 stars, 17 forks

[BUG] Piping in alpine packages and getting debian results #39

Open ButterB0wl opened 4 years ago

ButterB0wl commented 4 years ago

Steps to reproduce

Pull latest alpine distribution of the ghost image: docker pull ghost:alpine

Make sure that the image distro is alpine:

$ docker run -it ghost:alpine cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.11.6
PRETTY_NAME="Alpine Linux v3.11"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"

Run the alpine package list command from the help docs:

$ docker run -it ghost:alpine apk info -vv | sort
WARNING: Ignoring APKINDEX.70f61090.tar.gz: No such file or directory
WARNING: Ignoring APKINDEX.ca2fea5b.tar.gz: No such file or directory
alpine-baselayout-3.2.0-r3 - Alpine base dir structure and init scripts
alpine-keys-2.1-r2 - Public keys for Alpine Linux packages
apk-tools-2.10.5-r0 - Alpine Package Keeper - package manager for alpine
bash-5.0.11-r1 - The GNU Bourne Again shell
busybox-1.31.1-r9 - Size optimized toolbox of many common UNIX utilities
ca-certificates-cacert-20191127-r1 - Mozilla bundled certificates
libc-utils-0.7.2-r0 - Meta package to pull in correct libc
libcrypto1.1-1.1.1g-r0 - Crypto library from openssl
libgcc-9.2.0-r4 - GNU C compiler runtime libraries
libssl1.1-1.1.1g-r0 - SSL shared libraries
libstdc++-9.2.0-r4 - GNU C++ standard runtime library
libtls-standalone-2.9.1-r0 - libtls extricated from libressl sources
musl-1.1.24-r2 - the musl c library (libc) implementation
musl-utils-1.1.24-r2 - the musl c library (libc) implementation
ncurses-libs-6.1_p20200118-r4 - Ncurses libraries
ncurses-terminfo-base-6.1_p20200118-r4 - Descriptions of common terminals
readline-8.0.1-r0 - GNU readline library
scanelf-1.2.4-r0 - Scan ELF binaries for stuff
ssl_client-1.31.1-r9 - EXternal ssl_client for busybox wget
su-exec-0.2-r1 - switch user and group id, setgroups and exec
zlib-1.2.11-r3 - A compression/decompression Library

Piping the above output does not work because of those two warning lines but the error message isn't the most helpful here:

$ docker run -it ghost:alpine apk info -vv | sort | ./ahab chase
Uh oh, an error occurred, if this persists try rerunning with -v, -vv, or -vvv to get more information in the logs
Error: An error occurred: [400 Bad Request] error accessing OSS Index
Check log file at /home/artie/.ossindex/ahab.combined.log for more information
artie@ArtieSonaDell:~/git_repos/ahab$ cat /home/artie/.ossindex/ahab.combined.log
{"level":"error","msg":"Error: exit status 1\n","time":"2020-09-07T20:02:29-04:00"}
{"level":"error","msg":"Error: exit status 1\n","time":"2020-09-07T20:02:29-04:00"}
{"level":"error","msg":"Error: exit status 1\n","time":"2020-09-07T20:02:29-04:00"}
{"level":"error","msg":"Error accessing OSS Index","resp_status_code":"400 Bad Request","time":"2020-09-07T20:02:30-04:00"}
{"level":"error","msg":"An error occurred: [400 Bad Request] error accessing OSS Index","time":"2020-09-07T20:02:30-04:00"}

So I pipe it to a file and remove the two warnings at the top, then pipe that to ahab:

$ cat ghost.txt
alpine-baselayout-3.2.0-r3 - Alpine base dir structure and init scripts
alpine-keys-2.1-r2 - Public keys for Alpine Linux packages
apk-tools-2.10.5-r0 - Alpine Package Keeper - package manager for alpine
bash-5.0.11-r1 - The GNU Bourne Again shell
busybox-1.31.1-r9 - Size optimized toolbox of many common UNIX utilities
ca-certificates-cacert-20191127-r1 - Mozilla bundled certificates
libc-utils-0.7.2-r0 - Meta package to pull in correct libc
libcrypto1.1-1.1.1g-r0 - Crypto library from openssl
libgcc-9.2.0-r4 - GNU C compiler runtime libraries
libssl1.1-1.1.1g-r0 - SSL shared libraries
libstdc++-9.2.0-r4 - GNU C++ standard runtime library
libtls-standalone-2.9.1-r0 - libtls extricated from libressl sources
musl-1.1.24-r2 - the musl c library (libc) implementation
musl-utils-1.1.24-r2 - the musl c library (libc) implementation
ncurses-libs-6.1_p20200118-r4 - Ncurses libraries
ncurses-terminfo-base-6.1_p20200118-r4 - Descriptions of common terminals
readline-8.0.1-r0 - GNU readline library
scanelf-1.2.4-r0 - Scan ELF binaries for stuff
ssl_client-1.31.1-r9 - EXternal ssl_client for busybox wget
su-exec-0.2-r1 - switch user and group id, setgroups and exec
zlib-1.2.11-r3 - A compression/decompression Library

$ cat ghost.txt | ./ahab chase --loud
 ______      __                    __
/\  _  \    /\ \                  /\ \
\ \ \L\ \   \ \ \___       __     \ \ \____
 \ \  __ \   \ \  _ `\   /'__`\    \ \ '__`\
  \ \ \/\ \   \ \ \ \ \ /\ \L\.\_   \ \ \L\ \
   \ \_\ \_\   \ \_\ \_\\ \__/.\_\   \ \_,__/
    \/_/\/_/    \/_/\/_/ \/__/\/_/    \/___/
  _        _                           _    _
 /_)      /_` _  _  _ _/_     _  _    (/   /_` _ . _  _   _/  _
/_) /_/  ._/ /_// //_|/  /_/ /_//_'  (_X  /   / / /_'/ //_/ _\
    _/                   _/ /
Ahab version: development

Non Vulnerable Packages

[1/21]  pkg:deb/debian/alpine-baselayout-3.2.0-r3@-
[2/21]  pkg:deb/debian/alpine-keys-2.1-r2@-
[3/21]  pkg:deb/debian/apk-tools-2.10.5-r0@-
[4/21]  pkg:deb/debian/bash-5.0.11-r1@-
[5/21]  pkg:deb/debian/busybox-1.31.1-r9@-
[6/21]  pkg:deb/debian/ca-certificates-cacert-20191127-r1@-
[7/21]  pkg:deb/debian/libc-utils-0.7.2-r0@-
[8/21]  pkg:deb/debian/libcrypto1.1-1.1.1g-r0@-
[9/21]  pkg:deb/debian/libgcc-9.2.0-r4@-
[10/21] pkg:deb/debian/libssl1.1-1.1.1g-r0@-
[11/21] pkg:deb/debian/libtls-standalone-2.9.1-r0@-
[12/21] pkg:deb/debian/musl-1.1.24-r2@-
[13/21] pkg:deb/debian/musl-utils-1.1.24-r2@-
[14/21] pkg:deb/debian/ncurses-libs-6.1_p20200118-r4@-
[15/21] pkg:deb/debian/ncurses-terminfo-base-6.1_p20200118-r4@-
[16/21] pkg:deb/debian/readline-8.0.1-r0@-
[17/21] pkg:deb/debian/scanelf-1.2.4-r0@-
[18/21] pkg:deb/debian/ssl_client-1.31.1-r9@-
[19/21] pkg:deb/debian/su-exec-0.2-r1@-
[20/21] pkg:deb/debian/zlib-1.2.11-r3@-
[21/21] pkg:deb/debian/libstdc%20%20-9.2.0-r4@-
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary                      ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━┫
┃ Audited Dependencies    ┃ 21 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━┫
┃ Vulnerable Dependencies ┃ 0  ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━┛

And the alpine packages are reported as debian packages, and formatted all funky.

Here's what the IQ report looks like for the same input: (image)

cc @bhamail / @DarthHater / @ken-duck / @zendern
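As an added illustration of the parsing the report is about (this is example code written for this thread, not ahab's own implementation; the function names ParseApkInfo, Purl and purlEscape are made up here), the following Go program reads the `apk info -vv` listing shown above, drops the two APKINDEX WARNING lines instead of failing on them, splits each entry into package name and version at the last "-" that is followed by a digit (so the "-rN" release suffix stays with the version), and emits pkg:apk/alpine/... package URLs. It percent-encodes every byte outside the RFC 3986 unreserved set, so libstdc++ becomes libstdc%2B%2B rather than the libstdc%20%20 seen in the output above. The embedded listing is a constructed subset of the issue's output.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleApkInfo is a constructed excerpt of the `apk info -vv | sort`
// output from the issue, including one of the WARNING lines.
const sampleApkInfo = `WARNING: Ignoring APKINDEX.70f61090.tar.gz: No such file or directory
alpine-baselayout-3.2.0-r3 - Alpine base dir structure and init scripts
ca-certificates-cacert-20191127-r1 - Mozilla bundled certificates
libstdc++-9.2.0-r4 - GNU C++ standard runtime library
ncurses-terminfo-base-6.1_p20200118-r4 - Descriptions of common terminals
`

// Package is one installed apk package (name and full version with -rN suffix).
type Package struct {
	Name    string
	Version string
}

// splitNameVersion splits "libgcc-9.2.0-r4" into ("libgcc", "9.2.0-r4").
// The boundary is the last '-' followed by a digit; the "-rN" release
// suffix starts with a letter, so it is never chosen as the boundary.
func splitNameVersion(s string) (name, version string, ok bool) {
	for i := len(s) - 2; i > 0; i-- {
		if s[i] == '-' && s[i+1] >= '0' && s[i+1] <= '9' {
			return s[:i], s[i+1:], true
		}
	}
	return "", "", false
}

// ParseApkInfo parses `apk info -vv` output. Lines that are blank, start
// with "WARNING:" or cannot be split into name and version are returned
// in skipped rather than aborting the whole run.
func ParseApkInfo(out string) (pkgs []Package, skipped []string) {
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "WARNING:") {
			if line != "" {
				skipped = append(skipped, line)
			}
			continue
		}
		// The package identifier is everything before the first " - ".
		ident := line
		if i := strings.Index(line, " - "); i >= 0 {
			ident = line[:i]
		}
		name, version, ok := splitNameVersion(ident)
		if !ok {
			skipped = append(skipped, line)
			continue
		}
		pkgs = append(pkgs, Package{Name: name, Version: version})
	}
	return pkgs, skipped
}

// purlEscape percent-encodes every byte outside the RFC 3986 unreserved
// set (ALPHA / DIGIT / "-" / "." / "_" / "~"), so '+' becomes %2B.
func purlEscape(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9',
			c == '-', c == '.', c == '_', c == '~':
			b.WriteByte(c)
		default:
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// Purl renders a package as a pkg:apk/alpine/<name>@<version> package URL.
func Purl(p Package) string {
	return "pkg:apk/alpine/" + purlEscape(p.Name) + "@" + purlEscape(p.Version)
}

func main() {
	pkgs, skipped := ParseApkInfo(sampleApkInfo)
	for _, l := range skipped {
		fmt.Println("skipped:", l)
	}
	for i, p := range pkgs {
		fmt.Printf("[%d/%d] %s\n", i+1, len(pkgs), Purl(p))
	}
}
```

Running it prints one skipped line for the WARNING and four pkg:apk/alpine/ purls; the same parser would accept the full piped `apk info -vv` output without the manual cleanup step described above.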

DarthHater commented 4 years ago

For your last command, try cat ghost.txt | ./ahab chase --loud --os alpine, I think it is auto detecting dpkg and using that. I was able to run your commands with --os alpine specified (even with the WARNING lines).

ButterB0wl commented 4 years ago

Yeah, I got it working specifying the OS explicitly. Are all the package list outputs sufficiently similar that it would be a pain to resolve based on that payload?

DarthHater commented 3 years ago

@ButterB0wl I noticed most of the outputs were wildly different, hence why I added this. Not common enough to figure it out on the fly.