MySQL database backend write errors?

[skriebel]

What did you do? (required. The issue will be closed when not provided.)

I'm running the following command to populate the oval database:

goval-dictionary fetch-ubuntu --dbtype=mysql --dbpath="write:pass@/oval?charset=utf8mb4&parseTime=true&loc=America%2FNew_York" 18

I've already tried without the pareTime options as well.
MySQL information: 5.7.30-0ubuntu0.18.04.1 charset is utf8mb4 I have strict mode disabled.

What did you expect to happen?

I expect to be able to pull OVAL data when I run vuls.

What happened instead?

I'm getting a few different warnings and a fatal error.

• Current Output

[Jun 26 20:47:19]  INFO [localhost] Validating config...
INFO[0000] -cvedb-type: mysql, -cvedb-url: user:pass@/cve?charset=utf8mb4, -cvedb-path:  
[Jun 26 20:47:19]  INFO [localhost] Loaded: /usr/share/vuls-data/results/2020-06-26T19:48:21Z
[Jun 26 20:47:19]  INFO [localhost] Validating db config...
INFO[0000] -cvedb-type: mysql, -cvedb-url: user:pass@/cve?charset=utf8mb4, -cvedb-path:  
INFO[0000] -ovaldb-type: mysql, -ovaldb-url: user:pass@/oval?charset=utf8mb4, -ovaldb-path:  
INFO[0000] -gostdb-type: sqlite3, -gostdb-url: , -gostdb-path: /usr/share/vuls-data/gost.sqlite3 
INFO[0000] -exploitdb-type: mysql, -exploitdb-url: user:pass@/exploitdb?charset=utf8mb4, -exploitdb-path:  
[Jun 26 20:47:19]  WARN [localhost] --gostdb-path=/usr/share/vuls-data/gost.sqlite3 file not found. Vuls can detect `patch-not-released-CVE-ID` using gost if the scan target server is Debian, RHEL or CentOS, For details, see `https://github.com/knqyf263/gost#fetch-redhat`
INFO[06-26|20:47:19] Opening Database.                        db=mysql
INFO[06-26|20:47:19] Migrating DB.                            db=mysql
[Jun 26 20:47:19]  INFO [localhost] localhost: 0 CVEs are detected with Library
[Jun 26 20:47:19]  WARN [localhost] OVAL for ubuntu 18.04 is old, last modified is 0001-01-01 00:00:00 +0000 UTC. It's recommended to update OVAL to improve scanning accuracy. How to update OVAL database, see https://github.com/kotakanbe/goval-dictionary#usage
[Jun 26 20:47:19]  WARN [localhost] Unable to detect vulns of running kernel because the version of the runnning kernel is unknown. server: localhost
[Jun 26 20:47:19]  WARN [localhost] The OVAL name of the running kernel image {Release:4.15.0-106-generic Version: RebootRequired:false} is not found. So vulns of `linux` wll be detected. server: localhost
[Jun 26 20:47:19] ERROR [localhost] Failed to fill with OVAL: Failed to get ubuntu OVAL info by package: oval.request{packName:"apparmor", versionRelease:"2.12-4ubuntu5.1", newVersionRelease:"", arch:"", binaryPackNames:[]string(nil), isSrcPack:false}, err: sql: Scan error on column index 4, name "date": unsupported Scan, storing driver.Value type []uint8 into type *time.Time

Please re-run the command using -debug and provide the output below.

goval-dictionary fetch-ubuntu --debug --dbtype=mysql --dbpath="write:pass@/oval?charset=utf8mb4&parseTime=true&loc=America%2FNew_York" 18
INFO[06-26|20:51:18] Fetching...                              URL=https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.bionic.cve.oval.xml.bz2
INFO[06-26|20:51:21] Fetched...                               URL=https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.bionic.cve.oval.xml.bz2
INFO[06-26|20:51:21] Finished fetching OVAL definitions 
INFO[06-26|20:51:23] Fetched                                  URL=https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.bionic.cve.oval.xml.bz2 OVAL definitions=10360
DBUG[06-26|20:51:24] in Ubuntu 
INFO[06-26|20:51:24] Skip (Same Timestamp)                    Family=ubuntu Version=18

Steps to reproduce the behaviour

Run the command to fill the database

Configuration (MUST fill this out):

• Go version (go version): go version go1.13 linux/amd64

• Go environment (go env):

  GO111MODULE=""
  GOARCH="amd64"
  GOBIN=""
  GOCACHE="/root/.cache/go-build"
  GOENV="/root/.config/go/env"
  GOEXE=""
  GOFLAGS=""
  GOHOSTARCH="amd64"
  GOHOSTOS="linux"
  GONOPROXY=""
  GONOSUMDB=""
  GOOS="linux"
  GOPATH="/root/go"
  GOPRIVATE=""
  GOPROXY="https://proxy.golang.org,direct"
  GOROOT="/usr/local/go"
  GOSUMDB="sum.golang.org"
  GOTMPDIR=""
  GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
  GCCGO="gccgo"
  AR="ar"
  CC="gcc"
  CXX="g++"
  CGO_ENABLED="1"
  GOMOD=""
  CGO_CFLAGS="-g -O2"
  CGO_CPPFLAGS=""
  CGO_CXXFLAGS="-g -O2"
  CGO_FFLAGS="-g -O2"
  CGO_LDFLAGS="-g -O2"
  PKG_CONFIG="pkg-config"
  GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build463003783=/tmp/go-build -gno-record-gcc-switches"

• Vuls environment: vuls v0.10.0 build-20200625_154321_89f49b0

• config.toml:

[cveDict]
type = "mysql"
url  = "read:pass@/cve?charset=utf8mb4"

[ovalDict]
type = "mysql"
url  = "read:pass@/oval?charset=utf8mb4"

[exploit]
type = "mysql"
url  = "read:pass@/exploitdb?charset=utf8mb4"

[servers]

[servers.localhost]
host = "localhost"
port = "local"
scanMode = [ "fast" ]

• command:

goval-dictionary fetch-ubuntu --dbtype=mysql --dbpath="write:pass@/oval?charset=utf8mb4&parseTime=true&loc=America%2FNew_York" 18

• Notes

I've tried with the sqlite3 backend it works as intended. I'm hoping to get the MySQL version fixed.

[shino]

This issue was closed because it has been inactive.