wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

Validate Vulnerability Detection doesn't analyze brew packages from macOS agents #4017

Closed BelenValdivia closed 1 year ago

BelenValdivia commented 1 year ago
| Target version | Related issue | Related PR | Test planning |
|---|---|---|---|
| 4.6 | https://github.com/wazuh/wazuh/issues/15805 | https://github.com/wazuh/wazuh/pull/16089 | https://github.com/wazuh/wazuh-qa/issues/4008 |

Description

This issue aims to fix the syscollector module's inability to retrieve homebrew/brew vendors.

Proposed checks

BelenValdivia commented 1 year ago

23/03/2023

BelenValdivia commented 1 year ago

27/03/2023

BelenValdivia commented 1 year ago

Review data

| Tester | PR commit |
|---|---|
| @BelenValdivia | https://github.com/wazuh/wazuh/pull/16089/commits/22d1a03b573dc2f57633029ca5efdebea1878365 |

Testing environment

| OS | Deployment | Image/AMI | Notes |
|---|---|---|---|
| Ubuntu | local | ubuntu/bionic64 | |
| macOS Mojave | local | danimaetrix/macOS-mojave | |

Tested packages

| System | Manager | Agent |
|---|---|---|
| Ubuntu | deb | |
| macOS Mojave | | pkg |

Status

BelenValdivia commented 1 year ago

Testing results

Behavior before the change

The brew packages in macOS with a @ in their name are not analyzed

1. Install Wazuh manager and Wazuh agent with production version 4.3.10
2. Install Python, OpenSSL, and Postgresql with homebrew.
3. Check the package in the manager's DB `/var/ossec/queue/db/agent_id.db`

- OpenSSL:

```
root@ubuntu1:/home/vagrant# sqlite3 /var/ossec/queue/db/001.db 'select * from sys_programs where name = "openssl@1.1"' --line
scan_id = 0
scan_time = 2023/03/23 18:09:30
format = pkg
name = openssl@1.1
priority =
section =
size = 0
vendor =
install_time =
version = 1.1.1d
architecture =
multiarch =
source = homebrew
description = Cryptography and SSL/TLS Toolkit
location = /usr/local/Cellar
triaged = 0
cpe =
msu_name =
checksum = cfce37459498d890ddd628353b607f3b973a1702
item_id = 16c8e91b32da131b4ef783b4cb4dc08f0c0f0802
```

- Postgresql:

```
root@ubuntu1:/var/ossec/queue/db# sqlite3 /var/ossec/queue/db/001.db 'select * from sys_programs where name = "postgresql@14"' --line
scan_id = 0
scan_time = 2023/03/23 22:03:22
format = pkg
name = postgresql@14
priority =
section =
size = 0
vendor =
install_time =
version = 14.7
architecture =
multiarch =
source = homebrew
description = Object-relational database system
location = /usr/local/Cellar
triaged = 1
cpe =
msu_name =
checksum = af5c058bb9f413bf450454d5fed8ce49b07e0f12
item_id = 0ce397d99ab178a2f3b56cfbb7038cbae1c2aa8f
```

- Python:

```
root@ubuntu1:/home/vagrant# sqlite3 /var/ossec/queue/db/001.db 'select * from sys_programs where name = "python@3.7"' --line
scan_id = 0
scan_time = 2023/03/23 19:50:15
format = pkg
name = python@3.7
priority =
section =
size = 0
vendor =
install_time =
version = 3.7.5
architecture =
multiarch =
source = homebrew
description = Interpreted, interactive, object-oriented programming language
location = /usr/local/Cellar
triaged = 0
cpe =
msu_name =
checksum = 87312e3124f89a2069346de38ba4fae5a35d6f23
item_id = 04ed3c3c22318bb9b56e74aa83e1984dfe0333b3
```

4. Check vuln_cves in database

- OpenSSL:

```
sqlite> select name, version, cve from vuln_cves where name like "%openssl@1.1%";
sqlite>
```

- Postgresql:

```
sqlite> select name, version, cve from vuln_cves where name like "%postgresql@14%";
sqlite>
```

- Python:

```
sqlite> select name, version, cve from vuln_cves where name like "%python@3.7%";
sqlite>
```

Fresh install

The package with @ in the name is analyzed by vulnerability detector 🟒

  • Case 1: Check OpenSSL package 🟒

1. Install the Wazuh agent on macOS
2. Install the Wazuh manager
3. Install the OpenSSL package with homebrew
4. Activate the Vulnerability Detector module with NVD enabled in the manager configuration

```
yes
2019
1h
```

5. Check that the installed package is in the `sys_programs` db table and the name of the package no longer has the version inside

```
root@ubuntu1:/home/vagrant# sqlite3 /var/ossec/queue/db/002.db 'select * from sys_programs where name = "openssl"' --line
scan_id = 0
scan_time = 2023/03/28 15:06:25
format = pkg
name = openssl
priority =
section =
size = 0
vendor =
install_time =
version = 1.1.1d
architecture =
multiarch =
source = homebrew
description = Cryptography and SSL/TLS Toolkit
location = /usr/local/Cellar
triaged = 0
cpe =
msu_name =
checksum = d8db0c1c6ee19ef8961d45738dfc12601bf30524
item_id = c5a7ffd184a6ac2d7ec8ffc5aaa7da571ae1d2eb
```

6. The package is properly analyzed by vulnerability detector and there are vulnerabilities in the `vuln_cves` table

```
sqlite> select name, version, cve from vuln_cves where name like "%openssl%";
openssl|1.1.1d|CVE-2021-3449
openssl|1.1.1d|CVE-2021-4160
openssl|1.1.1d|CVE-2022-2097
openssl|1.1.1d|CVE-2023-0286
openssl|1.1.1d|CVE-2022-4450
openssl|1.1.1d|CVE-2021-3711
openssl|1.1.1d|CVE-2021-3712
openssl|1.1.1d|CVE-2022-4304
openssl|1.1.1d|CVE-2022-0778
openssl|1.1.1d|CVE-2019-1551
openssl|1.1.1d|CVE-2021-23840
openssl|1.1.1d|CVE-2021-23841
openssl|1.1.1d|CVE-2022-1292
openssl|1.1.1d|CVE-2022-2068
openssl|1.1.1d|CVE-2020-1967
openssl|1.1.1d|CVE-2020-1971
openssl|1.1.1d|CVE-2023-0215
```

  • Case 2: Check Python package 🟒

1. Install the Wazuh agent on macOS
2. Install the Wazuh manager
3. Install the Python package with homebrew
4. Activate the Vulnerability Detector module with NVD enabled in the manager configuration

```
yes
2019
1h
```

5. Check that the installed package is in the `sys_programs` db table and the name of the package no longer has the version inside

```
root@ubuntu1:/home/vagrant# sqlite3 /var/ossec/queue/db/002.db 'select * from sys_programs where name = "python"' --line
scan_id = 0
scan_time = 2023/03/28 15:06:13
format = pkg
name = python
priority =
section =
size = 0
vendor =
install_time =
version = 3.7.5
architecture =
multiarch =
source = homebrew
description = Interpreted, interactive, object-oriented programming language
location = /usr/local/Cellar
triaged = 0
cpe =
msu_name =
checksum = 27312e9301f89a2069346de38ba4fae5a35d6f53
item_id = 08ed7c3c55398bb9b56e74aa83e1984dfe0449a0
```

6. The package is properly analyzed by vulnerability detector and there are vulnerabilities in the `vuln_cves` table

```
sqlite> select name, version, cve from vuln_cves where name like "%python%";
python|3.7.5|CVE-2021-28861
python|3.7.5|CVE-2020-8492
python|3.7.5|CVE-2020-27619
python|3.7.5|CVE-2019-12900
python|3.7.5|CVE-2021-23336
python|3.7.5|CVE-2019-20907
python|3.7.5|CVE-2022-42919
python|3.7.5|CVE-2021-4189
python|3.7.5|CVE-2020-10735
python|3.7.5|CVE-2019-18348
python|3.7.5|CVE-2021-3426
python|3.7.5|CVE-2021-3177
python|3.7.5|CVE-2021-3733
python|3.7.5|CVE-2021-3737
python|3.7.5|CVE-2020-14422
python|3.7.5|CVE-2020-8315
python|3.7.5|CVE-2022-45061
python|3.7.5|CVE-2020-26116
python|3.7.5|CVE-2022-0391
python|3.7.5|CVE-2023-24329
python|3.7.5|CVE-2022-37454
```

  • Case 3: Check Postgresql package 🟒

1. Install the Wazuh agent on macOS
2. Install the Wazuh manager
3. Install the Postgresql package with homebrew
4. Activate the Vulnerability Detector module with NVD enabled in the manager configuration

```
yes
2019
1h
```

5. Check that the installed package is in the `sys_programs` db table and the name of the package no longer has the version inside

```
root@ubuntu1:/home/vagrant# sqlite3 /var/ossec/queue/db/002.db 'select * from sys_programs where name = "postgresql"' --line
scan_id = 0
scan_time = 2023/03/28 15:06:13
format = pkg
name = postgresql
priority =
section =
size = 0
vendor =
install_time =
version = 10.22
architecture =
multiarch =
source = homebrew
description = Object-relational database system
location = /usr/local/Cellar
triaged = 0
cpe =
msu_name =
checksum = e8c37d2ad02268e27a9d19d3fa557f0e4d519ce3
item_id = 0b7be8792439bef33fd31ecee4657bbcd3403ca5
```

6. The package is properly analyzed by vulnerability detector and there are vulnerabilities in the `vuln_cves` table

```
sqlite> select name, version, cve from vuln_cves where name like "%postgresql%";
postgresql|10.22|CVE-2021-3393
postgresql|10.22|CVE-2019-9193
```

Upgrade

The package with @ in the name is analyzed by vulnerability detector 🟒

  • Case 1: Check OpenSSL package 🟒

1. Upgrade the Wazuh agent on macOS from production version 4.3.10 to the version with the changes
2. Upgrade the Wazuh manager from production version 4.3.10 to the version with the changes
3. Install the OpenSSL package with homebrew
4. Activate the Vulnerability Detector module with NVD enabled in the manager configuration

```
yes
2019
1h
```

5. Check that the installed package is in the `sys_programs` db table and the name of the package no longer has the version inside

```
root@ubuntu1:/var/ossec/queue/db# sqlite3 /var/ossec/queue/db/001.db 'select * from sys_programs where name = "openssl"' --line
scan_id = 0
scan_time = 2023/03/27 14:58:03
format = pkg
name = openssl
priority =
section =
size = 0
vendor =
install_time =
version = 1.1.1d
architecture =
multiarch =
source = homebrew
description = Cryptography and SSL/TLS Toolkit
location = /usr/local/Cellar
triaged = 1
cpe =
msu_name =
checksum = d8db0c1c6ee19ef8961d45738dfc12601bf30524
item_id = c5a7ffd184a6ac2d7ec8ffc5aaa7da571ae1d2eb
```

6. The package is properly analyzed by vulnerability detector and there are vulnerabilities in the `vuln_cves` table

```
sqlite> select name, version, cve from vuln_cves where name like "%openssl";
openssl|1.1.1d|CVE-2021-3449
openssl|1.1.1d|CVE-2021-4160
openssl|1.1.1d|CVE-2022-2097
openssl|1.1.1d|CVE-2023-0286
openssl|1.1.1d|CVE-2022-4450
openssl|1.1.1d|CVE-2021-3711
openssl|1.1.1d|CVE-2021-3712
openssl|1.1.1d|CVE-2022-4304
openssl|1.1.1d|CVE-2022-0778
openssl|1.1.1d|CVE-2019-1551
openssl|1.1.1d|CVE-2021-23840
openssl|1.1.1d|CVE-2021-23841
openssl|1.1.1d|CVE-2022-1292
openssl|1.1.1d|CVE-2022-2068
openssl|1.1.1d|CVE-2020-1967
openssl|1.1.1d|CVE-2020-1971
openssl|1.1.1d|CVE-2023-0215
```

  • Case 2: Check Python package 🟒

1. Upgrade the Wazuh agent on macOS from production version 4.3.10 to the version with the changes
2. Upgrade the Wazuh manager from production version 4.3.10 to the version with the changes
3. Install the Python package with homebrew
4. Activate the Vulnerability Detector module with NVD enabled in the manager configuration

```
yes
2019
1h
```

5. Check that the installed package is in the `sys_programs` db table and the name of the package no longer has the version inside

```
root@ubuntu1:/home/vagrant# sqlite3 /var/ossec/queue/db/001.db 'select * from sys_programs where name = "python"' --line
scan_id = 0
scan_time = 2023/03/28 11:46:43
format = pkg
name = python
priority =
section =
size = 0
vendor =
install_time =
version = 3.7.5
architecture =
multiarch =
source = homebrew
description = Interpreted, interactive, object-oriented programming language
location = /usr/local/Cellar
triaged = 1
cpe =
msu_name =
checksum = 27312e9301f89a2069346de38ba4fae5a35d6f53
item_id = 08ed7c3c55398bb9b56e74aa83e1984dfe0449a0
```

6. The package is properly analyzed by vulnerability detector and there are vulnerabilities in the `vuln_cves` table

```
sqlite> select name, version, cve from vuln_cves where name like "%python%";
name|version|cve
python|3.7.5|CVE-2021-28861
python|3.7.5|CVE-2020-8492
python|3.7.5|CVE-2020-27619
python|3.7.5|CVE-2019-12900
python|3.7.5|CVE-2021-23336
python|3.7.5|CVE-2019-20907
python|3.7.5|CVE-2022-42919
python|3.7.5|CVE-2021-4189
python|3.7.5|CVE-2020-10735
python|3.7.5|CVE-2019-18348
python|3.7.5|CVE-2021-3426
python|3.7.5|CVE-2021-3177
python|3.7.5|CVE-2021-3733
python|3.7.5|CVE-2021-3737
python|3.7.5|CVE-2020-14422
python|3.7.5|CVE-2020-8315
python|3.7.5|CVE-2022-45061
python|3.7.5|CVE-2020-26116
python|3.7.5|CVE-2022-0391
python|3.7.5|CVE-2023-24329
python|3.7.5|CVE-2022-37454
```

  • Case 3: Check Postgresql package 🟒

1. Upgrade the Wazuh agent on macOS from production version 4.3.10 to the version with the changes
2. Upgrade the Wazuh manager from production version 4.3.10 to the version with the changes
3. Install the Postgresql package with homebrew
4. Activate the Vulnerability Detector module with NVD enabled in the manager configuration

```
yes
2019
1h
```

5. Check that the installed package is in the `sys_programs` db table and the name of the package no longer has the version inside

```
root@ubuntu1:/var/ossec/queue/db# sqlite3 /var/ossec/queue/db/001.db 'select * from sys_programs where name = "postgresql"' --line
scan_id = 0
scan_time = 2023/03/27 16:29:38
format = pkg
name = postgresql
priority =
section =
size = 0
vendor =
install_time =
version = 10.22
architecture =
multiarch =
source = homebrew
description = Object-relational database system
location = /usr/local/Cellar
triaged = 1
cpe =
msu_name =
checksum = e8c37d2ad02268e27a9d19d3fa557f0e4d519ce3
item_id =
```

6. The package is properly analyzed by vulnerability detector and there are vulnerabilities in the `vuln_cves` table

```
sqlite> select name, version, cve from vuln_cves where name like "%postgresql";
postgresql|10.22|CVE-2021-3393
postgresql|10.22|CVE-2019-9193
```

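The checks the tester ran by hand in the comment above can be scripted and rerun against any agent DB on the manager. The following is an added example, not code from the wazuh-qa test suite or from Wazuh itself. It opens an agent DB read-only (or, with no argument, a constructed in-memory stand-in), lists Homebrew packages whose `name` still carries an `@version` suffix (the bug this issue validates), lists Homebrew packages for which `vuln_cves` holds no rows, and parses a `<vulnerability-detector>` block to confirm the NVD provider is enabled. Assumptions: the XML tag names (the page shows only the values `yes`, `2019` and `1h`; the tags are taken from the Wazuh 4.x configuration reference), the reduced table schema (only the columns the queries need, named as in the sqlite output above), the sample rows including an extra `wget` entry, and the script file name `brew_vd_check.py`.

```python
"""Scriptable version of the manual sqlite3 checks in this test report.

Added example; not part of wazuh-qa or Wazuh. Every assumption is marked.
"""
import sqlite3
import sys
import xml.etree.ElementTree as ET

# Assumed Wazuh 4.x ossec.conf fragment. The tag names are an assumption taken
# from the vulnerability-detector configuration reference; the values
# yes / 2019 / 1h are the ones shown in step 4 of the test cases.
ASSUMED_VD_CONF = """
<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <run_on_start>yes</run_on_start>
  <provider name="nvd">
    <enabled>yes</enabled>
    <update_from_year>2019</update_from_year>
    <update_interval>1h</update_interval>
  </provider>
</vulnerability-detector>
"""


def nvd_provider_settings(conf_xml: str) -> dict:
    """Return the NVD provider's settings as {tag: text}, or {} if absent."""
    root = ET.fromstring(conf_xml.strip())
    for provider in root.findall("provider"):
        if provider.get("name") == "nvd":
            return {child.tag: (child.text or "").strip() for child in provider}
    return {}


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for /var/ossec/queue/db/<agent_id>.db.

    Reduced schema: only the columns the checks use. Rows mirror the report:
    pre-fix names keep the @version suffix and have no CVEs, post-fix names
    are bare and have CVEs. 'wget' is an extra constructed row with no CVEs.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sys_programs (format TEXT, name TEXT, version TEXT,
                                   source TEXT, triaged INTEGER);
        CREATE TABLE vuln_cves (name TEXT, version TEXT, cve TEXT);
    """)
    conn.executemany(
        "INSERT INTO sys_programs VALUES ('pkg', ?, ?, 'homebrew', 0)",
        [("openssl@1.1", "1.1.1d"), ("python@3.7", "3.7.5"),
         ("openssl", "1.1.1d"), ("postgresql", "10.22"), ("wget", "1.21.3")],
    )
    conn.executemany(
        "INSERT INTO vuln_cves VALUES (?, ?, ?)",
        [("openssl", "1.1.1d", "CVE-2021-3449"),
         ("openssl", "1.1.1d", "CVE-2023-0286"),
         ("postgresql", "10.22", "CVE-2019-9193")],
    )
    conn.commit()
    return conn


def versioned_brew_names(conn: sqlite3.Connection) -> list:
    """Homebrew packages whose name still embeds a version: the bug under test."""
    rows = conn.execute(
        "SELECT name FROM sys_programs "
        "WHERE source = 'homebrew' AND name LIKE '%@%' ORDER BY name"
    )
    return [r[0] for r in rows]


def brew_packages_without_cves(conn: sqlite3.Connection) -> list:
    """(name, version) of Homebrew packages with no matching vuln_cves rows."""
    rows = conn.execute(
        "SELECT p.name, p.version FROM sys_programs p "
        "LEFT JOIN vuln_cves v ON v.name = p.name AND v.version = p.version "
        "WHERE p.source = 'homebrew' "
        "GROUP BY p.name, p.version HAVING COUNT(v.cve) = 0 ORDER BY p.name"
    )
    return [(r[0], r[1]) for r in rows]


def main(argv: list) -> int:
    # With a DB path, open the real agent DB read-only; otherwise use the sample.
    if len(argv) > 1:
        conn = sqlite3.connect(f"file:{argv[1]}?mode=ro", uri=True)
    else:
        conn = build_sample_db()
    # The NVD settings are read from the embedded (assumed) fragment here;
    # on a real manager you would read them from /var/ossec/etc/ossec.conf.
    print("NVD provider:", nvd_provider_settings(ASSUMED_VD_CONF) or "not configured")
    versioned = versioned_brew_names(conn)
    print("Homebrew packages still named with @version:", versioned)
    print("Homebrew packages with no vuln_cves rows:", brew_packages_without_cves(conn))
    # Fail only on the unambiguous signal: a name that still carries '@'.
    return 1 if versioned else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the manager as `python3 brew_vd_check.py /var/ossec/queue/db/001.db`, or with no argument to exercise the sample DB. An empty result from the `@` check is the decisive regression signal for this issue; a package with no `vuln_cves` rows is only suggestive, because a package can legitimately have no CVEs in the feed (the constructed `wget` row is listed for exactly that reason), so that list is reported but does not affect the exit code.
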
BelenValdivia commented 1 year ago

Conclusion 🟒

The behavior is as expected. The brew packages in macOS are no longer reported with a @ in their name, and these packages are now analyzed by Vulnerability Detector. We decided to test this change on a macOS Mojave agent.

damarisg commented 1 year ago

QA review