wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

Upgrade macOS package cases for Vulnerability Scanner E2E are not properly configured #5312

Closed Rebits closed 1 week ago

Rebits commented 2 weeks ago

Description

The recent replacement of Vulnerability Detection End-to-End (E2E) test cases for the macOS agent in PR #5174 introduced an issue where upgrade cases lack the necessary setup steps to install the specified package, leading to test failures on macOS endpoints.

Issue

In cases such as upgrade_package_nonvulnerable_to_vulnerable, the goal is to confirm that the luxon-2.5.2 version does not present any vulnerability and that the new vulnerability associated with the updated version, luxon-3.0.0, emerges. However, the current upgrade package structure only installs the package specified in the to field, assuming it is already present on the host system. This approach was likely implemented to avoid redundant package installations.

- case: 'Upgrade: Non vulnerable to vulnerable package'
  id: upgrade_package_nonvulnerable_to_vulnerable
  description: |
    Upgrade to non vulnerable package to vulnerable
  body:
    operation: update_package
    package:
      from:
        centos:
          amd64: grafana-9.5.13-1
          arm64v8: grafana-9.5.13-1
        ubuntu:
          amd64: grafana-9.5.13
          arm64v8: grafana-9.5.13
        windows:
          amd64: node-v18.20.2
        macos:
          amd64: luxon-2.5.2
          arm64v8: luxon-2.5.2
      to:
        centos:
          amd64: grafana-10.0.0-1
          arm64v8: grafana-10.0.0-1
        ubuntu:
          amd64: grafana-10.0.0
          arm64v8: grafana-10.0.0
        windows:
          amd64: node-v20.5.1
        macos:
          amd64: luxon-3.0.0
          arm64v8: luxon-3.0.0

santipadilla commented 2 weeks ago

After a meeting with @wazuh/devel-qa-div2, change issue description to coordinate with the implementation of this issue.

Changes made in the branch: fix/5312-macos-fix-upgrade-case. In this PR: https://github.com/wazuh/wazuh-qa/pull/5334

santipadilla commented 2 weeks ago

Update

Changes made, still to be checked by launching the new VD test.

santipadilla commented 1 week ago

Moved to on hold due to 4.8.0 - rc1 release testing.

santipadilla commented 1 week ago

Update

Time of the VD test with only one macOS agent ≈ 1h 30min

After launching the test with the changes it still fails. Further investigation will be carried out to check the case and the package.

report.zip

santipadilla commented 1 week ago

Update

Time of the VD test with only one macOS agent and only the issue's VD case ≈ 50min

After launching the test with only the issue's VD case it still fails. A manual test will be carried out.

report.zip

santipadilla commented 1 week ago

Manual test (upgrade_package_nonvulnerable_to_vulnerable) 🟢

Install luxon 2.5.2 (no vulnerabilities)

macOS agent

sh-3.2# npm install -g luxon@2.5.2

added 1 package in 298ms

sh-3.2# npm list -g
/usr/local/lib
├── corepack@0.25.2
├── luxon@2.5.2
└── npm@10.5.0

sh-3.2# 

Manager

{"timestamp":"2024-05-07T14:56:26.872+0000","rule":{"level":3,"description":"Wazuh server started.","id":"502","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"000","name":"ip-172-31-15-154"},"manager":{"name":"ip-172-31-15-154"},"id":"1715093786.2812802","cluster":{"name":"wazuh","node":"master"},"full_log":"ossec: Manager started.","decoder":{"name":"ossec"},"location":"wazuh-monitord"}
{"timestamp":"2024-05-07T14:57:46.251+0000","rule":{"level":3,"description":"Wazuh agent started.","id":"503","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"001","name":"agent1"},"manager":{"name":"ip-172-31-15-154"},"id":"1715093866.2813060","cluster":{"name":"wazuh","node":"master"},"full_log":"ossec: Agent started: 'agent1->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"agent1->any"},"location":"wazuh-agent"}

Upgrade to luxon 3.0.0 (new vulnerability)

macOS agent

sh-3.2# npm install -g luxon@3.0.0

changed 1 package in 133ms

sh-3.2# npm list -g
/usr/local/lib
├── corepack@0.25.2
├── luxon@3.0.0
└── npm@10.5.0

Manager

{"timestamp":"2024-05-07T14:56:26.872+0000","rule":{"level":3,"description":"Wazuh server started.","id":"502","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"000","name":"ip-172-31-15-154"},"manager":{"name":"ip-172-31-15-154"},"id":"1715093786.2812802","cluster":{"name":"wazuh","node":"master"},"full_log":"ossec: Manager started.","decoder":{"name":"ossec"},"location":"wazuh-monitord"}
{"timestamp":"2024-05-07T14:57:46.251+0000","rule":{"level":3,"description":"Wazuh agent started.","id":"503","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"001","name":"agent1"},"manager":{"name":"ip-172-31-15-154"},"id":"1715093866.2813060","cluster":{"name":"wazuh","node":"master"},"full_log":"ossec: Agent started: 'agent1->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"agent1->any"},"location":"wazuh-agent"}
{"timestamp":"2024-05-07T15:02:18.205+0000","rule":{"level":7,"description":"Listened ports status (netstat) changed (new port opened or closed).","id":"533","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.2.7","10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"ip-172-31-15-154"},"manager":{"name":"ip-172-31-15-154"},"id":"1715094138.2813383","cluster":{"name":"wazuh","node":"master"},"previous_output":"Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* /usr\ntcp6 :::22 :::* /usr\ntcp 127.0.0.53:53 0.0.0.0:* 495/systemd-resolve\nudp 127.0.0.53:53 0.0.0.0:* 495/systemd-resolve\nudp 172.31.15.154:68 0.0.0.0:* 493/systemd-network\ntcp 0.0.0.0:443 0.0.0.0:* 82210/node\ntcp 0.0.0.0:1514 0.0.0.0:* 105914/wazuh-remote\ntcp 0.0.0.0:1515 0.0.0.0:* 105777/wazuh-authd\ntcp6 172.31.15.154:9200 :::* 13222/java\ntcp6 172.31.15.154:9300 :::* 13222/java\ntcp 0.0.0.0:55000 0.0.0.0:* 105729/python3","full_log":"ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* /usr\ntcp6 :::22 :::* /usr\ntcp 127.0.0.53:53 0.0.0.0:* 495/systemd-resolve\nudp 127.0.0.53:53 0.0.0.0:* 495/systemd-resolve\nudp 172.31.15.154:68 0.0.0.0:* 493/systemd-network\ntcp 0.0.0.0:443 0.0.0.0:* 82210/node\ntcp 0.0.0.0:1514 0.0.0.0:* 105914/wazuh-remote\ntcp 0.0.0.0:1515 0.0.0.0:* 105777/wazuh-authd\ntcp 0.0.0.0:1516 0.0.0.0:* 106354/python3\ntcp6 172.31.15.154:9200 :::* 13222/java\ntcp6 172.31.15.154:9300 :::* 13222/java\ntcp 0.0.0.0:55000 0.0.0.0:* 105729/python3","decoder":{"name":"ossec"},"previous_log":"ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* /usr\ntcp6 :::22 :::* /usr\ntcp 127.0.0.53:53 0.0.0.0:* 495/systemd-resolve\nudp 127.0.0.53:53 0.0.0.0:* 495/systemd-resolve\nudp 172.31.15.154:68 0.0.0.0:* 493/systemd-network\ntcp 0.0.0.0:443 0.0.0.0:* 82210/node\ntcp 0.0.0.0:1514 0.0.0.0:* 105914/wazuh-remote\ntcp 0.0.0.0:1515 0.0.0.0:* 105777/wazuh-authd\ntcp6 172.31.15.154:9200 :::* 13222/java\ntcp6 172.31.15.154:9300 :::* 13222/java\ntcp 0.0.0.0:55000 0.0.0.0:* 105729/python3","location":"netstat listening ports"}
{"timestamp":"2024-05-07T15:04:17.784+0000","rule":{"level":7,"description":"CVE-2022-31129 affects luxon","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"agent1","ip":"192.168.64.7"},"manager":{"name":"ip-172-31-15-154"},"id":"1715094257.2814761","cluster":{"name":"wazuh","node":"master"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"GitHub_M","cve":"CVE-2022-31129","cvss":{"cvss2":{"base_score":"5","vector":{"access_complexity":"LOW","authentication":"NONE","availability":"PARTIAL","confidentiality_impact":"NONE","integrity_impact":"NONE"}}},"cwe_reference":"CWE-1333","enumeration":"CVE","package":{"architecture":" ","condition":"Package less than 3.2.1","name":"luxon","source":" ","version":"3.0.0"},"published":"2022-07-06T18:15:19Z","rationale":"moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.","reference":"https://github.com/moment/moment/pull/6015#issuecomment-1152961973, https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/, https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g, https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html, https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3, https://security.netapp.com/advisory/ntap-20221014-0003/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/","severity":"Medium","status":"Active","title":"CVE-2022-31129 affects luxon","type":"Packages","updated":"2023-11-07T03:47:32Z"}},"location":"vulnerability-detector"}
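
The pass condition stated in the issue description and checked by hand in the manual test above (no vulnerability alert for luxon-2.5.2, a new one for luxon-3.0.0), written out as an added Python example; it is not wazuh-qa code and not part of any comment in this thread. The function names and `SAMPLE_ALERTS` are hypothetical, and the sample lines are constructed from fields visible in the manager output.

```python
import json

# Constructed sample alerts, reduced to fields visible in the manager output above.
SAMPLE_ALERTS = "\n".join([
    json.dumps({"rule": {"id": "503", "groups": ["ossec"]},
                "agent": {"id": "001", "name": "agent1"}}),
    json.dumps({"rule": {"id": "23504", "groups": ["vulnerability-detector"]},
                "agent": {"id": "001", "name": "agent1"},
                "data": {"vulnerability": {
                    "cve": "CVE-2022-31129", "status": "Active",
                    "package": {"name": "luxon", "version": "3.0.0"}}}}),
    '{"timestamp":"2024-05-07T15:04:18',  # constructed truncated line
])


def vulnerability_alerts(raw, agent_name):
    """Yield (name, version, cve) for active vulnerability alerts of one agent."""
    for line in raw.splitlines():
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # wrapped or partially written line
        if "vulnerability-detector" not in alert.get("rule", {}).get("groups", []):
            continue
        if alert.get("agent", {}).get("name") != agent_name:
            continue
        vuln = alert.get("data", {}).get("vulnerability", {})
        if vuln.get("status") != "Active":  # status value shown in the alert above
            continue
        pkg = vuln.get("package", {})
        yield pkg.get("name"), pkg.get("version"), vuln.get("cve")


def split_spec(spec):
    """'luxon-2.5.2' -> ('luxon', '2.5.2'); assumes no hyphen in the package name."""
    name, _, version = spec.partition("-")
    return name, version


def check_upgrade_case(raw, agent_name, from_spec, to_spec):
    """Evaluate a 'non vulnerable to vulnerable' upgrade from collected alerts."""
    seen = {}
    for name, version, cve in vulnerability_alerts(raw, agent_name):
        seen.setdefault((name, version), set()).add(cve)
    from_cves = seen.get(split_spec(from_spec), set())
    to_cves = seen.get(split_spec(to_spec), set())
    return {"from_clean": not from_cves, "to_cves": sorted(to_cves),
            "passed": not from_cves and bool(to_cves)}
```

`from_clean` is only evidence when the `from` package was really installed and scanned before the upgrade, which is the setup step the issue reports as missing.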

santipadilla commented 1 week ago

Having checked that it is correct manually and looking at the report we can see the following:

MARCOSD4 commented 1 week ago

LGTM