wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

macOS vulnerability alerts are not correctly collected #5321

Closed Rebits closed 1 week ago

Rebits commented 2 weeks ago

Description

It has been detected in Additional Vulnerability Detection End-to-End that vulnerability alerts for macOS agents are not correctly collected. If we check the evidence, we can see in the manager alerts file and in the indexed vulnerabilities that the alerts indeed appear. However, the validator is ignoring them.

> [!NOTE]
> Report is provided here: https://github.com/wazuh/wazuh-qa/pull/5287

Rebits commented 2 weeks ago

To streamline the troubleshooting process for this issue, we've devised a straightforward script to replicate failing cases. This approach simplifies the debugging of current parsing vulnerability methods, eliminating the need to run the entire test suite.

parse_macos_vuln.py

```python
import json
from wazuh_testing.end_to_end.vulnerability_detector import get_vulnerability_detector_alerts, \
    parse_vulnerabilities_from_alerts
from wazuh_testing.end_to_end.remote_operations_handler import get_expected_alerts
from wazuh_testing.end_to_end.check_validators import compare_expected_found_vulnerabilities_alerts
from wazuh_testing.tools.system import HostManager

# No inventory is needed: get_expected_alerts only uses the host manager to
# resolve the agents' OS and architecture from package_data below.
host_manager = HostManager("")

# Package installed per OS/architecture by the 'install_package' operation.
package_data = {
    'centos': {
        'amd64': 'grafana-8.5.5-1',
        'arm64v8': 'grafana-8.5.5-1'
    },
    'ubuntu': {
        'amd64': 'grafana-8.5.5',
        'arm64v8': 'grafana-8.5.5'
    },
    'windows': {
        'amd64': 'node-v17.0.1'
    },
    'macos': {
        'amd64': 'http-proxy-0.5.9',
        'arm64v8': 'http-proxy-0.5.9'
    }
}

if __name__ == "__main__":
    # alerts.json holds the alert index exported from the wazuh-indexer (see below).
    with open("alerts.json", "r") as f:
        vulnerabilities_alerts = json.load(f)

    # Split the raw alerts into affected/mitigated and parse them into Vulnerability objects.
    alerts = get_vulnerability_detector_alerts(vulnerabilities_alerts)
    parsed_vulnerabilities_mitigated = parse_vulnerabilities_from_alerts(alerts['mitigated'])
    parsed_vulnerabilities_affected = parse_vulnerabilities_from_alerts(alerts['affected'])

    # Build the expected alerts for agent6 and compare them with what was parsed.
    expected_alerts = get_expected_alerts(host_manager, ['agent6'], 'install_package', package_data)
    alerts = {"affected": {"agent6": parsed_vulnerabilities_affected}}
    result_alert = compare_expected_found_vulnerabilities_alerts(alerts, expected_alerts)
    print(result_alert)
```

In addition, we are going to use the following alert index to simulate real information collected from the wazuh-indexer:

http-proxy Alert Index Example

```json
[
  {
    "_index": "wazuh-alerts-4.x-2024.04.22",
    "_id": "YqpJBY8BJodbzcVedMR2",
    "_score": 4.6972857,
    "_source": {
      "cluster": {
        "node": "master",
        "name": "wazuh"
      },
      "agent": {
        "ip": "192.168.64.5",
        "name": "agent6",
        "id": "006"
      },
      "manager": {
        "name": "ip-172-31-7-224"
      },
      "data": {
        "vulnerability": {
          "severity": "Medium",
          "package": {
            "condition": "Package less than 0.7.0",
            "name": "http-proxy",
            "source": " ",
            "version": "0.5.9",
            "architecture": " "
          },
          "assigner": "hackerone",
          "cwe_reference": "CWE-388",
          "published": "2018-06-04T19:29:00Z",
          "title": "CVE-2017-16014 affects http-proxy",
          "type": "Packages",
          "rationale": "Http-proxy is a proxying library. Because of the way errors are handled in versions before 0.7.0, an attacker that forces an error can crash the server, causing a denial of service.",
          "reference": "https://github.com/nodejitsu/node-http-proxy/pull/101, https://nodesecurity.io/advisories/323",
          "cve": "CVE-2017-16014",
          "enumeration": "CVE",
          "cvss": {
            "cvss2": {
              "base_score": "5",
              "vector": {
                "integrity_impact": "NONE",
                "availability": "PARTIAL",
                "confidentiality_impact": "NONE",
                "access_complexity": "LOW",
                "authentication": "NONE"
              }
            }
          },
          "updated": "2019-10-09T23:24:36Z",
          "status": "Active"
        }
      },
      "rule": {
        "firedtimes": 13,
        "mail": false,
        "level": 7,
        "pci_dss": ["11.2.1", "11.2.3"],
        "tsc": ["CC7.1", "CC7.2"],
        "description": "CVE-2017-16014 affects http-proxy",
        "groups": ["vulnerability-detector"],
        "id": "23504",
        "gdpr": ["IV_35.7.d"]
      },
      "decoder": {
        "name": "json"
      },
      "input": {
        "type": "log"
      },
      "@timestamp": "2024-04-22T10:10:45.737Z",
      "location": "vulnerability-detector",
      "id": "1713780645.2742706",
      "timestamp": "2024-04-22T10:10:45.737+0000"
    }
  }
]
```

Currently, we can see that it is not detecting the expected vulnerability:

```
{'vulnerabilities_affected_not_found': {'agent6': [Vulnerability(cve='CVE-2017-16014', package_name='http-proxy', package_version='0.5.9', architecture='')]}, 'vulnerabilities_mitigated_not_found': {}, 'failed_agents': ['agent6'], 'result': False}
```

However, if we check the currently detected vulnerability, we see that it is expecting a vulnerability with `' '` as architecture instead of `''`:

```
{'agent6': [Vulnerability(cve='CVE-2017-16014', package_name='http-proxy', package_version='0.5.9', architecture=' ')]}
```

We need to strip the collected vulnerability fields in the `parse_vulnerabilities_from_alerts` and `get_vulnerabilities_from_states` functions.
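As an added illustration, not code from wazuh-qa, here is a reduced parser run over a hit shaped like the index example above: it shows why the whitespace-only `architecture` field makes the expected/found comparison fail, and how stripping the fields fixes it. `Vulnerability`, `parse_vulnerabilities` and `compare` are hypothetical stand-ins for the framework's own functions, and the sample hit is constructed.

```python
import json
from typing import NamedTuple

# Constructed sample: one hit shaped like the wazuh-indexer alert above,
# reduced to the fields the parser reads (note the ' ' architecture).
SAMPLE_HITS = json.loads("""[
  {"_source": {"agent": {"name": "agent6"},
   "data": {"vulnerability": {"cve": "CVE-2017-16014",
     "package": {"name": "http-proxy", "version": "0.5.9",
                 "architecture": " ", "source": " "}}}}}
]""")


class Vulnerability(NamedTuple):
    cve: str
    package_name: str
    package_version: str
    architecture: str


def parse_vulnerabilities(hits, strip_fields=True):
    """Build Vulnerability tuples per agent from indexer hits.

    With strip_fields=False this mirrors the behaviour described in the issue:
    a whitespace-only architecture (' ') survives and never equals ''.
    """
    found = {}
    for hit in hits:
        src = hit["_source"]
        vuln = src["data"]["vulnerability"]
        fields = (vuln["cve"], vuln["package"]["name"],
                  vuln["package"]["version"], vuln["package"]["architecture"])
        if strip_fields:
            fields = tuple(f.strip() for f in fields)
        found.setdefault(src["agent"]["name"], []).append(Vulnerability(*fields))
    return found


def compare(expected, found):
    """Return, per agent, the expected vulnerabilities missing from found."""
    missing = {}
    for agent, vulns in expected.items():
        not_found = [v for v in vulns if v not in found.get(agent, [])]
        if not_found:
            missing[agent] = not_found
    return missing


# What the test expects for agent6: an empty architecture, as in the report above.
EXPECTED = {"agent6": [Vulnerability("CVE-2017-16014", "http-proxy", "0.5.9", "")]}

if __name__ == "__main__":
    print(compare(EXPECTED, parse_vulnerabilities(SAMPLE_HITS, strip_fields=False)))
    print(compare(EXPECTED, parse_vulnerabilities(SAMPLE_HITS)))
```

The first call reports the CVE as not found, reproducing the failure; the second returns an empty dict.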

rafabailon commented 1 week ago

LGTM

davidjiglesias commented 1 week ago

LGTM