wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Vulnerability Detector is not generating alerts for Ubuntu packages #23338

Closed. SeyiSoneye closed this issue 1 week ago.

SeyiSoneye commented 1 week ago
| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.8.0-rc1 | Vulnerability detector | Manager | Packages | Ubuntu 22.04 x86_64 |

Description

It has been detected in https://github.com/wazuh/wazuh/issues/23244 that Vulnerability Detection is not generating alerts for Ubuntu packages.

Steps to reproduce

Inventory

[screenshot: Inventory]

Events

[screenshot: Events]

root@ubuntuagent:/home/vagrant# python3 -m pip install Django==3.2.13
Collecting Django==3.2.13
  Downloading Django-3.2.13-py3-none-any.whl (7.9 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 7.9/7.9 MB 14.5 MB/s eta 0:00:00
Collecting pytz
  Downloading pytz-2024.1-py2.py3-none-any.whl (505 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 505.5/505.5 KB 21.3 MB/s eta 0:00:00
Collecting sqlparse>=0.2.2
  Downloading sqlparse-0.5.0-py3-none-any.whl (43 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 44.0/44.0 KB 9.5 MB/s eta 0:00:00
Collecting asgiref<4,>=3.3.2
  Downloading asgiref-3.8.1-py3-none-any.whl (23 kB)
Collecting typing-extensions>=4
  Downloading typing_extensions-4.11.0-py3-none-any.whl (34 kB)
Installing collected packages: pytz, typing-extensions, sqlparse, asgiref, Django
Successfully installed Django-3.2.13 asgiref-3.8.1 pytz-2024.1 sqlparse-0.5.0 typing-extensions-4.11.0
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
root@ubuntuagent:/home/vagrant# python3 -m django --version
3.2.13

After installing the known vulnerable application on the endpoint, the vulnerability was included in the inventory but no alert was generated.

Inventory

Vulnerabilities were added in Inventory. However, no events were generated.

[screenshot: Inventory]

Alerts

[screenshot: Alerts]

Dwordcito commented 1 week ago

@SeyiSoneye After installing the vulnerable package, do you wait for syscollector to run again on the agent or restart it so that scan on start runs?

Could you give us the ossec.log?

SeyiSoneye commented 1 week ago

@Dwordcito I restarted the agent so that scan on start runs.

ossec.log files: ossec-05.log ossec-06.log ossec-03.log

Dwordcito commented 1 week ago

This is expected behavior: if you restart the agent, we don't generate alerts by design.

Try again without restarting the agent (decrease the syscollector scheduler), and if the issue appears, re-open the issue.
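The comment above says that a scan triggered by an agent restart (scan on start) does not produce alerts by design, and suggests shortening the syscollector schedule so the next scheduled inventory run picks up the newly installed package. The following is an added example of the agent-side ossec.conf syscollector block with a shorter interval; it is not taken from this issue or from the Wazuh project, and the 10m value and the assumption that the remaining module settings stay at their defaults are the editor's own.

```xml
<!-- Added example: agent ossec.conf, syscollector module with a shortened
     scan interval. The 10m value is an assumption chosen for testing; the
     default interval is 1h. Other settings shown are the defaults. -->
<wodle name="syscollector">
  <disabled>no</disabled>
  <!-- Run the inventory scan every 10 minutes so that a package installed
       after agent start is reported by a scheduled scan, not by the
       start-up scan that the comment above says generates no alerts. -->
  <interval>10m</interval>
  <scan_on_start>yes</scan_on_start>
  <hardware>yes</hardware>
  <os>yes</os>
  <network>yes</network>
  <packages>yes</packages>
  <ports all="no">yes</ports>
  <processes>yes</processes>
</wodle>
```

With this in place, install the package and wait for the next scheduled scan to complete instead of restarting the agent, then check the Vulnerabilities module and the alerts for the endpoint.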