future-architect/vuls


server mode doesn't use `default` section ignoreCves/ignorePkgsRegexp #1267

hdhoang posted on GitHub

What did you do? (required. The issue will be closed when not provided.)

I run a vuls server to receive dpkg lists from other nodes, submitted like this:

```sh
dpkg-query -W -f='${binary:Package},${db:Status-Abbrev},${Version},${Source},${source:Version}\n' |
curl -sS -o - -X POST \
  -H "content-type: text/plain" -H 'X-Vuls-OS-Family: debian' \
  -H "X-Vuls-Server-Name: via-server" \
  -H "X-Vuls-OS-Release: $(cat /etc/debian_version)" \
  -H "X-Vuls-Kernel-Release: $(uname -r)" \
  -H "X-Vuls-Kernel-Version: $(uname -a | awk '{print $7}')" \
  http://127.0.0.1:5515/vuls \
  --data-binary @-
```

I want to ignore specific packages (libicu), or specific CVEs (e.g. the ancient CVE-2005-3660) on all servers. So I added them to the default settings ignoreCves, ignorePkgsRegexp. This works for vuls scan mode, and is visible in the results JSON file:

```json
"config": {
    "scan": {
        "debug": true,
        "logDir": "/var/log/vuls",
        "resultsDir": "/vuls/results",
        "default": {
            "ignoreCves": [
                "CVE-2005-3660"
            ],
            "ignorePkgsRegexp": [
                "^libicu"
            ]
        },
        "servers": {
            "via-ssh": {
                "serverName": "via-ssh",
                "user": "root",
                "host": "127.0.0.1",
                "port": "22",
                "ignoreCves": [
                    "CVE-2005-3660"
                ],
                "ignorePkgsRegexp": [
                    "^libicu"
                ],
```

What did you expect to happen?

The default settings should be applied to vuls server scans as well.

What happened instead?

```sh
dpkg-query -W -f='${binary:Package},${db:Status-Abbrev},${Version},${Source},${source:Version}\n' |
curl -sS -o - -X POST \
  -H "content-type: text/plain" -H 'X-Vuls-OS-Family: debian' \
  -H "X-Vuls-Server-Name: via-server" \
  -H "X-Vuls-OS-Release: $(cat /etc/debian_version)" \
  -H "X-Vuls-Kernel-Release: $(uname -r)" \
  -H "X-Vuls-Kernel-Version: $(uname -a | awk '{print $7}')" \
  http://127.0.0.1:5515/vuls \
  --data-binary @- |
jq . >> via-server.json
```

```
grep 2021-30535 via-server.json
      "CVE-2021-30535": {
        "cveID": "CVE-2021-30535",
            "cveID": "CVE-2021-30535",
            "sourceLink": "https://security-tracker.debian.org/tracker/CVE-2021-30535",
            "cveID": "CVE-2021-30535",
            "sourceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-30535",
```

  • Current Output

Please re-run the command using -debug and provide the output below.

In the gist at https://gist.github.com/hdhoang/b88afd48e3c5aa034315f58b89819818

Steps to reproduce the behaviour

Using a Debian VM (10.9, freshly installed from CD). vuls, cve-dictionary, gost and goval fetched for the years 2020 and 2021, Debian 10.

Configuration (MUST fill this out):

  • Go version (go version): (not relevant because I'm using docker image)

  • Go environment (go env): (not relevant because I'm using docker image)

  • Vuls environment:

Hash : vuls-v0.15.11-build-20210625_051138_8e6351a (docker image)

  • config.toml:

```toml
[default]
ignorePkgsRegexp = [
  "^libicu",
]
ignoreCves = [
  "CVE-2005-3660", # linux-image
]

[servers."via-ssh"]
host = "127.0.0.1"
user = "root"
```

  • command:

```sh
docker run --network=host --rm -it -v $PWD:/vuls -v /root/.ssh:/root/.ssh vuls/vuls scan -debug >> scan-debug.txt
docker run --network=host --rm -it -v $PWD:/vuls -v /root/.ssh:/root/.ssh vuls/vuls server -debug >> server-debug.txt
# then submit in other terminal
```
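As an added illustration (not vuls' own code), a Go sketch of the behaviour the report expects: the `[default]` settings are merged with any per-server section before results are filtered, so a server-mode submission that has no `[servers.<name>]` entry still inherits `ignoreCves` and `ignorePkgsRegexp`. The `IgnoreConfig` and `Finding` types and the `Merge`/`Filter` functions are hypothetical, and the findings are a constructed sample rather than real scan output.

```go
package main
import (
	"fmt"
	"regexp"
)

// IgnoreConfig holds the two settings from the report (hypothetical type, not vuls' own).
type IgnoreConfig struct {
	IgnoreCves       []string
	IgnorePkgsRegexp []string
}
type Finding struct{ CveID, Package string } // one detected CVE on one installed package (constructed)
// Merge returns one server's effective settings: [default] entries plus per-server additions.
// A server-mode submission has no [servers.<name>] section, so the defaults must still apply to it.
func Merge(def, srv IgnoreConfig) (m IgnoreConfig) {
	m.IgnoreCves = append(append(m.IgnoreCves, def.IgnoreCves...), srv.IgnoreCves...)
	m.IgnorePkgsRegexp = append(append(m.IgnorePkgsRegexp, def.IgnorePkgsRegexp...), srv.IgnorePkgsRegexp...)
	return m
}
// Filter returns the findings not ignored by CVE ID or package regexp, plus how many were dropped.
// A malformed regexp is reported as an error rather than silently matching nothing.
func Filter(cfg IgnoreConfig, in []Finding) (kept []Finding, dropped int, err error) {
	var res []*regexp.Regexp
	for _, pat := range cfg.IgnorePkgsRegexp {
		re, err := regexp.Compile(pat)
		if err != nil {
			return nil, 0, fmt.Errorf("ignorePkgsRegexp %q: %w", pat, err)
		}
		res = append(res, re)
	}
	for _, f := range in {
		skip := false
		for _, id := range cfg.IgnoreCves {
			skip = skip || id == f.CveID
		}
		for _, re := range res {
			skip = skip || re.MatchString(f.Package)
		}
		if !skip {
			kept = append(kept, f)
		}
	}
	return kept, len(in) - len(kept), nil
}

func main() {
	cfg := Merge(IgnoreConfig{IgnoreCves: []string{"CVE-2005-3660"}, IgnorePkgsRegexp: []string{"^libicu"}}, IgnoreConfig{}) // no per-server section, as in server mode
	kept, dropped, _ := Filter(cfg, []Finding{{"CVE-2005-3660", "linux-image-amd64"}, {"CVE-2021-30535", "libicu63"}, {"CVE-2021-30535", "chromium"}}) // constructed sample
	fmt.Println(kept, dropped) // [{CVE-2021-30535 chromium}] 2
}
```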
