future-architect/vuls

Vuls/VulsRepo reporting vulnerabilities that are not on the machine #1473

CA-dfox posted on GitHub

What did you do? (required. The issue will be closed when not provided.)

go-cve-dictionary fetch nvd
goval-dictionary fetch debian 7 8 9 10 11
goval-dictionary fetch ubuntu 14 16 18 19 20 21 22
goval-dictionary fetch redhat 5 6 7 8
gost fetch redhat
gost fetch debian
gost fetch ubuntu

vuls scan -config=/usr/share/vuls-data/kitchensink.config
vuls report -config=/usr/share/vuls-data/kitchensink.config -ignore-unfixed

What did you expect to happen?

Since the machine was completely updated, I would have expected all fixed vulnerabilities to not show up on the VulsRepo table or Vuls Tui.

What happened instead?

I am seeing CVEs that are not applicable show up in the VulsRepo table and in Vuls Tui. For example, I am seeing the following CVEs in the report: CVE-2016-7969, CVE-2017-9258 and CVE-2017-13194. When I try the fix for these, I get the following:

username@machinename:~$ sudo ua fix CVE-2017-13194
CVE-2017-13194: libvpx vulnerabilities
https://ubuntu.com/security/CVE-2017-13194
No affected source packages are installed.
✔ CVE-2017-13194 does not affect your system
Current Output

Please re-run the command using -debug and provide the output below.

Steps to reproduce the behaviour

See above. In VulsRepo, I am filtering on fixed CVEs.

Configuration (MUST fill this out):

  • Go version (go version): go version go1.17 linux/amd64
  • Go environment (go env):
    GO111MODULE=""
    GOARCH="amd64"
    GOBIN=""
    GOCACHE="/home/username/.cache/go-build"
    GOENV="/home/username/.config/go/env"
    GOEXE=""
    GOEXPERIMENT=""
    GOFLAGS=""
    GOHOSTARCH="amd64"
    GOHOSTOS="linux"
    GOINSECURE=""
    GOMODCACHE="/home/username/go/pkg/mod"
    GONOPROXY=""
    GONOSUMDB=""
    GOOS="linux"
    GOPATH="/home/username/go"
    GOPRIVATE=""
    GOPROXY="https://proxy.golang.org,direct"
    GOROOT="/usr/lib/go-1.17"
    GOSUMDB="sum.golang.org"
    GOTMPDIR=""
    GOTOOLDIR="/usr/lib/go-1.17/pkg/tool/linux_amd64"
    GOVCS=""
    GOVERSION="go1.17"
    GCCGO="gccgo"
    AR="ar"
    CC="gcc"
    CXX="g++"
    CGO_ENABLED="1"
    GOMOD="/dev/null"
    CGO_CFLAGS="-g -O2"
    CGO_CPPFLAGS=""
    CGO_CXXFLAGS="-g -O2"
    CGO_FFLAGS="-g -O2"
    CGO_LDFLAGS="-g -O2"
    PKG_CONFIG="pkg-config"
    GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2283081390=/tmp/go-build -gno-record-gcc-switches"
  • Vuls environment:

Hash : vuls-v0.19.7-build-20220429_134618_91ed318

To check the commit hash of HEAD:

$ vuls -v

or

$ cd $GOPATH/src/github.com/future-architect/vuls
$ git rev-parse --short HEAD

  • config.toml:
    #[servers.0.0.0.0]
    #host                = "0.0.0.0"
    #port               = "22"
    #user               = "user"
    #sshConfigPath          = "/home/username/.ssh/config"
    #keyPath            = "/home/username/.ssh/id_rsa"
    #scanMode           = ["fast", "fast-root", "deep", "offline"]
    #scanModules        = ["ospkg", "wordpress", "lockfile", "port"]
    #type               = "pseudo"
    #memo               = "systemname"
    #findLock = true
    #lockfiles = ["/path/to/package-lock.json"]
    #cpeNames           = [ "cpe:/a:rubyonrails:ruby_on_rails:4.2.1" ]
    #owaspDCXMLPath     = "/path/to/dependency-check-report.xml"
    #ignoreCves         = ["CVE-2014-0160"]
    #containersOnly     = false
    #containerType      = "docker" #or "lxd" or "lxc" default: docker
    #containersIncluded = ["${running}"]
    #containersExcluded = ["container_name_a"]
    #confidenceScoreOver = 80
    
Can you show me the results (<results-dir>/<timestamp>/<server name>.json) when you run the vuls report? I can compare the Ubuntu vulnerability information about CVE-2017-13194 with the information about the packages you have installed on your server.

posted by MaineK00n almost 3 years ago
posted by CA-dfox almost 3 years ago

Thanks for providing the json!

I looked at the contents and debugged how CVE-2017-13194 was detected. The cause seems to be a package called libvpx1. Your JSON targets Ubuntu 18.04 (bionic), but libvpx1 is not provided with this Ubuntu version. ref: https://packages.ubuntu.com/source/bionic/libvpx

OVAL says that CVE-2017-13194 will be fixed in version 1.7.0-3 of libvpx, and since libvpx1 (≒libvpx) in your environment is version 1.3.0-2, CVE-2017-13194 is detected.

Probably the same for other CVEs. If it is CVE-2017-9258, it is probably caused by the package libsoundtouch0.

I will work on a fix for this. If it is not a problem, removing libvpx1 and libsoundtouch0 will reduce false positives.

posted by MaineK00n almost 3 years ago

@CA-dfox This CVE-2017-13194 false positive is caused by a search on libvpx and its version 1.3.0-2, which is the source package of libvpx1. In Ubuntu 18.04, libvpx1 does not seem to be published (https://packages.ubuntu.com/search?suite=bionic&section=all&arch=any&keywords=libvpx1&searchon=names). Ubuntu's OVAL cannot complete all of the binary packages associated with a source package. Also, it is difficult for the package manager to classify which repository the package was installed from, or if it is the Ubuntu Official repository, which is 16.04/18.04/20.04/.... Therefore, it seems difficult to avoid this false positive.

The same is likely true for other CVE false positives. To deal with this problem, remove libvpx1, libsoundtouch0, etc., or consider ignoreCves or ignorePkgsRegexp (https://vuls.io/docs/en/config.toml.html#servers-section).

posted by MaineK00n over 2 years ago

The following PR will disable the detection of those with a patch status of Not vulnerable. https://github.com/vulsio/goval-dictionary/pull/241

The patch status of bionic in CVE-2017-13194 shows that it is Not vulnerable, so if the PR of this goval-dictionary is merged, it will not be detected. https://ubuntu.com/security/CVE-2017-13194

posted by MaineK00n over 2 years ago
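To make the mechanism described in the last two comments concrete, here is a small added example in Go (not Vuls or goval-dictionary code): it matches an installed binary package to an OVAL definition through its source package and compares versions, which is how libvpx1 1.3.0-2 trips CVE-2017-13194, and then shows the effect of skipping definitions whose patch status is Not vulnerable, as the linked PR #241 does. The struct types, the sample data and the simplified version comparison are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// OvalDef is a constructed stand-in for one Ubuntu OVAL entry (source package, fixing
// version, patch status for bionic); InstalledPkg is a binary package plus its source.
type OvalDef struct{ CveID, SrcPackage, FixedIn, Status string }
type InstalledPkg struct{ Name, Version, Source string }

// versionLess is a simplified dpkg-style comparison (assumption: purely numeric
// dot/hyphen fields, enough for this issue; not the full dpkg algorithm).
func versionLess(a, b string) bool {
	norm := func(v string) []string { return strings.Split(strings.ReplaceAll(v, "-", "."), ".") }
	fa, fb := norm(a), norm(b)
	for i := 0; i < len(fa) && i < len(fb); i++ {
		x, _ := strconv.Atoi(fa[i])
		y, _ := strconv.Atoi(fb[i])
		if x != y {
			return x < y
		}
	}
	return len(fa) < len(fb)
}

// Detect flags a CVE when an installed package's source matches the definition and
// its version is below FixedIn. skipNotVulnerable=false reproduces the issue
// (libvpx1 -> libvpx, 1.3.0-2 < 1.7.0-3); true applies goval-dictionary PR #241.
func Detect(pkgs []InstalledPkg, defs []OvalDef, skipNotVulnerable bool) []string {
	var hits []string
	for _, d := range defs {
		if skipNotVulnerable && strings.EqualFold(d.Status, "not vulnerable") {
			continue // bionic is marked Not vulnerable: never match this definition
		}
		for _, p := range pkgs {
			if p.Source == d.SrcPackage && versionLess(p.Version, d.FixedIn) {
				hits = append(hits, d.CveID)
			}
		}
	}
	return hits
}

// Constructed sample from the issue: binary libvpx1 1.3.0-2 built from source libvpx.
var SamplePkgs = []InstalledPkg{{"libvpx1", "1.3.0-2", "libvpx"}}
var SampleDefs = []OvalDef{{"CVE-2017-13194", "libvpx", "1.7.0-3", "Not vulnerable"}}
func main() { fmt.Println(Detect(SamplePkgs, SampleDefs, false), Detect(SamplePkgs, SampleDefs, true)) }
```

Running it prints `[CVE-2017-13194]` for the current behaviour and `[]` once Not vulnerable definitions are skipped.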
