feat(cpescan): Use JVN as a second DB for CPE scan (#1268)

* feat(cpescan): Use JVN as a second DB for CPE scan * feat(tui): display score of detectionmethod * update go.mod
future-architect · Jul 8, 2021 · f0b3a8b · f0b3a8b
1 parent 0b9ec05
commit f0b3a8b
Show file tree

Hide file tree

Showing 7 changed files with 39 additions and 43 deletions.
diff --git a/detector/detector.go b/detector/detector.go
@@ -420,17 +420,21 @@ func DetectCpeURIsCves(r *models.ScanResult, cpeURIs []string, cnf config.GoCveD
 			return err
 		}
 		for _, detail := range details {
+
+			confidence := models.CpeVersionMatch
+			if detail.IsJvn() {
+				confidence = models.CpeVendorProductMatch
+			}
+
 			if val, ok := r.ScannedCves[detail.CveID]; ok {
-				names := val.CpeURIs
-				names = util.AppendIfMissing(names, name)
-				val.CpeURIs = names
-				val.Confidences.AppendIfMissing(models.CpeNameMatch)
+				val.CpeURIs = util.AppendIfMissing(val.CpeURIs, name)
+				val.Confidences.AppendIfMissing(confidence)
 				r.ScannedCves[detail.CveID] = val
 			} else {
 				v := models.VulnInfo{
 					CveID:       detail.CveID,
 					CpeURIs:     []string{name},
-					Confidences: models.Confidences{models.CpeNameMatch},
+					Confidences: models.Confidences{confidence},
 				}
 				r.ScannedCves[detail.CveID] = v
 				nCVEs++

diff --git a/go.mod b/go.mod
@@ -20,7 +20,7 @@ require (
 	github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21
 	github.com/emersion/go-smtp v0.14.0
 	github.com/fatih/color v1.12.0 // indirect
-	github.com/go-redis/redis/v8 v8.10.0 // indirect
+	github.com/go-redis/redis/v8 v8.11.0 // indirect
 	github.com/google/subcommands v1.2.0
 	github.com/gosuri/uitable v0.0.4
 	github.com/hashicorp/go-uuid v1.0.2
@@ -33,8 +33,8 @@ require (
 	github.com/knqyf263/go-cpe v0.0.0-20201213041631-54f6ab28673f
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
 	github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936
+	github.com/kotakanbe/go-cve-dictionary v0.6.0
 	github.com/knqyf263/gost v0.2.0
-	github.com/kotakanbe/go-cve-dictionary v0.15.14
 	github.com/kotakanbe/go-pingscanner v0.1.0
 	github.com/kotakanbe/goval-dictionary v0.3.6-0.20210625044258-9be85404d7dd
 	github.com/kotakanbe/logrus-prefixed-formatter v0.0.0-20180123152602-928f7356cb96
@@ -54,12 +54,11 @@ require (
 	github.com/spf13/viper v1.8.1 // indirect
 	github.com/takuzoo3868/go-msfdb v0.1.5
 	github.com/vulsio/go-exploitdb v0.1.8-0.20210625021845-e5081ca67229
-	go.opentelemetry.io/otel/internal/metric v0.21.0 // indirect
 	golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e // indirect
 	golang.org/x/net v0.0.0-20210614182718-04defd469f4e // indirect
 	golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	golang.org/x/sys v0.0.0-20210616094352-59db8d763f22 // indirect
+	golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
 	gorm.io/driver/mysql v1.1.1 // indirect
 	gorm.io/gorm v1.21.11 // indirect

diff --git a/go.sum b/go.sum
@@ -504,8 +504,8 @@ github.com/go-redis/redis/v8 v8.4.0/go.mod h1:A1tbYoHSa1fXwN+//ljcCYYJeLmVrwL9hb
 github.com/go-redis/redis/v8 v8.4.10/go.mod h1:d5yY/TlkQyYBSBHnXUmnf1OrHbyQere5JV4dLKwvXmo=
 github.com/go-redis/redis/v8 v8.4.11/go.mod h1:d5yY/TlkQyYBSBHnXUmnf1OrHbyQere5JV4dLKwvXmo=
 github.com/go-redis/redis/v8 v8.8.0/go.mod h1:F7resOH5Kdug49Otu24RjHWwgK7u9AmtqWMnCV1iP5Y=
-github.com/go-redis/redis/v8 v8.10.0 h1:OZwrQKuZqdJ4QIM8wn8rnuz868Li91xA3J2DEq+TPGA=
-github.com/go-redis/redis/v8 v8.10.0/go.mod h1:vXLTvigok0VtUX0znvbcEW1SOt4OA9CU1ZfnOtKOaiM=
+github.com/go-redis/redis/v8 v8.11.0 h1:O1Td0mQ8UFChQ3N9zFQqo6kTU2cJ+/it88gDB+zg0wo=
+github.com/go-redis/redis/v8 v8.11.0/go.mod h1:DLomh7y2e3ggQXQLd1YgmvIfecPJoFl7WU5SOQ/r06M=
 github.com/go-restruct/restruct v0.0.0-20191227155143-5734170a48a1 h1:LoN2wx/aN8JPGebG+2DaUyk4M+xRcqJXfuIbs8AWHdE=
 github.com/go-restruct/restruct v0.0.0-20191227155143-5734170a48a1/go.mod h1:KqrpKpn4M8OLznErihXTGLlsXFGeLxHUrLRRI/1YjGk=
 github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
@@ -928,8 +928,8 @@ github.com/knqyf263/nested v0.0.1/go.mod h1:zwhsIhMkBg90DTOJQvxPkKIypEHPYkgWHs4g
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/kotakanbe/go-cve-dictionary v0.15.14 h1:9NY5p9on+zLy1qBJuVxSEzJdkwXyRiVzxFXmESxXthg=
-github.com/kotakanbe/go-cve-dictionary v0.15.14/go.mod h1:E/CipfNDV31W39MH9QtgkA12JFBMe/3CELxXVvPRphQ=
+github.com/kotakanbe/go-cve-dictionary v0.6.0 h1:HNSzAJ8gRDmM9heKLUhYx68V+i+dHMnXyKg8ZcvI+ac=
+github.com/kotakanbe/go-cve-dictionary v0.6.0/go.mod h1:Ht9ESpkhbQtdVRoo/lEPZ6B8j6lVUsfRkxpfl6FlwD8=
 github.com/kotakanbe/go-pingscanner v0.1.0 h1:VG4/9l0i8WeToXclj7bIGoAZAu7a07Z3qmQiIfU0gT0=
 github.com/kotakanbe/go-pingscanner v0.1.0/go.mod h1:/761QZzuZFcfN8h/1QuawUA+pKukp3qcNj5mxJCOiAk=
 github.com/kotakanbe/goval-dictionary v0.3.6-0.20210625044258-9be85404d7dd h1:hnkOzwlknmNU64P5UaQzAZcyNnuSsCz/PIt/P/ZPKYg=
@@ -1472,22 +1472,9 @@ go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
 go.opentelemetry.io/otel v0.14.0/go.mod h1:vH5xEuwy7Rts0GNtsCW3HYQoZDY+OmBJ6t1bFGGlxgw=
 go.opentelemetry.io/otel v0.16.0/go.mod h1:e4GKElweB8W2gWUqbghw0B8t5MCTccc9212eNHnOHwA=
 go.opentelemetry.io/otel v0.19.0/go.mod h1:j9bF567N9EfomkSidSfmMwIwIBuP37AMAIzVW85OxSg=
-go.opentelemetry.io/otel v0.20.0/go.mod h1:Y3ugLH2oa81t5QO+Lty+zXf8zC9L26ax4Nzoxm/dooo=
-go.opentelemetry.io/otel v1.0.0-RC1 h1:4CeoX93DNTWt8awGK9JmNXzF9j7TyOu9upscEdtcdXc=
-go.opentelemetry.io/otel v1.0.0-RC1/go.mod h1:x9tRa9HK4hSSq7jf2TKbqFbtt58/TGk0f9XiEYISI1I=
-go.opentelemetry.io/otel/internal/metric v0.21.0 h1:gZlIBo5O51hZOOZz8vEcuRx/l5dnADadKfpT70AELoo=
-go.opentelemetry.io/otel/internal/metric v0.21.0/go.mod h1:iOfAaY2YycsXfYD4kaRSbLx2LKmfpKObWBEv9QK5zFo=
 go.opentelemetry.io/otel/metric v0.19.0/go.mod h1:8f9fglJPRnXuskQmKpnad31lcLJ2VmNNqIsx/uIwBSc=
-go.opentelemetry.io/otel/metric v0.20.0/go.mod h1:598I5tYlH1vzBjn+BTuhzTCSb/9debfNp6R3s7Pr1eU=
-go.opentelemetry.io/otel/metric v0.21.0 h1:ZtcJlHqVE4l8Su0WOLOd9fEPheJuYEiQ0wr9wv2p25I=
-go.opentelemetry.io/otel/metric v0.21.0/go.mod h1:JWCt1bjivC4iCrz/aCrM1GSw+ZcvY44KCbaeeRhzHnc=
 go.opentelemetry.io/otel/oteltest v0.19.0/go.mod h1:tI4yxwh8U21v7JD6R3BcA/2+RBoTKFexE/PJ/nSO7IA=
-go.opentelemetry.io/otel/oteltest v0.20.0/go.mod h1:L7bgKf9ZB7qCwT9Up7i9/pn0PWIa9FqQ2IQ8LoxiGnw=
-go.opentelemetry.io/otel/oteltest v1.0.0-RC1/go.mod h1:+eoIG0gdEOaPNftuy1YScLr1Gb4mL/9lpDkZ0JjMRq4=
 go.opentelemetry.io/otel/trace v0.19.0/go.mod h1:4IXiNextNOpPnRlI4ryK69mn5iC84bjBWZQA5DXz/qg=
-go.opentelemetry.io/otel/trace v0.20.0/go.mod h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16gUEi0Nf1iBdgw=
-go.opentelemetry.io/otel/trace v1.0.0-RC1 h1:jrjqKJZEibFrDz+umEASeU3LvdVyWKlnTh7XEfwrT58=
-go.opentelemetry.io/otel/trace v1.0.0-RC1/go.mod h1:86UHmyHWFEtWjfWPSbu0+d0Pf9Q6e1U+3ViBOc+NXAg=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
@@ -1777,8 +1764,8 @@ golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210616094352-59db8d763f22 h1:RqytpXGR1iVNX7psjB3ff8y7sNFinVFvkx1c8SjBkio=
-golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c h1:F1jZWGFhYfh0Ci55sIpILtKKK8p3i2/krTr0H1rg74I=
+golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=

diff --git a/models/vulninfos.go b/models/vulninfos.go
@@ -808,8 +808,11 @@ func (c Confidence) String() string {
 type DetectionMethod string
 
 const (
-	// CpeNameMatchStr is a String representation of CpeNameMatch
-	CpeNameMatchStr = "CpeNameMatch"
+	// CpeVersionMatchStr is a String representation of CpeNameMatch
+	CpeVersionMatchStr = "CpeVersionMatch"
+
+	// CpeVendorProductMatchStr is a String representation of CpeNameMatch
+	CpeVendorProductMatchStr = "CpeVendorProductMatch"
 
 	// YumUpdateSecurityMatchStr is a String representation of YumUpdateSecurityMatch
 	YumUpdateSecurityMatchStr = "YumUpdateSecurityMatch"
@@ -852,8 +855,8 @@ const (
 )
 
 var (
-	// CpeNameMatch is a ranking how confident the CVE-ID was detected correctly
-	CpeNameMatch = Confidence{100, CpeNameMatchStr, 1}
+	// CpeVersionMatch is a ranking how confident the CVE-ID was detected correctly
+	CpeVersionMatch = Confidence{100, CpeVersionMatchStr, 1}
 
 	// YumUpdateSecurityMatch is a ranking how confident the CVE-ID was detected correctly
 	YumUpdateSecurityMatch = Confidence{100, YumUpdateSecurityMatchStr, 2}
@@ -887,4 +890,7 @@ var (
 
 	// WpScanMatch is a ranking how confident the CVE-ID was detected correctly
 	WpScanMatch = Confidence{100, WpScanMatchStr, 0}
+
+	// CpeVendorProductMatch is a ranking how confident the CVE-ID was detected correctly
+	CpeVendorProductMatch = Confidence{10, CpeVendorProductMatchStr, 9}
 )
diff --git a/models/vulninfos_test.go b/models/vulninfos_test.go
@@ -1037,20 +1037,20 @@ func TestAppendIfMissing(t *testing.T) {
 	}{
 		{
 			in: Confidences{
-				CpeNameMatch,
+				CpeVersionMatch,
 			},
-			arg: CpeNameMatch,
+			arg: CpeVersionMatch,
 			out: Confidences{
-				CpeNameMatch,
+				CpeVersionMatch,
 			},
 		},
 		{
 			in: Confidences{
-				CpeNameMatch,
+				CpeVersionMatch,
 			},
 			arg: ChangelogExactMatch,
 			out: Confidences{
-				CpeNameMatch,
+				CpeVersionMatch,
 				ChangelogExactMatch,
 			},
 		},
@@ -1071,21 +1071,21 @@ func TestSortByConfident(t *testing.T) {
 		{
 			in: Confidences{
 				OvalMatch,
-				CpeNameMatch,
+				CpeVersionMatch,
 			},
 			out: Confidences{
 				OvalMatch,
-				CpeNameMatch,
+				CpeVersionMatch,
 			},
 		},
 		{
 			in: Confidences{
-				CpeNameMatch,
+				CpeVersionMatch,
 				OvalMatch,
 			},
 			out: Confidences{
 				OvalMatch,
-				CpeNameMatch,
+				CpeVersionMatch,
 			},
 		},
 	}

diff --git a/scanner/base.go b/scanner/base.go
@@ -62,7 +62,7 @@ type osPackages struct {
 	// enabled dnf modules or packages
 	EnabledDnfModules []string
 
-	// unsecure packages
+	// Detected Vulnerabilities Key: CVE-ID
 	VulnInfos models.VulnInfos
 
 	// kernel information

diff --git a/tui/tui.go b/tui/tui.go
@@ -1014,7 +1014,7 @@ CWE
 Confidence
 -----------
 {{range $confidence := .Confidences -}}
-* {{$confidence.DetectionMethod}}
+* {{$confidence.Score}} / {{$confidence.DetectionMethod}}
 {{end}}
 References
 -----------