Releases: future-architect/vuls
v0.19.5
What's Changed
- fix(oval/suse): use def.Advisory.Cves[0].CveID instead of def.Title by @MaineK00n in #1397
- refactor(detector): standardize db.NewDB to db.CloseDB by @MaineK00n in #1380
- fix: nil pointer when no match for any OS by @kotakanbe in #1401
- fix: handling when image contains no trivy-target by @Nikkely in #1405
- chore: update trivy from 0.23.0 to 0.24.02 by @Nikkely in #1407
- feat: replace NVD-column with packages-column at output of report by @Masato516 in #1414
- feat(library): add auto detect library by @MaineK00n in #1417
- chore(mod): update go-kev module by @MaineK00n in #1425
- chore: add fvuls image by @MaineK00n in #1426
- feat(inthewild): support inTheWild PoCs by @MaineK00n in #1428
Full Changelog: v0.19.4...v0.19.5
v0.19.4
What's new in v0.19.4
- SLES15, SLES12SP5, openSUSE, and SLED support
What's Changed
- feat(debian): validate running kernel version by @MaineK00n in #1382
- feat(configtest,scan): detect known_hosts error by @MaineK00n in #1386
- fix(redhat): detect RedHat version by @MaineK00n in #1387
- fix(configtest,scan): support SSH config file by @MaineK00n in #1388
- fix(util): Major() behavior for major version by @MaineK00n in #1393
- fix(suse): fix openSUSE, openSUSE Leap, SLES, SLED scan by @MaineK00n in #1384
- fix(configtest,scan): fix validateSSHConfig by @MaineK00n in #1395
Full Changelog: v0.19.3...v0.19.4
v0.19.3
What's new in v0.19.3
TL;DR
How it works
Vulnerable Fedora Environment Setup
Deliberately downgrade the mysql package so that FEDORA-MODULAR-2021-217f84c072 is detected.
- Dockerfile
FROM fedora:35
RUN dnf -y install openssh-server glibc-langpack-en
RUN mkdir /var/run/sshd
RUN sed -i 's/#\?PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
RUN sed -i 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' /etc/pam.d/sshd
ENV NOTVISIBLE "in users profile"
RUN echo "export VISIBLE=now" >> /etc/profile
COPY .ssh/id_rsa.pub /root/authorized_keys
RUN mkdir ~/.ssh && \
mv ~/authorized_keys ~/.ssh/authorized_keys && \
chmod 0600 ~/.ssh/authorized_keys
RUN ssh-keygen -A
RUN rm -rf /run/nologin
EXPOSE 22
# Vuls Setting
RUN dnf -y install dnf-utils which lsof iproute
# FEDORA-MODULAR-2021-217f84c072
RUN dnf module install -y mysql && dnf downgrade -y mysql
CMD ["/usr/sbin/sshd", "-D"]
Check the community-mysql package version:
$ docker build -t vuls-target -f Dockerfile .
$ docker run --rm -itd -p 2222:22 vuls-target
$ ssh -i ~/.ssh/id_rsa -p 2222 [email protected]
[root@615d6b9247ec /]# cat /etc/fedora-release
Fedora release 35 (Thirty Five)
[root@615d6b9247ec /]# rpm -qa | grep community-mysql
community-mysql-common-8.0.26-1.module_f35+12627+b26747dd.x86_64
community-mysql-8.0.26-1.module_f35+12627+b26747dd.x86_64
community-mysql-errmsg-8.0.26-1.module_f35+12627+b26747dd.x86_64
community-mysql-server-8.0.26-1.module_f35+12627+b26747dd.x86_64
Vulnerability Detection (dnf updateinfo --security vs vuls report)
dnf updateinfo --security
The mysql package we just installed is a modular package, so the advisory starting with FEDORA-MODULAR- should be presented.
However, the actual advisory provided relates to a non-modular package of the same name.
[root@615d6b9247ec /]# dnf updateinfo --security --info
Last metadata expiration check: 0:02:24 ago on Thu Feb 3 04:47:52 2022.
===============================================================================
community-mysql-8.0.27-1.fc35
===============================================================================
Update ID: FEDORA-2021-46dc82116b
Type: security
Updated: 2021-11-10 02:52:52
Bugs: 2015421 - community-mysql-8.0.27 is available
: 2016141 - CVE-2021-2478 CVE-2021-2479 CVE-2021-2481 CVE-2021-35546 CVE-2021-35575 CVE-2021-35577 CVE-2021-35591 CVE-2021-35596 CVE-2021-35597 CVE-2021-35602 CVE-2021-35604 CVE-2021-35607 CVE-2021-35608 CVE-2021-35610 ... community-mysql: various flaws [fedora-all]
Description: **MySQL 8.0.27**
:
: Release notes:
:
: https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-27.html
Severity: Moderate
vuls
vuls report
FixedIn is displayed correctly as module to module!
$ vuls report --format-full-text
...
+----------------+----------------------------------------------------------------------------------+
| CVE-2021-35610 | FIXED |
+----------------+----------------------------------------------------------------------------------+
| Max Score | 7.1 MODERATE (redhat_api) |
| redhat_api | 7.1/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H MODERATE |
| nvd | 7.1/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H HIGH |
| jvn | 7.1/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H HIGH |
| Vendor | 4.0-6.9 MODERATE |
| nvd | 5.5/AV:N/AC:L/Au:S/C:N/I:P/A:P MEDIUM |
| jvn | 5.5/AV:N/AC:L/Au:S/C:N/I:P/A:P MEDIUM |
| Summary | **MySQL 8.0.27** Release notes: |
| | https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-27.html |
| Primary Src | https://www.oracle.com/security-alerts/cpuoct2021.html |
| Primary Src | https://nvd.nist.gov/vuln/detail/CVE-2021-35610 |
| Primary Src | https://bodhi.fedoraproject.org/updates/FEDORA-MODULAR-2021-217f84c072 |
| Patch | https://www.oracle.com/security-alerts/cpuoct2021.html |
| Affected Pkg | community-mysql-8.0.26-1.module_f35+12627+b26747dd |
| | -> 8.0.27-1.module_f35+13269+c9322734 (FixedIn: |
| | 0:8.0.27-1.module_f35+13269+c9322734) (updates-modular) |
| Affected Pkg | community-mysql-common-8.0.26-1.module_f35+12627+b26747dd |
| | -> 8.0.27-1.module_f35+13269+c9322734 (FixedIn: |
| | 0:8.0.27-1.module_f35+13269+c9322734) (updates-modular) |
| Affected Pkg | community-mysql-errmsg-8.0.26-1.module_f35+12627+b26747dd |
| | -> 8.0.27-1.module_f35+13269+c9322734 (FixedIn: |
| | 0:8.0.27-1.module_f35+13269+c9322734) (updates-modular) |
| Affected Pkg | community-mysql-server-8.0.26-1.module_f35+12627+b26747dd |
| | -> 8.0.27-1.module_f35+13269+c9322734 (FixedIn: |
| | 0:8.0.27-1.module_f35+13269+c9322734) (updates-modular) |
| Confidence | 100 / OvalMatch |
| CWE | NVD-CWE-noinfo: (nvd) |
| CWE | https://cwe.mitre.org/data/definitions/NVD-CWE-noinfo.html |
+----------------+----------------------------------------------------------------------------------+
...
vuls tui
Looking at the TUI, we have succeeded in getting the advisory we really want: FEDORA-MODULAR-2021-217f84c072!
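The mismatch shown above (a modular build installed, a non-modular advisory offered) can be screened for by comparing the kind of build on both sides. The following is an added example, not code from vuls; the `Advisory` type and the `isModular` and `Applicable` helpers are hypothetical names, and the check assumes the `.module_` marker in the release string is enough to tell the two kinds apart.

```go
package main

import (
	"fmt"
	"strings"
)

// Advisory pairs an update ID with the fixed version-release it ships.
type Advisory struct{ ID, FixedVR string }

// isModular reports whether a version-release string carries the ".module_"
// marker seen in the modular builds on this page.
func isModular(vr string) bool {
	i := strings.LastIndex(vr, "-") // release is everything after the last hyphen
	return i >= 0 && strings.Contains(vr[i+1:], ".module_")
}

// Applicable keeps only advisories whose fixed build is the same kind
// (modular or non-modular) as the installed build. Simplification: real
// module matching also has to compare module name and stream.
func Applicable(installedVR string, advs []Advisory) []Advisory {
	var out []Advisory
	for _, a := range advs {
		if isModular(a.FixedVR) == isModular(installedVR) {
			out = append(out, a)
		}
	}
	return out
}

// Values copied from the dnf and vuls output above.
const installed = "8.0.26-1.module_f35+12627+b26747dd"

var candidates = []Advisory{
	{"FEDORA-2021-46dc82116b", "8.0.27-1.fc35"},
	{"FEDORA-MODULAR-2021-217f84c072", "8.0.27-1.module_f35+13269+c9322734"},
}

func main() {
	for _, a := range Applicable(installed, candidates) {
		fmt.Println(a.ID, "->", a.FixedVR)
	}
}
```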
What's Changed
- chore: update git submodule for integration test by @kotakanbe in #1364
- fix(scanner/base) export libFile struct by @sadayuki-matsuno in #1365
- fix(scanner/base) export libFile fields by @sadayuki-matsuno in #1366
- feat(libscan): support trivy v0.23.0 by @kotakanbe in #1377
- fix(oval): fix query in PostgreSQL by @MaineK00n in #1372
- feat(alpine): add Alpine 3.14, 3.15 EOL by @MaineK00n in #1359
- fix(gost): add nil check by @MaineK00n in #1379
- fix(centos): identify CentOS and CentOS Stream by @MaineK00n in #1360
- feat(fedora): support fedora by @maito1201 in #1367
- chore(oval): update mod by @MaineK00n in #1385
New Contributors
- @maito1201 made their first contribution in #1367
Full Changelog: v0.19.2...v0.19.3
v0.19.2
Updated Trivy dependencies.
pom.xml Support
pom (pseudo)
============
Total: 4 (Critical:2 High:1 Medium:1 Low:0 ?:0)
4/4 Fixed, 1 poc, 0 exploits, cisa: 1, uscert: 0, jpcert: 0 alerts
0 installed, 2 libs
+----------------+------+--------+-----+-----------+---------+-------------------------------------------------+
| CVE-ID | CVSS | ATTACK | POC | ALERT | FIXED | NVD |
+----------------+------+--------+-----+-----------+---------+-------------------------------------------------+
| CVE-2021-44228 | 10.0 | AV:N | POC | CISA | fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-44228 |
| CVE-2021-45046 | 10.0 | AV:N | | | fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-45046 |
| CVE-2021-45105 | 7.5 | AV:N | | | fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-45105 |
| CVE-2021-44832 | 6.9 | | | | fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-44832 |
+----------------+------+--------+-----+-----------+---------+-------------------------------------------------+
Go binary Support
gobinary (pseudo)
=================
Total: 2 (Critical:0 High:1 Medium:0 Low:0 ?:1)
2/2 Fixed, 0 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 1 libs
+----------------+------+--------+-----+-----------+---------+-------------------------------------------------+
| CVE-ID | CVSS | ATTACK | POC | ALERT | FIXED | NVD |
+----------------+------+--------+-----+-----------+---------+-------------------------------------------------+
| CVE-2020-14040 | 8.9 | AV:N | | | fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-14040 |
| CVE-2021-38561 | 0.0 | | | | fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-38561 |
+----------------+------+--------+-----+-----------+---------+-------------------------------------------------+
What's Changed
- chore(deps): bump github.com/aquasecurity/trivy from 0.20.0 to 0.22.0 by @dependabot in #1350
New Contributors
- @dependabot made their first contribution in #1350
Full Changelog: v0.19.1...v0.19.2
v0.19.1
Vuls v0.19.1 should be used with go-kev v0.1.0.
The schema of go-kev v0.1.0 has changed, so you will need to recreate the database.
For details, see https://github.com/vulsio/go-kev/releases/tag/v0.1.0
Changelog
- a3f7d1d feat(go-kev): update go-kev deps (#1352)
- bb4a1ca GPLv3 (#1351)
- 57cce64 Create SECURITY.md
- 1eb5d36 fix configtest stalled with scanMode=fast-root (#1339)
- 6bc4850 fix(detector/ospkg): Skip OVAL/gost search when the number of packages is 0 (#1343)
- 24005ae chore(GHActions): replace with dependabot (#1348)
- 7aa296b fix(oval): fix RDB query (#1347)
- 3829ed2 Fix the parsing logic of FreeBSD pkg-audit (#1334)
- 2b7294a feat(amazon): support amazon linux 2022 (#1338)
v0.19.0
What's new in v0.19.0
TL;DR
- The Cybersecurity & Infrastructure Security Agency (CISA) has released a list of CVE-IDs whose attack code is publicly available and is actually used in real-world attacks (the Known Exploited Vulnerabilities (KEV) Catalog).
- vulsio/go-kev now manages KEV Catalog information.
- Vuls v0.19.0 works with vulsio/go-kev to display alerts for CVE-IDs in the KEV Catalog.
How it works
vuls report
$ vuls report
...
vuls-target (debian10.11)
=========================
Total: 225 (Critical:20 High:79 Medium:95 Low:16 ?:15)
0/222 Fixed, 67 poc, 0 exploits, cisa: 2, uscert: 4, jpcert: 6 alerts
218 installed
+---------------------+------+--------+-----+-----------+---------+---------------------------------------------------+
| CVE-ID | CVSS | ATTACK | POC | ALERT | FIXED | NVD |
+---------------------+------+--------+-----+-----------+---------+---------------------------------------------------+
...
| CVE-2021-42013 | 9.8 | AV:N | POC | CISA/CERT | | https://nvd.nist.gov/vuln/detail/CVE-2021-42013 |
...
| CVE-2021-41524 | 7.5 | AV:N | | CERT | | https://nvd.nist.gov/vuln/detail/CVE-2021-41524 |
| CVE-2021-41773 | 7.5 | AV:N | POC | CISA/CERT | | https://nvd.nist.gov/vuln/detail/CVE-2021-41773 |
| CVE-2008-4609 | 7.1 | AV:N | | CERT | unfixed | https://nvd.nist.gov/vuln/detail/CVE-2008-4609 |
...
vuls tui
What is the Known Exploited Vulnerabilities Catalog?
On November 3, 2021, the Cybersecurity & Infrastructure Security Agency (CISA) released Binding Operational Directive 22-1 (BOD 22-1) for government agencies.
BOD 22-1 published the Known Exploited Vulnerabilities (KEV) Catalog, which is "a list of CVE-IDs whose attack code is available and is actually used in real-world attacks".
BOD 22-1 requires that if a vulnerability listed in the KEV Catalog exists in a U.S. government system, it must be fixed within a specified period of time and by a specified method.
Currently, CVEs are scored under the Common Vulnerability Scoring System (CVSS). CVSS does not take into consideration whether a vulnerability has ever been used to exploit a system in the wild. The CVEs listed in the KEV Catalog are a collection of real threats that have been used to compromise systems in the real world.
Reference
- BOD 22-1: https://cyber.dhs.gov/bod/22-01/
- Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Changelog
0c6a892 style: fix lint (#1335)
89d94ad feat(detector): add known exploited vulnerabilities (#1331)
ffdb789 update dictionaries (#1326)
321dae3 chore: update readme
a31797a Merge branch 'sakura'
32999cf chore: udpate readme
88218f5 chore: update sponsor (#1325)
1576193 chore: update sponsor
0b62842 chore: fix go-sqlite3 deps (#1324)
6bcedde chore: update goval-dictionary (#1323)
2dcbff8 chore: sponsor (#1321)
v0.18.1
Changelog
8659668 fix(cpescan): bug in NvdVendorProductMatch (#1320)
e07b6a9 feat(report): show Amazon ALAS link to report (#1318)
aac5ef1 feat: update-trivy (#1316)
d780a73 add log json option (#1317)
9ef8cee refactor(exploitdb): use pipeline effectively (#1314)
77808a2 feat(go-cve): add error handling (#1313)
177e553 feat(go-exploitdb): add error handling (#1310)
40f8272 feat(go-msfdb): add error handling and support http mode (#1308)
a7eb114 feat(gost): add error handling (#1311)
c73ed7f chore: update find-lock file type (#1309)
v0.18.0
The schema of the DB and Redis has been changed.
Please update each dictionary, delete the old DB, and then fetch it again.
NOTE
In this Release, we are changing the architecture of Redis.
# delete all old keys
$ redis-cli keys "CVE#*" | xargs redis-cli del
$ redis-cli keys "EXPLOIT#*" | xargs redis-cli del
$ redis-cli keys "METASPLOIT#*" | xargs redis-cli del
$ redis-cli keys "OVAL#*" | xargs redis-cli del
We recommend vulsctl/docker, which will automatically upgrade vuls and the dictionary binaries every time you run it.
https://github.com/vulsio/vulsctl/tree/master/docker
Changelog
v0.17.1
These repositories have been moved under vulsio as follows.
- kotakanbe/goval-dictionary => vulsio/goval-dictionary
- kotakanbe/go-cve-dictionary => vulsio/go-cve-dictionary
- knqyf263/gost => vulsio/gost
- takuzoo3868/go-msfdb => vulsio/go-msfdb
Documentation has been updated.
https://github.com/vulsdoc/vuls/pull/169/files