
Add first detection date to the cves image report #53

Open
@ilcapone


Short description

I analyze a private registry (with more than 100 images) and keep a history of the scans, which I run once a week. To track vulnerabilities over time, it would be very useful to have the date on which each vulnerability (a CVE, for example) was first identified.
In the "Expected results" section below I show the JSON of an image analysis with the proposed field "first_detection" : "20190312" added inside the CVE entry.

Expected results

{
        "id": "58667994ed253915723c50e7",
        "image_name": "jboss/wildfly",
        "status": "Completed",
        "timestamp": "2016-12-14 13:17:12.802486",
        "static_analysis": {
            ...,...,
            "os_packages": {
                {.., ..}
                "os_packages_details": [
                    {..,..}
                    {
                        ...,
						...
                        "vulnerabilities": [
                            {
                                "CVE-2015-1345": {
				   "first_detection" : "20190312"
                                    "cveid": "CVE-2015-1345",
                                    "cvss_access_complexity": "Low",
                                    "cvss_access_vector": "Local access",
                                    "cvss_authentication": "None required",
                                    "cvss_availability_impact": "Partial",
                                    "cvss_base": 2.1,
                                    "cvss_confidentiality_impact": "None",
                                    "cvss_exploit": 3.9,
                                    "cvss_impact": 2.9,
                                    "cvss_integrity_impact": "None",
                                    "cvss_vector": [
                                        "AV:L",
                                        "AC:L",
                                        "Au:N",
                                        "C:N",
                                        "I:N",
                                        "A:P"
                                    ],
                                    "cweid": "CWE-119",
                                    "mod_date": "23-12-2016",
                                    "pub_date": "12-02-2015",
                                    "summary": "The bmexec_trans function in kwset.c in grep 2.19 through 2.21 allows local users to cause a denial of service (out-of-bounds heap read and crash) via crafted input when using the -F option."
                                }
                            }
                        ]
                    },

Additional tests

Additionally, we tried to make a POST request, as indicated in the wiki, to add a new image analysis to the image history. We thought we could add a new analysis and modify the JSON of the POST body to include this new field. But when we tried the POST with the example data, unmodified, we got an error:

POST like the example, without modification

curl http://localhost:5000/v1/history/image:test -X POST -d {"image_name":"jboss/wildfly","status":"Completed","timestamp":1494609523.342605,"static_analysis":{"malware_binaries":[{"file":"/tmp/test/removal-tool.exe","malware":"Worm.Sober"},{"file":"/tmp/test/error.hta","malware":"VBS.Inor.D"}],"os_packages":{"total_os_packages":182,"vuln_os_packages":41,"ok_os_packages":141,"os_packages_details":[{"product":"sed","version":"4.2.2","is_vulnerable":false,"is_false_positive":false,"vulnerabilities":[]},{"product":"grep","version":"2.20","is_vulnerable":true,"is_false_positive":false,"vulnerabilities":[{"CVE-2015-1345":{"cveid":"CVE-2015-1345","cvss_access_complexity":"Low","cvss_access_vector":"Local access","cvss_authentication":"None required","cvss_availability_impact":"Partial","cvss_base":2.1,"cvss_confidentiality_impact":"None","cvss_exploit":3.9,"cvss_impact":2.9,"cvss_integrity_impact":"None","cvss_vector":["AV:L","AC:L","Au:N","C:N","I:N","A:P"],"cweid":"CWE-119","mod_date":"23-12-2016","pub_date":"12-02-2015","summary":"The bmexec_trans function in kwset.c in grep 2.19 through 2.21 allows local users to cause a denial of service (out-of-bounds heap read and crash) via crafted input when using the -F option."}}]},[...],{"product":"sqlite","version":"3.7.17","is_vulnerable":false,"is_false_positive":false,"vulnerabilities":[]}]},"prog_lang_dependencies":{"vuln_dependencies":1,"dependencies_details":{"java":[],"js":[],"nodejs":[],"php":[],"python":[{"product":"lxml","version":"1.0.1","product_file_path":"/opt/jboss/python/lxml.1.0.1.py","is_vulnerable":true,"is_false_positive":false,"vulnerabilities":[{"CVE-2014-3146":{"cveid":"CVE-2014-3146","cvss_access_complexity":"Medium","cvss_access_vector":"Network","cvss_authentication":"None 
required","cvss_availability_impact":"None","cvss_base":4.3,"cvss_confidentiality_impact":"None","cvss_exploit":8.6,"cvss_impact":2.9,"cvss_integrity_impact":"Partial","cvss_vector":["AV:N","AC:M","Au:N","C:N","I:P","A:N"],"cweid":"CWE-0","mod_date":"14-04-2015","pub_date":"14-05-2014","summary":"Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function."}}]}],"ruby":[]}}}}

Dagda API server response

{"err": 500, "msg": "Internal Server Error"}

Post without format

curl http://localhost:5000/v1/history/image:test -X POST -d {'test':1, 'hola':2}

Dagda API server response
{"err": 500, "msg": "Internal Server Error"}

Dagda Server Error

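In both cases, checking the server logs, I got the same error. The traceback shows `json.loads` in `history.py` (line 52) raising `JSONDecodeError` at character 0, i.e. the body the handler read was not valid JSON (possibly because the `-d` payload is not quoted for the shell and no JSON Content-Type header is sent), and the uncaught exception is returned as a 500 instead of a client-error response.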

<2019-02-27 13:27:42,509> <ERROR> <DagdaServer> <app> <log_exception:1761> <Exception on /v1/history/image:test [POST]>
Traceback (most recent call last):
  File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 2292, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1815, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python3.5/dist-packages/flask_cors/extension.py", line 161, in wrapped_function
    return cors_after_request(app.make_response(f(*args, **kwargs)))
  File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1718, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python3.5/dist-packages/flask/_compat.py", line 35, in reraise
    raise value
  File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1813, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1799, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/home/a2/dagda/dagda/api/service/history.py", line 52, in post_image_analysis_to_the_history
    data = json.loads(request.data.decode('utf-8'))
  File "/usr/lib/python3.5/json/__init__.py", line 319, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python3.5/json/decoder.py", line 339, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python3.5/json/decoder.py", line 357, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
