Open
Description
Short description
I analyze a private registry (with more than 100 images) and I keep a history of the scans I do once a week. To be able to track the vulnerabilities, it would be very useful to have the date on which a vulnerable was identified (CVE for example).
In the section Expected results I add the JSON of the analysis of an image by adding the parameter "first_detection" : "20190312" inside the CVE.
Expected results
{
"id": "58667994ed253915723c50e7",
"image_name": "jboss/wildfly",
"status": "Completed",
"timestamp": "2016-12-14 13:17:12.802486",
"static_analysis": {
...,...,
"os_packages": {
{.., ..}
"os_packages_details": [
{..,..}
{
...,
...
"vulnerabilities": [
{
"CVE-2015-1345": {
"first_detection" : "20190312"
"cveid": "CVE-2015-1345",
"cvss_access_complexity": "Low",
"cvss_access_vector": "Local access",
"cvss_authentication": "None required",
"cvss_availability_impact": "Partial",
"cvss_base": 2.1,
"cvss_confidentiality_impact": "None",
"cvss_exploit": 3.9,
"cvss_impact": 2.9,
"cvss_integrity_impact": "None",
"cvss_vector": [
"AV:L",
"AC:L",
"Au:N",
"C:N",
"I:N",
"A:P"
],
"cweid": "CWE-119",
"mod_date": "23-12-2016",
"pub_date": "12-02-2015",
"summary": "The bmexec_trans function in kwset.c in grep 2.19 through 2.21 allows local users to cause a denial of service (out-of-bounds heap read and crash) via crafted input when using the -F option."
}
}
]
},
Adicional tests
Additionally we have tried to make a post as indicated in the wiki for adds a new image analysis to the image history. We thought we could add a new analysis and modify the json of the post to accept this new field. But when we tried to make the post with the data of the example without modifying we got an error:
Post like the example without modify
curl http://localhost:5000/v1/history/image:test -X POST -d {"image_name":"jboss/wildfly","status":"Completed","timestamp":1494609523.342605,"static_analysis":{"malware_binaries":[{"file":"/tmp/test/removal-tool.exe","malware":"Worm.Sober"},{"file":"/tmp/test/error.hta","malware":"VBS.Inor.D"}],"os_packages":{"total_os_packages":182,"vuln_os_packages":41,"ok_os_packages":141,"os_packages_details":[{"product":"sed","version":"4.2.2","is_vulnerable":false,"is_false_positive":false,"vulnerabilities":[]},{"product":"grep","version":"2.20","is_vulnerable":true,"is_false_positive":false,"vulnerabilities":[{"CVE-2015-1345":{"cveid":"CVE-2015-1345","cvss_access_complexity":"Low","cvss_access_vector":"Local access","cvss_authentication":"None required","cvss_availability_impact":"Partial","cvss_base":2.1,"cvss_confidentiality_impact":"None","cvss_exploit":3.9,"cvss_impact":2.9,"cvss_integrity_impact":"None","cvss_vector":["AV:L","AC:L","Au:N","C:N","I:N","A:P"],"cweid":"CWE-119","mod_date":"23-12-2016","pub_date":"12-02-2015","summary":"The bmexec_trans function in kwset.c in grep 2.19 through 2.21 allows local users to cause a denial of service (out-of-bounds heap read and crash) via crafted input when using the -F option."}}]},[...],{"product":"sqlite","version":"3.7.17","is_vulnerable":false,"is_false_positive":false,"vulnerabilities":[]}]},"prog_lang_dependencies":{"vuln_dependencies":1,"dependencies_details":{"java":[],"js":[],"nodejs":[],"php":[],"python":[{"product":"lxml","version":"1.0.1","product_file_path":"/opt/jboss/python/lxml.1.0.1.py","is_vulnerable":true,"is_false_positive":false,"vulnerabilities":[{"CVE-2014-3146":{"cveid":"CVE-2014-3146","cvss_access_complexity":"Medium","cvss_access_vector":"Network","cvss_authentication":"None required","cvss_availability_impact":"None","cvss_base":4.3,"cvss_confidentiality_impact":"None","cvss_exploit":8.6,"cvss_impact":2.9,"cvss_integrity_impact":"Partial","cvss_vector":["AV:N","AC:M","Au:N","C:N","I:P","A:N"],"cweid":"CWE-0","mod_date":"14-04-2015","pub_date":"14-05-2014","summary":"Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function."}}]}],"ruby":[]}}}}
Dagda API server response
{"err": 500, "msg": "Internal Server Error"}
Post without format
curl http://localhost:5000/v1/history/image:test -X POST -d {'test':1, 'hola':2}
Dagda API server response
{"err": 500, "msg": "Internal Server Error"}
Dagda Server Error
In both cases, checking the logs of the server I got the same error.
<2019-02-27 13:27:42,509> <ERROR> <DagdaServer> <app> <log_exception:1761> <Exception on /v1/history/image:test [POST]>
Traceback (most recent call last):
File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 2292, in wsgi_app
response = self.full_dispatch_request()
File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1815, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/usr/local/lib/python3.5/dist-packages/flask_cors/extension.py", line 161, in wrapped_function
return cors_after_request(app.make_response(f(*args, **kwargs)))
File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1718, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/usr/local/lib/python3.5/dist-packages/flask/_compat.py", line 35, in reraise
raise value
File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1813, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1799, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/home/a2/dagda/dagda/api/service/history.py", line 52, in post_image_analysis_to_the_history
data = json.loads(request.data.decode('utf-8'))
File "/usr/lib/python3.5/json/__init__.py", line 319, in loads
return _default_decoder.decode(s)
File "/usr/lib/python3.5/json/decoder.py", line 339, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib/python3.5/json/decoder.py", line 357, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)