Releases: future-architect/vuls
v0.20.3
v0.20.2
v0.20.1
v0.20.0
Changelog
- 1e45732 chore: bump up version (#1511)
- a06e689 feat(cwe): add cwe top25 2022 (#1504)
- ca3f6b1 feat(amazon): support Amazon Linux 2 Extra Repository (#1510)
- f1c78e4 chore(deps): bump github.com/aquasecurity/trivy from 0.30.3 to 0.30.4 (#1507)
- 2f3b8bf chore(rocky): set Rocky Linux 9 EOL (#1495)
- ab54266 fix(library): fill libraryFixedIns{}.key in ftypes.Pnpm and ftypes.DotNetCore (#1498)
- d79d138 chore(deps): bump github.com/aquasecurity/trivy from 0.30.2 to 0.30.3 (#1499)
- 139f3a8 chore(deps): bump github.com/aquasecurity/trivy from 0.27.1 to 0.30.0 (#1494)
- d1a617c fix(ms): remove duplicate advisories (#1490)
v0.19.8
Changelog
- 48f7597 feat(ms): import gost:MaineK00n/new-windows (#1481)
- 9373131 feat(saas) add vuls tags from env (#1487)
- 999529a feat(scanner): detect host key change (#1406)
- 847d820 feat(os): support Alpine Linux 3.16 (#1479)
- 5234306 feat(cti): add Cyber Threat Intelligence info (#1442)
- 86b60e1 feat(config): support CIDR (#1415)
- 42fdc08 feat(os): support RHEL 9, CentOS Stream 9, Alma Linux 9 (#1465)
- 38b1d62 feat(cwe): update CWE dictionary (#1443)
- 2477f9a chore: tidy go.mod, add arm64 and workflows update (#1461)
- ec6e90a fix getting wp core version string via ssh (#1344)
- 2aca2e4 feat(contrib/trivy) fill image info into scan results (#1475)
- 14518d9 fix(contriv/fvuls) initialize optional map (#1469)
- 948f8c0 add VULS_TAGS env into contiriv future-vuls (#1466)
- 1c1e400 feat(library) output library type when err (#1460)
- 2158fc6 fix: judge by scannedVia (#1456)
v0.19.7
v0.19.6
What's Changed
- feat: support server scan for suse with text/plain by @Nikkely in #1433
- chore(deps): bump github.com/aquasecurity/trivy from 0.24.2 to 0.25.1 by @dependabot in #1436
- chore: fix lint error by @MaineK00n in #1438
- feat: parse OS version from result of trivy-scan by @Nikkely in #1444
- feat(ubuntu): add Jammy Jellyfish(22.04) by @MaineK00n in #1431
- chore(deps): bump github.com/aquasecurity/trivy from 0.25.4 to 0.27.0 by @dependabot in #1451
- chore(deps): update goval-dictionary and gost by @MaineK00n in #1452
Full Changelog: v0.19.5...v0.19.6
v0.19.5
What's Changed
- fix(oval/suse): use def.Advisory.Cves[0].CveID instead of def.Title by @MaineK00n in #1397
- refactor(detector): standardize db.NewDB to db.CloseDB by @MaineK00n in #1380
- fix: nil pointer when no match for any OS by @kotakanbe in #1401
- fix: handling when image contains no trivy-target by @Nikkely in #1405
- chore: update trivy from 0.23.0 to 0.24.02 by @Nikkely in #1407
- feat: replace NVD-column with packages-column at output of report by @Masato516 in #1414
- feat(library): add auto detect library by @MaineK00n in #1417
- chore(mod): update go-kev module by @MaineK00n in #1425
- chore: add fvuls image by @MaineK00n in #1426
- feat(inthewild): support inTheWild PoCs by @MaineK00n in #1428
New Contributors
Full Changelog: v0.19.4...v0.19.5
v0.19.4
What's new in v0.19.4
- SLES15, SLES12SP5, openSUSE, and SLED support
What's Changed
- feat(debian): validate running kernel version by @MaineK00n in #1382
- feat(configtest,scan): detect known_hosts error by @MaineK00n in #1386
- fix(redhat): detect RedHat version by @MaineK00n in #1387
- fix(configtest,scan): support SSH config file by @MaineK00n in #1388
- fix(util): Major() behavior for major version by @MaineK00n in #1393
- fix(suse): fix openSUSE, openSUSE Leap, SLES, SLED scan by @MaineK00n in #1384
- fix(configtest,scan): fix validateSSHConfig by @MaineK00n in #1395
Full Changelog: v0.19.3...v0.19.4
v0.19.3
What's new in v0.19.3
TL;DR
How it works
Vulnerable Fedora Environment Setup
Deliberately downgrade the mysql package so that FEDORA-MODULAR-2021-217f84c072 is detected.
- Dockerfile
```dockerfile
FROM fedora:35

# SSH server so that vuls can scan the container remotely
RUN dnf -y install openssh-server glibc-langpack-en
RUN mkdir /var/run/sshd
# Permit root login over SSH (the scan below connects as root)
RUN sed -i 's/#\?PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
RUN sed -i 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' /etc/pam.d/sshd

ENV NOTVISIBLE="in users profile"
RUN echo "export VISIBLE=now" >> /etc/profile

# Install the public key used for the scan
COPY .ssh/id_rsa.pub /root/authorized_keys
RUN mkdir ~/.ssh && \
    mv ~/authorized_keys ~/.ssh/authorized_keys && \
    chmod 0600 ~/.ssh/authorized_keys

RUN ssh-keygen -A
RUN rm -rf /run/nologin

EXPOSE 22

# Vuls Setting
RUN dnf -y install dnf-utils which lsof iproute

# FEDORA-MODULAR-2021-217f84c072
RUN dnf module install -y mysql && dnf downgrade -y mysql

CMD ["/usr/sbin/sshd", "-D"]
```
Check the community-mysql package version:

```
$ docker build -t vuls-target -f Dockerfile .
$ docker run --rm -itd -p 2222:22 vuls-target
$ ssh -i ~/.ssh/id_rsa -p 2222 root@127.0.0.1
[root@615d6b9247ec /]# cat /etc/fedora-release
Fedora release 35 (Thirty Five)
[root@615d6b9247ec /]# rpm -qa | grep community-mysql
community-mysql-common-8.0.26-1.module_f35+12627+b26747dd.x86_64
community-mysql-8.0.26-1.module_f35+12627+b26747dd.x86_64
community-mysql-errmsg-8.0.26-1.module_f35+12627+b26747dd.x86_64
community-mysql-server-8.0.26-1.module_f35+12627+b26747dd.x86_64
```
Vulnerability Detection (dnf updateinfo --security vs vuls report)
dnf updateinfo --security
The mysql package we just installed is a modular package, so an advisory whose ID starts with FEDORA-MODULAR- should be presented.
However, the advisory that dnf actually presents is for the non-modular package of the same name.
```
[root@615d6b9247ec /]# dnf updateinfo --security --info
Last metadata expiration check: 0:02:24 ago on Thu Feb 3 04:47:52 2022.
===============================================================================
community-mysql-8.0.27-1.fc35
===============================================================================
Update ID: FEDORA-2021-46dc82116b
Type: security
Updated: 2021-11-10 02:52:52
Bugs: 2015421 - community-mysql-8.0.27 is available
: 2016141 - CVE-2021-2478 CVE-2021-2479 CVE-2021-2481 CVE-2021-35546 CVE-2021-35575 CVE-2021-35577 CVE-2021-35591 CVE-2021-35596 CVE-2021-35597 CVE-2021-35602 CVE-2021-35604 CVE-2021-35607 CVE-2021-35608 CVE-2021-35610 ... community-mysql: various flaws [fedora-all]
Description: **MySQL 8.0.27**
:
: Release notes:
:
: https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-27.html
Severity: Moderate
```
vuls
vuls report
FixedIn is displayed correctly: the modular package is matched to the modular fix!
```
$ vuls report --format-full-text
...
+----------------+----------------------------------------------------------------------------------+
| CVE-2021-35610 | FIXED |
+----------------+----------------------------------------------------------------------------------+
| Max Score | 7.1 MODERATE (redhat_api) |
| redhat_api | 7.1/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H MODERATE |
| nvd | 7.1/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H HIGH |
| jvn | 7.1/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H HIGH |
| Vendor | 4.0-6.9 MODERATE |
| nvd | 5.5/AV:N/AC:L/Au:S/C:N/I:P/A:P MEDIUM |
| jvn | 5.5/AV:N/AC:L/Au:S/C:N/I:P/A:P MEDIUM |
| Summary | **MySQL 8.0.27** Release notes: |
| | https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-27.html |
| Primary Src | https://www.oracle.com/security-alerts/cpuoct2021.html |
| Primary Src | https://nvd.nist.gov/vuln/detail/CVE-2021-35610 |
| Primary Src | https://bodhi.fedoraproject.org/updates/FEDORA-MODULAR-2021-217f84c072 |
| Patch | https://www.oracle.com/security-alerts/cpuoct2021.html |
| Affected Pkg | community-mysql-8.0.26-1.module_f35+12627+b26747dd |
| | -> 8.0.27-1.module_f35+13269+c9322734 (FixedIn: |
| | 0:8.0.27-1.module_f35+13269+c9322734) (updates-modular) |
| Affected Pkg | community-mysql-common-8.0.26-1.module_f35+12627+b26747dd |
| | -> 8.0.27-1.module_f35+13269+c9322734 (FixedIn: |
| | 0:8.0.27-1.module_f35+13269+c9322734) (updates-modular) |
| Affected Pkg | community-mysql-errmsg-8.0.26-1.module_f35+12627+b26747dd |
| | -> 8.0.27-1.module_f35+13269+c9322734 (FixedIn: |
| | 0:8.0.27-1.module_f35+13269+c9322734) (updates-modular) |
| Affected Pkg | community-mysql-server-8.0.26-1.module_f35+12627+b26747dd |
| | -> 8.0.27-1.module_f35+13269+c9322734 (FixedIn: |
| | 0:8.0.27-1.module_f35+13269+c9322734) (updates-modular) |
| Confidence | 100 / OvalMatch |
| CWE | NVD-CWE-noinfo: (nvd) |
| CWE | https://cwe.mitre.org/data/definitions/NVD-CWE-noinfo.html |
+----------------+----------------------------------------------------------------------------------+
...
```
vuls tui
Looking at the TUI, we have succeeded in getting the advisory we really want: FEDORA-MODULAR-2021-217f84c072!
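The stream mismatch shown in this walkthrough, as an added example (not vuls code and not part of the release notes): it parses an `rpm -qa` line and keeps only advisories whose fixed build is in the same stream kind, modular or non-modular, as the installed package. The `Advisory` type and the function names are hypothetical, the `.module_` / `.module+` release check is a heuristic, input lines are assumed to end in `.arch`, and no RPM version comparison is done.

```go
package main

import (
	"fmt"
	"strings"
)

// Advisory is a hypothetical stand-in for one updateinfo entry (not a vuls type).
type Advisory struct{ ID, Name, FixedIn string }

// splitNVRA returns name and release from a "name-version-release.arch" line of `rpm -qa`.
func splitNVRA(nvra string) (name, release string, ok bool) {
	dot := strings.LastIndex(nvra, ".")
	if dot < 0 {
		return "", "", false
	}
	f := strings.Split(nvra[:dot], "-") // ".arch" dropped; last two fields are version, release
	if len(f) < 3 {
		return "", "", false
	}
	return strings.Join(f[:len(f)-2], "-"), f[len(f)-1], true
}

// isModular is a heuristic: modular builds carry ".module_" (Fedora) or ".module+" (RHEL 8).
func isModular(release string) bool {
	return strings.Contains(release, ".module_") || strings.Contains(release, ".module+")
}

// advisoriesFor keeps advisories for the same package name and the same stream kind.
func advisoriesFor(nvra string, advs []Advisory) []string {
	name, release, ok := splitNVRA(nvra)
	var ids []string
	for _, a := range advs {
		if ok && a.Name == name && isModular(a.FixedIn) == isModular(release) {
			ids = append(ids, a.ID)
		}
	}
	return ids
}

// pageAdvisories holds the two advisories and fixed builds quoted in the walkthrough.
var pageAdvisories = []Advisory{
	{"FEDORA-2021-46dc82116b", "community-mysql", "8.0.27-1.fc35"},
	{"FEDORA-MODULAR-2021-217f84c072", "community-mysql", "8.0.27-1.module_f35+13269+c9322734"},
}

func main() {
	fmt.Println(advisoriesFor("community-mysql-8.0.26-1.module_f35+12627+b26747dd.x86_64", pageAdvisories))
}
```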
What's Changed
- chore: update git submodule for integration test by @kotakanbe in #1364
- fix(scanner/base) export libFile struct by @sadayuki-matsuno in #1365
- fix(scanner/base) export libFile fields by @sadayuki-matsuno in #1366
- feat(libscan): support trivy v0.23.0 by @kotakanbe in #1377
- fix(oval): fix query in PostgreSQL by @MaineK00n in #1372
- feat(alpine): add Alpine 3.14, 3.15 EOL by @MaineK00n in #1359
- fix(gost): add nil check by @MaineK00n in #1379
- fix(centos): identify CentOS and CentOS Stream by @MaineK00n in #1360
- feat(fedora): support fedora by @maito1201 in #1367
- chore(oval): update mod by @MaineK00n in #1385
New Contributors
- @maito1201 made their first contribution in #1367
Full Changelog: v0.19.2...v0.19.3