Releases: future-architect/vuls
v0.19.2
Updated Trivy dependencies.
pom.xml Support
pom (pseudo)
============
Total: 4 (Critical:2 High:1 Medium:1 Low:0 ?:0)
4/4 Fixed, 1 poc, 0 exploits, cisa: 1, uscert: 0, jpcert: 0 alerts
0 installed, 2 libs
+----------------+------+--------+-----+-----------+---------+-------------------------------------------------+
| CVE-ID | CVSS | ATTACK | POC | ALERT | FIXED | NVD |
+----------------+------+--------+-----+-----------+---------+-------------------------------------------------+
| CVE-2021-44228 | 10.0 | AV:N | POC | CISA | fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-44228 |
| CVE-2021-45046 | 10.0 | AV:N | | | fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-45046 |
| CVE-2021-45105 | 7.5 | AV:N | | | fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-45105 |
| CVE-2021-44832 | 6.9 | | | | fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-44832 |
+----------------+------+--------+-----+-----------+---------+-------------------------------------------------+
Go binary Support
gobinary (pseudo)
=================
Total: 2 (Critical:0 High:1 Medium:0 Low:0 ?:1)
2/2 Fixed, 0 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 1 libs
+----------------+------+--------+-----+-----------+---------+-------------------------------------------------+
| CVE-ID | CVSS | ATTACK | POC | ALERT | FIXED | NVD |
+----------------+------+--------+-----+-----------+---------+-------------------------------------------------+
| CVE-2020-14040 | 8.9 | AV:N | | | fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-14040 |
| CVE-2021-38561 | 0.0 | | | | fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-38561 |
+----------------+------+--------+-----+-----------+---------+-------------------------------------------------+
What's Changed
- chore(deps): bump github.com/aquasecurity/trivy from 0.20.0 to 0.22.0 by @dependabot in #1350
New Contributors
- @dependabot made their first contribution in #1350
Full Changelog: v0.19.1...v0.19.2
v0.19.1
Vuls v0.19.1 should be used with go-kev v0.1.0.
The schema of go-kev v0.1.0 has changed, so you will need to recreate the database.
For details, see https://github.com/vulsio/go-kev/releases/tag/v0.1.0
Changelog
- a3f7d1d feat(go-kev): update go-kev deps (#1352)
- bb4a1ca GPLv3 (#1351)
- 57cce64 Create SECURITY.md
- 1eb5d36 fix configtest stalled with scanMode=fast-root (#1339)
- 6bc4850 fix(detector/ospkg): Skip OVAL/gost search when the number of packages is 0 (#1343)
- 24005ae chore(GHActions): replace with dependabot (#1348)
- 7aa296b fix(oval): fix RDB query (#1347)
- 3829ed2 Fix the parsing logic of FreeBSD pkg-audit (#1334)
- 2b7294a feat(amazon): support amazon linux 2022 (#1338)
v0.19.0
What's new in v0.19.0
TL;DR
- The Cybersecurity & Infrastructure Security Agency (CISA) has released the Known Exploited Vulnerabilities (KEV) Catalog, a list of CVE-IDs whose attack code is publicly available and actually used in real-world attacks.
- vulsio/go-kev now manages KEV Catalog information.
- Vuls v0.19.0 works with vulsio/go-kev to display alerts for CVE-IDs in the KEV Catalog.
How it works
vuls report
$ vuls report
...
vuls-target (debian10.11)
=========================
Total: 225 (Critical:20 High:79 Medium:95 Low:16 ?:15)
0/222 Fixed, 67 poc, 0 exploits, cisa: 2, uscert: 4, jpcert: 6 alerts
218 installed
+---------------------+------+--------+-----+-----------+---------+---------------------------------------------------+
| CVE-ID | CVSS | ATTACK | POC | ALERT | FIXED | NVD |
+---------------------+------+--------+-----+-----------+---------+---------------------------------------------------+
...
| CVE-2021-42013 | 9.8 | AV:N | POC | CISA/CERT | | https://nvd.nist.gov/vuln/detail/CVE-2021-42013 |
...
| CVE-2021-41524 | 7.5 | AV:N | | CERT | | https://nvd.nist.gov/vuln/detail/CVE-2021-41524 |
| CVE-2021-41773 | 7.5 | AV:N | POC | CISA/CERT | | https://nvd.nist.gov/vuln/detail/CVE-2021-41773 |
| CVE-2008-4609 | 7.1 | AV:N | | CERT | unfixed | https://nvd.nist.gov/vuln/detail/CVE-2008-4609 |
...
vuls tui
What is the Known Exploited Vulnerabilities Catalog?
On November 3, 2021, the Cybersecurity & Infrastructure Security Agency (CISA) released Binding Operational Directive 22-1 (BOD 22-1) for government agencies.
BOD 22-1 published the Known Exploited Vulnerabilities (KEV) Catalog, which is "a list of CVE-IDs whose attack code is available and is actually used in real-world attacks".
BOD 22-1 requires that a vulnerability listed in the KEV Catalog that exists in a U.S. government system be fixed within a specified period of time and by a specified method.
Currently, CVEs are scored under the Common Vulnerability Scoring System (CVSS). CVSS does not take into consideration whether a vulnerability has ever been used to exploit a system in the wild. The CVEs listed in the KEV Catalog are a collection of real threats that have been used to compromise systems in the real world.
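The point above, that CVSS alone does not reflect in-the-wild exploitation, can be seen by re-ordering a report. The following Python example is added here and is not part of Vuls or its release notes: it parses the text table printed by `vuls report` and puts entries whose ALERT column contains CISA ahead of higher-scored entries that are not in the KEV Catalog. The sample combines rows from the report tables on this page, and the names `parse_report`, `by_cvss` and `kev_first` are hypothetical.

```python
import re
from typing import NamedTuple

# Constructed sample: rows combined from the report tables shown on this page.
SAMPLE_REPORT = """\
+----------------+------+--------+-----+-----------+---------+-----+
| CVE-ID | CVSS | ATTACK | POC | ALERT | FIXED | NVD |
| CVE-2021-44228 | 10.0 | AV:N | POC | CISA | fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-44228 |
| CVE-2021-45046 | 10.0 | AV:N | | | fixed | https://nvd.nist.gov/vuln/detail/CVE-2021-45046 |
...
| CVE-2021-42013 | 9.8 | AV:N | POC | CISA/CERT | | https://nvd.nist.gov/vuln/detail/CVE-2021-42013 |
| CVE-2021-41524 | 7.5 | AV:N | | CERT | | https://nvd.nist.gov/vuln/detail/CVE-2021-41524 |
| CVE-2021-41773 | 7.5 | AV:N | POC | CISA/CERT | | https://nvd.nist.gov/vuln/detail/CVE-2021-41773 |
| CVE-2008-4609 | 7.1 | AV:N | | CERT | unfixed | https://nvd.nist.gov/vuln/detail/CVE-2008-4609 |
"""
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

class Finding(NamedTuple):
    cve_id: str
    cvss: float
    poc: bool
    alerts: frozenset
    fixed: str

def parse_report(text):
    """Extract findings from the table; skip borders, the header and '...' lines."""
    findings = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().split("|")[1:-1]]
        if len(cells) != 7 or not CVE_RE.fullmatch(cells[0]):
            continue
        try:
            cvss = float(cells[1])
        except ValueError:
            cvss = 0.0  # no usable score in the table
        alerts = frozenset(a for a in cells[4].split("/") if a)
        findings.append(Finding(cells[0], cvss, cells[3] == "POC", alerts, cells[5]))
    return findings

def by_cvss(findings):
    return sorted(findings, key=lambda f: (-f.cvss, f.cve_id))

def kev_first(findings):
    """Entries alerted by CISA (KEV Catalog) first, then by descending CVSS."""
    return sorted(findings, key=lambda f: ("CISA" not in f.alerts, -f.cvss, f.cve_id))

if __name__ == "__main__":
    for f in kev_first(parse_report(SAMPLE_REPORT)):
        kev = "KEV " if "CISA" in f.alerts else "    "
        print(kev + f"{f.cve_id:<16}{f.cvss:>5} {f.fixed or '-'}")
```

With this ordering, CVE-2021-41773 (CVSS 7.5, in the KEV Catalog) is listed ahead of CVE-2021-45046 (CVSS 10.0, no CISA alert).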
Reference
- BOD 22-1: https://cyber.dhs.gov/bod/22-01/
- Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Changelog
0c6a892 style: fix lint (#1335)
89d94ad feat(detector): add known exploited vulnerabilities (#1331)
ffdb789 update dictionaries (#1326)
321dae3 chore: update readme
a31797a Merge branch 'sakura'
32999cf chore: udpate readme
88218f5 chore: update sponsor (#1325)
1576193 chore: update sponsor
0b62842 chore: fix go-sqlite3 deps (#1324)
6bcedde chore: update goval-dictionary (#1323)
2dcbff8 chore: sponsor (#1321)
v0.18.1
Changelog
8659668 fix(cpescan): bug in NvdVendorProductMatch (#1320)
e07b6a9 feat(report): show Amazon ALAS link to report (#1318)
aac5ef1 feat: update-trivy (#1316)
d780a73 add log json option (#1317)
9ef8cee refactor(exploitdb): use pipeline effectively (#1314)
77808a2 feat(go-cve): add error handling (#1313)
177e553 feat(go-exploitdb): add error handling (#1310)
40f8272 feat(go-msfdb): add error handling and support http mode (#1308)
a7eb114 feat(gost): add error handling (#1311)
c73ed7f chore: update find-lock file type (#1309)
v0.18.0
The schema of the DB and Redis has been changed.
Please update each dictionary, delete the old DB, and then fetch it again.
NOTE
In this Release, we are changing the architecture of Redis.
# delete all old keys
$ redis-cli keys "CVE#*" | xargs redis-cli del
$ redis-cli keys "EXPLOIT#*" | xargs redis-cli del
$ redis-cli keys "METASPLOIT#*" | xargs redis-cli del
$ redis-cli keys "OVAL#*" | xargs redis-cli del
We recommend vulsctl/docker, which will automatically upgrade vuls and the dictionary binaries every time you run it.
https://github.com/vulsio/vulsctl/tree/master/docker
Changelog
v0.17.1
These repositories have been moved under vulsio as follows.
- kotakanbe/goval-dictionary => vulsio/goval-dictionary
- kotakanbe/go-cve-dictionary => vulsio/go-cve-dictionary
- knqyf263/gost => vulsio/gost
- takuzoo3868/go-msfdb => vulsio/go-msfdb
Documentation has been updated.
https://github.com/vulsdoc/vuls/pull/169/files
Changelog
v0.17.0
v0.16.0
Please use this release with the latest version of the dictionaries, such as goval-dictionary.
With old dictionaries, detection does not work correctly.
Since the DB schema has been changed, you have to delete the DB and fetch it again.
Changelog
591786f feat(oval): support new goval-dictionary model (#1280)
47e6ea2 chore: fix lint warning (#1301)
4a72295 feat(saas): support for library-only scanning (#1300)
9ed5f2c feat(debian): support Debian 11(bullseye) (#1298)
v0.15.14
Changelog
3e67f04 breaking-change(cpescan): Improve Cpe scan (#1290)
b9416ae fix(report): too many SQL variables (#1296)
b4e49e0 feat(GAdocker): Publish docker image with Github Actions (#1291)
020f6ac fix(scan): warning if err occurred while scanning ports (#1294)
7e71cbd fix(gost) sort in ms converter (#1293)
1003f62 chore: update go-cve-dictionary (#1292)
9b18e1f breaking-change(go-exploitdb): support new go-exploitdb (#1288)
24f790f feat(go-cve): update go-cve-dictionary (#1287)
fb8749f fix(cpescan): fix confidence in cpe uri scan (#1286)
96c3592 breaking-change(go-cve-dict): support new go-cve-dictionary (#1277)
d65421c fix(cpescan): JVN scan False-Negative on RDB-backend (#1283)
c52ba44 chore: update readme (#1282)
21adce4 update readme
f24240b feat(library): update trivy v0.19.2 (#1278)
ff83cad feat(os) : support Alma Linux (#1261)
e8c0928 Update ubuntu.go (#1279)
5f4d68c feat(go-msf): update deps (#1275)
9077a83 fix(docker): docker build error (#1274)
v0.15.13
Changelog
543dc99 fix(cpescan): CpeVendorProductMatch not set when Redis Backend (#1273)
f0b3a8b feat(cpescan): Use JVN as a second DB for CPE scan (#1268)
0b9ec05 Support scanning Ubuntu using Gost (#1243)
0bf1241 fix(rocky): fix Scan in Rocky Linux (#1266)
0ea4d58 fix(gost): Use DBDriver ctx in Psuedo (#1264)
5755b00 feat(os) : support Rocky linux (#1260)
1c8e074 Feat report googlechat (#1257) (#1258)
0e0e5ce feat: Support Ubuntu21 (#1231)
23dfe53 chore: update go-exploitdb (#1262)
8e6351a feat(oval): goval-dictionary update (#1259)
3086e27 fix Ubuntu 20.10 End of Life on July 22 2021 (#1256)
b8db2e0 feat(report): Change the priority of CVE information in Debian (#1202)
43b46cb chore: add test data for integration test (#1254)
d0559c7 chore: update gost deps (#1253)
231c63c fix(libscan): support empty LibraryFixedIn (#1252)
2a9aebe fix(report): improve cpe match logic (#1251)
4e535d7 chore: fix build-tags in .goreleaser.yml (#1250)
4b48750 chore: add go.sum test data for integration test (#1249)
0095c40 fix(vet): go vet err of make build-scanner (#1248)
82c1abf fix(report): detection logic bugs for Oracle Linux (#1247)
4098840 feat(scanner) separate func analize libraries (#1246)
e8e3f4d feat(lib): support of Go (go.sum) scan (#1244)
7eb77f5 feat(scan): support external port scanner(nmap) in host machine (#1207)
e115235 fix(test): dev mode to false in package-lock.json (#1242)
151d4b2 fix(scan): Avoid panic when SSH connection refused (#1236)
e553f8b feat(trivy): go mod update trivy v0.17.2 (#1235)
47652ef fix(report): include the num of criticals in total #1233 (#1234)
ab0e950 fix(oracle): extracting only advisory ID from OVAL.title (#1232)
a7b0ce1 refactor(git-conf): config template in github section changed (#1229)
dc9c0ed refactor(git-conf): Specifing ignoreGitHubDismissed per repository (#1224)
17ae386 chore: add a test case #1227 (#1228)
2d369d0 Fix false positive for Oracle Linux (#1227)
c36e645 fix(report): false positive for kernel-related CVE for RedHat, CentOS, Oracle and Amazon #1199 (#1223)
40039c0 fix(report): panic when closing db connection of gost (#1222)
a692cec fix(gost): close gost DB connection in server mode #1217 (#1221)
e7ca491 fix(report): Avoid http reports error (#1216)
23f3e2f fix(config): add Ubuntu 20.10 (#1218)
27b3e17 feat(saas): delete json dir automatically after upload (#1212)