Consider remediations for packages' vulnerabilities scan #23225
Testing 🔴
Environment
Scan by events
vulnerabilities.json
78 vulnerabilities for Ubuntu Jammy
Scan after installing new KB
0|2024/05/09 17:58:43|KB5002467|458904c3a67b0e784f288758142fc60b35315220
The last KB listed is the one installed to solve the Office vulnerability related to CVE-2023-21413.
Important: There are no changes in the vulnerabilities detected. During research with @sebasfalcone and @pereyra-m we found that the root cause is the missing hotfixes information in the database (database initialized in this branch).
Update 05/10/24
Database information
Scan by events
Disparity found between indexed vulnerabilities and log messages.
Warning: There's a strange mismatch between the indexed vulnerabilities and the logs reporting that a vulnerability has been found.
Vulnerabilities overview
77 vulnerabilities for Ubuntu Jammy
100 out of 178 are office vulnerabilities
The CVEs related to office are the following
Scan after installing new KB (Syscollector sync forced)
0|2024/05/10 14:31:21|KB5002467|458904c3a67b0e784f288758142fc60b35315220
2024/05/10 11:32:19 wazuh-modulesd:vulnerability-scanner[25244] packageScanner.hpp:571 at packageHotfixSolved(): DEBUG: Remediation 'KB5002467' for package 'office' on agent '002' that solves CVE 'CVE-2024-21413' has been found.
10 vulnerabilities have been fixed
alerts.json
Scan by events without Office package
Warning: We can still see a mismatch between indexed vulnerabilities and log messages.
Warning: The number of vulnerabilities indexed is NOT the expected one (2384). It's like it is still evaluating the office package. The package is not present in the database. There are no log messages referring to the Office package. This behavior needs to be discussed with @sebasfalcone and @pereyra-m.
ossec.log.tar.gz
Vulnerabilities for a non-existent package being indexed. This wrong behavior was observed following these steps (brief description of the testing executed above).
Important: The tests related to this implementation were successful; after installing the KB, the specific CVE affected was solved.
Test - Install a KB for a vulnerable package 🟢
Test - Install vulnerable package (KB already installed) 🟢
GJ! functional testing succeeded.
Code looks good, minor things. I'm worried that we didn't add a single component qa test, this shouldn't be too difficult to test with the testing framework we use.
src/wazuh_modules/vulnerability_scanner/src/scanOrchestrator/remediationDataCache.hpp
src/wazuh_modules/vulnerability_scanner/src/scanOrchestrator/resultIndexer.hpp
Please rebase this PR.
Description
This PR solves two different situations:
It was required to create a new cache with the agents' hotfixes and to store all the CVEs that affect a hotfix in a new DB column.
Logs/Alerts example
The vulnerability shown in the issue isn't being reported because the versions don't match.
After inserting a temporary candidate with version 16.0.4266.1001, the vulnerability is found.
If we repeat the scan after installing a hotfix that solves the CVE, the package isn't reported as vulnerable.
If we now run the scan without the hotfix and then install it, we get the alert that the vulnerability was solved.
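As an added illustration (not Wazuh's own code), the following models the remediation check this PR describes: a per-agent hotfix cache, candidates that carry the KBs solving their CVE, and a scan that drops remediated CVEs, reports a CVE as solved once its hotfix appears after an earlier detection, and skips packages no longer present on the agent (the mismatch noted in testing). Struct and function names are assumed; KB5002467 and CVE-2024-21413 come from the page, every other identifier is a placeholder.

```cpp
#include <map>
#include <set>
#include <string>
#include <vector>

// Added example, not Wazuh code: a vulnerability candidate carries the hotfixes (KBs)
// that remediate its CVE; the agent hotfix cache is the new per-agent list of installed KBs.
struct Candidate {
    std::string package;                 // e.g. "office"
    std::string cve;                     // e.g. "CVE-2024-21413"
    std::set<std::string> remediations;  // KBs that solve this CVE (the new DB column)
};

using HotfixCache = std::map<std::string, std::set<std::string>>;  // agent id -> installed KBs
using Installed = std::set<std::string>;                           // packages present on the agent

struct ScanResult {
    std::vector<std::string> affected;  // CVEs to index as vulnerable
    std::vector<std::string> solved;    // CVEs to report as remediated by a hotfix
};

// First remediating KB the agent has installed, or "" when none is installed.
std::string remediatedBy(const Candidate& c, const HotfixCache& cache, const std::string& agent) {
    auto it = cache.find(agent);
    if (it == cache.end()) return "";
    for (const auto& kb : c.remediations)
        if (it->second.count(kb)) return kb;
    return "";
}

// One agent scan: skip packages no longer present (so nothing is indexed for a removed
// package), drop CVEs that an installed hotfix solves, and report a CVE as solved when it
// was indexed as affected before and a remediation is now installed.
ScanResult scanAgent(const std::string& agent, const std::vector<Candidate>& candidates,
                     const Installed& packages, const HotfixCache& cache,
                     const std::set<std::string>& previouslyAffected) {
    ScanResult r;
    for (const auto& c : candidates) {
        if (!packages.count(c.package)) continue;
        const std::string kb = remediatedBy(c, cache, agent);
        if (kb.empty()) {
            r.affected.push_back(c.cve);
        } else if (previouslyAffected.count(c.cve)) {
            r.solved.push_back(c.cve);  // matches the "Remediation ... has been found" log
        }
    }
    return r;
}
```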
WIP
Tests