scan.*base.scanWp - Code Metrics - Inspection of "WordPress Vulnerability Scan (core, plugin, theme)" - future-architect/vuls - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Pull Request — master (#769)

unknown

created 2019-02-05 06:41 UTC

scan.*base.scanWp C

↳ Parent: scan/base.go

Complexity

Conditions

Size

Total Lines	29
Code Lines	19

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
cc	11
eloc	19
dl	0
loc	29
rs	5.4
c	0
b	0
f	0
nop	0

How to fix Complexity

/* Vuls - Vulnerability Scanner
Copyright (C) 2016  Future Corporation , Japan.

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

package scan

import (
	"bufio"
	"encoding/json"
	"fmt"
	"net"
	"regexp"
	"strings"
	"time"

	"github.com/future-architect/vuls/config"
	"github.com/future-architect/vuls/models"
	"github.com/hashicorp/go-version"
	"github.com/sirupsen/logrus"
)

type base struct {
	ServerInfo config.ServerInfo
	Distro     config.Distro
	Platform   models.Platform
	osPackages

	log  *logrus.Entry
	errs []error
}

//Command is for check dependence
type Command struct {
	Command string
	Name    string
}

func (l *base) scanWp() (err error) {
	if len(l.ServerInfo.WpPath) == 0 && len(l.ServerInfo.WpToken) == 0 {
		return nil
	}
	if len(l.ServerInfo.WpPath) == 0 {
		return fmt.Errorf("not found : WpPath")
	}
	if len(l.ServerInfo.WpToken) == 0 {
		return fmt.Errorf("not found : WpToken")
	}

	cmds := []Command{{Command: "wp cli", Name: "wp"}, {Command: "curl --help", Name: "curl"}}
	for _, cmd := range cmds {
		if r := exec(l.ServerInfo, cmd.Command, noSudo); !r.isSuccess() {
			return fmt.Errorf("%s command not installed", cmd.Name)
		}
	}

	var vinfos []models.VulnInfo
	if vinfos, err = detectWp(l); err != nil {
		l.log.Errorf("Failed to scan wordpress: %s", err)
		return err
	}
	l.WpVulnInfos = map[string]models.VulnInfo{}
	for _, vinfo := range vinfos {
		l.WpVulnInfos[vinfo.CveID] = vinfo
	}

	return
}

//WpCveInfos is for wpvulndb's json
type WpCveInfos struct {
	ReleaseDate     string      `json:"release_date"`
	ChangelogURL    string      `json:"changelog_url"`
	Status          string      `json:"status"`
	LatestVersion   string      `json:"latest_version"`
	LastUpdated     string      `json:"last_updated"`
	Popular         bool        `json:"popular"`
	Vulnerabilities []WpCveInfo `json:"vulnerabilities"`
	Error           string      `json:"error"`
}

//WpCveInfo is for wpvulndb's json
type WpCveInfo struct {
	ID            int        `json:"id"`
	Title         string     `json:"title"`
	CreatedAt     string     `json:"created_at"`
	UpdatedAt     string     `json:"updated_at"`
	PublishedDate string     `json:"published_date"`
	VulnType      string     `json:"vuln_type"`
	References    References `json:"references"`
	FixedIn       string     `json:"fixed_in"`
}

//References is for wpvulndb's json
type References struct {
	URL     []string `json:"url"`
	Cve     []string `json:"cve"`
	Secunia []string `json:"secunia"`
}

func detectWp(c *base) (vinfos []models.VulnInfo, err error) {
	var coreVulns []models.VulnInfo
	if coreVulns, err = detectWpCore(c); err != nil {
		return
	}
	vinfos = append(vinfos, coreVulns...)

	var themeVulns []models.VulnInfo
	if themeVulns, err = detectWpTheme(c); err != nil {
		return
	}
	vinfos = append(vinfos, themeVulns...)

	var pluginVulns []models.VulnInfo
	if pluginVulns, err = detectWpPlugin(c); err != nil {
		return
	}
	vinfos = append(vinfos, pluginVulns...)

	return
}

func detectWpCore(c *base) (vinfos []models.VulnInfo, err error) {
	cmd := fmt.Sprintf("wp core version --path=%s", c.ServerInfo.WpPath)

	var coreVersion string
	if r := exec(c.ServerInfo, cmd, noSudo); r.isSuccess() {
		tmp := strings.Split(r.Stdout, ".")
		coreVersion = strings.Join(tmp, "")
		coreVersion = strings.TrimRight(coreVersion, "\r\n")
		if len(coreVersion) == 0 {
			return
		}
	}
	cmd = fmt.Sprintf("curl -k -H 'Authorization: Token token=%s' https://wpvulndb.com/api/v3/wordpresses/%s", c.ServerInfo.WpToken, coreVersion)
	if r := exec(c.ServerInfo, cmd, noSudo); r.isSuccess() {
		coreConvertVinfos(r.Stdout)
	}
	return
}

func coreConvertVinfos(stdout string) (vinfos []models.VulnInfo, err error) {
	data := map[string]WpCveInfos{}
	if err = json.Unmarshal([]byte(stdout), &data); err != nil {
		return
	}
	for _, i := range data {
		if len(i.Vulnerabilities) == 0 {
			continue
		}
		for _, vulnerability := range i.Vulnerabilities {
			if len(vulnerability.References.Cve) == 0 {
				continue
			}
			NotFixedYet := false
			if len(vulnerability.FixedIn) == 0 {
				NotFixedYet = true
			}
			var cveIDs []string
			for _, cveNumber := range vulnerability.References.Cve {
				cveIDs = append(cveIDs, "CVE-"+cveNumber)
			}

			for _, cveID := range cveIDs {
				vinfos = append(vinfos, models.VulnInfo{
					CveID: cveID,
					CveContents: models.NewCveContents(
						models.CveContent{
							CveID: cveID,
							Title: vulnerability.Title,
						},
					),
					AffectedPackages: models.PackageStatuses{
						{
							NotFixedYet: NotFixedYet,
						},
					},
				})
			}
		}
	}
	return
}

//WpStatus is for wp command
type WpStatus struct {
	Name    string `json:"name"`
	Status  string `json:"status"`
	Update  string `json:"update"`
	Version string `json:"version"`
}

func detectWpTheme(c *base) (vinfos []models.VulnInfo, err error) {
	cmd := fmt.Sprintf("wp theme list --path=%s --format=json", c.ServerInfo.WpPath)

	var themes []WpStatus
	if r := exec(c.ServerInfo, cmd, noSudo); r.isSuccess() {
		if err = json.Unmarshal([]byte(r.Stdout), &themes); err != nil {
			return
		}
	}

	for _, theme := range themes {
		cmd := fmt.Sprintf("curl -k -H 'Authorization: Token token=%s' https://wpvulndb.com/api/v3/themes/%s", c.ServerInfo.WpToken, theme.Name)

		if r := exec(c.ServerInfo, cmd, noSudo); r.isSuccess() {
			contentConvertVinfos(c, r.Stdout, theme)
		}
	}
	return
}

func detectWpPlugin(c *base) (vinfos []models.VulnInfo, err error) {
	cmd := fmt.Sprintf("wp plugin list --path=%s --format=json", c.ServerInfo.WpPath)

	var plugins []WpStatus
	if r := exec(c.ServerInfo, cmd, noSudo); r.isSuccess() {
		if err = json.Unmarshal([]byte(r.Stdout), &plugins); err != nil {
			return
		}
	}

	for _, plugin := range plugins {
		cmd := fmt.Sprintf("curl -k -H 'Authorization: Token token=%s' https://wpvulndb.com/api/v3/plugins/%s", c.ServerInfo.WpToken, plugin.Name)

		if r := exec(c.ServerInfo, cmd, noSudo); r.isSuccess() {
			contentConvertVinfos(c, r.Stdout, plugin)
		}
	}
	return
}

func contentConvertVinfos(c *base, stdout string, content WpStatus) (vinfos []models.VulnInfo, err error) {
	data := map[string]WpCveInfos{}
	if err = json.Unmarshal([]byte(stdout), &data); err != nil {
		var jsonError WpCveInfos
		if err = json.Unmarshal([]byte(stdout), &jsonError); err != nil {
			return
		}
		c.log.Errorf("wordpress: %s not found", content.Name)
	}
	for _, i := range data {
		if len(i.Vulnerabilities) == 0 {
			continue
		}
		for _, vulnerability := range i.Vulnerabilities {
			if len(vulnerability.References.Cve) == 0 {
				continue
			}
			notFixedYet := false
			if len(vulnerability.FixedIn) == 0 {
				notFixedYet = true
			}
			if len(vulnerability.FixedIn) == 0 {
				vulnerability.FixedIn = "0"
			}
			var v1 *version.Version
			v1, err = version.NewVersion(content.Version)
			if err != nil {
				return
			}
			var v2 *version.Version
			v2, err = version.NewVersion(vulnerability.FixedIn)
			if err != nil {
				return
			}
			if v1.LessThan(v2) {
				var cveIDs []string
				for _, cveNumber := range vulnerability.References.Cve {
					cveIDs = append(cveIDs, "CVE-"+cveNumber)
				}

				for _, cveID := range cveIDs {
					vinfos = append(vinfos, models.VulnInfo{
						CveID: cveID,
						CveContents: models.NewCveContents(
							models.CveContent{
								CveID: cveID,
								Title: vulnerability.Title,
							},
						),
						AffectedPackages: models.PackageStatuses{
							{
								NotFixedYet: notFixedYet,
							},
						},
					})
				}
			}
		}
	}
	return
}

func (l *base) wpConvertToModel() models.VulnInfos {
	return l.WpVulnInfos
}

func (l *base) exec(cmd string, sudo bool) execResult {
	return exec(l.ServerInfo, cmd, sudo, l.log)
}

func (l *base) setServerInfo(c config.ServerInfo) {
	l.ServerInfo = c
}

func (l *base) getServerInfo() config.ServerInfo {
	return l.ServerInfo
}

func (l *base) setDistro(fam, rel string) {
	d := config.Distro{
		Family:  fam,
		Release: rel,
	}
	l.Distro = d

	s := l.getServerInfo()
	s.Distro = d
	l.setServerInfo(s)
}

func (l *base) getDistro() config.Distro {
	return l.Distro
}

func (l *base) setPlatform(p models.Platform) {
	l.Platform = p
}

func (l *base) getPlatform() models.Platform {
	return l.Platform
}

func (l *base) runningKernel() (release, version string, err error) {
	r := l.exec("uname -r", noSudo)
	if !r.isSuccess() {
		return "", "", fmt.Errorf("Failed to SSH: %s", r)
	}
	release = strings.TrimSpace(r.Stdout)

	switch l.Distro.Family {
	case config.Debian:
		r := l.exec("uname -a", noSudo)
		if !r.isSuccess() {
			return "", "", fmt.Errorf("Failed to SSH: %s", r)
		}
		ss := strings.Fields(r.Stdout)
		if 6 < len(ss) {
			version = ss[6]
		}
	}
	return
}

func (l *base) allContainers() (containers []config.Container, err error) {
	switch l.ServerInfo.ContainerType {
	case "", "docker":
		stdout, err := l.dockerPs("-a --format '{{.ID}} {{.Names}} {{.Image}}'")
		if err != nil {
			return containers, err
		}
		return l.parseDockerPs(stdout)
	case "lxd":
		stdout, err := l.lxdPs("-c n")
		if err != nil {
			return containers, err
		}
		return l.parseLxdPs(stdout)
	case "lxc":
		stdout, err := l.lxcPs("-1")
		if err != nil {
			return containers, err
		}
		return l.parseLxcPs(stdout)
	default:
		return containers, fmt.Errorf(
			"Not supported yet: %s", l.ServerInfo.ContainerType)
	}
}

func (l *base) runningContainers() (containers []config.Container, err error) {
	switch l.ServerInfo.ContainerType {
	case "", "docker":
		stdout, err := l.dockerPs("--format '{{.ID}} {{.Names}} {{.Image}}'")
		if err != nil {
			return containers, err
		}
		return l.parseDockerPs(stdout)
	case "lxd":
		stdout, err := l.lxdPs("volatile.last_state.power=RUNNING -c n")
		if err != nil {
			return containers, err
		}
		return l.parseLxdPs(stdout)
	case "lxc":
		stdout, err := l.lxcPs("-1 --running")
		if err != nil {
			return containers, err
		}
		return l.parseLxcPs(stdout)
	default:
		return containers, fmt.Errorf(
			"Not supported yet: %s", l.ServerInfo.ContainerType)
	}
}

func (l *base) exitedContainers() (containers []config.Container, err error) {
	switch l.ServerInfo.ContainerType {
	case "", "docker":
		stdout, err := l.dockerPs("--filter 'status=exited' --format '{{.ID}} {{.Names}} {{.Image}}'")
		if err != nil {
			return containers, err
		}
		return l.parseDockerPs(stdout)
	case "lxd":
		stdout, err := l.lxdPs("volatile.last_state.power=STOPPED -c n")
		if err != nil {
			return containers, err
		}
		return l.parseLxdPs(stdout)
	case "lxc":
		stdout, err := l.lxcPs("-1 --stopped")
		if err != nil {
			return containers, err
		}
		return l.parseLxcPs(stdout)
	default:
		return containers, fmt.Errorf(
			"Not supported yet: %s", l.ServerInfo.ContainerType)
	}
}

func (l *base) dockerPs(option string) (string, error) {
	cmd := fmt.Sprintf("docker ps %s", option)
	r := l.exec(cmd, noSudo)
	if !r.isSuccess() {
		return "", fmt.Errorf("Failed to SSH: %s", r)
	}
	return r.Stdout, nil
}

func (l *base) lxdPs(option string) (string, error) {
	cmd := fmt.Sprintf("lxc list %s", option)
	r := l.exec(cmd, noSudo)
	if !r.isSuccess() {
		return "", fmt.Errorf("failed to SSH: %s", r)
	}
	return r.Stdout, nil
}

func (l *base) lxcPs(option string) (string, error) {
	cmd := fmt.Sprintf("lxc-ls %s 2>/dev/null", option)
	r := l.exec(cmd, sudo)
	if !r.isSuccess() {
		return "", fmt.Errorf("failed to SSH: %s", r)
	}
	return r.Stdout, nil
}

func (l *base) parseDockerPs(stdout string) (containers []config.Container, err error) {
	lines := strings.Split(stdout, "\n")
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			break
		}
		if len(fields) != 3 {
			return containers, fmt.Errorf("Unknown format: %s", line)
		}
		containers = append(containers, config.Container{
			ContainerID: fields[0],
			Name:        fields[1],
			Image:       fields[2],
		})
	}
	return
}

func (l *base) parseLxdPs(stdout string) (containers []config.Container, err error) {
	lines := strings.Split(stdout, "\n")
	for i, line := range lines[3:] {
		if i%2 == 1 {
			continue
		}
		fields := strings.Fields(strings.Replace(line, "|", " ", -1))
		if len(fields) == 0 {
			break
		}
		if len(fields) != 1 {
			return containers, fmt.Errorf("Unknown format: %s", line)
		}
		containers = append(containers, config.Container{
			ContainerID: fields[0],
			Name:        fields[0],
		})
	}
	return
}

func (l *base) parseLxcPs(stdout string) (containers []config.Container, err error) {
	lines := strings.Split(stdout, "\n")
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			break
		}
		containers = append(containers, config.Container{
			ContainerID: fields[0],
			Name:        fields[0],
		})
	}
	return
}

// ip executes ip command and returns IP addresses
func (l *base) ip() ([]string, []string, error) {
	// e.g.
	// 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000\    link/ether 52:54:00:2a:86:4c brd ff:ff:ff:ff:ff:ff
	// 2: eth0    inet 10.0.2.15/24 brd 10.0.2.255 scope global eth0
	// 2: eth0    inet6 fe80::5054:ff:fe2a:864c/64 scope link \       valid_lft forever preferred_lft forever
	r := l.exec("/sbin/ip -o addr", noSudo)
	if !r.isSuccess() {
		return nil, nil, fmt.Errorf("Failed to detect IP address: %v", r)
	}
	ipv4Addrs, ipv6Addrs := l.parseIP(r.Stdout)
	return ipv4Addrs, ipv6Addrs, nil
}

// parseIP parses the results of ip command
func (l *base) parseIP(stdout string) (ipv4Addrs []string, ipv6Addrs []string) {
	lines := strings.Split(stdout, "\n")
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 4 {
			continue
		}
		ip, _, err := net.ParseCIDR(fields[3])
		if err != nil {
			continue
		}
		if !ip.IsGlobalUnicast() {
			continue
		}
		if ipv4 := ip.To4(); ipv4 != nil {
			ipv4Addrs = append(ipv4Addrs, ipv4.String())
		} else {
			ipv6Addrs = append(ipv6Addrs, ip.String())
		}
	}
	return
}

func (l *base) detectPlatform() {
	if l.getServerInfo().Mode.IsOffline() {
		l.setPlatform(models.Platform{Name: "unknown"})
		return
	}
	ok, instanceID, err := l.detectRunningOnAws()
	if err != nil {
		l.setPlatform(models.Platform{Name: "other"})
		return
	}
	if ok {
		l.setPlatform(models.Platform{
			Name:       "aws",
			InstanceID: instanceID,
		})
		return
	}

	//TODO Azure, GCP...
	l.setPlatform(models.Platform{Name: "other"})
	return
}

func (l *base) detectRunningOnAws() (ok bool, instanceID string, err error) {
	if r := l.exec("type curl", noSudo); r.isSuccess() {
		cmd := "curl --max-time 1 --noproxy 169.254.169.254 http://169.254.169.254/latest/meta-data/instance-id"
		r := l.exec(cmd, noSudo)
		if r.isSuccess() {
			id := strings.TrimSpace(r.Stdout)
			if !l.isAwsInstanceID(id) {
				return false, "", nil
			}
			return true, id, nil
		}

		switch r.ExitStatus {
		case 28, 7:
			// Not running on AWS
			//  7   Failed to connect to host.
			// 28  operation timeout.
			return false, "", nil
		}
	}

	if r := l.exec("type wget", noSudo); r.isSuccess() {
		cmd := "wget --tries=3 --timeout=1 --no-proxy -q -O - http://169.254.169.254/latest/meta-data/instance-id"
		r := l.exec(cmd, noSudo)
		if r.isSuccess() {
			id := strings.TrimSpace(r.Stdout)
			if !l.isAwsInstanceID(id) {
				return false, "", nil
			}
			return true, id, nil
		}

		switch r.ExitStatus {
		case 4, 8:
			// Not running on AWS
			// 4   Network failure
			// 8   Server issued an error response.
			return false, "", nil
		}
	}
	return false, "", fmt.Errorf(
		"Failed to curl or wget to AWS instance metadata on %s. container: %s",
		l.ServerInfo.ServerName, l.ServerInfo.Container.Name)
}

// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/resource-ids.html
var awsInstanceIDPattern = regexp.MustCompile(`^i-[0-9a-f]+$`)

func (l *base) isAwsInstanceID(str string) bool {
	return awsInstanceIDPattern.MatchString(str)
}

func (l *base) convertToModel() models.ScanResult {
	ctype := l.ServerInfo.ContainerType
	if l.ServerInfo.Container.ContainerID != "" && ctype == "" {
		ctype = "docker"
	}
	container := models.Container{
		ContainerID: l.ServerInfo.Container.ContainerID,
		Name:        l.ServerInfo.Container.Name,
		Image:       l.ServerInfo.Container.Image,
		Type:        ctype,
	}

	errs := []string{}
	for _, e := range l.errs {
		errs = append(errs, fmt.Sprintf("%s", e))
	}

	return models.ScanResult{
		JSONVersion:   models.JSONVersion,
		ServerName:    l.ServerInfo.ServerName,
		ScannedAt:     time.Now(),
		ScanMode:      l.ServerInfo.Mode.String(),
		Family:        l.Distro.Family,
		Release:       l.Distro.Release,
		Container:     container,
		Platform:      l.Platform,
		IPv4Addrs:     l.ServerInfo.IPv4Addrs,
		IPv6Addrs:     l.ServerInfo.IPv6Addrs,
		ScannedCves:   l.VulnInfos,
		RunningKernel: l.Kernel,
		Packages:      l.Packages,
		SrcPackages:   l.SrcPackages,
		Optional:      l.ServerInfo.Optional,
		Errors:        errs,
	}
}

func (l *base) setErrs(errs []error) {
	l.errs = errs
}

func (l *base) getErrs() []error {
	return l.errs
}

const (
	systemd  = "systemd"
	upstart  = "upstart"
	sysVinit = "init"
)

// https://unix.stackexchange.com/questions/196166/how-to-find-out-if-a-system-uses-sysv-upstart-or-systemd-initsystem
func (l *base) detectInitSystem() (string, error) {
	var f func(string) (string, error)
	f = func(cmd string) (string, error) {
		r := l.exec(cmd, sudo)
		if !r.isSuccess() {
			return "", fmt.Errorf("Failed to stat %s: %s", cmd, r)
		}
		scanner := bufio.NewScanner(strings.NewReader(r.Stdout))
		scanner.Scan()
		line := strings.TrimSpace(scanner.Text())
		if strings.Contains(line, "systemd") {
			return systemd, nil
		} else if strings.Contains(line, "upstart") {
			return upstart, nil
		} else if strings.Contains(line, "File: ‘/proc/1/exe’ -> ‘/sbin/init’") ||
			strings.Contains(line, "File: `/proc/1/exe' -> `/sbin/init'") {
			return f("stat /sbin/init")
		} else if line == "File: ‘/sbin/init’" ||
			line == "File: `/sbin/init'" {
			r := l.exec("/sbin/init --version", noSudo)
			if r.isSuccess() {
				if strings.Contains(r.Stdout, "upstart") {
					return upstart, nil
				}
			}
			return sysVinit, nil
		}
		return "", fmt.Errorf("Failed to detect a init system: %s", line)
	}
	return f("stat /proc/1/exe")
}

func (l *base) detectServiceName(pid string) (string, error) {
	cmd := fmt.Sprintf("systemctl status --quiet --no-pager %s", pid)
	r := l.exec(cmd, noSudo)
	if !r.isSuccess() {
		return "", fmt.Errorf("Failed to stat %s: %s", cmd, r)
	}
	return l.parseSystemctlStatus(r.Stdout), nil
}

func (l *base) parseSystemctlStatus(stdout string) string {
	scanner := bufio.NewScanner(strings.NewReader(stdout))
	scanner.Scan()
	line := scanner.Text()
	ss := strings.Fields(line)
	if len(ss) < 2 || strings.HasPrefix(line, "Failed to get unit for PID") {
		return ""
	}
	return ss[1]
}


1			/* Vuls - Vulnerability Scanner
2			Copyright (C) 2016 Future Corporation , Japan.
3
4			This program is free software: you can redistribute it and/or modify
5			it under the terms of the GNU General Public License as published by
6			the Free Software Foundation, either version 3 of the License, or
7			(at your option) any later version.
8
9			This program is distributed in the hope that it will be useful,
10			but WITHOUT ANY WARRANTY; without even the implied warranty of
11			MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12			GNU General Public License for more details.
13
14			You should have received a copy of the GNU General Public License
15			along with this program. If not, see <http://www.gnu.org/licenses/>.
16			*/
17
18			package scan
19
20			import (
21			"bufio"
22			"encoding/json"
23			"fmt"
24			"net"
25			"regexp"
26			"strings"
27			"time"
28
29			"github.com/future-architect/vuls/config"
30			"github.com/future-architect/vuls/models"
31			"github.com/hashicorp/go-version"
32			"github.com/sirupsen/logrus"
33			)
34
35			type base struct {
36			ServerInfo config.ServerInfo
37			Distro config.Distro
38			Platform models.Platform
39			osPackages
40
41			log *logrus.Entry
42			errs []error
43			}
44
45			//Command is for check dependence
46			type Command struct {
47			Command string
48			Name string
49			}
50
51			func (l *base) scanWp() (err error) {
52			if len(l.ServerInfo.WpPath) == 0 && len(l.ServerInfo.WpToken) == 0 {
53			return nil
54			}
55			if len(l.ServerInfo.WpPath) == 0 {
56			return fmt.Errorf("not found : WpPath")
57			}
58			if len(l.ServerInfo.WpToken) == 0 {
59			return fmt.Errorf("not found : WpToken")
60			}
61
62			cmds := []Command{{Command: "wp cli", Name: "wp"}, {Command: "curl --help", Name: "curl"}}
63			for _, cmd := range cmds {
64			if r := exec(l.ServerInfo, cmd.Command, noSudo); !r.isSuccess() {
65			return fmt.Errorf("%s command not installed", cmd.Name)
66			}
67			}
68
69			var vinfos []models.VulnInfo
70			if vinfos, err = detectWp(l); err != nil {
71			l.log.Errorf("Failed to scan wordpress: %s", err)
72			return err
73			}
74			l.WpVulnInfos = map[string]models.VulnInfo{}
75			for _, vinfo := range vinfos {
76			l.WpVulnInfos[vinfo.CveID] = vinfo
77			}
78
79			return
80			}
81
82			//WpCveInfos is for wpvulndb's json
83			type WpCveInfos struct {
84			ReleaseDate string `json:"release_date"`
85			ChangelogURL string `json:"changelog_url"`
86			Status string `json:"status"`
87			LatestVersion string `json:"latest_version"`
88			LastUpdated string `json:"last_updated"`
89			Popular bool `json:"popular"`
90			Vulnerabilities []WpCveInfo `json:"vulnerabilities"`
91			Error string `json:"error"`
92			}
93
94			//WpCveInfo is for wpvulndb's json
95			type WpCveInfo struct {
96			ID int `json:"id"`
97			Title string `json:"title"`
98			CreatedAt string `json:"created_at"`
99			UpdatedAt string `json:"updated_at"`
100			PublishedDate string `json:"published_date"`
101			VulnType string `json:"vuln_type"`
102			References References `json:"references"`
103			FixedIn string `json:"fixed_in"`
104			}
105
106			//References is for wpvulndb's json
107			type References struct {
108			URL []string `json:"url"`
109			Cve []string `json:"cve"`
110			Secunia []string `json:"secunia"`
111			}
112
113			func detectWp(c *base) (vinfos []models.VulnInfo, err error) {
114			var coreVulns []models.VulnInfo
115			if coreVulns, err = detectWpCore(c); err != nil {
116			return
117			}
118			vinfos = append(vinfos, coreVulns...)
119
120			var themeVulns []models.VulnInfo
121			if themeVulns, err = detectWpTheme(c); err != nil {
122			return
123			}
124			vinfos = append(vinfos, themeVulns...)
125
126			var pluginVulns []models.VulnInfo
127			if pluginVulns, err = detectWpPlugin(c); err != nil {
128			return
129			}
130			vinfos = append(vinfos, pluginVulns...)
131
132			return
133			}
134
135			func detectWpCore(c *base) (vinfos []models.VulnInfo, err error) {
136			cmd := fmt.Sprintf("wp core version --path=%s", c.ServerInfo.WpPath)
137
138			var coreVersion string
139			if r := exec(c.ServerInfo, cmd, noSudo); r.isSuccess() {
140			tmp := strings.Split(r.Stdout, ".")
141			coreVersion = strings.Join(tmp, "")
142			coreVersion = strings.TrimRight(coreVersion, "\r\n")
143			if len(coreVersion) == 0 {
144			return
145			}
146			}
147			cmd = fmt.Sprintf("curl -k -H 'Authorization: Token token=%s' https://wpvulndb.com/api/v3/wordpresses/%s", c.ServerInfo.WpToken, coreVersion)
148			if r := exec(c.ServerInfo, cmd, noSudo); r.isSuccess() {
149			coreConvertVinfos(r.Stdout)
150			}
151			return
152			}
153
154			func coreConvertVinfos(stdout string) (vinfos []models.VulnInfo, err error) {
155			data := map[string]WpCveInfos{}
156			if err = json.Unmarshal([]byte(stdout), &data); err != nil {
157			return
158			}
159			for _, i := range data {
160			if len(i.Vulnerabilities) == 0 {
161			continue
162			}
163			for _, vulnerability := range i.Vulnerabilities {
164			if len(vulnerability.References.Cve) == 0 {
165			continue
166			}
167			NotFixedYet := false
168			if len(vulnerability.FixedIn) == 0 {
169			NotFixedYet = true
170			}
171			var cveIDs []string
172			for _, cveNumber := range vulnerability.References.Cve {
173			cveIDs = append(cveIDs, "CVE-"+cveNumber)
174			}
175
176			for _, cveID := range cveIDs {
177			vinfos = append(vinfos, models.VulnInfo{
178			CveID: cveID,
179			CveContents: models.NewCveContents(
180			models.CveContent{
181			CveID: cveID,
182			Title: vulnerability.Title,
183			},
184			),
185			AffectedPackages: models.PackageStatuses{
186			{
187			NotFixedYet: NotFixedYet,
188			},
189			},
190			})
191			}
192			}
193			}
194			return
195			}
196
197			//WpStatus is for wp command
198			type WpStatus struct {
199			Name string `json:"name"`
200			Status string `json:"status"`
201			Update string `json:"update"`
202			Version string `json:"version"`
203			}
204
205			func detectWpTheme(c *base) (vinfos []models.VulnInfo, err error) {
206			cmd := fmt.Sprintf("wp theme list --path=%s --format=json", c.ServerInfo.WpPath)
207
208			var themes []WpStatus
209			if r := exec(c.ServerInfo, cmd, noSudo); r.isSuccess() {
210			if err = json.Unmarshal([]byte(r.Stdout), &themes); err != nil {
211			return
212			}
213			}
214
215			for _, theme := range themes {
216			cmd := fmt.Sprintf("curl -k -H 'Authorization: Token token=%s' https://wpvulndb.com/api/v3/themes/%s", c.ServerInfo.WpToken, theme.Name)
217
218			if r := exec(c.ServerInfo, cmd, noSudo); r.isSuccess() {
219			contentConvertVinfos(c, r.Stdout, theme)
220			}
221			}
222			return
223			}
224
225			func detectWpPlugin(c *base) (vinfos []models.VulnInfo, err error) {
226			cmd := fmt.Sprintf("wp plugin list --path=%s --format=json", c.ServerInfo.WpPath)
227
228			var plugins []WpStatus
229			if r := exec(c.ServerInfo, cmd, noSudo); r.isSuccess() {
230			if err = json.Unmarshal([]byte(r.Stdout), &plugins); err != nil {
231			return
232			}
233			}
234
235			for _, plugin := range plugins {
236			cmd := fmt.Sprintf("curl -k -H 'Authorization: Token token=%s' https://wpvulndb.com/api/v3/plugins/%s", c.ServerInfo.WpToken, plugin.Name)
237
238			if r := exec(c.ServerInfo, cmd, noSudo); r.isSuccess() {
239			contentConvertVinfos(c, r.Stdout, plugin)
240			}
241			}
242			return
243			}
244
245			func contentConvertVinfos(c *base, stdout string, content WpStatus) (vinfos []models.VulnInfo, err error) {
246			data := map[string]WpCveInfos{}
247			if err = json.Unmarshal([]byte(stdout), &data); err != nil {
248			var jsonError WpCveInfos
249			if err = json.Unmarshal([]byte(stdout), &jsonError); err != nil {
250			return
251			}
252			c.log.Errorf("wordpress: %s not found", content.Name)
253			}
254			for _, i := range data {
255			if len(i.Vulnerabilities) == 0 {
256			continue
257			}
258			for _, vulnerability := range i.Vulnerabilities {
259			if len(vulnerability.References.Cve) == 0 {
260			continue
261			}
262			notFixedYet := false
263			if len(vulnerability.FixedIn) == 0 {
264			notFixedYet = true
265			}
266			if len(vulnerability.FixedIn) == 0 {
267			vulnerability.FixedIn = "0"
268			}
269			var v1 *version.Version
270			v1, err = version.NewVersion(content.Version)
271			if err != nil {
272			return
273			}
274			var v2 *version.Version
275			v2, err = version.NewVersion(vulnerability.FixedIn)
276			if err != nil {
277			return
278			}
279			if v1.LessThan(v2) {
280			var cveIDs []string
281			for _, cveNumber := range vulnerability.References.Cve {
282			cveIDs = append(cveIDs, "CVE-"+cveNumber)
283			}
284
285			for _, cveID := range cveIDs {
286			vinfos = append(vinfos, models.VulnInfo{
287			CveID: cveID,
288			CveContents: models.NewCveContents(
289			models.CveContent{
290			CveID: cveID,
291			Title: vulnerability.Title,
292			},
293			),
294			AffectedPackages: models.PackageStatuses{
295			{
296			NotFixedYet: notFixedYet,
297			},
298			},
299			})
300			}
301			}
302			}
303			}
304			return
305			}
306
307			func (l *base) wpConvertToModel() models.VulnInfos {
308			return l.WpVulnInfos
309			}
310
311			func (l *base) exec(cmd string, sudo bool) execResult {
312			return exec(l.ServerInfo, cmd, sudo, l.log)
313			}
314
315			func (l *base) setServerInfo(c config.ServerInfo) {
316			l.ServerInfo = c
317			}
318
319			func (l *base) getServerInfo() config.ServerInfo {
320			return l.ServerInfo
321			}
322
323			func (l *base) setDistro(fam, rel string) {
324			d := config.Distro{
325			Family: fam,
326			Release: rel,
327			}
328			l.Distro = d
329
330			s := l.getServerInfo()
331			s.Distro = d
332			l.setServerInfo(s)
333			}
334
335			func (l *base) getDistro() config.Distro {
336			return l.Distro
337			}
338
339			func (l *base) setPlatform(p models.Platform) {
340			l.Platform = p
341			}
342
343			func (l *base) getPlatform() models.Platform {
344			return l.Platform
345			}
346
347			func (l *base) runningKernel() (release, version string, err error) {
348			r := l.exec("uname -r", noSudo)
349			if !r.isSuccess() {
350			return "", "", fmt.Errorf("Failed to SSH: %s", r)
351			}
352			release = strings.TrimSpace(r.Stdout)
353
354			switch l.Distro.Family {
355			case config.Debian:
356			r := l.exec("uname -a", noSudo)
357			if !r.isSuccess() {
358			return "", "", fmt.Errorf("Failed to SSH: %s", r)
359			}
360			ss := strings.Fields(r.Stdout)
361			if 6 < len(ss) {
362			version = ss[6]
363			}
364			}
365			return
366			}
367
368			func (l *base) allContainers() (containers []config.Container, err error) {
369			switch l.ServerInfo.ContainerType {
370			case "", "docker":
371			stdout, err := l.dockerPs("-a --format '{{.ID}} {{.Names}} {{.Image}}'")
372			if err != nil {
373			return containers, err
374			}
375			return l.parseDockerPs(stdout)
376			case "lxd":
377			stdout, err := l.lxdPs("-c n")
378			if err != nil {
379			return containers, err
380			}
381			return l.parseLxdPs(stdout)
382			case "lxc":
383			stdout, err := l.lxcPs("-1")
384			if err != nil {
385			return containers, err
386			}
387			return l.parseLxcPs(stdout)
388			default:
389			return containers, fmt.Errorf(
390			"Not supported yet: %s", l.ServerInfo.ContainerType)
391			}
392			}
393
394			func (l *base) runningContainers() (containers []config.Container, err error) {
395			switch l.ServerInfo.ContainerType {
396			case "", "docker":
397			stdout, err := l.dockerPs("--format '{{.ID}} {{.Names}} {{.Image}}'")
398			if err != nil {
399			return containers, err
400			}
401			return l.parseDockerPs(stdout)
402			case "lxd":
403			stdout, err := l.lxdPs("volatile.last_state.power=RUNNING -c n")
404			if err != nil {
405			return containers, err
406			}
407			return l.parseLxdPs(stdout)
408			case "lxc":
409			stdout, err := l.lxcPs("-1 --running")
410			if err != nil {
411			return containers, err
412			}
413			return l.parseLxcPs(stdout)
414			default:
415			return containers, fmt.Errorf(
416			"Not supported yet: %s", l.ServerInfo.ContainerType)
417			}
418			}
419
420			func (l *base) exitedContainers() (containers []config.Container, err error) {
421			switch l.ServerInfo.ContainerType {
422			case "", "docker":
423			stdout, err := l.dockerPs("--filter 'status=exited' --format '{{.ID}} {{.Names}} {{.Image}}'")
424			if err != nil {
425			return containers, err
426			}
427			return l.parseDockerPs(stdout)
428			case "lxd":
429			stdout, err := l.lxdPs("volatile.last_state.power=STOPPED -c n")
430			if err != nil {
431			return containers, err
432			}
433			return l.parseLxdPs(stdout)
434			case "lxc":
435			stdout, err := l.lxcPs("-1 --stopped")
436			if err != nil {
437			return containers, err
438			}
439			return l.parseLxcPs(stdout)
440			default:
441			return containers, fmt.Errorf(
442			"Not supported yet: %s", l.ServerInfo.ContainerType)
443			}
444			}
445
446			func (l *base) dockerPs(option string) (string, error) {
447			cmd := fmt.Sprintf("docker ps %s", option)
448			r := l.exec(cmd, noSudo)
449			if !r.isSuccess() {
450			return "", fmt.Errorf("Failed to SSH: %s", r)
451			}
452			return r.Stdout, nil
453			}
454
455			func (l *base) lxdPs(option string) (string, error) {
456			cmd := fmt.Sprintf("lxc list %s", option)
457			r := l.exec(cmd, noSudo)
458			if !r.isSuccess() {
459			return "", fmt.Errorf("failed to SSH: %s", r)
460			}
461			return r.Stdout, nil
462			}
463
464			func (l *base) lxcPs(option string) (string, error) {
465			cmd := fmt.Sprintf("lxc-ls %s 2>/dev/null", option)
466			r := l.exec(cmd, sudo)
467			if !r.isSuccess() {
468			return "", fmt.Errorf("failed to SSH: %s", r)
469			}
470			return r.Stdout, nil
471			}
472
473			func (l *base) parseDockerPs(stdout string) (containers []config.Container, err error) {
474			lines := strings.Split(stdout, "\n")
475			for _, line := range lines {
476			fields := strings.Fields(line)
477			if len(fields) == 0 {
478			break
479			}
480			if len(fields) != 3 {
481			return containers, fmt.Errorf("Unknown format: %s", line)
482			}
483			containers = append(containers, config.Container{
484			ContainerID: fields[0],
485			Name: fields[1],
486			Image: fields[2],
487			})
488			}
489			return
490			}
491
492			func (l *base) parseLxdPs(stdout string) (containers []config.Container, err error) {
493			lines := strings.Split(stdout, "\n")
494			for i, line := range lines[3:] {
495			if i%2 == 1 {
496			continue
497			}
498			fields := strings.Fields(strings.Replace(line, "\|", " ", -1))
499			if len(fields) == 0 {
500			break
501			}
502			if len(fields) != 1 {
503			return containers, fmt.Errorf("Unknown format: %s", line)
504			}
505			containers = append(containers, config.Container{
506			ContainerID: fields[0],
507			Name: fields[0],
508			})
509			}
510			return
511			}
512
513			func (l *base) parseLxcPs(stdout string) (containers []config.Container, err error) {
514			lines := strings.Split(stdout, "\n")
515			for _, line := range lines {
516			fields := strings.Fields(line)
517			if len(fields) == 0 {
518			break
519			}
520			containers = append(containers, config.Container{
521			ContainerID: fields[0],
522			Name: fields[0],
523			})
524			}
525			return
526			}
527
528			// ip executes ip command and returns IP addresses
529			func (l *base) ip() ([]string, []string, error) {
530			// e.g.
531			// 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000\ link/ether 52:54:00:2a:86:4c brd ff:ff:ff:ff:ff:ff
532			// 2: eth0 inet 10.0.2.15/24 brd 10.0.2.255 scope global eth0
533			// 2: eth0 inet6 fe80::5054:ff:fe2a:864c/64 scope link \ valid_lft forever preferred_lft forever
534			r := l.exec("/sbin/ip -o addr", noSudo)
535			if !r.isSuccess() {
536			return nil, nil, fmt.Errorf("Failed to detect IP address: %v", r)
537			}
538			ipv4Addrs, ipv6Addrs := l.parseIP(r.Stdout)
539			return ipv4Addrs, ipv6Addrs, nil
540			}
541
542			// parseIP parses the results of ip command
543			func (l *base) parseIP(stdout string) (ipv4Addrs []string, ipv6Addrs []string) {
544			lines := strings.Split(stdout, "\n")
545			for _, line := range lines {
546			fields := strings.Fields(line)
547			if len(fields) < 4 {
548			continue
549			}
550			ip, _, err := net.ParseCIDR(fields[3])
551			if err != nil {
552			continue
553			}
554			if !ip.IsGlobalUnicast() {
555			continue
556			}
557			if ipv4 := ip.To4(); ipv4 != nil {
558			ipv4Addrs = append(ipv4Addrs, ipv4.String())
559			} else {
560			ipv6Addrs = append(ipv6Addrs, ip.String())
561			}
562			}
563			return
564			}
565
566			func (l *base) detectPlatform() {
567			if l.getServerInfo().Mode.IsOffline() {
568			l.setPlatform(models.Platform{Name: "unknown"})
569			return
570			}
571			ok, instanceID, err := l.detectRunningOnAws()
572			if err != nil {
573			l.setPlatform(models.Platform{Name: "other"})
574			return
575			}
576			if ok {
577			l.setPlatform(models.Platform{
578			Name: "aws",
579			InstanceID: instanceID,
580			})
581			return
582			}
583
584			//TODO Azure, GCP...
585			l.setPlatform(models.Platform{Name: "other"})
586			return
587			}
588
589			func (l *base) detectRunningOnAws() (ok bool, instanceID string, err error) {
590			if r := l.exec("type curl", noSudo); r.isSuccess() {
591			cmd := "curl --max-time 1 --noproxy 169.254.169.254 http://169.254.169.254/latest/meta-data/instance-id"
592			r := l.exec(cmd, noSudo)
593			if r.isSuccess() {
594			id := strings.TrimSpace(r.Stdout)
595			if !l.isAwsInstanceID(id) {
596			return false, "", nil
597			}
598			return true, id, nil
599			}
600
601			switch r.ExitStatus {
602			case 28, 7:
603			// Not running on AWS
604			// 7 Failed to connect to host.
605			// 28 operation timeout.
606			return false, "", nil
607			}
608			}
609
610			if r := l.exec("type wget", noSudo); r.isSuccess() {
611			cmd := "wget --tries=3 --timeout=1 --no-proxy -q -O - http://169.254.169.254/latest/meta-data/instance-id"
612			r := l.exec(cmd, noSudo)
613			if r.isSuccess() {
614			id := strings.TrimSpace(r.Stdout)
615			if !l.isAwsInstanceID(id) {
616			return false, "", nil
617			}
618			return true, id, nil
619			}
620
621			switch r.ExitStatus {
622			case 4, 8:
623			// Not running on AWS
624			// 4 Network failure
625			// 8 Server issued an error response.
626			return false, "", nil
627			}
628			}
629			return false, "", fmt.Errorf(
630			"Failed to curl or wget to AWS instance metadata on %s. container: %s",
631			l.ServerInfo.ServerName, l.ServerInfo.Container.Name)
632			}
633
634			// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/resource-ids.html
635			var awsInstanceIDPattern = regexp.MustCompile(`^i-[0-9a-f]+$`)
636
637			func (l *base) isAwsInstanceID(str string) bool {
638			return awsInstanceIDPattern.MatchString(str)
639			}
640
641			func (l *base) convertToModel() models.ScanResult {
642			ctype := l.ServerInfo.ContainerType
643			if l.ServerInfo.Container.ContainerID != "" && ctype == "" {
644			ctype = "docker"
645			}
646			container := models.Container{
647			ContainerID: l.ServerInfo.Container.ContainerID,
648			Name: l.ServerInfo.Container.Name,
649			Image: l.ServerInfo.Container.Image,
650			Type: ctype,
651			}
652
653			errs := []string{}
654			for _, e := range l.errs {
655			errs = append(errs, fmt.Sprintf("%s", e))
656			}
657
658			return models.ScanResult{
659			JSONVersion: models.JSONVersion,
660			ServerName: l.ServerInfo.ServerName,
661			ScannedAt: time.Now(),
662			ScanMode: l.ServerInfo.Mode.String(),
663			Family: l.Distro.Family,
664			Release: l.Distro.Release,
665			Container: container,
666			Platform: l.Platform,
667			IPv4Addrs: l.ServerInfo.IPv4Addrs,
668			IPv6Addrs: l.ServerInfo.IPv6Addrs,
669			ScannedCves: l.VulnInfos,
670			RunningKernel: l.Kernel,
671			Packages: l.Packages,
672			SrcPackages: l.SrcPackages,
673			Optional: l.ServerInfo.Optional,
674			Errors: errs,
675			}
676			}
677
678			func (l *base) setErrs(errs []error) {
679			l.errs = errs
680			}
681
682			func (l *base) getErrs() []error {
683			return l.errs
684			}
685
686			const (
687			systemd = "systemd"
688			upstart = "upstart"
689			sysVinit = "init"
690			)
691
692			// https://unix.stackexchange.com/questions/196166/how-to-find-out-if-a-system-uses-sysv-upstart-or-systemd-initsystem
693			func (l *base) detectInitSystem() (string, error) {
694			var f func(string) (string, error)
695			f = func(cmd string) (string, error) {
696			r := l.exec(cmd, sudo)
697			if !r.isSuccess() {
698			return "", fmt.Errorf("Failed to stat %s: %s", cmd, r)
699			}
700			scanner := bufio.NewScanner(strings.NewReader(r.Stdout))
701			scanner.Scan()
702			line := strings.TrimSpace(scanner.Text())
703			if strings.Contains(line, "systemd") {
704			return systemd, nil
705			} else if strings.Contains(line, "upstart") {
706			return upstart, nil
707			} else if strings.Contains(line, "File: ‘/proc/1/exe’ -> ‘/sbin/init’") \|\|
708			strings.Contains(line, "File: `/proc/1/exe' -> `/sbin/init'") {
709			return f("stat /sbin/init")
710			} else if line == "File: ‘/sbin/init’" \|\|
711			line == "File: `/sbin/init'" {
712			r := l.exec("/sbin/init --version", noSudo)
713			if r.isSuccess() {
714			if strings.Contains(r.Stdout, "upstart") {
715			return upstart, nil
716			}
717			}
718			return sysVinit, nil
719			}
720			return "", fmt.Errorf("Failed to detect a init system: %s", line)
721			}
722			return f("stat /proc/1/exe")
723			}
724
725			func (l *base) detectServiceName(pid string) (string, error) {
726			cmd := fmt.Sprintf("systemctl status --quiet --no-pager %s", pid)
727			r := l.exec(cmd, noSudo)
728			if !r.isSuccess() {
729			return "", fmt.Errorf("Failed to stat %s: %s", cmd, r)
730			}
731			return l.parseSystemctlStatus(r.Stdout), nil
732			}
733
734			func (l *base) parseSystemctlStatus(stdout string) string {
735			scanner := bufio.NewScanner(strings.NewReader(stdout))
736			scanner.Scan()
737			line := scanner.Text()
738			ss := strings.Fields(line)
739			if len(ss) < 2 \|\| strings.HasPrefix(line, "Failed to get unit for PID") {
740			return ""
741			}
742			return ss[1]
743			}
744

future-architect / vuls

Pull Request — master (#769)

scan.*base.scanWp C

Complexity

Size

Duplication

Importance

How to fix Complexity

Complexity

Duplication Side-by-Side

Filter issues like