1 | /* Vuls - Vulnerability Scanner |
||
2 | Copyright (C) 2016 Future Corporation , Japan. |
||
3 | |||
4 | This program is free software: you can redistribute it and/or modify |
||
5 | it under the terms of the GNU General Public License as published by |
||
6 | the Free Software Foundation, either version 3 of the License, or |
||
7 | (at your option) any later version. |
||
8 | |||
9 | This program is distributed in the hope that it will be useful, |
||
10 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
||
11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||
12 | GNU General Public License for more details. |
||
13 | |||
14 | You should have received a copy of the GNU General Public License |
||
15 | along with this program. If not, see <http://www.gnu.org/licenses/>. |
||
16 | */ |
||
17 | |||
18 | package config |
||
19 | |||
20 | import ( |
||
21 | "os" |
||
22 | "regexp" |
||
23 | "strings" |
||
24 | |||
25 | "github.com/BurntSushi/toml" |
||
26 | "github.com/knqyf263/go-cpe/naming" |
||
27 | "golang.org/x/xerrors" |
||
28 | ) |
||
29 | |||
30 | // TOMLLoader loads config |
||
31 | type TOMLLoader struct { |
||
32 | } |
||
33 | |||
34 | // Load load the configuration TOML file specified by path arg. |
||
35 | func (c TOMLLoader) Load(pathToToml, keyPass string) error { |
||
36 | var conf Config |
||
37 | if _, err := toml.DecodeFile(pathToToml, &conf); err != nil { |
||
38 | return err |
||
39 | } |
||
40 | Conf.EMail = conf.EMail |
||
41 | Conf.Slack = conf.Slack |
||
42 | Conf.Stride = conf.Stride |
||
43 | Conf.HipChat = conf.HipChat |
||
44 | Conf.ChatWork = conf.ChatWork |
||
45 | Conf.Telegram = conf.Telegram |
||
46 | Conf.Saas = conf.Saas |
||
47 | Conf.Syslog = conf.Syslog |
||
48 | Conf.HTTP = conf.HTTP |
||
49 | Conf.AWS = conf.AWS |
||
50 | Conf.Azure = conf.Azure |
||
51 | |||
52 | Conf.CveDict = conf.CveDict |
||
53 | Conf.OvalDict = conf.OvalDict |
||
54 | Conf.Gost = conf.Gost |
||
55 | Conf.Exploit = conf.Exploit |
||
56 | |||
57 | d := conf.Default |
||
58 | Conf.Default = d |
||
59 | servers := make(map[string]ServerInfo) |
||
60 | |||
61 | if keyPass != "" { |
||
62 | d.KeyPassword = keyPass |
||
63 | } |
||
64 | |||
65 | i := 0 |
||
66 | for serverName, v := range conf.Servers { |
||
67 | if 0 < len(v.KeyPassword) { |
||
68 | return xerrors.Errorf("[Deprecated] KEYPASSWORD IN CONFIG FILE ARE UNSECURE. REMOVE THEM IMMEDIATELY FOR A SECURITY REASONS. THEY WILL BE REMOVED IN A FUTURE RELEASE: %s", serverName) |
||
69 | } |
||
70 | |||
71 | s := ServerInfo{ServerName: serverName} |
||
72 | if v.Type != ServerTypePseudo { |
||
73 | s.Host = v.Host |
||
74 | if len(s.Host) == 0 { |
||
75 | return xerrors.Errorf("%s is invalid. host is empty", serverName) |
||
76 | } |
||
77 | |||
78 | switch { |
||
79 | case v.Port != "": |
||
80 | s.Port = v.Port |
||
81 | case d.Port != "": |
||
82 | s.Port = d.Port |
||
83 | default: |
||
84 | s.Port = "22" |
||
85 | } |
||
86 | |||
87 | switch { |
||
88 | case v.User != "": |
||
89 | s.User = v.User |
||
90 | case d.User != "": |
||
91 | s.User = d.User |
||
92 | default: |
||
93 | if s.Port != "local" { |
||
94 | return xerrors.Errorf("%s is invalid. User is empty", serverName) |
||
95 | } |
||
96 | } |
||
97 | |||
98 | s.KeyPath = v.KeyPath |
||
99 | if len(s.KeyPath) == 0 { |
||
100 | s.KeyPath = d.KeyPath |
||
101 | } |
||
102 | if s.KeyPath != "" { |
||
103 | if _, err := os.Stat(s.KeyPath); err != nil { |
||
104 | return xerrors.Errorf( |
||
105 | "%s is invalid. keypath: %s not exists", serverName, s.KeyPath) |
||
106 | } |
||
107 | } |
||
108 | |||
109 | s.KeyPassword = v.KeyPassword |
||
110 | if len(s.KeyPassword) == 0 { |
||
111 | s.KeyPassword = d.KeyPassword |
||
112 | } |
||
113 | } |
||
114 | |||
115 | s.ScanMode = v.ScanMode |
||
116 | if len(s.ScanMode) == 0 { |
||
117 | s.ScanMode = d.ScanMode |
||
118 | if len(s.ScanMode) == 0 { |
||
119 | s.ScanMode = []string{"fast"} |
||
120 | } |
||
121 | } |
||
122 | for _, m := range s.ScanMode { |
||
123 | switch m { |
||
124 | case "fast": |
||
125 | s.Mode.Set(Fast) |
||
126 | case "fast-root": |
||
127 | s.Mode.Set(FastRoot) |
||
128 | case "deep": |
||
129 | s.Mode.Set(Deep) |
||
130 | case "offline": |
||
131 | s.Mode.Set(Offline) |
||
132 | default: |
||
133 | return xerrors.Errorf("scanMode: %s of %s is invalie. Specify -fast, -fast-root, -deep or offline", m, serverName) |
||
134 | } |
||
135 | } |
||
136 | if err := s.Mode.validate(); err != nil { |
||
137 | return xerrors.Errorf("%s in %s", err, serverName) |
||
138 | } |
||
139 | |||
140 | s.CpeNames = v.CpeNames |
||
141 | if len(s.CpeNames) == 0 { |
||
142 | s.CpeNames = d.CpeNames |
||
143 | } |
||
144 | |||
145 | for i, n := range s.CpeNames { |
||
146 | uri, err := toCpeURI(n) |
||
147 | if err != nil { |
||
148 | return xerrors.Errorf("Failed to parse CPENames %s in %s, err: %w", n, serverName, err) |
||
0 ignored issues
–
show
introduced
by
Loading history...
|
|||
149 | } |
||
150 | s.CpeNames[i] = uri |
||
151 | } |
||
152 | |||
153 | s.ContainersIncluded = v.ContainersIncluded |
||
154 | if len(s.ContainersIncluded) == 0 { |
||
155 | s.ContainersIncluded = d.ContainersIncluded |
||
156 | } |
||
157 | |||
158 | s.ContainersExcluded = v.ContainersExcluded |
||
159 | if len(s.ContainersExcluded) == 0 { |
||
160 | s.ContainersExcluded = d.ContainersExcluded |
||
161 | } |
||
162 | |||
163 | s.ContainerType = v.ContainerType |
||
164 | if len(s.ContainerType) == 0 { |
||
165 | s.ContainerType = d.ContainerType |
||
166 | } |
||
167 | |||
168 | s.Containers = v.Containers |
||
169 | for contName, cont := range s.Containers { |
||
170 | cont.IgnoreCves = append(cont.IgnoreCves, d.IgnoreCves...) |
||
171 | s.Containers[contName] = cont |
||
172 | } |
||
173 | |||
174 | if len(v.DependencyCheckXMLPath) != 0 || len(d.DependencyCheckXMLPath) != 0 { |
||
175 | return xerrors.Errorf("[DEPRECATED] dependencyCheckXMLPath IS DEPRECATED. USE owaspDCXMLPath INSTEAD: %s", serverName) |
||
176 | } |
||
177 | |||
178 | s.OwaspDCXMLPath = v.OwaspDCXMLPath |
||
179 | if len(s.OwaspDCXMLPath) == 0 { |
||
180 | s.OwaspDCXMLPath = d.OwaspDCXMLPath |
||
181 | } |
||
182 | |||
183 | s.Memo = v.Memo |
||
184 | if s.Memo == "" { |
||
185 | s.Memo = d.Memo |
||
186 | } |
||
187 | |||
188 | s.IgnoreCves = v.IgnoreCves |
||
189 | for _, cve := range d.IgnoreCves { |
||
190 | found := false |
||
191 | for _, c := range s.IgnoreCves { |
||
192 | if cve == c { |
||
193 | found = true |
||
194 | break |
||
195 | } |
||
196 | } |
||
197 | if !found { |
||
198 | s.IgnoreCves = append(s.IgnoreCves, cve) |
||
199 | } |
||
200 | } |
||
201 | |||
202 | s.IgnorePkgsRegexp = v.IgnorePkgsRegexp |
||
203 | for _, pkg := range d.IgnorePkgsRegexp { |
||
204 | found := false |
||
205 | for _, p := range s.IgnorePkgsRegexp { |
||
206 | if pkg == p { |
||
207 | found = true |
||
208 | break |
||
209 | } |
||
210 | } |
||
211 | if !found { |
||
212 | s.IgnorePkgsRegexp = append(s.IgnorePkgsRegexp, pkg) |
||
213 | } |
||
214 | } |
||
215 | for _, reg := range s.IgnorePkgsRegexp { |
||
216 | _, err := regexp.Compile(reg) |
||
217 | if err != nil { |
||
218 | return xerrors.Errorf("Faild to parse %s in %s. err: %w", reg, serverName, err) |
||
0 ignored issues
–
show
|
|||
219 | } |
||
220 | } |
||
221 | for contName, cont := range s.Containers { |
||
222 | for _, reg := range cont.IgnorePkgsRegexp { |
||
223 | _, err := regexp.Compile(reg) |
||
224 | if err != nil { |
||
225 | return xerrors.Errorf("Faild to parse %s in %s@%s. err: %w", |
||
0 ignored issues
–
show
|
|||
226 | reg, contName, serverName, err) |
||
227 | } |
||
228 | } |
||
229 | } |
||
230 | |||
231 | opt := map[string]interface{}{} |
||
232 | for k, v := range d.Optional { |
||
233 | opt[k] = v |
||
234 | } |
||
235 | for k, v := range v.Optional { |
||
236 | opt[k] = v |
||
237 | } |
||
238 | s.Optional = opt |
||
239 | |||
240 | s.Enablerepo = v.Enablerepo |
||
241 | if len(s.Enablerepo) == 0 { |
||
242 | s.Enablerepo = d.Enablerepo |
||
243 | } |
||
244 | if len(s.Enablerepo) != 0 { |
||
245 | for _, repo := range s.Enablerepo { |
||
246 | switch repo { |
||
247 | case "base", "updates": |
||
248 | // nop |
||
249 | default: |
||
250 | return xerrors.Errorf( |
||
251 | "For now, enablerepo have to be base or updates: %s, servername: %s", |
||
252 | s.Enablerepo, serverName) |
||
253 | } |
||
254 | } |
||
255 | } |
||
256 | |||
257 | s.GitHubRepos = v.GitHubRepos |
||
258 | for ownerRepo, githubSetting := range s.GitHubRepos { |
||
259 | if ss := strings.Split(ownerRepo, "/"); len(ss) != 2 { |
||
260 | return xerrors.Errorf("Failed to parse GitHub owner/repo: %s in %s", |
||
261 | ownerRepo, serverName) |
||
262 | } |
||
263 | if githubSetting.Token == "" { |
||
264 | return xerrors.Errorf("GitHub owner/repo: %s in %s token is empty", |
||
265 | ownerRepo, serverName) |
||
266 | } |
||
267 | } |
||
268 | |||
269 | s.UUIDs = v.UUIDs |
||
270 | s.Type = v.Type |
||
271 | |||
272 | s.WordPress.WPVulnDBToken = v.WordPress.WPVulnDBToken |
||
273 | s.WordPress.CmdPath = v.WordPress.CmdPath |
||
274 | s.WordPress.DocRoot = v.WordPress.DocRoot |
||
275 | s.WordPress.OSUser = v.WordPress.OSUser |
||
276 | s.WordPress.IgnoreInactive = v.WordPress.IgnoreInactive |
||
277 | |||
278 | s.LogMsgAnsiColor = Colors[i%len(Colors)] |
||
279 | i++ |
||
280 | |||
281 | servers[serverName] = s |
||
282 | } |
||
283 | Conf.Servers = servers |
||
284 | return nil |
||
285 | } |
||
286 | |||
287 | func toCpeURI(cpename string) (string, error) { |
||
288 | if strings.HasPrefix(cpename, "cpe:2.3:") { |
||
289 | wfn, err := naming.UnbindFS(cpename) |
||
290 | if err != nil { |
||
291 | return "", err |
||
292 | } |
||
293 | return naming.BindToURI(wfn), nil |
||
294 | } else if strings.HasPrefix(cpename, "cpe:/") { |
||
295 | wfn, err := naming.UnbindURI(cpename) |
||
296 | if err != nil { |
||
297 | return "", err |
||
298 | } |
||
299 | return naming.BindToURI(wfn), nil |
||
300 | } |
||
301 | return "", xerrors.Errorf("Unknow CPE format: %s", cpename) |
||
302 | } |
||
303 |