Issues in util.go (master) - Issues in master - future-architect/vuls - Measure and Improve Code Quality continuously with Scrutinizer

Issues (121)

report/util.go (6 issues)

Severity

Unknown 6

/* Vuls - Vulnerability Scanner
Copyright (C) 2016  Future Corporation , Japan.

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

package report

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io/ioutil"
	"os"
	"path/filepath"
	"reflect"
	"regexp"
	"sort"
	"strings"
	"time"

	"github.com/future-architect/vuls/config"
	"github.com/future-architect/vuls/models"
	"github.com/future-architect/vuls/util"
	"github.com/gosuri/uitable"
	"github.com/olekukonko/tablewriter"
	"golang.org/x/xerrors"
)

const maxColWidth = 100

func formatScanSummary(rs ...models.ScanResult) string {
	table := uitable.New()
	table.MaxColWidth = maxColWidth
	table.Wrap = true
	for _, r := range rs {
		var cols []interface{}
		if len(r.Errors) == 0 {
			cols = []interface{}{
				r.FormatServerName(),
				fmt.Sprintf("%s%s", r.Family, r.Release),
				r.FormatUpdatablePacksSummary(),
			}
		} else {
			cols = []interface{}{
				r.FormatServerName(),
				"Error",
				"",
				"Run with --debug to view the details",
			}
		}
		table.AddRow(cols...)
	}
	return fmt.Sprintf("%s\n", table)
}

func formatOneLineSummary(rs ...models.ScanResult) string {
	table := uitable.New()
	table.MaxColWidth = maxColWidth
	table.Wrap = true
	for _, r := range rs {
		var cols []interface{}
		if len(r.Errors) == 0 {
			cols = []interface{}{
				r.FormatServerName(),
				r.ScannedCves.FormatCveSummary(),
				r.ScannedCves.FormatFixedStatus(r.Packages),
				r.FormatUpdatablePacksSummary(),
				r.FormatExploitCveSummary(),
				r.FormatAlertSummary(),
			}
		} else {
			cols = []interface{}{
				r.FormatServerName(),
				"Error: Scan with --debug to view the details",
				"",
			}
		}
		table.AddRow(cols...)
	}
	return fmt.Sprintf("%s\n", table)
}

func formatList(r models.ScanResult) string {
	header := r.FormatTextReportHeadedr()
	if len(r.Errors) != 0 {
		return fmt.Sprintf(
			"%s\nError: Scan with --debug to view the details\n%s\n\n",
			header, r.Errors)
	}

	if len(r.ScannedCves) == 0 {
		return fmt.Sprintf(`
%s
No CVE-IDs are found in updatable packages.
%s
`, header, r.FormatUpdatablePacksSummary())
	}

	data := [][]string{}
	for _, vinfo := range r.ScannedCves.ToSortedSlice() {
		max := vinfo.MaxCvssScore().Value.Score
		// v2max := vinfo.MaxCvss2Score().Value.Score
		// v3max := vinfo.MaxCvss3Score().Value.Score

		// packname := vinfo.AffectedPackages.FormatTuiSummary()
		// packname += strings.Join(vinfo.CpeURIs, ", ")

		exploits := ""
		if 0 < len(vinfo.Exploits) {
			exploits = "   Y"
		}

		link := ""
		if strings.HasPrefix(vinfo.CveID, "CVE-") {
			link = fmt.Sprintf("https://nvd.nist.gov/vuln/detail/%s", vinfo.CveID)
		} else if strings.HasPrefix(vinfo.CveID, "WPVDBID-") {
			link = fmt.Sprintf("https://wpvulndb.com/vulnerabilities/%s", strings.TrimPrefix(vinfo.CveID, "WPVDBID-"))
		}

		data = append(data, []string{
			vinfo.CveID,
			fmt.Sprintf("%7s", vinfo.PatchStatus(r.Packages)),
			vinfo.AlertDict.FormatSource(),
			fmt.Sprintf("%4.1f", max),
			// fmt.Sprintf("%4.1f", v2max),
			// fmt.Sprintf("%4.1f", v3max),
			fmt.Sprintf("%2s", vinfo.AttackVector()),
			exploits,
			link,
		})
	}

	b := bytes.Buffer{}
	table := tablewriter.NewWriter(&b)
	table.SetHeader([]string{
		"CVE-ID",
		"Fixed",
		"CERT",
		"CVSS",
		// "v3",
		// "v2",
		"AV",
		"PoC",
		"NVD",
	})
	table.SetBorder(true)
	table.AppendBulk(data)
	table.Render()
	return fmt.Sprintf("%s\n%s", header, b.String())
}

func formatFullPlainText(r models.ScanResult) (lines string) {
	header := r.FormatTextReportHeadedr()
	if len(r.Errors) != 0 {
		return fmt.Sprintf(
			"%s\nError: Scan with --debug to view the details\n%s\n\n",
			header, r.Errors)
	}

	if len(r.ScannedCves) == 0 {
		return fmt.Sprintf(`
%s
No CVE-IDs are found in updatable packages.
%s
`, header, r.FormatUpdatablePacksSummary())
	}

	lines = header + "\n"

	for _, vuln := range r.ScannedCves.ToSortedSlice() {
		data := [][]string{}
		data = append(data, []string{"Max Score", vuln.FormatMaxCvssScore()})
		for _, cvss := range vuln.Cvss3Scores() {
			if cvssstr := cvss.Value.Format(); cvssstr != "" {
				data = append(data, []string{string(cvss.Type), cvssstr})
			}
		}

		for _, cvss := range vuln.Cvss2Scores(r.Family) {
			if cvssstr := cvss.Value.Format(); cvssstr != "" {
				data = append(data, []string{string(cvss.Type), cvssstr})
			}
		}

		data = append(data, []string{"Summary", vuln.Summaries(
			config.Conf.Lang, r.Family)[0].Value})

		mitigation := vuln.Mitigations(r.Family)[0]
		if mitigation.Type != models.Unknown {
			data = append(data, []string{"Mitigation", mitigation.Value})
		}

		cweURLs, top10URLs := []string{}, []string{}
		for _, v := range vuln.CveContents.UniqCweIDs(r.Family) {
			name, url, top10Rank, top10URL := r.CweDict.Get(v.Value, r.Lang)
			if top10Rank != "" {
				data = append(data, []string{"CWE",
					fmt.Sprintf("[OWASP Top%s] %s: %s (%s)",
						top10Rank, v.Value, name, v.Type)})
				top10URLs = append(top10URLs, top10URL)
			} else {
				data = append(data, []string{"CWE", fmt.Sprintf("%s: %s (%s)",
					v.Value, name, v.Type)})
			}
			cweURLs = append(cweURLs, url)
		}

		vuln.AffectedPackages.Sort()
		for _, affected := range vuln.AffectedPackages {
			if pack, ok := r.Packages[affected.Name]; ok {
				var line string
				if pack.Repository != "" {
					line = fmt.Sprintf("%s (%s)",
						pack.FormatVersionFromTo(affected.NotFixedYet, affected.FixState),
						pack.Repository)
				} else {
					line = fmt.Sprintf("%s",
						pack.FormatVersionFromTo(affected.NotFixedYet, affected.FixState),
					)
				}
				data = append(data, []string{"Affected Pkg", line})

				if len(pack.AffectedProcs) != 0 {
					for _, p := range pack.AffectedProcs {
						data = append(data, []string{"",
							fmt.Sprintf("  - PID: %s %s", p.PID, p.Name)})
					}
				}
			}
		}
		sort.Strings(vuln.CpeURIs)
		for _, name := range vuln.CpeURIs {
			data = append(data, []string{"CPE", name})
		}

		for _, alert := range vuln.GitHubSecurityAlerts {
			data = append(data, []string{"GitHub", alert.PackageName})
		}

		for _, wp := range vuln.WpPackageFixStats {
			if p, ok := r.WordPressPackages.Find(wp.Name); ok {
				if p.Type == models.WPCore {
					data = append(data, []string{"WordPress",
						fmt.Sprintf("%s-%s, FixedIn: %s", wp.Name, p.Version, wp.FixedIn)})
				} else {
					data = append(data, []string{"WordPress",
						fmt.Sprintf("%s-%s, Update: %s, FixedIn: %s, %s",
							wp.Name, p.Version, p.Update, wp.FixedIn, p.Status)})
				}
			} else {
				data = append(data, []string{"WordPress",
					fmt.Sprintf("%s", wp.Name)})
			}
		}

		for _, confidence := range vuln.Confidences {
			data = append(data, []string{"Confidence", confidence.String()})
		}

		if strings.HasPrefix(vuln.CveID, "CVE-") {
			links := vuln.CveContents.SourceLinks(
				config.Conf.Lang, r.Family, vuln.CveID)
			data = append(data, []string{"Source", links[0].Value})

			if 0 < len(vuln.Cvss2Scores(r.Family)) {
				data = append(data, []string{"CVSSv2 Calc", vuln.Cvss2CalcURL()})
			}
			if 0 < len(vuln.Cvss3Scores()) {
				data = append(data, []string{"CVSSv3 Calc", vuln.Cvss3CalcURL()})
			}
		}

		vlinks := vuln.VendorLinks(r.Family)
		for name, url := range vlinks {
			data = append(data, []string{name, url})
		}
		for _, url := range cweURLs {
			data = append(data, []string{"CWE", url})
		}
		for _, exploit := range vuln.Exploits {
			data = append(data, []string{string(exploit.ExploitType), exploit.URL})
		}
		for _, url := range top10URLs {
			data = append(data, []string{"OWASP Top10", url})
		}

		for _, alert := range vuln.AlertDict.Ja {
			data = append(data, []string{"JPCERT Alert", alert.URL})
		}

		for _, alert := range vuln.AlertDict.En {
			data = append(data, []string{"USCERT Alert", alert.URL})
		}

		// for _, rr := range vuln.CveContents.References(r.Family) {
		// for _, ref := range rr.Value {
		// data = append(data, []string{ref.Source, ref.Link})
		// }
		// }

		b := bytes.Buffer{}
		table := tablewriter.NewWriter(&b)
		table.SetColWidth(80)
		table.SetHeaderAlignment(tablewriter.ALIGN_LEFT)
		table.SetHeader([]string{
			vuln.CveID,
			vuln.PatchStatus(r.Packages),
		})
		table.SetBorder(true)
		table.AppendBulk(data)
		table.Render()
		lines += b.String() + "\n"
	}
	return
}

func cweURL(cweID string) string {
	return fmt.Sprintf("https://cwe.mitre.org/data/definitions/%s.html",
		strings.TrimPrefix(cweID, "CWE-"))
}

func cweJvnURL(cweID string) string {
	return fmt.Sprintf("http://jvndb.jvn.jp/ja/cwe/%s.html", cweID)
}

func formatChangelogs(r models.ScanResult) string {
	buf := []string{}
	for _, p := range r.Packages {
		if p.NewVersion == "" {
			continue
		}
		clog := p.FormatChangelog()
		buf = append(buf, clog, "\n\n")
	}
	return strings.Join(buf, "\n")
}
func ovalSupported(r *models.ScanResult) bool {
	switch r.Family {
	case
		config.Amazon,
		config.FreeBSD,
		config.Raspbian:
		return false
	}
	return true
}

func needToRefreshCve(r models.ScanResult) bool {
	if r.Lang != config.Conf.Lang {
		return true
	}

	for _, cve := range r.ScannedCves {
		if 0 < len(cve.CveContents) {
			return false
		}
	}
	return true
}

func overwriteJSONFile(dir string, r models.ScanResult) error {
	before := config.Conf.FormatJSON
	beforeDiff := config.Conf.Diff
	config.Conf.FormatJSON = true
	config.Conf.Diff = false
	w := LocalFileWriter{CurrentDir: dir}
	if err := w.Write(r); err != nil {
		return xerrors.Errorf("Failed to write summary report: %w", err)

	}
	config.Conf.FormatJSON = before
	config.Conf.Diff = beforeDiff
	return nil
}

func loadPrevious(currs models.ScanResults) (prevs models.ScanResults, err error) {
	dirs, err := ListValidJSONDirs()
	if err != nil {
		return
	}

	for _, result := range currs {
		filename := result.ServerName + ".json"
		if result.Container.Name != "" {
			filename = fmt.Sprintf("%s@%s.json", result.Container.Name, result.ServerName)
		}
		for _, dir := range dirs[1:] {
			path := filepath.Join(dir, filename)
			r, err := loadOneServerScanResult(path)
			if err != nil {
				util.Log.Errorf("%+v", err)
				continue
			}
			if r.Family == result.Family && r.Release == result.Release {
				prevs = append(prevs, *r)
				util.Log.Infof("Previous json found: %s", path)
				break
			} else {
				util.Log.Infof("Previous json is different family.Release: %s, pre: %s.%s cur: %s.%s",
					path, r.Family, r.Release, result.Family, result.Release)
			}
		}
	}
	return prevs, nil
}

func diff(curResults, preResults models.ScanResults) (diffed models.ScanResults, err error) {
	for _, current := range curResults {
		found := false
		var previous models.ScanResult
		for _, r := range preResults {
			if current.ServerName == r.ServerName && current.Container.Name == r.Container.Name {
				found = true
				previous = r
				break
			}
		}

		if found {
			current.ScannedCves = getDiffCves(previous, current)
			packages := models.Packages{}
			for _, s := range current.ScannedCves {
				for _, affected := range s.AffectedPackages {
					p := current.Packages[affected.Name]
					packages[affected.Name] = p
				}
			}
			current.Packages = packages
		}

		diffed = append(diffed, current)
	}
	return diffed, err
}

func getDiffCves(previous, current models.ScanResult) models.VulnInfos {
	previousCveIDsSet := map[string]bool{}
	for _, previousVulnInfo := range previous.ScannedCves {
		previousCveIDsSet[previousVulnInfo.CveID] = true
	}

	new := models.VulnInfos{}
	updated := models.VulnInfos{}
	for _, v := range current.ScannedCves {
		if previousCveIDsSet[v.CveID] {
			if isCveInfoUpdated(v.CveID, previous, current) {
				updated[v.CveID] = v
				util.Log.Debugf("updated: %s", v.CveID)

				// TODO commented out beause  a bug of diff logic when multiple oval defs found for a certain CVE-ID and same updated_at
				// if these OVAL defs have different affected packages, this logic detects as updated.
				// This logic will be uncommented after integration with ghost https://github.com/knqyf263/gost
				// } else if isCveFixed(v, previous) {
				// updated[v.CveID] = v
				// util.Log.Debugf("fixed: %s", v.CveID)

			} else {
				util.Log.Debugf("same: %s", v.CveID)
			}
		} else {
			util.Log.Debugf("new: %s", v.CveID)
			new[v.CveID] = v
		}
	}

	for cveID, vuln := range new {
		updated[cveID] = vuln
	}
	return updated
}

func isCveFixed(current models.VulnInfo, previous models.ScanResult) bool {
	preVinfo, _ := previous.ScannedCves[current.CveID]
	pre := map[string]bool{}
	for _, h := range preVinfo.AffectedPackages {
		pre[h.Name] = h.NotFixedYet
	}

	cur := map[string]bool{}
	for _, h := range current.AffectedPackages {
		cur[h.Name] = h.NotFixedYet
	}

	return !reflect.DeepEqual(pre, cur)
}

func isCveInfoUpdated(cveID string, previous, current models.ScanResult) bool {
	cTypes := []models.CveContentType{
		models.NvdXML,
		models.Jvn,
		models.NewCveContentType(current.Family),
	}

	prevLastModified := map[models.CveContentType]time.Time{}
	preVinfo, ok := previous.ScannedCves[cveID]
	if !ok {
		return true
	}
	for _, cType := range cTypes {
		if content, ok := preVinfo.CveContents[cType]; ok {
			prevLastModified[cType] = content.LastModified
		}
	}

	curLastModified := map[models.CveContentType]time.Time{}
	curVinfo, ok := current.ScannedCves[cveID]
	if !ok {
		return true
	}
	for _, cType := range cTypes {
		if content, ok := curVinfo.CveContents[cType]; ok {
			curLastModified[cType] = content.LastModified
		}
	}

	for _, t := range cTypes {
		if !curLastModified[t].Equal(prevLastModified[t]) {
			util.Log.Debugf("%s LastModified not equal: \n%s\n%s",
				cveID, curLastModified[t], prevLastModified[t])
			return true
		}
	}
	return false
}

// jsonDirPattern is file name pattern of JSON directory
// 2016-11-16T10:43:28+09:00
// 2016-11-16T10:43:28Z
var jsonDirPattern = regexp.MustCompile(
	`^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{2}:\d{2})$`)

// ListValidJSONDirs returns valid json directory as array
// Returned array is sorted so that recent directories are at the head
func ListValidJSONDirs() (dirs []string, err error) {
	var dirInfo []os.FileInfo
	if dirInfo, err = ioutil.ReadDir(config.Conf.ResultsDir); err != nil {
		err = xerrors.Errorf("Failed to read %s: %w",

			config.Conf.ResultsDir, err)
		return
	}
	for _, d := range dirInfo {
		if d.IsDir() && jsonDirPattern.MatchString(d.Name()) {
			jsonDir := filepath.Join(config.Conf.ResultsDir, d.Name())
			dirs = append(dirs, jsonDir)
		}
	}
	sort.Slice(dirs, func(i, j int) bool {
		return dirs[j] < dirs[i]
	})
	return
}

// JSONDir returns
// If there is an arg, check if it is a valid format and return the corresponding path under results.
// If arg passed via PIPE (such as history subcommand), return that path.
// Otherwise, returns the path of the latest directory
func JSONDir(args []string) (string, error) {
	var err error
	dirs := []string{}

	if 0 < len(args) {
		if dirs, err = ListValidJSONDirs(); err != nil {
			return "", err
		}

		path := filepath.Join(config.Conf.ResultsDir, args[0])
		for _, d := range dirs {
			ss := strings.Split(d, string(os.PathSeparator))
			timedir := ss[len(ss)-1]
			if timedir == args[0] {
				return path, nil
			}
		}

		return "", xerrors.Errorf("Invalid path: %s", path)
	}

	// PIPE
	if config.Conf.Pipe {
		bytes, err := ioutil.ReadAll(os.Stdin)
		if err != nil {
			return "", xerrors.Errorf("Failed to read stdin: %w", err)

		}
		fields := strings.Fields(string(bytes))
		if 0 < len(fields) {
			return filepath.Join(config.Conf.ResultsDir, fields[0]), nil
		}
		return "", xerrors.Errorf("Stdin is invalid: %s", string(bytes))
	}

	// returns latest dir when no args or no PIPE
	if dirs, err = ListValidJSONDirs(); err != nil {
		return "", err
	}
	if len(dirs) == 0 {
		return "", xerrors.Errorf("No results under %s",
			config.Conf.ResultsDir)
	}
	return dirs[0], nil
}

// LoadScanResults read JSON data
func LoadScanResults(jsonDir string) (results models.ScanResults, err error) {
	var files []os.FileInfo
	if files, err = ioutil.ReadDir(jsonDir); err != nil {
		return nil, xerrors.Errorf("Failed to read %s: %w", jsonDir, err)

	}
	for _, f := range files {
		if filepath.Ext(f.Name()) != ".json" || strings.HasSuffix(f.Name(), "_diff.json") {
			continue
		}

		var r *models.ScanResult
		path := filepath.Join(jsonDir, f.Name())
		if r, err = loadOneServerScanResult(path); err != nil {
			return nil, err
		}
		results = append(results, *r)
	}
	if len(results) == 0 {
		return nil, xerrors.Errorf("There is no json file under %s", jsonDir)
	}
	return
}

// loadOneServerScanResult read JSON data of one server
func loadOneServerScanResult(jsonFile string) (*models.ScanResult, error) {
	var (
		data []byte
		err  error
	)
	if data, err = ioutil.ReadFile(jsonFile); err != nil {
		return nil, xerrors.Errorf("Failed to read %s: %w", jsonFile, err)

	}
	result := &models.ScanResult{}
	if err := json.Unmarshal(data, result); err != nil {
		return nil, xerrors.Errorf("Failed to parse %s: %w", jsonFile, err)

	}
	return result, nil
}


1			/* Vuls - Vulnerability Scanner
2			Copyright (C) 2016 Future Corporation , Japan.
3
4			This program is free software: you can redistribute it and/or modify
5			it under the terms of the GNU General Public License as published by
6			the Free Software Foundation, either version 3 of the License, or
7			(at your option) any later version.
8
9			This program is distributed in the hope that it will be useful,
10			but WITHOUT ANY WARRANTY; without even the implied warranty of
11			MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12			GNU General Public License for more details.
13
14			You should have received a copy of the GNU General Public License
15			along with this program. If not, see <http://www.gnu.org/licenses/>.
16			*/
17
18			package report
19
20			import (
21			"bytes"
22			"encoding/json"
23			"fmt"
24			"io/ioutil"
25			"os"
26			"path/filepath"
27			"reflect"
28			"regexp"
29			"sort"
30			"strings"
31			"time"
32
33			"github.com/future-architect/vuls/config"
34			"github.com/future-architect/vuls/models"
35			"github.com/future-architect/vuls/util"
36			"github.com/gosuri/uitable"
37			"github.com/olekukonko/tablewriter"
38			"golang.org/x/xerrors"
39			)
40
41			const maxColWidth = 100
42
43			func formatScanSummary(rs ...models.ScanResult) string {
44			table := uitable.New()
45			table.MaxColWidth = maxColWidth
46			table.Wrap = true
47			for _, r := range rs {
48			var cols []interface{}
49			if len(r.Errors) == 0 {
50			cols = []interface{}{
51			r.FormatServerName(),
52			fmt.Sprintf("%s%s", r.Family, r.Release),
53			r.FormatUpdatablePacksSummary(),
54			}
55			} else {
56			cols = []interface{}{
57			r.FormatServerName(),
58			"Error",
59			"",
60			"Run with --debug to view the details",
61			}
62			}
63			table.AddRow(cols...)
64			}
65			return fmt.Sprintf("%s\n", table)
66			}
67
68			func formatOneLineSummary(rs ...models.ScanResult) string {
69			table := uitable.New()
70			table.MaxColWidth = maxColWidth
71			table.Wrap = true
72			for _, r := range rs {
73			var cols []interface{}
74			if len(r.Errors) == 0 {
75			cols = []interface{}{
76			r.FormatServerName(),
77			r.ScannedCves.FormatCveSummary(),
78			r.ScannedCves.FormatFixedStatus(r.Packages),
79			r.FormatUpdatablePacksSummary(),
80			r.FormatExploitCveSummary(),
81			r.FormatAlertSummary(),
82			}
83			} else {
84			cols = []interface{}{
85			r.FormatServerName(),
86			"Error: Scan with --debug to view the details",
87			"",
88			}
89			}
90			table.AddRow(cols...)
91			}
92			return fmt.Sprintf("%s\n", table)
93			}
94
95			func formatList(r models.ScanResult) string {
96			header := r.FormatTextReportHeadedr()
97			if len(r.Errors) != 0 {
98			return fmt.Sprintf(
99			"%s\nError: Scan with --debug to view the details\n%s\n\n",
100			header, r.Errors)
101			}
102
103			if len(r.ScannedCves) == 0 {
104			return fmt.Sprintf(`
105			%s
106			No CVE-IDs are found in updatable packages.
107			%s
108			`, header, r.FormatUpdatablePacksSummary())
109			}
110
111			data := [][]string{}
112			for _, vinfo := range r.ScannedCves.ToSortedSlice() {
113			max := vinfo.MaxCvssScore().Value.Score
114			// v2max := vinfo.MaxCvss2Score().Value.Score
115			// v3max := vinfo.MaxCvss3Score().Value.Score
116
117			// packname := vinfo.AffectedPackages.FormatTuiSummary()
118			// packname += strings.Join(vinfo.CpeURIs, ", ")
119
120			exploits := ""
121			if 0 < len(vinfo.Exploits) {
122			exploits = " Y"
123			}
124
125			link := ""
126			if strings.HasPrefix(vinfo.CveID, "CVE-") {
127			link = fmt.Sprintf("https://nvd.nist.gov/vuln/detail/%s", vinfo.CveID)
128			} else if strings.HasPrefix(vinfo.CveID, "WPVDBID-") {
129			link = fmt.Sprintf("https://wpvulndb.com/vulnerabilities/%s", strings.TrimPrefix(vinfo.CveID, "WPVDBID-"))
130			}
131
132			data = append(data, []string{
133			vinfo.CveID,
134			fmt.Sprintf("%7s", vinfo.PatchStatus(r.Packages)),
135			vinfo.AlertDict.FormatSource(),
136			fmt.Sprintf("%4.1f", max),
137			// fmt.Sprintf("%4.1f", v2max),
138			// fmt.Sprintf("%4.1f", v3max),
139			fmt.Sprintf("%2s", vinfo.AttackVector()),
140			exploits,
141			link,
142			})
143			}
144
145			b := bytes.Buffer{}
146			table := tablewriter.NewWriter(&b)
147			table.SetHeader([]string{
148			"CVE-ID",
149			"Fixed",
150			"CERT",
151			"CVSS",
152			// "v3",
153			// "v2",
154			"AV",
155			"PoC",
156			"NVD",
157			})
158			table.SetBorder(true)
159			table.AppendBulk(data)
160			table.Render()
161			return fmt.Sprintf("%s\n%s", header, b.String())
162			}
163
164			func formatFullPlainText(r models.ScanResult) (lines string) {
165			header := r.FormatTextReportHeadedr()
166			if len(r.Errors) != 0 {
167			return fmt.Sprintf(
168			"%s\nError: Scan with --debug to view the details\n%s\n\n",
169			header, r.Errors)
170			}
171
172			if len(r.ScannedCves) == 0 {
173			return fmt.Sprintf(`
174			%s
175			No CVE-IDs are found in updatable packages.
176			%s
177			`, header, r.FormatUpdatablePacksSummary())
178			}
179
180			lines = header + "\n"
181
182			for _, vuln := range r.ScannedCves.ToSortedSlice() {
183			data := [][]string{}
184			data = append(data, []string{"Max Score", vuln.FormatMaxCvssScore()})
185			for _, cvss := range vuln.Cvss3Scores() {
186			if cvssstr := cvss.Value.Format(); cvssstr != "" {
187			data = append(data, []string{string(cvss.Type), cvssstr})
188			}
189			}
190
191			for _, cvss := range vuln.Cvss2Scores(r.Family) {
192			if cvssstr := cvss.Value.Format(); cvssstr != "" {
193			data = append(data, []string{string(cvss.Type), cvssstr})
194			}
195			}
196
197			data = append(data, []string{"Summary", vuln.Summaries(
198			config.Conf.Lang, r.Family)[0].Value})
199
200			mitigation := vuln.Mitigations(r.Family)[0]
201			if mitigation.Type != models.Unknown {
202			data = append(data, []string{"Mitigation", mitigation.Value})
203			}
204
205			cweURLs, top10URLs := []string{}, []string{}
206			for _, v := range vuln.CveContents.UniqCweIDs(r.Family) {
207			name, url, top10Rank, top10URL := r.CweDict.Get(v.Value, r.Lang)
208			if top10Rank != "" {
209			data = append(data, []string{"CWE",
210			fmt.Sprintf("[OWASP Top%s] %s: %s (%s)",
211			top10Rank, v.Value, name, v.Type)})
212			top10URLs = append(top10URLs, top10URL)
213			} else {
214			data = append(data, []string{"CWE", fmt.Sprintf("%s: %s (%s)",
215			v.Value, name, v.Type)})
216			}
217			cweURLs = append(cweURLs, url)
218			}
219
220			vuln.AffectedPackages.Sort()
221			for _, affected := range vuln.AffectedPackages {
222			if pack, ok := r.Packages[affected.Name]; ok {
223			var line string
224			if pack.Repository != "" {
225			line = fmt.Sprintf("%s (%s)",
226			pack.FormatVersionFromTo(affected.NotFixedYet, affected.FixState),
227			pack.Repository)
228			} else {
229			line = fmt.Sprintf("%s",
230			pack.FormatVersionFromTo(affected.NotFixedYet, affected.FixState),
231			)
232			}
233			data = append(data, []string{"Affected Pkg", line})
234
235			if len(pack.AffectedProcs) != 0 {
236			for _, p := range pack.AffectedProcs {
237			data = append(data, []string{"",
238			fmt.Sprintf(" - PID: %s %s", p.PID, p.Name)})
239			}
240			}
241			}
242			}
243			sort.Strings(vuln.CpeURIs)
244			for _, name := range vuln.CpeURIs {
245			data = append(data, []string{"CPE", name})
246			}
247
248			for _, alert := range vuln.GitHubSecurityAlerts {
249			data = append(data, []string{"GitHub", alert.PackageName})
250			}
251
252			for _, wp := range vuln.WpPackageFixStats {
253			if p, ok := r.WordPressPackages.Find(wp.Name); ok {
254			if p.Type == models.WPCore {
255			data = append(data, []string{"WordPress",
256			fmt.Sprintf("%s-%s, FixedIn: %s", wp.Name, p.Version, wp.FixedIn)})
257			} else {
258			data = append(data, []string{"WordPress",
259			fmt.Sprintf("%s-%s, Update: %s, FixedIn: %s, %s",
260			wp.Name, p.Version, p.Update, wp.FixedIn, p.Status)})
261			}
262			} else {
263			data = append(data, []string{"WordPress",
264			fmt.Sprintf("%s", wp.Name)})
265			}
266			}
267
268			for _, confidence := range vuln.Confidences {
269			data = append(data, []string{"Confidence", confidence.String()})
270			}
271
272			if strings.HasPrefix(vuln.CveID, "CVE-") {
273			links := vuln.CveContents.SourceLinks(
274			config.Conf.Lang, r.Family, vuln.CveID)
275			data = append(data, []string{"Source", links[0].Value})
276
277			if 0 < len(vuln.Cvss2Scores(r.Family)) {
278			data = append(data, []string{"CVSSv2 Calc", vuln.Cvss2CalcURL()})
279			}
280			if 0 < len(vuln.Cvss3Scores()) {
281			data = append(data, []string{"CVSSv3 Calc", vuln.Cvss3CalcURL()})
282			}
283			}
284
285			vlinks := vuln.VendorLinks(r.Family)
286			for name, url := range vlinks {
287			data = append(data, []string{name, url})
288			}
289			for _, url := range cweURLs {
290			data = append(data, []string{"CWE", url})
291			}
292			for _, exploit := range vuln.Exploits {
293			data = append(data, []string{string(exploit.ExploitType), exploit.URL})
294			}
295			for _, url := range top10URLs {
296			data = append(data, []string{"OWASP Top10", url})
297			}
298
299			for _, alert := range vuln.AlertDict.Ja {
300			data = append(data, []string{"JPCERT Alert", alert.URL})
301			}
302
303			for _, alert := range vuln.AlertDict.En {
304			data = append(data, []string{"USCERT Alert", alert.URL})
305			}
306
307			// for _, rr := range vuln.CveContents.References(r.Family) {
308			// for _, ref := range rr.Value {
309			// data = append(data, []string{ref.Source, ref.Link})
310			// }
311			// }
312
313			b := bytes.Buffer{}
314			table := tablewriter.NewWriter(&b)
315			table.SetColWidth(80)
316			table.SetHeaderAlignment(tablewriter.ALIGN_LEFT)
317			table.SetHeader([]string{
318			vuln.CveID,
319			vuln.PatchStatus(r.Packages),
320			})
321			table.SetBorder(true)
322			table.AppendBulk(data)
323			table.Render()
324			lines += b.String() + "\n"
325			}
326			return
327			}
328
329			func cweURL(cweID string) string {
330			return fmt.Sprintf("https://cwe.mitre.org/data/definitions/%s.html",
331			strings.TrimPrefix(cweID, "CWE-"))
332			}
333
334			func cweJvnURL(cweID string) string {
335			return fmt.Sprintf("http://jvndb.jvn.jp/ja/cwe/%s.html", cweID)
336			}
337
338			func formatChangelogs(r models.ScanResult) string {
339			buf := []string{}
340			for _, p := range r.Packages {
341			if p.NewVersion == "" {
342			continue
343			}
344			clog := p.FormatChangelog()
345			buf = append(buf, clog, "\n\n")
346			}
347			return strings.Join(buf, "\n")
348			}
349			func ovalSupported(r *models.ScanResult) bool {
350			switch r.Family {
351			case
352			config.Amazon,
353			config.FreeBSD,
354			config.Raspbian:
355			return false
356			}
357			return true
358			}
359
360			func needToRefreshCve(r models.ScanResult) bool {
361			if r.Lang != config.Conf.Lang {
362			return true
363			}
364
365			for _, cve := range r.ScannedCves {
366			if 0 < len(cve.CveContents) {
367			return false
368			}
369			}
370			return true
371			}
372
373			func overwriteJSONFile(dir string, r models.ScanResult) error {
374			before := config.Conf.FormatJSON
375			beforeDiff := config.Conf.Diff
376			config.Conf.FormatJSON = true
377			config.Conf.Diff = false
378			w := LocalFileWriter{CurrentDir: dir}
379			if err := w.Write(r); err != nil {
380			return xerrors.Errorf("Failed to write summary report: %w", err)
			0 ignored issues – show introduced 2019-04-08 04:31 UTC by Report Bug Copy Issue Report Show Similar Issues like this unrecognized printf verb 'w' Loading history...
381			}
382			config.Conf.FormatJSON = before
383			config.Conf.Diff = beforeDiff
384			return nil
385			}
386
387			func loadPrevious(currs models.ScanResults) (prevs models.ScanResults, err error) {
388			dirs, err := ListValidJSONDirs()
389			if err != nil {
390			return
391			}
392
393			for _, result := range currs {
394			filename := result.ServerName + ".json"
395			if result.Container.Name != "" {
396			filename = fmt.Sprintf("%s@%s.json", result.Container.Name, result.ServerName)
397			}
398			for _, dir := range dirs[1:] {
399			path := filepath.Join(dir, filename)
400			r, err := loadOneServerScanResult(path)
401			if err != nil {
402			util.Log.Errorf("%+v", err)
403			continue
404			}
405			if r.Family == result.Family && r.Release == result.Release {
406			prevs = append(prevs, *r)
407			util.Log.Infof("Previous json found: %s", path)
408			break
409			} else {
410			util.Log.Infof("Previous json is different family.Release: %s, pre: %s.%s cur: %s.%s",
411			path, r.Family, r.Release, result.Family, result.Release)
412			}
413			}
414			}
415			return prevs, nil
416			}
417
418			func diff(curResults, preResults models.ScanResults) (diffed models.ScanResults, err error) {
419			for _, current := range curResults {
420			found := false
421			var previous models.ScanResult
422			for _, r := range preResults {
423			if current.ServerName == r.ServerName && current.Container.Name == r.Container.Name {
424			found = true
425			previous = r
426			break
427			}
428			}
429
430			if found {
431			current.ScannedCves = getDiffCves(previous, current)
432			packages := models.Packages{}
433			for _, s := range current.ScannedCves {
434			for _, affected := range s.AffectedPackages {
435			p := current.Packages[affected.Name]
436			packages[affected.Name] = p
437			}
438			}
439			current.Packages = packages
440			}
441
442			diffed = append(diffed, current)
443			}
444			return diffed, err
445			}
446
447			func getDiffCves(previous, current models.ScanResult) models.VulnInfos {
448			previousCveIDsSet := map[string]bool{}
449			for _, previousVulnInfo := range previous.ScannedCves {
450			previousCveIDsSet[previousVulnInfo.CveID] = true
451			}
452
453			new := models.VulnInfos{}
454			updated := models.VulnInfos{}
455			for _, v := range current.ScannedCves {
456			if previousCveIDsSet[v.CveID] {
457			if isCveInfoUpdated(v.CveID, previous, current) {
458			updated[v.CveID] = v
459			util.Log.Debugf("updated: %s", v.CveID)
460
461			// TODO commented out beause a bug of diff logic when multiple oval defs found for a certain CVE-ID and same updated_at
462			// if these OVAL defs have different affected packages, this logic detects as updated.
463			// This logic will be uncommented after integration with ghost https://github.com/knqyf263/gost
464			// } else if isCveFixed(v, previous) {
465			// updated[v.CveID] = v
466			// util.Log.Debugf("fixed: %s", v.CveID)
467
468			} else {
469			util.Log.Debugf("same: %s", v.CveID)
470			}
471			} else {
472			util.Log.Debugf("new: %s", v.CveID)
473			new[v.CveID] = v
474			}
475			}
476
477			for cveID, vuln := range new {
478			updated[cveID] = vuln
479			}
480			return updated
481			}
482
483			func isCveFixed(current models.VulnInfo, previous models.ScanResult) bool {
484			preVinfo, _ := previous.ScannedCves[current.CveID]
485			pre := map[string]bool{}
486			for _, h := range preVinfo.AffectedPackages {
487			pre[h.Name] = h.NotFixedYet
488			}
489
490			cur := map[string]bool{}
491			for _, h := range current.AffectedPackages {
492			cur[h.Name] = h.NotFixedYet
493			}
494
495			return !reflect.DeepEqual(pre, cur)
496			}
497
498			func isCveInfoUpdated(cveID string, previous, current models.ScanResult) bool {
499			cTypes := []models.CveContentType{
500			models.NvdXML,
501			models.Jvn,
502			models.NewCveContentType(current.Family),
503			}
504
505			prevLastModified := map[models.CveContentType]time.Time{}
506			preVinfo, ok := previous.ScannedCves[cveID]
507			if !ok {
508			return true
509			}
510			for _, cType := range cTypes {
511			if content, ok := preVinfo.CveContents[cType]; ok {
512			prevLastModified[cType] = content.LastModified
513			}
514			}
515
516			curLastModified := map[models.CveContentType]time.Time{}
517			curVinfo, ok := current.ScannedCves[cveID]
518			if !ok {
519			return true
520			}
521			for _, cType := range cTypes {
522			if content, ok := curVinfo.CveContents[cType]; ok {
523			curLastModified[cType] = content.LastModified
524			}
525			}
526
527			for _, t := range cTypes {
528			if !curLastModified[t].Equal(prevLastModified[t]) {
529			util.Log.Debugf("%s LastModified not equal: \n%s\n%s",
530			cveID, curLastModified[t], prevLastModified[t])
531			return true
532			}
533			}
534			return false
535			}
536
537			// jsonDirPattern is file name pattern of JSON directory
538			// 2016-11-16T10:43:28+09:00
539			// 2016-11-16T10:43:28Z
540			var jsonDirPattern = regexp.MustCompile(
541			`^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z\|[+-]\d{2}:\d{2})$`)
542
543			// ListValidJSONDirs returns valid json directory as array
544			// Returned array is sorted so that recent directories are at the head
545			func ListValidJSONDirs() (dirs []string, err error) {
546			var dirInfo []os.FileInfo
547			if dirInfo, err = ioutil.ReadDir(config.Conf.ResultsDir); err != nil {
548			err = xerrors.Errorf("Failed to read %s: %w",
			0 ignored issues – show introduced 2019-04-08 04:31 UTC by Report Bug Copy Issue Report Show Similar Issues like this unrecognized printf verb 'w' Loading history...
549			config.Conf.ResultsDir, err)
550			return
551			}
552			for _, d := range dirInfo {
553			if d.IsDir() && jsonDirPattern.MatchString(d.Name()) {
554			jsonDir := filepath.Join(config.Conf.ResultsDir, d.Name())
555			dirs = append(dirs, jsonDir)
556			}
557			}
558			sort.Slice(dirs, func(i, j int) bool {
559			return dirs[j] < dirs[i]
560			})
561			return
562			}
563
564			// JSONDir returns
565			// If there is an arg, check if it is a valid format and return the corresponding path under results.
566			// If arg passed via PIPE (such as history subcommand), return that path.
567			// Otherwise, returns the path of the latest directory
568			func JSONDir(args []string) (string, error) {
569			var err error
570			dirs := []string{}
571
572			if 0 < len(args) {
573			if dirs, err = ListValidJSONDirs(); err != nil {
574			return "", err
575			}
576
577			path := filepath.Join(config.Conf.ResultsDir, args[0])
578			for _, d := range dirs {
579			ss := strings.Split(d, string(os.PathSeparator))
580			timedir := ss[len(ss)-1]
581			if timedir == args[0] {
582			return path, nil
583			}
584			}
585
586			return "", xerrors.Errorf("Invalid path: %s", path)
587			}
588
589			// PIPE
590			if config.Conf.Pipe {
591			bytes, err := ioutil.ReadAll(os.Stdin)
592			if err != nil {
593			return "", xerrors.Errorf("Failed to read stdin: %w", err)
			0 ignored issues – show introduced 2019-04-08 04:31 UTC by Report Bug Copy Issue Report Show Similar Issues like this unrecognized printf verb 'w' Loading history...
594			}
595			fields := strings.Fields(string(bytes))
596			if 0 < len(fields) {
597			return filepath.Join(config.Conf.ResultsDir, fields[0]), nil
598			}
599			return "", xerrors.Errorf("Stdin is invalid: %s", string(bytes))
600			}
601
602			// returns latest dir when no args or no PIPE
603			if dirs, err = ListValidJSONDirs(); err != nil {
604			return "", err
605			}
606			if len(dirs) == 0 {
607			return "", xerrors.Errorf("No results under %s",
608			config.Conf.ResultsDir)
609			}
610			return dirs[0], nil
611			}
612
613			// LoadScanResults read JSON data
614			func LoadScanResults(jsonDir string) (results models.ScanResults, err error) {
615			var files []os.FileInfo
616			if files, err = ioutil.ReadDir(jsonDir); err != nil {
617			return nil, xerrors.Errorf("Failed to read %s: %w", jsonDir, err)
			0 ignored issues – show introduced 2019-04-08 04:31 UTC by Report Bug Copy Issue Report Show Similar Issues like this unrecognized printf verb 'w' Loading history...
618			}
619			for _, f := range files {
620			if filepath.Ext(f.Name()) != ".json" \|\| strings.HasSuffix(f.Name(), "_diff.json") {
621			continue
622			}
623
624			var r *models.ScanResult
625			path := filepath.Join(jsonDir, f.Name())
626			if r, err = loadOneServerScanResult(path); err != nil {
627			return nil, err
628			}
629			results = append(results, *r)
630			}
631			if len(results) == 0 {
632			return nil, xerrors.Errorf("There is no json file under %s", jsonDir)
633			}
634			return
635			}
636
637			// loadOneServerScanResult read JSON data of one server
638			func loadOneServerScanResult(jsonFile string) (*models.ScanResult, error) {
639			var (
640			data []byte
641			err error
642			)
643			if data, err = ioutil.ReadFile(jsonFile); err != nil {
644			return nil, xerrors.Errorf("Failed to read %s: %w", jsonFile, err)
			0 ignored issues – show introduced 2019-04-08 04:31 UTC by Report Bug Copy Issue Report Show Similar Issues like this unrecognized printf verb 'w' Loading history...
645			}
646			result := &models.ScanResult{}
647			if err := json.Unmarshal(data, result); err != nil {
648			return nil, xerrors.Errorf("Failed to parse %s: %w", jsonFile, err)
			0 ignored issues – show introduced 2019-04-08 04:31 UTC by Report Bug Copy Issue Report Show Similar Issues like this unrecognized printf verb 'w' Loading history...
649			}
650			return result, nil
651			}
652

future-architect / vuls

Issues (121)

report/util.go (6 issues)

Severity

Introduced By

Duplication Side-by-Side

Filter issues like