Wazuh 4.8.x new File Format CSV or JSON format
Bug description: Wazuh 4.7.x had an API to export vulnerability information in JSON format.
Since Wazuh 4.8.x there is no longer such an API for vulnerabilities. They now use a separate index called wazuh-states-vulnerabilities-*.
You can now query it with the Wazuh dev tools, curl, or the OpenSearch API.
Example for a single Wazuh endpoint with an agent installed:
GET wazuh-states-vulnerabilities-snooss-wazuh-cluster/_search
{
"sort": [
{
"_score": {
"order": "desc"
}
}
],
"size": 500,
"version": true,
"stored_fields": [
"*"
],
"script_fields": {},
"docvalue_fields": [
{
"field": "package.installed",
"format": "date_time"
},
{
"field": "vulnerability.detected_at",
"format": "date_time"
},
{
"field": "vulnerability.published_at",
"format": "date_time"
}
],
"_source": {
"excludes": []
},
"query": {
"bool": {
"must": [],
"filter": [
{
"bool": {
"should": [
{
"match": {
"agent.id": "002"
}
}
],
"minimum_should_match": 1
}
}
],
"should": [],
"must_not": []
}
},
"highlight": {
"pre_tags": [
"@opensearch-dashboards-highlighted-field@"
],
"post_tags": [
"@/opensearch-dashboards-highlighted-field@"
],
"fields": {
"*": {}
},
"fragment_size": 2147483647
}
}
But you can now also export all vulnerability information with the Wazuh dev tools, curl, or the OpenSearch API.
Example: GET wazuh-states-vulnerabilities-snooss-wazuh-cluster/_search
The output is still JSON, but in a different format.
Example output:
{
"took": 288,
"timed_out": false,
"_shards": {
"total": 1,
"successful": 1,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 659,
"relation": "eq"
},
"max_score": 0,
"hits": [
{
"_index": "wazuh-states-vulnerabilities-snooss-wazuh-cluster",
"_id": "002_0074b31978a8ac3dc55d9c619bc57a5b76546c86_CVE-2022-48340",
"_version": 2,
"_score": 0,
"_source": {
"agent": {
"id": "002",
"name": "pve01",
"type": "wazuh",
"version": "v4.7.2"
},
"host": {
"os": {
"full": "Debian GNU/Linux 12 (bookworm)",
"kernel": "6.5.11-7-pve",
"name": "Debian GNU/Linux",
"platform": "debian",
"type": "debian",
"version": "12"
}
},
"package": {
"architecture": "amd64",
"description": "GlusterFS glusterd shared library",
"name": "libglusterd0",
"size": 3049,
"type": "deb",
"version": "10.3-5"
},
"vulnerability": {
"category": "Packages",
"classification": "CVSS",
"description": "In Gluster GlusterFS 11.0, there is an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free.",
"detected_at": "2024-06-18T09:28:05.815Z",
"enumeration": "CVE",
"id": "CVE-2022-48340",
"published_at": "2023-02-21T02:15:10Z",
"reference": "https://github.com/gluster/glusterfs/issues/3732, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UE6K2DXP4QZVKP32Z7BSYDSRBL4H7JSE/",
"scanner": {
"vendor": "Wazuh"
},
"score": {
"base": 7.5,
"version": "3.1"
},
"severity": "High"
},
"wazuh": {
"cluster": {
"name": "snooss-wazuh-cluster"
},
"schema": {
"version": "1.0.0"
}
}
},
"fields": {
"vulnerability.published_at": [
"2023-02-21T02:15:10.000Z"
],
"vulnerability.detected_at": [
"2024-06-18T09:28:05.815Z"
]
},
"highlight": {
"agent.id": [
"@opensearch-dashboards-highlighted-field@002@/opensearch-dashboards-highlighted-field@"
]
}
},
{
"_index": "wazuh-states-vulnerabilities-snooss-wazuh-cluster",
"_id": "002_07eb9bff7b17683052ae12974bcf2ea6f36cec79_CVE-2023-1801",
"_version": 2,
"_score": 0,
"_source": {
"agent": {
"id": "002",
"name": "pve01",
"type": "wazuh",
"version": "v4.7.2"
},
"host": {
"os": {
"full": "Debian GNU/Linux 12 (bookworm)",
"kernel": "6.5.11-7-pve",
"name": "Debian GNU/Linux",
"platform": "debian",
"type": "debian",
"version": "12"
}
},
"package": {
"architecture": "amd64",
"description": "command-line network traffic analyzer",
"name": "tcpdump",
"size": 1332,
"type": "deb",
"version": "4.99.3-1"
},
"vulnerability": {
"category": "Packages",
"classification": "CVSS",
"description": "The SMB protocol decoder in tcpdump version 4.99.3 can perform an out-of-bounds write when decoding a crafted network packet.",
"detected_at": "2024-06-18T09:28:05.882Z",
"enumeration": "CVE",
"id": "CVE-2023-1801",
"published_at": "2023-04-07T21:15:06Z",
"reference": "https://github.com/the-tcpdump-group/tcpdump/commit/03c037bbd75588beba3ee09f26d17783d21e30bc, https://github.com/the-tcpdump-group/tcpdump/commit/7578e1c04ee280dda50c4c2813e7d55f539c6501, https://lists.fedoraproject.org/archives/list/[email protected]/message/KOA2BJFERAC3VRQIRHJOWN4HZY4ZA7CH/, https://lists.fedoraproject.org/archives/list/[email protected]/message/WYL5DEVHRJYF2CM5LTCZKEYFYDZAIZSN/, https://lists.fedoraproject.org/archives/list/[email protected]/message/ZLLZCG23MU6O4QOG2CX3DLEL3YXP6LAI/, https://support.apple.com/kb/HT213844, https://support.apple.com/kb/HT213845",
"scanner": {
"vendor": "Wazuh"
},
"score": {
"base": 6.5,
"version": "3.1"
},
"severity": "Medium"
},
"wazuh": {
"cluster": {
"name": "snooss-wazuh-cluster"
},
"schema": {
"version": "1.0.0"
}
}
},
"fields": {
"vulnerability.published_at": [
"2023-04-07T21:15:06.000Z"
],
"vulnerability.detected_at": [
"2024-06-18T09:28:05.882Z"
]
},
"highlight": {
"agent.id": [
"@opensearch-dashboards-highlighted-field@002@/opensearch-dashboards-highlighted-field@"
]
}
},
{
"_index": "wazuh-states-vulnerabilities-snooss-wazuh-cluster",
"_id": "002_07eb9bff7b17683052ae12974bcf2ea6f36cec79_CVE-2018-19519",
"_version": 2,
"_score": 0,
"_source": {
"agent": {
"id": "002",
"name": "pve01",
"type": "wazuh",
"version": "v4.7.2"
},
"host": {
"os": {
"full": "Debian GNU/Linux 12 (bookworm)",
"kernel": "6.5.11-7-pve",
"name": "Debian GNU/Linux",
"platform": "debian",
"type": "debian",
"version": "12"
}
},
"package": {
"architecture": "amd64",
"description": "command-line network traffic analyzer",
"name": "tcpdump",
"size": 1332,
"type": "deb",
"version": "4.99.3-1"
},
"vulnerability": {
"category": "Packages",
"classification": "CVSS",
"description": "In tcpdump 4.9.2, a stack-based buffer over-read exists in the print_prefix function of print-hncp.c via crafted packet data because of missing initialization.",
"detected_at": "2024-06-18T09:28:05.883Z",
"enumeration": "CVE",
"id": "CVE-2018-19519",
"published_at": "2018-11-25T20:29:00Z",
"reference": "https://github.com/zyingp/temp/blob/master/tcpdump.md, http://www.securityfocus.com/bid/106098, https://access.redhat.com/errata/RHSA-2019:3976, https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62XY42U6HY3H2APR5EHNWCZ7SAQNMMJN/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNYXF3IY2X65IOD422SA6EQUULSGW7FN/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R2UDPOSGVJQIYC33SQBXMDXHH4QDSDMU/, https://usn.ubuntu.com/4252-1/, https://usn.ubuntu.com/4252-2/",
"scanner": {
"vendor": "Wazuh"
},
"score": {
"base": 4.3,
"version": "2.0"
},
"severity": "Medium"
},
"wazuh": {
"cluster": {
"name": "snooss-wazuh-cluster"
},
"schema": {
"version": "1.0.0"
}
}
},
"fields": {
"vulnerability.published_at": [
"2018-11-25T20:29:00.000Z"
],
"vulnerability.detected_at": [
"2024-06-18T09:28:05.883Z"
]
},
"highlight": {
"agent.id": [
"@opensearch-dashboards-highlighted-field@002@/opensearch-dashboards-highlighted-field@"
]
}
},
{
"_index": "wazuh-states-vulnerabilities-snooss-wazuh-cluster",
"_id": "002_07eb9bff7b17683052ae12974bcf2ea6f36cec79_CVE-2019-1010220",
"_version": 2,
"_score": 0,
"_source": {
"agent": {
"id": "002",
"name": "pve01",
"type": "wazuh",
"version": "v4.7.2"
},
"host": {
"os": {
"full": "Debian GNU/Linux 12 (bookworm)",
"kernel": "6.5.11-7-pve",
"name": "Debian GNU/Linux",
"platform": "debian",
"type": "debian",
"version": "12"
}
},
"package": {
"architecture": "amd64",
"description": "command-line network traffic analyzer",
"name": "tcpdump",
"size": 1332,
"type": "deb",
"version": "4.99.3-1"
},
"vulnerability": {
"category": "Packages",
"classification": "CVSS",
"description": """tcpdump.org tcpdump 4.9.2 is affected by: CWE-126: Buffer Over-read. The impact is: May expose Saved Frame Pointer, Return Address etc. on stack. The component is: line 234: "ND_PRINT((ndo, "%s", buf));", in function named "print_prefix", in "print-hncp.c". The attack vector is: The victim must open a specially crafted pcap file.""",
"detected_at": "2024-06-18T09:28:05.883Z",
"enumeration": "CVE",
"id": "CVE-2019-1010220",
"published_at": "2019-07-22T18:15:11Z",
"reference": "https://github.com/the-tcpdump-group/tcpdump/blob/master/print-hncp.c, https://github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9.2/print-hncp.c, https://github.com/the-tcpdump-group/tcpdump/commits/master/print-hncp.c, http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00065.html, http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00050.html, http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00053.html, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62XY42U6HY3H2APR5EHNWCZ7SAQNMMJN/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNYXF3IY2X65IOD422SA6EQUULSGW7FN/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R2UDPOSGVJQIYC33SQBXMDXHH4QDSDMU/, https://usn.ubuntu.com/4252-1/, https://usn.ubuntu.com/4252-2/",
"scanner": {
"vendor": "Wazuh"
},
"score": {
"base": 4.3,
"version": "2.0"
},
"severity": "Medium"
},
"wazuh": {
"cluster": {
"name": "snooss-wazuh-cluster"
},
"schema": {
"version": "1.0.0"
}
}
},
"fields": {
"vulnerability.published_at": [
"2019-07-22T18:15:11.000Z"
],
"vulnerability.detected_at": [
"2024-06-18T09:28:05.883Z"
]
},
"highlight": {
"agent.id": [
"@opensearch-dashboards-highlighted-field@002@/opensearch-dashboards-highlighted-field@"
]
}
}
]
}
Request: Could you please provide a new importer for Wazuh 4.8.x in DefectDojo?
Thanks