
Executing Simple Conpan Command

Open SalehChoueib opened this issue 2 years ago • 1 comments

Hi,

I am trying to execute the example provided in the README, `sudo conpan -p debian -c 127labs/blog -d example`, but I am not having any luck. It is difficult for me to pinpoint the exact issue from the error message:

```
(docker) sc@sc-VirtualBox:~/Documents/docker/conpan/ConPan$ sudo conpan -p debian -c 127labs/blog -d example
[sudo] password for sc:
Connecting to DockerHub... Done
Pulling the Docker image... Done
Extracting installed packages... Done
Tracking installed packages... Done
65it [00:00, 31938.82it/s]s... list index out of range
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/ConPan-1.0.0-py3.10.egg/EGG-INFO/scripts/conpan", line 78, in main
    general_info, installed_packages, tracked_packages, vulnerabilities, bugs = cp.analyze()
  File "/usr/local/lib/python3.10/dist-packages/ConPan-1.0.0-py3.10.egg/conpan/conpan.py", line 93, in analyze
    vulnerabilities = self.vulnerabilities()
  File "/usr/local/lib/python3.10/dist-packages/ConPan-1.0.0-py3.10.egg/conpan/conpan.py", line 158, in vulnerabilities
    return self.backend.get_vuls(self.trackedPackages)
  File "/usr/local/lib/python3.10/dist-packages/ConPan-1.0.0-py3.10.egg/conpan/backend/debian.py", line 338, in get_vuls
    vuls = self.final_vuls(tracked_packages)
  File "/usr/local/lib/python3.10/dist-packages/ConPan-1.0.0-py3.10.egg/conpan/backend/debian.py", line 329, in final_vuls
    df[col] = tcsv[index]
IndexError: list index out of range
```

I am running the latest version of Ubuntu in a virtual machine. Does anyone have any ideas as to why this may be occurring?

If I try to run conpan with images other than 127labs I get the following error:

```
sc@sc-VirtualBox:~/Documents/docker/conpan/ConPan$ sudo conpan -p debian -c apache2 -d example
Connecting to DockerHub... Done
Pulling the Docker image... Unable to find image 'apache2:latest' locally
docker: Error response from daemon: pull access denied for apache2, repository does not exist or may require 'docker login': denied: requested access to the resource is denied.
See 'docker run --help'.
Unable to find image 'apache2:latest' locally
docker: Error response from daemon: pull access denied for apache2, repository does not exist or may require 'docker login': denied: requested access to the resource is denied.
See 'docker run --help'.
Done
Extracting installed packages... Done
Tracking installed packages... Cannot set a DataFrame with multiple columns to the single column missing_updates
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/ConPan-1.0.0-py3.10.egg/EGG-INFO/scripts/conpan", line 78, in main
    general_info, installed_packages, tracked_packages, vulnerabilities, bugs = cp.analyze()
  File "/usr/local/lib/python3.10/dist-packages/ConPan-1.0.0-py3.10.egg/conpan/conpan.py", line 90, in analyze
    tracked_packages = self.tracked_packages() ### TRACK THE INSTALLED PACKAGES
  File "/usr/local/lib/python3.10/dist-packages/ConPan-1.0.0-py3.10.egg/conpan/conpan.py", line 152, in tracked_packages
    self.trackedPackages = self.backend.track_packages(installed_packages)
  File "/usr/local/lib/python3.10/dist-packages/ConPan-1.0.0-py3.10.egg/conpan/backend/debian.py", line 217, in track_packages
    tracked = self.oudated_packages(tracked_packages[['package', 'version', 'first_seen']],
  File "/usr/local/lib/python3.10/dist-packages/ConPan-1.0.0-py3.10.egg/conpan/backend/debian.py", line 189, in oudated_packages
    tracked['missing_updates'] = tracked.apply(lambda d:
  File "/usr/local/lib/python3.10/dist-packages/pandas-1.5.1-py3.10-linux-x86_64.egg/pandas/core/frame.py", line 3967, in __setitem__
    self._set_item_frame_value(key, value)
  File "/usr/local/lib/python3.10/dist-packages/pandas-1.5.1-py3.10-linux-x86_64.egg/pandas/core/frame.py", line 4122, in _set_item_frame_value
    raise ValueError(
ValueError: Cannot set a DataFrame with multiple columns to the single column missing_updates
```

Thank you in advance.

SalehChoueib, Nov 10 '22 21:11

Hi @SalehChoueib,

This project is not maintained anymore and that's why some issues like this one may occur.

The problem here is due to the list of vulnerability reports from the Debian security tracker. After extracting the list of installed package releases, we first identify the right distribution of each used package release and then check whether the package on this distribution has any vulnerabilities (https://github.com/AhmedZerouali/ConPan/blob/master/conpan/backend/debian.py#L293). Later, we compare the version numbers of the used release and the release with the fix. The problem here is that some packages found in Docker images are old, for example coming from Jessie. When we check the security tracker JSON file we don't find any mention of this distribution, and thus the program stops the analysis of vulnerabilities.

You can modify the code to get all vulnerabilities without comparing version numbers of releases from the same Debian distribution, but in this case you will have a lot of false positives, i.e., vulnerabilities that are not affecting the used package release.

It seems that this issue only occurs with the Debian issue tracker. So if you are interested in getting the list of installed packages, tracking them to their origin distribution and then computing the outdatedness with bugs, you can use ConPan as a Python package as follows:

```python
from conpan.conpan import ConPan
kind = 'debian'
image = '127labs/blog'
cp = ConPan(packages=kind, image=image)
```

and then call

```python
cp.general_info()
cp.installed_packages()
cp.tracked_packages()
cp.bugs()
```

but not

```python
cp.vulnerabilities()
```

Note that the list of packages is outdated (https://github.com/neglectos/datasets/blob/master/debian_packages.csv), which means that you might miss package versions released after 18-09-2019.

AhmedZerouali, Nov 10 '22 23:11
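
The failure mode described in the reply above (a package traced to a release such as Jessie that the security tracker JSON does not mention), as an added example that is not ConPan's code: the lookup reports such packages as "unassessed" rather than crashing or counting them as clean, and still compares versions within a release to avoid the false positives mentioned. The `TRACKER` sample, the placeholder CVE id and all function names are constructed for illustration; the version ordering follows dpkg's comparison rules.

```python
import re

# Constructed sample shaped like the tracker JSON: package -> CVE -> releases.
TRACKER = {"openssl": {"CVE-0000-0001": {"releases": {
    "bullseye": {"status": "resolved", "fixed_version": "1.1.1n-0+deb11u1"},
    "bookworm": {"status": "open"}}}}}

def _key(c):
    # dpkg character order: '~' first, then letters, then other symbols
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare one upstream or revision string the way dpkg does."""
    while a or b:
        ta, tb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(ta):], b[len(tb):]
        for i in range(max(len(ta), len(tb))):
            ka = _key(ta[i]) if i < len(ta) else 0
            kb = _key(tb[i]) if i < len(tb) else 0
            if ka != kb:
                return -1 if ka < kb else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def deb_cmp(v1, v2):
    """Return -1, 0 or 1 for Debian versions [epoch:]upstream[-revision]."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        up, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), up, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 > e2) - (e1 < e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def assess(package, version, release, tracker=TRACKER):
    """Return [(cve, verdict)]; a release the feed omits is 'unassessed'."""
    out = []
    for cve, entry in tracker.get(package, {}).items():
        rel = entry.get("releases", {}).get(release)  # None for e.g. jessie
        fixed = (rel or {}).get("fixed_version")
        if rel is None or rel.get("status") not in ("resolved", "open"):
            verdict = "unassessed"
        else:
            verdict = "fixed" if fixed and deb_cmp(version, fixed) >= 0 else "vulnerable"
        out.append((cve, verdict))
    return out
```

An "unassessed" verdict means the feed has no data for that release, so the package needs a separate check (for example against an archived or extended-support advisory source) before it is treated as safe.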