ThreatMapper
[v2] Data sent to ES integration doesn't have host/container/etc. fields
Describe the bug: data sent to the ES integration is missing fields useful to identify the node where the scan was run.
Steps To Reproduce
- Go to Integrations
- Configure a ES integration to send vulnerability/secret data
- Run a vulnerability or secret scan
- Check data in the configured index
Expected behavior: the fields relating to which node the scan belongs to are missing.
Sample Vulnerability from data in ES
{
"_index" : "scans",
"_type" : "_doc",
"_id" : "1AljbYkB9I5oKUBekxXj",
"_score" : 1.0,
"_ignored" : [
"cve_description.keyword"
],
"_source" : {
"cve_attack_vector" : "cvss:3.1/av:n/ac:l/pr:n/ui:n/s:u/c:h/i:n/a:n",
"cve_caused_by_package" : "libgcrypt20:1.8.7-6",
"cve_caused_by_package_path" : "",
"cve_container_layer" : "",
"cve_cvss_score" : 7.5,
"cve_description" : "Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.",
"cve_fixed_in" : "",
"cve_id" : "CVE-2021-33560",
"cve_link" : "https://www.oracle.com/security-alerts/cpuoct2021.html",
"cve_overall_score" : 7.5,
"cve_severity" : "high",
"cve_type" : "",
"exploit_poc" : "",
"has_live_connection" : false,
"masked" : false,
"node_id" : "libgcrypt20:1.8.7-6CVE-2021-33560",
"parsed_attack_vector" : "network",
"resources" : null,
"updated_at" : 1689757363792,
"urls" : [
"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-33560.json",
"https://access.redhat.com/security/cve/CVE-2021-33560",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33560",
"https://dev.gnupg.org/T5305",
"https://dev.gnupg.org/T5328",
"https://dev.gnupg.org/T5466",
"https://dev.gnupg.org/rCe8b7f10be275bcedb5fc05ed4837a89bfd605c61",
"https://eprint.iacr.org/2021/923",
"https://errata.almalinux.org/8/ALSA-2021-4409.html",
"https://linux.oracle.com/cve/CVE-2021-33560.html",
"https://linux.oracle.com/errata/ELSA-2022-9263.html",
"https://lists.debian.org/debian-lts-announce/2021/06/msg00021.html",
"https://lists.fedoraproject.org/archives/list/[email protected]/message/BKKTOIGFW2SGN3DO2UHHVZ7MJSYN4AAB/",
"https://lists.fedoraproject.org/archives/list/[email protected]/message/R7OAPCUGPF3VLA7QAJUQSL255D4ITVTL/",
"https://nvd.nist.gov/vuln/detail/CVE-2021-33560",
"https://security.gentoo.org/glsa/202210-13",
"https://ubuntu.com/security/notices/USN-5080-1",
"https://ubuntu.com/security/notices/USN-5080-2",
"https://www.cve.org/CVERecord?id=CVE-2021-33560",
"https://www.oracle.com/security-alerts/cpuapr2022.html",
"https://www.oracle.com/security-alerts/cpujan2022.html",
"https://www.oracle.com/security-alerts/cpujul2022.html",
"https://www.oracle.com/security-alerts/cpuoct2021.html"
]
}
}
Sample data for Secret in ES
{
"_index" : "secrets",
"_type" : "_doc",
"_id" : "NQlnbYkB9I5oKUBesRaB",
"_score" : 1.0,
"_source" : {
"full_filename" : "etc/shadow",
"level" : "medium",
"masked" : false,
"matched_content" : "\"etc/shadow\"",
"name" : "Potential Linux shadow file",
"node_id" : "84_etc_shadow",
"part" : "path",
"relative_ending_index" : 10,
"relative_starting_index" : 0,
"resources" : null,
"rule_id" : 84,
"score" : 5,
"signature_to_match" : "etc/shadow$",
"starting_index" : 0,
"updated_at" : 1689757628653
}
}
This is consistent across all the integrations. We have no way to associate the result with the entity (host, image or container). We should be putting an "Identifier" in the results to accomplish this association. The identifier could be the "ScanID" or the "Name" of the entity (hostname, image name+tag, container name).
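The following is an added example of the enrichment step proposed above; it is illustration code written for this page, not ThreatMapper's own integration code, and the struct and field names (`ScanContext`, `scan_id`, `node_type`, `node_name`, `host_name`) are assumptions. It takes a raw `_source` document like the ones shown, copies it, and adds the scan and entity identifiers before the document is handed to the ES client. Note that the `node_id` already present in the samples identifies the finding (package+CVE, or rule+path), not the scanned host, image or container, so it is left untouched and a separate set of entity fields is added. The function refuses to produce a document when the identifying context is missing, so an unattributable result is never indexed silently.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ScanContext carries the identity of the scanned entity. Field names are
// assumptions for this example, not ThreatMapper's own schema.
type ScanContext struct {
	ScanID   string // identifier of the scan that produced the result
	NodeType string // "host", "container" or "container_image"
	NodeName string // hostname, image name:tag or container name
	HostName string // host the container/image was scanned on, if applicable
}

// Enrich returns a copy of a result document with identifier fields added so
// that a consumer of the ES index can associate the result with its scan and
// the entity it belongs to. The original document (including its finding-level
// node_id) is not modified.
func Enrich(doc map[string]interface{}, ctx ScanContext) map[string]interface{} {
	out := make(map[string]interface{}, len(doc)+4)
	for k, v := range doc {
		out[k] = v
	}
	out["scan_id"] = ctx.ScanID
	out["node_type"] = ctx.NodeType
	out["node_name"] = ctx.NodeName
	if ctx.HostName != "" {
		out["host_name"] = ctx.HostName
	}
	return out
}

// EnrichJSON applies Enrich to a raw JSON `_source` body and returns the JSON
// that would be indexed. It fails closed: a result whose scan or entity is
// unknown is rejected rather than indexed without attribution.
func EnrichJSON(raw []byte, ctx ScanContext) ([]byte, error) {
	if ctx.ScanID == "" || ctx.NodeType == "" || ctx.NodeName == "" {
		return nil, fmt.Errorf("refusing to index result without scan_id, node_type and node_name")
	}
	var doc map[string]interface{}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, fmt.Errorf("decoding result: %w", err)
	}
	return json.Marshal(Enrich(doc, ctx))
}

func main() {
	// Constructed sample: a trimmed copy of the vulnerability document from the report.
	raw := []byte(`{"cve_id":"CVE-2021-33560","cve_severity":"high",` +
		`"node_id":"libgcrypt20:1.8.7-6CVE-2021-33560","masked":false}`)
	// Hypothetical scan context; values are made up for the example.
	ctx := ScanContext{
		ScanID:   "vuln-scan-0001",
		NodeType: "container_image",
		NodeName: "debian:11",
		HostName: "worker-1",
	}
	out, err := EnrichJSON(raw, ctx)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(string(out))
}
```

With this in place a consumer can filter the index by `scan_id` to get one scan's results, or by `node_type` and `node_name` to see everything found on a given host, image or container; the secrets index would get the same fields from the same context.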