feat(server): Apply filters for IgnoreCves and PkgsRegexps on server mode
What did you implement:
Closes #1267
The default settings should be applied to vuls server scans as well.
I applied the filters for ignoreCves and PkgsRegexps to the result from server mode.
Type of change
- [x] New feature (non-breaking change which adds functionality)
How Has This Been Tested?
How to reproduce this?
To get the same kind of results, simply run the `vuls server` command with the config listed below and run the same POST command.
- Tested with the config listed below

```toml
[default]
ignorePkgsRegexp = [
  "^openssh"
]
ignoreCves = [
  "CVE-2004-0230"
]

[servers.via-server]
host = "localhost"
port = "local"
```
- Commands that were used to test

```bash
dpkg-query -W -f='${binary:Package},${db:Status-Abbrev},${Version},${Source},${source:Version}\n' |
curl -sS -o - -X POST \
  -H "content-type: text/plain" -H 'X-Vuls-OS-Family: debian' \
  -H "X-Vuls-Server-Name: via-server" \
  -H "X-Vuls-OS-Release: $(cat /etc/debian_version)" \
  -H "X-Vuls-Kernel-Release: $(uname -r)" \
  -H "X-Vuls-Kernel-Version: $(uname -a | awk '{print $7}')" \
  http://127.0.0.1:5515/vuls \
  --data-binary @- | jq . > via-server-without-openssh.json
```
Then I checked the result myself.

Results for `ignoreCves`
- before

```
❯ grep CVE-2004-0230 via-server.json
    "CVE-2004-0230": {
      "cveID": "CVE-2004-0230",
          "cveID": "CVE-2004-0230",
          "sourceLink": "https://security-tracker.debian.org/tracker/CVE-2004-0230",
          "cveID": "CVE-2004-0230",
            "link": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0230",
            "link": "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2004-0230",
          "cveID": "CVE-2004-0230",
          "sourceLink": "https://nvd.nist.gov/vuln/detail/CVE-2004-0230",
```

- after

```
❯ grep CVE-2004-0230 via-server.json
```

(empty)
Results for `ignorePkgsRegexp`

`CVE-2019-16905` is one of the CVEs that includes openssh.
- before

```
❯ grep CVE-2019-16905 via-server-without-opnessh.json
    "CVE-2019-16905": {
      "cveID": "CVE-2019-16905",
          "cveID": "CVE-2019-16905",
          "sourceLink": "https://security-tracker.debian.org/tracker/CVE-2019-16905",
          "cveID": "CVE-2019-16905",
            "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16905",
            "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-16905",
          "cveID": "CVE-2019-16905",
          "sourceLink": "https://nvd.nist.gov/vuln/detail/CVE-2019-16905",
```

- after

```
❯ grep CVE-2019-16905 via-server-without-opnessh.json
```

(empty)
Checklist:
- [ ] Write tests
- [x] Write documentation
- [x] Check that there aren't other open pull requests for the same issue/feature
- [x] Format your source code by `make fmt`
- [x] Pass the test by `make test`
- [x] Provide verification config / commands
- [x] Enable "Allow edits from maintainers" for this PR
- [x] Update the messages below
Is this ready for review?: YES
References
- https://github.com/vulsdoc/vuls/pull/161
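The filtering this PR applies to server-mode results, shown as an added Go example. This is not vuls' own code: the types `IgnoreConfig`, `VulnInfo` and `ScanResult` and the function `ApplyIgnoreFilters` are hypothetical stand-ins for the real result structures, the config values mirror the `[default]` section above, and the sample result (package names and the placeholder `CVE-0000-0001`) is constructed for the example. It also handles the two edge cases a practitioner would ask about: an invalid `ignorePkgsRegexp` pattern fails the run instead of silently leaving findings unfiltered, and a CVE whose affected packages were all filtered away is dropped as a whole, as the grep results above show for `CVE-2019-16905`.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// IgnoreConfig models the two [default] keys from the PR's test config.
// Hypothetical type written for this example, not vuls' own config struct.
type IgnoreConfig struct {
	IgnoreCves       []string // CVE IDs to drop outright (ignoreCves)
	IgnorePkgsRegexp []string // package-name patterns to drop (ignorePkgsRegexp)
}

// VulnInfo is a minimal stand-in for one CVE entry of a scan result.
type VulnInfo struct {
	CveID        string
	AffectedPkgs []string
}

// ScanResult is keyed by CVE ID, like the "CVE-...": { "cveID": ... } entries in the PR output.
type ScanResult map[string]VulnInfo

// ApplyIgnoreFilters returns a filtered copy of r. A CVE is dropped when its ID is in
// ignoreCves; each affected package is dropped when any ignorePkgsRegexp matches it, and
// a CVE whose affected packages were all filtered away is dropped too.
func ApplyIgnoreFilters(r ScanResult, cfg IgnoreConfig) (ScanResult, error) {
	ignoreCve := make(map[string]bool, len(cfg.IgnoreCves))
	for _, id := range cfg.IgnoreCves {
		ignoreCve[id] = true
	}
	pkgRes := make([]*regexp.Regexp, 0, len(cfg.IgnorePkgsRegexp))
	for _, p := range cfg.IgnorePkgsRegexp {
		re, err := regexp.Compile(p)
		if err != nil {
			// Fail loudly: a bad pattern would otherwise leave findings unfiltered.
			return nil, fmt.Errorf("ignorePkgsRegexp %q: %w", p, err)
		}
		pkgRes = append(pkgRes, re)
	}

	out := make(ScanResult, len(r))
	for id, v := range r {
		if ignoreCve[id] {
			continue
		}
		kept := make([]string, 0, len(v.AffectedPkgs))
		for _, pkg := range v.AffectedPkgs {
			if !matchesAny(pkgRes, pkg) {
				kept = append(kept, pkg)
			}
		}
		// Drop on emptiness only if the entry had packages to begin with; an entry
		// without package attribution is kept untouched.
		if len(v.AffectedPkgs) > 0 && len(kept) == 0 {
			continue
		}
		out[id] = VulnInfo{CveID: v.CveID, AffectedPkgs: kept}
	}
	return out, nil
}

func matchesAny(res []*regexp.Regexp, s string) bool {
	for _, re := range res {
		if re.MatchString(s) {
			return true
		}
	}
	return false
}

// SampleConfig reproduces the [default] section from the PR's test config.
func SampleConfig() IgnoreConfig {
	return IgnoreConfig{
		IgnoreCves:       []string{"CVE-2004-0230"},
		IgnorePkgsRegexp: []string{"^openssh"},
	}
}

// SampleResult is a constructed result: the first two CVE IDs appear in the PR's grep
// output; the package lists and CVE-0000-0001 are placeholders invented for this example.
func SampleResult() ScanResult {
	return ScanResult{
		"CVE-2004-0230":  {CveID: "CVE-2004-0230", AffectedPkgs: []string{"linux-image-amd64"}},
		"CVE-2019-16905": {CveID: "CVE-2019-16905", AffectedPkgs: []string{"openssh-client", "openssh-server"}},
		"CVE-0000-0001":  {CveID: "CVE-0000-0001", AffectedPkgs: []string{"openssh-server", "curl"}},
	}
}

func main() {
	out, err := ApplyIgnoreFilters(SampleResult(), SampleConfig())
	if err != nil {
		panic(err)
	}
	ids := make([]string, 0, len(out))
	for id := range out {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	for _, id := range ids {
		fmt.Printf("%s affects %v\n", id, out[id].AffectedPkgs)
	}
}
```

With the sample data only `CVE-0000-0001` survives, reduced to its `curl` package: `CVE-2004-0230` is removed by `ignoreCves`, and `CVE-2019-16905` loses both of its openssh packages and is dropped as a whole, which is the same outcome the before/after greps above demonstrate.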
Can't you also support this?
what exactly do you want me to implement here?
> Can't you also support this?

> what exactly do you want me to implement here?
I am sorry that my English is not good enough to convey my intentions. The following is an additional task. If you don't want them included in this PR, or don't feel the need to do it, please express your intention and I will do it for you. Please don't hesitate to tell me.

There are three tasks that I would like you to do in this PR.

The first is to add an example of `ignorePkgsRegexp` to the `discover` command.

The second is to add a description of `ignorePkgsRegexp` in the section describing config.toml of vulsdoc/vuls.

Third, `-ignore-unscored-cves` and `-ignore-unfixed` are available as options of the `server` command, but they don't work because they are not implemented in the `server` command. This may be the same as `ignorePkgsRegexp`.
Thanks for the reply! <3
> I am sorry that my English is not good enough to convey my intentions.

Your English is totally fine!! I just wanted more context, which you added for me! Thanks!

> If you don't want them included in this PR, or don't feel the need to do it, please express your intention and I will do it for you.

I would love to work on this, so I'll try to fix the `-ignore-unscored-cves` and `-ignore-unfixed` options to work.
Thanksss!!