
Add test to scan all python packages #1652

Merged: 16 commits, Oct 1, 2021

Conversation


@Kondent Kondent commented Jul 26, 2021

Related issue
#1612

Description

This PR closes #1612.
I made a tool to check for vulnerabilities in all Python packages used by Wazuh, specified either from a requirements file or directly from pip.

⬦⬦⬦ ~/git/wazuh-qa/tests/system/security ⨘ python3 package_vuln_scan.py -h
usage: package_vuln_scan.py [-h] (-r INPUT | -p) -o OUTPUT

optional arguments:
  -h, --help  show this help message and exit
  -r INPUT    specify requirements file path.
  -p          enable pip scan mode.
  -o OUTPUT   specify output file.

Example of use

⬦⬦⬦ ~/git/wazuh-qa/tests/system/security ⨘ python3 package_vuln_scan.py -p -o prueba.txt
⬦⬦⬦ ~/git/wazuh-qa/tests/system/security ⨘ cat prueba.txt 
{
    "report_date": "26/07/2021 - 17:37:45",
    "vulnerabilities_found": 1,
    "packages": [
        {
            "package_name": "insecure-package",
            "package_version": "0.1.0",
            "package_affected_version": "<0.2.0",
            "vuln_description": "This is an insecure package with lots of exploitable security vulnerabilities.",
            "safety_id": "25853"
        }
    ]
}

@Kondent Kondent self-assigned this Jul 26, 2021

@AdriiiPRodri AdriiiPRodri left a comment


We should investigate the possibility of using safety as a library; this way we would avoid depending on subprocess and having to hardcode the safety executable into the subprocess call.

In addition, we should move the security folder and leave it next to the system folder, not inside it.

@AdriiiPRodri

It is possible that we can use a local database; we should investigate this option.
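As an added example (not code from the PR, from wazuh-qa or from the safety tool), here is the scan the PR description outlines done the way this comment suggests: pinned packages from a requirements file are matched against a local, in-memory database and written out in the same report layout the PR prints. The database rows, the requirements text and the abbreviated descriptions are constructed for the example (the safety ids and specifiers mirror entries shown in this thread), and the specifier matcher assumes plain numeric release versions.

```python
from datetime import datetime
import json
import re

# Constructed sample database: (package, affected spec, safety id, description).
# Ids and specifiers mirror entries shown in the PR report; descriptions are abbreviated.
LOCAL_VULN_DB = [
    ("pillow", "<6.2.2", "37779", "TIFF decoding integer overflow (constructed entry)"),
    ("pillow", ">6.0,<6.2.2", "37772", "FpxImagePlugin DoS on large band count (constructed entry)"),
    ("pillow", "<=7.0.0", "38452", "SGI out-of-bounds reads (constructed entry)"),
    ("insecure-package", "<0.2.0", "25853", "intentionally insecure package (constructed entry)"),
]

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
        ">=": lambda a, b: a >= b, "==": lambda a, b: a == b, "!=": lambda a, b: a != b}
_CLAUSE = re.compile(r"\s*(<=|>=|==|!=|<|>)\s*([\w.]+)\s*")
_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([\w.]+)")


def parse_version(text):
    """'6.2.0' -> (6, 2, 0). Assumption: plain numeric release versions only."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def version_matches(version, spec):
    """True when version satisfies every comma-separated clause, e.g. '>6.0,<6.2.2'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE.fullmatch(clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        n = max(len(v), len(bound))  # zero-pad so that 7.0 compares equal to 7.0.0
        if not _OPS[op](v + (0,) * (n - len(v)), bound + (0,) * (n - len(bound))):
            return False
    return True


def parse_requirements(text):
    """[(name, version)] for exact '==' pins; comments, markers, blanks and ranges are skipped."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        m = _PIN.match(line)
        if m:
            pins.append((m.group(1).lower().replace("_", "-"), m.group(2)))
    return pins


def scan_requirements(text, db=LOCAL_VULN_DB, now=None):
    """Report in the PR's layout: report_date, vulnerabilities_found, packages[]."""
    findings = []
    for name, version in parse_requirements(text):
        for pkg, spec, safety_id, description in db:
            if pkg == name and version_matches(version, spec):
                findings.append({"package_name": name, "package_version": version,
                                 "package_affected_version": spec,
                                 "vuln_description": description, "safety_id": safety_id})
    return {"report_date": (now or datetime.now()).isoformat(),
            "vulnerabilities_found": len(findings), "packages": findings}


# Constructed requirements text standing in for the downloaded requirements.txt.
SAMPLE_REQUIREMENTS = """# constructed requirements.txt
pillow==6.2.0
insecure-package==0.3.0
requests>=2.20  # not an exact pin, so it is skipped
"""

if __name__ == "__main__":
    print(json.dumps(scan_requirements(SAMPLE_REQUIREMENTS), indent=4))
```

A pytest wrapper in the style of the PR would simply assert `scan_requirements(text)["vulnerabilities_found"] == 0` after exporting the report.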


@Kondent

Kondent commented Jul 28, 2021

UPDATE

Pytest support added: this script is now used by pytest, which fails if a vulnerable package exists in the requirements.txt provided.
It can also be called with three parameters:
--repo: name of the repository under wazuh. Default: 'wazuh'.
--branch: repository branch. Default: 'master'.
--path: path to requirements.txt under repository. Default: 'framework/requirements.txt'

Examples:

Successful

⬦⬦⬦ ~/git/wazuh-qa/tests/security ⨘ python3 -m pytest --repo wazuh --branch master --path framework/requirements.txt --disable-warnings
==================================================================================== test session starts =====================================================================================
platform linux -- Python 3.9.5, pytest-6.2.4, py-1.10.0, pluggy-0.13.1
rootdir: /home/kondent/git/wazuh-qa/tests/security
plugins: asyncio-0.15.1, html-3.1.1, metadata-1.11.0, cov-2.12.1
collected 1 item                                                                                                                                                                             

test_package_vuln_scan/test_package_vuln_scan.py .                                                                                                                                     [100%]

================================================================================ 1 passed, 1 warning in 1.03s ================================================================================

Failed

⬦⬦⬦ ~/git/wazuh-qa/tests/security ⨘ python3 -m pytest --repo wazuh-qa --branch master --path requirements.txt --disable-warnings
==================================================================================== test session starts =====================================================================================
platform linux -- Python 3.9.5, pytest-6.2.4, py-1.10.0, pluggy-0.13.1
rootdir: /home/kondent/git/wazuh-qa/tests/security
plugins: asyncio-0.15.1, html-3.1.1, metadata-1.11.0, cov-2.12.1
collected 1 item                                                                                                                                                                             

test_package_vuln_scan/test_package_vuln_scan.py F                                                                                                                                     [100%]

========================================================================================== FAILURES ==========================================================================================
___________________________________________________________________________________ test_package_vuln_scan ___________________________________________________________________________________

pytestconfig = <_pytest.config.Config object at 0x7fa51a862e20>

    def test_package_vuln_scan(pytestconfig):
        branch = pytestconfig.getoption('branch')
        repo = pytestconfig.getoption('repo')
        path = pytestconfig.getoption('path')
        requirements_url = f'https://raw.githubusercontent.com/wazuh/{repo}/{branch}/{path}'
        urlretrieve(requirements_url, REQUIREMENTS_TEMP_FILE.name)
        result = report_for_pytest(REQUIREMENTS_TEMP_FILE.name)
        REQUIREMENTS_TEMP_FILE.close()
        export_report(result, REPORT_FILE)
>       assert loads(result)['vulnerabilities_found'] == 0, f'Vulnerables packages were found, full report at: ' \
                                                            f'{REPORT_FILE}'
E       AssertionError: Vulnerables packages were found, full report at: test_package_vuln_scan/report_file.json
E       assert 27 == 0

test_package_vuln_scan/test_package_vuln_scan.py:20: AssertionError
================================================================================== short test summary info ===================================================================================
FAILED test_package_vuln_scan/test_package_vuln_scan.py::test_package_vuln_scan - AssertionError: Vulnerables packages were found, full report at: test_package_vuln_scan/report_file.json
===================================================================================== 1 failed in 3.60s ======================================================================================

report_file.json

{
    "report_date": "2021-07-28T15:25:53.503866",
    "vulnerabilities_found": 27,
    "packages": [
        {
            "package_name": "pillow",
            "package_version": "6.2.0",
            "package_affected_version": "<6.2.2",
            "vuln_description": "libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc. See: CVE-2020-5310.",
            "safety_id": "37779"
        },
        {
            "package_name": "pillow",
            "package_version": "6.2.0",
            "package_affected_version": "<6.2.2",
            "vuln_description": "libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow. See: CVE-2020-5313.",
            "safety_id": "37782"
        },
        {
            "package_name": "pillow",
            "package_version": "6.2.0",
            "package_affected_version": "<6.2.2",
            "vuln_description": "libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow.",
            "safety_id": "37780"
        },
        {
            "package_name": "pillow",
            "package_version": "6.2.0",
            "package_affected_version": "<6.2.2",
            "vuln_description": "libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow.",
            "safety_id": "37781"
        },
        {
            "package_name": "pillow",
            "package_version": "6.2.0",
            "package_affected_version": "<6.2.3",
            "vuln_description": "In Pillow before 6.2.3 and 7.x before 7.0.1, there are two Buffer Overflows in libImaging/TiffDecode.c. See: CVE-2020-10379.",
            "safety_id": "38450"
        },
        {
            "package_name": "pillow",
            "package_version": "6.2.0",
            "package_affected_version": "<6.2.3",
            "vuln_description": "In libImaging/PcxDecode.c in Pillow before 6.2.3 and 7.x before 7.0.1, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. See: CVE-2020-10378.",
            "safety_id": "38449"
        },
        {
            "package_name": "pillow",
            "package_version": "6.2.0",
            "package_affected_version": "<7.0.0",
            "vuln_description": "In libImaging/Jpeg2KDecode.c in Pillow before 7.0.0, there are multiple out-of-bounds reads via a crafted JP2 file. See: CVE-2020-10994.",
            "safety_id": "38451"
        },
        {
            "package_name": "pillow",
            "package_version": "6.2.0",
            "package_affected_version": "<8.0.1",
            "vuln_description": "Pillow 8.0.1 updates FreeType used in binary wheels to 2.10.4 to fix CVE-2020-15999.",
            "safety_id": "40264"
        },
        {
            "package_name": "pillow",
            "package_version": "6.2.0",
            "package_affected_version": "<8.1.0",
            "vuln_description": "Pillow 8.1.0 fixes TIFF OOB Write error. CVE-2020-35654 #5175.",
            "safety_id": "40265"
        },
        {
            "package_name": "pillow",
            "package_version": "6.2.0",
            "package_affected_version": "<8.1.0",
            "vuln_description": "Pillow 8.1.0 includes a fix for Read Overflow in PCX Decoding. CVE-2020-35653 #5174.",
            "safety_id": "40270"
        },
        {
            "package_name": "pillow",
            "package_version": "6.2.0",
            "package_affected_version": "<8.1.0",
            "vuln_description": "Pillow 8.1.0 includes a fix for SGI Decode buffer overrun. CVE-2020-35655 #5173.",
            "safety_id": "40271"
        },
        {
            "package_name": "pillow",
            "package_version": "6.2.0",
            "package_affected_version": "<8.1.1",
            "vuln_description": "Pillow 8.1.1 uses more specific regex chars to prevent ReDoS. CVE-2021-25292.",
            "safety_id": "40266"
        },
        {
            "package_name": "pillow",
            "package_version": "6.2.0",
            "package_affected_version": "<8.1.1",
            "vuln_description": "Pillow 8.1.1 fixes OOB Read in TiffDecode.c, and checks the tile validity before reading. CVE-2021-25291.",
            "safety_id": "40272"
        },
        {
            "package_name": "pillow",
            "package_version": "6.2.0",
            "package_affected_version": "<8.1.1",
            "vuln_description": "Pillow 8.1.1 fixes OOB read in SgiRleDecode.c. CVE-2021-25293.",
            "safety_id": "40273"
        },
        {
            "package_name": "pillow",
            "package_version": "6.2.0",
            "package_affected_version": "<8.1.1",
            "vuln_description": "Pillow 8.1.1 fixes incorrect error code checking in TiffDecode.c. CVE-2021-25289.",
            "safety_id": "40274"
        },
        {
            "package_name": "pillow",
            "package_version": "6.2.0",
            "package_affected_version": "<8.1.1",
            "vuln_description": "Pillow 8.1.1 fixes negative size read in TiffDecode.c. CVE-2021-25290.",
            "safety_id": "40275"
        },
        {
            "package_name": "pillow",
            "package_version": "6.2.0",
            "package_affected_version": "<8.1.2",
            "vuln_description": "Pillow 8.1.2 fixes memory DOS in BLP Image Plugin (CVE-2021-27921).",
            "safety_id": "40263"
        },
        {
            "package_name": "pillow",
            "package_version": "6.2.0",
            "package_affected_version": "<8.1.2",
            "vuln_description": "Pillow 8.1.2 fixes memory DOS in ICNS Image Plugin (CVE-2021-27922).",
            "safety_id": "40267"
        },
        {
            "package_name": "pillow",
            "package_version": "6.2.0",
            "package_affected_version": "<8.1.2",
            "vuln_description": "Pillow 8.1.2 fixes memory DOS in ICO Image Plugin (CVE-2021-27923).",
            "safety_id": "40268"
        },
        {
            "package_name": "pillow",
            "package_version": "6.2.0",
            "package_affected_version": "<8.1.2",
            "vuln_description": "Pillow 8.1.2 fixes memory DOS in ICNS Image Plugin (CVE-2021-27922).",
            "safety_id": "40269"
        },
        {
            "package_name": "pillow",
            "package_version": "6.2.0",
            "package_affected_version": "<8.2.0",
            "vuln_description": "An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la.",
            "safety_id": "40592"
        },
        {
            "package_name": "pillow",
            "package_version": "6.2.0",
            "package_affected_version": "<8.2.0",
            "vuln_description": "An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.",
            "safety_id": "40596"
        },
        {
            "package_name": "pillow",
            "package_version": "6.2.0",
            "package_affected_version": "<8.2.0",
            "vuln_description": "An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.",
            "safety_id": "40594"
        },
        {
            "package_name": "pillow",
            "package_version": "6.2.0",
            "package_affected_version": "<8.2.0",
            "vuln_description": "An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i.",
            "safety_id": "40593"
        },
        {
            "package_name": "pillow",
            "package_version": "6.2.0",
            "package_affected_version": "<8.2.0",
            "vuln_description": "An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \\r and \\n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.",
            "safety_id": "40595"
        },
        {
            "package_name": "pillow",
            "package_version": "6.2.0",
            "package_affected_version": "<=7.0.0",
            "vuln_description": "In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files. See: CVE-2020-11538. Note that this is a different issue than CVE-2020-5311.",
            "safety_id": "38452"
        },
        {
            "package_name": "pillow",
            "package_version": "6.2.0",
            "package_affected_version": ">6.0,<6.2.2",
            "vuln_description": "There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. However, on Linux running 64-bit Python this results in the process being terminated by the OOM killer. See: CVE-2019-19911.",
            "safety_id": "37772"
        }
    ]
}

@Kondent Kondent requested a review from AdriiiPRodri July 28, 2021 18:46
@Kondent Kondent requested a review from AdriiiPRodri July 29, 2021 14:34
AdriiiPRodri
AdriiiPRodri previously approved these changes Jul 29, 2021

@AdriiiPRodri AdriiiPRodri left a comment


LGTM!


@Rebits Rebits left a comment


Great job, but some changes are required.

@Rebits

Rebits commented Aug 26, 2021

This test seems to work correctly, running without fail if python3.9.6 is used and failing for python3.6

Local-3.9.6 Status Report
R1 🟢
R2 🟢
R3 🟢
Local-3.6.8 Status Report
R 🔴

In order to use this test in the Jenkins environment, it should be necessary to install a proper Python version; otherwise, false positives will be generated. Also, it could affect the development tool qactl. We should consider the Python version in environment provision.

@Kondent

Kondent commented Aug 26, 2021

Update

Requested changes were reviewed and added.
Regards,
Alexis

@Kondent Kondent requested a review from Rebits August 26, 2021 15:32
@Rebits

Rebits commented Aug 27, 2021

Works correctly after review changes

Local-3.9.6 Status Report
R1 🟢
R2 🟢
R3 🟢


@Rebits Rebits left a comment


LGTM

@snaow snaow changed the title Add test to scan all python packages used by Wazuh Add test to scan all python packages Sep 2, 2021
@@ -0,0 +1,21 @@
import tempfile
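Review bot: the new file starts directly with `import tempfile` and carries no license header, so the Wazuh header block should be added above the imports. Also, the traceback earlier in this thread shows REQUIREMENTS_TEMP_FILE being created at module level and closed inside the test body; creating the temporary file inside the test (or in a fixture) keeps the test re-runnable if it is later parametrised over several requirements files.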

Add the Wazuh header:

# Copyright (C) 2015-2021, Wazuh Inc.
# Created by Wazuh, Inc. <info@wazuh.com>.
# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2


Maybe test_package_vuln_scan is not a very accurate name, because this test checks the Python packages used in a requirements file. Maybe test_python_packages_vuln_scan.py is more descriptive.

@Kondent Kondent requested a review from Rebits September 2, 2021 12:30
Rebits
Rebits previously approved these changes Sep 6, 2021

@Rebits Rebits left a comment


LGTM

@Kondent

Kondent commented Sep 10, 2021

PR UPDATE

In the last commit, I did some minor fixes to adapt this test and tool to wazuh-qa repository file structure.
Overall, what I did:

  • What started as a script is now a module with a couple of functions. It is available under the tools directory and is used by pytest.
  • A few names changed (test, functions, etc.).
  • README fixed.

Regards,
Alexis

@Kondent Kondent requested a review from Rebits September 10, 2021 16:14

@AdriiiPRodri AdriiiPRodri left a comment


Missing docs/index.md changes

@Kondent

Kondent commented Sep 14, 2021

Missing docs/index.md changes

Related PR #1659 is already handling this, so I think it's not needed; let me know if I'm wrong.

@Kondent

Kondent commented Sep 14, 2021

Missing docs/index.md changes

Related PR #1659 is already handling this, so I think it's not needed; let me know if I'm wrong.

Added those changes here too. PR updated.


@Rebits Rebits left a comment


Minor changes are required

@Rebits

Rebits commented Sep 15, 2021

Local-3.9.6 Status
R1 🟢
R2 🟢
R3 🟢

@Kondent Kondent requested a review from Rebits September 23, 2021 19:50
AdriiiPRodri
AdriiiPRodri previously approved these changes Sep 24, 2021

@AdriiiPRodri AdriiiPRodri left a comment


LGTM

davidjiglesias
davidjiglesias previously approved these changes Sep 29, 2021
@Rebits

Rebits commented Sep 29, 2021

Local-3.9.6 Status
R1 🟢
R2 🟢
R3 🟢

Rebits
Rebits previously approved these changes Sep 29, 2021

@Rebits Rebits left a comment


LGTM

@snaow snaow dismissed stale reviews from Rebits, davidjiglesias, and AdriiiPRodri via 44f753f October 1, 2021 08:13
@snaow snaow merged commit 252dbdf into master Oct 1, 2021
@snaow snaow deleted the feature/1612-package-vuln-scanner branch October 1, 2021 08:14
@snaow snaow mentioned this pull request Jan 27, 2022

Successfully merging this pull request may close these issues.

Develop an automatic test/tool to detect new security flaws in the embedded python or dependencies