Add test to scan all python packages #1652
Conversation
We should investigate the possibility of using safety as a library, this way we would avoid depending on subprocess and having to hardcode the safety executable into subprocess call.
In addition, we should move the security folder and leave it next to the system folder, not inside it.
UPDATE: Pytest support added: this script is now used by pytest, which fails if a vulnerable package exists in the provided requirements.txt. Examples:

Successful:

```
~/git/wazuh-qa/tests/security $ python3 -m pytest --repo wazuh --branch master --path framework/requirements.txt --disable-warnings
==================================================================================== test session starts =====================================================================================
platform linux -- Python 3.9.5, pytest-6.2.4, py-1.10.0, pluggy-0.13.1
rootdir: /home/kondent/git/wazuh-qa/tests/security
plugins: asyncio-0.15.1, html-3.1.1, metadata-1.11.0, cov-2.12.1
collected 1 item
test_package_vuln_scan/test_package_vuln_scan.py .                                                                                                                                      [100%]
================================================================================ 1 passed, 1 warning in 1.03s ================================================================================
```

Failed:

```
~/git/wazuh-qa/tests/security $ python3 -m pytest --repo wazuh-qa --branch master --path requirements.txt --disable-warnings
==================================================================================== test session starts =====================================================================================
platform linux -- Python 3.9.5, pytest-6.2.4, py-1.10.0, pluggy-0.13.1
rootdir: /home/kondent/git/wazuh-qa/tests/security
plugins: asyncio-0.15.1, html-3.1.1, metadata-1.11.0, cov-2.12.1
collected 1 item
test_package_vuln_scan/test_package_vuln_scan.py F                                                                                                                                      [100%]
========================================================================================== FAILURES ==========================================================================================
___________________________________________________________________________________ test_package_vuln_scan ___________________________________________________________________________________
pytestconfig = <_pytest.config.Config object at 0x7fa51a862e20>
    def test_package_vuln_scan(pytestconfig):
        branch = pytestconfig.getoption('branch')
        repo = pytestconfig.getoption('repo')
        path = pytestconfig.getoption('path')
        requirements_url = f'https://raw.githubusercontent.com/wazuh/{repo}/{branch}/{path}'
        urlretrieve(requirements_url, REQUIREMENTS_TEMP_FILE.name)
        result = report_for_pytest(REQUIREMENTS_TEMP_FILE.name)
        REQUIREMENTS_TEMP_FILE.close()
        export_report(result, REPORT_FILE)
>       assert loads(result)['vulnerabilities_found'] == 0, f'Vulnerables packages were found, full report at: ' \
                                                            f'{REPORT_FILE}'
E       AssertionError: Vulnerables packages were found, full report at: test_package_vuln_scan/report_file.json
E       assert 27 == 0
test_package_vuln_scan/test_package_vuln_scan.py:20: AssertionError
================================================================================== short test summary info ===================================================================================
FAILED test_package_vuln_scan/test_package_vuln_scan.py::test_package_vuln_scan - AssertionError: Vulnerables packages were found, full report at: test_package_vuln_scan/report_file.json
===================================================================================== 1 failed in 3.60s ======================================================================================
```

report_file.json:

{
"report_date": "2021-07-28T15:25:53.503866",
"vulnerabilities_found": 27,
"packages": [
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<6.2.2",
"vuln_description": "libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc. See: CVE-2020-5310.",
"safety_id": "37779"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<6.2.2",
"vuln_description": "libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow. See: CVE-2020-5313.",
"safety_id": "37782"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<6.2.2",
"vuln_description": "libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow.",
"safety_id": "37780"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<6.2.2",
"vuln_description": "libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow.",
"safety_id": "37781"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<6.2.3",
"vuln_description": "In Pillow before 6.2.3 and 7.x before 7.0.1, there are two Buffer Overflows in libImaging/TiffDecode.c. See: CVE-2020-10379.",
"safety_id": "38450"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<6.2.3",
"vuln_description": "In libImaging/PcxDecode.c in Pillow before 6.2.3 and 7.x before 7.0.1, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. See: CVE-2020-10378.",
"safety_id": "38449"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<7.0.0",
"vuln_description": "In libImaging/Jpeg2KDecode.c in Pillow before 7.0.0, there are multiple out-of-bounds reads via a crafted JP2 file. See: CVE-2020-10994.",
"safety_id": "38451"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.0.1",
"vuln_description": "Pillow 8.0.1 updates FreeType used in binary wheels to 2.10.4 to fix CVE-2020-15999.",
"safety_id": "40264"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.1.0",
"vuln_description": "Pillow 8.1.0 fixes TIFF OOB Write error. CVE-2020-35654 #5175.",
"safety_id": "40265"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.1.0",
"vuln_description": "Pillow 8.1.0 includes a fix for Read Overflow in PCX Decoding. CVE-2020-35653 #5174.",
"safety_id": "40270"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.1.0",
"vuln_description": "Pillow 8.1.0 includes a fix for SGI Decode buffer overrun. CVE-2020-35655 #5173.",
"safety_id": "40271"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.1.1",
"vuln_description": "Pillow 8.1.1 uses more specific regex chars to prevent ReDoS. CVE-2021-25292.",
"safety_id": "40266"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.1.1",
"vuln_description": "Pillow 8.1.1 fixes OOB Read in TiffDecode.c, and checks the tile validity before reading. CVE-2021-25291.",
"safety_id": "40272"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.1.1",
"vuln_description": "Pillow 8.1.1 fixes OOB read in SgiRleDecode.c. CVE-2021-25293.",
"safety_id": "40273"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.1.1",
"vuln_description": "Pillow 8.1.1 fixes incorrect error code checking in TiffDecode.c. CVE-2021-25289.",
"safety_id": "40274"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.1.1",
"vuln_description": "Pillow 8.1.1 fixes negative size read in TiffDecode.c. CVE-2021-25290.",
"safety_id": "40275"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.1.2",
"vuln_description": "Pillow 8.1.2 fixes memory DOS in BLP Image Plugin (CVE-2021-27921).",
"safety_id": "40263"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.1.2",
"vuln_description": "Pillow 8.1.2 fixes memory DOS in ICNS Image Plugin (CVE-2021-27922).",
"safety_id": "40267"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.1.2",
"vuln_description": "Pillow 8.1.2 fixes memory DOS in ICO Image Plugin (CVE-2021-27923).",
"safety_id": "40268"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.1.2",
"vuln_description": "Pillow 8.1.2 fixes memory DOS in ICNS Image Plugin (CVE-2021-27922).",
"safety_id": "40269"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.2.0",
"vuln_description": "An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la.",
"safety_id": "40592"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.2.0",
"vuln_description": "An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.",
"safety_id": "40596"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.2.0",
"vuln_description": "An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.",
"safety_id": "40594"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.2.0",
"vuln_description": "An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i.",
"safety_id": "40593"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.2.0",
"vuln_description": "An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \\r and \\n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.",
"safety_id": "40595"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<=7.0.0",
"vuln_description": "In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files. See: CVE-2020-11538. Note that this is a different issue than CVE-2020-5311.",
"safety_id": "38452"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": ">6.0,<6.2.2",
"vuln_description": "There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. However, on Linux running 64-bit Python this results in the process being terminated by the OOM killer. See: CVE-2019-19911.",
"safety_id": "37772"
}
]
}
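To make the check behind the test above concrete, here is an added, self-contained example (not the PR's code and not the `safety` tool): it parses the `==` pins of a requirements file, matches them against a constructed vulnerability list using the same specifier forms that appear in the report (`<6.2.2`, `>6.0,<6.2.2`, `<=7.0.0`), and builds a report dict with the same keys as `report_file.json`. The database entries, `S-*` ids and requirements lines are constructed sample data; `scan_requirements`, `version_matches` and `report_to_json` are hypothetical names chosen for this example.

```python
"""Offline sketch of a requirements vulnerability scan (added example)."""
import json
import re
from datetime import datetime

# Constructed sample database: (package, affected specifier, description, id).
# These are illustrative entries, not real advisory data.
SAMPLE_DB = [
    ("pillow", "<6.2.2", "sample: TIFF decode integer overflow", "S-1"),
    ("pillow", ">6.0,<6.2.2", "sample: FPX band-count DoS", "S-2"),
    ("pillow", "<=7.0.0", "sample: SGI out-of-bounds reads", "S-3"),
    ("requests", "<2.20.0", "sample: credential leak on redirect", "S-4"),
]

# Constructed requirements.txt; only exact pins can be compared.
SAMPLE_REQUIREMENTS = """\
# constructed requirements file
pillow==6.2.0
requests==2.25.1
pytest>=6.0   # range pins are skipped: no single version to check
"""


def parse_version(v):
    """'6.2.0' -> (6, 2, 0); a non-numeric tail such as 'rc1' is ignored."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def cmp_versions(a, b):
    """Three-way compare with zero padding so that 6.2 == 6.2.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


_OPS = {
    "<": lambda c: c < 0, "<=": lambda c: c <= 0,
    ">": lambda c: c > 0, ">=": lambda c: c >= 0,
    "==": lambda c: c == 0, "!=": lambda c: c != 0,
}


def version_matches(version, spec):
    """True if `version` satisfies every comma-separated clause of `spec`."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|!=|<|>)\s*([\w.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported specifier: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](cmp_versions(v, parse_version(bound))):
            return False
    return True


def parse_pinned_requirements(text):
    """Return {name: version} for exact '==' pins; comments and ranges are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)\s*==\s*([\w.]+)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def scan_requirements(text, db=SAMPLE_DB):
    """Build a report shaped like the PR's report_file.json."""
    pins = parse_pinned_requirements(text)
    findings = []
    for name, spec, desc, vid in db:
        version = pins.get(name)
        if version is not None and version_matches(version, spec):
            findings.append({
                "package_name": name,
                "package_version": version,
                "package_affected_version": spec,
                "vuln_description": desc,
                "safety_id": vid,
            })
    return {
        "report_date": datetime.now().isoformat(),
        "vulnerabilities_found": len(findings),
        "packages": findings,
    }


def report_to_json(report):
    """Serialise the report the way the test exports it before asserting."""
    return json.dumps(report, indent=4)


if __name__ == "__main__":
    report = scan_requirements(SAMPLE_REQUIREMENTS)
    print(report_to_json(report))
    # Same gate as the pytest assertion in the PR: any finding fails the run.
    assert report["vulnerabilities_found"] == 0, "vulnerable packages were found"
```

Run stand-alone it prints the report and then fails the final assertion, because the constructed `pillow==6.2.0` pin matches three sample entries; that mirrors the `assert 27 == 0` failure shown above, with the JSON report as the artefact to inspect.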
LGTM!
Great job, but some changes are required.
tests/security/test_package_vuln_scan/test_package_vuln_scan.py
This test seems to work correctly, running without failure if python3.9.6 is used and failing for python3.6.
In order to use this test in the Jenkins environment, it would be necessary to install a proper Python version; otherwise, false positives will be generated. It could also affect the development tool qactl. We should consider the Python version in environment provisioning.
Update: Requested changes were reviewed and added.
LGTM
@@ -0,0 +1,21 @@ | |||
import tempfile |
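Review bot: the new module starts at `import tempfile` with no header, and, going by the test body in the failure trace above, the temporary requirements file (`REQUIREMENTS_TEMP_FILE`) is created at module level and closed at the end of the test; creating it inside the test function or a pytest fixture would give each run its own file, release it even when `urlretrieve` or the scan raises before `close()`, and let the test be invoked more than once per session. Add the repository license header at the top of the file as well.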
Add the Wazuh header:
# Copyright (C) 2015-2021, Wazuh Inc.
# Created by Wazuh, Inc. <info@wazuh.com>.
# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
Maybe test_package_vuln_scan is not a very accurate name, since this test checks the Python packages used in a requirements file. Maybe test_python_packages_vuln_scan.py is more descriptive.
LGTM
PR UPDATE: In the last commit, I made some minor fixes to adapt this test and tool to the wazuh-qa repository file structure.
Missing docs/index.md changes
Related PR #1659 is already handling this, so I think it's not needed; let me know if I'm wrong.
Added those changes here too. PR updated.
Minor changes are required
LGTM
LGTM
44f753f
Description
This PR closes #1612.
I made a tool to check for vulnerabilities in all Python packages used by Wazuh, specified from a requirements file or directly from pip.
Example of use