Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. I just had to do the final test. Many thanks to them for this!
Alternative video link (for Russia): https://vk.com/video-149273431_456239113
How can the support of these two APIs in Scanvus be useful?
- Now there is no binding to one vendor. Choose which service and price you prefer.
- The set of supported operating systems varies between Vulners.com and Vulns.io. If a particular Linux distribution is not supported by one vendor, it may be supported by another vendor.
- Vulners and Vulns.io implemented vulnerability checks independently of each other. If the results differ when scanning the same host/image, then implementation errors will be clearly visible.
- Scanvus is released under the MIT license, so you can use it as an example of working with the Vulners.com and Vulns.io APIs and use this code in your projects.
How to use it?
Basically, everything works exactly the same. You only need to specify the API you want to use in the –audit-service parameter. This can be “vulners” (default) or “vulnsio”.
Localhost
To begin, I scanned my localhost. This is a completely updated Ubuntu host. Vulners and Vulns.io did not detect security bulletin vulnerabilities there. And this is correct.
Vulners did not detect any vulnerabilities at all.
$ python3.8 scanvus.py --audit-service vulners --assessment-type localhost /$$$$$$$ /$$$$$$$ /$$$$$$ /$$$$$$$ /$$ /$$/$$ /$$ /$$$$$$$ /$$_____/ /$$_____/ |____ $$| $$__ $$| $$ /$$/ $$ | $$ /$$_____/ | $$$$$$ | $$ /$$$$$$$| $$ \ $$ \ $$/$$/| $$ | $$| $$$$$$ \____ $$| $$ /$$__ $$| $$ | $$ \ $$$/ | $$ | $$ \____ $$ /$$$$$$$/| $$$$$$$| $$$$$$$| $$ | $$ \ $/ | $$$$$$/ /$$$$$$$/ |_______/ \_______/ \_______/|__/ |__/ \_/ \______/ |_______/ Getting assessment target... assessment_type: localhost host: localhost Getting OS inventory data... os_name: ubuntu os_version: 20.04 package_list_len: 2899 Getting vulnerability data... Getting vulnerability report... ------------- Vulnerability Report for localhost (localhost, ubuntu 20.04, linux kernel 5.4.0-135-generic, 2899 packages) 0 vulnerabilities were found
And Vulns.io detected some vulnerabilities.
$ python3.8 scanvus.py --audit-service vulnsio --assessment-type localhost /$$$$$$$ /$$$$$$$ /$$$$$$ /$$$$$$$ /$$ /$$/$$ /$$ /$$$$$$$ /$$_____/ /$$_____/ |____ $$| $$__ $$| $$ /$$/ $$ | $$ /$$_____/ | $$$$$$ | $$ /$$$$$$$| $$ \ $$ \ $$/$$/| $$ | $$| $$$$$$ \____ $$| $$ /$$__ $$| $$ | $$ \ $$$/ | $$ | $$ \____ $$ /$$$$$$$/| $$$$$$$| $$$$$$$| $$ | $$ \ $/ | $$$$$$/ /$$$$$$$/ |_______/ \_______/ \_______/|__/ |__/ \_/ \______/ |_______/ Getting assessment target... assessment_type: localhost host: localhost Getting OS inventory data... os_name: ubuntu os_version: 20.04 package_list_len: 2899 Getting vulnerability data... Getting vulnerability report... ------------- Vulnerability Report for localhost (localhost, ubuntu 20.04, linux kernel 5.4.0-135-generic, 2899 packages) 3 vulnerabilities with levels ['Medium', 'Critical', 'High'] were found +---+----------+-------------+------------------+-------------------------------------------------------------------------------+ | N | Level | Bulletin | CVE | Proof | +---+----------+-------------+------------------+-------------------------------------------------------------------------------+ | 1 | Critical | no advisory | CVE-2021-21783 | apparmor-2.13.3-7ubuntu5.1.amd64 >= 0:0.0.0 | | | | | CVE-2022-2207 | libapparmor1-2.13.3-7ubuntu5.1.amd64 >= 0:0.0.0 | | | | | CVE-2020-12390 | libapparmor1-2.13.3-7ubuntu5.1.i386 >= 0:0.0.0 | | | | | CVE-2021-3773 | chromium-codecs-ffmpeg-extra-1:85.0.4183.83-0ubuntu0.20.04.2.amd64 >= 0:0.0.0 | | | | | CVE-2022-25236 | gstreamer1.0-libav-1.16.2-2.amd64 >= 0:0.0.0 | | | | | CVE-2022-24791 | libqt5webengine-data-5.12.8+dfsg-0ubuntu1.1.all >= 0:0.0.0 | | | | | CVE-2019-15232 | libqt5webengine5-5.12.8+dfsg-0ubuntu1.1.amd64 >= 0:0.0.0 | | | | | CVE-2020-26972 | libqt5webenginecore5-5.12.8+dfsg-0ubuntu1.1.amd64 >= 0:0.0.0 | | | | | CVE-2020-12389 | libqt5webenginewidgets5-5.12.8+dfsg-0ubuntu1.1.amd64 >= 0:0.0.0 | | | | | CVE-2022-2042 | firefox-108.0+build2-0ubuntu0.20.04.1.amd64 >= 0:0.0.0 | | | | | CVE-2020-13576 | firefox-locale-en-108.0+build2-0ubuntu0.20.04.1.amd64 >= 0:0.0.0 | | | | | CVE-2022-23852 | firefox-locale-ru-108.0+build2-0ubuntu0.20.04.1.amd64 >= 0:0.0.0 | | | | | CVE-2022-1253 | thunderbird-1:102.4.2+build2-0ubuntu0.20.04.1.amd64 >= 0:0.0.0 | | | | | CVE-2021-29462 | thunderbird-gnome-support-1:102.4.2+build2-0ubuntu0.20.04.1.amd64 >= 0:0.0.0 | | | | | CVE-2021-30475 | thunderbird-locale-en-1:102.4.2+build2-0ubuntu0.20.04.1.amd64 >= 0:0.0.0 | ...
Why? Because Vulners and Vulns.io work differently. Vulners only detects vulnerabilities mentioned in bulletins, while Vulns.io also shows vulnerabilities for which there are no bulletins and patches that fix the vulnerability. Such vulnerabilities are grouped by severity with “no advisory” instead of a bulletin identifier. Whether you want to see vulnerabilities that you can’t fix yet is up to you.
Linux host
Next, I scanned a test upatched Debian 11 host.
$ ssh-copy-id -i ~/.ssh/id_rsa.pub vmuser@192.168.56.105
$ ssh -i ~/.ssh/id_rsa.pub vmuser@192.168.56.105
In this case, vulnerabilities related to security bulletins were detected. And there are not many of them, so the reports can be easily analyzed manually.
$ python3.8 scanvus.py --audit-service "vulners" --assessment-type "remote_ssh" --host "192.168.56.105" --user-name "vmuser" --key-path "/home/alexander/.ssh/id_rsa.pub" /$$$$$$$ /$$$$$$$ /$$$$$$ /$$$$$$$ /$$ /$$/$$ /$$ /$$$$$$$ /$$_____/ /$$_____/ |____ $$| $$__ $$| $$ /$$/ $$ | $$ /$$_____/ | $$$$$$ | $$ /$$$$$$$| $$ \ $$ \ $$/$$/| $$ | $$| $$$$$$ \____ $$| $$ /$$__ $$| $$ | $$ \ $$$/ | $$ | $$ \____ $$ /$$$$$$$/| $$$$$$$| $$$$$$$| $$ | $$ \ $/ | $$$$$$/ /$$$$$$$/ |_______/ \_______/ \_______/|__/ |__/ \_/ \______/ |_______/ Getting assessment target... assessment_type: remote_ssh host: 192.168.56.105 user_name: vmuser key_path: /home/alexander/.ssh/id_rsa.pub Getting OS inventory data... os_name: debian os_version: 11 package_list_len: 364 Getting vulnerability data... Getting vulnerability report... ------------- Vulnerability Report for 192.168.56.105 (remote_ssh, debian 11, linux kernel 5.10.0-17-amd64, 364 packages) 3 vulnerabilities with levels ['High', 'Medium'] were found +---+--------+-------------------------+----------------+------------------------------------------------------------+ | N | Level | Bulletin | CVE | Proof | +---+--------+-------------------------+----------------+------------------------------------------------------------+ | 1 | High | DEBIAN:DLA-3152-1:9B676 | CVE-2016-10228 | libc-bin 2.31-13+deb11u3 amd64 < 2.31-13+deb11u4 | | | | | CVE-2019-19126 | libc6 2.31-13+deb11u3 amd64 < 2.31-13+deb11u4 | | | | | CVE-2019-25013 | locales 2.31-13+deb11u3 all < 2.31-13+deb11u4 | | | | | CVE-2020-10029 | libc-l10n 2.31-13+deb11u3 all < 2.31-13+deb11u4 | | | | | CVE-2020-1752 | | | | | | CVE-2020-27618 | | | | | | CVE-2020-6096 | | | | | | CVE-2021-27645 | | | | | | CVE-2021-3326 | | | | | | CVE-2021-33574 | | | | | | CVE-2021-35942 | | | | | | CVE-2021-3999 | | | | | | CVE-2022-23218 | | | | | | CVE-2022-23219 | | +---+--------+-------------------------+----------------+------------------------------------------------------------+ | 2 | Medium | DEBIAN:DLA-3206-1:5481E | CVE-2019-14870 | krb5-locales 1.18.3-6+deb11u1 all < 1.18.3-6+deb11u3 | | | | | CVE-2021-3671 | libkrb5-3 1.18.3-6+deb11u1 amd64 < 1.18.3-6+deb11u3 | | | | | CVE-2021-44758 | libk5crypto3 1.18.3-6+deb11u1 amd64 < 1.18.3-6+deb11u3 | | | | | CVE-2022-3437 | libkrb5support0 1.18.3-6+deb11u1 amd64 < 1.18.3-6+deb11u3 | | | | | CVE-2022-41916 | libgssapi-krb5-2 1.18.3-6+deb11u1 amd64 < 1.18.3-6+deb11u3 | | | | | CVE-2022-42898 | | | | | | CVE-2022-44640 | | +---+--------+-------------------------+----------------+------------------------------------------------------------+ | 3 | Medium | DEBIAN:DSA-5287-1:12BD4 | CVE-2021-3671 | krb5-locales 1.18.3-6+deb11u1 all < 1.18.3-6+deb11u3 | | | | | CVE-2021-44758 | libkrb5-3 1.18.3-6+deb11u1 amd64 < 1.18.3-6+deb11u3 | | | | | CVE-2022-3437 | libk5crypto3 1.18.3-6+deb11u1 amd64 < 1.18.3-6+deb11u3 | | | | | CVE-2022-41916 | libkrb5support0 1.18.3-6+deb11u1 amd64 < 1.18.3-6+deb11u3 | | | | | CVE-2022-42898 | libgssapi-krb5-2 1.18.3-6+deb11u1 amd64 < 1.18.3-6+deb11u3 | | | | | CVE-2022-44640 | | +---+--------+-------------------------+----------------+------------------------------------------------------------+
$ python3.8 scanvus.py --audit-service "vulnsio" --assessment-type "remote_ssh" --host "192.168.56.105" --user-name "vmuser" --key-path "/home/alexander/.ssh/id_rsa.pub" /$$$$$$$ /$$$$$$$ /$$$$$$ /$$$$$$$ /$$ /$$/$$ /$$ /$$$$$$$ /$$_____/ /$$_____/ |____ $$| $$__ $$| $$ /$$/ $$ | $$ /$$_____/ | $$$$$$ | $$ /$$$$$$$| $$ \ $$ \ $$/$$/| $$ | $$| $$$$$$ \____ $$| $$ /$$__ $$| $$ | $$ \ $$$/ | $$ | $$ \____ $$ /$$$$$$$/| $$$$$$$| $$$$$$$| $$ | $$ \ $/ | $$$$$$/ /$$$$$$$/ |_______/ \_______/ \_______/|__/ |__/ \_/ \______/ |_______/ Getting assessment target... assessment_type: remote_ssh host: 192.168.56.105 user_name: vmuser key_path: /home/alexander/.ssh/id_rsa.pub Getting OS inventory data... os_name: debian os_version: 11 package_list_len: 364 Getting vulnerability data... Getting vulnerability report... ------------- Vulnerability Report for 192.168.56.105 (remote_ssh, debian 11, linux kernel 5.10.0-17-amd64, 364 packages) 7 vulnerabilities with levels ['Medium', 'Critical', 'High'] were found +---+----------+-------------+------------------+----------------------------------------------------------------+ | N | Level | Bulletin | CVE | Proof | +---+----------+-------------+------------------+----------------------------------------------------------------+ | 1 | Critical | DSA-5236-1 | CVE-2022-40674 | libexpat1-2.2.10-2+deb11u3.amd64 < 0:2.2.10-2+deb11u4 | +---+----------+-------------+------------------+----------------------------------------------------------------+ | 2 | Critical | no advisory | CVE-2022-23303 | apparmor-2.13.6-10.amd64 >= 0:0.0.0 | | | | | CVE-2021-45952 | libapparmor1-2.13.6-10.amd64 >= 0:0.0.0 | | | | | CVE-2022-3491 | bluetooth-5.55-3.1.all >= 0:0.0.0 | | | | | CVE-2020-27619 | bluez-5.55-3.1.amd64 >= 0:0.0.0 | | | | | CVE-2021-43400 | libbluetooth3-5.55-3.1.amd64 >= 0:0.0.0 | | | | | CVE-2021-29921 | busybox-1:1.30.1-6+b3.amd64 >= 0:0.0.0 | | | | | CVE-2022-37454 | dnsmasq-base-2.85-1.amd64 >= 0:0.0.0 | | | | | CVE-2019-1010022 | libc-bin-2.31-13+deb11u3.amd64 >= 0:0.0.0 | | | | | CVE-2005-2541 | libc-l10n-2.31-13+deb11u3.all >= 0:0.0.0 | | | | | CVE-2021-45957 | libc6-2.31-13+deb11u3.amd64 >= 0:0.0.0 | | | | | CVE-2022-46908 | locales-2.31-13+deb11u3.all >= 0:0.0.0 | | | | | CVE-2021-42377 | libdb5.3-5.3.28+dfsg1-0.8.amd64 >= 0:0.0.0 | | | | | CVE-2021-46848 | libpcre2-8-0-10.36-2.amd64 < 0:10.36-2+deb11u1 | | | | | CVE-2022-23304 | libpython3.9-minimal-3.9.2-1.amd64 >= 0:0.0.0 | | | | | CVE-2019-8457 | libpython3.9-stdlib-3.9.2-1.amd64 >= 0:0.0.0 | | | | | CVE-2022-2210 | python3.9-3.9.2-1.amd64 >= 0:0.0.0 | | | | | CVE-2022-2042 | python3.9-minimal-3.9.2-1.amd64 >= 0:0.0.0 | | | | | CVE-2022-1586 | libsqlite3-0-3.34.1-3.amd64 >= 0:0.0.0 | | | | | CVE-2021-45954 | libtasn1-6-4.16.0-2.amd64 < 0:4.16.0-2+deb11u1 | | | | | CVE-2022-1587 | tar-1.34+dfsg-1.amd64 >= 0:0.0.0 | | | | | CVE-2021-45953 | vim-common-2:8.2.2434-3+deb11u1.all >= 0:0.0.0 | | | | | CVE-2016-1585 | vim-tiny-2:8.2.2434-3+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2021-45955 | xxd-2:8.2.2434-3+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2021-45956 | wpasupplicant-2:2.9.0-21.amd64 >= 0:0.0.0 | | | | | CVE-2021-45951 | | | | | | CVE-2015-20107 | | | | | | CVE-2022-2207 | | | | | | CVE-2022-0318 | | | | | | CVE-2022-1927 | | +---+----------+-------------+------------------+----------------------------------------------------------------+ | 3 | High | DSA-5207-1 | CVE-2022-26373 | linux-image-5.10.0-16-amd64-5.10.127-2.amd64 < 0:5.10.136-1 | | | | | CVE-2022-2585 | | | | | | CVE-2022-23816 | | | | | | CVE-2022-2588 | | | | | | CVE-2022-29901 | | | | | | CVE-2022-36946 | | | | | | CVE-2022-2586 | | | | | | CVE-2022-29900 | | | | | | CVE-2022-36879 | | +---+----------+-------------+------------------+----------------------------------------------------------------+ | 4 | High | DSA-5235-1 | CVE-2022-3080 | bind9-dnsutils-1:9.16.27-1~deb11u1.amd64 < 1:9.16.33-1~deb11u1 | | | | | CVE-2022-38177 | bind9-host-1:9.16.27-1~deb11u1.amd64 < 1:9.16.33-1~deb11u1 | | | | | CVE-2022-2795 | bind9-libs-1:9.16.27-1~deb11u1.amd64 < 1:9.16.33-1~deb11u1 | | | | | CVE-2022-38178 | | +---+----------+-------------+------------------+----------------------------------------------------------------+ | 5 | High | no advisory | CVE-2022-1616 | bash-completion-1:2.11-2.all >= 0:0.0.0 | | | | | CVE-2022-31782 | bluetooth-5.55-3.1.all >= 0:0.0.0 | | | | | CVE-2022-0361 | bluez-5.55-3.1.amd64 >= 0:0.0.0 | | | | | CVE-2020-15778 | libbluetooth3-5.55-3.1.amd64 >= 0:0.0.0 | | | | | CVE-2022-3534 | busybox-1:1.30.1-6+b3.amd64 >= 0:0.0.0 | | | | | CVE-2021-28831 | cpio-2.13+dfsg-4.amd64 >= 0:0.0.0 | | | | | CVE-2022-43680 | dnsmasq-base-2.85-1.amd64 >= 0:0.0.0 | | | | | CVE-2022-43551 | e2fsprogs-1.46.2-2.amd64 >= 0:0.0.0 | | | | | CVE-2022-0629 | libcom-err2-1.46.2-2.amd64 >= 0:0.0.0 | | | | | CVE-2022-2284 | libext2fs2-1.46.2-2.amd64 >= 0:0.0.0 | | | | | CVE-2021-4173 | libss2-1.46.2-2.amd64 >= 0:0.0.0 | | | | | CVE-2022-0729 | logsave-1.46.2-2.amd64 >= 0:0.0.0 | | | | | CVE-2021-3999 | grub-common-2.04-20.amd64 < 0:2.06-3~deb11u1 | | | | | CVE-2022-2206 | grub-pc-2.04-20.amd64 < 0:2.06-3~deb11u1 | | | | | CVE-2021-3903 | grub-pc-bin-2.04-20.amd64 < 0:2.06-3~deb11u1 | | | | | CVE-2022-1733 | grub2-common-2.04-20.amd64 < 0:2.06-3~deb11u1 | | | | | CVE-2022-1851 | iptables-1.8.7-1.amd64 >= 0:0.0.0 | | | | | CVE-2019-19378 | libip4tc2-1.8.7-1.amd64 >= 0:0.0.0 | | | | | CVE-2016-9918 | libip6tc2-1.8.7-1.amd64 >= 0:0.0.0 | | | | | CVE-2021-42385 | libxtables12-1.8.7-1.amd64 >= 0:0.0.0 | | | | | CVE-2022-2581 | krb5-locales-1.18.3-6+deb11u1.all >= 0:0.0.0 | | | | | CVE-2021-42384 | libgssapi-krb5-2-1.18.3-6+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2021-39537 | libk5crypto3-1.18.3-6+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2022-42919 | libkrb5-3-1.18.3-6+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2021-3973 | libkrb5support0-1.18.3-6+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2022-2129 | libbpf0-1:0.3-2.amd64 >= 0:0.0.0 | | | | | CVE-2021-4136 | libc-bin-2.31-13+deb11u3.amd64 >= 0:0.0.0 | | | | | CVE-2017-15131 | libc-l10n-2.31-13+deb11u3.all >= 0:0.0.0 | | | | | CVE-2022-3176 | libc6-2.31-13+deb11u3.amd64 >= 0:0.0.0 | | | | | CVE-2022-2344 | locales-2.31-13+deb11u3.all >= 0:0.0.0 | | | | | CVE-2021-3697 | libcurl3-gnutls-7.74.0-1.3+deb11u2.amd64 >= 0:0.0.0 | | | | | CVE-2017-7246 | libexpat1-2.2.10-2+deb11u3.amd64 < 0:2.2.10-2+deb11u5 | | | | | CVE-2020-26560 | libfreetype6-2.10.4+dfsg-1+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2020-26559 | libgcrypt20-1.8.7-6.amd64 >= 0:0.0.0 | | | | | CVE-2021-39686 | libjansson4-2.13.1-1.1.amd64 >= 0:0.0.0 | | | | | CVE-2022-1247 | libldap-2.4-2-2.4.57+dfsg-3+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2021-42382 | libldap-common-2.4.57+dfsg-3+deb11u1.all >= 0:0.0.0 | | | | | CVE-2017-17740 | libncurses6-6.2+20201114-2.amd64 >= 0:0.0.0 | | | | | CVE-2020-36325 | libncursesw6-6.2+20201114-2.amd64 >= 0:0.0.0 | | | | | CVE-2022-2257 | libtinfo6-6.2+20201114-2.amd64 >= 0:0.0.0 | | | | | CVE-2022-1154 | ncurses-base-6.2+20201114-2.all >= 0:0.0.0 | | | | | CVE-2022-0392 | ncurses-bin-6.2+20201114-2.amd64 >= 0:0.0.0 | | | | | CVE-2022-3297 | ncurses-term-6.2+20201114-2.all >= 0:0.0.0 | | | | | CVE-2021-4192 | libpcre3-2:8.39-13.amd64 >= 0:0.0.0 | | | | | CVE-2022-2287 | libperl5.32-5.32.1-4+deb11u2.amd64 >= 0:0.0.0 | | | | | CVE-2022-0408 | perl-5.32.1-4+deb11u2.amd64 >= 0:0.0.0 | | | | | CVE-2022-2571 | perl-base-5.32.1-4+deb11u2.amd64 >= 0:0.0.0 | | | | | CVE-2022-0393 | perl-modules-5.32-5.32.1-4+deb11u2.all >= 0:0.0.0 | | | | | CVE-2022-1619 | libpolkit-agent-1-0-0.105-31+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2017-7245 | libpolkit-gobject-1-0-0.105-31+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2022-2345 | policykit-1-0.105-31+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2022-1886 | libpython3.9-minimal-3.9.2-1.amd64 >= 0:0.0.0 | | | | | CVE-2021-4204 | libpython3.9-stdlib-3.9.2-1.amd64 >= 0:0.0.0 | | | | | CVE-2022-0943 | python3.9-3.9.2-1.amd64 >= 0:0.0.0 | | | | | CVE-2022-2264 | python3.9-minimal-3.9.2-1.amd64 >= 0:0.0.0 | | | | | CVE-2022-0359 | libsqlite3-0-3.34.1-3.amd64 >= 0:0.0.0 | | | | | CVE-2022-0572 | linux-image-5.10.0-16-amd64-5.10.127-2.amd64 >= 0:0.0.0 | | | | | CVE-2022-0391 | linux-image-5.10.0-17-amd64-5.10.136-1.amd64 >= 0:0.0.0 | | | | | CVE-2017-11164 | linux-image-amd64-5.10.136-1.amd64 >= 0:0.0.0 | | | | | CVE-2022-0413 | login-1:4.8.1-1.amd64 >= 0:0.0.0 | | | | | CVE-2021-3974 | passwd-1:4.8.1-1.amd64 >= 0:0.0.0 | | | | | CVE-2022-1769 | openssh-client-1:8.4p1-5+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2021-42378 | openssh-server-1:8.4p1-5+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2022-0554 | openssh-sftp-server-1:8.4p1-5+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2022-2175 | python3-httplib2-0.18.1-3.all >= 0:0.0.0 | | | | | CVE-2022-0685 | vim-common-2:8.2.2434-3+deb11u1.all >= 0:0.0.0 | | | | | CVE-2022-1621 | vim-tiny-2:8.2.2434-3+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2021-36690 | xxd-2:8.2.2434-3+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2019-1010023 | xdg-user-dirs-0.17-2.amd64 >= 0:0.0.0 | | | | | CVE-2022-2946 | | | | | | CVE-2018-20796 | | | | | | CVE-2021-38185 | | | | | | CVE-2018-6829 | | | | | | CVE-2022-3424 | | | | | | CVE-2021-21240 | | | | | | CVE-2022-1735 | | | | | | CVE-2022-0204 | | | | | | CVE-2019-9192 | | | | | | CVE-2016-9917 | | | | | | CVE-2022-2849 | | | | | | CVE-2022-2304 | | | | | | CVE-2022-0407 | | | | | | CVE-2021-3737 | | | | | | CVE-2022-2602 | | | | | | CVE-2022-1898 | | | | | | CVE-2022-2845 | | | | | | CVE-2022-0417 | | | | | | CVE-2022-1882 | | | | | | CVE-2013-7445 | | | | | | CVE-2019-20838 | | | | | | CVE-2021-42386 | | | | | | CVE-2022-2289 | | | | | | CVE-2022-1304 | | | | | | CVE-2022-2889 | | | | | | CVE-2022-1629 | | | | | | CVE-2021-41617 | | | | | | CVE-2022-2183 | | | | | | CVE-2022-0351 | | | | | | CVE-2020-11725 | | | | | | CVE-2021-4166 | | | | | | CVE-2022-2817 | | | | | | CVE-2020-26557 | | | | | | CVE-2022-29458 | | | | | | CVE-2021-3968 | | | | | | CVE-2022-25265 | | | | | | CVE-2019-19070 | | | | | | CVE-2021-4037 | | | | | | CVE-2019-12456 | | | | | | CVE-2019-19882 | | | | | | CVE-2021-33560 | | | | | | CVE-2022-2522 | | | | | | CVE-2022-2182 | | | | | | CVE-2012-2663 | | | | | | CVE-2022-1796 | | | | | | CVE-2022-2862 | | | | | | CVE-2022-2286 | | | | | | CVE-2020-16156 | | | | | | CVE-2022-1942 | | | | | | CVE-2022-1679 | | | | | | CVE-2021-26934 | | | | | | CVE-2018-1000500 | | | | | | CVE-2008-4609 | | | | | | CVE-2019-19449 | | | | | | CVE-2021-42381 | | | | | | CVE-2022-0368 | | | | | | CVE-2022-1720 | | | | | | CVE-2022-2125 | | | | | | CVE-2021-3847 | | | | | | CVE-2022-4139 | | | | | | CVE-2022-4378 | | | | | | CVE-2022-1620 | | | | | | CVE-2021-3872 | | | | | | CVE-2022-2126 | | | | | | CVE-2022-0934 | | | | | | CVE-2021-3928 | | | | | | CVE-2022-2000 | | | | | | CVE-2021-42383 | | | | | | CVE-2022-2816 | | | | | | CVE-2021-3984 | | | | | | CVE-2019-19814 | | | | | | CVE-2022-28733 | | | | | | CVE-2021-3927 | | | | | | CVE-2020-12362 | | | | | | CVE-2018-5709 | | | | | | CVE-2011-4116 | | | | | | CVE-2022-35737 | | | | | | CVE-2022-30065 | | | | | | CVE-2022-28734 | | | | | | CVE-2018-7738 | | | | | | CVE-2021-4187 | | | | | | CVE-2021-4069 | | | | | | CVE-2016-2568 | | | | | | CVE-2022-2343 | | | | | | CVE-2021-32078 | | | | | | CVE-2021-28861 | | | | | | CVE-2021-42380 | | | | | | CVE-2022-2819 | | | | | | CVE-2022-1785 | | | | | | CVE-2021-3864 | | | | | | CVE-2022-0443 | | | | | | CVE-2022-2124 | | | | | | CVE-2021-4019 | | | | | | CVE-2022-1968 | | | | | | CVE-2022-28391 | | | | | | CVE-2022-0500 | | | | | | CVE-2022-3775 | | | | | | CVE-2022-1897 | | | | | | CVE-2022-0261 | | | | | | CVE-2021-42379 | | | | | | CVE-2022-2285 | | +---+----------+-------------+------------------+----------------------------------------------------------------+ | 6 | Medium | DSA-5251-1 | CVE-2022-2929 | isc-dhcp-client-4.4.1-2.3.amd64 < 0:4.4.1-2.3+deb11u1 | | | | | CVE-2022-2928 | isc-dhcp-common-4.4.1-2.3.amd64 < 0:4.4.1-2.3+deb11u1 | +---+----------+-------------+------------------+----------------------------------------------------------------+ | 7 | Medium | no advisory | CVE-2019-12380 | avahi-autoipd-0.8-5.amd64 < 0:0.8-5+deb11u1 | | | | | CVE-2021-42376 | bash-5.1-2+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2019-16234 | bluetooth-5.55-3.1.all >= 0:0.0.0 | | | | | CVE-2022-3586 | bluez-5.55-3.1.amd64 >= 0:0.0.0 | | | | | CVE-2008-5367 | libbluetooth3-5.55-3.1.amd64 >= 0:0.0.0 | | | | | CVE-2022-1674 | bsdextrautils-2.36.1-8+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2021-31879 | bsdutils-1:2.36.1-8+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2018-15919 | eject-2.36.1-8+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2022-1771 | fdisk-2.36.1-8+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2020-36516 | libblkid1-2.36.1-8+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2022-1280 | libfdisk1-2.36.1-8+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2021-3669 | libmount1-2.36.1-8+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2010-5321 | libsmartcols1-2.36.1-8+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2007-6755 | libuuid1-2.36.1-8+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2020-15719 | mount-2.36.1-8+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2021-42374 | util-linux-2.36.1-8+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2022-28736 | busybox-1:1.30.1-6+b3.amd64 >= 0:0.0.0 | | | | | CVE-2016-9804 | coreutils-8.32-4+b1.amd64 >= 0:0.0.0 | | | | | CVE-2021-42375 | grub-common-2.04-20.amd64 < 0:2.06-3~deb11u1 | | | | | CVE-2021-3696 | grub-pc-2.04-20.amd64 < 0:2.06-3~deb11u1 | | | | | CVE-2018-17977 | grub-pc-bin-2.04-20.amd64 < 0:2.06-3~deb11u1 | | | | | CVE-2022-0156 | grub2-common-2.04-20.amd64 < 0:2.06-3~deb11u1 | | | | | CVE-2022-3542 | initramfs-tools-0.140.all >= 0:0.0.0 | | | | | CVE-2016-9799 | initramfs-tools-core-0.140.all >= 0:0.0.0 | | | | | CVE-2011-3389 | krb5-locales-1.18.3-6+deb11u1.all < 0:1.18.3-6+deb11u3 | | | | | CVE-2020-26555 | libgssapi-krb5-2-1.18.3-6+deb11u1.amd64 < 0:1.18.3-6+deb11u3 | | | | | CVE-2019-16229 | libk5crypto3-1.18.3-6+deb11u1.amd64 < 0:1.18.3-6+deb11u3 | | | | | CVE-2020-24504 | libkrb5-3-1.18.3-6+deb11u1.amd64 < 0:1.18.3-6+deb11u3 | | | | | CVE-2017-16231 | libkrb5support0-1.18.3-6+deb11u1.amd64 < 0:1.18.3-6+deb11u3 | | | | | CVE-2021-4193 | libbpf0-1:0.3-2.amd64 >= 0:0.0.0 | | | | | CVE-2022-2874 | libc-bin-2.31-13+deb11u3.amd64 >= 0:0.0.0 | | | | | CVE-2012-4542 | libc-l10n-2.31-13+deb11u3.all >= 0:0.0.0 | | | | | CVE-2022-3715 | libc6-2.31-13+deb11u3.amd64 >= 0:0.0.0 | | | | | CVE-2013-4235 | locales-2.31-13+deb11u3.all >= 0:0.0.0 | | | | | CVE-2016-9798 | libcurl3-gnutls-7.74.0-1.3+deb11u2.amd64 >= 0:0.0.0 | | | | | CVE-2020-0347 | libexpat1-2.2.10-2+deb11u3.amd64 >= 0:0.0.0 | | | | | CVE-2021-22923 | libglib2.0-0-2.66.8-1.amd64 >= 0:0.0.0 | | | | | CVE-2017-14159 | libglib2.0-data-2.66.8-1.all >= 0:0.0.0 | | | | | CVE-2021-3468 | libgnutls30-3.7.1-5+deb11u2.amd64 >= 0:0.0.0 | | | | | CVE-2008-5366 | libldap-2.4-2-2.4.57+dfsg-3+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2012-0039 | libldap-common-2.4.57+dfsg-3+deb11u1.all >= 0:0.0.0 | | | | | CVE-2020-14145 | libnss-systemd-247.3-7.amd64 >= 0:0.0.0 | | | | | CVE-2017-18018 | libpam-systemd-247.3-7.amd64 >= 0:0.0.0 | | | | | CVE-2022-4415 | libsystemd0-247.3-7.amd64 >= 0:0.0.0 | | | | | CVE-2021-44879 | libudev1-247.3-7.amd64 >= 0:0.0.0 | | | | | CVE-2021-3502 | systemd-247.3-7.amd64 >= 0:0.0.0 | | | | | CVE-2022-4095 | systemd-sysv-247.3-7.amd64 >= 0:0.0.0 | | | | | CVE-2022-1420 | systemd-timesyncd-247.3-7.amd64 >= 0:0.0.0 | | | | | CVE-2016-3709 | udev-247.3-7.amd64 >= 0:0.0.0 | | | | | CVE-2019-15794 | libpcre3-2:8.39-13.amd64 >= 0:0.0.0 | | | | | CVE-2022-0213 | libpng16-16-1.6.37-3.amd64 >= 0:0.0.0 | | | | | CVE-2022-42328 | libpolkit-agent-1-0-0.105-31+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2022-42329 | libpolkit-gobject-1-0-0.105-31+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2022-42898 | policykit-1-0.105-31+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2015-3276 | libprotobuf-c1-1.3.3-1+b2.amd64 >= 0:0.0.0 | | | | | CVE-2011-4917 | libpython3.9-minimal-3.9.2-1.amd64 >= 0:0.0.0 | | | | | CVE-2010-4756 | libpython3.9-stdlib-3.9.2-1.amd64 >= 0:0.0.0 | | | | | CVE-2021-4189 | python3.9-3.9.2-1.amd64 >= 0:0.0.0 | | | | | CVE-2019-16233 | python3.9-minimal-3.9.2-1.amd64 >= 0:0.0.0 | | | | | CVE-2022-2231 | libsqlite3-0-3.34.1-3.amd64 >= 0:0.0.0 | | | | | CVE-2021-4214 | libssl1.1-1.1.1n-0+deb11u3.amd64 >= 0:0.0.0 | | | | | CVE-2014-9892 | openssl-1.1.1n-0+deb11u3.amd64 >= 0:0.0.0 | | | | | CVE-2008-4677 | libxml2-2.9.10+dfsg-6.7+deb11u2.amd64 >= 0:0.0.0 | | | | | CVE-2008-4996 | linux-image-5.10.0-16-amd64-5.10.127-2.amd64 >= 0:0.0.0 | | | | | CVE-2020-12364 | linux-image-5.10.0-17-amd64-5.10.136-1.amd64 >= 0:0.0.0 | | | | | CVE-2022-2598 | linux-image-amd64-5.10.136-1.amd64 >= 0:0.0.0 | | | | | CVE-2017-1000382 | login-1:4.8.1-1.amd64 >= 0:0.0.0 | | | | | CVE-2021-3426 | passwd-1:4.8.1-1.amd64 >= 0:0.0.0 | | | | | CVE-2010-0928 | openssh-client-1:8.4p1-5+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2022-2097 | openssh-server-1:8.4p1-5+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2017-13084 | openssh-sftp-server-1:8.4p1-5+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2008-5135 | os-prober-1.79.amd64 >= 0:0.0.0 | | | | | CVE-2016-9803 | ppp-2.4.9-1+1.amd64 >= 0:0.0.0 | | | | | CVE-2015-3243 | rsyslog-8.2102.0-2+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2017-0630 | vim-common-2:8.2.2434-3+deb11u1.all >= 0:0.0.0 | | | | | CVE-2007-2768 | vim-tiny-2:8.2.2434-3+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2021-45941 | xxd-2:8.2.2434-3+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2016-10723 | wget-1.21-1+deb11u1.amd64 >= 0:0.0.0 | | | | | CVE-2022-3857 | wpasupplicant-2:2.9.0-21.amd64 >= 0:0.0.0 | | | | | CVE-2021-3658 | | | | | | CVE-2020-26142 | | | | | | CVE-2022-2208 | | | | | | CVE-2022-2873 | | | | | | CVE-2021-45346 | | | | | | CVE-2022-4662 | | | | | | CVE-2022-0714 | | | | | | CVE-2021-4023 | | | | | | CVE-2007-5686 | | | | | | CVE-2019-6129 | | | | | | CVE-2022-3061 | | | | | | CVE-2022-0171 | | | | | | CVE-2020-12363 | | | | | | CVE-2022-33070 | | | | | | CVE-2017-13694 | | | | | | CVE-2021-3714 | | | | | | CVE-2022-1184 | | | | | | CVE-2020-26143 | | | | | | CVE-2019-1010025 | | | | | | CVE-2020-13529 | | | | | | CVE-2019-16089 | | | | | | CVE-2022-0563 | | | | | | CVE-2019-15213 | | | | | | CVE-2019-12379 | | | | | | CVE-2014-9900 | | | | | | CVE-2022-2923 | | | | | | CVE-2019-5062 | | | | | | CVE-2021-30004 | | | | | | CVE-2016-9797 | | | | | | CVE-2016-9801 | | | | | | CVE-2017-13693 | | | | | | CVE-2007-2243 | | | | | | CVE-2019-6110 | | | | | | CVE-2022-0696 | | | | | | CVE-2019-12381 | | | | | | CVE-2021-4115 | | | | | | CVE-2019-16231 | | | | | | CVE-2019-12382 | | | | | | CVE-2022-3344 | | | | | | CVE-2020-14304 | | | | | | CVE-2022-23825 | | | | | | CVE-2019-12455 | | | | | | CVE-2004-0230 | | | | | | CVE-2022-3707 | | | | | | CVE-2019-16230 | | | | | | CVE-2019-1010024 | | | | | | CVE-2020-26140 | | | | | | CVE-2016-20012 | | | | | | CVE-2021-22922 | | | | | | CVE-2021-3759 | | | | | | CVE-2022-0480 | | | | | | CVE-2011-4916 | | | | | | CVE-2005-3660 | | | | | | CVE-2010-4563 | | | | | | CVE-2016-8660 | | | | | | CVE-2008-3234 | | | | | | CVE-2013-0340 | | | | | | CVE-2019-20794 | | | | | | CVE-2016-2781 | | | | | | CVE-2019-16232 | | | | | | CVE-2021-33061 | | | | | | CVE-2022-3628 | | | | | | CVE-2018-12928 | | | | | | CVE-2022-28735 | | | | | | CVE-2018-1121 | | | | | | CVE-2022-1462 | | | | | | CVE-2022-43552 | | | | | | CVE-2016-9800 | | | | | | CVE-2019-12378 | | | | | | CVE-2021-4149 | | | | | | CVE-2011-4915 | | | | | | CVE-2020-15802 | | | | | | CVE-2021-45940 | | | | | | CVE-2022-2153 | | | | | | CVE-2022-4543 | | | | | | CVE-2021-41229 | | | | | | CVE-2008-2544 | | | | | | CVE-2016-9802 | | | | | | CVE-2022-3606 | | | | | | CVE-2022-0400 | | | | | | CVE-2022-0319 | | | | | | CVE-2022-21505 | | | | | | CVE-2021-3733 | | | | | | CVE-2021-42373 | | | | | | CVE-2021-3695 | | +---+----------+-------------+------------------+----------------------------------------------------------------+
And we can see that the APIs returned different detection results for the DSA/DLA bulletins. The intersection of the sets is empty.
Vulners ∖ VulnsIO: 3 {'DLA-3206-1', 'DSA-5287-1', 'DLA-3152-1'}
Vulners ∩ VulnsIO: 0 set()
VulnsIO ∖ Vulners: 4 {'DSA-5207-1', 'DSA-5235-1', 'DSA-5236-1', 'DSA-5251-1'}
At the same time, proofs look convincing at first glance. In this episode, I won’t go into why there is such a difference in Debian vulnerability detection results. Perhaps the answer is in the operation of the API, and perhaps in the collection of data from the host. I think we will solve this with colleagues from Vulners and Vulns.io. I’m just pointing out again that vulnerability detection is not that easy and it’s good when you can use several independent detection engines and compare the results.
Docker image
Next, I check the vulnerabilities for the Docker image. It is also based on Debian 11.
$ python3.8 scanvus.py --audit-service vulners --assessment-type "docker_image" --docker-image "python:3.9.6-slim-bullseye" /$$$$$$$ /$$$$$$$ /$$$$$$ /$$$$$$$ /$$ /$$/$$ /$$ /$$$$$$$ /$$_____/ /$$_____/ |____ $$| $$__ $$| $$ /$$/ $$ | $$ /$$_____/ | $$$$$$ | $$ /$$$$$$$| $$ \ $$ \ $$/$$/| $$ | $$| $$$$$$ \____ $$| $$ /$$__ $$| $$ | $$ \ $$$/ | $$ | $$ \____ $$ /$$$$$$$/| $$$$$$$| $$$$$$$| $$ | $$ \ $/ | $$$$$$/ /$$$$$$$/ |_______/ \_______/ \_______/|__/ |__/ \_/ \______/ |_______/ Getting assessment target... assessment_type: docker_image docker_image: python:3.9.6-slim-bullseye Getting OS inventory data... os_name: debian os_version: 11 package_list_len: 105 Getting vulnerability data... Getting vulnerability report... ------------- Vulnerability Report for python:3.9.6-slim-bullseye (docker_image, debian 11, linux kernel 5.4.0-135-generic, 105 packages) 22 vulnerabilities with levels ['Critical', 'High', 'Medium'] were found +----+----------+-------------------------+----------------+----------------------------------------------------+ | N | Level | Bulletin | CVE | Proof | +----+----------+-------------------------+----------------+----------------------------------------------------+ | 1 | Critical | DEBIAN:DLA-2904-1:6B1FD | CVE-2021-45960 | libexpat1 2.2.10-2 amd64 < 2.2.10-2+deb11u1 | | | | | CVE-2021-46143 | | | | | | CVE-2022-22822 | | | | | | CVE-2022-22823 | | | | | | CVE-2022-22824 | | | | | | CVE-2022-22825 | | | | | | CVE-2022-22826 | | | | | | CVE-2022-22827 | | | | | | CVE-2022-23852 | | | | | | CVE-2022-23990 | | +----+----------+-------------------------+----------------+----------------------------------------------------+ | 2 | Critical | DEBIAN:DLA-3008-1:E2717 | CVE-2022-1292 | libssl1.1 1.1.1k-1 amd64 < 1.1.1n-0+deb11u2 | | | | | | openssl 1.1.1k-1 amd64 < 1.1.1n-0+deb11u2 | +----+----------+-------------------------+----------------+----------------------------------------------------+ | 3 | Critical | DEBIAN:DSA-5073-1:5DBA9 | CVE-2021-45960 | libexpat1 2.2.10-2 amd64 < 2.2.10-2+deb11u1 | | | | | CVE-2021-46143 | | | | | | CVE-2022-22822 | | | | | | CVE-2022-22823 | | | | | | CVE-2022-22824 | | | | | | CVE-2022-22825 | | | | | | CVE-2022-22826 | | | | | | CVE-2022-22827 | | | | | | CVE-2022-23852 | | | | | | CVE-2022-23990 | | +----+----------+-------------------------+----------------+----------------------------------------------------+ | 4 | Critical | DEBIAN:DSA-5139-1:0E208 | CVE-2022-1292 | libssl1.1 1.1.1k-1 amd64 < 1.1.1n-0+deb11u2 | | | | | | openssl 1.1.1k-1 amd64 < 1.1.1n-0+deb11u2 | +----+----------+-------------------------+----------------+----------------------------------------------------+ | 5 | Critical | DEBIAN:DSA-5169-1:87483 | CVE-2022-2068 | libssl1.1 1.1.1k-1 amd64 < 1.1.1n-0+deb11u3 | | | | | | openssl 1.1.1k-1 amd64 < 1.1.1n-0+deb11u3 | +----+----------+-------------------------+----------------+----------------------------------------------------+ | 6 | High | DEBIAN:DLA-2935-1:EEAAD | CVE-2022-23852 | libexpat1 2.2.10-2 amd64 < 2.2.10-2+deb11u1 | | | | | CVE-2022-25235 | | | | | | CVE-2022-25236 | | | | | | CVE-2022-25313 | | | | | | CVE-2022-25315 | | +----+----------+-------------------------+----------------+----------------------------------------------------+ | 7 | High | DEBIAN:DLA-3022-1:26EFE | CVE-2022-1664 | dpkg 1.20.9 amd64 < 1.20.10 | +----+----------+-------------------------+----------------+----------------------------------------------------+ | 8 | High | DEBIAN:DLA-3152-1:9B676 | CVE-2016-10228 | libc-bin 2.31-13 amd64 < 2.31-13+deb11u3 | | | | | CVE-2019-19126 | libc6 2.31-13 amd64 < 2.31-13+deb11u3 | | | | | CVE-2019-25013 | | | | | | CVE-2020-10029 | | | | | | CVE-2020-1752 | | | | | | CVE-2020-27618 | | | | | | CVE-2020-6096 | | | | | | CVE-2021-27645 | | | | | | CVE-2021-3326 | | | | | | CVE-2021-33574 | | | | | | CVE-2021-35942 | | | | | | CVE-2021-3999 | | | | | | CVE-2022-23218 | | | | | | CVE-2022-23219 | | +----+----------+-------------------------+----------------+----------------------------------------------------+ | 9 | High | DEBIAN:DSA-4963-1:90BFC | CVE-2021-3711 | libssl1.1 1.1.1k-1 amd64 < 1.1.1k-1+deb11u1 | | | | | CVE-2021-3712 | openssl 1.1.1k-1 amd64 < 1.1.1k-1+deb11u1 | +----+----------+-------------------------+----------------+----------------------------------------------------+ | 10 | High | DEBIAN:DSA-4963-1:DA7BC | CVE-2021-3711 | libssl1.1 1.1.1k-1 amd64 < 1.1.1k-1+deb11u1 | | | | | CVE-2021-3712 | openssl 1.1.1k-1 amd64 < 1.1.1k-1+deb11u1 | +----+----------+-------------------------+----------------+----------------------------------------------------+ | 11 | High | DEBIAN:DSA-5085-1:EC5E7 | CVE-2022-25235 | libexpat1 2.2.10-2 amd64 < 2.2.10-2+deb11u2 | | | | | CVE-2022-25236 | | | | | | CVE-2022-25313 | | | | | | CVE-2022-25314 | | | | | | CVE-2022-25315 | | +----+----------+-------------------------+----------------+----------------------------------------------------+ | 12 | High | DEBIAN:DSA-5085-2:292DA | CVE-2022-25236 | libexpat1 2.2.10-2 amd64 < 2.2.10-2+deb11u3 | +----+----------+-------------------------+----------------+----------------------------------------------------+ | 13 | High | DEBIAN:DSA-5147-1:638F9 | CVE-2022-1664 | dpkg 1.20.9 amd64 < 1.20.10 | +----+----------+-------------------------+----------------+----------------------------------------------------+ | 14 | Medium | DEBIAN:DLA-2766-1:9EFDC | CVE-2021-3712 | libssl1.1 1.1.1k-1 amd64 < 1.1.1k-1+deb11u1 | | | | | | openssl 1.1.1k-1 amd64 < 1.1.1k-1+deb11u1 | +----+----------+-------------------------+----------------+----------------------------------------------------+ | 15 | Medium | DEBIAN:DLA-2771-1:D1964 | CVE-2018-20217 | libk5crypto3 1.18.3-6 amd64 < 1.18.3-6+deb11u1 | | | | | CVE-2018-5729 | libkrb5-3 1.18.3-6 amd64 < 1.18.3-6+deb11u1 | | | | | CVE-2018-5730 | libgssapi-krb5-2 1.18.3-6 amd64 < 1.18.3-6+deb11u1 | | | | | CVE-2021-37750 | libkrb5support0 1.18.3-6 amd64 < 1.18.3-6+deb11u1 | +----+----------+-------------------------+----------------+----------------------------------------------------+ | 16 | Medium | DEBIAN:DLA-2774-1:D8CE0 | CVE-2021-3712 | libssl1.1 1.1.1k-1 amd64 < 1.1.1k-1+deb11u1 | | | | | | openssl 1.1.1k-1 amd64 < 1.1.1k-1+deb11u1 | +----+----------+-------------------------+----------------+----------------------------------------------------+ | 17 | Medium | DEBIAN:DLA-2952-1:7651B | CVE-2019-1551 | libssl1.1 1.1.1k-1 amd64 < 1.1.1k-1+deb11u2 | | | | | CVE-2022-0778 | openssl 1.1.1k-1 amd64 < 1.1.1k-1+deb11u2 | +----+----------+-------------------------+----------------+----------------------------------------------------+ | 18 | Medium | DEBIAN:DLA-2953-1:551CB | CVE-2022-0778 | libssl1.1 1.1.1k-1 amd64 < 1.1.1k-1+deb11u2 | | | | | | openssl 1.1.1k-1 amd64 < 1.1.1k-1+deb11u2 | +----+----------+-------------------------+----------------+----------------------------------------------------+ | 19 | Medium | DEBIAN:DLA-3206-1:5481E | CVE-2019-14870 | libk5crypto3 1.18.3-6 amd64 < 1.18.3-6+deb11u3 | | | | | CVE-2021-3671 | libkrb5-3 1.18.3-6 amd64 < 1.18.3-6+deb11u3 | | | | | CVE-2021-44758 | libgssapi-krb5-2 1.18.3-6 amd64 < 1.18.3-6+deb11u3 | | | | | CVE-2022-3437 | libkrb5support0 1.18.3-6 amd64 < 1.18.3-6+deb11u3 | | | | | CVE-2022-41916 | | | | | | CVE-2022-42898 | | | | | | CVE-2022-44640 | | +----+----------+-------------------------+----------------+----------------------------------------------------+ | 20 | Medium | DEBIAN:DSA-5103-1:C47DD | CVE-2021-4160 | libssl1.1 1.1.1k-1 amd64 < 1.1.1k-1+deb11u2 | | | | | CVE-2022-0778 | openssl 1.1.1k-1 amd64 < 1.1.1k-1+deb11u2 | +----+----------+-------------------------+----------------+----------------------------------------------------+ | 21 | Medium | DEBIAN:DSA-5174-1:32717 | CVE-2022-34903 | gpgv 2.2.27-2 amd64 < 2.2.27-2+deb11u2 | +----+----------+-------------------------+----------------+----------------------------------------------------+ | 22 | Medium | DEBIAN:DSA-5287-1:12BD4 | CVE-2021-3671 | libk5crypto3 1.18.3-6 amd64 < 1.18.3-6+deb11u3 | | | | | CVE-2021-44758 | libkrb5-3 1.18.3-6 amd64 < 1.18.3-6+deb11u3 | | | | | CVE-2022-3437 | libgssapi-krb5-2 1.18.3-6 amd64 < 1.18.3-6+deb11u3 | | | | | CVE-2022-41916 | libkrb5support0 1.18.3-6 amd64 < 1.18.3-6+deb11u3 | | | | | CVE-2022-42898 | | | | | | CVE-2022-44640 | | +----+----------+-------------------------+----------------+----------------------------------------------------+
$ python3.8 scanvus.py --audit-service vulnsio --assessment-type "docker_image" --docker-image "python:3.9.6-slim-bullseye" /$$$$$$$ /$$$$$$$ /$$$$$$ /$$$$$$$ /$$ /$$/$$ /$$ /$$$$$$$ /$$_____/ /$$_____/ |____ $$| $$__ $$| $$ /$$/ $$ | $$ /$$_____/ | $$$$$$ | $$ /$$$$$$$| $$ \ $$ \ $$/$$/| $$ | $$| $$$$$$ \____ $$| $$ /$$__ $$| $$ | $$ \ $$$/ | $$ | $$ \____ $$ /$$$$$$$/| $$$$$$$| $$$$$$$| $$ | $$ \ $/ | $$$$$$/ /$$$$$$$/ |_______/ \_______/ \_______/|__/ |__/ \_/ \______/ |_______/ Getting assessment target... assessment_type: docker_image docker_image: python:3.9.6-slim-bullseye Getting OS inventory data... os_name: debian os_version: 11 package_list_len: 105 Getting vulnerability data... Getting vulnerability report... ------------- Vulnerability Report for python:3.9.6-slim-bullseye (docker_image, debian 11, linux kernel 5.4.0-135-generic, 105 packages) 19 vulnerabilities with levels ['Critical', 'High', 'Medium'] were found +----+----------+-------------+------------------+--------------------------------------------------------+ | N | Level | Bulletin | CVE | Proof | +----+----------+-------------+------------------+--------------------------------------------------------+ | 1 | Critical | DSA-4963-1 | CVE-2021-3711 | libssl1.1-1.1.1k-1.amd64 < 0:1.1.1k-1+deb11u1 | | | | | CVE-2021-3712 | openssl-1.1.1k-1.amd64 < 0:1.1.1k-1+deb11u1 | +----+----------+-------------+------------------+--------------------------------------------------------+ | 2 | Critical | DSA-5073-1 | CVE-2022-23852 | libexpat1-2.2.10-2.amd64 < 0:2.2.10-2+deb11u1 | | | | | CVE-2022-23990 | | | | | | CVE-2021-46143 | | | | | | CVE-2022-22824 | | | | | | CVE-2022-22827 | | | | | | CVE-2021-45960 | | | | | | CVE-2022-22822 | | | | | | CVE-2022-22825 | | | | | | CVE-2022-22823 | | | | | | CVE-2022-22826 | | +----+----------+-------------+------------------+--------------------------------------------------------+ | 3 | Critical | DSA-5085-1 | CVE-2022-25236 | libexpat1-2.2.10-2.amd64 < 0:2.2.10-2+deb11u2 | | | | | CVE-2022-25314 | | | | | | CVE-2022-25235 | | | | | | CVE-2022-25315 | | | | | | CVE-2022-25313 | | +----+----------+-------------+------------------+--------------------------------------------------------+ | 4 | Critical | DSA-5139-1 | CVE-2022-1292 | libssl1.1-1.1.1k-1.amd64 < 0:1.1.1n-0+deb11u2 | | | | | | openssl-1.1.1k-1.amd64 < 0:1.1.1n-0+deb11u2 | +----+----------+-------------+------------------+--------------------------------------------------------+ | 5 | Critical | DSA-5147-1 | CVE-2022-1664 | dpkg-1.20.9.amd64 < 0:1.20.10 | +----+----------+-------------+------------------+--------------------------------------------------------+ | 6 | Critical | DSA-5169-1 | CVE-2022-2068 | libssl1.1-1.1.1k-1.amd64 < 0:1.1.1n-0+deb11u3 | | | | | | openssl-1.1.1k-1.amd64 < 0:1.1.1n-0+deb11u3 | +----+----------+-------------+------------------+--------------------------------------------------------+ | 7 | Critical | DSA-5218-1 | CVE-2022-37434 | zlib1g-1:1.2.11.dfsg-2.amd64 < 1:1.2.11.dfsg-2+deb11u2 | +----+----------+-------------+------------------+--------------------------------------------------------+ | 8 | Critical | DSA-5236-1 | CVE-2022-40674 | libexpat1-2.2.10-2.amd64 < 0:2.2.10-2+deb11u4 | +----+----------+-------------+------------------+--------------------------------------------------------+ | 9 | Critical | no advisory | CVE-2022-23218 | libc-bin-2.31-13.amd64 < 0:2.31-13+deb11u3 | | | | | CVE-2022-46908 | libc6-2.31-13.amd64 < 0:2.31-13+deb11u3 | | | | | CVE-2019-1010022 | libdb5.3-5.3.28+dfsg1-0.8.amd64 >= 0:0.0.0 | | | | | CVE-2022-23219 | libpcre2-8-0-10.36-2.amd64 < 0:10.36-2+deb11u1 | | | | | CVE-2019-8457 | libsqlite3-0-3.34.1-3.amd64 >= 0:0.0.0 | | | | | CVE-2021-33574 | libtasn1-6-4.16.0-2.amd64 < 0:4.16.0-2+deb11u1 | | | | | CVE-2005-2541 | tar-1.34+dfsg-1.amd64 >= 0:0.0.0 | | | | | CVE-2022-1587 | | | | | | CVE-2022-1586 | | | | | | CVE-2021-46848 | | +----+----------+-------------+------------------+--------------------------------------------------------+ | 10 | High | DSA-5103-1 | CVE-2022-0778 | libssl1.1-1.1.1k-1.amd64 < 0:1.1.1k-1+deb11u2 | | | | | CVE-2021-4160 | openssl-1.1.1k-1.amd64 < 0:1.1.1k-1+deb11u2 | +----+----------+-------------+------------------+--------------------------------------------------------+ | 11 | High | DSA-5111-1 | CVE-2018-25032 | zlib1g-1:1.2.11.dfsg-2.amd64 < 1:1.2.11.dfsg-2+deb11u1 | +----+----------+-------------+------------------+--------------------------------------------------------+ | 12 | High | DSA-5122-1 | CVE-2022-1271 | gzip-1.10-4.amd64 < 0:1.10-4+deb11u1 | +----+----------+-------------+------------------+--------------------------------------------------------+ | 13 | High | DSA-5123-1 | CVE-2022-1271 | liblzma5-5.2.5-2.amd64 < 0:5.2.5-2.1~deb11u1 | +----+----------+-------------+------------------+--------------------------------------------------------+ | 14 | High | DSA-5200-1 | CVE-2021-46828 | libtirpc-common-1.3.1-1.all < 0:1.3.1-1+deb11u1 | | | | | | libtirpc3-1.3.1-1.amd64 < 0:1.3.1-1+deb11u1 | +----+----------+-------------+------------------+--------------------------------------------------------+ | 15 | High | DSA-5203-1 | CVE-2022-2509 | libgnutls30-3.7.1-5.amd64 < 0:3.7.1-5+deb11u2 | +----+----------+-------------+------------------+--------------------------------------------------------+ | 16 | High | no advisory | CVE-2022-29458 | e2fsprogs-1.46.2-2.amd64 >= 0:0.0.0 | | | | | CVE-2018-6829 | libcom-err2-1.46.2-2.amd64 >= 0:0.0.0 | | | | | CVE-2021-43618 | libext2fs2-1.46.2-2.amd64 >= 0:0.0.0 | | | | | CVE-2019-20838 | libss2-1.46.2-2.amd64 >= 0:0.0.0 | | | | | CVE-2021-36690 | logsave-1.46.2-2.amd64 >= 0:0.0.0 | | | | | CVE-2019-19882 | libc-bin-2.31-13.amd64 < 0:2.31-13+deb11u3 | | | | | CVE-2011-4116 | libc6-2.31-13.amd64 < 0:2.31-13+deb11u3 | | | | | CVE-2022-1304 | libexpat1-2.2.10-2.amd64 < 0:2.2.10-2+deb11u5 | | | | | CVE-2017-7246 | libgcrypt20-1.8.7-6.amd64 >= 0:0.0.0 | | | | | CVE-2018-20796 | libgmp10-2:6.2.1+dfsg-1.amd64 < 2:6.2.1+dfsg-1+deb11u1 | | | | | CVE-2019-1010023 | libgssapi-krb5-2-1.18.3-6.amd64 >= 0:0.0.0 | | | | | CVE-2021-39537 | libk5crypto3-1.18.3-6.amd64 >= 0:0.0.0 | | | | | CVE-2020-16156 | libkrb5-3-1.18.3-6.amd64 >= 0:0.0.0 | | | | | CVE-2022-43680 | libkrb5support0-1.18.3-6.amd64 >= 0:0.0.0 | | | | | CVE-2018-5709 | libncursesw6-6.2+20201114-2.amd64 >= 0:0.0.0 | | | | | CVE-2019-9192 | libtinfo6-6.2+20201114-2.amd64 >= 0:0.0.0 | | | | | CVE-2021-3999 | ncurses-base-6.2+20201114-2.all >= 0:0.0.0 | | | | | CVE-2017-7245 | ncurses-bin-6.2+20201114-2.amd64 >= 0:0.0.0 | | | | | CVE-2017-11164 | libpcre3-2:8.39-13.amd64 >= 0:0.0.0 | | | | | CVE-2022-35737 | libsqlite3-0-3.34.1-3.amd64 >= 0:0.0.0 | | | | | CVE-2021-43396 | login-1:4.8.1-1.amd64 >= 0:0.0.0 | | | | | CVE-2021-33560 | passwd-1:4.8.1-1.amd64 >= 0:0.0.0 | | | | | | perl-base-5.32.1-4+deb11u1.amd64 >= 0:0.0.0 | +----+----------+-------------+------------------+--------------------------------------------------------+ | 17 | Medium | DSA-5055-1 | CVE-2021-3996 | bsdutils-1:2.36.1-8.amd64 < 0:2.36.1-8+deb11u1 | | | | | CVE-2021-3995 | libblkid1-2.36.1-8.amd64 < 0:2.36.1-8+deb11u1 | | | | | | libmount1-2.36.1-8.amd64 < 0:2.36.1-8+deb11u1 | | | | | | libsmartcols1-2.36.1-8.amd64 < 0:2.36.1-8+deb11u1 | | | | | | libuuid1-2.36.1-8.amd64 < 0:2.36.1-8+deb11u1 | | | | | | mount-2.36.1-8.amd64 < 0:2.36.1-8+deb11u1 | | | | | | util-linux-2.36.1-8.amd64 < 0:2.36.1-8+deb11u1 | +----+----------+-------------+------------------+--------------------------------------------------------+ | 18 | Medium | DSA-5174-1 | CVE-2022-34903 | gpgv-2.2.27-2.amd64 < 0:2.2.27-2+deb11u2 | +----+----------+-------------+------------------+--------------------------------------------------------+ | 19 | Medium | no advisory | CVE-2022-2097 | bash-5.1-2+b3.amd64 >= 0:0.0.0 | | | | | CVE-2013-4235 | bsdutils-1:2.36.1-8.amd64 >= 0:0.0.0 | | | | | CVE-2019-1010024 | libblkid1-2.36.1-8.amd64 >= 0:0.0.0 | | | | | CVE-2010-0928 | libmount1-2.36.1-8.amd64 >= 0:0.0.0 | | | | | CVE-2021-4209 | libsmartcols1-2.36.1-8.amd64 >= 0:0.0.0 | | | | | CVE-2016-2781 | libuuid1-2.36.1-8.amd64 >= 0:0.0.0 | | | | | CVE-2017-16231 | mount-2.36.1-8.amd64 >= 0:0.0.0 | | | | | CVE-2022-42898 | util-linux-2.36.1-8.amd64 >= 0:0.0.0 | | | | | CVE-2017-18018 | coreutils-8.32-4+b1.amd64 >= 0:0.0.0 | | | | | CVE-2021-45346 | libc-bin-2.31-13.amd64 >= 0:0.0.0 | | | | | CVE-2021-37750 | libc6-2.31-13.amd64 >= 0:0.0.0 | | | | | CVE-2007-6755 | libexpat1-2.2.10-2.amd64 >= 0:0.0.0 | | | | | CVE-2010-4756 | libgnutls30-3.7.1-5.amd64 >= 0:0.0.0 | | | | | CVE-2013-0340 | libgssapi-krb5-2-1.18.3-6.amd64 < 0:1.18.3-6+deb11u1 | | | | | CVE-2021-3997 | libk5crypto3-1.18.3-6.amd64 < 0:1.18.3-6+deb11u1 | | | | | CVE-2011-3389 | libkrb5-3-1.18.3-6.amd64 < 0:1.18.3-6+deb11u1 | | | | | CVE-2022-3715 | libkrb5support0-1.18.3-6.amd64 < 0:1.18.3-6+deb11u1 | | | | | CVE-2022-0563 | libpcre3-2:8.39-13.amd64 >= 0:0.0.0 | | | | | CVE-2020-13529 | libsqlite3-0-3.34.1-3.amd64 >= 0:0.0.0 | | | | | CVE-2022-4415 | libssl1.1-1.1.1k-1.amd64 >= 0:0.0.0 | | | | | CVE-2019-1010025 | openssl-1.1.1k-1.amd64 >= 0:0.0.0 | | | | | CVE-2007-5686 | libsystemd0-247.3-6.amd64 < 0:247.3-7 | | | | | | libudev1-247.3-6.amd64 < 0:247.3-7 | | | | | | login-1:4.8.1-1.amd64 >= 0:0.0.0 | | | | | | passwd-1:4.8.1-1.amd64 >= 0:0.0.0 | +----+----------+-------------+------------------+--------------------------------------------------------+
In this case, more vulnerabilities were detected. We can also see a big difference in the results, but there is already some intersection of the sets.
Vulners ∖ VulnsIO: 13 {'DSA-5287-1', 'DLA-2771-1', 'DLA-2904-1', 'DLA-3022-1', 'DLA-3206-1', 'DLA-2766-1', 'DLA-2935-1', 'DLA-2774-1', 'DLA-3008-1', 'DLA-3152-1', 'DLA-2953-1', 'DSA-5085-2', 'DLA-2952-1'}
Vulners ∩ VulnsIO: 8 {'DSA-5147-1', 'DSA-5073-1', 'DSA-5174-1', 'DSA-4963-1', 'DSA-5169-1', 'DSA-5139-1', 'DSA-5085-1', 'DSA-5103-1'}
VulnsIO ∖ Vulners: 8 {'DSA-5111-1', 'DSA-5055-1', 'DSA-5123-1', 'DSA-5122-1', 'DSA-5236-1', 'DSA-5203-1', 'DSA-5218-1', 'DSA-5200-1'}
We can look at one bulletin that was detected by two APIs.
Vulners:
| 13 | High | DEBIAN:DSA-5147-1:638F9 | CVE-2022-1664 | dpkg 1.20.9 amd64 < 1.20.10 |
Vulns.io:
| 5 | Critical | DSA-5147-1 | CVE-2022-1664 | dpkg-1.20.9.amd64 < 0:1.20.10 |
As you can see from the proofs, the detection criteria are the same. And this is good. I would also like to draw attention to the different values of the criticality level for the bulletin. Debian does not provide a this criticality level, apparently it is calculated by the vendors based on CVSS, but in different ways.
What’s next?
As we can see, support for the Vulners.com and Vulns.io APIs in Scanvus opens up new opportunities for testing the correctness of the detection for all supported Linux distributions.
Currently, support for the Vulners.com API and support for the Vulns.io API are implemented equally, but they are implemented independently. The bash inventory scripts for each of the APIs are different. Two independent reporting functions are also used. It seems right to unify the inventory script so that the same inventory results can be checked with Vulners.com and Vulns.io. It also seems right to create a single format for presenting detection results and convert raw results from APIs into this format. This format could be used for reporting and further integrations. In this way, it will be possible to debug the scheme for adding new APIs to Scanvus.
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.
Pingback: How Debian OVAL content is structured | Alexander V. Leonov
Pingback: February 2024: Vulremi, Vuldetta, PT VM Course relaunch, PT TrendVulns digests, Ivanti, Fortinet, MSPT, Linux PW | Alexander V. Leonov