fleet/cmd/fleetctl/vulnerability_data_stream.go

package main

import (
	"context"
	"errors"
	"os"

	"github.com/fleetdm/fleet/v4/server/vulnerabilities/macoffice"
	"github.com/fleetdm/fleet/v4/server/vulnerabilities/msrc"
	"github.com/fleetdm/fleet/v4/server/vulnerabilities/nvd"
	"github.com/fleetdm/fleet/v4/server/vulnerabilities/oval"
	klog "github.com/go-kit/log"
	"github.com/urfave/cli/v2"
)

func vulnerabilityDataStreamCommand() *cli.Command {
	var dir string
	return &cli.Command{
		Name:  "vulnerability-data-stream",
		Usage: "Download the vulnerability data stream",
		UsageText: `
fleetctl vulnerability-data-stream [options]

Downloads (if needed) the data streams that can be used by the Fleet server to process software for vulnerabilities.
`,
		Flags: []cli.Flag{
			&cli.StringFlag{
				Name:        "dir",
				EnvVars:     []string{"DIR"},
				Value:       "",
				Destination: &dir,
				Usage:       "Directory to place the data streams in",
			},
			configFlag(),
			contextFlag(),
			debugFlag(),
		},
		Action: func(c *cli.Context) error {
			if dir == "" {
				return errors.New("No directory provided")
			}
			err := os.MkdirAll(dir, 0o700)
			if err != nil {
				return err
			}

			log(c, "[-] Downloading CPE database...")
			err = nvd.DownloadCPEDBFromGithub(dir, "")
			if err != nil {
				return err
			}
			log(c, " Done\n")

			log(c, "[-] Downloading CPE translations...")
			err = nvd.DownloadCPETranslationsFromGithub(dir, "")
			if err != nil {
				return err
			}
			log(c, " Done\n")

			log(c, "[-] Downloading NVD CVE feed...")
			err = nvd.DownloadNVDCVEFeed(dir, "", false, klog.NewNopLogger())
			if err != nil {
				return err
			}
			log(c, " Done\n")

			log(c, "[-] Downloading EPSS feed...")
			err = nvd.DownloadEPSSFeed(dir)
			if err != nil {
				return err
			}
			log(c, " Done\n")

			log(c, "[-] Downloading CISA known exploits feed...")
			err = nvd.DownloadCISAKnownExploitsFeed(dir)
			if err != nil {
				return err
			}
			log(c, " Done\n")

			log(c, "[-] Downloading Oval definitions...")
			err = oval.Sync(dir, nil)
			if err != nil {
				return err
			}
			log(c, " Done\n")

			log(c, "[-] Downloading MSRC artifacts...")
			ctx := context.Background()
			err = msrc.SyncFromGithub(ctx, dir, nil)
			if err != nil {
				return err
			}
			log(c, " Done\n")

			log(c, "[-] Downloading MacOffice release notes...")
			err = macoffice.SyncFromGithub(ctx, dir)
			if err != nil {
				return err
			}
			log(c, " Done\n")

			log(c, "[+] Data streams successfully downloaded!\n")
			return nil
		},
	}
}
Issue 1963 vulnerabilities no sync (#1976) * wip * Add tests for skip sync * Add changes file * Fix lint 2021-09-14 13:58:35 +00:00			`package main`

			`import (`
Feature 7494: Use the MSRC security bulletin artifacts for detecting Win OS vulnerabilities (#7889) Use the MSRC security bulletin artifacts for detecting Win OS vulnerabilities 2022-10-28 15:12:21 +00:00			`"context"`
Use new error handling approach in other packages (#2954) 2021-11-22 14:13:26 +00:00			`"errors"`
Issue 1963 vulnerabilities no sync (#1976) * wip * Add tests for skip sync * Add changes file * Fix lint 2021-09-14 13:58:35 +00:00			`"os"`

Feature 9386: Parse the Mac Office release notes for vulnerability processing (#9993) This PR adds the capability of parsing the release notes posted in https://learn.microsoft.com/en-us/officeupdates/release-notes-office-for-mac into a JSON metadata file (to be released in the NVD repo) and use it for detecting vulnerabilities on Mac Office apps. 2023-02-24 18:18:25 +00:00			`"github.com/fleetdm/fleet/v4/server/vulnerabilities/macoffice"`
Feature 7494: Use the MSRC security bulletin artifacts for detecting Win OS vulnerabilities (#7889) Use the MSRC security bulletin artifacts for detecting Win OS vulnerabilities 2022-10-28 15:12:21 +00:00			`"github.com/fleetdm/fleet/v4/server/vulnerabilities/msrc"`
Fixes various bugs with NVD vulnerability detection (#7963) - Improved NVD CPE matching process. - Fixed bug with the 'software/<id>' endpoint not showing the generated_cpe value. 2022-10-04 11:04:48 +00:00			`"github.com/fleetdm/fleet/v4/server/vulnerabilities/nvd"`
Improve vulnerability detection for Ubuntu (#6102) Feature: Improve our capability to detect vulnerable software on Ubuntu hosts To improve the capability of detecting vulnerable software on Ubuntu, we are now using OVAL definitions to detect vulnerable software on Ubuntu hosts. If data sync is enabled (disable_data_sync=false) OVAL definitions are automatically kept up to date (they are 'refreshed' once per day) - there's also the option to manually download the OVAL definitions using the 'fleetctl vulnerability-data-stream' command. Downloaded definitions are then parsed into an intermediary format and then used to identify vulnerable software on Ubuntu hosts. Finally, any 'recent' detected vulnerabilities are sent to any third-party integrations. 2022-06-08 01:09:47 +00:00			`"github.com/fleetdm/fleet/v4/server/vulnerabilities/oval"`
Use NVD API 2.0 to download CVE information (#15102) #14888 @getvictor This is ready for review, but keeping as draft as there are probably many tests that need amending. I used the new version of the `./tools/nvd/nvdvuln/nvdvuln.go` to compare the current vulnerabilities found in our dogfood environment with the vulnerabilities found by the code in this PR and both results match: ``` go run -race -tags fts5 ./tools/nvd/nvdvuln/nvdvuln.go --debug --db_dir ./local --software_from_url <dogfood URL> --software_from_api_token <API_TOKEN> --sync 2>&1 \| tee out.txt [...] CVEs found and expected matched! ``` - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Added/updated tests - [X] Manual QA for all new/changed functionality --------- Co-authored-by: Victor Lyuboslavsky <victor@fleetdm.com> Co-authored-by: Victor Lyuboslavsky <victor.lyuboslavsky@gmail.com> 2023-11-21 18:30:07 +00:00			`klog "github.com/go-kit/log"`
Issue 1963 vulnerabilities no sync (#1976) * wip * Add tests for skip sync * Add changes file * Fix lint 2021-09-14 13:58:35 +00:00			`"github.com/urfave/cli/v2"`
			`)`

			`func vulnerabilityDataStreamCommand() *cli.Command {`
			`var dir string`
			`return &cli.Command{`
			`Name: "vulnerability-data-stream",`
			`Usage: "Download the vulnerability data stream",`
			UsageText: `
			`fleetctl vulnerability-data-stream [options]`

			`Downloads (if needed) the data streams that can be used by the Fleet server to process software for vulnerabilities.`
			`,
			`Flags: []cli.Flag{`
			`&cli.StringFlag{`
			`Name: "dir",`
			`EnvVars: []string{"DIR"},`
			`Value: "",`
			`Destination: &dir,`
			`Usage: "Directory to place the data streams in",`
			`},`
			`configFlag(),`
			`contextFlag(),`
			`debugFlag(),`
			`},`
			`Action: func(c *cli.Context) error {`
			`if dir == "" {`
			`return errors.New("No directory provided")`
			`}`
			`err := os.MkdirAll(dir, 0o700)`
			`if err != nil {`
			`return err`
			`}`

			`log(c, "[-] Downloading CPE database...")`
Fleet server and tooling to use `NETWORK_TEST_GITHUB_TOKEN` when environment variable is set. (#9143) * WIP * Add more logging * Check rate limit at end of action * Add github client in more places * Add new published firefox 93 vulnerabilities to tests * Remove fmt printfs * Restore CI check settings * Readd newline 2023-01-03 17:56:11 +00:00			`err = nvd.DownloadCPEDBFromGithub(dir, "")`
improve vuln cpe matching on macos (#6985) * add cpe translations * fix matching on target_sw 2022-09-01 16:02:07 +00:00			`if err != nil {`
			`return err`
			`}`
			`log(c, " Done\n")`

			`log(c, "[-] Downloading CPE translations...")`
Fleet server and tooling to use `NETWORK_TEST_GITHUB_TOKEN` when environment variable is set. (#9143) * WIP * Add more logging * Check rate limit at end of action * Add github client in more places * Add new published firefox 93 vulnerabilities to tests * Remove fmt printfs * Restore CI check settings * Readd newline 2023-01-03 17:56:11 +00:00			`err = nvd.DownloadCPETranslationsFromGithub(dir, "")`
Issue 1963 vulnerabilities no sync (#1976) * wip * Add tests for skip sync * Add changes file * Fix lint 2021-09-14 13:58:35 +00:00			`if err != nil {`
			`return err`
			`}`
			`log(c, " Done\n")`

Sync CVE scores periodically (#5838) 2022-06-01 16:06:57 +00:00			`log(c, "[-] Downloading NVD CVE feed...")`
Use NVD API 2.0 to download CVE information (#15102) #14888 @getvictor This is ready for review, but keeping as draft as there are probably many tests that need amending. I used the new version of the `./tools/nvd/nvdvuln/nvdvuln.go` to compare the current vulnerabilities found in our dogfood environment with the vulnerabilities found by the code in this PR and both results match: ``` go run -race -tags fts5 ./tools/nvd/nvdvuln/nvdvuln.go --debug --db_dir ./local --software_from_url <dogfood URL> --software_from_api_token <API_TOKEN> --sync 2>&1 \| tee out.txt [...] CVEs found and expected matched! ``` - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Added/updated tests - [X] Manual QA for all new/changed functionality --------- Co-authored-by: Victor Lyuboslavsky <victor@fleetdm.com> Co-authored-by: Victor Lyuboslavsky <victor.lyuboslavsky@gmail.com> 2023-11-21 18:30:07 +00:00			`err = nvd.DownloadNVDCVEFeed(dir, "", false, klog.NewNopLogger())`
Sync CVE scores periodically (#5838) 2022-06-01 16:06:57 +00:00			`if err != nil {`
			`return err`
			`}`
			`log(c, " Done\n")`

			`log(c, "[-] Downloading EPSS feed...")`
Fleet server and tooling to use `NETWORK_TEST_GITHUB_TOKEN` when environment variable is set. (#9143) * WIP * Add more logging * Check rate limit at end of action * Add github client in more places * Add new published firefox 93 vulnerabilities to tests * Remove fmt printfs * Restore CI check settings * Readd newline 2023-01-03 17:56:11 +00:00			`err = nvd.DownloadEPSSFeed(dir)`
Sync CVE scores periodically (#5838) 2022-06-01 16:06:57 +00:00			`if err != nil {`
			`return err`
			`}`
			`log(c, " Done\n")`

			`log(c, "[-] Downloading CISA known exploits feed...")`
Fleet server and tooling to use `NETWORK_TEST_GITHUB_TOKEN` when environment variable is set. (#9143) * WIP * Add more logging * Check rate limit at end of action * Add github client in more places * Add new published firefox 93 vulnerabilities to tests * Remove fmt printfs * Restore CI check settings * Readd newline 2023-01-03 17:56:11 +00:00			`err = nvd.DownloadCISAKnownExploitsFeed(dir)`
Issue 1963 vulnerabilities no sync (#1976) * wip * Add tests for skip sync * Add changes file * Fix lint 2021-09-14 13:58:35 +00:00			`if err != nil {`
			`return err`
			`}`
Improve vulnerability detection for Ubuntu (#6102) Feature: Improve our capability to detect vulnerable software on Ubuntu hosts To improve the capability of detecting vulnerable software on Ubuntu, we are now using OVAL definitions to detect vulnerable software on Ubuntu hosts. If data sync is enabled (disable_data_sync=false) OVAL definitions are automatically kept up to date (they are 'refreshed' once per day) - there's also the option to manually download the OVAL definitions using the 'fleetctl vulnerability-data-stream' command. Downloaded definitions are then parsed into an intermediary format and then used to identify vulnerable software on Ubuntu hosts. Finally, any 'recent' detected vulnerabilities are sent to any third-party integrations. 2022-06-08 01:09:47 +00:00			`log(c, " Done\n")`
improve vuln cpe matching on macos (#6985) * add cpe translations * fix matching on target_sw 2022-09-01 16:02:07 +00:00
Improve vulnerability detection for Ubuntu (#6102) Feature: Improve our capability to detect vulnerable software on Ubuntu hosts To improve the capability of detecting vulnerable software on Ubuntu, we are now using OVAL definitions to detect vulnerable software on Ubuntu hosts. If data sync is enabled (disable_data_sync=false) OVAL definitions are automatically kept up to date (they are 'refreshed' once per day) - there's also the option to manually download the OVAL definitions using the 'fleetctl vulnerability-data-stream' command. Downloaded definitions are then parsed into an intermediary format and then used to identify vulnerable software on Ubuntu hosts. Finally, any 'recent' detected vulnerabilities are sent to any third-party integrations. 2022-06-08 01:09:47 +00:00			`log(c, "[-] Downloading Oval definitions...")`
Fleet server and tooling to use `NETWORK_TEST_GITHUB_TOKEN` when environment variable is set. (#9143) * WIP * Add more logging * Check rate limit at end of action * Add github client in more places * Add new published firefox 93 vulnerabilities to tests * Remove fmt printfs * Restore CI check settings * Readd newline 2023-01-03 17:56:11 +00:00			`err = oval.Sync(dir, nil)`
Improve vulnerability detection for Ubuntu (#6102) Feature: Improve our capability to detect vulnerable software on Ubuntu hosts To improve the capability of detecting vulnerable software on Ubuntu, we are now using OVAL definitions to detect vulnerable software on Ubuntu hosts. If data sync is enabled (disable_data_sync=false) OVAL definitions are automatically kept up to date (they are 'refreshed' once per day) - there's also the option to manually download the OVAL definitions using the 'fleetctl vulnerability-data-stream' command. Downloaded definitions are then parsed into an intermediary format and then used to identify vulnerable software on Ubuntu hosts. Finally, any 'recent' detected vulnerabilities are sent to any third-party integrations. 2022-06-08 01:09:47 +00:00			`if err != nil {`
			`return err`
			`}`
Issue 1963 vulnerabilities no sync (#1976) * wip * Add tests for skip sync * Add changes file * Fix lint 2021-09-14 13:58:35 +00:00			`log(c, " Done\n")`

Feature 7494: Use the MSRC security bulletin artifacts for detecting Win OS vulnerabilities (#7889) Use the MSRC security bulletin artifacts for detecting Win OS vulnerabilities 2022-10-28 15:12:21 +00:00			`log(c, "[-] Downloading MSRC artifacts...")`
			`ctx := context.Background()`
Fleet server and tooling to use `NETWORK_TEST_GITHUB_TOKEN` when environment variable is set. (#9143) * WIP * Add more logging * Check rate limit at end of action * Add github client in more places * Add new published firefox 93 vulnerabilities to tests * Remove fmt printfs * Restore CI check settings * Readd newline 2023-01-03 17:56:11 +00:00			`err = msrc.SyncFromGithub(ctx, dir, nil)`
Feature 7494: Use the MSRC security bulletin artifacts for detecting Win OS vulnerabilities (#7889) Use the MSRC security bulletin artifacts for detecting Win OS vulnerabilities 2022-10-28 15:12:21 +00:00			`if err != nil {`
			`return err`
			`}`
			`log(c, " Done\n")`

Feature 9386: Parse the Mac Office release notes for vulnerability processing (#9993) This PR adds the capability of parsing the release notes posted in https://learn.microsoft.com/en-us/officeupdates/release-notes-office-for-mac into a JSON metadata file (to be released in the NVD repo) and use it for detecting vulnerabilities on Mac Office apps. 2023-02-24 18:18:25 +00:00			`log(c, "[-] Downloading MacOffice release notes...")`
			`err = macoffice.SyncFromGithub(ctx, dir)`
			`if err != nil {`
			`return err`
			`}`
			`log(c, " Done\n")`

Issue 1963 vulnerabilities no sync (#1976) * wip * Add tests for skip sync * Add changes file * Fix lint 2021-09-14 13:58:35 +00:00			`log(c, "[+] Data streams successfully downloaded!\n")`
			`return nil`
			`},`
			`}`
			`}`