cvehound's Introduction

cvehound's Issues

9 CVE bugs in Linux-next.

It's an interesting project, but I'm wondering why there are still 9 CVE bugs in Linux-next.

I use coccinelle rules in /cve directly.

Thanks

speedup tests

  • keep .git in ram?
  • keep whole tree in ram?
  • mount tmpfs temp && mount --bind linux temp?

Which license is this project using?

According to LICENSE it is GPLv3.

According to setup.py it is GPLv2.

Finally, is it supposed to be GPLv{2,3} only, or also any later version?

CVE-2016-9793 fails on latest coccinelle

FAILED tests/test_03_on_fix.py::test_on_fix[CVE-2016-9793] - AssertionError: CVE-2016-9793 fails to detect fix~ commit
FAILED tests/test_04_on_fixes.py::test_on_fixes[CVE-2016-9793] - AssertionError: fails to detect on fixes tag

Earliest version of Linux kernel that is supported?

I couldn't find anywhere which versions of the Linux kernel are supported. I tried with a 2.4 source tree and got this error:

$ cvehound -k=/tmp/src/EdiLinux/linux-2.4.18-adm/
Traceback (most recent call last):
  File "/nix/store/ibiwly61jv0gz5fjxfcv6y3absgwhiwp-cvehound-1.0.4/bin/.cvehound-wrapped", line 9, in <module>
    sys.exit(main())
  File "/nix/store/ibiwly61jv0gz5fjxfcv6y3absgwhiwp-cvehound-1.0.4/lib/python3.9/site-packages/cvehound/__main__.py", line 128, in main
    report['kernel'] = get_kernel_version(cmdargs.kernel)
  File "/nix/store/ibiwly61jv0gz5fjxfcv6y3absgwhiwp-cvehound-1.0.4/lib/python3.9/site-packages/cvehound/util.py", line 48, in get_kernel_version
    version['name'] = getparam()
  File "/nix/store/ibiwly61jv0gz5fjxfcv6y3absgwhiwp-cvehound-1.0.4/lib/python3.9/site-packages/cvehound/util.py", line 43, in getparam
    return line.split('=')[1].strip()
IndexError: list index out of range

(don't worry about the strange paths, I am deploying cvehound with Nix)

Is 2.4 too old to be scanned?

AttributeError: 'str' object has no attribute 'removesuffix'

Hi, getting some errors:

solt@Holodeck:~$ python3 -V
Python 3.8.5
solt@Holodeck:~$ cvehound --dir ~/workspace/linux-source-5.4.0 --verbose
Traceback (most recent call last):
  File "/home/solt/.local/bin/cvehound", line 8, in <module>
    sys.exit(main())
  File "/home/solt/.local/lib/python3.8/site-packages/cvehound/__init__.py", line 142, in main
    known_cves = get_all_cves()
  File "/home/solt/.local/lib/python3.8/site-packages/cvehound/__init__.py", line 124, in get_all_cves
    return [cve.removesuffix('.cocci').removesuffix('.grep')
  File "/home/solt/.local/lib/python3.8/site-packages/cvehound/__init__.py", line 124, in <listcomp>
    return [cve.removesuffix('.cocci').removesuffix('.grep')
AttributeError: 'str' object has no attribute 'removesuffix'

Add rules for CVEs with exploits

According to https://bdu.fstec.ru/vul the following CVEs have public/private exploits:

Public exploits:

Private exploits:

CVE-2021-28971 crash and wrong architecture

I have 4.14.193 arm64 kernel.

The CVE is x86 specific.

$ ~/.local/bin/cvehound --kernel my_kernel --config my_kernel_config --cve CVE-2021-28971
Found: CVE-2021-28971
MSG: perf/x86/intel: Fix a crash caused by zero PEBS status
CWE: Uncontrolled Resource Consumption
CVSS2: 4.9
CVSS3: 5.5
FIX DATE: 2021-03-16
https://www.linuxkernelcves.com/cves/CVE-2021-28971
Affected Files:
Traceback (most recent call last):
  File "/home/jere/.local/bin/cvehound", line 8, in <module>
    sys.exit(main())
  File "/home/jere/.local/lib/python3.9/site-packages/cvehound/__main__.py", line 147, in main
    result = hound.check_cve(cve, cmdargs.all_files)
  File "/home/jere/.local/lib/python3.9/site-packages/cvehound/__init__.py", line 231, in check_cve
    self._print_affected_files(config_result)
  File "/home/jere/.local/lib/python3.9/site-packages/cvehound/__init__.py", line 109, in _print_affected_files
    logging.info(' - ' + file + ': ' + logic + '\n   ' + self.config_file + ': ' + affected)
TypeError: can only concatenate str (not "bool") to str

When I remove the logic variable on line 109 above, I get:

$ ~/.local/bin/cvehound --kernel my_kernel --config my_kernel_config --cve CVE-2021-28971 --report
Found: CVE-2021-28971
MSG: perf/x86/intel: Fix a crash caused by zero PEBS status
CWE: Uncontrolled Resource Consumption
CVSS2: 4.9
CVSS3: 5.5
FIX DATE: 2021-03-16
https://www.linuxkernelcves.com/cves/CVE-2021-28971
Affected Files:
 - arch/x86/events/intel/ds.c:
   my_kernel_config: affected
Config: my_kernel_config affected

Report saved to: report.json


About getting the latest rules

Hi! Is it necessary to install from the source code to obtain the complete and latest CVE data? If so, would you consider separating the regular rules from the program, so that the rules can be obtained from the cloud without updating the program?

--exploit shows KeyError: 'CVE-2022-0185'

torvalds (master *)$ cvehound -k . -e
Traceback (most recent call last):
  File "/usr/bin/cvehound", line 33, in <module>
    sys.exit(load_entry_point('cvehound==1.0.8', 'console_scripts', 'cvehound')())
  File "/usr/lib/python3/site-packages/cvehound/__main__.py", line 141, in main
    if cmdargs.exploit and not hound.get_cve_exploit(cve):
  File "/usr/lib/python3/site-packages/cvehound/__init__.py", line 284, in get_cve_exploit
    return self.metadata[cve]['exploit']
KeyError: 'CVE-2022-0185'

Failed to check CVE

Hi,

I downloaded kernel source on Ubuntu 20.04.1 LTS with sudo apt install linux-source.
I then unpacked the linux-source.5.4.0.tar.bz2 to a folder and tried running cvehound but it's saying Failed to check CVE-####.
I suppose it doesn't mean it's fine, but it failed. How can I debug it?

lscpu: failed to determine number of CPUs: /sys/devices/system/cpu/possible: No such file or directory

In a restricted environment without /sys (such as some CI-like build setups), lscpu outputs an error:

lscpu: failed to determine number of CPUs: /sys/devices/system/cpu/possible: No such file or directory

I think continuing to run cvehound even with an incorrect thread count is preferable (more robust) to detecting this system configuration (which the end user may not even be able to solve). Can you add a fallback for this? For example:

diff --git a/cvehound/cpu.py b/cvehound/cpu.py
index db89c84..ffe32fb 100644
--- a/cvehound/cpu.py
+++ b/cvehound/cpu.py
@@ -8,11 +8,14 @@ def get_active_cores():
     return len(os.sched_getaffinity(0))

 def get_threads_per_core():
-    lscpu = (subprocess.run(['lscpu'],
-                stdout=PIPE, stderr=PIPE, check=True)
+    try:
+        lscpu = (subprocess.run(['lscpu'],
+            stdout=PIPE, stderr=PIPE, check=True)
             .stdout.decode('utf-8'))
-    line = next(line for line in lscpu.split('\n') if line.startswith('Thread(s)'))
-    return int(line.split(':')[1])
+        line = next(line for line in lscpu.split('\n') if line.startswith('Thread(s)'))
+        return int(line.split(':')[1])
+    except subprocess.CalledProcessError:
+        return 1


 class CPU():
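Review bot: the new except clause in get_threads_per_core only catches subprocess.CalledProcessError, but the other ways this call fails in a restricted environment escape it: FileNotFoundError when lscpu is not installed at all, and StopIteration from the `next(...)` line when lscpu runs but prints no "Thread(s)" line (and if it prints an unexpected value, `int(line.split(':')[1])` raises ValueError). Suggest `except (subprocess.CalledProcessError, FileNotFoundError, StopIteration, ValueError):` and logging a warning before `return 1`, so the silent fallback to one thread per core is visible to the user.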

suggestion: split spatch output for easier postprocessing of results

Currently the results of cvehound do not include the names of the files in which issues were found as separate fields, although that information is included in the spatch output, for example:

"spatch_output": "/tmp/linux-3.10.36/arch/x86/mm/mmap.c:38:20-40: ERROR: CVE-2015-1593\n/tmp/linux-3.10.36/fs/binfmt_elf.c:559:18-19: ERROR: CVE-2015-1593"

It would be nice if the affected files and line ranges could be added to the output separately so people don't have to write their own postprocessing code.
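As an added illustration (not part of the issue or of the cvehound project), a small Python parser for the spatch_output format quoted above that splits each report line into file, line, column range and CVE id, and keeps any line it cannot parse instead of silently dropping it; the sample input is constructed.

```python
import os
import re
from typing import Dict, List, Optional

# Constructed sample shaped like the "spatch_output" field quoted in the issue
# (paths and positions are illustrative; the last line has no position at all).
SAMPLE_SPATCH_OUTPUT = (
    "/tmp/linux-3.10.36/arch/x86/mm/mmap.c:38:20-40: ERROR: CVE-2015-1593\n"
    "/tmp/linux-3.10.36/fs/binfmt_elf.c:559:18-19: ERROR: CVE-2015-1593\n"
    "warning: some coccinelle diagnostic without a position"
)

# One report line: <path>:<line>:<col_start>-<col_end>: <LEVEL>: <message>
_REPORT_RE = re.compile(
    r"^(?P<path>.+?):(?P<line>\d+):(?P<col_start>\d+)-(?P<col_end>\d+):\s+"
    r"(?P<level>[A-Z]+):\s+(?P<msg>.+)$"
)
_CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_spatch_output(spatch_output: str, kernel_root: Optional[str] = None) -> Dict[str, list]:
    """Return {"findings": [...], "unparsed": [...]}; unmatched lines are kept, not dropped."""
    findings, unparsed = [], []
    for raw in spatch_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _REPORT_RE.match(line)
        if not m:
            unparsed.append(line)  # surface it so a format change is noticed
            continue
        path = m.group("path")
        if kernel_root:
            path = os.path.relpath(path, kernel_root)  # path relative to the scanned tree
        cve = _CVE_RE.search(m.group("msg"))
        findings.append({
            "file": path,
            "line": int(m.group("line")),
            "col_start": int(m.group("col_start")),
            "col_end": int(m.group("col_end")),
            "level": m.group("level"),
            "cve": cve.group(0) if cve else None,
        })
    return {"findings": findings, "unparsed": unparsed}


def affected_files(spatch_output: str, kernel_root: Optional[str] = None) -> List[str]:
    """Sorted, de-duplicated list of files named in the spatch output."""
    return sorted({f["file"] for f in parse_spatch_output(spatch_output, kernel_root)["findings"]})
```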

Add CVEs described in commit messages

These are commits with direct reference to CVE identifiers and Fixes tags. These commits are easy targets to make rules based on them.
