Upgrade macOS package cases for Vulnerability Scanner E2E are not properly configured #5312
Comments
After a meeting with @wazuh/devel-qa-div2, changed the issue description to coordinate with the implementation of this issue. Changes made in the branch:

Update: Changes made, still to be checked by launching the new VD test.

Moved to on hold due to 4.8.0-rc1 release testing.

Update: Time of the VD test with only one macOS agent ≈ 1h 30min. After launching the test with the changes, it still fails.

Update: Time of the VD test with only one macOS agent and only the issue's VD case ≈ 50min. After launching the test with only the issue's VD case, it still fails.
Manual test (upgrade_package_nonvulnerable_to_vulnerable) 🟢

Install luxon 2.5.2 (no vulnerabilities)

macOS agent

```
sh-3.2# npm install -g luxon@2.5.2

added 1 package in 298ms
sh-3.2# npm list -g
/usr/local/lib
├── [email protected]
├── [email protected]
└── [email protected]
sh-3.2#
```

Manager

```
{"timestamp":"2024-05-07T14:56:26.872+0000","rule":{"level":3,"description":"Wazuh server started.","id":"502","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"000","name":"ip-172-31-15-154"},"manager":{"name":"ip-172-31-15-154"},"id":"1715093786.2812802","cluster":{"name":"wazuh","node":"master"},"full_log":"ossec: Manager started.","decoder":{"name":"ossec"},"location":"wazuh-monitord"}
{"timestamp":"2024-05-07T14:57:46.251+0000","rule":{"level":3,"description":"Wazuh agent started.","id":"503","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"001","name":"agent1"},"manager":{"name":"ip-172-31-15-154"},"id":"1715093866.2813060","cluster":{"name":"wazuh","node":"master"},"full_log":"ossec: Agent started: 'agent1->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"agent1->any"},"location":"wazuh-agent"}
```

Upgrade to luxon 3.0.0 (new vulnerability)

macOS agent

```
sh-3.2# npm install -g luxon@3.0.0

changed 1 package in 133ms
sh-3.2# npm list -g
/usr/local/lib
├── [email protected]
├── [email protected]
└── [email protected]
```

Manager

```
{"timestamp":"2024-05-07T14:56:26.872+0000","rule":{"level":3,"description":"Wazuh server started.","id":"502","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"000","name":"ip-172-31-15-154"},"manager":{"name":"ip-172-31-15-154"},"id":"1715093786.2812802","cluster":{"name":"wazuh","node":"master"},"full_log":"ossec: Manager started.","decoder":{"name":"ossec"},"location":"wazuh-monitord"}
{"timestamp":"2024-05-07T14:57:46.251+0000","rule":{"level":3,"description":"Wazuh agent started.","id":"503","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"001","name":"agent1"},"manager":{"name":"ip-172-31-15-154"},"id":"1715093866.2813060","cluster":{"name":"wazuh","node":"master"},"full_log":"ossec: Agent started: 'agent1->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"agent1->any"},"location":"wazuh-agent"}
{"timestamp":"2024-05-07T15:02:18.205+0000","rule":{"level":7,"description":"Listened ports status (netstat) changed (new port opened or closed).","id":"533","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.2.7","10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"ip-172-31-15-154"},"manager":{"name":"ip-172-31-15-154"},"id":"1715094138.2813383","cluster":{"name":"wazuh","node":"master"},"previous_output":"Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* /usr\ntcp6 :::22 :::* /usr\ntcp 127.0.0.53:53 0.0.0.0:* 495/systemd-resolve\nudp 127.0.0.53:53 0.0.0.0:* 495/systemd-resolve\nudp 172.31.15.154:68 0.0.0.0:* 493/systemd-network\ntcp 0.0.0.0:443 0.0.0.0:* 82210/node\ntcp 0.0.0.0:1514 0.0.0.0:* 105914/wazuh-remote\ntcp 0.0.0.0:1515 0.0.0.0:* 105777/wazuh-authd\ntcp6 172.31.15.154:9200 :::* 13222/java\ntcp6 172.31.15.154:9300 :::* 13222/java\ntcp 0.0.0.0:55000 0.0.0.0:* 105729/python3","full_log":"ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* /usr\ntcp6 :::22 :::* /usr\ntcp 127.0.0.53:53 0.0.0.0:* 495/systemd-resolve\nudp 127.0.0.53:53 0.0.0.0:* 495/systemd-resolve\nudp 172.31.15.154:68 0.0.0.0:* 493/systemd-network\ntcp 0.0.0.0:443 0.0.0.0:* 82210/node\ntcp 0.0.0.0:1514 0.0.0.0:* 105914/wazuh-remote\ntcp 0.0.0.0:1515 0.0.0.0:* 105777/wazuh-authd\ntcp 0.0.0.0:1516 0.0.0.0:* 106354/python3\ntcp6 172.31.15.154:9200 :::* 13222/java\ntcp6 172.31.15.154:9300 :::* 13222/java\ntcp 0.0.0.0:55000 0.0.0.0:* 105729/python3","decoder":{"name":"ossec"},"previous_log":"ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* /usr\ntcp6 :::22 :::* /usr\ntcp 127.0.0.53:53 0.0.0.0:* 495/systemd-resolve\nudp 127.0.0.53:53 0.0.0.0:* 495/systemd-resolve\nudp 172.31.15.154:68 0.0.0.0:* 493/systemd-network\ntcp 0.0.0.0:443 0.0.0.0:* 82210/node\ntcp 0.0.0.0:1514 0.0.0.0:* 105914/wazuh-remote\ntcp 0.0.0.0:1515 0.0.0.0:* 105777/wazuh-authd\ntcp6 172.31.15.154:9200 :::* 13222/java\ntcp6 172.31.15.154:9300 :::* 13222/java\ntcp 0.0.0.0:55000 0.0.0.0:* 105729/python3","location":"netstat listening ports"}
{"timestamp":"2024-05-07T15:04:17.784+0000","rule":{"level":7,"description":"CVE-2022-31129 affects luxon","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"agent1","ip":"192.168.64.7"},"manager":{"name":"ip-172-31-15-154"},"id":"1715094257.2814761","cluster":{"name":"wazuh","node":"master"},"decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"GitHub_M","cve":"CVE-2022-31129","cvss":{"cvss2":{"base_score":"5","vector":{"access_complexity":"LOW","authentication":"NONE","availability":"PARTIAL","confidentiality_impact":"NONE","integrity_impact":"NONE"}}},"cwe_reference":"CWE-1333","enumeration":"CVE","package":{"architecture":" ","condition":"Package less than 3.2.1","name":"luxon","source":" ","version":"3.0.0"},"published":"2022-07-06T18:15:19Z","rationale":"moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.","reference":"https://github.com/moment/moment/pull/6015#issuecomment-1152961973, https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/, https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g, https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html, https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3, https://security.netapp.com/advisory/ntap-20221014-0003/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/","severity":"Medium","status":"Active","title":"CVE-2022-31129 affects luxon","type":"Packages","updated":"2023-11-07T03:47:32Z"}},"location":"vulnerability-detector"}
```
Having checked that it is correct manually and looking at the report, we can see the following:

LGTM
Description

The recent replacement of Vulnerability Detection End-to-End (E2E) test cases for the macOS agent in PR #5174 introduced an issue where upgrade cases lack the necessary setup steps to install the specified package, leading to test failures on macOS endpoints.

Issue

In cases such as upgrade_package_nonvulnerable_to_vulnerable, the goal is to confirm that the luxon-2.5.2 version does not present any vulnerability and that the new vulnerability associated with the updated version, luxon-3.0.0, emerges. However, the current upgrade package structure only installs the package specified in the to field, assuming it is already present on the host system. This approach was likely implemented to avoid redundant package installations.
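The setup ordering the description says the upgrade cases lack, together with the alert check the manual test above performs by eye, as an added example in Python. This is not wazuh-qa code and does not use its YAML schema: the case dict with `from`/`to` specs in `name-version` form and an `expect_cves` list is a hypothetical layout, and the alert lines are constructed, trimmed copies of the manager output shown in the manual test, reduced to the fields the check reads.

```python
import json

# Constructed sample alerts (trimmed copies of the manager output in the manual
# test above; not real alerts.json captures). The first list is what the manager
# emitted while luxon 2.5.2 was installed, the second after the upgrade to 3.0.0.
ALERTS_BEFORE_UPGRADE = [
    '{"timestamp":"2024-05-07T14:57:46.251+0000","rule":{"id":"503",'
    '"groups":["ossec"]},"agent":{"id":"001","name":"agent1"},'
    '"location":"wazuh-agent"}',
]
ALERTS_AFTER_UPGRADE = ALERTS_BEFORE_UPGRADE + [
    '{"timestamp":"2024-05-07T15:04:17.784+0000","rule":{"id":"23504",'
    '"groups":["vulnerability-detector"]},"agent":{"id":"001","name":"agent1"},'
    '"data":{"vulnerability":{"cve":"CVE-2022-31129","status":"Active",'
    '"package":{"name":"luxon","version":"3.0.0"}}},'
    '"location":"vulnerability-detector"}',
]

# Hypothetical case layout (assumption, not the wazuh-qa YAML schema).
CASE = {
    "name": "upgrade_package_nonvulnerable_to_vulnerable",
    "from": "luxon-2.5.2",
    "to": "luxon-3.0.0",
    "expect_cves": ["CVE-2022-31129"],
}


def split_spec(spec):
    """'luxon-2.5.2' -> ('luxon', '2.5.2'); the version is the last '-' field."""
    name, _, version = spec.rpartition("-")
    if not name or not version:
        raise ValueError(f"bad package spec: {spec!r}")
    return name, version


def plan_case(case):
    """Ordered npm commands a case needs on the macOS agent.

    The defect described in the issue is that only the "to" package was
    installed. An upgrade case must install "from" first so the detector has a
    non-vulnerable baseline to report against; a case without "from" is a plain
    install case and gets a single command.
    """
    steps = []
    if "from" in case:
        name, version = split_spec(case["from"])
        steps.append(f"npm install -g {name}@{version}")
    name, version = split_spec(case["to"])
    steps.append(f"npm install -g {name}@{version}")
    return steps


def vd_alerts(lines, agent_id, package):
    """(cve, version, status) for vulnerability-detector alerts on one package."""
    found = []
    for line in lines:
        alert = json.loads(line)
        if "vulnerability-detector" not in alert["rule"].get("groups", []):
            continue  # rules 502/503/533 etc. are not detector alerts
        if alert["agent"]["id"] != agent_id:
            continue
        vuln = alert["data"]["vulnerability"]
        if vuln["package"]["name"] != package:
            continue
        found.append((vuln["cve"], vuln["package"]["version"], vuln["status"]))
    return found


def check_upgrade_case(case, before_lines, after_lines, agent_id="001"):
    """Return a list of problems; an empty list means the case passes."""
    name, from_version = split_spec(case["from"])
    _, to_version = split_spec(case["to"])
    problems = []
    # Baseline: the non-vulnerable version must not be flagged before upgrade.
    for cve, version, _status in vd_alerts(before_lines, agent_id, name):
        if version == from_version:
            problems.append(f"{name} {from_version} flagged before upgrade: {cve}")
    # After the upgrade: every expected CVE must be Active for the new version.
    active = {cve for cve, version, status in vd_alerts(after_lines, agent_id, name)
              if version == to_version and status == "Active"}
    for cve in sorted(set(case["expect_cves"]) - active):
        problems.append(f"no active alert for {cve} on {name} {to_version}")
    return problems


if __name__ == "__main__":
    print(plan_case(CASE))
    print(check_upgrade_case(CASE, ALERTS_BEFORE_UPGRADE, ALERTS_AFTER_UPGRADE) or "PASS")
```

`plan_case` is the part the issue is about: it emits the `from` install before the `to` install whenever a case carries both, instead of assuming the starting version is already on the host. `check_upgrade_case` is the assertion the E2E case ultimately makes, split into the two windows the manual test captured: no detector alert for 2.5.2 before the upgrade, an Active CVE-2022-31129 alert for 3.0.0 after it.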