timesysgit / vigiles-openwrt
Vulnerability management tool that provides OpenWRT SBOM generation and CVE Analysis of target images.
--whitelist-cves does not appear to work.
Using the --whitelist-cves vigiles-cve-whitelist.csv option, where vigiles-cve-whitelist.csv looks as follows:
CVE-2020-7982
CVE-2020-24342
CVE-2020-15888
CVE-2020-15945
CVE-2020-15889
CVE-2021-0326
CVE-2020-36254
CVE-2021-43523
CVE-2021-3711
CVE-2021-20305
CVE-2021-3580
does not result in whitelisted CVEs (they remain marked Unfixed) in the vigiles CVE Dashboard.
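As an added example (not code from vigiles-openwrt or from the issue author), the following Python shows what processing a one-CVE-per-line whitelist like the file above and applying it to a scan result should look like: IDs are validated against the CVE-YYYY-NNNN shape so a typo cannot silently shrink the list, case and trailing commas are tolerated, and matching entries are re-marked instead of staying "Unfixed". The report structure, package names and the `Whitelisted` status are assumptions for illustration; the whitelist entries are taken from the issue.

```python
from __future__ import annotations

import re
from typing import Dict, Iterable, List, Set

# CVE-YYYY-NNNN with four or more sequence digits, as MITRE defines the ID.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def parse_cve_whitelist(lines: Iterable[str]) -> Set[str]:
    """Parse a one-CVE-per-line whitelist (single-column .csv as in the issue).

    Blank lines and '#' comments are ignored, entries are upper-cased and a
    trailing comma or BOM is tolerated. Anything that is not a CVE ID raises,
    because a silently dropped line is exactly how a whitelist stops working.
    """
    ids: Set[str] = set()
    for lineno, raw in enumerate(lines, 1):
        entry = raw.lstrip("\ufeff").split("#", 1)[0].strip().rstrip(",").upper()
        if not entry:
            continue
        if not CVE_RE.match(entry):
            raise ValueError(f"line {lineno}: {raw.strip()!r} is not a CVE ID")
        ids.add(entry)
    return ids


def apply_whitelist(report: List[Dict[str, str]], whitelist: Set[str]) -> List[Dict[str, str]]:
    """Return a copy of the report with whitelisted CVEs marked 'Whitelisted'.

    The 'status' / 'cve_id' keys and the 'Whitelisted' value are assumed for
    this example; they are not the scanner's real schema.
    """
    out = []
    for entry in report:
        entry = dict(entry)
        if entry["cve_id"].upper() in whitelist:
            entry["status"] = "Whitelisted"
        out.append(entry)
    return out


# Constructed sample: a subset of the issue's whitelist, one entry in mixed
# case on purpose, plus a report that also contains an ID not in that subset.
SAMPLE_WHITELIST = """\
CVE-2020-7982
CVE-2021-3711
cve-2021-3580   # mixed case on purpose
"""

SAMPLE_REPORT = [
    {"package": "pkg-a", "cve_id": "CVE-2020-7982", "status": "Unfixed"},
    {"package": "pkg-b", "cve_id": "CVE-2021-3711", "status": "Unfixed"},
    {"package": "pkg-b", "cve_id": "CVE-2021-3580", "status": "Unfixed"},
    {"package": "pkg-c", "cve_id": "CVE-2021-43523", "status": "Unfixed"},
]


def demo() -> List[Dict[str, str]]:
    """Whitelist the constructed report; the last entry must stay 'Unfixed'."""
    return apply_whitelist(SAMPLE_REPORT, parse_cve_whitelist(SAMPLE_WHITELIST.splitlines()))


if __name__ == "__main__":
    for row in demo():
        print(f"{row['cve_id']:18} {row['package']:8} {row['status']}")
```

Running the script prints the three whitelisted entries with their new status and the fourth still marked Unfixed; feeding it a line such as `CVE-2020-798` raises a ValueError naming the offending line instead of ignoring it.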
Our build root includes acl, which has two symlinks in its include directory similar to this:
[dustin@rigel include]$ ls -l
total 0
lrwxrwxrwx 1 dustin dustin 2 Oct 14 12:40 acl -> ..
lrwxrwxrwx 1 dustin dustin 2 Oct 14 12:40 sys -> ..
[dustin@rigel include]$
This causes vigiles-openwrt.py to spin through permutations of the sys and acl directory paths until it hits ELOOP.
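As an added example (not the project's code and not from the issue author), here is a loop-safe directory walk in Python that handles the layout reported above. The walk records the `os.path.realpath()` of every directory it enters and skips any symlink whose target has already been visited, so `acl -> ..` and `sys -> ..` are descended into at most once instead of until ELOOP or ENAMETOOLONG. The fixture reproduces the issue's layout in a temporary directory; the extra `linux/version.h` and `stdio.h` files are constructed and the fixture assumes a POSIX filesystem that allows symlinks. A capped naive `os.walk(followlinks=True)` is included for contrast.

```python
from __future__ import annotations

import os
import tempfile
from typing import Iterator, List, Set, Tuple


def walk_no_loops(top: str) -> Iterator[Tuple[str, List[str], List[str]]]:
    """Like os.walk(top, followlinks=True), but every real directory is visited once.

    A symlink pointing at a directory that is already on the visited set is
    skipped, so cycles such as include/acl -> .. terminate immediately.
    """
    seen: Set[str] = set()

    def _walk(path: str) -> Iterator[Tuple[str, List[str], List[str]]]:
        real = os.path.realpath(path)
        if real in seen:
            return
        seen.add(real)
        try:
            with os.scandir(path) as it:
                entries = sorted(it, key=lambda e: e.name)
        except OSError:
            return  # unreadable or vanished directory: skip it, as os.walk does
        # DirEntry.is_dir() follows symlinks, so a dangling link counts as a file.
        dirs = [e.name for e in entries if e.is_dir()]
        files = [e.name for e in entries if not e.is_dir()]
        yield path, dirs, files
        for d in dirs:
            yield from _walk(os.path.join(path, d))

    yield from _walk(top)


def collect_headers(top: str) -> List[str]:
    """Sorted relative paths of every regular file reachable from top."""
    found = []
    for d, _, files in walk_no_loops(top):
        for f in files:
            found.append(os.path.relpath(os.path.join(d, f), top))
    return sorted(found)


def count_dirs(top: str) -> int:
    """Number of directories the loop-safe walk visits."""
    return sum(1 for _ in walk_no_loops(top))


def naive_visits(top: str, cap: int) -> int:
    """Directories os.walk(followlinks=True) visits before hitting cap.

    On the looping fixture this reaches cap: os.walk only stops when the path
    grows too long for the kernel, which is the spin the issue describes.
    """
    n = 0
    for _ in os.walk(top, followlinks=True):
        n += 1
        if n >= cap:
            break
    return n


def build_looping_tree() -> str:
    """Constructed fixture: <root>/include/acl -> .. and <root>/include/sys -> ..

    Assumes a POSIX filesystem where os.symlink works. The header files are
    placeholders so the walk has something to report.
    """
    root = tempfile.mkdtemp(prefix="vigiles-loop-")
    inc = os.path.join(root, "include")
    os.makedirs(os.path.join(inc, "linux"))
    open(os.path.join(inc, "stdio.h"), "w").close()
    open(os.path.join(inc, "linux", "version.h"), "w").close()
    os.symlink("..", os.path.join(inc, "acl"))
    os.symlink("..", os.path.join(inc, "sys"))
    return root


if __name__ == "__main__":
    root = build_looping_tree()
    print("loop-safe walk visited", count_dirs(root), "directories")
    print("headers:", collect_headers(root))
    print("naive os.walk visited at least", naive_visits(root, 50), "directories")
```

The loop-safe walk visits exactly three directories (the root, include and include/linux) and reports two headers, while the naive walk is still going after fifty visits. Tracking real paths also deduplicates a tree that is reachable through two different symlinks, which is the right behaviour for an SBOM scanner that should count each file once.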
vigiles-openwrt does not detect all packages configured in the openwrt build config.
Some configured packages from the base openwrt buildroot are excluded that should not be; it seems to only select a small subset of packages from the openwrt buildroot config.
Also, all packages configured in the config that exist in the openwrt feeds are excluded.
These packages are all included through the standard OpenWrt build process, thus we should not have to specify them using the -A / --additional-packages mechanism.
The python3 version is not specified in any meaningful way. All the libraries used are from the python standard library, but are often used with deprecated function arguments.
For example, the encoding option (file lib/libapi.py line 50) has been deprecated since python 3.1 and was removed in python 3.9. Executing this code throws an exception and results in the error:
Error: Unable to parse key file: /home/$user/timesys/linuxlink_key
I can verify the file /home/$user/timesys/linuxlink_key exists, is accessible, and is legal JSON.
Removing this argument or using python 3.8.10 gets us past this error. We then receive a communication error:
Vigiles Communication Error: Invalid credentials were sent to the LinuxLink Server.
Current Time: 2022-01-30T20:10:02.073147
Message: HTTP Error 403: FORBIDDEN
Parameter(s): https://linuxlink.timesys.com/api/v1/vigiles/manifests
I have not dug any deeper into the code to determine why API authentication / communications are failing.
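As an added example (not code from vigiles-openwrt or from the issue author), the Python below shows the pattern that avoids the failure described in this report and makes the real cause visible when loading does fail. The encoding is given to `open()` rather than to `json.load()`, whose `encoding` keyword was removed in Python 3.9, and each failure mode (unreadable file, bad UTF-8, invalid JSON, wrong top-level type) is reported with its underlying message instead of a generic "Unable to parse key file". The key-file contents used here are constructed placeholders; nothing about the real linuxlink_key format is assumed beyond it being a JSON object.

```python
from __future__ import annotations

import json
import os
import tempfile
from typing import Any, Dict


class KeyFileError(Exception):
    """Raised with the underlying cause attached, so the message says why."""


def load_key_file(path: str) -> Dict[str, Any]:
    """Load a JSON key file in a way that works on Python 3.1 through 3.12+.

    Encoding belongs on open(); json.load(fp, encoding=...) raised a
    DeprecationWarning from 3.1 and a TypeError from 3.9 onward.
    """
    try:
        with open(path, "r", encoding="utf-8") as fp:
            data = json.load(fp)
    except OSError as exc:
        raise KeyFileError(f"cannot read {path}: {exc.strerror}") from exc
    except UnicodeDecodeError as exc:
        raise KeyFileError(f"{path} is not UTF-8 text: {exc.reason}") from exc
    except json.JSONDecodeError as exc:
        raise KeyFileError(
            f"{path} is not valid JSON: {exc.msg} at line {exc.lineno}"
        ) from exc
    if not isinstance(data, dict):
        raise KeyFileError(
            f"{path}: expected a JSON object, got {type(data).__name__}"
        )
    return data


def write_temp_key_file(text: str) -> str:
    """Write constructed key-file contents to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    return path


def describe_failure(path: str) -> str:
    """'ok' if the file loads, otherwise the explanatory error message."""
    try:
        load_key_file(path)
        return "ok"
    except KeyFileError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed placeholder contents; not the real linuxlink_key schema.
    good = write_temp_key_file('{"example": "value"}')
    truncated = write_temp_key_file('{"example": ')
    for p in (good, truncated, good + ".missing"):
        print(p, "->", describe_failure(p))
```

With the cause attached to the exception, a 3.9+ interpreter would have reported the TypeError from the deprecated keyword directly rather than a message blaming the key file, which is the first thing to check before looking at the HTTP 403 that follows.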
Hello, I have tried to run a scan on an openwrt generic x86 build.
The scan runs fine and finds userspace vulnerabilities until the kernel config is retrieved and I get the warning message:
"Vigiles WARNING: Kernel Config: Kernel Build directory not found."
Using the -k option with a specific path to the kernel configuration, I can see in the debug messages that the kernel configuration is taken into account, but if I read the documentation correctly, this option only allows you to filter the CVEs?
How can I get Vigiles to find my Kernel build directory? Or what is the default path to use in order to retrieve this configuration?
Thank you for your answer