
vigiles-openwrt's People

Contributors

harish-bansal, iancampbell, indresh-timesys


vigiles-openwrt's Issues

--whitelist-cves does not appear to work


Using the --whitelist-cves vigiles-cve-whitelist.csv option, where vigiles-cve-whitelist.csv looks as follows:

CVE-2020-7982
CVE-2020-24342
CVE-2020-15888
CVE-2020-15945
CVE-2020-15889
CVE-2021-0326
CVE-2020-36254
CVE-2021-43523
CVE-2021-3711
CVE-2021-20305
CVE-2021-3580

does not result in whitelisted CVEs (they remain marked Unfixed) in the vigiles CVE Dashboard.

combinatorial explosion using os.walk(..., followlinks=True)

Our build root includes acl, which has two symlinks in its include directory similar to this:

[dustin@rigel include]$ ls -l
total 0
lrwxrwxrwx 1 dustin dustin 2 Oct 14 12:40 acl -> ..
lrwxrwxrwx 1 dustin dustin 2 Oct 14 12:40 sys -> ..
[dustin@rigel include]$ 

This causes vigiles-openwrt.py to spin through every possible permutation of the sys and acl directory paths until it hits ELOOP.
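An added illustration of the failure mode above and of a defensive fix, not code from the vigiles-openwrt project: a constructed temporary tree reproduces the layout from the issue (include/acl and include/sys both symlinked to ..), a capped plain os.walk(followlinks=True) shows the blow-up, and safe_walk() identifies directories by (st_dev, st_ino) so a link back to an ancestor or to an already-visited directory is pruned instead of re-entered. The function and fixture names are this example's own.

```python
import os
import tempfile


def make_fixture():
    """Constructed fixture mirroring the issue: <root>/include/acl -> .. and
    <root>/include/sys -> .. (both symlinks to the parent). Returns the root."""
    root = tempfile.mkdtemp(prefix="vigiles-walk-")
    include = os.path.join(root, "include")
    os.mkdir(include)
    with open(os.path.join(root, "Makefile"), "w") as fh:
        fh.write("# placeholder\n")
    with open(os.path.join(include, "acl.h"), "w") as fh:
        fh.write("/* placeholder */\n")
    os.symlink("..", os.path.join(include, "acl"))
    os.symlink("..", os.path.join(include, "sys"))
    return root


def naive_walk_bounded(top, limit=2000):
    """Plain os.walk(followlinks=True), stopped after `limit` directories so the
    demonstration terminates. os.walk swallows the eventual ELOOP from scandir
    (onerror=None), so without the cap it only stops once every permutation of
    acl/ and sys/ up to the kernel's symlink-depth limit has been visited."""
    n = 0
    for _ in os.walk(top, followlinks=True):
        n += 1
        if n >= limit:
            break
    return n


def safe_walk(top, max_depth=64):
    """Drop-in for os.walk(top, followlinks=True) that visits each real directory
    once. A directory is identified by (st_dev, st_ino); any path (symlinked or
    not) that resolves to a directory already seen is pruned via the in-place
    edit of dirnames that os.walk honours in top-down mode. max_depth is an
    extra bound that does not depend on the kernel's ELOOP limit."""
    seen = set()
    for dirpath, dirnames, filenames in os.walk(top, followlinks=True):
        try:
            st = os.stat(dirpath)  # follows the link: identifies the real dir
        except OSError:            # dangling link or ELOOP: prune, don't crash
            dirnames[:] = []
            continue
        key = (st.st_dev, st.st_ino)
        depth = os.path.relpath(dirpath, top).count(os.sep)
        if key in seen or depth > max_depth:
            dirnames[:] = []       # already visited: do not descend again
            continue
        seen.add(key)
        # Filter children that resolve to a visited directory (e.g. acl -> ..)
        # so the walker never even lists them.
        kept = []
        for d in dirnames:
            try:
                cst = os.stat(os.path.join(dirpath, d))
            except OSError:
                continue
            if (cst.st_dev, cst.st_ino) not in seen:
                kept.append(d)
        dirnames[:] = kept
        yield dirpath, dirnames, filenames


def count_dirs(top, walker):
    """Number of directories a walker yields for `top`."""
    return sum(1 for _ in walker(top))


if __name__ == "__main__":
    root = make_fixture()
    print("naive os.walk (capped):", naive_walk_bounded(root))
    print("safe_walk:", count_dirs(root, safe_walk))
    for dirpath, dirnames, filenames in safe_walk(root):
        print(os.path.relpath(dirpath, root), dirnames, filenames)
```

With the fixture above, safe_walk() yields exactly two directories (the root and include/) and reports acl and sys as neither directories to descend into nor files, while the uncapped naive walk would keep producing acl/include/sys/include/... paths until resolution fails with ELOOP.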

vigiles-openwrt does not detect all packages configured in the openwrt build config.


Some configured packages from the base OpenWrt buildroot are excluded that should not be; it seems to only select a small subset of packages from the OpenWrt buildroot config.

Also all packages configured in the config that exist in the openwrt feeds are excluded.

These packages are all included through the standard OpenWrt build process, so we should not have to specify them using the -A / --additional-packages mechanism.

Python3 Version is not specified; `vigiles-openwrt.py` throws versioning related errors.

The python3 version is not specified in any meaningful way. All the libraries used are from the python standard library, but are often used with deprecated function arguments.

For example, the encoding option (file lib/libapi.py line 50) has been deprecated since python 3.1 and was removed in python 3.9. Executing this code throws an exception and results in the error:

Error: Unable to parse key file: /home/$user/timesys/linuxlink_key

I can verify the file /home/$user/timesys/linuxlink_key exists, is accessible, and is legal JSON.

Removing this argument or using python 3.8.10 gets us past this error. We then receive a communication error:

	Vigiles Communication Error:	Invalid credentials were sent to the LinuxLink Server.
	
	Current Time:	2022-01-30T20:10:02.073147
	Message:	HTTP Error 403: FORBIDDEN
	Parameter(s):	https://linuxlink.timesys.com/api/v1/vigiles/manifests

I have not dug any deeper into the code to determine why API authentication / communications are failing.

Kernel Build directory not found

Hello, I have tried to run a scan on an openwrt generic x86 build.
The scan runs fine and finds userspace vulnerabilities until the kernel config is retrieved, at which point I get the warning message:
"Vigiles WARNING: Kernel Config: Kernel Build directory not found."

Using the -k option with a specific path to the kernel configuration, I can see in the debug messages that the kernel configuration is taken into account, but if I read the documentation correctly, this option only allows you to filter the CVEs?

How can I get Vigiles to find my Kernel build directory? Or what is the default path to use in order to retrieve this configuration?

Thank you for your answer
