Sysdig Platform CLI - Scanning Vulnerabilities

This section explains the concepts and notation used by the set of Scanning vulnerability commands.

Usage

The scanning vulnerability commands let you fetch information about a vulnerability, define vulnerability exceptions for image scanning and download vulnerability reports. The full list of subcommands is the following:

$ sdc-cli scanning vulnerability --help
Usage: sdc-cli scanning vulnerability [OPTIONS] COMMAND [ARGS]...

Options:
  --help  Show this message and exit.

Commands:
  add_exception  Adds a vulnerability exception to a bundle
  bundle         Vulnerability bundle operations
  del_exception  Deletes a vulnerability exception from a bundle
  get_info       Retrieves information about a vulnerability
  report         Downloads a vulnerability report in CSV format

Usage: Retrieve info from a vulnerability

You can fetch information about a particular vulnerability directly with sdc-cli. For example, say you need to review which packages are affected by VULNDB-1 and what impact the vulnerability has on your systems:

$ sdc-cli scanning vulnerability get_info VULNDB-1
id:                       VULNDB-1
severity:                 High
description:              ColdFusion contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker specifies the OpenFilePath variable in the Expression Evaluator. This allows an attacker to view the contents of arbitrary files on the server and may result in a loss of confidentiality.
link:                     https://secure.sysdig.com/#/scanning/vulnerabilities/VULNDB-1

CVE Scores:
id                           severity        access vector        base score        exploitability score        impact score        
CVE-1999-0455 CVSS v2        High            NETWORK              7.5               10                          6.4                 

References:
source                              url                                                                          
Mail List Post                      http://archives.neohapsis.com/archives/bugtraq/1999_2/0216.html              
CVE ID                              http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0455                      
Generic Exploit URL                 http://web.archive.org/web/*/http://www.phrack.org/phrack/54/P54-08          
Other Advisory URL                  http://wiretrip.net/rfp/txt/phrack54.txt                                     
Vendor Specific Advisory URL        http://www.adobe.com/devnet/security/security_zone/asb99-01.html             
Exploit Database                    http://www.exploit-db.com/exploits/19093                                     
Vendor Specific Advisory URL        http://www.macromedia.com/devnet/security/security_zone/asb99-01.html        
Nessus Script ID                    http://www.nessus.org/plugins/index.php?view=single&id=10001                 
Bugtraq ID                          http://www.securityfocus.com/bid/115                                         
Snort Signature ID                  http://www.snort.org/search/sid/911?r=1                                      
ISS X-Force ID                      https://exchange.xforce.ibmcloud.com/vulnerabilities/1740                    

Affected Packages:
name              version        
coldfusion        4.0            
coldfusion        3.1            
coldfusion        3.0            
coldfusion        2.0    

This vulnerability is a severe problem for any system that still runs ColdFusion: it leads to unauthorized information disclosure, and the exploitability score of 10 means the flaw is reachable over the network, with low attack complexity and no authentication required (in CVSS v2 that subscore is derived only from those base metrics, not from whether exploits are public; the Exploit Database and Phrack references above show that working exploits are also available). If you were running coldfusion<=4.0, you would need to update it to be safe.
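The CVSS v2 arithmetic behind the three numbers in the output above, as an added worked example (this is not sdc-cli code). The weights are those of the CVSS v2.0 specification, and the vector AV:N/AC:L/Au:N/C:P/I:P/A:P is the only combination of base metrics that reproduces a 7.5 base, 10 exploitability and 6.4 impact score at once. The temporal part shows where exploit availability actually enters the score: in the temporal Exploitability (E) metric, not in the base exploitability subscore.

```python
"""CVSS v2 base and temporal score arithmetic (added example, not part of sdc-cli)."""

# Metric weights from the CVSS v2.0 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}
# Temporal metrics: this is where "exploit code exists" is expressed.
EXPLOITABILITY_E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
REMEDIATION_LEVEL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
REPORT_CONFIDENCE = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}


def parse_vector(vector):
    """'AV:N/AC:L/Au:N/C:P/I:P/A:P' -> {'AV': 'N', 'AC': 'L', ...}."""
    return dict(part.split(":", 1) for part in vector.split("/"))


def impact_subscore(m):
    """Impact = 10.41 * (1 - (1-C)(1-I)(1-A))."""
    c, i, a = (IMPACT_WEIGHT[m[k]] for k in ("C", "I", "A"))
    return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))


def exploitability_subscore(m):
    """Exploitability = 20 * AV * AC * Au: how reachable the flaw is, not whether exploits are public."""
    return 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]


def base_scores(vector):
    """Return (base, exploitability, impact), rounded to one decimal as the report prints them."""
    m = parse_vector(vector)
    impact = impact_subscore(m)
    expl = exploitability_subscore(m)
    f_impact = 0.0 if impact == 0 else 1.176
    base = ((0.6 * impact) + (0.4 * expl) - 1.5) * f_impact
    return round(base, 1), round(expl, 1), round(impact, 1)


def temporal_score(base_vector, temporal_vector):
    """Temporal = Base * E * RL * RC; public exploit code (E:F or E:H) moves this, not the base subscores."""
    t = parse_vector(temporal_vector)
    base, _, _ = base_scores(base_vector)
    return round(base * EXPLOITABILITY_E[t["E"]] * REMEDIATION_LEVEL[t["RL"]]
                 * REPORT_CONFIDENCE[t["RC"]], 1)


if __name__ == "__main__":
    vec = "AV:N/AC:L/Au:N/C:P/I:P/A:P"
    print(vec, base_scores(vec))  # (7.5, 10.0, 6.4), the numbers shown for CVE-1999-0455 above
    # Same flaw behind single authentication: exploitability drops although nothing about exploits changed.
    print(base_scores("AV:N/AC:L/Au:S/C:P/I:P/A:P"))
    # Functional exploit published, official fix available, confirmed report.
    print(temporal_score(vec, "E:F/RL:OF/RC:C"))
```

The subscores are rounded only for display; the base score is computed from the unrounded subscores, which is why 6.443 and 9.997 produce 7.5 rather than the 7.49 you would get from 6.4 and 10.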

Usage: Vulnerability exception bundles

All vulnerability exceptions are organized in bundles, for easier management. By default, every account comes with a global bundle where users can store their vulnerability exceptions. Keep in mind that an exception suppresses a finding rather than fixing it: each exception carries a notes field and an expiration date, and an enabled exception that never expires hides the vulnerability indefinitely, so record why it was accepted and review such entries periodically.

$ sdc-cli scanning vulnerability bundle list
id            name                           comment                        item number        
global        Default exceptions list        Default exceptions list        0            

You can define new bundles to organize your exceptions:

$ sdc-cli scanning vulnerability bundle add "Nginx Exceptions" --description "This bundle contains all the exceptions for Nginx"
id:                       vulnexception_1iUrqU3dfDkcUYbPAGVMz37oGNg
name:                     Nginx Exceptions
comment:                  This bundle contains all the exceptions for Nginx

You will now be able to add exceptions to this bundle:

$ sdc-cli scanning vulnerability add_exception vulnexception_1iUrqU3dfDkcUYbPAGVMz37oGNg CVE-2009-2629   
enabled:                  True
name:                     CVE-2009-2629
description:              Buffer underflow in src/http/ngx_http_parse.c in nginx 0.1.0 through 0.5.37, 0.6.x before 0.6.39, 0....
notes:                    ---
expiration date:          Never

If you retrieve information from the bundle, you will see the added exception:

$ sdc-cli scanning vulnerability bundle get vulnexception_1iUrqU3dfDkcUYbPAGVMz37oGNg                 
id:                       vulnexception_1iUrqU3dfDkcUYbPAGVMz37oGNg
name:                     Nginx Exceptions
comment:                  This bundle contains all the exceptions for Nginx
item number:              1

Items:
enabled        name                 description                                                  notes        expiration date        
True           CVE-2009-2629        Buffer underflow in src/http/ngx_http_parse.c in n...        ---          Never               

You can also remove this exception from the bundle:

$ sdc-cli scanning vulnerability del_exception vulnexception_1iUrqU3dfDkcUYbPAGVMz37oGNg CVE-2009-2629
Succeed

$ sdc-cli scanning vulnerability bundle get vulnexception_1iUrqU3dfDkcUYbPAGVMz37oGNg                 
id:                       vulnexception_1iUrqU3dfDkcUYbPAGVMz37oGNg
name:                     Nginx Exceptions
comment:                  This bundle contains all the exceptions for Nginx
item number:              0

If you also want to remove the bundle itself, you can do so by its ID:

$ sdc-cli scanning vulnerability bundle list
id                                               name                           comment                                                  item number        
global                                           Default exceptions list        Default exceptions list                                  0                  
vulnexception_1iUrqU3dfDkcUYbPAGVMz37oGNg        Nginx Exceptions               This bundle contains all the exceptions for Nginx        0

$ sdc-cli scanning vulnerability bundle del vulnexception_1iUrqU3dfDkcUYbPAGVMz37oGNg
Succeed

$ sdc-cli scanning vulnerability bundle list                                         
id            name                           comment                        item number        
global        Default exceptions list        Default exceptions list        0                       
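As an added example (not part of sdc-cli or its documentation), the script below audits every bundle for exceptions that suppress findings without an audit trail: enabled exceptions with an expiration date of Never, exceptions whose notes are empty ("---"), and bundles whose item number disagrees with the rows they list. It parses the `bundle list` and `bundle get` output in the fixed-width layout shown above (column width is the longest value plus eight spaces); the sample text it ships with is constructed to match that layout so the parsers run without a Sysdig account. It assumes sdc-cli is on PATH and configured, that this output layout is stable, and that `bundle get` also accepts the global bundle id, none of which the page states.

```python
"""Audit sdc-cli vulnerability exception bundles (added example, not part of sdc-cli)."""
import re
import subprocess


def parse_table(text):
    """Parse the fixed-width tables sdc-cli prints: a header row, then one row per item.

    Column boundaries come from where each header starts, so cell values that contain
    single spaces ("Default exceptions list") survive intact. Header names themselves may
    contain a single space ("item number", "expiration date")."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0]
    starts = [m.start() for m in re.finditer(r"\S+(?: \S+)*", header)]
    ends = starts[1:] + [None]
    names = [header[s:e].strip() for s, e in zip(starts, ends)]
    return [
        {name: row[s:e].strip() for name, s, e in zip(names, starts, ends)}
        for row in lines[1:]
    ]


def parse_bundle_get(text):
    """Split 'bundle get' output into its key/value header and the Items table."""
    head, _, items = text.partition("Items:")
    meta = {}
    for ln in head.splitlines():
        key, sep, value = ln.partition(":")
        if sep:
            meta[key.strip()] = value.strip()
    return meta, parse_table(items)


def audit_bundle(bundle_id, meta, items):
    """Return (bundle id, vulnerability, reasons) for exceptions that lack an audit trail.

    An enabled exception that never expires hides the vulnerability indefinitely; notes of
    '---' mean nobody recorded why it was accepted. A mismatch between 'item number' and
    the rows actually listed is also reported, under the pseudo-vulnerability '*'."""
    findings = []
    for item in items:
        reasons = []
        if item["enabled"] == "True" and item["expiration date"] == "Never":
            reasons.append("enabled exception never expires")
        if item["notes"] in ("", "---"):
            reasons.append("no justification recorded in notes")
        if reasons:
            findings.append((bundle_id, item["name"], reasons))
    if meta.get("item number") not in (None, str(len(items))):
        findings.append((bundle_id, "*", ["item number does not match the rows listed"]))
    return findings


def run_cli(*args):
    """Invoke the real CLI (assumes sdc-cli is on PATH and already configured)."""
    proc = subprocess.run(["sdc-cli", "scanning", "vulnerability", *args],
                          check=True, capture_output=True, text=True)
    return proc.stdout


def audit_all():
    """Walk every bundle from 'bundle list' (assumes 'bundle get' accepts the global id too)."""
    findings = []
    for bundle in parse_table(run_cli("bundle", "list")):
        meta, items = parse_bundle_get(run_cli("bundle", "get", bundle["id"]))
        findings.extend(audit_bundle(bundle["id"], meta, items))
    return findings


# Constructed sample in the layout shown on this page (column width = longest value + 8),
# so the parsers can be exercised offline.
def _row(cells, widths):
    return "".join(cell.ljust(width) for cell, width in zip(cells, widths))


BUNDLE_LIST_WIDTHS = [49, 31, 57, 19]
SAMPLE_BUNDLE_LIST = "\n".join([
    _row(["id", "name", "comment", "item number"], BUNDLE_LIST_WIDTHS),
    _row(["global", "Default exceptions list", "Default exceptions list", "0"], BUNDLE_LIST_WIDTHS),
    _row(["vulnexception_1iUrqU3dfDkcUYbPAGVMz37oGNg", "Nginx Exceptions",
          "This bundle contains all the exceptions for Nginx", "1"], BUNDLE_LIST_WIDTHS),
])

ITEM_WIDTHS = [15, 21, 61, 13, 23]
SAMPLE_BUNDLE_GET = "\n".join([
    "id:                       vulnexception_1iUrqU3dfDkcUYbPAGVMz37oGNg",
    "name:                     Nginx Exceptions",
    "comment:                  This bundle contains all the exceptions for Nginx",
    "item number:              1",
    "",
    "Items:",
    _row(["enabled", "name", "description", "notes", "expiration date"], ITEM_WIDTHS),
    _row(["True", "CVE-2009-2629", "Buffer underflow in src/http/ngx_http_parse.c in n...",
          "---", "Never"], ITEM_WIDTHS),
])


if __name__ == "__main__":
    for bundle_id, vuln, reasons in audit_all():
        print(f"{bundle_id}\t{vuln}\t{'; '.join(reasons)}")
```

Run against the sample above, the Nginx bundle is flagged twice for CVE-2009-2629 (never expires, no notes); the point of keying columns off the header positions rather than splitting on whitespace is that descriptions and comments with spaces in them do not shift the notes and expiration columns.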

Usage: Retrieve the vulnerability report as CSV

This use case is simple: download a vulnerability report in CSV format covering either all the images registered in your installation or only the images currently detected at runtime.

$ sdc-cli scanning vulnerability report --help 
Usage: sdc-cli scanning vulnerability report [OPTIONS] REPORT_PATH

  Downloads a vulnerability report at the given path.

Options:
  --runtime  Generate vulnerability report for runtime images only
  --os       Generates a vulnerability report for OS images only. By default
             generates for OS and NonOS.

  --non-os   Generates a vulnerability report for NonOS images (pip, npm,
             java, ...) only. By default generates for OS and NonOS.

  --help     Show this message and exit.

By default the output contains all the images in the installation, with both OS vulnerabilities and non-OS vulnerabilities (packages from ecosystems such as Python, Node and Java).

For example, to download the full report:

$ sdc-cli scanning vulnerability report all_vulnerabilities.csv
Downloading report at all_vulnerabilities.csv.
It looks like the report is taking more time than expected.
This may be due to the high amount of images in your system.
Report downloaded

If you only want the images detected running in your environment:

$ sdc-cli scanning vulnerability report --runtime runtime_only.csv
Downloading report at runtime_only.csv.
It looks like the report is taking more time than expected.
This may be due to the high amount of images in your system.
Report downloaded

If you only want OS-related CVEs for runtime images:

$ sdc-cli scanning vulnerability report --runtime --os runtime_os_cve_only.csv
Downloading report at runtime_os_cve_only.csv.
It looks like the report is taking more time than expected.
This may be due to the high amount of images in your system.
Report downloaded