v0.8.0
Vulsrepo GitHub issue moved
The GitHub issues of usiusi360 are no longer available.
If you find an issue in usiusi360/vulsrepo, add it to future-architect/vuls.
How to Update to v0.8.0
Update Go
Go over v1.12 is needed.
A compile error will occur with Go under v11.
Update and re-fetch with a new database
- goval-dictionary
- go-cve-dictionary
- Vuls
New features
Container Image Scan
[servers]
[servers.image]
type="pseudo"
# GCR
[servers.image.images.hyperkube]
name="gcr.io/google-containers/hyperkube"
tag="v1.11.10"
# Local
[servers.image.images.web-dvwa]
name="vulnerables/web-dvwa"
tag="latest"
# Local
[servers.image.images.gcr]
name="asia.gcr.io/bizshift-stg/api"
tag="latest"
[servers.image.images.gcr.dockerOption]
gcpCredPath="/Users/amachi/Downloads/key.json"
Smart Programming Language Library Scan
[servers]
[servers.abuntu]
host = "xxx.xxx.xxx"
port = "22"
user = "tamachi"
keyPath = "/Users/amachi/.ssh/id_dsa"
findLock = true # auto detect lockfile
lockfiles = [
"/home/tamachi/lockfiles/package-lock.json",
"/home/tamachi/lockfiles/yarn.lock"
]
Speed up Oval Reporting
os | before | after |
---|---|---|
alpine3.9 | over 1 hour | 0.26s |
Ubuntu | 180s | 3s |
Support Amazon OVAL Scan
Support OVAL scanning for Amazon Linux 1/2.
Update to the latest version of goval-dictionary and run fetch-amazon:
$ goval-dictionary fetch-amazon
see also
- vulsio/goval-dictionary#63
- https://github.com/kotakanbe/goval-dictionary#usage-fetch-amazon-alas-as-oval-data-type
Support RHEL8
You have to fetch the RedHat OVAL data before reporting.
To fetch:
$ goval-dictionary fetch-redhat 5 6 7 8
see
Bug Fix
- fix(scan): false negative of kernel related vulns on Ubuntu 16 #819
- fix(scan): a bug of kernel Vulns detection on Ubuntu18
- fix(report): Critical Bug Fix for CPE based scanning
- fix(report): fix the number of fixed/total in reporting
Changelog
4cf9a72 set GO111MODULE=on in .goreleaser.yml
bd1b135 Add vulsrepo issue template
8c3b305 fix(readme): typo in news (#841)
a371903 fix(scan): scan Amazon Linux with offline mode (#840)
c68a261 Update README.md
75fea79 feat(scan): Support RHEL8 (#813)
eb9f968 refactor(scan): remove yum-security related code (#836)
3634afd enhance issue_template (#837)
77b5df8 update goval-dictionary dependency to valid version (#839)
b81f640 fix(report): remove extra check logic #802 (#835)
a8a90d7 refactor(report): speed up oval reporting #833 (#834)
17bb575 fix(scan): enable to report if some warnings occured on scanning (#805)
abcea1a add Library Scan (with image scan) (#829)
10942f7 fix(scan): fetch only updatable package changelogs (#815)
87ee829 fix(scan): exec yum makecache to update metadata on RedHat based linux (#810)
fcc2c1e Changing the scannedAt time in the original result (#823)
269095d feat(report): support Amazon OVAL scanning (#824)
40492ee fix typos, extraneous text (#831)
64cdd5a fix(report): WordPress(WPVULNDB API) 429 Too Many Requests (#826)
3bb650c fix(report-redhat): fix false negative of affected vulns #827 (#828)
774544c fix(report): warning only if the kernel version is unknown (#822)
299805a [WIP]fix(scan): false negative of kernel related vulns on Ubuntu 16 (#819)
276363e fix(scan): a bug of kernel Vulns detection on Ubuntu18 (#818)
e750bd5 fix(report): fix the number of fixed/total in reporting (#817)
98fee7b Implement Vuls's own error code (#812)
53aaea9 add scannedVia field to know the way of access such as SSH, local or pseudo (#811)
824fbb6 Updated config.toml reference url (#809)
80566b9 fix(report): exit 1 when scan result has errors (#804)
533d05a fix(report): Error when GitHub integration failed (#800)