//go:build !scanner
// +build !scanner
package server
import (
"bytes"
"encoding/json"
"fmt"
"io"
"mime"
"net/http"
"time"
"github.com/future-architect/vuls/config"
"github.com/future-architect/vuls/detector"
"github.com/future-architect/vuls/gost"
"github.com/future-architect/vuls/logging"
"github.com/future-architect/vuls/models"
"github.com/future-architect/vuls/reporter"
"github.com/future-architect/vuls/scanner"
)
// VulsHandler is used for vuls server mode.
//
// It is the http.Handler for server mode: each request carries one scan
// result (JSON) or raw package-manager output (text/plain), which is
// enriched with vulnerability data and written back as the response.
type VulsHandler struct {
	// ToLocalFile additionally persists every enriched result as a JSON
	// file under config.Conf.ResultsDir; the flag is also forwarded to
	// scanner.ViaHTTP when a text/plain body is parsed.
	ToLocalFile bool
}
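// ServeHTTP is http handler.
//
// One scan result is accepted per request. The body is interpreted by its
// Content-Type media type:
//   - application/json: a serialized models.ScanResult
//   - text/plain: package-manager output, parsed by scanner.ViaHTTP
//
// The result is then enriched (package CVEs, gost, NVD/JVN, exploit,
// Metasploit, KEV, CTI, CWE dictionary) and written to the client via
// reporter.HTTPResponseWriter and, when h.ToLocalFile is set, to the
// results directory as JSON.
//
// Status codes: 400 for an unparsable Content-Type or body, 415 for an
// unsupported media type, 503 when any enrichment step or the result
// directory fails. Every error path returns immediately, so the response
// is written exactly once; previously the 503 paths fell through and the
// report was appended to a response whose status and body were already
// sent.
func (h VulsHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	r := models.ScanResult{ScannedCves: models.VulnInfos{}}

	// NOTE(review): req.Body is consumed without a size cap (json.Decoder
	// and io.Copy below), so a client can make the server buffer a body of
	// any size. Wrapping req.Body in http.MaxBytesReader would bound this;
	// left unchanged here because the acceptable limit is deployment-specific.
	contentType := req.Header.Get("Content-Type")
	mediatype, _, err := mime.ParseMediaType(contentType)
	if err != nil {
		logging.Log.Error(err)
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}

	switch mediatype {
	case "application/json":
		if err := json.NewDecoder(req.Body).Decode(&r); err != nil {
			// The decoder's detail goes to the log only; the client gets a
			// fixed message.
			logging.Log.Error(err)
			http.Error(w, "Invalid JSON", http.StatusBadRequest)
			return
		}
	case "text/plain":
		buf := new(bytes.Buffer)
		if _, err := io.Copy(buf, req.Body); err != nil {
			logging.Log.Error(err)
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		// ViaHTTP reads the host/OS description from the request headers.
		if r, err = scanner.ViaHTTP(req.Header, buf.String(), h.ToLocalFile); err != nil {
			logging.Log.Error(err)
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
	default:
		logging.Log.Error(mediatype)
		http.Error(w, fmt.Sprintf("Invalid Content-Type: %s", contentType), http.StatusUnsupportedMediaType)
		return
	}

	// Enrichment. Each step's error text is returned verbatim to the client
	// with a 503 (as before); the `return` after each http.Error is what
	// prevents the report below from being written onto an errored response.
	if err := detector.DetectPkgCves(&r, config.Conf.OvalDict, config.Conf.Gost, config.Conf.LogOpts); err != nil {
		logging.Log.Errorf("Failed to detect Pkg CVE: %+v", err)
		http.Error(w, err.Error(), http.StatusServiceUnavailable)
		return
	}

	logging.Log.Infof("Fill CVE detailed with gost")
	if err := gost.FillCVEsWithRedHat(&r, config.Conf.Gost, config.Conf.LogOpts); err != nil {
		logging.Log.Errorf("Failed to fill with gost: %+v", err)
		http.Error(w, err.Error(), http.StatusServiceUnavailable)
		return
	}

	logging.Log.Infof("Fill CVE detailed with CVE-DB")
	if err := detector.FillCvesWithNvdJvn(&r, config.Conf.CveDict, config.Conf.LogOpts); err != nil {
		logging.Log.Errorf("Failed to fill with CVE: %+v", err)
		http.Error(w, err.Error(), http.StatusServiceUnavailable)
		return
	}

	nExploitCve, err := detector.FillWithExploit(&r, config.Conf.Exploit, config.Conf.LogOpts)
	if err != nil {
		logging.Log.Errorf("Failed to fill with exploit: %+v", err)
		http.Error(w, err.Error(), http.StatusServiceUnavailable)
		return
	}
	logging.Log.Infof("%s: %d PoC detected", r.FormatServerName(), nExploitCve)

	nMetasploitCve, err := detector.FillWithMetasploit(&r, config.Conf.Metasploit, config.Conf.LogOpts)
	if err != nil {
		logging.Log.Errorf("Failed to fill with metasploit: %+v", err)
		http.Error(w, err.Error(), http.StatusServiceUnavailable)
		return
	}
	logging.Log.Infof("%s: %d exploits are detected", r.FormatServerName(), nMetasploitCve)

	if err := detector.FillWithKEVuln(&r, config.Conf.KEVuln, config.Conf.LogOpts); err != nil {
		logging.Log.Errorf("Failed to fill with Known Exploited Vulnerabilities: %+v", err)
		http.Error(w, err.Error(), http.StatusServiceUnavailable)
		return
	}

	if err := detector.FillWithCTI(&r, config.Conf.Cti, config.Conf.LogOpts); err != nil {
		logging.Log.Errorf("Failed to fill with Cyber Threat Intelligences: %+v", err)
		http.Error(w, err.Error(), http.StatusServiceUnavailable)
		return
	}

	detector.FillCweDict(&r)

	// Set ReportedAt to the current time when it is still the zero value, so
	// results submitted in server mode carry a report timestamp.
	if r.ReportedAt.IsZero() {
		r.ReportedAt = time.Now()
	}

	// Report: always to the HTTP response, optionally to the local results dir.
	reports := []reporter.ResultWriter{
		reporter.HTTPResponseWriter{Writer: w},
	}
	if h.ToLocalFile {
		scannedAt := r.ScannedAt
		if scannedAt.IsZero() {
			// Truncated to the hour so results submitted close together
			// land in the same result directory.
			scannedAt = time.Now().Truncate(1 * time.Hour)
			r.ScannedAt = scannedAt
		}
		dir, err := scanner.EnsureResultDir(config.Conf.ResultsDir, scannedAt)
		if err != nil {
			logging.Log.Errorf("Failed to ensure the result directory: %+v", err)
			http.Error(w, err.Error(), http.StatusServiceUnavailable)
			return
		}
		// The server subcommand has no diff option, so only CurrentDir is set.
		reports = append(reports, reporter.LocalFileWriter{
			CurrentDir: dir,
			FormatJSON: true,
		})
	}

	// rw rather than w: the loop variable must not shadow the ResponseWriter.
	for _, rw := range reports {
		if err := rw.Write(r); err != nil {
			logging.Log.Errorf("Failed to report. err: %+v", err)
			return
		}
	}
}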