Display exploit codes information for each detected CVE-IDs (future-architect#729)

* add exploit

* bug fix while loading config in TUI, display in format-full-text

* fix readme

Author: sadayuki-matsuno

Gopkg.lock

@@ -67,6 +67,7 @@ Vuls uses Multiple vulnerability databases
 - [Debian Security Bug Tracker](https://security-tracker.debian.org/tracker/)
 - Commands(yum, zypper, pkg-audit)
 	- RHSA/ALAS/ELSA/FreeBSD-SA
+- [Exploit Database](https://www.exploit-db.com/)
 - Changelog
 
 ## Fast scan and Deep scan

README.md

@@ -91,24 +91,27 @@ func (p *DiscoverCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interface
 func printConfigToml(ips []string) (err error) {
 	const tomlTemplate = `
 
-# TODO Doc Link
+# https://vuls.io/docs/en/usage-settings.html
 [cveDict]
 type        = "sqlite3"
 sqlite3Path = "/path/to/cve.sqlite3"
 #url        = ""
 
-# TODO Doc Link
 [ovalDict]
 type        = "sqlite3"
 sqlite3Path = "/path/to/oval.sqlite3"
 #url        = ""
 
-# TODO Doc Link
 [gost]
 type        = "sqlite3"
 sqlite3Path = "/path/to/gost.sqlite3"
 #url        = ""
 
+[exploit]
+type        = "sqlite3"
+sqlite3Path = "/path/to/go-exploitdb.sqlite3"
+#url        = ""
+
 # https://vuls.io/docs/en/usage-settings.html#slack-section
 #[slack]
 #hookURL      = "https://hooks.slack.com/services/abc123/defghijklmnopqrstuvwxyz"

commands/discover.go

@@ -24,6 +24,7 @@ import (
 	"path/filepath"
 
 	c "github.com/future-architect/vuls/config"
+	"github.com/future-architect/vuls/exploit"
 	"github.com/future-architect/vuls/gost"
 	"github.com/future-architect/vuls/models"
 	"github.com/future-architect/vuls/oval"
@@ -36,11 +37,12 @@ import (
 
 // ReportCmd is subcommand for reporting
 type ReportCmd struct {
-	configPath string
-	cveDict    c.GoCveDictConf
-	ovalDict   c.GovalDictConf
-	gostConf   c.GostConf
-	httpConf   c.HTTPConf
+	configPath  string
+	cveDict     c.GoCveDictConf
+	ovalDict    c.GovalDictConf
+	gostConf    c.GostConf
+	exploitConf c.ExploitConf
+	httpConf    c.HTTPConf
 }
 
 // Name return subcommand name
@@ -93,6 +95,9 @@ func (*ReportCmd) Usage() string {
 		[-gostdb-type=sqlite3|mysql|redis]
 		[-gostdb-sqlite3-path=/path/to/gost.sqlite3]
 		[-gostdb-url=http://127.0.0.1:1325 or DB connection string]
+		[-exploitdb-type=sqlite3|mysql|redis]
+		[-exploitdb-sqlite3-path=/path/to/exploitdb.sqlite3]
+		[-exploitdb-url=http://127.0.0.1:1325 or DB connection string]
 		[-http="http://vuls-report-server"]
 
 		[RFC3339 datetime format under results dir]
@@ -183,6 +188,12 @@ func (p *ReportCmd) SetFlags(f *flag.FlagSet) {
 	f.StringVar(&p.gostConf.URL, "gostdb-url", "",
 		"http://gost.com:1325 or DB connection string")
 
+	f.StringVar(&p.exploitConf.Type, "exploitdb-type", "",
+		"DB type of exploit (sqlite3, mysql, postgres or redis)")
+	f.StringVar(&p.exploitConf.SQLite3Path, "exploitdb-sqlite3-path", "", "/path/to/sqlite3")
+	f.StringVar(&p.exploitConf.URL, "exploitdb-url", "",
+		"http://exploit.com:1326 or DB connection string")
+
 	f.StringVar(&p.httpConf.URL, "http", "", "-to-http http://vuls-report")
 
 }
@@ -200,6 +211,7 @@ func (p *ReportCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interface{}
 	c.Conf.CveDict.Overwrite(p.cveDict)
 	c.Conf.OvalDict.Overwrite(p.ovalDict)
 	c.Conf.Gost.Overwrite(p.gostConf)
+	c.Conf.Exploit.Overwrite(p.exploitConf)
 	c.Conf.HTTP.Overwrite(p.httpConf)
 
 	var dir string
@@ -378,10 +390,25 @@ func (p *ReportCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interface{}
 				util.Log.Infof("gost: %s", c.Conf.Gost.SQLite3Path)
 			}
 		}
+
+		if c.Conf.Exploit.URL != "" {
+			util.Log.Infof("exploit: %s", c.Conf.Exploit.URL)
+			err := exploit.CheckHTTPHealth()
+			if err != nil {
+				util.Log.Errorf("exploit HTTP server is not running. err: %s", err)
+				util.Log.Errorf("Run exploit as server mode before reporting or run with -exploitdb-sqlite3-path option instead of -exploitdb-url")
+				return subcommands.ExitFailure
+			}
+		} else {
+			if c.Conf.Exploit.Type == "sqlite3" {
+				util.Log.Infof("exploit: %s", c.Conf.Exploit.SQLite3Path)
+			}
+		}
 		dbclient, locked, err := report.NewDBClient(report.DBClientConf{
 			CveDictCnf:  c.Conf.CveDict,
 			OvalDictCnf: c.Conf.OvalDict,
 			GostCnf:     c.Conf.Gost,
+			ExploitCnf:  c.Conf.Exploit,
 			DebugSQL:    c.Conf.DebugSQL,
 		})
 		if locked {

commands/report.go

@@ -24,7 +24,10 @@ import (
 	"path/filepath"
 
 	c "github.com/future-architect/vuls/config"
+	"github.com/future-architect/vuls/exploit"
+	"github.com/future-architect/vuls/gost"
 	"github.com/future-architect/vuls/models"
+	"github.com/future-architect/vuls/oval"
 	"github.com/future-architect/vuls/report"
 	"github.com/future-architect/vuls/util"
 	"github.com/google/subcommands"
@@ -33,10 +36,11 @@ import (
 
 // TuiCmd is Subcommand of host discovery mode
 type TuiCmd struct {
-	configPath string
-	cvelDict   c.GoCveDictConf
-	ovalDict   c.GovalDictConf
-	gostConf   c.GostConf
+	configPath  string
+	cvelDict    c.GoCveDictConf
+	ovalDict    c.GovalDictConf
+	gostConf    c.GostConf
+	exploitConf c.ExploitConf
 }
 
 // Name return subcommand name
@@ -124,6 +128,13 @@ func (p *TuiCmd) SetFlags(f *flag.FlagSet) {
 	f.StringVar(&p.gostConf.SQLite3Path, "gostdb-path", "", "/path/to/sqlite3")
 	f.StringVar(&p.gostConf.URL, "gostdb-url", "",
 		"http://gost.com:1325 or DB connection string")
+
+	f.StringVar(&p.exploitConf.Type, "exploitdb-type", "",
+		"DB type of exploit (sqlite3, mysql, postgres or redis)")
+	f.StringVar(&p.exploitConf.SQLite3Path, "exploitdb-sqlite3-path", "", "/path/to/sqlite3")
+	f.StringVar(&p.exploitConf.URL, "exploitdb-url", "",
+		"http://exploit.com:1326 or DB connection string")
+
 }
 
 // Execute execute
@@ -142,11 +153,7 @@ func (p *TuiCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interface{}) s
 	c.Conf.CveDict.Overwrite(p.cvelDict)
 	c.Conf.OvalDict.Overwrite(p.ovalDict)
 	c.Conf.Gost.Overwrite(p.gostConf)
-
-	util.Log.Info("Validating config...")
-	if !c.Conf.ValidateOnTui() {
-		return subcommands.ExitUsageError
-	}
+	c.Conf.Exploit.Overwrite(p.exploitConf)
 
 	var dir string
 	var err error
@@ -159,17 +166,78 @@ func (p *TuiCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interface{}) s
 		util.Log.Errorf("Failed to read from JSON: %s", err)
 		return subcommands.ExitFailure
 	}
+
+	util.Log.Info("Validating config...")
+	if !c.Conf.ValidateOnTui() {
+		return subcommands.ExitUsageError
+	}
+
 	var res models.ScanResults
 	if res, err = report.LoadScanResults(dir); err != nil {
 		util.Log.Error(err)
 		return subcommands.ExitFailure
 	}
 	util.Log.Infof("Loaded: %s", dir)
 
+	if err := report.CveClient.CheckHealth(); err != nil {
+		util.Log.Errorf("CVE HTTP server is not running. err: %s", err)
+		util.Log.Errorf("Run go-cve-dictionary as server mode before reporting or run with -cvedb-sqlite3-path option instead of -cvedb-url")
+		return subcommands.ExitFailure
+	}
+	if c.Conf.CveDict.URL != "" {
+		util.Log.Infof("cve-dictionary: %s", c.Conf.CveDict.URL)
+	} else {
+		if c.Conf.CveDict.Type == "sqlite3" {
+			util.Log.Infof("cve-dictionary: %s", c.Conf.CveDict.SQLite3Path)
+		}
+	}
+
+	if c.Conf.OvalDict.URL != "" {
+		util.Log.Infof("oval-dictionary: %s", c.Conf.OvalDict.URL)
+		err := oval.Base{}.CheckHTTPHealth()
+		if err != nil {
+			util.Log.Errorf("OVAL HTTP server is not running. err: %s", err)
+			util.Log.Errorf("Run goval-dictionary as server mode before reporting or run with -ovaldb-sqlite3-path option instead of -ovaldb-url")
+			return subcommands.ExitFailure
+		}
+	} else {
+		if c.Conf.OvalDict.Type == "sqlite3" {
+			util.Log.Infof("oval-dictionary: %s", c.Conf.OvalDict.SQLite3Path)
+		}
+	}
+
+	if c.Conf.Gost.URL != "" {
+		util.Log.Infof("gost: %s", c.Conf.Gost.URL)
+		err := gost.Base{}.CheckHTTPHealth()
+		if err != nil {
+			util.Log.Errorf("gost HTTP server is not running. err: %s", err)
+			util.Log.Errorf("Run gost as server mode before reporting or run with -gostdb-sqlite3-path option instead of -gostdb-url")
+			return subcommands.ExitFailure
+		}
+	} else {
+		if c.Conf.Gost.Type == "sqlite3" {
+			util.Log.Infof("gost: %s", c.Conf.Gost.SQLite3Path)
+		}
+	}
+
+	if c.Conf.Exploit.URL != "" {
+		util.Log.Infof("exploit: %s", c.Conf.Exploit.URL)
+		err := exploit.CheckHTTPHealth()
+		if err != nil {
+			util.Log.Errorf("exploit HTTP server is not running. err: %s", err)
+			util.Log.Errorf("Run exploit as server mode before reporting or run with -exploitdb-sqlite3-path option instead of -exploitdb-url")
+			return subcommands.ExitFailure
+		}
+	} else {
+		if c.Conf.Exploit.Type == "sqlite3" {
+			util.Log.Infof("exploit: %s", c.Conf.Exploit.SQLite3Path)
+		}
+	}
 	dbclient, locked, err := report.NewDBClient(report.DBClientConf{
 		CveDictCnf:  c.Conf.CveDict,
 		OvalDictCnf: c.Conf.OvalDict,
 		GostCnf:     c.Conf.Gost,
+		ExploitCnf:  c.Conf.Exploit,
 		DebugSQL:    c.Conf.DebugSQL,
 	})
 	if locked {

commands/tui.go

@@ -122,6 +122,7 @@ type Config struct {
 	CveDict  GoCveDictConf `json:"cveDict"`
 	OvalDict GovalDictConf `json:"ovalDict"`
 	Gost     GostConf      `json:"gost"`
+	Exploit  ExploitConf   `json:"exploit"`
 
 	Slack    SlackConf    `json:"-"`
 	EMail    SMTPConf     `json:"-"`
@@ -889,6 +890,59 @@ func (cnf *GostConf) Overwrite(cmdOpt GostConf) {
 	cnf.setDefault()
 }
 
+// ExploitConf is exploit config
+type ExploitConf struct {
+	// DB type for exploit dictionary (sqlite3, mysql, postgres or redis)
+	Type string
+
+	// http://exploit-dictionary.com:1324 or DB connection string
+	URL string `json:"-"`
+
+	// /path/to/exploit.sqlite3
+	SQLite3Path string `json:"-"`
+}
+
+func (cnf *ExploitConf) setDefault() {
+	if cnf.Type == "" {
+		cnf.Type = "sqlite3"
+	}
+	if cnf.URL == "" && cnf.SQLite3Path == "" {
+		wd, _ := os.Getwd()
+		cnf.SQLite3Path = filepath.Join(wd, "go-exploitdb.sqlite3")
+	}
+}
+
+const exploitDBType = "EXPLOITDB_TYPE"
+const exploitDBURL = "EXPLOITDB_URL"
+const exploitDBPATH = "EXPLOITDB_SQLITE3_PATH"
+
+// Overwrite set options with the following priority.
+// 1. Command line option
+// 2. Environment variable
+// 3. config.toml
+func (cnf *ExploitConf) Overwrite(cmdOpt ExploitConf) {
+	if os.Getenv(exploitDBType) != "" {
+		cnf.Type = os.Getenv(exploitDBType)
+	}
+	if os.Getenv(exploitDBURL) != "" {
+		cnf.URL = os.Getenv(exploitDBURL)
+	}
+	if os.Getenv(exploitDBPATH) != "" {
+		cnf.SQLite3Path = os.Getenv(exploitDBPATH)
+	}
+
+	if cmdOpt.Type != "" {
+		cnf.Type = cmdOpt.Type
+	}
+	if cmdOpt.URL != "" {
+		cnf.URL = cmdOpt.URL
+	}
+	if cmdOpt.SQLite3Path != "" {
+		cnf.SQLite3Path = cmdOpt.SQLite3Path
+	}
+	cnf.setDefault()
+}
+
 // AWS is aws config
 type AWS struct {
 	// AWS profile to use

config/config.go

@@ -51,6 +51,7 @@ func (c TOMLLoader) Load(pathToToml, keyPass string) error {
 	Conf.CveDict = conf.CveDict
 	Conf.OvalDict = conf.OvalDict
 	Conf.Gost = conf.Gost
+	Conf.Exploit = conf.Exploit
 
 	d := conf.Default
 	Conf.Default = d