Conversation
This pull request does not have a backport label. Could you fix it @jeniawhite? 🙏
📊 Allure Report - 💚 No failures were reported.
This pull request is now in conflicts. Could you fix it? 🙏
amirbenun left a comment:
Looks good, can you please print a single vulnerability?
vulnerability/events_creator.go (outdated)
| type Machine struct { | ||
| Type string `json:"type,omitempty"` | ||
| Key AuthInfo `json:"key,omitempty"` |
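Review bot: `Key AuthInfo \`json:"key,omitempty"\`` nests a struct that carries its own `key` field, so the indexed path becomes `cloud.machine.key.key`; tagging the field `authentication` yields `cloud.machine.authentication.key`, which is the shape the example event in the description shows. It would also help to document on the field that the value is the EC2 key-pair name (the example carries `cloudbeat-generated-4c687128`), not key material, so nobody later treats this field as sensitive or extends it to carry any.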
This will create cloud.machine.key.key, please rename to authentication
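To make the naming point in this thread concrete, here is an added example (not code from the cloudbeat PR) that marshals both the reviewed `Machine` shape and the renamed one and lists the dotted field names each produces, which is what the index mapping and Kibana will see; `fieldPaths` and `MachineBefore` are hypothetical names, and arrays are treated as leaves.

```go
package main

import (
	"encoding/json"
	"sort"
	"strings"
)

// Reviewed shape: a field tagged "key" holding a struct whose own field is
// tagged "key", which is what produced cloud.machine.key.key.
type AuthInfo struct {
	Key string `json:"key,omitempty"`
}
type MachineBefore struct {
	Type string   `json:"type,omitempty"`
	Key  AuthInfo `json:"key,omitempty"`
}

// Renamed shape the reviewer asked for, matching the example event.
type Machine struct {
	Type           string   `json:"type,omitempty"`
	Authentication AuthInfo `json:"authentication,omitempty"`
}

// fieldPaths marshals any event value and returns its sorted dotted leaf
// field names (arrays count as leaves); nil if the value cannot be encoded.
func fieldPaths(v any) []string {
	b, _ := json.Marshal(v)
	var doc any
	if json.Unmarshal(b, &doc) != nil {
		return nil
	}
	var out []string
	var walk func(prefix string, node any)
	walk = func(prefix string, node any) {
		obj, ok := node.(map[string]any)
		if !ok {
			out = append(out, prefix)
			return
		}
		for k, child := range obj {
			walk(strings.TrimPrefix(prefix+"."+k, "."), child)
		}
	}
	walk("", doc)
	sort.Strings(out)
	return out
}
```

Wrap the struct under its top-level key (for example `map[string]any{"cloud": map[string]any{"machine": m}}`) so the returned names match the full paths the index will receive.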
vulnerability/events_creator.go (outdated)
| func getMacAddresses(interfaces []ec2Types.InstanceNetworkInterface) []string { | ||
| macAddresses := make([]string, len(interfaces)) | ||
| for i, iface := range interfaces { | ||
| macAddresses[i] = *iface.MacAddress | ||
| } | ||
| return macAddresses | ||
| } | ||
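Review bot: `*iface.MacAddress` dereferences an SDK pointer with no nil check; the AWS SDK v2 types model optional attributes as `*string`, so one interface that reports no MAC address panics the whole scan instead of producing an event with a missing field. Suggest skipping nil entries and appending rather than pre-sizing the slice, e.g. `if iface.MacAddress != nil { macAddresses = append(macAddresses, *iface.MacAddress) }`, or going through `aws.ToString` if an empty string is acceptable.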
| func getInstanceTags(tags []ec2Types.Tag) map[string]string { | ||
| instanceTags := make(map[string]string, len(tags)) | ||
| for _, tag := range tags { | ||
| instanceTags[*tag.Key] = *tag.Value | ||
| } | ||
| return instanceTags | ||
| } | ||
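Review bot: same nil-pointer concern as in `getMacAddresses`: `*tag.Key` and `*tag.Value` panic on a tag whose key or value is nil, so guard both before indexing into the map. Separately, every distinct tag key becomes its own field under `cloud.tags.*` (the example event already shows `cloud.tags.Name`, `cloud.tags.ec2_type` and so on), and tag keys are free-form input from whoever administers the scanned account, so check that `cloud.tags` is mapped as `flattened` or otherwise bounded rather than as a dynamic object, or a tenant with many unique tag keys can grow the index mapping without limit.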
| func getSecurityGroups(groups []ec2Types.GroupIdentifier) []SecurityGroupInfo { | ||
| securityGroups := make([]SecurityGroupInfo, len(groups)) | ||
| for i, group := range groups { | ||
| securityGroups[i] = SecurityGroupInfo{ | ||
| GroupId: group.GroupId, | ||
| GroupName: group.GroupName, | ||
| } | ||
| } | ||
| return securityGroups | ||
| } | ||
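Review bot: unlike the two helpers above, this one copies `group.GroupId` and `group.GroupName` through as pointers instead of dereferencing them, so `SecurityGroupInfo` must hold `*string` fields and a nil value reaches the JSON encoder (as `null`, or dropped if the tags carry `omitempty`) where the other helpers would panic. Pick one convention for optional SDK strings across the file; if the pointer form stays, it is the safer of the two, but it should be deliberate and consistent rather than differ per helper.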
just wondering if maybe those methods should reside under the ec2 provider.
@amirbenun The current PR is reliant on the above PR to merge and map the ECS fields.
@amirbenun The fields @nick-alayil, in that case, are we going to review the naming in Kibana according to the new fields? cc @kfirpeled for awareness and prioritization

Thanks @opauloh, so as a first step we will just add the new fields and use them in Kibana instead.
@nick-alayil what do you think? Are real users exploring CNVM? If not I would make this change before CNVM goes GA.
In this case, we can create a migration flow like we already had in other cases, that will map these fields to the right place. I'm not sure if it was an ingest pipeline or something else in Kibana itself but I do remember we had something like that already @orouz @kfirpeled

Hey @amirbenun / @oren-zohar I opened a Kibana ticket for us to track the required changes in Kibana to deprecate the resource fields in favor of the new fields. I believe it's not a blocker for this PR since the new fields were added without removing the resource fields, so this PR can be merged.



Summary of your changes
Enhances the CNVM index with additional data about the instance being scanned: cloud, network, host, and security group information are now added to each vulnerability document.
Note that the cloud and host data describe the scanned instance, not the scanner instance. This is why the stock cloud and host processors were not used: they collect information about the machine the scanner itself runs on.
Example of an indexed event (`_source` only):

```json
{
  "_index": ".ds-logs-cloud_security_posture.vulnerabilities-default-2023.07.16-000001",
  "_id": "K7c5YYkBz2hMpetn5RA-",
  "_version": 1,
  "_score": 0,
  "_ignored": ["vulnerability.description"],
  "_source": {
    "agent": {
      "name": "ip-172-31-32-84.eu-west-1.compute.internal",
      "id": "1f859814-361a-4693-8717-fdbd2b9c45c7",
      "type": "cloudbeat",
      "ephemeral_id": "39524697-5b09-4a5e-bfdc-abdd1bc0983f",
      "version": "8.9.0"
    },
    "package": {
      "path": "Python",
      "fixed_version": "39.0.1",
      "name": "cryptography",
      "type": "python-pkg",
      "version": "3.4.8"
    },
    "resource": { "name": "amir-env-imV", "id": "0214c95f3c81ea3bc" },
    "elastic_agent": {
      "id": "1f859814-361a-4693-8717-fdbd2b9c45c7",
      "version": "8.9.0",
      "snapshot": false
    },
    "vulnerability": {
      "severity": "HIGH",
      "package": { "fixed_version": "39.0.1", "name": "cryptography", "version": "3.4.8" },
      "description": "There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.",
      "title": "X.400 address type confusion in X.509 GeneralName",
      "classification": "CVSS",
      "data_source": {
        "ID": "ghsa",
        "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip",
        "Name": "GitHub Security Advisory Pip"
      },
      "cwe": ["CWE-843"],
      "reference": "https://avd.aquasec.com/nvd/cve-2023-0286",
      "score": { "version": "3.1", "base": 7.4 },
      "report_id": 1689519799,
      "scanner": { "vendor": "Trivy", "version": "v0.35.0" },
      "id": "CVE-2023-0286",
      "enumeration": "CVE",
      "category": "lang-pkgs",
      "class": "lang-pkgs",
      "cvss": {
        "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", "V3Score": 7.4 },
        "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", "V3Score": 7.4 },
        "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", "V3Score": 7.4 }
      },
      "published_date": "2023-02-08T20:15:00Z"
    },
    "network": {
      "public_ip": "54.154.24.188",
      "private_ip": "172.31.13.27",
      "mac_addresses": ["02:bf:d7:76:6b:4d"]
    },
    "cloud": {
      "availability_zone": "eu-west-1a",
      "instance": { "name": "amir-env-imV", "id": "0214c95f3c81ea3bc" },
      "provider": "aws",
      "service": { "name": "AWS EC2" },
      "machine": {
        "launch_time": "2023-06-28T14:23:33Z",
        "image": "ami-0a5b3305c37e58e04",
        "type": "c5.4xlarge",
        "authentication": { "key": "cloudbeat-generated-4c687128" }
      },
      "region": "eu-west-1",
      "account": { "name": "elastic-security-cloud-security-dev", "id": "704479110758" },
      "tags": {
        "division": "engineering",
        "provisioner": "terraform",
        "org": "security",
        "ec2_type": "kspm",
        "project": "test-environments",
        "team": "cloud-security-posture",
        "id": "4c687128",
        "Name": "amir-env-imV"
      }
    },
    "security": {
      "security_groups": [
        { "group_id": "sg-040c153bec4b15dc2", "group_name": "terraform-20230628142329353700000001" }
      ]
    },
    "@timestamp": "2023-07-17T00:22:03.491Z",
    "ecs": { "version": "8.6.0" },
    "cloudbeat": {
      "commit_sha": "2a9a2de4d2cac154d4bb7fddf453abd7add47c17",
      "commit_time": "2023-07-16T13:35:59Z",
      "version": "8.9.0"
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "cloud_security_posture.vulnerabilities"
    },
    "host": {
      "os": { "platform": "Linux/UNIX" },
      "name": "amir-env-imV",
      "architecture": "x86_64"
    },
    "event": {
      "agent_id_status": "verified",
      "sequence": 1689519799,
      "ingested": "2023-07-17T00:22:11Z",
      "created": "2023-07-17T00:22:03.491025338Z",
      "kind": "state",
      "id": "0048cfc1-ed60-489c-8558-76291d1ec259",
      "category": ["vulnerability"],
      "type": ["info"],
      "dataset": "cloud_security_posture.vulnerabilities",
      "outcome": "success"
    }
  }
}
```