Vulnerability Data

Overview

Where the vulnerability data comes from, and how to download and build the database.

Downloading the Database

Downloading the vulnerability database with trivy

The per-component vulnerability lists are aggregated by the trivy-db tool: a GitHub Actions workflow rebuilds the database every 6 hours and pushes it to GHCR (GitHub Container Registry). We can mirror that database to scan container images, Kubernetes clusters, local filesystems and so on offline.

Download it into a local cache with the trivy CLI; make sure the network is reachable:

# Proxy for faster downloads; enable it only if your environment needs it
#export HTTPS_PROXY=http://127.0.0.1:1087

# Pull the database only, without scanning anything; it lands in
# ./cache/db/trivy.db and ./cache/db/metadata.json
trivy --cache-dir ./cache image --download-db-only

Building a Private Vulnerability Database

TODO

Approach:

  1. Clone the repository https://github.com/aquasecurity/trivy-db.git
  2. Adapt the pipeline in .github/workflows/cron.yml
  3. Build the database and upload it to the internal storage/registry
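The two procedures above (syncing the public database into a local cache, and publishing your own build to internal storage) both end with the same two files. The following is an added example, not trivy's or trivy-db's own code: it validates the metadata.json of a synced cache (schema version and staleness, which is the usual silent failure of an air-gapped `--skip-db-update` setup), bundles the cache into the flat db.tar.gz layout, and emits the `oras push` line for the internal registry that clients then reach with `--db-repository`. The assumptions are labelled in the code: the cache layout `<cache-dir>/db/{trivy.db,metadata.json}`, the metadata fields, the OCI media types, and the sample metadata.json, which is constructed rather than downloaded.

```python
"""Validate a synced trivy DB cache and package it for an internal mirror.

Added example, not trivy's or trivy-db's own code. Labelled assumptions:
  * trivy keeps the DB as <cache-dir>/db/trivy.db and <cache-dir>/db/metadata.json
  * metadata.json carries Version, NextUpdate, UpdatedAt, DownloadedAt (RFC 3339)
  * the artifact trivy pulls is db.tar.gz holding exactly those two files, flat
"""
import json
import tarfile
import tempfile
from datetime import datetime
from pathlib import Path

DB_SCHEMA_VERSION = 2  # the ":2" tag of ghcr.io/aquasecurity/trivy-db
DB_FILES = ("trivy.db", "metadata.json")
# OCI media types used when publishing trivy-db; check them against the trivy version you run
ARTIFACT_TYPE = "application/vnd.aquasec.trivy.config.v1+json"
LAYER_TYPE = "application/vnd.aquasec.trivy.db.layer.v1.tar+gzip"

# Constructed sample metadata.json (not a real download).
SAMPLE_METADATA = json.dumps({
    "Version": 2,
    "NextUpdate": "2024-01-05T12:00:00Z",
    "UpdatedAt": "2024-01-05T06:00:00Z",
    "DownloadedAt": "2024-01-05T07:30:00Z",
})


def _ts(value):
    """Parse an RFC 3339 timestamp such as 2024-01-05T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_metadata(text, now_iso):
    """Return the problems found in a metadata.json body (empty list means usable).

    A stale DB is the classic air-gap failure: `--skip-db-update` scans happily
    against data nobody refreshed, so the NextUpdate check is made explicit here.
    """
    md = json.loads(text)
    now = _ts(now_iso)
    problems = []
    if md.get("Version") != DB_SCHEMA_VERSION:
        problems.append(f"schema version {md.get('Version')}, expected {DB_SCHEMA_VERSION}")
    if now > _ts(md["NextUpdate"]):
        problems.append(f"stale: NextUpdate {md['NextUpdate']} has passed")
    return problems


def package_db(cache_dir, out_path):
    """Bundle <cache-dir>/db/{trivy.db,metadata.json} into db.tar.gz, flat, as trivy expects."""
    db_dir = Path(cache_dir) / "db"
    with tarfile.open(out_path, "w:gz") as tar:
        for name in DB_FILES:
            tar.add(str(db_dir / name), arcname=name)  # no leading directory inside the tar
    return out_path


def archive_members(path):
    """Sorted member names of an archive, for verifying the layout before pushing."""
    with tarfile.open(path, "r:gz") as tar:
        return sorted(m.name for m in tar.getmembers())


def oras_push_command(repo, archive="db.tar.gz"):
    """`oras push` argv for the internal registry; trivy then uses --db-repository <repo>:2."""
    return ["oras", "push", f"{repo}:{DB_SCHEMA_VERSION}",
            "--artifact-type", ARTIFACT_TYPE, f"{archive}:{LAYER_TYPE}"]


def demo():
    """Build a throwaway cache with a placeholder trivy.db, package it, return the member list."""
    with tempfile.TemporaryDirectory() as tmp:
        db_dir = Path(tmp) / "cache" / "db"
        db_dir.mkdir(parents=True)
        (db_dir / "trivy.db").write_bytes(b"\x00" * 16)  # placeholder, not a real bolt file
        (db_dir / "metadata.json").write_text(SAMPLE_METADATA)
        archive = package_db(db_dir.parent, Path(tmp) / "db.tar.gz")
        return archive_members(archive)


if __name__ == "__main__":
    print(check_metadata(SAMPLE_METADATA, "2024-01-06T00:00:00Z"))
    print(demo())
    print(" ".join(oras_push_command("registry.internal/trivy-db")))
```

Run the check against the real `./cache/db/metadata.json` before each offline scan; if the list is non-empty, re-sync instead of scanning with `--skip-db-update`.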

Vulnerability Data Sources

Operating systems

Name              Database                          URL
Alpine Linux      secdb                             https://secdb.alpinelinux.org/
                  aquasecurity                      https://github.com/aquasecurity/vuln-list
Debian            Security Bug Tracker              https://security-tracker.debian.org/tracker/
                  OVAL                              https://www.debian.org/security/oval/
                  aquasecurity                      https://github.com/aquasecurity/vuln-list-debian
Ubuntu            Ubuntu CVE Tracker                https://ubuntu.com/security/cve
                  aquasecurity                      https://github.com/aquasecurity/vuln-list
RHEL/CentOS       OVAL                              https://www.redhat.com/security/data/oval/v2/
                  Security Data                     https://www.redhat.com/security/data/metrics/
                  aquasecurity                      https://github.com/aquasecurity/vuln-list-redhat
Arch Linux        Vulnerable Issues                 https://security.archlinux.org/
Wolfi Linux       secdb                             https://packages.wolfi.dev/os/security.json
Chainguard        secdb                             https://packages.cgr.dev/chainguard/security.json
Amazon Linux      Amazon Linux Security Center      https://alas.aws.amazon.com/
AlmaLinux         AlmaLinux Product Errata          https://errata.almalinux.org/
Rocky Linux       Rocky Linux UpdateInfo            https://download.rockylinux.org/pub/rocky/
Oracle Linux      OVAL                              https://linux.oracle.com/security/oval/
CBL-Mariner       OVAL                              https://github.com/microsoft/CBL-MarinerVulnerabilityData/
OpenSUSE/SLES     CVRF                              http://ftp.suse.com/pub/projects/security/cvrf/
Photon OS         Photon Security Advisory          https://packages.vmware.com/photon/photon_cve_metadata/

Language ecosystems

Name      Database                                      URL
PHP       PHP Security Advisories Database              https://github.com/FriendsOfPHP/security-advisories
          GitHub Advisory Database (Composer)           https://github.com/advisories?query=ecosystem%3Acomposer
Python    GitHub Advisory Database (pip)                https://github.com/advisories?query=ecosystem%3Apip
          Open Source Vulnerabilities (PyPI)            https://osv.dev/list?q=&ecosystem=PyPI
Ruby      Ruby Advisory Database                        https://github.com/rubysec/ruby-advisory-db
          GitHub Advisory Database (RubyGems)           https://github.com/advisories?query=ecosystem%3Arubygems
Node.js   Ecosystem Security Working Group              https://github.com/nodejs/security-wg
          GitHub Advisory Database (npm)                https://github.com/advisories?query=ecosystem%3Anpm
Java      GitHub Advisory Database (Maven)              https://github.com/advisories?query=ecosystem%3Amaven
Go        GitHub Advisory Database (Go)                 https://github.com/advisories?query=ecosystem%3Ago
Rust      Open Source Vulnerabilities (crates.io)       https://osv.dev/list?q=&ecosystem=crates.io
.NET      GitHub Advisory Database (NuGet)              https://github.com/advisories?query=ecosystem%3Anuget
C/C++     GitLab Advisories Community                   https://gitlab.com/gitlab-org/advisories-community
Dart      GitHub Advisory Database (Pub)                https://github.com/advisories?query=ecosystem%3Apub
Elixir    GitHub Advisory Database (Erlang)             https://github.com/advisories?query=ecosystem%3Aerlang
Swift     GitHub Advisory Database (Swift)              https://github.com/advisories?query=ecosystem%3Aswift

Kubernetes

Name          Database                          URL
Bitnami       bitnami                           https://github.com/bitnami/vulndb
Kubernetes    CVE feed                          https://kubernetes.io/docs/reference/issues-security/official-cve-feed/
              aquasecurity                      https://github.com/aquasecurity/vuln-list-k8s

Other sources

Name          Database                          URL
GitHub        GitHub                            https://github.com/github/advisory-database
NVD           NVD                               https://nvd.nist.gov/
              aquasecurity                      https://github.com/aquasecurity/vuln-list-nvd
CocoaPods     CocoaPods                         https://github.com/CocoaPods/Specs

Data structure stored in bbolt

trivy.db is a bbolt (Bolt) key-value file, so the bbolt CLI can be used to inspect it directly. The path assets/trivy.db below is where a trivy-db build leaves the file; a trivy cache keeps it under <cache-dir>/db/trivy.db.

List the buckets

$ bbolt buckets assets/trivy.db
...
pub::GitHub Security Advisory Pub
rocky 8
rocky 9
rubygems::GitHub Security Advisory RubyGems
...
ubuntu 22.04
...
vulnerability
wolfi

List the keys in a bucket

$ bbolt keys assets/trivy.db vulnerability
CVE-1234-0007
CVE-1234-1234
CVE-1999-0150
CVE-1999-0163
CVE-1999-0199
CVE-1999-0236
...
openSUSE-SU-2023:0396-1
openSUSE-SU-2023:0397-1
openSUSE-SU-2023:0404-1
openSUSE-SU-2023:0405-1

Get the value of a key in a bucket

$ bbolt get assets/trivy.db vulnerability CVE-1999-0150
{
    "Title": "CVE-1999-0150 affecting package finger 0.17-4",
    "Description": "The Perl fingerd program allows arbitrary command execution from remote users.",
    "Severity": "HIGH",
    "VendorSeverity": {
        "cbl-mariner": 3,
        "nvd": 3
    },
    "CVSS": {
        "nvd": {
            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "V2Score": 7.5
        }
    },
    "References": [
        "https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0150",
        "https://nvd.nist.gov/vuln/detail/CVE-1999-0150"
    ],
    "PublishedDate": "1997-07-01T04:00:00Z",
    "LastModifiedDate": "2022-08-17T07:15:00Z"
}

A few key buckets

  • Official source of each vulnerability feed: the data-source bucket, keyed by the name of the bucket it describes
$ bbolt get assets/trivy.db data-source "k8s::Official Kubernetes CVE Feed"
{
    "ID": "k8s",
    "Name": "Official Kubernetes CVE Feed",
    "URL": "https://kubernetes.io/docs/reference/issues-security/official-cve-feed/index.json"
}
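The records above are plain JSON, so the bbolt output can be decoded without touching trivy. The following is an added example, not trivy-db's own code: it classifies top-level bucket names into OS buckets ("ubuntu 22.04", "wolfi") and language-ecosystem buckets ("pub::GitHub Security Advisory Pub"), decodes the vulnerability record shown above (the VendorSeverity integers and the CVSS vector), and walks the per-source advisory data to answer "which feeds carry a fix for this ID". Labelled assumptions: the severity integers follow trivy-db's enum (0 UNKNOWN, 1 LOW, 2 MEDIUM, 3 HIGH, 4 CRITICAL; the record above maps 3 to HIGH, consistent with that); advisories live in nested buckets <source bucket> -> <package> -> <vulnerability ID> holding a JSON object with a FixedVersion field; the advisory entries in SAMPLE_BUCKETS are constructed, not real fixed versions; and reaching a nested bucket from the CLI as `bbolt get <db> <bucket> <package> <id>` requires a bbolt release whose get/keys commands accept sub-bucket arguments.

```python
"""Decode trivy.db records as printed by the bbolt CLI.

Added example, not trivy-db's own code. Labelled assumptions:
  * severity integers are trivy-db's enum: 0 UNKNOWN, 1 LOW, 2 MEDIUM, 3 HIGH, 4 CRITICAL
  * advisories sit in nested buckets <source bucket> -> <package> -> <vuln id>
    with a JSON body such as {"FixedVersion": "..."}
  * SAMPLE_BUCKETS is constructed sample data, not real advisory content
"""
import json

SEVERITY = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Verbatim `bbolt get assets/trivy.db vulnerability CVE-1999-0150` output from this page.
VULN_RECORD = """{
    "Title": "CVE-1999-0150 affecting package finger 0.17-4",
    "Description": "The Perl fingerd program allows arbitrary command execution from remote users.",
    "Severity": "HIGH",
    "VendorSeverity": {"cbl-mariner": 3, "nvd": 3},
    "CVSS": {"nvd": {"V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "V2Score": 7.5}},
    "References": [
        "https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0150",
        "https://nvd.nist.gov/vuln/detail/CVE-1999-0150"
    ],
    "PublishedDate": "1997-07-01T04:00:00Z",
    "LastModifiedDate": "2022-08-17T07:15:00Z"
}"""

# Constructed nested-bucket content: source bucket -> package -> vuln id -> advisory.
# Bucket names and IDs are taken from the page's listings; the packages and
# fixed versions are placeholders for illustration only.
SAMPLE_BUCKETS = {
    "cbl-mariner 2.0": {"finger": {"CVE-1999-0150": {"FixedVersion": "0.17-5"}}},
    "ubuntu 22.04": {"examplepkg": {"CVE-1234-1234": {"FixedVersion": "1.0-1"}}},
    "pub::GitHub Security Advisory Pub": {"examplepkg": {"CVE-1234-0007": {"FixedVersion": "2.0.0"}}},
}


def parse_bucket_name(name):
    """Classify a top-level bucket: ('os', distro, version) or ('lang', ecosystem, source)."""
    if "::" in name:                       # "pub::GitHub Security Advisory Pub"
        ecosystem, source = name.split("::", 1)
        return ("lang", ecosystem, source)
    distro, _, version = name.partition(" ")  # "ubuntu 22.04", "wolfi" (no version)
    return ("os", distro, version)


def severity_name(n):
    """Map a VendorSeverity integer to its name; anything outside the enum is UNKNOWN."""
    return SEVERITY[n] if isinstance(n, int) and 0 <= n < len(SEVERITY) else "UNKNOWN"


def parse_cvss_vector(vector):
    """Split 'AV:N/AC:L/Au:N/C:P/I:P/A:P' (v2) or 'CVSS:3.1/AV:N/...' (v3) into metric -> value."""
    metrics = {}
    for part in vector.split("/"):
        if ":" in part:
            key, value = part.split(":", 1)
            metrics[key] = value
    return metrics


def decode_vulnerability(raw):
    """Turn one `bbolt get ... vulnerability <id>` JSON body into a summary dict."""
    rec = json.loads(raw)
    vendor = rec.get("VendorSeverity", {})
    cvss = rec.get("CVSS", {})
    return {
        "title": rec.get("Title", ""),
        "severity": rec.get("Severity", "UNKNOWN"),
        "vendor_severity": {src: severity_name(n) for src, n in vendor.items()},
        # highest rating any vendor gave; trivy's own choice of Severity may follow other rules
        "highest_vendor_severity": severity_name(max(vendor.values(), default=0)),
        "cvss": {src: c.get("V3Score", c.get("V2Score")) for src, c in cvss.items()},
        "cvss_vectors": {src: parse_cvss_vector(c.get("V3Vector") or c.get("V2Vector", ""))
                         for src, c in cvss.items()},
        "published": rec.get("PublishedDate"),
    }


def advisories_for(buckets, vuln_id):
    """Walk source bucket -> package -> vuln id; return every (bucket, package, fixed version)."""
    hits = []
    for bucket, packages in buckets.items():
        for package, advisories in packages.items():
            if vuln_id in advisories:
                hits.append((bucket, package, advisories[vuln_id].get("FixedVersion", "")))
    return hits


def bbolt_get_argv(db_path, bucket, package, vuln_id):
    """CLI argv that reads the same nested advisory entry (needs sub-bucket support in bbolt)."""
    return ["bbolt", "get", db_path, bucket, package, vuln_id]


if __name__ == "__main__":
    print(decode_vulnerability(VULN_RECORD))
    for hit in advisories_for(SAMPLE_BUCKETS, "CVE-1999-0150"):
        print(hit, " ".join(bbolt_get_argv("assets/trivy.db", *hit[:2], "CVE-1999-0150")))
```

Pipe the output of `bbolt keys assets/trivy.db <bucket>` and the matching `bbolt get` calls into decode_vulnerability and advisories_for to run the same queries against a real database rather than the constructed sample.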



Last modified 2024.01.05: docs: add falco content (b084241)