Common available tools find full file matches between a scanned file and a vulnerable one. VSF allows you to go one step further and find vulnerable code snippets embedded in the scanned code even when a full file match does not exist.
How it works
VSF uses extended client functionality to perform a check for vulnerable snippets. Code is compared against the FossID security volume (security volumes must be enabled in case of offline deployment).
Assumptions
- In Linux:
  - The CLI tools are by default installed at ‘/usr/bin’
  - The system uses a deb or rpm package manager
- In Windows:
  - The CLI tools are added to the current working directory
Access deliverables
Access information to the FossID deliverables is provided in the delivery mail.
Download and extract the fossid-cli-tools-VERSION.zip.
Install FossID deliverable
Debian / Ubuntu
sudo dpkg -i fossid-cli-tools-VERSION_amd64.deb
RedHat
sudo yum localinstall fossid-cli-tools-VERSION_amd64.rpm -y
Windows
You can run fossid-cli.exe from the Windows command prompt in the directory where it was extracted.
FossID CLI pre-requisites
Install packages required by CLI
Debian / Ubuntu
Update package repository:
sudo apt-get update
Install packages:
sudo apt-get install default-jre -y
Redhat
Install packages:
sudo yum install java-11-openjdk -y
Test that all is installed correctly
Run the following test command to check whether the CLI tools can reach the scan server.
fossid-cli --host YOUR_SERVER_HOST --token YOUR_TOKEN --test-route
Note: The host address and the token are provided at your FossID delivery site. If you do not use FossID’s scan servers, tokens are administered by your scan server administrator.
FossID configuration
Basic fossid.conf settings
The FossID configuration file can be used to configure the scan server credentials and additional scan options.
To configure the scan server credentials:
- In Linux: Edit /etc/fossid.conf
- In Windows: Edit fossid.conf in the fossid-cli executable location
Update these config options with the information from your FossID delivery site (or from your scan server administrator if you do not use FossID’s scan servers), then save the fossid.conf file.
cli_server_host = YOUR_SERVER_HOST
cli_token = YOUR_TOKEN
Note: Configuration changes take effect immediately; no restart is required.
Proxy configuration and additional options for the CLI tools are available in the same file.
Using FossID Vulnerability Snippet Finder
Target code can be scanned for vulnerabilities using the --vsf parameter. You will need jq installed on your system to do this.
To install jq on a Debian-based system, run
sudo apt install jq -y
To install jq on RedHat, run
sudo yum install jq -y
Usage example
./fossid-cli --vsf '/tmp/t1_lib.c'
Result
The output below has been ‘prettified’ and abbreviated for readability purposes.
{
  "date": "2020-11-03T12:32:33Z",
  "file": {
    "available": true,
    "encoding": "UTF-8",
    "id": "c66dd54d05901afad2a2eaa900000000",
    "md5": "c66dd54d05901afad2a2eaa900000000",
    "path": "CVE-2016-2177",
    "size": 145142
  },
  "local_path": "/tmp/t1_lib.c",
  "snippet": {
    "id": "37b03c7c0df744a1659a44cd06f6b0a3",
    "local_coverage": 0.03,
    "local_highlight": {
      "blocks": [
        {
          "byte_range": {
            "begin": 39643,
            "end": 39765
          },
          "char_range": {
            "begin": 39643,
            "end": 39765
          },
          "hash_range": {
            "begin": 1017,
            "end": 1022
          },
          "id": "12bff91f4092e0405ccbac07d92b155c"
        }
      ],
      "encoding": "UTF-8",
      "id": "37b03c7c0df744a1659a44cd06f6b0a3",
      "pfm_format": 2
    },
    "local_size": 54,
    "remote_coverage": 0.02,
    "remote_highlight": {
      "blocks": [
        {
          "byte_range": {
            "begin": 85581,
            "end": 85732
          },
          "char_range": {
            "begin": 85581,
            "end": 85732
          },
          "hash_range": {
            "begin": 2066,
            "end": 2071
          },
          "id": "12bff91f4092e0405ccbac07d92b155c"
        }
      ],
      "encoding": "UTF-8",
      "id": "37b03c7c0df744a1659a44cd06f6b0a3",
      "pfm_format": 2
    },
    "remote_size": 54
  },
  "type": "vulnerability",
  "vulnerability": {
    "details": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:hp:icewall_sso:10.0:*:*:*:dfw:*:*:*",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-2177"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-190"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://git.openssl.org/?p=openssl.git;a=commit;h=a004e72b95835136d3f1ea90517f706c24c03da7",
              "refsource": "CONFIRM",
              "tags": [
                "Issue Tracking",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://git.openssl.org/?p=openssl.git;a=commit;h=a004e72b95835136d3f1ea90517f706c24c03da7"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2019-12-27T16:08Z",
      "publishedDate": "2016-06-20T01:59Z"
    },
    "id": "CVE-2016-2177",
    "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2177"
  }
}
Obtaining the snippet and highlighting
You can take the local highlight or remote highlight data from the match and have the CLI highlight it. First, extract the highlight information using the following command:
$ fossid-cli --vsf '/tmp/t1_lib.c' | head -1 | jq .snippet.local_highlight -rc
{"blocks":[{"byte_range":{"begin":39643,"end":39765},"char_range":{"begin":39643,"end":39765},"hash_range":{"begin":1017,"end":1022},"id":"12bff91f4092e0405ccbac07d92b155c"}],"encoding":"UTF-8","id":"37b03c7c0df744a1659a44cd06f6b0a3","pfm_format":2}
Use the highlight information (the output above) as input to fossid-cli via the --highlight-input command line argument:
$ fossid-cli --highlight '/tmp/t1_lib.c' --highlight-input '{"blocks":[{"byte_range":{"begin":39643,"end":39765},"char_range":{"begin":39643,"end":39765},"hash_range":{"begin":1017,"end":1022},"id":"12bff91f4092e0405ccbac07d92b155c"}],"encoding":"UTF-8","id":"37b03c7c0df744a1659a44cd06f6b0a3","pfm_format":2}'
[ ]#ifndef OPENSSL_NO_NEXTPROTONEG
[ ] s->s3->next_proto_neg_seen = 0;
[ ]#endif
[ ]
[ ]#ifndef OPENSSL_NO_HEARTBEATS
[ ] s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
[ ] SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
[===]#endif
[===]
[===] if (data >= (d+n-2))
[===] goto ri_check;
[===]
[===] n2s(data,length);
[===] if (data+length != d+n)
[===] {
[===] *al = SSL_AD_DECODE_ERROR;
[ ] return 0;
[ ] }
[ ]
[ ] while(data <= (d+n-4))
[ ] {
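The following Python script is an added example, not part of this FossID page and not FossID's own code. It does in code what the jq pipeline above does by hand: it reads --vsf output as one JSON object per line (an assumption drawn from the head -1 | jq invocation above), keeps only records whose type is "vulnerability", pulls out the CVE id, CWE, CVSS v3 score and local_highlight blocks from the result layout shown above, and renders the matched region with [===] markers the way --highlight does. The sample source text, its byte offsets and the second record's "type" value are constructed for the demo, and reading byte_range as a half-open interval is an assumption the page does not confirm.

```python
"""Parse fossid-cli --vsf output and render the matched region like --highlight."""
import json

# Constructed stand-in for the scanned file (ASCII, so byte offsets equal char
# offsets). It imitates the region fossid-cli --highlight shows; not the real t1_lib.c.
SAMPLE_SOURCE = (
    "#ifndef OPENSSL_NO_HEARTBEATS\n"
    "    s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED);\n"
    "#endif\n"
    "\n"
    "    if (data >= (d+n-2))\n"
    "        goto ri_check;\n"
    "\n"
    "    n2s(data,length);\n"
    "    if (data+length != d+n)\n"
    "    {\n"
    "        *al = SSL_AD_DECODE_ERROR;\n"
    "        return 0;\n"
    "    }\n"
)

# Byte range of the constructed match, derived from SAMPLE_SOURCE so both stay
# consistent (the real scan on the page reported 39643-39765).
_MARK_END = "*al = SSL_AD_DECODE_ERROR;"
_BEGIN = SAMPLE_SOURCE.index("#endif")
_END = SAMPLE_SOURCE.index(_MARK_END) + len(_MARK_END)

# Constructed --vsf output: one JSON object per line (assumed from `head -1 | jq`),
# in the page's field layout but reduced to the keys read here. The second
# record's "type" is a made-up placeholder standing for a non-vulnerability hit.
SAMPLE_VSF_OUTPUT = "\n".join([
    json.dumps({
        "local_path": "/tmp/t1_lib.c",
        "type": "vulnerability",
        "snippet": {
            "local_coverage": 0.03,
            "local_highlight": {"blocks": [
                {"byte_range": {"begin": _BEGIN, "end": _END}}]},
        },
        "vulnerability": {
            "id": "CVE-2016-2177",
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2177",
            "details": {
                "cve": {"problemtype": {"problemtype_data": [
                    {"description": [{"lang": "en", "value": "CWE-190"}]}]}},
                "impact": {"baseMetricV3": {"cvssV3": {
                    "baseScore": 9.8, "baseSeverity": "CRITICAL"}}},
            },
        },
    }),
    json.dumps({"local_path": "/tmp/other.c", "type": "placeholder_no_match"}),
])


def summarize(ndjson: str) -> list:
    """Keep vulnerability matches only and flatten the fields a triager needs,
    highest CVSS v3 base score first."""
    rows = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("type") != "vulnerability":
            continue
        vuln = rec["vulnerability"]
        details = vuln.get("details", {})
        cvss3 = details.get("impact", {}).get("baseMetricV3", {}).get("cvssV3", {})
        cwes = [d["value"]
                for pt in details.get("cve", {}).get("problemtype", {}).get("problemtype_data", [])
                for d in pt.get("description", [])]
        rows.append({
            "file": rec["local_path"], "cve": vuln["id"], "url": vuln["url"],
            "cwe": ",".join(cwes) or "n/a",
            "cvss3": cvss3.get("baseScore"),
            "severity": cvss3.get("baseSeverity", "UNKNOWN"),
            "coverage": rec["snippet"]["local_coverage"],
            "blocks": rec["snippet"]["local_highlight"]["blocks"],
        })
    rows.sort(key=lambda r: r["cvss3"] or 0.0, reverse=True)
    return rows


def render_highlight(source: bytes, blocks, encoding: str = "UTF-8") -> list:
    """Prefix lines overlapping a highlighted byte_range with [===], others with
    [   ], as fossid-cli --highlight does. Assumes byte_range is half-open
    [begin, end); the page does not state which convention is used."""
    ranges = [(b["byte_range"]["begin"], b["byte_range"]["end"]) for b in blocks]
    out, pos = [], 0
    for raw in source.splitlines(keepends=True):
        start, stop = pos, pos + len(raw)
        hit = any(start < end and begin < stop for begin, end in ranges)
        out.append(("[===]" if hit else "[   ]") + raw.decode(encoding).rstrip("\r\n"))
        pos = stop
    return out


if __name__ == "__main__":
    for row in summarize(SAMPLE_VSF_OUTPUT):
        print(f"{row['file']}: {row['cve']} {row['severity']} ({row['cvss3']}) "
              f"{row['cwe']} local_coverage={row['coverage']} {row['url']}")
        for text in render_highlight(SAMPLE_SOURCE.encode("utf-8"), row["blocks"]):
            print("  " + text)
```

In real use, replace SAMPLE_VSF_OUTPUT with the raw stdout of fossid-cli --vsf and SAMPLE_SOURCE with the bytes of the scanned file; the byte offsets index the file exactly as stored on disk, so read it in binary and do not re-encode it before slicing.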