Commonly available tools find full-file matches between a scanned file and a known vulnerable one. VSF goes one step further and finds vulnerable code snippets embedded in the scanned code even when no full-file match exists.
How it works
VSF uses extended client functionality to check for vulnerable snippets. This functionality is accessible from the Client and from the Workbench. Code is compared against the FossID security volume (security volumes must be enabled).
Using the Workbench
The Workbench provides a testing interface to scan code and look for vulnerable code snippets. It resides within the tools section of the main menu. Each Workbench user has their own VSF scan and can upload and view code using this interface.
This functionality can be accessed in the Workbench by adding the VSF_ACCESS permission to a user. Note that this permission only grants access to the VSF interface in the Workbench. To actually get VSF results when scanning files (either using the Workbench or the CLI), a VSF-enabled CLI token must be configured. Contact FossID support or sales for any questions regarding this.
When accessing VSF in the Workbench you are presented with an initial interface where source code can be uploaded for scanning.
After the scan is performed you will be presented with overview information grouped by CVSS base score severity (both CVSS2 and CVSS3 are considered).
Each CVE is listed with its vulnerability description. Expand an item to see the list of files in which that vulnerability resides.
Selecting a file shows every CVE found in it, with the corresponding security metadata, and shows the match, highlighting the local code side by side with the code found in the security volume.
Using the Client
A target file can be scanned for vulnerabilities using the --vsf parameter. The examples below use jq to extract fields from the JSON output, so install it first.
To install jq on a Debian-based system, run
sudo apt install jq
To install jq on a RedHat-based system, run
sudo yum install jq
Usage example
./fossid-cli --vsf '/tmp/t1_lib.c'
Result
The output below has been ‘prettified’ and abbreviated for readability purposes.
{
  "date": "2020-11-03T12:32:33Z",
  "file": {
    "available": true,
    "encoding": "UTF-8",
    "id": "c66dd54d05901afad2a2eaa900000000",
    "md5": "c66dd54d05901afad2a2eaa900000000",
    "path": "CVE-2016-2177",
    "size": 145142
  },
  "local_path": "/tmp/t1_lib.c",
  "snippet": {
    "id": "37b03c7c0df744a1659a44cd06f6b0a3",
    "local_coverage": 0.03,
    "local_highlight": {
      "blocks": [
        {
          "byte_range": {
            "begin": 39643,
            "end": 39765
          },
          "char_range": {
            "begin": 39643,
            "end": 39765
          },
          "hash_range": {
            "begin": 1017,
            "end": 1022
          },
          "id": "12bff91f4092e0405ccbac07d92b155c"
        }
      ],
      "encoding": "UTF-8",
      "id": "37b03c7c0df744a1659a44cd06f6b0a3",
      "pfm_format": 2
    },
    "local_size": 54,
    "remote_coverage": 0.02,
    "remote_highlight": {
      "blocks": [
        {
          "byte_range": {
            "begin": 85581,
            "end": 85732
          },
          "char_range": {
            "begin": 85581,
            "end": 85732
          },
          "hash_range": {
            "begin": 2066,
            "end": 2071
          },
          "id": "12bff91f4092e0405ccbac07d92b155c"
        }
      ],
      "encoding": "UTF-8",
      "id": "37b03c7c0df744a1659a44cd06f6b0a3",
      "pfm_format": 2
    },
    "remote_size": 54
  },
  "type": "vulnerability",
  "vulnerability": {
    "details": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:hp:icewall_sso:10.0:*:*:*:dfw:*:*:*",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-2177"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-190"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://git.openssl.org/?p=openssl.git;a=commit;h=a004e72b95835136d3f1ea90517f706c24c03da7",
              "refsource": "CONFIRM",
              "tags": [
                "Issue Tracking",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://git.openssl.org/?p=openssl.git;a=commit;h=a004e72b95835136d3f1ea90517f706c24c03da7"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2019-12-27T16:08Z",
      "publishedDate": "2016-06-20T01:59Z"
    },
    "id": "CVE-2016-2177",
    "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2177"
  }
}
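The Workbench groups matches by CVSS severity and lists the files per CVE; the CLI output above carries the same data, so the grouping can be reproduced in a CI step. The script below is an added example, not fossid-cli or FossID code. It assumes that the CLI emits one JSON object per match, one per line, in the shape of the result shown above (the same assumption the `head -1 | jq` pipeline later on this page relies on); the sample records are constructed, trimmed to the fields used here, and CVE-0000-0001 is a placeholder id, not a real CVE.

```python
"""Triage fossid-cli --vsf output outside the Workbench.

Added example, not fossid-cli or FossID code: groups findings by CVSS base
severity, lists the files each CVE appears in (as the Workbench overview
does) and blocks a build above a chosen severity. Assumption: the CLI emits
one JSON object per match, one per line, in the shape shown above.
"""
import json
from collections import defaultdict

# Constructed sample output: three records trimmed to the fields used here.
# CVE-0000-0001 is a placeholder id for the v2-only case, not a real CVE.
_IMPACT_2177 = {
    "baseMetricV2": {"cvssV2": {"baseScore": 7.5}, "severity": "HIGH"},
    "baseMetricV3": {"cvssV3": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}},
}
SAMPLE_OUTPUT = "\n".join(json.dumps(rec) for rec in [
    {"local_path": "/tmp/t1_lib.c", "type": "vulnerability",
     "vulnerability": {"id": "CVE-2016-2177", "details": {"impact": _IMPACT_2177}}},
    {"local_path": "/src/ssl/s3_srvr.c", "type": "vulnerability",
     "vulnerability": {"id": "CVE-2016-2177", "details": {"impact": _IMPACT_2177}}},
    {"local_path": "/src/util/legacy.c", "type": "vulnerability",
     "vulnerability": {"id": "CVE-0000-0001", "details": {"impact": {
         "baseMetricV2": {"cvssV2": {"baseScore": 5.0}, "severity": "MEDIUM"}}}}},
]) + "\n"

SEVERITY_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_findings(text):
    """Parse one JSON object per line; keep only "vulnerability" records."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("type") == "vulnerability":
            findings.append(rec)
    return findings


def severity_of(rec):
    """CVSS v3 base severity if present, else the v2 severity, else UNKNOWN.

    CVSS v2 has no CRITICAL band, so a v2-only finding tops out at HIGH.
    """
    impact = rec["vulnerability"].get("details", {}).get("impact", {})
    v3 = impact.get("baseMetricV3", {}).get("cvssV3", {})
    if "baseSeverity" in v3:
        return v3["baseSeverity"].upper()
    v2 = impact.get("baseMetricV2", {})
    if "severity" in v2:
        return v2["severity"].upper()
    return "UNKNOWN"


def group_by_severity(findings):
    """{severity: {cve_id: sorted local paths}}, the Workbench overview layout."""
    grouped = defaultdict(lambda: defaultdict(set))
    for rec in findings:
        grouped[severity_of(rec)][rec["vulnerability"]["id"]].add(rec["local_path"])
    return {sev: {cve: sorted(paths) for cve, paths in cves.items()}
            for sev, cves in grouped.items()}


def blocking_findings(findings, threshold="HIGH"):
    """Records at or above `threshold`, plus any with no usable CVSS score.

    Unscored findings are included on purpose: a gate that passes a match
    because the feed lacked a CVSS vector fails in the wrong direction.
    """
    floor = SEVERITY_RANK[threshold.upper()]
    return [rec for rec in findings
            if SEVERITY_RANK.get(severity_of(rec), floor) >= floor]


def report(text, threshold="HIGH"):
    """Return (summary lines, exit code) for a CI step."""
    findings = parse_findings(text)
    grouped = group_by_severity(findings)
    lines = []
    # UNKNOWN (no rank) sorts first so unscored matches are not buried.
    for sev in sorted(grouped, key=lambda s: -SEVERITY_RANK.get(s, 5)):
        lines.append(f"{sev}:")
        for cve, paths in sorted(grouped[sev].items()):
            lines.append(f"  {cve}")
            lines.extend(f"    {path}" for path in paths)
    blocked = blocking_findings(findings, threshold)
    lines.append(f"{len(blocked)} finding(s) at or above {threshold}")
    return lines, (1 if blocked else 0)


if __name__ == "__main__":
    import sys
    # Real use: ./fossid-cli --vsf '/tmp/t1_lib.c' | python3 vsf_triage.py
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    summary, code = report(text)
    print("\n".join(summary))
    sys.exit(code)
```

Run with no stdin to see the constructed sample triaged; pipe real CLI output in to gate a build. The threshold is applied to the v3 severity when one exists, so a v2-only HIGH and a v3 CRITICAL both block at the default threshold, and a record with no score at all blocks rather than slipping through.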
Obtaining the snippet and highlighting
You can take the local highlight or remote highlight data from a match and have the CLI highlight it. First, extract the highlight information using the following command (head -1 selects the first match reported):
$ fossid-cli --vsf '/tmp/t1_lib.c' | head -1 | jq .snippet.local_highlight -rc
{"blocks":[{"byte_range":{"begin":39643,"end":39765},"char_range":{"begin":39643,"end":39765},"hash_range":{"begin":1017,"end":1022},"id":"12bff91f4092e0405ccbac07d92b155c"}],"encoding":"UTF-8","id":"37b03c7c0df744a1659a44cd06f6b0a3","pfm_format":2}
Use the highlight information (the output above) as input to fossid-cli via the --highlight-input command line argument:
$ fossid-cli --highlight '/tmp/t1_lib.c' --highlight-input '{"blocks":[{"byte_range":{"begin":39643,"end":39765},"char_range":{"begin":39643,"end":39765},"hash_range":{"begin":1017,"end":1022},"id":"12bff91f4092e0405ccbac07d92b155c"}],"encoding":"UTF-8","id":"37b03c7c0df744a1659a44cd06f6b0a3","pfm_format":2}'
[ ]#ifndef OPENSSL_NO_NEXTPROTONEG
[ ] s->s3->next_proto_neg_seen = 0;
[ ]#endif
[ ]
[ ]#ifndef OPENSSL_NO_HEARTBEATS
[ ] s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
[ ] SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
[===]#endif
[===]
[===] if (data >= (d+n-2))
[===] goto ri_check;
[===]
[===] n2s(data,length);
[===] if (data+length != d+n)
[===] {
[===] *al = SSL_AD_DECODE_ERROR;
[ ] return 0;
[ ] }
[ ]
[ ] while(data <= (d+n-4))
[ ] {
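The highlight object carries both a byte_range and a char_range for each block; they coincide in the output above only because nothing multi-byte precedes the match in t1_lib.c. The script below is an added example, not fossid-cli code, showing how such an object maps onto a file and why the two ranges can differ. It assumes, because the page does not document them, that ranges are 0-based and half-open (begin inclusive, end exclusive), that byte_range indexes raw bytes while char_range indexes characters decoded with the object's encoding, and that lines end in a newline; the source file and the highlight are constructed, and the hash_range and id values in it are placeholders the renderer never reads.

```python
"""Apply a VSF highlight object to the file it describes.

Added example, not fossid-cli code: marks every source line that intersects a
`byte_range` in a `local_highlight` object with [===] and the rest with [   ],
in the style of the --highlight output above. Assumptions (undocumented on
the page): 0-based half-open ranges, byte_range over raw bytes, char_range
over characters decoded with the object's `encoding`, newline-terminated lines.
"""
import bisect


def byte_to_char_offset(data, encoding, byte_offset):
    """Character offset for a byte offset; the two diverge as soon as any
    multi-byte character precedes the position."""
    return len(data[:byte_offset].decode(encoding))


# Constructed sample file (not OpenSSL source). The copyright sign is two
# bytes in UTF-8, so char offsets after line 1 are one less than byte offsets.
SAMPLE_SOURCE = (
    "/* \u00a9 constructed sample, not OpenSSL */\n"
    "int check(unsigned char *data, unsigned char *d, int n)\n"
    "{\n"
    "    if (data >= (d + n - 2))\n"
    "        goto ri_check;\n"
    "    return 1;\n"
    "}\n"
).encode("utf-8")

# Constructed highlight covering the `if` and `goto` lines, in the shape of the
# local_highlight object above. hash_range and ids are placeholders here.
_BEGIN = SAMPLE_SOURCE.index(b"    if (data")
_END = SAMPLE_SOURCE.index(b"goto ri_check;\n") + len(b"goto ri_check;\n")
SAMPLE_HIGHLIGHT = {
    "blocks": [{
        "byte_range": {"begin": _BEGIN, "end": _END},
        "char_range": {"begin": byte_to_char_offset(SAMPLE_SOURCE, "UTF-8", _BEGIN),
                       "end": byte_to_char_offset(SAMPLE_SOURCE, "UTF-8", _END)},
        "hash_range": {"begin": 0, "end": 0},
        "id": "constructed",
    }],
    "encoding": "UTF-8",
    "id": "constructed",
    "pfm_format": 2,
}


def _line_starts(data):
    """Byte offset at which every line begins (plus one past the last newline)."""
    return [0] + [i + 1 for i, b in enumerate(data) if b == 0x0A]


def marked_lines(data, highlight):
    """0-based indexes of the lines that overlap at least one byte_range."""
    starts = _line_starts(data)
    marked = set()
    for block in highlight["blocks"]:
        begin, end = block["byte_range"]["begin"], block["byte_range"]["end"]
        if end <= begin:            # an empty range marks nothing
            continue
        first = bisect.bisect_right(starts, begin) - 1
        last = bisect.bisect_right(starts, end - 1) - 1
        marked.update(range(first, last + 1))
    return marked


def render(data, highlight):
    """Return the file's lines prefixed with [===] (matched) or [   ]."""
    marked = marked_lines(data, highlight)
    encoding = highlight.get("encoding", "UTF-8")
    raw_lines = data.split(b"\n")
    if data.endswith(b"\n"):
        raw_lines.pop()             # no phantom empty line after the final newline
    return [("[===]" if i in marked else "[   ]") + line.decode(encoding)
            for i, line in enumerate(raw_lines)]


if __name__ == "__main__":
    # Real use: pass the scanned file's bytes and the parsed output of
    # `jq .snippet.local_highlight` instead of the constructed sample.
    print("\n".join(render(SAMPLE_SOURCE, SAMPLE_HIGHLIGHT)))
```

Because the sample's first line contains a two-byte character, its char_range begins one position before its byte_range; reading the wrong range when slicing a file is an easy way to report a highlight that is off by the width of every multi-byte character above it, so pick the range that matches the representation you are indexing.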