diff --git a/README.ja.md b/README.ja.md
index 74c7ea4230..6eae94e32f 100644
--- a/README.ja.md
+++ b/README.ja.md
@@ -568,8 +568,8 @@ Prepareサブコマンドは、Vuls内部で利用する以下のパッケージ
 |:------------|-------------------:|:-------------|
 | Ubuntu | 12, 14, 16| - |
 | Debian | 7, 8| aptitude |
-| CentOS | 5| yum-plugin-security, yum-changelog |
-| CentOS | 6, 7| yum-plugin-security, yum-plugin-changelog |
+| CentOS | 5| yum-changelog |
+| CentOS | 6, 7| yum-plugin-changelog |
 | Amazon | All | - |
 | RHEL | 4, 5, 6, 7 | - |
 | FreeBSD | 10 | - |
@@ -588,8 +588,6 @@ prepare
     /path/to/toml (default "$PWD/config.toml")
   -debug
     debug mode
-  -use-unattended-upgrades
-    [Deprecated] For Ubuntu, install unattended-upgrades
 ```
 ----
@@ -672,11 +670,6 @@ scan:
     Write report to text files ($PWD/results/current)
   -ssh-external
     Use external ssh command. Default: Use the Go native implementation
-  -use-unattended-upgrades
-    [Deprecated] For Ubuntu. Scan by unattended-upgrades or not (use apt-get upgrade --dry-run by default)
-  -use-yum-plugin-security
-    [Deprecated] For CentOS 5. Scan by yum-plugin-security or not (use yum check-update by default)
-
 ```
 ## -ssh-external option
diff --git a/commands/prepare.go b/commands/prepare.go
index 43b392031c..1053da97e3 100644
--- a/commands/prepare.go
+++ b/commands/prepare.go
@@ -37,8 +37,6 @@ type PrepareCmd struct {
 	askSudoPassword bool
 	askKeyPassword bool
-
-	useUnattendedUpgrades bool
 }
 // Name return subcommand name
@@ -46,7 +44,6 @@ func (*PrepareCmd) Name() string { return "prepare" }
 // Synopsis return synopsis
 func (*PrepareCmd) Synopsis() string {
-	// return "Install packages Ubuntu: unattended-upgrade, CentOS: yum-plugin-security)"
 	return `Install required packages to scan.
 		CentOS: yum-plugin-security, yum-plugin-changelog
 		Amazon: None
@@ -91,13 +88,6 @@ func (p *PrepareCmd) SetFlags(f *flag.FlagSet) {
 		false,
 		"[Deprecated] THIS OPTION WAS REMOVED FOR SECURITY REASON. Define NOPASSWD in /etc/sudoers on tareget servers and use SSH key-based authentication",
 	)
-
-	f.BoolVar(
-		&p.useUnattendedUpgrades,
-		"use-unattended-upgrades",
-		false,
-		"[Deprecated] For Ubuntu, install unattended-upgrades",
-	)
 }
 // Execute execute
@@ -143,7 +133,6 @@ func (p *PrepareCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interface{
 	}
 	c.Conf.Debug = p.debug
-	c.Conf.UseUnattendedUpgrades = p.useUnattendedUpgrades
 	// Set up custom logger
 	logger := util.NewCustomLogger(c.ServerInfo{})
diff --git a/commands/scan.go b/commands/scan.go
index a2036138b8..8d87d05062 100644
--- a/commands/scan.go
+++ b/commands/scan.go
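Review bot: The Synopsis string on the new side still advertises `CentOS: yum-plugin-security, yum-plugin-changelog`, while this same commit deletes installYumPluginSecurity from scan/redhat.go and drops the package from both README tables, so the prepare help text now promises a package that prepare no longer installs. The hunk removes the stale commented-out line above the raw string but leaves the live line two lines below it untouched; it should read `CentOS: yum-plugin-changelog` (with yum-changelog on CentOS 5 if the list is meant to match install()). The raw string and the Synopsis body continue past the end of the hunk.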
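Review bot: Deleting the `use-unattended-upgrades` flag outright is inconsistent with the flag registered just above it in the same SetFlags, which stays defined as a no-op carrying a "[Deprecated] THIS OPTION WAS REMOVED ..." message; flag.FlagSet.Parse reports "flag provided but not defined" for unknown flags, so any existing invocation that still passes `-use-unattended-upgrades` now fails to parse instead of being ignored. If that break is intended, fine, but following the retained flag's pattern for one release would give scripted users a warning instead of a failure, e.g. `var ignored bool` and `f.BoolVar(&ignored, "use-unattended-upgrades", false, "[Deprecated] THIS OPTION WAS REMOVED. unattended-upgrades is no longer used")`. The same applies to both flags removed from ScanCmd.SetFlags in commands/scan.go.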
@@ -71,9 +71,6 @@ type ScanCmd struct {
 	azureKey string
 	azureContainer string
-	useYumPluginSecurity bool
-	useUnattendedUpgrades bool
-
 	sshExternal bool
 }
@@ -212,21 +209,6 @@ func (p *ScanCmd) SetFlags(f *flag.FlagSet) {
 		false,
 		"[Deprecated] THIS OPTION WAS REMOVED FOR SECURITY REASONS. Define NOPASSWD in /etc/sudoers on tareget servers and use SSH key-based authentication",
 	)
-
-	f.BoolVar(
-		&p.useYumPluginSecurity,
-		"use-yum-plugin-security",
-		false,
-		"[Deprecated] For CentOS 5. Scan by yum-plugin-security or not (use yum check-update by default)",
-	)
-
-	f.BoolVar(
-		&p.useUnattendedUpgrades,
-		"use-unattended-upgrades",
-		false,
-		"[Deprecated] For Ubuntu. Scan by unattended-upgrades or not (use apt-get upgrade --dry-run by default)",
-	)
-
 }
 // Execute execute
@@ -362,8 +344,6 @@ func (p *ScanCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interface{})
 	c.Conf.IgnoreUnscoredCves = p.ignoreUnscoredCves
 	c.Conf.SSHExternal = p.sshExternal
 	c.Conf.HTTPProxy = p.httpProxy
-	c.Conf.UseYumPluginSecurity = p.useYumPluginSecurity
-	c.Conf.UseUnattendedUpgrades = p.useUnattendedUpgrades
 	Log.Info("Validating Config...")
 	if !c.Conf.Validate() {
diff --git a/config/config.go b/config/config.go
index 39e690d0d5..13c6e67747 100644
--- a/config/config.go
+++ b/config/config.go
@@ -60,8 +60,6 @@ type Config struct {
 	// CpeNames []string
 	// SummaryMode bool
-	UseYumPluginSecurity bool
-	UseUnattendedUpgrades bool
 }
 // Validate configuration
diff --git a/scan/debian.go b/scan/debian.go
index 52e6161d51..e352ea03c2 100644
--- a/scan/debian.go
+++ b/scan/debian.go
@@ -124,7 +124,6 @@ func (o *debian) checkIfSudoNoPasswd() error {
 }
 func (o *debian) install() error {
-	// apt-get update
 	o.log.Infof("apt-get update...")
 	cmd := util.PrependProxyEnv("apt-get update")
@@ -144,27 +143,6 @@ func (o *debian) install() error {
 		}
 		o.log.Infof("Installed: aptitude")
 	}
-
-	// install unattended-upgrades
-	if !config.Conf.UseUnattendedUpgrades {
-		return nil
-	}
-
-	if r := o.ssh("type unattended-upgrade", noSudo); r.isSuccess() {
-		o.log.Infof(
-			"Ignored: unattended-upgrade already installed")
-		return nil
-	}
-
-	cmd = util.PrependProxyEnv(
-		"apt-get install --force-yes -y unattended-upgrades")
-	if r := o.ssh(cmd, sudo); !r.isSuccess() {
-		msg := fmt.Sprintf("Failed to SSH: %s", r)
-		o.log.Errorf(msg)
-		return fmt.Errorf(msg)
-	}
-
-	o.log.Infof("Installed: unattended-upgrades")
 	return nil
 }
@@ -229,9 +207,7 @@ func (o *debian) parseScannedPackagesLine(line string) (name, version string, er
 	return "", "", fmt.Errorf("Unknown format: %s", line)
 }
-// unattended-upgrade command need to check security upgrades).
 func (o *debian) checkRequiredPackagesInstalled() error {
-
 	if o.Family == "debian" {
 		if r := o.ssh("test -f /usr/bin/aptitude", noSudo); !r.isSuccess() {
 			msg := fmt.Sprintf("aptitude is not installed: %s", r)
@@ -239,16 +215,6 @@ func (o *debian) checkRequiredPackagesInstalled() error {
 			return fmt.Errorf(msg)
 		}
 	}
-
-	if !config.Conf.UseUnattendedUpgrades {
-		return nil
-	}
-
-	if r := o.ssh("type unattended-upgrade", noSudo); !r.isSuccess() {
-		msg := fmt.Sprintf("unattended-upgrade is not installed: %s", r)
-		o.log.Errorf(msg)
-		return fmt.Errorf(msg)
-	}
 	return nil
 }
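Review bot: With the stray `// unattended-upgrade command need to check security upgrades).` line removed, checkRequiredPackagesInstalled is left with no doc comment at all, and after the second removal in this file the only check that remains (test -f /usr/bin/aptitude when o.Family == "debian", then an unconditional return nil) is easy to miss. Suggest replacing the deleted line with `// checkRequiredPackagesInstalled verifies that aptitude is present on Debian hosts; nothing is checked for other families.` The function body is split across this hunk and the following one (@@ -239).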
@@ -260,18 +226,9 @@ func (o *debian) scanUnsecurePackages(packs []models.PackageInfo) ([]CvePacksInf
 		return nil, fmt.Errorf("Failed to SSH: %s", r)
 	}
-	var upgradablePackNames []string
-	var err error
-	if config.Conf.UseUnattendedUpgrades {
-		upgradablePackNames, err = o.GetUnsecurePackNamesUsingUnattendedUpgrades()
-		if err != nil {
-			return []CvePacksInfo{}, err
-		}
-	} else {
-		upgradablePackNames, err = o.GetUpgradablePackNames()
-		if err != nil {
-			return []CvePacksInfo{}, err
-		}
+	upgradablePackNames, err := o.GetUpgradablePackNames()
+	if err != nil {
+		return []CvePacksInfo{}, err
 	}
 	// Convert package name to PackageInfo struct
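Review bot: The new error path returns `[]CvePacksInfo{}, err` while the SSH failure a few lines above returns `nil, fmt.Errorf(...)`; the slice carries no meaning when the error is non-nil, so `return nil, err` keeps the function consistent with itself and with the Go convention. The `:=` on the new line is only safe if no `err` is already declared earlier in scanUnsecurePackages, whose start lies outside the hunk — the removed `var err error` suggests there was none, but it is worth confirming since a shadowed outer err would silently be dropped. Separately, the removals in this file delete every visible use of config.Conf and of strconv (in the deleted GetUnsecurePackNamesUsingUnattendedUpgrades); if no other use remains, the import block, which is outside the diff, must be trimmed or the package will not compile.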
@@ -358,42 +315,6 @@ func (o *debian) fillCandidateVersion(packs []models.PackageInfo) ([]models.Pack
 	return result, nil
 }
-func (o *debian) GetUnsecurePackNamesUsingUnattendedUpgrades() (packNames []string, err error) {
-	cmd := util.PrependProxyEnv("unattended-upgrades --dry-run -d 2>&1 ")
-	release, err := strconv.ParseFloat(o.Release, 64)
-	if err != nil {
-		return packNames, fmt.Errorf(
-			"OS Release Version is invalid, %s, %s", o.Family, o.Release)
-	}
-	switch {
-	case release < 12:
-		return packNames, fmt.Errorf(
-			"Support expired. %s, %s", o.Family, o.Release)
-
-	case 12 < release && release < 14:
-		cmd += `| grep 'pkgs that look like they should be upgraded:' |
-		sed -e 's/pkgs that look like they should be upgraded://g'`
-
-	case 14 < release:
-		cmd += `| grep 'Packages that will be upgraded:' |
-		sed -e 's/Packages that will be upgraded://g'`
-
-	default:
-		return packNames, fmt.Errorf(
-			"Not supported yet. %s, %s", o.Family, o.Release)
-	}
-
-	r := o.ssh(cmd, sudo)
-	if r.isSuccess(0, 1) {
-		packNames = strings.Split(strings.TrimSpace(r.Stdout), " ")
-		return packNames, nil
-	}
-
-	return packNames, fmt.Errorf(
-		"Failed to %s. status: %d, stdout: %s, stderr: %s",
-		cmd, r.ExitStatus, r.Stdout, r.Stderr)
-}
-
 func (o *debian) GetUpgradablePackNames() (packNames []string, err error) {
 	cmd := util.PrependProxyEnv("LANG=en_US.UTF-8 apt-get upgrade --dry-run")
 	r := o.ssh(cmd, sudo)
diff --git a/scan/redhat.go b/scan/redhat.go
index 4006dae405..fb5b0a981d 100644
--- a/scan/redhat.go
+++ b/scan/redhat.go
@@ -108,41 +108,21 @@ func (o *redhat) checkIfSudoNoPasswd() error {
 	return nil
 }
-// CentOS 5 ... yum-plugin-security, yum-changelog
-// CentOS 6 ... yum-plugin-security, yum-plugin-changelog
-// CentOS 7 ... yum-plugin-security, yum-plugin-changelog
+// CentOS 5 ... yum-changelog
+// CentOS 6 ... yum-plugin-changelog
+// CentOS 7 ... yum-plugin-changelog
 // RHEL, Amazon ... no additinal packages needed
 func (o *redhat) install() error {
-
 	switch o.Family {
 	case "rhel", "amazon":
 		o.log.Infof("Nothing to do")
 		return nil
 	}
-
-	if err := o.installYumPluginSecurity(); err != nil {
-		return err
-	}
+	// CentOS
 	return o.installYumChangelog()
 }
-func (o *redhat) installYumPluginSecurity() error {
-
-	if r := o.ssh("rpm -q yum-plugin-security", noSudo); r.isSuccess() {
-		o.log.Infof("Ignored: yum-plugin-security already installed")
-		return nil
-	}
-
-	o.log.Info("Installing yum-plugin-security...")
-	cmd := util.PrependProxyEnv("yum install -y yum-plugin-security")
-	if r := o.ssh(cmd, sudo); !r.isSuccess() {
-		return fmt.Errorf("Failed to SSH: %s", r)
-	}
-	return nil
-}
-
 func (o *redhat) installYumChangelog() error {
-
 	if o.Family == "centos" {
 		var majorVersion int
 		if 0 < len(o.Release) {
@@ -177,20 +157,6 @@ func (o *redhat) installYumChangelog() error {
 }
 func (o *redhat) checkRequiredPackagesInstalled() error {
-	if config.Conf.UseYumPluginSecurity {
-		// check if yum-plugin-security is installed.
-		// Amazon Linux, REHL can execute 'yum updateinfo --security updates' without yum-plugin-security
-		if o.Family == "centos" {
-			cmd := "rpm -q yum-plugin-security"
-			if r := o.ssh(cmd, noSudo); !r.isSuccess() {
-				msg := "yum-plugin-security is not installed"
-				o.log.Errorf(msg)
-				return fmt.Errorf(msg)
-			}
-		}
-		return nil
-	}
-
 	if o.Family == "centos" {
 		var majorVersion int
 		if 0 < len(o.Release) {
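Review bot: The rewritten comment block above install is a per-release package table rather than a Go doc comment, so godoc shows it without a lead sentence naming the function, and the "additinal" typo on the context line survives beside the three new lines. A form that keeps the same information is `// install installs the packages Vuls needs on the target: yum-changelog on CentOS 5 and yum-plugin-changelog on CentOS 6/7; RHEL and Amazon need no additional packages.` The added `// CentOS` before the final return is also slightly misleading, since the switch only returns early for rhel and amazon and every other family reaches installYumChangelog, which re-checks for centos itself; `// anything else is expected to be CentOS` states what the code does. The checkRequiredPackagesInstalled body in the second hunk continues past the end of the hunk.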
@@ -274,7 +240,7 @@ func (o *redhat) parseScannedPackagesLine(line string) (models.PackageInfo, erro
 }
 func (o *redhat) scanUnsecurePackages() ([]CvePacksInfo, error) {
-	if o.Family != "centos" || config.Conf.UseYumPluginSecurity {
+	if o.Family != "centos" {
 		// Amazon, RHEL has yum updateinfo as default
 		// yum updateinfo can collenct vendor advisory information.
 		return o.scanUnsecurePackagesUsingYumPluginSecurity()
@@ -286,7 +252,6 @@ func (o *redhat) scanUnsecurePackages() ([]CvePacksInfo, error) {
 //TODO return whether already expired.
 func (o *redhat) scanUnsecurePackagesUsingYumCheckUpdate() (CvePacksList, error) {
-
 	cmd := "LANG=en_US.UTF-8 yum --color=never check-update"
 	r := o.ssh(util.PrependProxyEnv(cmd), sudo)
 	if !r.isSuccess(0, 100) {
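Review bot: After this commit nothing installs or checks yum-plugin-security any more, yet the non-CentOS branch on the new side still calls `scanUnsecurePackagesUsingYumPluginSecurity`, whose name now advertises a dependency the commit just removed; the two comment lines above the call say the path relies on the `yum updateinfo` that ships with RHEL and Amazon Linux. Renaming the callee to `scanUnsecurePackagesUsingYumUpdateinfo` (its definition is outside this hunk) or, at minimum, extending the comment to `// the plugin is no longer installed; this path uses the built-in updateinfo command` would stop the next reader from re-adding the plugin install. While the comment is being touched, "collenct" on the second line could become "collect".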