#general
Tao Jiang

12/13/2020, 2:36 PM
Hi, I built the osquery from the latest master branch on ubuntu and upload the built osqueryi for blackduck scanning. It has 4 critical and 27 high vulnerabilities. Most of them are due to outdated dependency libraries. Is there any plan to upgrade those libraries? Thanks!
zwass

12/13/2020, 6:04 PM
Can you link to or provide the CVE numbers for the high severity issues?
Tao Jiang

12/13/2020, 8:49 PM
osqueryi is for linux and osqueryd is for mac.
Mike Myers

12/15/2020, 7:19 PM
Tao Jiang

12/16/2020, 1:14 AM
Just did a fresh checkout and rebuild from master on mac a moment ago. Here are the issues.
Mike Myers

12/16/2020, 2:57 AM
the number of vulnerabilities went...up?
Tao Jiang

12/16/2020, 3:41 AM
It’s the same. https://github.com/osquery/osquery/pull/6804 was merged 3 days ago but sqlite3 still shows vulnerable.
zwass

12/16/2020, 5:01 PM
Perhaps your scanner has some issue there... 3.34.0 fixes many (all?) of the listed sqlite vulns according to NVD.
Mike Myers

12/16/2020, 6:08 PM
yea, 3.4.2 is not the version of sqlite we build with but Sleuthkit might still be building with that old version
6:08 PM
so the ntfs forensics and disk information tables in particular
6:13 PM
Does Blackduck pick up version strings in the compiled binary? Or from source?
Atisha Caprice Starnes

12/28/2020, 10:42 AM
Godet Metric
Mike Myers

12/28/2020, 11:35 PM
Stefano seems to have now removed the use of the outdated sqlite3 from within sleuthkit
Tao Jiang

01/04/2021, 2:20 PM
Just did a fresh checkout and build on master branch. Issues remain.
Mike Myers

01/04/2021, 2:26 PM
We're building with sqlite 3.34.0 according to this submodule https://github.com/osquery/osquery/tree/master/libraries/cmake/source/sqlite We removed sqlite3 from the dependency chain of sleuthkit. https://github.com/osquery/osquery/pull/6858 How do we find other sqlite3 uses?
Stefano Bonicatti

01/04/2021, 2:37 PM
Which by the way those were only header usages, and sqlite version was 3.8.11.1
2:38 PM
but also, if Black Duck scans all the source it will always find false positives, because not all source is compiled. I've never used the software/I don't know how intelligent it is, but we would need to know what is doing and what is scanning.
3:00 PM
the .csv seems to be saying that what has been scanned is the binary. In any case, the other versions of sqlite we have in the source (but we don't compile), is sleuthkit and berkeley-db. None of them is version 3.4.2. Also grepping for "sqlite3_" doesn't show functions defined outside of the ones we already know (the correct one, the berkeley db ones, the sleuthkit ones).
Tao Jiang

01/05/2021, 12:47 AM
I just scanned osquery downloads from https://osquery.io/downloads/official/4.6.0. Looks like windows version has majority of security issues fixed. macOS still has some issues.
Mike Myers

01/05/2021, 6:07 PM
I was talking with Stefano and it looks like lz4 is unnecessarily compiled in with libarchive, and we can just omit it with some change to the CMake
5:27 PM
@Tao Jiang I just merged a PR that should remove lz4 completely (it was not used before, but it ought to not appear in your report now)