Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
t
Tao Jiang
12/13/2020, 2:36 PMHi, I built the osquery from the latest master branch on ubuntu and upload the built osqueryi for blackduck scanning. It has 4 critical and 27 high vulnerabilities. Most of them are due to outdated dependency libraries. Is there any plan to upgrade those libraries? Thanks!
z
zwass
12/13/2020, 6:04 PMCan you link to or provide the CVE numbers for the high severity issues?
t
Tao Jiang
12/13/2020, 8:49 PMosqeryi is for linux and osuqeryd is for mac.
m
Mike Myers
12/15/2020, 7:19 PMI think you'll see some or all of these updated in 4.6, https://github.com/osquery/osquery/pull/6786/
https://github.com/osquery/osquery/pull/6804
t
Tao Jiang
12/16/2020, 1:14 AMJust did a fresh checkout and rebuild from master on mac a moment ago. Here are the issues.
m
Mike Myers
12/16/2020, 2:57 AMthe number of vulnerabilities went...up?
t
Tao Jiang
12/16/2020, 3:41 AMIt’s the same. https://github.com/osquery/osquery/pull/6804 was merged 3 days ago but sqlite3 still shows vulnerable.
z
zwass
12/16/2020, 5:01 PMPerhaps your scanner has some issue there... 3.34.0 fixes many (all?) of the listed sqlite vulns according to NVD.
m
Mike Myers
12/16/2020, 6:08 PMyea, 3.4.2 is not the version of sqlite we build with but Sleuthkit might still be building with that old version
so the ntfs forensics and disk information tables in particular
Does Blackduck pick up version strings in the compiled binary? Or from source?
a
Atisha Caprice Starnes
12/28/2020, 10:42 AMGodet Metric
m
Mike Myers
12/28/2020, 11:35 PM☝️ Stefano seems to have now removed the use of the outdated sqlite3 from within sleuthkit
t
Tao Jiang
01/04/2021, 2:20 PMJust did a fresh checkout and build on mater branch. Issues remain.
m
Mike Myers
01/04/2021, 2:26 PMWe're building with sqlite 3.34.0 according to this submodule https://github.com/osquery/osquery/tree/master/libraries/cmake/source/sqlite
We removed sqlite3 from the dependency chain of sleuthkit. https://github.com/osquery/osquery/pull/6858
How do we find other sqlite3 uses?
s
Stefano Bonicatti
01/04/2021, 2:37 PMWhich by the way those were ony header usages, and sqlite version was 3.8.11.1
but also, if Black Duck scans all the source it will always find false positives, because not all source is compiled.
I've never used the software/I don't know how intelligent it is, but we would need to know what is doing and what is scanning.
the .csv seems to be saying that what has been scanned is the binary.
In any case, the other versions of sqlite we have in the source (but we don't compile), is sleuthkit and berkeley-db. None of them is version 3.4.2.
Also grepping for "sqlite3_" doesn't show functions defined outside of the ones we already know (the correct one, the berkeley db ones, the sleuthkit ones).
t
Tao Jiang
01/05/2021, 12:47 AMI just scanned osquery downloads from https://osquery.io/downloads/official/4.6.0. Looks like windows version has majority of security issues fixed. macOS still has some issues.
m
Mike Myers
01/05/2021, 6:07 PMI was talking with Stefano and it looks like lz4 is unnecessarily compiled in with libarchive, and we can just omit it with some change to the CMake
@Tao Jiang I just merged a PR that should remove lz4 completely (it was not used before, but it ought to not appear in your report now)