
wennan.he

12/22/2022, 2:52 AM
Hi Osquery team, may I know whether all the libs under osquery/libraries/ are only used for building osquery, is that correct?

Mike Myers

12/22/2022, 2:53 AM
Do you want to know a complete list of them?
Yes, they are for building (statically linked) osquery

wennan.he

12/22/2022, 2:54 AM
Do you want to know a complete list of them? Can you offer it?

Mike Myers

12/22/2022, 2:54 AM
We have a list, just a moment

wennan.he

12/22/2022, 2:56 AM
The reason I am asking this question is because we are scanning the code of osquery for static code analysis, and we found there are a lot of warnings from libs under this folder. Can you make sure all the libs under this folder are only used for building? Because we can ignore these warnings if that is the case.

Mike Myers

12/22/2022, 3:01 AM
We recently set up our own monitoring of known CVEs for libraries, and so we are aware of many of them and have been delaying updating of some that are known not to affect osquery. Static analysis can sometimes be a false positive because it detects a library but doesn't know how much of it is used or in what way.
So, we have a new workflow where we address every known CVE with our rationale for why it does or does not impact osquery. https://github.com/osquery/osquery/issues?q=is%3Aissue+label%3Acve
The issues are closed when we have either provided an analysis on the issue and told our monitoring script to ignore it for now, or, when we have updated the affected library.

Stefano Bonicatti

12/22/2022, 10:23 AM
I’m curious though @wennan.he what you mean by “only used for building”, as opposed to what? Those are third party libraries that are linked against the osquery binary to provide core functionality and table functionality. The osquery community doesn’t develop them/maintain them, apart from one that comes from ToB (ebpfpub).
And for completeness' sake, in some cases there are some patches prepared by us, due to the fact that some libraries do not expect to be used outside of the CLI executable they were written for, or osquery needs a behavior that was not properly supported. They attempt to be very minor.

seph

12/22/2022, 2:28 PM
They are used to build, linked in, and the result is run.

wennan.he

12/22/2022, 6:01 PM
@Stefano Bonicatti I messed it up, I just thought they were only tools used for building, and yes, they are included in the package.
Hi guys, may I know what tools you use to scan the code of osquery?

Mike Myers

12/23/2022, 5:17 AM
We don't scan the code itself; we have a CI job to check a public database for any news on a list of topics called CPEs that correspond to the manually created list of libraries (the manifest).

wennan.he

12/23/2022, 5:38 AM
I don't get it
You mean the CVE is created manually?

Stefano Bonicatti

12/23/2022, 10:29 AM
No, we search for CVEs of the third party libraries we use on the NVD database, using the information in the libraries manifest that we update manually (https://github.com/osquery/osquery/blob/master/libraries/third_party_libraries_manifest.json), to create a query using the CPE format.
For the CPE one needs the vendor, the product and the version, so let's say we want to search for CVEs of libmagic, that becomes
cpe:2.3:a:file_project:file:5.40:*:*:*:*:*:*:*
When a CVE is created (by the NIST on their database) it is “linked” to a (single or series, depending on how many versions are affected) product CPE.

wennan.he

12/23/2022, 8:15 PM
OK, so what third party does osquery leverage?

Stefano Bonicatti

12/23/2022, 11:42 PM
Third party … libraries? The list is the one provided previously by Mike, and it’s basically the same you can find under the libraries/cmake/source folder (+ openssl which is in libraries/cmake/formula).
If that’s not what you’re asking, you need to be more specific.

Mike Myers

12/24/2022, 5:47 PM
I think we were having a miscommunication, but, to be clear, the libraries in osquery/libraries in the source tree (that are git submodules, and populated during the 'configure' step of the build) are built into the compiled osquery. Because osquery only uses some of the functionality of each library, sometimes only part of the library's source code is built into osquery. This is one reason that static analysis can indicate a CVE in the libraries in the source tree, but it is not present in osquery. Another reason is that osquery doesn't use the library in a way that would ever be impacted by the vulnerability. For instance, a compression library like zlib that has a vulnerability in compression, but osquery only ever uses it to decompress and would not be affected. Or vice versa.

wennan.he

12/25/2022, 5:25 AM
That makes sense, and one more question: why NVD? How could you be confident this is the most comprehensive data source of CVEs?

Mike Myers

12/29/2022, 6:06 AM
We evaluated several vulnerability knowledge repositories, and chose this one. If a vulnerability has a CVE, we are confident it will be published at the NVD. For vulnerabilities without a CVE, they are effectively unknown and there is nothing we can track. For libraries without a CPE, if there are any, then NVD will not work well to track CVEs in those libraries. Did you have a different database in mind to suggest?

wennan.he

12/29/2022, 6:44 PM
I don't have any more.