Assess Vulnerabilities and Misconfigurations in CICD Pipelines: Part 2

Document created by Sean Nicholson Employee on Apr 23, 2020

This document is a continuation of Assess Vulnerabilities and Misconfigurations in CICD Pipelines: Part 2

 

Parse Scan Results 

Get list of QIDs 

To obtain scan results via the Qualys API, you can query the Scans API endpoint, the Host Detection API endpoint, or the Reports API endpoint. This example queries the Scans API endpoint, since the previous steps already provide all the information needed to call it and it does not have to wait on much backend processing of the results.

Query for the list of results using the output_format=json_extended option to retrieve the scan results with the vulnerability information included in each finding. The vulnerability findings start at the third item of the returned list of JSON objects. Iterate over the list and capture the QID, Severity, related CVSS information, and additional threat information. If you choose output_format=json instead, use the QID to query the Qualys Knowledge Base for additional information on each QID; an example of this is covered in the next section.

Required headers: 

  • Accept: text/xml 
  • Content-Type: text/xml 
  • X-Requested-With: Curl 

Body Parameters 

Request:

  • action=fetch (required), echo_request 
  • output_format={csv|json|csv_extended|json_extended} (optional). Specify whether to return scan results in JSON or CSV. Default: results returned as CSV. The example query uses output_format=json_extended. 

Scan List Filters:

  • scan_ref: the example query uses scan_ref=scan/1234567890.12345 
  • mode={brief|extended}: the verbosity of the scan results details, brief (the default) or extended. The brief output includes this information: IP address, DNS hostname, NetBIOS hostname, QID and scan test results if applicable. The extended output includes the brief output plus this extended information: protocol, port, an SSL flag ("yes" is returned when SSL was used for the detection, "no" is returned when SSL was not used), and FQDN if applicable. The example query uses mode=extended. 

Information on running scans using the Qualys API can be found in the Qualys API VM & PC User Guide, Chapter 3 - Scans. 

Example API Call 

(QualysPlatformURL)/api/2.0/fo/scan/?action=fetch&scan_ref=scan/1234567890.12345&mode=extended&output_format=json_extended 

Example Response  

Example finding for output_format=json&mode=extended. The JSON is returned as a list: [{scan info}, {ip info}, {finding 1}, {finding 2}, …, {scan and host summary}], so the findings run from the third item to the second-to-last item. 

[{"ip":"1.2.3.4","dns":"ec2-1-2-3-4.us-east-2.compute.amazonaws.com","netbios":null,"qid":6,"instance":null,"result":"IP address\tHost name\n1.2.3.4\tec2-1-2-3-4.us-east-2.compute.amazonaws.com"} 

 

Example finding for output_format=json_extended&mode=extended. The JSON is returned as a list: [{scan info}, {ip info}, {finding 1}, {finding 2}, …, {scan and host summary}], so the findings run from the third item to the second-to-last item. 

{"ip":"1.2.3.4","dns":" ec2-1-2-3-4.us-east-2.compute.amazonaws.com ","netbios":null,"os":"Linux 2.6","ip_status":"host scanned, found vuln","qid":82040,"title":"ICMP Replies Received","type":"Ig","severity":"1","port":"","protocol":"","fqdn":"","ssl":"no","cve_id":null,"vendor_reference":null,"bugtraq_id":null,"cvss_base":null,"cvss_temporal":null,"cvss3_base":null,"cvss3_temporal":null,"threat":"ICMP (Internet Control and Error Message Protocol) is a protocol encapsulated in IP packets. ICMP's principal purpose is to provide a protocol layer that informs gateways of the inter-connectivity and accessibility of other gateways or hosts. \r\n \r\nWe have sent the following types of packets to trigger the host to send us ICMP replies: \r\n \r\nEcho Request (to trigger Echo Reply) \r\nTimestamp Request (to trigger Timestamp Reply) \r\nAddress Mask Request (to trigger Address Mask Reply) \r\nUDP Packet (to trigger Port Unreachable Reply) \r\nIP Packet with Protocol>= 250 (to trigger Protocol Unreachable Reply)\r\n \r\nListed in the \"Result\" section are the ICMP replies that we have received.","impact":null,"solution":null,"exploitability":null,"associated_malware":null,"results":"ICMP Reply Type\tTriggered By\tAdditional Information\nEcho (type=0 code=0)\tEcho Request\tEcho Reply\nTime Stamp (type=14 code=0)\tTime Stamp Request\t17:43:24 GMT\nUnreachable (type=3 code=3)\tUDP Port 1\tPort Unreachable\nUnreachable (type=3 code=3)\tUDP Port 18354\tPort Unreachable\nUnreachable (type=3 code=3)\tUDP Port 5060\tPort Unreachable\nUnreachable (type=3 code=3)\tUDP Port 11000\tPort Unreachable\nUnreachable (type=3 code=3)\tUDP Port 2001\tPort Unreachable\nUnreachable (type=3 code=3)\tUDP Port 6912\tPort Unreachable\nUnreachable (type=3 code=3)\tUDP Port 464\tPort Unreachable\nUnreachable (type=3 code=3)\tUDP Port 7300\tPort Unreachable\nUnreachable (type=3 code=3)\tUDP Port 1812\tPort Unreachable\nUnreachable (type=3 code=3)\tUDP Port 52352\tPort Unreachable","pci_vuln":"no","instance":null,"os_cpe":null,"category":"TCP\/IP"} 
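The parse-and-gate step described above, as an added example that is not part of the original document or of any Qualys SDK. It walks a json_extended response list, keeps only the objects that carry a qid (rather than trusting the [2:-1] slice blindly), normalizes the string-typed severity and CVSS fields, and applies a configurable high-water-mark gate. The sample response is constructed: the ICMP finding mirrors the page's sample, the scan-info, ip-info and summary objects use placeholder keys, QID 999999 with CVE-YYYY-NNNN is a made-up critical finding, and the "Vuln" type value and the comma-separated cve_id format are assumptions.

```python
import json

# Constructed sample (not real API output) in the list layout the page describes for
# output_format=json_extended&mode=extended:
#   [ {scan info}, {ip info}, {finding 1}, ..., {finding N}, {scan and host summary} ]
# Finding keys follow the page's sample finding; scan-info, ip-info and summary objects
# use placeholder keys, and QID 999999 / CVE-YYYY-NNNN is a made-up critical finding.
SAMPLE_SCAN_RESULTS = json.dumps([
    {"reference": "scan/1234567890.12345", "status": "FINISHED"},   # scan info (placeholder keys)
    {"target": "1.2.3.4"},                                           # ip info (placeholder keys)
    {"ip": "1.2.3.4", "dns": "ec2-1-2-3-4.us-east-2.compute.amazonaws.com",
     "netbios": None, "os": "Linux 2.6", "ip_status": "host scanned, found vuln",
     "qid": 82040, "title": "ICMP Replies Received", "type": "Ig", "severity": "1",
     "port": "", "protocol": "", "fqdn": "", "ssl": "no", "cve_id": None,
     "cvss_base": None, "cvss3_base": None, "pci_vuln": "no", "category": "TCP/IP"},
    {"ip": "1.2.3.4", "dns": "ec2-1-2-3-4.us-east-2.compute.amazonaws.com",
     "netbios": None, "os": "Linux 2.6", "ip_status": "host scanned, found vuln",
     "qid": 351425, "title": "Amazon Linux Security Advisory for openssl: ALAS-2018-1102",
     "type": "Vuln", "severity": "3", "port": "", "protocol": "", "fqdn": "", "ssl": "no",
     "cve_id": "CVE-2018-0495,CVE-2017-3735,CVE-2018-0739",   # comma-separated (assumed)
     "cvss_base": "5", "cvss3_base": "6.5", "pci_vuln": "yes", "category": "Amazon Linux"},
    {"ip": "1.2.3.4", "dns": "ec2-1-2-3-4.us-east-2.compute.amazonaws.com",
     "netbios": None, "os": "Linux 2.6", "ip_status": "host scanned, found vuln",
     "qid": 999999, "title": "Constructed placeholder critical finding", "type": "Vuln",
     "severity": "5", "port": "22", "protocol": "tcp", "fqdn": "", "ssl": "no",
     "cve_id": "CVE-YYYY-NNNN", "cvss_base": "10", "cvss3_base": "9.8",
     "pci_vuln": "yes", "category": "Placeholder"},
    {"total_hosts_scanned": 1, "hosts_with_vulns": 1},              # summary (placeholder keys)
])


def _to_float(value):
    """CVSS fields arrive as strings or null; convert to float or None."""
    if value in (None, ""):
        return None
    return float(value)


def parse_findings(raw_json):
    """Return only the finding objects from a json_extended response body.

    The page describes the layout as [scan info, ip info, findings..., summary], so the
    findings are items[2:-1]. Selecting on the presence of a "qid" key instead means a
    response with an extra or missing header object is not silently misread as a finding.
    """
    items = json.loads(raw_json)
    return [item for item in items if isinstance(item, dict) and "qid" in item]


def summarize(findings):
    """Reduce each finding to the fields the build gate needs, with severity as an int."""
    summary = []
    for f in findings:
        cves = f.get("cve_id") or ""          # assumed comma-separated, e.g. "CVE-A,CVE-B"
        summary.append({
            "qid": int(f["qid"]),
            "title": f.get("title") or "",
            "type": f.get("type") or "",      # "Ig" = information gathered (page sample);
                                              # "Vuln" for confirmed vulnerabilities is assumed
            "severity": int(f.get("severity") or 0),
            "cvss_base": _to_float(f.get("cvss_base")),
            "cvss3_base": _to_float(f.get("cvss3_base")),
            "cves": [c.strip() for c in cves.split(",") if c.strip()],
        })
    return summary


def evaluate_gate(summary, fail_severities=(4, 5), max_allowed=0, ignore_types=("Ig",)):
    """High-water-mark gate: fail when more than max_allowed findings at fail_severities
    remain. Start with (4, 5) and widen to (3, 4, 5) as the page's tips suggest.
    Information-gathered entries ("Ig") never count against the build.
    Returns (passed, offending findings sorted highest severity first).
    """
    offending = [s for s in summary
                 if s["severity"] in fail_severities and s["type"] not in ignore_types]
    offending.sort(key=lambda s: (-s["severity"], s["qid"]))
    return len(offending) <= max_allowed, offending


if __name__ == "__main__":
    passed, offending = evaluate_gate(summarize(parse_findings(SAMPLE_SCAN_RESULTS)))
    print("BUILD", "PASSED" if passed else "FAILED")
    for o in offending:
        print(f"  QID {o['qid']} sev {o['severity']} cvss3 {o['cvss3_base']}: {o['title']}")
```

In a pipeline the raw body would come from the fetch call shown above; the gate parameters are the knobs the Tips for Success section talks about, so widening the failure criteria later is a one-argument change rather than a rewrite.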

 

Querying the Qualys Knowledge Base 

To query the Qualys Knowledge Base API endpoint, submit a query with the body parameter ids=12345 or ids=12345,23456,34567 to return information on a single QID or a list of QIDs. Because this body parameter accepts a list, you can either iterate the list of QIDs detected in the scan results and make a single call per QID, or pass all the QIDs from the scan results at once and iterate the returned XML. Which approach to use depends on your own internal requirements and build failure logic gates. By submitting 

If you are failing a build on a single Severity 4 or 5 QID, you may choose to iterate the list of QIDs with one call to the Knowledge Base per QID and, if the severity is 4 or 5, fail the build. 

If you are failing a build on the total number of critical vulnerabilities, or on some other metric that looks at an average, median, or high-water mark, then returning the whole list of QIDs in a single query should be more efficient. 

The associated CVEs and CVSS scores for the QID are also included in the results when the body parameter details=Basic is used; these can also be used to decide whether to pass or fail a build. Example results are shown below. 

Required headers: 

  • Accept: text/xml 
  • Content-Type: text/xml 
  • X-Requested-With: Curl 

Body Parameters 

Request:

  • action=list (required), echo_request 

Details:

  • details={Basic|All|None} (optional). Show the requested amount of information for each vulnerability in the XML output. A valid value is: Basic (default), All, or None. Basic includes basic elements plus CVSS Base and Temporal scores. All includes all vulnerability details, including the Basic details. The example query uses details=Basic. 

QID:

  • ids: this parameter accepts a single QID or a list of QIDs, e.g. ids=351425 or ids=351425,156789,125674. The example query uses ids=351425. 

Information on this endpoint can be found in the Qualys API VM & PC User Guide, Chapter 4 – Scan Configuration. 

 

Example API Call 

(QualysPlatformURL)/api/2.0/fo/knowledge_base/vuln/?action=list&details=Basic&ids=351425 

Example Response 

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "https://QualysAPI-URL/api/2.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd">
<KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
    <RESPONSE>
        <DATETIME>2019-06-12T20:42:01Z</DATETIME>
        <VULN_LIST>
            <VULN>
                <QID>351425</QID>
                <VULN_TYPE>Vulnerability</VULN_TYPE>
                <SEVERITY_LEVEL>3</SEVERITY_LEVEL>
                <TITLE>
                    <![CDATA[Amazon Linux Security Advisory for openssl: ALAS-2018-1102]]>
                </TITLE>
                <CATEGORY>Amazon Linux</CATEGORY>
                <LAST_SERVICE_MODIFICATION_DATETIME>2018-12-12T09:38:57Z</LAST_SERVICE_MODIFICATION_DATETIME>
                <PUBLISHED_DATETIME>2018-12-12T09:38:57Z</PUBLISHED_DATETIME>
                <BUGTRAQ_LIST>
                    <BUGTRAQ>
                        <ID>
                            <![CDATA[103518]]>
                        </ID>
                        <URL>
                            <![CDATA[http://www.securityfocus.com/bid/103518]]>
                        </URL>
                    </BUGTRAQ>
                    <BUGTRAQ>
                        <ID>
                            <![CDATA[105609]]>
                        </ID>
                        <URL>
                            <![CDATA[http://www.securityfocus.com/bid/105609]]>
                        </URL>
                    </BUGTRAQ>
                    <BUGTRAQ>
                        <ID>
                            <![CDATA[100515]]>
                        </ID>
                        <URL>
                            <![CDATA[http://www.securityfocus.com/bid/100515]]>
                        </URL>
                    </BUGTRAQ>
                </BUGTRAQ_LIST>
                <PATCHABLE>1</PATCHABLE>
                <SOFTWARE_LIST>
                    <SOFTWARE>
                        <PRODUCT>
                            <![CDATA[openssl]]>
                        </PRODUCT>
                        <VENDOR>
                            <![CDATA[openssl]]>
                        </VENDOR>
                    </SOFTWARE>
                </SOFTWARE_LIST>
                <VENDOR_REFERENCE_LIST>
                    <VENDOR_REFERENCE>
                        <ID>
                            <![CDATA[ALAS-2018-1102]]>
                        </ID>
                        <URL>
                            <![CDATA[https://alas.aws.amazon.com/ALAS-2018-1102.html]]>
                        </URL>
                    </VENDOR_REFERENCE>
                </VENDOR_REFERENCE_LIST>
                <CVE_LIST>
                    <CVE>
                        <ID>
                            <![CDATA[CVE-2018-0495]]>
                        </ID>
                        <URL>
                            <![CDATA[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495]]>
                        </URL>
                    </CVE>
                    <CVE>
                        <ID>
                            <![CDATA[CVE-2017-3735]]>
                        </ID>
                        <URL>
                            <![CDATA[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3735]]>
                        </URL>
                    </CVE>
                    <CVE>
                        <ID>
                            <![CDATA[CVE-2018-0739]]>
                        </ID>
                        <URL>
                            <![CDATA[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0739]]>
                        </URL>
                    </CVE>
                </CVE_LIST>
                <DIAGNOSIS>
                    <![CDATA[Libgcrypt  allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.(<A HREF="https://access.redhat.com/security/cve/CVE-2018-0495" TARGET="_blank">CVE-2018-0495 </A>)</P><P>While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006.(<A HREF="https://access.redhat.com/security/cve/CVE-2017-3735" TARGET="_blank">CVE-2017-3735 </A>)</P><P>Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe.(<A HREF="https://access.redhat.com/security/cve/CVE-2018-0739" TARGET="_blank">CVE-2018-0739 </A>)</P>
]]>
                </DIAGNOSIS>
                <CONSEQUENCE>
                    <![CDATA[Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.]]>
                </CONSEQUENCE>
                <SOLUTION>
                    <![CDATA[Please refer to Amazon advisory <A HREF="https://alas.aws.amazon.com/ALAS-2018-1102.html" TARGET="_blank">ALAS-2018-1102</A> for affected packages and patching details, or update with your package manager.<P>Patch:<BR>
Following are links for downloading patches to fix the vulnerabilities:
<P><A HREF="https://alas.aws.amazon.com/ALAS-2018-1102.html" TARGET="_blank">ALAS-2018-1102: Amazon Linux (openssl (1.0.2k-16.146.amzn1) on i686)</A><P><A HREF="https://alas.aws.amazon.com/ALAS-2018-1102.html" TARGET="_blank">ALAS-2018-1102: Amazon Linux (openssl (1.0.2k-16.146.amzn1) on x86_64)</A><P><A HREF="https://alas.aws.amazon.com/ALAS-2018-1102.html" TARGET="_blank">ALAS-2018-1102: Amazon Linux (openssl (1.0.2k-16.146.amzn1) on src)</A>]]>
                </SOLUTION>
                <CVSS>
                    <BASE>5</BASE>
                    <TEMPORAL>3.7</TEMPORAL>
                    <VECTOR_STRING>CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C</VECTOR_STRING>
                </CVSS>
                <CVSS_V3>
                    <BASE>6.5</BASE>
                    <TEMPORAL>5.2</TEMPORAL>
                    <VECTOR_STRING>CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:U</VECTOR_STRING>
                </CVSS_V3>
                <PCI_FLAG>1</PCI_FLAG>
                <THREAT_INTELLIGENCE>
                    <THREAT_INTEL id="5">
                        <![CDATA[Easy_Exploit]]>
                    </THREAT_INTEL>
                </THREAT_INTELLIGENCE>
                <DISCOVERY>
                    <REMOTE>0</REMOTE>
                    <AUTH_TYPE_LIST>
                        <AUTH_TYPE>Unix</AUTH_TYPE>
                    </AUTH_TYPE_LIST>
                    <ADDITIONAL_INFO>Patch Available</ADDITIONAL_INFO>
                </DISCOVERY>
            </VULN>
        </VULN_LIST>
    </RESPONSE>
</KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
<!-- CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2019, Qualys, Inc. //-->

 

Implementation 

Part of the success criteria in using vulnerability scan results to pass or fail an image build requires the scan results to be available to the DevOps teams when a build fails.  Depending on your implementation, this can be done a variety of ways.  

Examples would be: 

  1. Create a scan report, store it in secure storage, and provide a link to it when the build fails. 
  2. Provide the list of vulnerability names, QIDs, and Severities in the build failure log. Optionally, include a list of CVE links as well, so the team knows what needs to be fixed to comply with your organization's security governance policies. This information can be found in the response to the Qualys QID Knowledge Base query. 
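An added example, not part of the original document or of any Qualys SDK, covering both the Knowledge Base query above and the build-log output described in this section: it builds the body parameters for one batched ids= call, parses the returned XML with the standard library, and turns the result into a pass/fail decision plus the log lines (name, QID, severity, CVE links) the failure message should carry. The sample XML is constructed and trimmed from the page's Knowledge Base response: QID 351425 keeps the page's values, while QID 999999 with CVE-YYYY-NNNN and its example.invalid URL is a made-up Severity 5 entry so the gate has something to fail on.

```python
import xml.etree.ElementTree as ET

# Constructed sample trimmed from the page's Knowledge Base response. QID 351425 keeps the
# page's values; QID 999999 (title, CVE-YYYY-NNNN, example.invalid URL) is a placeholder.
SAMPLE_KB_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2019-06-12T20:42:01Z</DATETIME>
    <VULN_LIST>
      <VULN>
        <QID>351425</QID>
        <VULN_TYPE>Vulnerability</VULN_TYPE>
        <SEVERITY_LEVEL>3</SEVERITY_LEVEL>
        <TITLE><![CDATA[Amazon Linux Security Advisory for openssl: ALAS-2018-1102]]></TITLE>
        <PATCHABLE>1</PATCHABLE>
        <CVE_LIST>
          <CVE><ID><![CDATA[CVE-2018-0495]]></ID><URL><![CDATA[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495]]></URL></CVE>
          <CVE><ID><![CDATA[CVE-2017-3735]]></ID><URL><![CDATA[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3735]]></URL></CVE>
          <CVE><ID><![CDATA[CVE-2018-0739]]></ID><URL><![CDATA[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0739]]></URL></CVE>
        </CVE_LIST>
        <CVSS><BASE>5</BASE><TEMPORAL>3.7</TEMPORAL></CVSS>
        <CVSS_V3><BASE>6.5</BASE><TEMPORAL>5.2</TEMPORAL></CVSS_V3>
        <PCI_FLAG>1</PCI_FLAG>
        <THREAT_INTELLIGENCE><THREAT_INTEL id="5"><![CDATA[Easy_Exploit]]></THREAT_INTEL></THREAT_INTELLIGENCE>
      </VULN>
      <VULN>
        <QID>999999</QID>
        <VULN_TYPE>Vulnerability</VULN_TYPE>
        <SEVERITY_LEVEL>5</SEVERITY_LEVEL>
        <TITLE><![CDATA[Constructed placeholder critical finding]]></TITLE>
        <PATCHABLE>1</PATCHABLE>
        <CVE_LIST>
          <CVE><ID><![CDATA[CVE-YYYY-NNNN]]></ID><URL><![CDATA[https://example.invalid/CVE-YYYY-NNNN]]></URL></CVE>
        </CVE_LIST>
        <CVSS_V3><BASE>9.8</BASE><TEMPORAL>9.8</TEMPORAL></CVSS_V3>
        <PCI_FLAG>1</PCI_FLAG>
      </VULN>
    </VULN_LIST>
  </RESPONSE>
</KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
"""


def _to_float(text):
    """Score elements are text or absent; convert to float or None."""
    return float(text) if text not in (None, "") else None


def kb_request_params(qids, details="Basic"):
    """Body parameters for one Knowledge Base call covering every QID from the scan
    (the page's 'pass all the QIDs in a single query' option); duplicates are collapsed."""
    unique = sorted({int(q) for q in qids})
    return {"action": "list", "details": details, "ids": ",".join(str(q) for q in unique)}


def parse_knowledge_base(xml_text):
    """Map QID -> the fields the build gate and the failure log need."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    vulns = {}
    for vuln in root.iter("VULN"):
        qid = int(vuln.findtext("QID"))
        vulns[qid] = {
            "qid": qid,
            "title": (vuln.findtext("TITLE") or "").strip(),   # CDATA may carry whitespace
            "severity": int(vuln.findtext("SEVERITY_LEVEL") or 0),
            "patchable": vuln.findtext("PATCHABLE") == "1",
            "pci": vuln.findtext("PCI_FLAG") == "1",
            "cvss_base": _to_float(vuln.findtext("CVSS/BASE")),
            "cvss3_base": _to_float(vuln.findtext("CVSS_V3/BASE")),
            "cves": [((c.findtext("ID") or "").strip(), (c.findtext("URL") or "").strip())
                     for c in vuln.findall("CVE_LIST/CVE")],
            "threat_intel": [(t.text or "").strip()
                             for t in vuln.findall("THREAT_INTELLIGENCE/THREAT_INTEL")],
        }
    return vulns


def build_failure_report(vulns, fail_severities=(4, 5), max_cvss3=None):
    """Decide pass/fail and return the lines for the build log: title, QID, severity and
    CVE links, highest severity first. max_cvss3 optionally fails on the CVSSv3 base
    score that details=Basic already returns."""
    failing = []
    for v in sorted(vulns.values(), key=lambda v: (-v["severity"], v["qid"])):
        by_severity = v["severity"] in fail_severities
        by_cvss = (max_cvss3 is not None and v["cvss3_base"] is not None
                   and v["cvss3_base"] >= max_cvss3)
        if by_severity or by_cvss:
            failing.append(v)
    lines = []
    for v in failing:
        lines.append(f"QID {v['qid']} severity {v['severity']} CVSSv3 {v['cvss3_base']}: {v['title']}")
        for cve_id, url in v["cves"]:
            lines.append(f"    {cve_id} {url}")
    return not failing, lines


if __name__ == "__main__":
    print("request body:", kb_request_params([351425, 999999, 351425]))
    passed, lines = build_failure_report(parse_knowledge_base(SAMPLE_KB_XML))
    print("BUILD", "PASSED" if passed else "FAILED")
    print("\n".join(lines))
```

The QIDs fed to kb_request_params would normally come from the scan-results parse in the previous section; keeping the gate logic in build_failure_report means the severity and CVSS thresholds can be tuned per business unit without touching the parsing code.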

 

The decision to automatically pass or fail a build will depend on your own internal security governance and risk tolerances. It is best to work with your DevOps teams to develop these thresholds together. You may end up with different risk tolerances and failure thresholds depending on the application data types and categorizations across business units.  The key to success is cooperation within your organization. Ensure you also look at tracking Key Performance Indicators (KPIs) for the reduction in vulnerabilities in your environments and to track progress of your implementation. This will help show the value of the time spent implementing when it comes time to report progress to management. 

 

Tips for Success 

  1. If you are just getting started with integrating vulnerability scanning into your pipelines, you may decide to implement an iterative approach: set a time period and a high-water mark of Severity 4 and 5 findings above which a build fails for containing a critical vulnerability. Then, as your processes mature, add medium-severity vulnerabilities to the failure criteria so that over time you reduce the number of vulnerabilities in your environment. 
  2. Choose a champion for your organization: identify a single team, application pipeline, or business unit to work on the initial implementation. Working with a smaller group initially allows for faster implementation and shows success sooner, and lets you resolve any potential design or implementation problems prior to larger adoption. Use the success of this smaller implementation as the success story for broader adoption across your organization. 
