Open Vulnerability and Assessment Language, OVAL, Interpreter
VulnIQ Security Scanner, Terzi, supports executing OVAL definitions to determine vulnerabilities with high accuracy.
OVAL interpreter code is developed in-house and does not rely on external libraries or programs.
Most vendors, especially Linux vendors such as Red Hat, Debian, Ubuntu, SUSE and Oracle, publish OVAL definitions for
issues affecting their products.
VulnIQ lets customers make use of this freely available OVAL data.
Case Study: Checking if an Ubuntu System is affected by a CVE with 100% accuracy
Canonical publishes OVAL definitions for all CVEs affecting Ubuntu systems.
You can download the definitions file for your version of Ubuntu and run the checks at no additional cost.
In this example we want to check whether a Docker container running Ubuntu 18.04 (bionic) is vulnerable to CVE-2018-6954.
First we download OVAL definitions for Ubuntu bionic and find the OVAL definition for CVE-2018-6954,
which is oval:com.ubuntu.bionic:def:201869540000000.
Instead of running a full scan, we can run only this definition using the oval.sh script shipped
with Terzi in its bin folder.
Running an OVAL check is as simple as running the following command:
#bin/oval.sh -t Docker -n container_name -f ~/Downloads/com.ubuntu.bionic.cve.oval.xml -o oval:com.ubuntu.bionic:def:201869540000000
Running this command will generate the following output.
By default, oval.sh generates verbose plain-text output; you can adjust the verbosity with an option, or switch to JSON output mode if you prefer.
OVALDefinitions
Loading definitions
OVALDefinitions
Finished loading definitions
Definition oval:com.ubuntu.bionic:def:201869540000000
Starting to evaluate definition
Definition oval:com.ubuntu.bionic:def:201869540000000
Loaded definition
- name CVE-2018-6954 on Ubuntu 18.04 LTS (bionic) - medium.
- class VULNERABILITY
Criteria
Starting to evaluate criteria
ExtendedDefinitionoval:com.ubuntu.bionic:def:100
Found child extended definition
Definition oval:com.ubuntu.bionic:def:100
Starting to evaluate definition
Definition oval:com.ubuntu.bionic:def:100
Loaded definition
- name Check that Ubuntu 18.04 LTS (bionic) is installed.
- class INVENTORY
Criteria
Starting to evaluate criteria
Criteria
Found child criterion
- commentForChild The host is part of the unix family.
Test oval:com.ubuntu.bionic:tst:100
Starting to evaluate test
Test oval:com.ubuntu.bionic:tst:100
Loaded test
- comment Is the host part of the unix family?
Test oval:com.ubuntu.bionic:tst:100
Finished evaluating test
- comment Is the host part of the unix family?
- result TRUE
Criteria
Evaluated child criterion
- criterionComment The host is part of the unix family.
- test oval:com.ubuntu.bionic:tst:100
- result TRUE
Criteria
Found child criterion
- commentForChild The host is running Ubuntu bionic.
Test oval:com.ubuntu.bionic:tst:101
Starting to evaluate test
Test oval:com.ubuntu.bionic:tst:101
Loaded test
- comment Is the host running Ubuntu bionic?
Test oval:com.ubuntu.bionic:tst:101
Starting to analyze test
Object oval:com.ubuntu.bionic:obj:101
Loaded object
- comment The singleton release codename object.
Object oval:com.ubuntu.bionic:obj:101
Collected object
- value [bionic]
Object oval:com.ubuntu.bionic:obj:101
Analyzing object
- existenceStatus EXISTS
- collectionStatus EXISTS
Object oval:com.ubuntu.bionic:obj:101
Existence result
- existenceResult TRUE
Object oval:com.ubuntu.bionic:obj:101
Results for state
- state oval:com.ubuntu.bionic:ste:101
- resultsForState [TRUE]
Test oval:com.ubuntu.bionic:tst:101
Object collection status is EXISTS and test has states. Final result after evaluating states: TRUE
- finalResult TRUE
- check AT_LEAST_ONE
- stateResults [TRUE]
Test oval:com.ubuntu.bionic:tst:101
Finished evaluating test
- comment Is the host running Ubuntu bionic?
- result TRUE
Criteria
Evaluated child criterion
- criterionComment The host is running Ubuntu bionic.
- test oval:com.ubuntu.bionic:tst:101
- result TRUE
Criteria
Final result after combining results
- operator AND
- finalResult TRUE
Definition oval:com.ubuntu.bionic:def:100
Evaluated definition criteria
- result TRUE
Definition oval:com.ubuntu.bionic:def:100
Finished evaluating definition
- name Check that Ubuntu 18.04 LTS (bionic) is installed.
- result TRUE
Criteria
Finished evaluating extended definition
- childResult TRUE
ExtendedDefinitionoval:com.ubuntu.bionic:def:100
Child result is TRUE, applicability check will not change the outcome
Criteria
Found child criterion
- commentForChild systemd package in bionic was vulnerable but has been fixed (note: '237-3ubuntu10.9').
Test oval:com.ubuntu.bionic:tst:2018168880000000
Starting to evaluate test
Test oval:com.ubuntu.bionic:tst:2018168880000000
Loaded test
- comment Does the 'systemd' package exist and is the version less than '237-3ubuntu10.9'?
Test oval:com.ubuntu.bionic:tst:2018168880000000
Starting to analyze test
Object oval:com.ubuntu.bionic:obj:2018168880000000
Loaded object
- comment The 'systemd' package binaries.
Object oval:com.ubuntu.bionic:obj:2018168880000000
Package is not installed.
- package libpam-systemd
Object oval:com.ubuntu.bionic:obj:2018168880000000
Package is installed.
- package libsystemd0
- version 237-3ubuntu10.6
Object oval:com.ubuntu.bionic:obj:2018168880000000
Package is installed.
- package libudev1
- version 237-3ubuntu10.6
Object oval:com.ubuntu.bionic:obj:2018168880000000
Package is not installed.
- package systemd
Object oval:com.ubuntu.bionic:obj:2018168880000000
Collected object
- value [237-3ubuntu10.6, 237-3ubuntu10.6]
Object oval:com.ubuntu.bionic:obj:2018168880000000
Analyzing object
- existenceStatus EXISTS
- collectionStatus EXISTS
Object oval:com.ubuntu.bionic:obj:2018168880000000
Existence result
- existenceResult TRUE
Object oval:com.ubuntu.bionic:obj:2018168880000000
Results for state
- state oval:com.ubuntu.bionic:ste:2018168880000000
- resultsForState [TRUE]
Object oval:com.ubuntu.bionic:obj:2018168880000000
Results for state
- state oval:com.ubuntu.bionic:ste:2018168880000000
- resultsForState [TRUE]
Test oval:com.ubuntu.bionic:tst:2018168880000000
Object collection status is EXISTS and test has states. Final result after evaluating states: TRUE
- finalResult TRUE
- check AT_LEAST_ONE
- stateResults [TRUE, TRUE]
Test oval:com.ubuntu.bionic:tst:2018168880000000
Finished evaluating test
- comment Does the 'systemd' package exist and is the version less than '237-3ubuntu10.9'?
- result TRUE
Criteria
Evaluated child criterion
- criterionComment systemd package in bionic was vulnerable but has been fixed (note: '237-3ubuntu10.9').
- test oval:com.ubuntu.bionic:tst:2018168880000000
- result TRUE
Criteria
Final result after combining results
- operator AND
- finalResult TRUE
Definition oval:com.ubuntu.bionic:def:201869540000000
Evaluated definition criteria
- result TRUE
Definition oval:com.ubuntu.bionic:def:201869540000000
Finished evaluating definition
- name CVE-2018-6954 on Ubuntu 18.04 LTS (bionic) - medium.
- result TRUE
=========================================================
RESULTS
=========================================================
TRUE CVE-2018-6954 on Ubuntu 18.04 LTS (bionic) - medium.
- vulnerability oval:com.ubuntu.bionic:def:201869540000000
- [CVE-2018-6954]
=========================================================
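The trace above shows the three things an OVAL interpreter has to do: walk the definition's criteria tree (an AND operator over an extend_definition that pulls in the inventory check def:100 and a criterion for the systemd test), collect the test's object on the host (only the installed packages libsystemd0 and libudev1 yield items; libpam-systemd and systemd are skipped), and apply the state to each item with a Debian version comparison before combining the per-item results with check AT_LEAST_ONE. The following is an added example, not Terzi's code and not Canonical's feed: a toy evaluator that does exactly that for a constructed, namespace-free XML document whose ids and versions mirror the case study. The tag names codename_test and dpkginfo_test and the attributes packages and evr_less_than are simplifications that fold real OVAL's separate object and state elements into the test; the host facts are constructed rather than read from a container.

```python
# Added example, not Terzi's code. Toy OVAL evaluator: criteria tree walk,
# object collection from constructed host facts, dpkg-style version compare.
# The XML is a constructed, namespace-free stand-in for Canonical's feed with
# object and state elements folded into test attributes (a simplification).
import xml.etree.ElementTree as ET

OVAL_XML = """<oval_definitions>
<definitions>
 <definition id="oval:com.ubuntu.bionic:def:100" class="inventory">
  <criteria operator="AND"><criterion test_ref="oval:com.ubuntu.bionic:tst:101"/></criteria>
 </definition>
 <definition id="oval:com.ubuntu.bionic:def:201869540000000" class="vulnerability">
  <criteria operator="AND">
   <extend_definition definition_ref="oval:com.ubuntu.bionic:def:100"/>
   <criterion test_ref="oval:com.ubuntu.bionic:tst:2018168880000000"/>
  </criteria>
 </definition>
</definitions>
<tests>
 <codename_test id="oval:com.ubuntu.bionic:tst:101" check="at least one" codename="bionic"/>
 <dpkginfo_test id="oval:com.ubuntu.bionic:tst:2018168880000000" check="at least one"
  packages="libpam-systemd libsystemd0 libudev1 systemd" evr_less_than="237-3ubuntu10.9"/>
</tests>
</oval_definitions>"""
VULN_DEF = "oval:com.ubuntu.bionic:def:201869540000000"

def _order(c):
    # dpkg character weights: digits 0, letters their code, '~' below the empty string
    return 0 if c.isdigit() else ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    """Compare one version part like dpkg: alternate non-digit and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":  # leading zeros do not count
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():  # longer digit run wins
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def dpkg_compare(v1, v2):
    """-1, 0 or 1 for v1 <, ==, > v2 in [epoch:]upstream[-revision] form."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    c = (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)

# How a test's check attribute combines the per-item state results.
CHECKS = {"at least one": any, "all": all, "none satisfy": lambda r: not any(r)}

def evaluate_test(test, host):
    """Collect the object on the host, apply the state per item, combine with
    the check. Nothing collected (no package installed) fails the test."""
    if test.tag == "codename_test":
        items = [host["codename"] == test.get("codename")]
    else:  # dpkginfo: only installed packages yield items, as in the trace
        items = [dpkg_compare(host["packages"][p], test.get("evr_less_than")) < 0
                 for p in test.get("packages").split() if p in host["packages"]]
    return bool(items) and CHECKS[test.get("check")](items)

def evaluate_criteria(node, defs, tests, host):
    """Combine criterion, extend_definition and nested criteria with AND/OR."""
    results = []
    for child in node:
        if child.tag == "criterion":
            results.append(evaluate_test(tests[child.get("test_ref")], host))
        elif child.tag == "extend_definition":  # recurse into the referenced definition
            ref = defs[child.get("definition_ref")].find("criteria")
            results.append(evaluate_criteria(ref, defs, tests, host))
        else:
            results.append(evaluate_criteria(child, defs, tests, host))
    return all(results) if node.get("operator", "AND") == "AND" else any(results)

def check_host(host, def_id=VULN_DEF, xml_text=OVAL_XML):
    """True when the host matches the definition (for a vulnerability class, vulnerable)."""
    root = ET.fromstring(xml_text)
    defs = {d.get("id"): d for d in root.find("definitions")}
    tests = {t.get("id"): t for t in root.find("tests")}
    return evaluate_criteria(defs[def_id].find("criteria"), defs, tests, host)

if __name__ == "__main__":
    # Constructed host facts matching the container in the case study.
    container = {"codename": "bionic", "packages": {"libsystemd0": "237-3ubuntu10.6",
                                                   "libudev1": "237-3ubuntu10.6"}}
    print("TRUE" if check_host(container) else "FALSE", "CVE-2018-6954 on Ubuntu 18.04 LTS (bionic)")
```

The version comparison is the part worth getting right: a naive string or float comparison would rank 237-3ubuntu10.10 below 237-3ubuntu10.9 and 1.0~rc1 above 1.0, producing both false negatives and false positives; the digit-run and tilde handling above follows dpkg's rules so that the "less than" state matches what apt would actually install.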