wazuh 4.8でAPIからvulnerbilityエンドポイントが消失した(The vulnerability endpoint has disappeared from the API in Wazuh 4.8.)

まじかよ?って感じなんだけど、同僚の@hibomaが気づいてくれた。そりゃopensearchで引けるのはそりゃそうなんだろうけどって思うけど、クライアントサイドから見るとエンドポイント複数あるの結構だるくね?って思いの方が強い。

僕らの場合は結構いくつかのリポジトリで使ってたから変換用のエンドポイントをSinatraでぴっとやった。

I can’t believe it! My colleague @hiboma noticed it. While it makes sense that you can retrieve vulnerabilities with OpenSearch, from a client-side perspective, having multiple endpoints is quite inconvenient.

In our case, we used the vulnerability endpoint in several repositories, so we quickly set up a conversion endpoint using Sinatra.

from japanese
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
# server.rb
require 'sinatra'
require 'faraday'
require 'oj'
set :server, :puma
# OpenSearchへの検索リクエストを行う関数
def search_vulnerabilities(agent_id, page, per_page)
  connection = Faraday.new(
    headers: { 'Content-Type' => 'application/json' }
  )
 
  from = page * per_page # Pagination offset
  body = {
    query: {
      bool: {
        must: [
          { match: { "agent.id": agent_id } }
        ]
      }
    },
    from: from,
    size: per_page
  }
 
  response = connection.post do |req|
    req.url '/wazuh-states-vulnerabilities-*/_search'
    req.body = Oj.dump(body, mode: :compat)
  end
 
  Oj.load(response.body)
end
 
get '/health' do
  status 200
  body ''
end
 
get '/vulnerability/:agent_id' do
  agent_id = params['agent_id']
  page = (params['offset'] || 0).to_i
  per_page = (params['limit'] || 500).to_i
 
  result = search_vulnerabilities(agent_id, page, per_page)
 
  affected_items = result['hits']['hits'].map do |hit|
    {
      cve: hit['_source']['vulnerability']['id'],
      architecture: hit['_source']['package']['architecture'],
      version: hit['_source']['package']['version'],
      name: hit['_source']['package']['name']
    }
  end
 
  response_body = {
    data: {
      affected_items: affected_items,
      total_affected_items: result['hits']['total']['value'],
      total_failed_items: 0,
      failed_items: []
    },
    message: 'All selected vulnerabilities were returned',
    error: 0
  }
 
  content_type :json
  Oj.dump(response_body, mode: :compat)
end

とりあえず現在は一つだけだからピッと書いたけど、今後も増えるようならOSSにしたり、あれこれしたい。

For now, I’ve written it quickly since there’s only one endpoint to handle. However, if more endpoints are added in the future, I plan to make it open source and consider other improvements.

from japanese