wazuh 4.8でAPIからvulnerbilityエンドポイントが消失した(The vulnerability endpoint has disappeared from the API in Wazuh 4.8.)

by pyamaon 投稿日:
GitHub
Remove vulnerability API endpoints by mhamra · Pull Request #20119 · wazuh/wazuh
https://github.com/wazuh/wazuh/pull/20119
Related issue#20116DescriptionRemove the vulnerabiity API endpoints from API and Framework.TestsCompilation without warnings in every supported platform Linux Windows MAC OS X ...

まじかよ?って感じなんだけど、同僚の@hibomaが気づいてくれた。そりゃopensearchで引けるのはそりゃそうなんだろうけどって思うけど、クライアントサイドから見るとエンドポイント複数あるの結構だるくね?って思いの方が強い。

僕らの場合は結構いくつかのリポジトリで使ってたから変換用のエンドポイントをSinatraでぴっとやった。

I can’t believe it! My colleague @hiboma noticed it. While it makes sense that you can retrieve vulnerabilities with OpenSearch, from a client-side perspective, having multiple endpoints is quite inconvenient.

In our case, we used the vulnerability endpoint in several repositories, so we quickly set up a conversion endpoint using Sinatra.

from japanese
# server.rb
require 'sinatra'
require 'faraday'
require 'oj'
set :server, :puma
# OpenSearchへの検索リクエストを行う関数
def search_vulnerabilities(agent_id, page, per_page)
  connection = Faraday.new(
    url: 'http://your-opensearch-endpoint:9200',
    headers: { 'Content-Type' => 'application/json' }
  )

  from = page * per_page # Pagination offset
  body = {
    query: {
      bool: {
        must: [
          { match: { "agent.id": agent_id } }
        ]
      }
    },
    from: from,
    size: per_page
  }

  response = connection.post do |req|
    req.url '/wazuh-states-vulnerabilities-*/_search'
    req.body = Oj.dump(body, mode: :compat)
  end

  Oj.load(response.body)
end

get '/health' do
  status 200
  body ''
end

get '/vulnerability/:agent_id' do
  agent_id = params['agent_id']
  page = (params['offset'] || 0).to_i
  per_page = (params['limit'] || 500).to_i

  result = search_vulnerabilities(agent_id, page, per_page)

  affected_items = result['hits']['hits'].map do |hit|
    {
      cve: hit['_source']['vulnerability']['id'],
      architecture: hit['_source']['package']['architecture'],
      version: hit['_source']['package']['version'],
      name: hit['_source']['package']['name']
    }
  end

  response_body = {
    data: {
      affected_items: affected_items,
      total_affected_items: result['hits']['total']['value'],
      total_failed_items: 0,
      failed_items: []
    },
    message: 'All selected vulnerabilities were returned',
    error: 0
  }

  content_type :json
  Oj.dump(response_body, mode: :compat)
end

とりあえず現在は一つだけだからピッと書いたけど、今後も増えるようならOSSにしたり、あれこれしたい。

For now, I’ve written it quickly since there’s only one endpoint to handle. However, if more endpoints are added in the future, I plan to make it open source and consider other improvements.

from japanese