Choices and features of scan methods

FutureVuls has multiple scan methods for each scan target.

Here are the options and their features:

Scan Linux host OS

When the scan target is connected to the Internet

If the scan result JSON can be uploaded from the scan target server to FutureVuls, it is recommended to use Scan Linux with scanner which can automatically reflect configuration information in FutureVuls at the time of package update.

• Local scan
  • A method of installing a scanner on each server to be scanned
  • Pros
    • Easy installation (complete with just one command)
    • Can also obtain information about relevant processes.
    • Automatically reflected on the screen even if the configuration information changes due to updates, etc.
    • Scanner program is automatically updated
  • Considerations
    • Can the scanner program be placed on the server?
• Remote scan via SSH
  • A method of scanning via SSH from a scanner installed in the scan target network to the scan target server
  • Pros
    • Can also obtain information about relevant processes.
    • Automatically reflected on the screen even if the configuration information changes due to updates, etc.
    • OK even if the scanner program cannot be placed on the server
    • Can scan servers that can be reached via SSH from the scanner by using SSH tunnels, etc.
    • CIDR range can be specified to scan servers in a network all at once
  • Considerations
    • More difficult to set up than local scan (definition required in configuration file)

When the scan target is on a closed network

• Paste scan
  • Pros
    • Detect CVE by copying and pasting a list of packages on FutureVuls screen
    • Detect servers in closed network (air gap environment)
    • No need for a scanner program on the managed server
  • Considerations
    • Need to update the package list on the screen when the configuration information changes due to updates, etc.
    • Less information can be obtained than from the scanner
      • Process information (port listening information) cannot be obtained

Scan Windows

• When connected to Internet Windows Update
  • Windows Scanner
• When under WSUS control
  • Scan Windows under WSUS control…
• Remote scan via SSH
  • A method of scanning via SSH from a scanner installed in the scan target network to the scan target server
  • Pros
    • Can also obtain information about relevant processes.
    • Automatically reflected on the screen even if the configuration information changes due to updates, etc.
    • OK even if the scanner program cannot be placed on the server
    • Can scan servers that can be reached via SSH from the scanner by using SSH tunnels, etc.
    • CIDR range can be specified to scan servers in a network all at once
  • Considerations
    • More difficult to set up than local scan (definition required in configuration file)

Scan Containers

• Scan container images
  • Trivy integration (recommended)
    • Pros
      • Detects application libraries within container images
      • Can be integrated into CI/CD
        • GitHub Actions integration
  • Scan Amazon ECR images externally
    • Pros
      • Easy integration
    • Considerations
      • Note that ECR extended scans do not display modified package versions on the screen
  • Scan GCP GAR images externally
    • Pros
      • Easy integration
    • Considerations
      • Trivy has better detection accuracy
      • Vulnerability detection for libraries must be achieved using other methods
  • Scan running containers
    • Vuls (Help is being prepared. Please inquire immediately if you need it)

Scan Application Dependency Libraries

This is a method for detecting vulnerabilities in OSS libraries that frameworks such as Java and Python and web applications depend on internally. Refer to Supported Environments for a list of supported languages and lockfiles.

• If you want to scan the lockfile on the host OS
  • If you also want to scan OS packages together
    • Scan lockfile with Vuls specified
      • Pros
        • In an OS with a setup for Vuls scanner, only config.toml needs to be modified.
      • Considerations
        • The Lockfile to be detected must be listed in config.toml.
  • If you want to scan only libraries
    • Scan the file system path with Trivy specified
      • Pros
        • Binary files for Go and jar files for Java are also targeted for scanning
        • Automatically detects directories specified recursively, making setup easy
        • Can be integrated into CI/CD
          • GitHub Actions integration
• If you want to scan the installed dependency libraries in a container image
  • Trivy integration
• If the lockfile is on a closed network
  • Register by pasting the lockfile on the screen Pasted scan of lockfile
    • Pros
      • Lock files can be registered by copying and pasting from the browser if they exist
    • Considerations
      • If the lockfile is changed due to an update, it must be updated using one of the following methods:
        • Update by pasting it on the screen
• To update via REST API: API methods
• If you want to scan GitHub lockfiles or libraries:
  • See How to automatically update lockfile on push with GitHub Actions
    • Pros:
      • Automatically updates on git push
    • Considerations:
      • Go binaries and Java JAR files are not supported.
  • Refer to Scanning with Trivy by specifying a lockfile and set up GitHub Actions like the example.
    • Pros:
      • Supports scanning Go binaries and Java JAR files, and detects directories recursively.
    • Considerations:
      • Periodic version upgrades are required for associated modules (trivy, trivy-to-vuls, futurevuls).
  • We recommend using GitHub Security Alerts integration in conjunction.
    • Pros:
      • Easy to set up.
• If you want to scan dependencies in a source code management service other than GitHub:
  • Refer to How to automatically update lockfile on push with GitHub Actions and create your own script.
    • (Please share the script you created if possible.)
  • Refer to Scanning with Trivy by specifying a lockfile and run it periodically.

Scanning for paid middleware or self-compiled software

• CPE scanning
  • Middleware not covered by OS package management (e.g., Tomcat, Oracle), compiled software, Japanese software, network equipment OS such as CISCO IOS, etc.

Scanning WordPress plugins and themes

• WordPress integration