Linux OS Package Scan

As of October 2021, vulnerabilities in software managed by the Linux package manager can be identified by the following methods:

  • Vuls scan
  • Trivy scan (Docker image)
  • Paste scan

Let’s explain the features of each of them.

Vuls scan

This method scans with the Vuls scanner and uploads the collected configuration information to the cloud service. Refer to supported environments for the scan targets.

Container scan

The recommended approach is to scan images in the container registry with Trivy and upload the results to FutureVuls. This can also be integrated into a CI/CD pipeline. Refer to supported environments for the scan targets.

Integration with cloud-service container registries is also available; AWS and GCP Docker registries are supported. Refer to supported environments for the scan targets.

Paste scan

Paste scan allows for vulnerability management in environments where it is difficult to introduce scanners.

  • Closed area environment isolated from the Internet
  • Environment where uploading to external SaaS is prohibited
  • Environment where the scanner program cannot be installed on the server

Run a few commands on the server to obtain its configuration information, then copy and paste the command output into the FutureVuls screen to complete registration.

How to register a Paste scan

Let’s explain the steps from registering configuration information to performing vulnerability scans.

  • Server > Add server > Add PASTE server
  • Enter server name
  • Select the type of OS
  • Paste OS version information
  • Paste information on the currently running kernel release
  • Paste the list of installed packages
  • Click “Manual scan” on the server detail screen

Refer to supported environments for the scan targets.

(Screenshot: Add PASTE server button)

(Screenshot: Enter server name, OS type, etc.)

(Screenshot: Paste the list of installed packages)

Once registered, you can detect vulnerabilities by clicking on Manual Scan.

Updating paste server by package update

If you update packages on the server and its configuration information changes, update it from the Edit button in the Server Information section of the server details screen. The next scan performs detection based on the updated configuration information. Tasks resolved by package updates are automatically changed to the “Patch_Applied” status.

Required information and acquisition method for paste server registration

For each OS, the columns are: OS Version, Kernel Release, Kernel Version, Packages (a “-” means the field is not required).

CentOS
  OS Version:     cat /etc/redhat-release
  Kernel Release: uname -r
  Kernel Version: -
  Packages:       rpm -qa --queryformat "%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE} %{ARCH}\n"

RHEL
  OS Version:     cat /etc/redhat-release
  Kernel Release: uname -r
  Kernel Version: -
  Packages:       rpm -qa --queryformat "%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE} %{ARCH}\n"

Amazon Linux
  OS Version:     awk '{if ($0 ~ /Amazon Linux release (2022|2023)/) print $4; else if ($0 ~ /Amazon Linux release 2/) printf("%s %s ",$4, $5); else if ($0 ~ /Amazon Linux 2/) for (i=3; i<=NF; i++) printf("%s ", $i); else if (NF==5) print $5}' /etc/system-release
  Kernel Release: uname -r
  Kernel Version: -
  Packages:       (not listed on this page)

Debian
  OS Version:     cat /etc/debian_version
  Kernel Release: uname -r
  Kernel Version: uname -a | awk '{print $7}'
  Packages:       dpkg-query -W -f="${binary:Package},${db:Status-Abbrev},${Version},${Source},${source:Version}\n"

Ubuntu
  OS Version:     lsb_release -sr | awk '{print $1}'
  Kernel Release: uname -r
  Kernel Version: -
  Packages:       dpkg-query -W -f="${binary:Package},${db:Status-Abbrev},${Version},${Source},${source:Version}\n"

Windows
  OS Version:     -
  Kernel Release: -
  Kernel Version: -
  Packages:       (Get-Hotfix | Select-Object -Property HotFixID | % { If ($_ -match '(KB\d{6,7})') { $Matches[0] }}) -Join ','

If you want to register an OS other than the above, open the dialog for creating a paste server on the FutureVuls screen and check the options shown there.

Mechanism of OS package scan

Linux distributions update packages through backporting: the security fix is applied to the distribution’s existing package version, so the version number does not advance to the upstream fixed release. FutureVuls therefore performs detection using the Security Tracker or OVAL data provided by the Linux distributors. These vulnerability databases record the “actually backported version numbers” for each OS, which allows accurate detection.

For the detailed detection logic of each scan method, refer to the source code of the underlying OSS (Vuls and Trivy).

We are often asked whether vulnerabilities can be accurately detected by registering OS or package CPEs. Because of frequent false positives, CPE scans for OS packages are not recommended. For more information, refer to the FAQ > CPE Scan section.
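As an added example (not FutureVuls or Vuls code), the following Python parses the rpm paste-scan line format from the table above and contrasts a backport-aware EVR comparison against a distributor-style fixed version with a naive upstream-version comparison of the kind that produces the CPE false positives described here. The package list, the fixed versions and the “advisory” are constructed and hypothetical.

```python
import re

# Constructed sample of a paste-scan package list, in the exact line shape produced by
#   rpm -qa --queryformat "%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE} %{ARCH}\n"
SAMPLE_RPM_PASTE = """\
openssl 1 1.0.2k 22.el7_9 x86_64
bash 0 4.2.46 34.el7 x86_64
"""
# Constructed, illustrative advisory data (not a real advisory): the distributor feed
# (Security Tracker / OVAL) holds the backported fixed EVR; a CPE lookup only knows upstream.
BACKPORTED_FIX = {"openssl": "1:1.0.2k-19.el7"}
UPSTREAM_FIX = {"openssl": "1.0.2x"}

def parse_rpm_paste(text):
    """NAME EPOCHNUM VERSION RELEASE ARCH lines -> {name: (epoch, version, release)}."""
    pkgs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            pkgs[parts[0]] = (int(parts[1]), parts[2], parts[3])
    return pkgs

def rpmvercmp(a, b):
    """rpm segment order: digits compare as ints, letters lexically, digits outrank letters."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        p, q = (int(x), int(y)) if x.isdigit() else (x, y)
        if p != q:
            return 1 if p > q else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def evr_cmp(installed, fixed_evr):
    """Compare an (epoch, version, release) tuple with an 'E:V-R' string; -1/0/1."""
    epoch, _, rest = fixed_evr.rpartition(":")
    version, _, release = rest.partition("-")
    fixed = (int(epoch) if epoch else 0, version, release)
    if installed[0] != fixed[0]:
        return 1 if installed[0] > fixed[0] else -1
    return rpmvercmp(installed[1], fixed[1]) or rpmvercmp(installed[2], fixed[2])

def vulnerable_backport_aware(pkgs, name):
    """Installed EVR older than the distributor's backported fix -> vulnerable."""
    return name in pkgs and evr_cmp(pkgs[name], BACKPORTED_FIX[name]) < 0

def vulnerable_upstream_naive(pkgs, name):
    """Upstream-only version comparison that ignores backports (the CPE false positive)."""
    return name in pkgs and rpmvercmp(pkgs[name][1], UPSTREAM_FIX[name]) < 0
```

With the sample list, the naive upstream comparison flags openssl 1.0.2k as vulnerable while the backport-aware comparison sees release 22.el7_9 is newer than the fixed 19.el7 and reports it patched.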