Home » Security Bloggers Network » VulnReport Install

VulnReport Install

by malicious.link on February 28, 2019

A co-worker referenced a pretty cool tool released by @SalesForce’s security team called “VulnReport“

I wanted to try it out so I checked out their Github report to start the install: https://github.com/salesforce/vulnreport – but there really wasn’t much in the way of documentation on how to get it rolling unless you were deploying it to a Heroku app. I’m not really a fan of putting vulnerability information, especially Red Team findings into the cloud so I decided to deploy it locally. Here are the steps I went through to install it and get it up and running:

Note: I started with a Debian 9.3 ISO that I had on-hand, if you use another repo your mileage may vary.

Install dependancies:

This project uses Ruby, and many of the gems needed for the project require compiling in libraries.

Sponsorships Available

apt install -y git ruby ruby-dev ruby-bundler build-essential libssl-dev libpq-dev zlib1g-dev postgresql-server-dev-all authbind

Next we install a Redis and Postgres server. If you already have these on the system or wish to use an established server on another systems you can most definitely do that instead of this step.

apt install -y redis-server postgresql

Setup Database

Next we just need to create the database and user we will be using for the database:

root@vulnreportio:~# su - postgrespostgres@vulnreportio:~$ createuser -P vulnreportuserEnter password for new role: vulnreportpassword (NOT DISPLAYED)Enter it again: vulnreportpassword (NOT DISPLAYED)postgres@vulnreportio:~$ createdb -O vulnreportuser vulnreportdbpostgres@vulnreportio:~$ exitlogoutroot@vulnreportio:~#

Clone the repo

Toss the repo in /opt/ so that we can run this under another user to better secure it later but just for example we’ll get this running as root.

root@vulnreportio:~# cd /opt/root@vulnreportio:/opt# git clone https://github.com/salesforce/vulnreportCloning into 'vulnreport'...remote: Enumerating objects: 1191, done.remote: Total 1191 (delta 0), reused 0 (delta 0), pack-reused 1191Receiving objects: 100% (1191/1191), 2.93 MiB | 3.92 MiB/s, done.Resolving deltas: 100% (694/694), done.root@vulnreportio:/opt# cd vulnreport/root@vulnreportio:/opt/vulnreport#

Setup Ruby

At the current version the Ruby version is fixed to 2.1.2 but works just fine with later versions so you can remove the fixed Ruby version in the Gemfile:

root@vulnreportio:/opt/vulnreport# bundle installDon't run Bundler as root. Bundler can ask for sudo if it is needed, and installing your bundle as root will break this application for all non-root users on this machine.Your Ruby version is 2.3.3, but your Gemfile specified 2.1.2

Just comment out the line and things should work:

root@vulnreportio:/opt/vulnreport# bundle installDon't run Bundler as root. Bundler can ask for sudo if it is needed, and installing your bundle as root will break this application for all non-root users on thismachine.Fetching gem metadata from https://rubygems.org/..............Fetching version metadata from https://rubygems.org/...Fetching dependency metadata from https://rubygems.org/..Installing i18n 0.7.0Using json 1.8.3Installing minitest 5.8.4Installing thread_safe 0.3.5Installing addressable 2.4.0Installing builder 3.2.2Installing mini_portile2 2.0.0Installing bcrypt 3.1.11 with native extensionsInstalling chronic 0.10.2Installing daemons 1.2.3Installing fastercsv 1.5.5Installing json_pure 1.8.3Installing multi_json 1.11.3Installing stringex 1.5.1Installing uuidtools 2.1.5Installing dotenv 2.1.1Installing eventmachine 1.0.7 with native extensionsInstalling multi_xml 0.5.5Installing rack 1.6.4Installing systemu 2.6.5Installing mime-types-data 3.2016.0221Installing multipart-post 2.0.0Installing nori 2.6.0Installing oauth 0.5.1Installing pdfkit 0.8.2Installing pg 0.18.4 with native extensionsInstalling redis 3.3.0Installing rubyzip 1.2.0Installing rufus-scheduler 3.2.0Installing tilt 2.0.2Installing wkhtmltopdf-heroku 2.12.3.0Installing xml-simple 1.1.5Installing yard 0.8.7.6Installing yard-dm 0.1.1Using bundler 1.13.6Installing tzinfo 1.2.2Installing dm-core 1.2.1Installing data_objects 0.10.17Installing gyoku 1.3.1Installing nokogiri 1.6.7.2 with native extensionsInstalling bcrypt-ruby 3.1.5Installing rollbar 2.10.0Installing httparty 0.13.7Installing httpi 2.4.1Installing rack-protection 1.5.3Installing rack-ssl 1.4.1Installing rack_csrf 2.5.0Installing thin 1.6.4 with native extensionsInstalling macaddr 1.7.1Installing mime-types 3.0Installing rforce 0.13Installing yard-sinatra 1.0.0Installing activesupport 4.2.6Installing dm-aggregates 1.2.0Installing dm-constraints 1.2.0Installing dm-migrations 1.2.0Installing dm-serializer 1.2.2Installing dm-timestamps 1.2.0Installing dm-transactions 1.2.0Installing dm-validations 1.2.0Installing dm-do-adapter 1.2.0Installing do_postgres 0.10.17 with native extensionsInstalling akami 1.3.1Installing dm-types 1.2.2Installing wasabi 3.5.0Installing sinatra 1.4.7Installing uuid 2.3.8Installing mail 2.6.4Installing dm-postgres-adapter 1.2.0Installing data_mapper 1.2.0Installing savon 2.11.1Installing ruby-saml 1.0.0Installing pony 1.11Bundle complete! 29 Gemfile dependencies, 73 gems now installed.Use `bundle show [gemname]` to see where a bundled gem is installed.Post-install message from bcrypt-ruby:#######################################################The bcrypt-ruby gem has changed its name to just bcrypt.  Instead ofinstalling `bcrypt-ruby`, you should install `bcrypt`.  Please update yourdependencies accordingly.#######################################################Post-install message from httparty:When you HTTParty, you must party hard!

Configure VulnReport

Create a .env file that looks like this:

export RACK_ENV=productionexport VR_SESSION_SECRET=ADD_RANDOM_STRING_HEREexport DATABASE_URL=postgres://vulnreportuser:vulnreportpassword@localhost:5432/vulnreportdbexport REDIS_URL=redis://localhost:6379/export ROLLBAR_ACCESS_TOKEN=ROLLBARTOKEN

Next we want to replace the VR_SESSION_SECRET with a strong relatively random string. I used a sha256 hash of a OpenSSL random string. It’s definitely not perfect random but it’s in the good-enough realm that it would be very hard for someone to brute force it.

sed -i "s/ADD_RANDOM_STRING_HERE/$(openssl rand -base64 32 | sha256sum | cut -d ' ' -f 1 )/" .env

After we are done we’ll have something like this:

root@vulnreportio:/opt/vulnreport# cat .envexport RACK_ENV=productionexport VR_SESSION_SECRET=0e40e9367e35bc7f6f6a0e1966a8c108c87b7f6a60e96c119779ae3b1dc08352export DATABASE_URL=postgres://vulnreportuser:vulnreportpassword@localhost:5432/vulnreportdbexport REDIS_URL=redis://localhost:6379/export ROLLBAR_ACCESS_TOKEN=ROLLBARTOKEN

Create a self-signed cert

VulnReport looks for it’s SSL certificate in the same directory as it’s started in and called server.key so we create a self-signed certifcate in the same directory as the git repo:

root@vulnreportio:/opt/vulnreport# openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crtGenerating a RSA private key........+++++.......................................................+++++writing new private key to 'server.key'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [AU]:State or Province Name (full name) [Some-State]:Locality Name (eg, city) []:Organization Name (eg, company) [Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section) []:Common Name (e.g. server FQDN or YOUR name) []:Email Address []:root@vulnreportio:/opt/vulnreport# ls -alh server.*-rw-r--r-- 1 root root 1.3K Feb 28 19:56 server.crt-rw------- 1 root root 1.7K Feb 28 19:56 server.key

Of course feel free to put in any information you wish in the certificate, I just went with the defaults to make it easy.

Start VulnReport

First we need to SEED the database with information and tables using the SEED.rb file:

root@vulnreportio:/opt/vulnreport# ruby SEED.rbVulnreport 3.0.3 seed scriptWARNING: This script should be run ONCE immediately after deploying and then DELETEDSetting up Vulnreport now...Setting up the PostgreSQL database...        DoneSeeding the database...        DoneUser ID 1 created for youALL DONE! :)Login to Vulnreport now and go through the rest of the settings!

Then we can start up the application:

root@vulnreportio:/opt/vulnreport# ./start.shUsing rack adapter[28/Feb/2019 19:59:02] WARNING: RUNNING IN DEVELOPMENT ENVIRONMENT[28/Feb/2019 19:59:02] Dev environment: CRON JOBS SCHEDULER NOT ENABLED[28/Feb/2019 19:59:02] VRCron Registered: Monthly Allocation Notification[28/Feb/2019 19:59:02]  Type: cron, Schedule: 0 7 1 * *[28/Feb/2019 19:59:02]  Cron registered as not enabled, did not schedule[28/Feb/2019 19:59:02] VRCron Registered: Monthly Allocation Preset[28/Feb/2019 19:59:02]  Type: cron, Schedule: 0 0 1 * *[28/Feb/2019 19:59:02]  Cron registered as not enabled, did not scheduleThin web server (v1.6.4 codename Gob Bluth)Maximum connections set to 1024Listening on 0.0.0.0:443, CTRL+C to stop

Once it’s started, we can log in with the default user admin and the default password admin which is quite hilariously ironic for a vulnerability reporting platform. I think the SEED file should be updated to add a vulnerability report example including the default password for it’s own service.

There are quite a few bugs that I’ve run into that result in a ‘NulClass’. I think this is the result of lacking enough SEED data. But once you create a user, vuln, or whatever, you’ll get this error but the creat will go through and you only really see this error once per action type.

Side note: I submitted this install guide as a short version to the repository itself because of the lacking installation steps here: https://github.com/salesforce/vulnreport/pull/30 but they require you to sign a document before they will accept pull requests: https://cla.salesforce.com/sign-cla. I don’t really have time to look over that document nor do I want to spend the time to get a lawyer to do so, so I will leave it at making a blog post about how to install it and hope that is enough to help others get this installed.