The vulnerability endpoint has disappeared from the API in Wazuh 4.8

Seriously? That was my reaction. My colleague @hiboma noticed it. It makes sense that you can still query vulnerabilities through OpenSearch, but from the client side, having to deal with several endpoints is a real hassle.

In our case, several of our repositories relied on the vulnerability endpoint, so we quickly put together a conversion endpoint in Sinatra.
# server.rb
require 'sinatra'
require 'faraday'
require 'oj'

set :server, :puma

# Issues the search request to OpenSearch and returns the parsed response.
# Wazuh 4.8 keeps vulnerability state in the wazuh-states-vulnerabilities-* indices.
def search_vulnerabilities(agent_id, offset, limit)
  connection = Faraday.new(
    url: 'http://your-opensearch-endpoint:9200',
    headers: { 'Content-Type' => 'application/json' }
  )
  body = {
    query: {
      bool: {
        must: [
          { match: { "agent.id": agent_id } }
        ]
      }
    },
    from: offset, # the Wazuh API's `offset` is an item offset, so it maps directly to `from`
    size: limit
  }
  response = connection.post do |req|
    req.url '/wazuh-states-vulnerabilities-*/_search'
    req.body = Oj.dump(body, mode: :compat)
  end
  Oj.load(response.body)
end

get '/health' do
  status 200
  body ''
end

# Reproduces the pre-4.8 response shape of GET /vulnerability/{agent_id}.
# Unlike the Wazuh API, this endpoint performs no authentication of its own,
# so deploy it behind the same access controls that protected the original API.
get '/vulnerability/:agent_id' do
  agent_id = params['agent_id']
  offset = (params['offset'] || 0).to_i
  limit = (params['limit'] || 500).to_i
  result = search_vulnerabilities(agent_id, offset, limit)
  # An OpenSearch error body has no "hits"; report it instead of raising NoMethodError
  halt 502, 'OpenSearch query failed' unless result['hits']

  affected_items = result['hits']['hits'].map do |hit|
    source = hit['_source']
    {
      cve: source['vulnerability']['id'],
      architecture: source['package']['architecture'],
      version: source['package']['version'],
      name: source['package']['name']
    }
  end
  response_body = {
    data: {
      affected_items: affected_items,
      total_affected_items: result['hits']['total']['value'],
      total_failed_items: 0,
      failed_items: []
    },
    message: 'All selected vulnerabilities were returned',
    error: 0
  }
  content_type :json
  Oj.dump(response_body, mode: :compat)
end
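The translation logic of the shim, pulled out of Sinatra into plain Ruby so it can be run and tested offline; this is an added example, not the author's code. The OpenSearch response is a constructed sample with placeholder CVE ids, and the example adds three things a practitioner would want: `track_total_hits` so the reported total is not capped at OpenSearch's default of 10,000, `dig` for hits that lack a package field, and a Wazuh-style error envelope when OpenSearch returns an error body instead of hits.

```ruby
require 'json'

# Constructed sample of an OpenSearch _search response from the
# wazuh-states-vulnerabilities-* indices; the second hit deliberately lacks
# an architecture so the nil-tolerant mapping is exercised.
SAMPLE_OS_RESPONSE = JSON.parse(<<~OS)
  { "hits": { "total": { "value": 2, "relation": "eq" },
    "hits": [
      { "_source": { "agent": { "id": "001" }, "vulnerability": { "id": "CVE-0000-0001" },
        "package": { "name": "openssl", "version": "3.0.2-0ubuntu1", "architecture": "amd64" } } },
      { "_source": { "agent": { "id": "001" }, "vulnerability": { "id": "CVE-0000-0002" },
        "package": { "name": "curl", "version": "7.81.0" } } } ] } }
OS

# Query body for one agent. Wazuh's `offset` is an item offset, so it maps
# straight to `from`; `track_total_hits: true` asks OpenSearch for an exact
# total instead of its default cap of 10,000, keeping total_affected_items honest.
def build_query(agent_id, offset: 0, limit: 500)
  { query: { bool: { must: [{ match: { 'agent.id' => agent_id } }] } },
    from: offset, size: limit, track_total_hits: true }
end

# One OpenSearch hit -> one item in the pre-4.8 Wazuh API shape.
# `dig` yields nil for a missing package field instead of raising.
def to_affected_item(hit)
  src = hit.fetch('_source')
  { 'cve' => src.dig('vulnerability', 'id'),
    'architecture' => src.dig('package', 'architecture'),
    'version' => src.dig('package', 'version'),
    'name' => src.dig('package', 'name') }
end

# Wraps the OpenSearch response in the Wazuh API envelope. An OpenSearch
# error body has no "hits"; it becomes a Wazuh-style error envelope rather
# than a NoMethodError inside the request handler.
def to_wazuh_response(os_response)
  hits = os_response['hits']
  return { 'data' => nil, 'message' => 'OpenSearch query failed', 'error' => 1 } unless hits

  { 'data' => { 'affected_items' => hits['hits'].map { |h| to_affected_item(h) },
                'total_affected_items' => hits.dig('total', 'value'),
                'total_failed_items' => 0, 'failed_items' => [] },
    'message' => 'All selected vulnerabilities were returned', 'error' => 0 }
end

puts JSON.pretty_generate(to_wazuh_response(SAMPLE_OS_RESPONSE)) if $PROGRAM_NAME == __FILE__
```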
For now, I wrote it quickly since there is only one endpoint to handle. If more endpoints need the same treatment in the future, I plan to release it as open source and tidy it up in various ways.