diff --git a/docker/Dockerfile b/docker/Dockerfile
new file mode 100644
index 00000000..7a68d227
--- /dev/null
+++ b/docker/Dockerfile
@@ -0,0 +1,64 @@
+FROM debian
+
+# This is not an ultra fast build, takes appx. 10 min on a powerful PC.
+# It strictly follows the installation instructions, so everything
+# is running in one container.
+
+# Prepare the OS
+RUN apt-get update && apt-get -y upgrade
+RUN apt install -y pipx git make gcc g++ make cmake autoconf automake libtool python3 libssl-dev
+RUN pipx install poetry && env
+ENV PATH=/root/.local/bin:$PATH
+
+# Install Redis from source
+RUN git clone https://github.com/redis/redis.git
+RUN cd redis && git checkout 7.2
+RUN cd redis && make
+
+# Install KVRocks from source (takes a moment)
+RUN git clone --recursive https://github.com/apache/incubator-kvrocks.git kvrocks
+RUN cd kvrocks ; git checkout v2.5.1
+RUN cd kvrocks ; ./x.py build
+
+# Install vulnerablity-lookup from source
+RUN git clone --recursive https://github.com/cve-search/vulnerability-lookup.git
+RUN cd vulnerability-lookup ; git submodule update --init
+RUN ls -la
+RUN cd vulnerability-lookup ; poetry install
+RUN echo VULNERABILITYLOOKUP_HOME="/vulnerability-lookup" >> .env
+
+# We need the CSAF Tools
+RUN apt install -y wget
+
+# this was build on a ARM machine, change to AMD if on Intel
+RUN wget https://dl.google.com/go/go1.22.2.linux-arm64.tar.gz
+RUN tar -C /usr/local -xzf go1.22.2.linux-arm64.tar.gz
+ENV PATH=/usr/local/go/bin:$PATH
+RUN git clone https://github.com/csaf-poc/csaf_distribution.git
+RUN cd csaf_distribution ; make build_linux
+
+COPY run.sh /
+RUN chmod +x /run.sh
+
+#
+# Please check the following edits:
+#
+# 1/ generic.json needs a hostname, set "public_domain": "localhost:10001"
+#
+# 2/ CSAF downloader path must be changed to installation location in generic.json:
+# "csaf_downloader_path": "/csaf_distribution/bin-linux-amd64/csaf_downloader",
+#
+# 3/ Add your NVD key to modules.cfg
+#
+
+COPY generic.json vulnerability-lookup/config
+COPY logging.json vulnerability-lookup/config
+COPY modules.cfg vulnerability-lookup/config
+
+# We overwrite the config file to enable network access to redis
+COPY cache.conf /vulnerability-lookup/cache/cache.conf
+
+EXPOSE 10001
+EXPOSE 10002
+
+CMD /run.sh
\ No newline at end of file
diff --git a/docker/generic.json b/docker/generic.json
new file mode 100644
index 00000000..eeff0849
--- /dev/null
+++ b/docker/generic.json
@@ -0,0 +1,22 @@
+{
+ "loglevel": "INFO",
+ "website_listen_ip": "0.0.0.0",
+ "website_listen_port": 10001,
+ "systemd_service_name": "vulnerability-lookup",
+ "storage_db_hostname": "127.0.0.1",
+ "storage_db_port": 10002,
+ "output_dir": "output",
+ "public_domain": "localhost:10001",
+ "csaf_downloader_path": "/csaf_distribution/bin-linux-amd64/csaf_downloader",
+ "_notes": {
+ "loglevel": "(lookyloo) Can be one of the value listed here: https://docs.python.org/3/library/logging.html#levels",
+ "website_listen_ip": "IP Flask will listen on. Defaults to 0.0.0.0, meaning all interfaces.",
+ "website_listen_port": "Port Flask will listen on.",
+ "systemd_service_name": "(Optional) Name of the systemd service if your project has one.",
+ "storage_db_hostname": "Hostname or IP of the kvrocks instance. Must be the same as in storage/kvrocks.conf",
+ "storage_db_port": "Port of the kvrocks instance. Must be the same as in storage/kvrocks.conf",
+ "output_dir": "Output directory for fetchers",
+ "public_domain": "Public domain used for template generating links such as the RSS feeds",
+ "csaf_downloader_path": "Full path to the csaf_downloader. Get it from there: https://github.com/csaf-poc/csaf_distribution/"
+ }
+}
diff --git a/docker/logging.json b/docker/logging.json
new file mode 100644
index 00000000..633b8107
--- /dev/null
+++ b/docker/logging.json
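Review bot: `COPY modules.cfg vulnerability-lookup/config` bakes the NVD API key that the comment block above tells users to put into modules.cfg into an image layer, where it stays readable through `docker history`/`docker save` for anyone who can pull the image. Keep the real key out of the build context (add modules.cfg to `.dockerignore`) and supply it at run time instead, e.g. `docker run -v ./modules.cfg:/vulnerability-lookup/config/modules.cfg:ro …`, or via a BuildKit `--mount=type=secret` if it is only needed while building. The Go toolchain fetched by `RUN wget https://dl.google.com/go/go1.22.2.linux-arm64.tar.gz` is unpacked into /usr/local with no integrity check; verify it before the tar step, `RUN echo "<sha256 from go.dev/dl>  go1.22.2.linux-arm64.tar.gz" | sha256sum -c -`, or use `ADD --checksum=sha256:… <url> /tmp/`. Reproducibility is also weak: `FROM debian` is untagged and `git checkout 7.2` in the Redis step looks like a branch rather than a release tag, so two builds can pull different code; and nothing switches away from root with `USER` before `CMD`, while the shell-form `CMD /run.sh` means the script is not PID 1 and will not receive docker stop's SIGTERM.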
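Review bot: `"csaf_downloader_path": "/csaf_distribution/bin-linux-amd64/csaf_downloader"` is pinned to an amd64 binary while the Dockerfile in this same change installs the arm64 Go toolchain and says it was built on ARM; unless csaf_distribution's `make build_linux` cross-compiles to amd64 (not visible here), that path will not exist on an arm64 build and the CSAF feeder will fail at run time. Either make the path follow the build architecture or at least document the coupling in the matching `_notes` entry, e.g. `"csaf_downloader_path": "Full path to the csaf_downloader. The bin-linux-<arch> directory must match the Go toolchain installed in docker/Dockerfile."`. The `_notes` for storage_db_hostname/port say they must match storage/kvrocks.conf, but that file is not part of this change, so it is worth confirming the kvrocks config shipped in the image really listens on 127.0.0.1:10002.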
@@ -0,0 +1,33 @@
+{
+ "version": 1,
+ "disable_existing_loggers": false,
+ "formatters": {
+ "simple": {
+ "format": "%(asctime)s %(name)s %(levelname)s:%(message)s"
+ }
+ },
+ "handlers": {
+ "stdout": {
+ "class": "logging.StreamHandler",
+ "level": "INFO",
+ "formatter": "simple",
+ "stream": "ext://sys.stdout"
+ },
+ "file": {
+ "class": "logging.handlers.RotatingFileHandler",
+ "level": "WARNING",
+ "formatter": "simple",
+ "filename": "logs/warning.log",
+ "mode": "a",
+ "maxBytes": 1000000,
+ "backupCount": 5
+ }
+ },
+ "root": {
+ "level": "DEBUG",
+ "handlers": [
+ "stdout",
+ "file"
+ ]
+ }
+}
diff --git a/docker/modules.cfg b/docker/modules.cfg
new file mode 100644
index 00000000..8b7e0f50
--- /dev/null
+++ b/docker/modules.cfg
@@ -0,0 +1,18 @@
+[feeder:nvd]
+apikey = XXXXX
+level = DEBUG
+
+[feeder:cvelistv5]
+level = DEBUG
+
+[feeder:gsd]
+level = DEBUG
+
+[feeder:github]
+level = DEBUG
+
+[feeder:pysec]
+level = DEBUG
+
+[feeder:cisa_known_exploited]
+level = DEBUG
diff --git a/docker/run.sh b/docker/run.sh
new file mode 100644
index 00000000..254946ed
--- /dev/null
+++ b/docker/run.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+export VULNERABILITYLOOKUP_HOME='/vulnerability-lookup'
+cd vulnerability-lookup && poetry run start
+sleep infinity
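Review bot: `"filename": "logs/warning.log"` is a relative path, so the RotatingFileHandler opens it relative to the process's working directory, which docker/run.sh sets to /vulnerability-lookup; Python's dictConfig opens the file when the config is loaded and raises if that `logs/` directory is missing, and nothing in the Dockerfile creates it. If the checked-out repository does not already ship a `logs/` directory, add `RUN mkdir -p /vulnerability-lookup/logs` to the Dockerfile or make the path absolute, and it would help to note the dependency beside the handler so the next reader does not have to rediscover it. Since `docker logs` already captures the stdout handler, also consider whether a file handler is wanted in the container image at all.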
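Review bot: `apikey = XXXXX` is a placeholder that the Dockerfile's comments instruct users to replace in this very file before building, which puts a real NVD key one `git add` away from being committed and also ships it inside the image; consider keeping this file as a template (e.g. `modules.cfg.sample`) and having the run-time config supplied by a mount or an environment variable, or at minimum open the file with `# Do not put a real key here; mount the real modules.cfg at run time`. All six feeders are set to `level = DEBUG`, which is a lot of log volume for an image meant to run unattended; INFO is the more sensible default for the shipped config, with DEBUG left for local troubleshooting.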
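Review bot: The script has no `set -e`, so if `cd vulnerability-lookup` or `poetry run start` fails the container still reaches `sleep infinity` and looks healthy while nothing is serving; add `set -euo pipefail` after the shebang and use the variable the script just exported, `cd "$VULNERABILITYLOOKUP_HOME"`, instead of a relative path that only works because the Dockerfile never sets a WORKDIR. Using `sleep infinity` as the long-lived process also means docker stop's SIGTERM goes to sleep (or to the `sh -c` wrapper, given the shell-form CMD) rather than to whatever `poetry run start` launched, so those services are killed instead of shut down; whether `start` daemonizes or blocks is not visible here, but if it backgrounds the services, waiting on them or running one of them in the foreground with `exec` would let the container exit when they die. A `HEALTHCHECK` against http://localhost:10001/ in the Dockerfile would surface a dead service as well.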