QA testing - Test new MSU feed adds new hotfixes values #3360

Closed
2 tasks done
Deblintrake09 opened this issue Sep 23, 2022 · 3 comments

@Deblintrake09
Contributor

Deblintrake09 commented Sep 23, 2022

| Target version | Related issue | Related PR |
|---|---|---|
| 4.5.0 | https:/wazuh/wazuh-tools/pull/195 | https:/wazuh/wazuh-tools/tree/14538-collect-all-catalog-hotfixes |

Description

This manual testing aims to verify the proper functioning of the new MSU feed's changes. The PR adds a series of Patches and Supersedence information. This data currently has no related vulnerabilities, so it cannot actually be tested on an OS; this would need to be tested in an automated test, since there is a need to add a custom feed, custom packages and patches in the agent (this will be handled in the test development issue).

Proposed checks

  • Run IT tests to check that Vulnerability Detector test suite works correctly.
  • Check that after the upgrade with dev branch, the MSU has more patch and supersedence rows in the database.

Steps to test

  • Install Wazuh manager
  • Enable VDT with MSU feed enabled
  • Wait for update
  • Get values stored in DB from MSU and MSU_SUPERSEDENCE
  • Generate new feed
  • Point VDT to use new local feed
  • Check values in DB and compare to values from current feed.

Considerations

Since this is an update of the MSU Feed and not of the application, there will be no Fresh/Update tests. The manual testing done will check that the cve.db DB has more content in the MSU_SUPERSEDENCE table, compared with the current feed.

@Deblintrake09
Contributor Author

Deblintrake09 commented Sep 26, 2022

Review data

| Tester | PR commit |
|---|---|
| @Deblintrake09 | ddb1492 |

Testing environment

| OS | OS version | Deployment | Image/AMI | Notes |
|---|---|---|---|---|
| Centos | 8 | LOCAL / Vagrant | qa-ctl/centos_8 | |

Tested packages

wazuh-manager wazuh-agent
4.3.8

Status

Conclusion 🟢

Vulnerability detector works correctly with the new msu feed. New data was detected as expected. The new feed has 120k+ rows in MSU_SUPERSEDENCE, which is the expected behavior.

@Deblintrake09
Contributor Author

Deblintrake09 commented Sep 26, 2022

Task Results

Run IT tests to check that Vulnerability Detector test suite works correctly 🟢
| Tests path | Results | Notes |
|---|---|---|
| test_vulnerability_detector | 🟢🟢🟢 | |

Check that new MSU has more rows in cve.db 🟢
  1. Start manager with default msu feed
  2. Wait for official MSU feed to download
2022/09/26 13:16:19 wazuh-modulesd:vulnerability-detector[4546] wm_vuln_detector.c:4618 at wm_vuldet_check_feed(): INFO: (5430): The update of the 'National Vulnerability Database' feed finished successfully.
2022/09/26 13:16:19 wazuh-modulesd:vulnerability-detector[4546] wm_vuln_detector.c:4595 at wm_vuldet_check_feed(): INFO: (5400): Starting 'Microsoft Security Update' database update.
2022/09/26 13:16:19 wazuh-modulesd:download[4546] wm_download.c:230 at wm_download_dispatch(): DEBUG: Downloading 'https://feed.wazuh.com/vulnerability-detector/windows/msu-updates.meta' to 'tmp/vuln-temp'
2022/09/26 13:16:19 wazuh-modulesd:download[4546] wm_download.c:250 at wm_download_dispatch(): DEBUG: Download of 'https://feed.wazuh.com/vulnerability-detector/windows/msu-updates.meta' finished.
2022/09/26 13:16:19 wazuh-modulesd:vulnerability-detector[4546] wm_vuln_detector.c:6400 at wm_vuldet_check_feed_metadata(): DEBUG: (5406): The feed 'Microsoft Security Update' is in its latest version.
2022/09/26 13:16:19 wazuh-modulesd:vulnerability-detector[4546] wm_vuln_detector.c:4618 at wm_vuldet_check_feed(): INFO: (5430): The update of the 'Microsoft Security Update' feed finished successfully.
2022/09/26 13:16:19 wazuh-modulesd:vulnerability-detector[4546] wm_vuln_detector.c:7817 at wm_vuldet_run_sleep(): DEBUG: Sleeping for 1 seconds...
2022/09/26 13:16:20 wazuh-modulesd:vulnerability-detector[4546] wm_vuln_detector.c:7755 at wm_vuldet_run_scan(): INFO: (5431): Starting vulnerability scan.
  3. Check Vulnerabilities DB values
# sqlite3 /var/ossec/queue/vulnerabilities/cve.db 
SQLite version 3.26.0 2018-12-01 12:34:55

sqlite> select count(*) from msu;
107519


sqlite> select count(*) from MSU_SUPERSEDENCE;
80929
  4. Download wazuh_tools repo and generate new msu feed from dev branch.
~/Downloads/wazuh-tools-14538-collect-all-catalog-hotfixes/utils/vulnerability-detector/msu$ python3 msu-generator.py
.
.
.
https://api.msrc.microsoft.com/cvrf/2021-Nov?api-version=2020
https://api.msrc.microsoft.com/cvrf/2021-Dec?api-version=2020
https://api.msrc.microsoft.com/cvrf/2022-Jan?api-version=2020
https://api.msrc.microsoft.com/cvrf/2022-Feb?api-version=2020
https://api.msrc.microsoft.com/cvrf/2022-Mar?api-version=2020
https://api.msrc.microsoft.com/cvrf/2022-Apr?api-version=2020
https://api.msrc.microsoft.com/cvrf/2022-May?api-version=2020
https://api.msrc.microsoft.com/cvrf/2022-Jun?api-version=2020
  5. Configure VDT to use new feed
    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <path>/vagrant/msu.json</path>
      <update_interval>1h</update_interval>
    </provider>
  6. Restart Manager and check that MSU feed is updated correctly from custom feed 🟢
2022/09/26 13:17:36 wazuh-modulesd:vulnerability-detector[5271] wm_vuln_detector.c:6567 at wm_vuldet_fetch_wazuh_cpe(): DEBUG: (5406): The feed 'Wazuh CPE dictionary' is in its latest version.
2022/09/26 13:17:36 wazuh-modulesd:vulnerability-detector[5271] wm_vuln_detector.c:4620 at wm_vuldet_check_feed(): DEBUG: (5400): Starting 'Wazuh CPE dictionary' database update.
2022/09/26 13:17:36 wazuh-modulesd:vulnerability-detector[5271] wm_vuln_detector.c:4595 at wm_vuldet_check_feed(): INFO: (5400): Starting 'Microsoft Security Update' database update.
2022/09/26 13:17:36 wazuh-modulesd:vulnerability-detector[5271] wm_vuln_detector.c:4488 at wm_vuldet_fetch_feed(): DEBUG: (5484): Cleaning metadata for target 'MSU'
2022/09/26 13:17:36 wazuh-modulesd:vulnerability-detector[5271] wm_vuln_detector.c:4503 at wm_vuldet_fetch_feed(): DEBUG: (5403): Fetching feed from '/vagrant/msu.json'
2022/09/26 13:17:36 wazuh-modulesd:vulnerability-detector[5271] wm_vuln_detector.c:7294 at wm_vuldet_index_json(): DEBUG: (5408): Updating from '/vagrant/msu.json'
2022/09/26 13:17:37 wazuh-modulesd:vulnerability-detector[5271] wm_vuln_detector.c:4279 at wm_vuldet_index_feed(): DEBUG: (5414): Refreshing 'Microsoft Security Update' databases.
2022/09/26 13:17:37 wazuh-modulesd:vulnerability-detector[5271] wm_vuln_detector.c:2971 at wm_vuldet_insert(): DEBUG: (5415): Inserting vulnerabilities.
2022/09/26 13:17:37 wazuh-modulesd:vulnerability-detector[5271] wm_vuln_detector.c:2998 at wm_vuldet_insert(): DEBUG: (5418): Inserting Microsoft Security Update dictionary.
2022/09/26 13:17:41 wazuh-modulesd:vulnerability-detector[5271] wm_vuln_detector.c:4285 at wm_vuldet_index_feed(): DEBUG: (5427): Refresh of 'Microsoft Security Update' database finished.
2022/09/26 13:17:41 wazuh-modulesd:vulnerability-detector[5271] wm_vuln_detector.c:4290 at wm_vuldet_index_feed(): DEBUG: remove(tmp/vuln-temp): No such file or directory
2022/09/26 13:17:41 wazuh-modulesd:vulnerability-detector[5271] wm_vuln_detector.c:4296 at wm_vuldet_index_feed(): DEBUG: remove(tmp/vuln-temp.bz2): No such file or directory
2022/09/26 13:17:41 wazuh-modulesd:vulnerability-detector[5271] wm_vuln_detector.c:4618 at wm_vuldet_check_feed(): INFO: (5430): The update of the 'Microsoft Security Update' feed finished successfully.
  7. Check MSU vulnerabilities information in the DB
# sqlite3 /var/ossec/queue/vulnerabilities/cve.db 
SQLite version 3.26.0 2018-12-01 12:34:55

sqlite> select count(*) from msu;
107519


sqlite> select count(*) from MSU_SUPERSEDENCE;
216458

Conclusion: After using the new feed, the DB shows 120k+ MSU_SUPERSEDENCE rows more than the current feed. This is the expected behavior.
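The count comparison from steps 3 and 7, as an added example that is not part of the original issue or of Wazuh's own tooling: it compares a copy of cve.db taken before the feed swap against the database after it, and goes one step further than `count(*)` by also reporting rows the new feed dropped. The function names, the file paths and the two-column sample tables are assumptions; only the table names MSU and MSU_SUPERSEDENCE come from the issue.

```python
import sqlite3
from pathlib import Path

TABLES = ("MSU", "MSU_SUPERSEDENCE")  # table names as queried in the issue

def read_rows(db_path, table):
    """Read every row of `table`, opening the database read-only."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        return con.execute(f'SELECT * FROM "{table}"').fetchall()
    finally:
        con.close()

def compare_feeds(old_db, new_db, tables=TABLES):
    """Per table: row counts plus rows added and rows dropped by the new feed."""
    report = {}
    for table in tables:
        old, new = read_rows(old_db, table), read_rows(new_db, table)
        report[table] = {
            "before": len(old), "after": len(new),
            "added": len(set(new) - set(old)),
            "dropped": len(set(old) - set(new)),
        }
    return report

def only_grew(report):
    """True when no table lost a row and at least one table gained rows."""
    no_loss = all(r["dropped"] == 0 for r in report.values())
    return no_loss and any(r["added"] > 0 for r in report.values())

def build_sample_db(path, msu, supersedence):
    """Constructed sample data; the two-column layouts are assumptions."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE MSU (CVEID TEXT, PATCH TEXT)")
    con.execute("CREATE TABLE MSU_SUPERSEDENCE (PATCH TEXT, SUPER TEXT)")
    con.executemany("INSERT INTO MSU VALUES (?, ?)", msu)
    con.executemany("INSERT INTO MSU_SUPERSEDENCE VALUES (?, ?)", supersedence)
    con.commit()
    con.close()

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        old, new = f"{d}/old.db", f"{d}/new.db"
        msu = [("CVE-0000-0001", "KB0000001")]  # constructed placeholder values
        build_sample_db(old, msu, [("KB0000001", "KB0000002")])
        build_sample_db(new, msu, [("KB0000001", "KB0000002"), ("KB0000002", "KB0000003")])
        print(compare_feeds(old, new), only_grew(compare_feeds(old, new)))
```

A feed that replaces rows can raise the total while losing supersedence links, which is why the report tracks `dropped` separately from the counts.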

@Deblintrake09 changed the title from "QA testing - Test new MSU hotfixes" to "QA testing - Test new MSU feed adds new hotfixes values" on Sep 26, 2022
@jmv74211 added this to the "Core PRs approval - 4.5.0" milestone on Sep 28, 2022
@jmv74211
Contributor

jmv74211 commented Oct 4, 2022

🟢 Everything seems to be working properly
