CrowdStrike/gofalcon

SpotlightCombinedAPIEndpoint always returns nil Mitigations

Closed this issue · 6 comments

FYI @isimluk it seems that for DomainBaseAPIVulnerabilityV2 the Mitigation is always nil?

	queryResult, err := client.SpotlightVulnerabilities.CombinedQueryVulnerabilities(
		&spotlight_vulnerabilities.CombinedQueryVulnerabilitiesParams{
			Filter: "status:'open'",
		},
	)
	if err != nil {
		return nil, errors.Wrap(err, "could not query vulnerabilities")
	}

	if queryResult == nil {
		return nil, errors.New("QueryVulnerabilities result was nil")
	}

	// every vuln (a DomainBaseAPIVulnerabilityV2, see above) prints Remediation as nil
	for _, vuln := range queryResult.GetPayload().Resources {
		logrus.WithField("rem", fmt.Sprintf("%+v", vuln.Remediation)).Debug("rem")
	}
}

-> nil, nil, nil, nil, ....

There seems to be two distinct remediation fields. One is available per vulnerability (empty). The other one is assigned per application (populated).

I have modified your excerpt below to print the latter field.

	queryResult, err := client.SpotlightVulnerabilities.CombinedQueryVulnerabilities(
		&spotlight_vulnerabilities.CombinedQueryVulnerabilitiesParams{
			Context: context.Background(),
			Filter:  "status:'open'",
		},
	)
	if err != nil {
		panic(err)
	}

	if queryResult == nil {
		panic("QueryVulnerabilities result was nil")
	}

	for _, vuln := range queryResult.GetPayload().Resources {
		if vuln.Apps == nil {
			continue
		}

		for _, app := range vuln.Apps {
			fmt.Printf("%+v\n", app.Remediation)
		}
	}

Hmm @isimluk , is it normal that vuln.HostInfo is nil too?

You are right. This is suspicious.

Interestingly, this issue only affects the combined query.

I will investigate some more; in the meantime please use the Query + Get API tuple instead of the combined query.

@hazcod, oh, I figured this out finally.

The Combined API contains a lightweight description of the vulnerability. If you want more details, use the Facet attribute as shown below:

	queryResult, err := client.SpotlightVulnerabilities.CombinedQueryVulnerabilities(
		&spotlight_vulnerabilities.CombinedQueryVulnerabilitiesParams{
			Context: context.Background(),
			Filter: "aid:'XYZ'",
			Facet: []string{"host_info"},
		},
	)

Supported facets are: cve, remediation, host_info.

Ahh, that makes sense @isimluk!
However, the following returns error="could not query vulnerabilities: [GET /spotlight/combined/vulnerabilities/v1][400] combinedQueryVulnerabilitiesBadRequest &{Errors:[{Code:400 Message:Unknown facet, supported facets: cve, remediation, host_info}] Meta:0x14000225860 Resources:[]}":

	queryResult, err := client.SpotlightVulnerabilities.CombinedQueryVulnerabilities(
		&spotlight_vulnerabilities.CombinedQueryVulnerabilitiesParams{
			Context: ctx,
			Filter:  "status:'open'",
			Limit:   &falconAPIMaxRecords,
			Facet:   []string{"host_info", "cve", "remediation"},
		},
	)

There seems to be an issue in multi-value serialization of the facet parameter.
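An added, stand-alone example (not gofalcon's own code) that shows the facet handling the thread above describes, using only the standard library so it runs without the Falcon client. It does two things: validates facet names client-side against the list the API reported (cve, remediation, host_info), and contrasts the two ways a multi-value `facet` parameter can be serialized. Encoding the facets as repeated `facet=` keys ("multi" collection format) versus one comma-joined value ("csv") is an assumption about the wire format; the page itself only reports that passing several facets produced the "Unknown facet" 400, which is exactly what a server expecting repeated keys would say when handed the single string `host_info,cve,remediation`. The function names and the `FacetsSeenByServer` parser are hypothetical helpers for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// supportedFacets mirrors the list the API reported in this thread:
// "supported facets: cve, remediation, host_info".
var supportedFacets = map[string]bool{
	"cve":         true,
	"remediation": true,
	"host_info":   true,
}

// combinedVulnPath is the endpoint path quoted in the 400 error above.
const combinedVulnPath = "/spotlight/combined/vulnerabilities/v1"

// ValidateFacets rejects unknown facet names before a request is sent, so a
// typo or a mis-joined value fails fast locally instead of as a remote 400.
func ValidateFacets(facets []string) error {
	for _, f := range facets {
		if !supportedFacets[f] {
			return fmt.Errorf("unknown facet %q, supported facets: cve, remediation, host_info", f)
		}
	}
	return nil
}

// BuildCombinedQueryMulti encodes each facet as a repeated "facet" query key
// (facet=host_info&facet=cve&facet=remediation), the "multi" collection
// format. Assumption: this is the encoding the server expects; the thread only
// shows that the combined call failed when several facets were passed.
func BuildCombinedQueryMulti(filter string, facets []string, limit int) (string, error) {
	if err := ValidateFacets(facets); err != nil {
		return "", err
	}
	q := url.Values{}
	q.Set("filter", filter)
	if limit > 0 {
		q.Set("limit", fmt.Sprint(limit))
	}
	for _, f := range facets {
		q.Add("facet", f) // Add, not Set: one key per facet
	}
	return combinedVulnPath + "?" + q.Encode(), nil
}

// BuildCombinedQueryCSV joins the facets with commas into a single "facet"
// value. A server expecting repeated keys sees "host_info,cve,remediation" as
// one facet name, which matches the "Unknown facet" rejection quoted above.
// Constructed illustration of the failure mode, not a recommended call.
func BuildCombinedQueryCSV(filter string, facets []string) string {
	q := url.Values{}
	q.Set("filter", filter)
	q.Set("facet", strings.Join(facets, ","))
	return combinedVulnPath + "?" + q.Encode()
}

// FacetsSeenByServer parses a request URL the way a server that expects
// repeated keys would, returning every facet name it would try to look up.
func FacetsSeenByServer(rawURL string) ([]string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	return u.Query()["facet"], nil
}

func main() {
	facets := []string{"host_info", "cve", "remediation"}
	good, _ := BuildCombinedQueryMulti("status:'open'", facets, 5000)
	bad := BuildCombinedQueryCSV("status:'open'", facets)
	for _, u := range []string{good, bad} {
		seen, _ := FacetsSeenByServer(u)
		fmt.Println(u)
		fmt.Println("  facets as seen by server:", seen, "valid:", ValidateFacets(seen) == nil)
	}
}
```

Running `main` prints both URLs: the multi form yields three separate facet names that all pass `ValidateFacets`, while the csv form yields one bogus name that is rejected locally for the same reason the API rejected it. If a client library serializes an array parameter the csv way, the symptom is precisely the 400 shown in the thread even though every individual facet is valid.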