A co-worker referenced a pretty cool tool released by @SalesForce’s security team called “VulnReport

I wanted to try it out so I checked out their Github report to start the install: https://github.com/salesforce/vulnreport - but there really wasn’t much in the way of documentation on how to get it rolling unless you were deploying it to a Heroku app. I’m not really a fan of putting vulnerability information, especially Red Team findings into the cloud so I decided to deploy it locally. Here are the steps I went through to install it and get it up and running:

Note: I started with a Debian 9.3 ISO that I had on-hand, if you use another repo your mileage may vary.

Install dependancies:

This project uses Ruby, and many of the gems needed for the project require compiling in libraries.

  • apt install -y git ruby ruby-dev ruby-bundler build-essential libssl-dev libpq-dev zlib1g-dev postgresql-server-dev-all authbind

Next we install a Redis and Postgres server. If you already have these on the system or wish to use an established server on another systems you can most definitely do that instead of this step.

  • apt install -y redis-server postgresql

Setup Database

Next we just need to create the database and user we will be using for the database:

root@vulnreportio:~# su - postgres
postgres@vulnreportio:~$ createuser -P vulnreportuser
Enter password for new role: vulnreportpassword (NOT DISPLAYED)
Enter it again: vulnreportpassword (NOT DISPLAYED)
postgres@vulnreportio:~$ createdb -O vulnreportuser vulnreportdb
postgres@vulnreportio:~$ exit
logout
root@vulnreportio:~#

Clone the repo

Toss the repo in /opt/ so that we can run this under another user to better secure it later but just for example we’ll get this running as root.

root@vulnreportio:~# cd /opt/
root@vulnreportio:/opt# git clone https://github.com/salesforce/vulnreport
Cloning into 'vulnreport'...
remote: Enumerating objects: 1191, done.
remote: Total 1191 (delta 0), reused 0 (delta 0), pack-reused 1191
Receiving objects: 100% (1191/1191), 2.93 MiB | 3.92 MiB/s, done.
Resolving deltas: 100% (694/694), done.
root@vulnreportio:/opt# cd vulnreport/
root@vulnreportio:/opt/vulnreport#

Setup Ruby

At the current version the Ruby version is fixed to 2.1.2 but works just fine with later versions so you can remove the fixed Ruby version in the Gemfile:

root@vulnreportio:/opt/vulnreport# bundle install
Don't run Bundler as root. Bundler can ask for sudo if it is needed, and installing your bundle as root will break this application for all non-root users on this machine.
Your Ruby version is 2.3.3, but your Gemfile specified 2.1.2

Just comment out the line and things should work:

root@vulnreportio:/opt/vulnreport# bundle install
Don't run Bundler as root. Bundler can ask for sudo if it is needed, and installing your bundle as root will break this application for all non-root users on this
machine.
Fetching gem metadata from https://rubygems.org/..............
Fetching version metadata from https://rubygems.org/...
Fetching dependency metadata from https://rubygems.org/..
Installing i18n 0.7.0
Using json 1.8.3
Installing minitest 5.8.4
Installing thread_safe 0.3.5
Installing addressable 2.4.0
Installing builder 3.2.2
Installing mini_portile2 2.0.0
Installing bcrypt 3.1.11 with native extensions
Installing chronic 0.10.2
Installing daemons 1.2.3
Installing fastercsv 1.5.5
Installing json_pure 1.8.3
Installing multi_json 1.11.3
Installing stringex 1.5.1
Installing uuidtools 2.1.5
Installing dotenv 2.1.1
Installing eventmachine 1.0.7 with native extensions
Installing multi_xml 0.5.5
Installing rack 1.6.4
Installing systemu 2.6.5
Installing mime-types-data 3.2016.0221
Installing multipart-post 2.0.0
Installing nori 2.6.0
Installing oauth 0.5.1
Installing pdfkit 0.8.2
Installing pg 0.18.4 with native extensions
Installing redis 3.3.0
Installing rubyzip 1.2.0
Installing rufus-scheduler 3.2.0
Installing tilt 2.0.2
Installing wkhtmltopdf-heroku 2.12.3.0
Installing xml-simple 1.1.5
Installing yard 0.8.7.6
Installing yard-dm 0.1.1
Using bundler 1.13.6
Installing tzinfo 1.2.2
Installing dm-core 1.2.1
Installing data_objects 0.10.17
Installing gyoku 1.3.1
Installing nokogiri 1.6.7.2 with native extensions
Installing bcrypt-ruby 3.1.5
Installing rollbar 2.10.0
Installing httparty 0.13.7
Installing httpi 2.4.1
Installing rack-protection 1.5.3
Installing rack-ssl 1.4.1
Installing rack_csrf 2.5.0
Installing thin 1.6.4 with native extensions
Installing macaddr 1.7.1
Installing mime-types 3.0
Installing rforce 0.13
Installing yard-sinatra 1.0.0
Installing activesupport 4.2.6
Installing dm-aggregates 1.2.0
Installing dm-constraints 1.2.0
Installing dm-migrations 1.2.0
Installing dm-serializer 1.2.2
Installing dm-timestamps 1.2.0
Installing dm-transactions 1.2.0
Installing dm-validations 1.2.0
Installing dm-do-adapter 1.2.0
Installing do_postgres 0.10.17 with native extensions
Installing akami 1.3.1
Installing dm-types 1.2.2
Installing wasabi 3.5.0
Installing sinatra 1.4.7
Installing uuid 2.3.8
Installing mail 2.6.4
Installing dm-postgres-adapter 1.2.0
Installing data_mapper 1.2.0
Installing savon 2.11.1
Installing ruby-saml 1.0.0
Installing pony 1.11
Bundle complete! 29 Gemfile dependencies, 73 gems now installed.
Use `bundle show [gemname]` to see where a bundled gem is installed.
Post-install message from bcrypt-ruby:

#######################################################

The bcrypt-ruby gem has changed its name to just bcrypt.  Instead of
installing `bcrypt-ruby`, you should install `bcrypt`.  Please update your
dependencies accordingly.

#######################################################

Post-install message from httparty:
When you HTTParty, you must party hard!

Configure VulnReport

  • Create a .env file that looks like this:

    export RACK_ENV=production
    export VR_SESSION_SECRET=ADD_RANDOM_STRING_HERE
    export DATABASE_URL=postgres://vulnreportuser:vulnreportpassword@localhost:5432/vulnreportdb
    export REDIS_URL=redis://localhost:6379/
    export ROLLBAR_ACCESS_TOKEN=ROLLBARTOKEN
    

Next we want to replace the VR_SESSION_SECRET with a strong relatively random string. I used a sha256 hash of a OpenSSL random string. It’s definitely not perfect random but it’s in the good-enough realm that it would be very hard for someone to brute force it.

sed -i "s/ADD_RANDOM_STRING_HERE/$(openssl rand -base64 32 | sha256sum | cut -d ' ' -f 1 )/" .env

After we are done we’ll have something like this:

root@vulnreportio:/opt/vulnreport# cat .env
export RACK_ENV=production
export VR_SESSION_SECRET=0e40e9367e35bc7f6f6a0e1966a8c108c87b7f6a60e96c119779ae3b1dc08352
export DATABASE_URL=postgres://vulnreportuser:vulnreportpassword@localhost:5432/vulnreportdb
export REDIS_URL=redis://localhost:6379/
export ROLLBAR_ACCESS_TOKEN=ROLLBARTOKEN

Create a self-signed cert

VulnReport looks for it’s SSL certificate in the same directory as it’s started in and called server.key so we create a self-signed certifcate in the same directory as the git repo:

root@vulnreportio:/opt/vulnreport# openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt

Generating a RSA private key
........+++++
.......................................................+++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

root@vulnreportio:/opt/vulnreport# ls -alh server.*
-rw-r--r-- 1 root root 1.3K Feb 28 19:56 server.crt
-rw------- 1 root root 1.7K Feb 28 19:56 server.key

Of course feel free to put in any information you wish in the certificate, I just went with the defaults to make it easy.

Start VulnReport

First we need to SEED the database with information and tables using the SEED.rb file:

root@vulnreportio:/opt/vulnreport# ruby SEED.rb


Vulnreport 3.0.3 seed script
WARNING: This script should be run ONCE immediately after deploying and then DELETED

Setting up Vulnreport now...

Setting up the PostgreSQL database...
        Done

Seeding the database...
        Done

User ID 1 created for you


ALL DONE! :)
Login to Vulnreport now and go through the rest of the settings!

Then we can start up the application:

root@vulnreportio:/opt/vulnreport# ./start.sh
Using rack adapter
[28/Feb/2019 19:59:02] WARNING: RUNNING IN DEVELOPMENT ENVIRONMENT
[28/Feb/2019 19:59:02] Dev environment: CRON JOBS SCHEDULER NOT ENABLED
[28/Feb/2019 19:59:02] VRCron Registered: Monthly Allocation Notification
[28/Feb/2019 19:59:02]  Type: cron, Schedule: 0 7 1 * *
[28/Feb/2019 19:59:02]  Cron registered as not enabled, did not schedule
[28/Feb/2019 19:59:02] VRCron Registered: Monthly Allocation Preset
[28/Feb/2019 19:59:02]  Type: cron, Schedule: 0 0 1 * *
[28/Feb/2019 19:59:02]  Cron registered as not enabled, did not schedule
Thin web server (v1.6.4 codename Gob Bluth)
Maximum connections set to 1024
Listening on 0.0.0.0:443, CTRL+C to stop

Once it’s started, we can log in with the default user admin and the default password admin which is quite hilariously ironic for a vulnerability reporting platform. I think the SEED file should be updated to add a vulnerability report example including the default password for it’s own service.

There are quite a few bugs that I’ve run into that result in a ‘NulClass’. I think this is the result of lacking enough SEED data. But once you create a user, vuln, or whatever, you’ll get this error but the creat will go through and you only really see this error once per action type.

Side note: I submitted this install guide as a short version to the repository itself because of the lacking installation steps here: https://github.com/salesforce/vulnreport/pull/30 but they require you to sign a document before they will accept pull requests: https://cla.salesforce.com/sign-cla. I don’t really have time to look over that document nor do I want to spend the time to get a lawyer to do so, so I will leave it at making a blog post about how to install it and hope that is enough to help others get this installed.