I wanted to try it out, so I checked out their GitHub repo to start the install: https://github.com/salesforce/vulnreport, but there really wasn't much in the way of documentation on how to get it rolling unless you were deploying it to a Heroku app. I'm not really a fan of putting vulnerability information, especially Red Team findings, into the cloud, so I decided to deploy it locally. Here are the steps I went through to install it and get it up and running:
Note: I started with a Debian 9.3 ISO that I had on hand; if you use another distribution or release, your mileage may vary.
This project uses Ruby, and many of the gems it needs build native extensions, so we need the compiler, headers and libraries for that:
apt install -y git ruby ruby-dev ruby-bundler build-essential libssl-dev libpq-dev zlib1g-dev postgresql-server-dev-all authbind
Next we install Redis and PostgreSQL servers. If you already have these on the system, or wish to use an established server on another system, you can most definitely do that instead of this step.
apt install -y redis-server postgresql
Next we just need to create the database and the user we will be using for it:
root@vulnreportio:~# su - postgres
postgres@vulnreportio:~$ createuser -P vulnreportuser
Enter password for new role: vulnreportpassword (NOT DISPLAYED)
Enter it again: vulnreportpassword (NOT DISPLAYED)
postgres@vulnreportio:~$ createdb -O vulnreportuser vulnreportdb
postgres@vulnreportio:~$ exit
logout
root@vulnreportio:~#
Clone the repo
Toss the repo in /opt/ so that we can run it under a dedicated user to better secure it later; for this example we'll get it running as root (the prompts below show it):
root@vulnreportio:~# cd /opt/
root@vulnreportio:/opt# git clone https://github.com/salesforce/vulnreport
Cloning into 'vulnreport'...
remote: Enumerating objects: 1191, done.
remote: Total 1191 (delta 0), reused 0 (delta 0), pack-reused 1191
Receiving objects: 100% (1191/1191), 2.93 MiB | 3.92 MiB/s, done.
Resolving deltas: 100% (694/694), done.
root@vulnreportio:/opt# cd vulnreport/
root@vulnreportio:/opt/vulnreport#
At the current version the Ruby version is pinned to 2.1.2 in the Gemfile, but the app works just fine with later versions, so you can remove the pin. With it in place, bundle install refuses to run:
root@vulnreportio:/opt/vulnreport# bundle install
Don't run Bundler as root. Bundler can ask for sudo if it is needed, and installing your bundle as root will break this application for all non-root users on this machine.
Your Ruby version is 2.3.3, but your Gemfile specified 2.1.2
Just comment out the ruby line in the Gemfile and things should work (the warning about running Bundler as root is expected, since this whole example is done as root):
root@vulnreportio:/opt/vulnreport# bundle install
Don't run Bundler as root. Bundler can ask for sudo if it is needed, and installing your bundle as root will break this application for all non-root users on this machine.
Fetching gem metadata from https://rubygems.org/..............
Fetching version metadata from https://rubygems.org/...
Fetching dependency metadata from https://rubygems.org/..
Installing i18n 0.7.0
Using json 1.8.3
Installing minitest 5.8.4
Installing thread_safe 0.3.5
Installing addressable 2.4.0
Installing builder 3.2.2
Installing mini_portile2 2.0.0
Installing bcrypt 3.1.11 with native extensions
Installing chronic 0.10.2
Installing daemons 1.2.3
Installing fastercsv 1.5.5
Installing json_pure 1.8.3
Installing multi_json 1.11.3
Installing stringex 1.5.1
Installing uuidtools 2.1.5
Installing dotenv 2.1.1
Installing eventmachine 1.0.7 with native extensions
Installing multi_xml 0.5.5
Installing rack 1.6.4
Installing systemu 2.6.5
Installing mime-types-data 3.2016.0221
Installing multipart-post 2.0.0
Installing nori 2.6.0
Installing oauth 0.5.1
Installing pdfkit 0.8.2
Installing pg 0.18.4 with native extensions
Installing redis 3.3.0
Installing rubyzip 1.2.0
Installing rufus-scheduler 3.2.0
Installing tilt 2.0.2
Installing wkhtmltopdf-heroku 18.104.22.168
Installing xml-simple 1.1.5
Installing yard 0.8.7.6
Installing yard-dm 0.1.1
Using bundler 1.13.6
Installing tzinfo 1.2.2
Installing dm-core 1.2.1
Installing data_objects 0.10.17
Installing gyoku 1.3.1
Installing nokogiri 22.214.171.124 with native extensions
Installing bcrypt-ruby 3.1.5
Installing rollbar 2.10.0
Installing httparty 0.13.7
Installing httpi 2.4.1
Installing rack-protection 1.5.3
Installing rack-ssl 1.4.1
Installing rack_csrf 2.5.0
Installing thin 1.6.4 with native extensions
Installing macaddr 1.7.1
Installing mime-types 3.0
Installing rforce 0.13
Installing yard-sinatra 1.0.0
Installing activesupport 4.2.6
Installing dm-aggregates 1.2.0
Installing dm-constraints 1.2.0
Installing dm-migrations 1.2.0
Installing dm-serializer 1.2.2
Installing dm-timestamps 1.2.0
Installing dm-transactions 1.2.0
Installing dm-validations 1.2.0
Installing dm-do-adapter 1.2.0
Installing do_postgres 0.10.17 with native extensions
Installing akami 1.3.1
Installing dm-types 1.2.2
Installing wasabi 3.5.0
Installing sinatra 1.4.7
Installing uuid 2.3.8
Installing mail 2.6.4
Installing dm-postgres-adapter 1.2.0
Installing data_mapper 1.2.0
Installing savon 2.11.1
Installing ruby-saml 1.0.0
Installing pony 1.11
Bundle complete! 29 Gemfile dependencies, 73 gems now installed.
Use `bundle show [gemname]` to see where a bundled gem is installed.
Post-install message from bcrypt-ruby:
#######################################################
The bcrypt-ruby gem has changed its name to just bcrypt. Instead of installing `bcrypt-ruby`, you should install `bcrypt`. Please update your dependencies accordingly.
#######################################################
Post-install message from httparty:
When you HTTParty, you must party hard!
Create a .env file in the repo directory that looks like this:
export RACK_ENV=production
export VR_SESSION_SECRET=ADD_RANDOM_STRING_HERE
export DATABASE_URL=postgres://vulnreportuser:vulnreportpassword@localhost:5432/vulnreportdb
export REDIS_URL=redis://localhost:6379/
export ROLLBAR_ACCESS_TOKEN=ROLLBARTOKEN
Next we want to replace ADD_RANDOM_STRING_HERE in VR_SESSION_SECRET with a strong random string. I used the SHA-256 hash of an OpenSSL random string. Note that the hash step neither adds nor removes entropy: the 32 bytes from openssl rand are already 256 bits of randomness, so openssl rand -hex 32 on its own gives an equivalent 64-character hex secret. Either way it is far beyond anything that could be brute-forced. Since .env also carries the PostgreSQL password in DATABASE_URL, keep the file readable only by the account that starts the app (chmod 600 .env).
sed -i "s/ADD_RANDOM_STRING_HERE/$(openssl rand -base64 32 | sha256sum | cut -d ' ' -f 1 )/" .env
After we are done we'll have something like this:
root@vulnreportio:/opt/vulnreport# cat .env
export RACK_ENV=production
export VR_SESSION_SECRET=0e40e9367e35bc7f6f6a0e1966a8c108c87b7f6a60e96c119779ae3b1dc08352
export DATABASE_URL=postgres://vulnreportuser:vulnreportpassword@localhost:5432/vulnreportdb
export REDIS_URL=redis://localhost:6379/
export ROLLBAR_ACCESS_TOKEN=ROLLBARTOKEN
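The same .env step as a small POSIX shell script. This is an added example written for this post, not code from the VulnReport repository: it takes the secret straight from openssl rand -hex 32 (falling back to /dev/urandom if openssl is missing), creates the file owner-only because DATABASE_URL embeds the Postgres password, and then checks the result so the app cannot be started with the placeholder still in place. The credentials, host and Redis URL are the ones used above; the function names (gen_session_secret, write_env, check_env) are this example's own.

```shell
#!/bin/sh
# Added example, not part of VulnReport. Builds a .env like the one shown
# above with a properly random VR_SESSION_SECRET and mode 0600.
# Assumes: openssl on PATH (otherwise /dev/urandom is used), and that the DB
# password contains no URL-reserved characters (@ : / ? #); if it does, it
# must be percent-encoded before it goes into DATABASE_URL.

# 32 random bytes as 64 hex characters: 256 bits of entropy already, so a
# sha256sum pass on top (as in the sed one-liner) is not needed.
gen_session_secret() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
        echo
    fi
}

# write_env FILE DBUSER DBPASS DBNAME [DBHOST] [REDIS_URL]
# The redirect that creates FILE runs under umask 077, so the file is 0600
# from the moment it exists rather than chmod'ed afterwards.
write_env() {
    file=$1; dbuser=$2; dbpass=$3; dbname=$4
    dbhost=${5:-localhost}; redis=${6:-redis://localhost:6379/}
    secret=$(gen_session_secret)
    old_umask=$(umask)
    umask 077
    rm -f "$file"
    cat > "$file" <<EOF
export RACK_ENV=production
export VR_SESSION_SECRET=$secret
export DATABASE_URL=postgres://$dbuser:$dbpass@$dbhost:5432/$dbname
export REDIS_URL=$redis
export ROLLBAR_ACCESS_TOKEN=ROLLBARTOKEN
EOF
    umask "$old_umask"
}

# check_env FILE: 0 only if FILE is owner read/write only, the placeholder is
# gone, and the secret is at least 64 hex characters.
check_env() {
    file=$1
    mode=$(ls -l "$file" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "$file: mode is $mode, expected -rw-------" >&2; return 1; }
    secret=$(sed -n 's/^export VR_SESSION_SECRET=//p' "$file")
    case $secret in
        ''|ADD_RANDOM_STRING_HERE) echo "$file: VR_SESSION_SECRET not set" >&2; return 1 ;;
    esac
    printf '%s' "$secret" | grep -Eq '^[0-9a-f]{64,}$' \
        || { echo "$file: VR_SESSION_SECRET is not 64+ hex chars" >&2; return 1; }
    return 0
}

# Usage: sh make-env.sh /opt/vulnreport/.env vulnreportuser vulnreportpassword vulnreportdb
if [ "$#" -ge 4 ]; then
    write_env "$@" && check_env "$1"
fi
```

Run it once from the repo directory, then cat the file as above; check_env fails loudly if the file is group- or world-readable, which is the usual slip when .env is created with the default umask.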
Create a self-signed cert
VulnReport looks for its TLS certificate and key in the directory it is started from, named server.crt and server.key, so we create a self-signed certificate in the git repo directory:
root@vulnreportio:/opt/vulnreport# openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt
Generating a RSA private key
........+++++
.......................................................+++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
root@vulnreportio:/opt/vulnreport# ls -alh server.*
-rw-r--r-- 1 root root 1.3K Feb 28 19:56 server.crt
-rw------- 1 root root 1.7K Feb 28 19:56 server.key
Of course, feel free to put any information you wish in the certificate; I just went with the defaults to keep it easy. If you later want a browser to accept the certificate without a warning (after importing it), the Common Name and a subjectAltName need to match the hostname you use to reach the server; with the defaults both are empty. Note that openssl already created server.key with mode 600, which is how it should stay.
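For a non-interactive version of the certificate step, here is an added example (written for this post, not VulnReport's own code) that sets a real Common Name and a matching subjectAltName in one command, keeps the key owner-only from creation, and adds the two checks worth running before starting the app: that the SAN is actually in the certificate and that server.crt belongs to server.key (a stale .crt next to a regenerated .key is a classic way to get a confusing TLS startup failure). It assumes OpenSSL 1.1.1 or newer for -addext; the hostname vulnreport.example.internal and the function names are placeholders of this example.

```shell
#!/bin/sh
# Added example, not part of VulnReport. Generates the server.key/server.crt
# pair the app expects in its start directory, with CN and SAN set, and
# verifies the result. Assumes: openssl >= 1.1.1 (for -addext).

# make_selfsigned DIR HOSTNAME [DAYS]
# Writes DIR/server.key (0600) and DIR/server.crt (0644).
make_selfsigned() {
    dir=$1; host=$2; days=${3:-365}
    mkdir -p "$dir"
    old_umask=$(umask)
    umask 077                      # key is never world-readable, not even briefly
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null \
        || { umask "$old_umask"; return 1; }
    umask "$old_umask"
    chmod 644 "$dir/server.crt"    # the certificate itself is public
    return 0
}

# cert_san CERT: prints the subjectAltName entries. Browsers match the SAN,
# not the CN, so an empty result here means a hostname mismatch later.
cert_san() {
    openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}'
}

# cert_matches_key CERT KEY: 0 if the public key inside CERT equals the
# public half of KEY. Compares the PEM public keys, so it works for any key type.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$c" = "$k" ]
}

# Usage: sh make-cert.sh /opt/vulnreport vulnreport.example.internal
if [ "$#" -ge 2 ]; then
    make_selfsigned "$1" "$2" "${3:-365}" \
        && cert_san "$1/server.crt" \
        && cert_matches_key "$1/server.crt" "$1/server.key" \
        && echo "server.crt and server.key in $1 are consistent"
fi
```

Run it from /opt/vulnreport with the hostname you will actually browse to; cert_matches_key is also a cheap thing to run after any later re-keying, before restarting the service.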
Before starting the app we need to seed the database with its tables and initial data using the SEED.rb script. As the script's own warning says, run it exactly once and delete it afterwards:
root@vulnreportio:/opt/vulnreport# ruby SEED.rb
Vulnreport 3.0.3 seed script
WARNING: This script should be run ONCE immediately after deploying and then DELETED
Setting up Vulnreport now...
Setting up the PostgreSQL database... Done
Seeding the database... Done
User ID 1 created for you
ALL DONE! :)
Login to Vulnreport now and go through the rest of the settings!
Then we can start up the application:
root@vulnreportio:/opt/vulnreport# ./start.sh
Using rack adapter
[28/Feb/2019 19:59:02] WARNING: RUNNING IN DEVELOPMENT ENVIRONMENT
[28/Feb/2019 19:59:02] Dev environment: CRON JOBS SCHEDULER NOT ENABLED
[28/Feb/2019 19:59:02] VRCron Registered: Monthly Allocation Notification
[28/Feb/2019 19:59:02] Type: cron, Schedule: 0 7 1 * *
[28/Feb/2019 19:59:02] Cron registered as not enabled, did not schedule
[28/Feb/2019 19:59:02] VRCron Registered: Monthly Allocation Preset
[28/Feb/2019 19:59:02] Type: cron, Schedule: 0 0 1 * *
[28/Feb/2019 19:59:02] Cron registered as not enabled, did not schedule
Thin web server (v1.6.4 codename Gob Bluth)
Maximum connections set to 1024
Listening on 0.0.0.0:443, CTRL+C to stop
Two things in that banner are worth noticing. First, it reports RUNNING IN DEVELOPMENT ENVIRONMENT with the cron scheduler disabled even though .env sets RACK_ENV=production; if you see the same, confirm that the variables from .env are really exported in the shell that runs start.sh (for example with set -a; . ./.env; set +a beforehand) before relying on any production-only behaviour. Second, Thin is listening on 0.0.0.0:443, i.e. on every interface, and in this example as root. Until the service is moved under a dedicated user (authbind, installed in the first step, is what lets a non-root user bind port 443), restrict who can reach the port with a host firewall.
Once it's started, we can log in with the default user admin and the default password admin, which is quite hilariously ironic for a vulnerability reporting platform. Change that password on first login, before anyone else can reach the service. I think the SEED file should be updated to add a vulnerability report example including the default password for its own service.
There are quite a few bugs that I've run into that result in a 'NilClass' error. I think this is the result of not having enough SEED data. Once you create a user, vuln, or whatever, you'll get this error, but the create will go through, and you only really see this error once per action type.
Side note: I submitted a short version of this install guide to the repository itself because of the lacking installation steps there: https://github.com/salesforce/vulnreport/pull/30, but they require you to sign a document before they will accept pull requests: https://cla.salesforce.com/sign-cla. I don't really have time to look over that document, nor do I want to spend the time to get a lawyer to do so, so I will leave it at making a blog post about how to install it and hope that is enough to help others get this installed.