Hello,
I'm new to the splunk universe, and I need to create a dashboard listing the CVEs (security holes) of a Docker image.
I think my need is feasible via splunk, but I don't know how to proceed. I'll try to go into as much detail as I can.
First of all, I get all this information from scanning an image in Splunk (example: debian)
I would like to process this information to get a dashboard similar to this one:
https://anchore.io/image/dockerhub/2b98c9851a37e18356abe407922726dc35c370f7cee76f435f94ee92950b4493?...
First, I would like to list all CVEs line by line as on the website above. But when I try to do that, I get this result:
I have a column for each field with its number, and all this information is on one line. I would like all vulnerabilities_*_vuln fields to be "merged" into a single CVE field, in order to have the same result as on the anchore.io site above.
Is it possible via splunk to get this result?
Thank you in advance,
Sincerely.
Try like this
index="poc_anchor" "imagetag=docker.io/debian:latest"
| fields index vulnerabilities_*
| untable index attribute value
| rex field=attribute "vulnerability_(?<VulnID>\d+)_(?<name>\w+)"
| chart values(value) over VulnID over name
| table vuln severity package fix url
| rename vuln as "CVE ID" severity as "Severity" package as "Vulnerable Package" fix as "Fix Available" url as "URL"
Thanks for the answer, I think it's very close to what I want, though it doesn't return anything. I don't understand the untable line. Once I ran the untable line, I couldn't get anything back from it. Do you know what the problem might be?
It's working!
I hadn't seen it but it was just missing "ies" at the end of vulnerabilities here:
rex field=attribute "vulnerabilities_(?<VulnID>\d+)_(?<name>\w+)"
That's exactly what I wanted, thanks again!
See you later
What fields do you get when you run the query below?
index="poc_anchor" "imagetag=docker.io/debian:latest"
| table index vulnerabilities_*
After adding `| untable index attribute value` to the above, you should get a table with 3 columns: index, attribute, value
Hi,
thanks for your quick answers!
I'm going to clarify what I want to reproduce: I want to get this table with the same columns, based on the fields vulnerabilities_x_fix, vulnerabilities_x_vuln, etc. I want to list every _vuln vulnerability on its own line, and the same with _fix, etc.
I think somesoni2's answer is very close to what I want. But I get an error: `Error in 'chart' command: Invalid argument: 'over'.` If I replace the second over with "by" I have no more error, but no result is displayed.
I also tried the JDukeSplunk solution, I get a table, but with only one line.
Do you have any other ideas? Thank you again.
Sincerely.
Okay, so you need to extract the vulnerabilities_*_vuln fields into one field, and then expand it.
can you share one sample event?
You might want to eval, coalesce. I don't know if this will work. Just spitballing here. You'll have to fill in the additional fields in the eval statements if this works.
index="poc_anchor" "imagetag=docker.io/debian:latest"
| eval "vulnerabilities"=coalesce(vulnerabilities_0_vuln,vulnerabilities_10_vuln,vulnerabilities_11_vuln)
| eval "severity"=coalesce(vulnerabilities_0_severity,vulnerabilities_10_severity,vulnerabilities_11_severity)
| stats list(vulnerabilities) as vulnerabilities by severity
Another option would be to create a more generic field extraction with a single name that captures all the CVE-\d+-\d+-\d+- patterns.
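To make the two approaches in this thread concrete, here is an added Python example (not posted by anyone in the thread, and not Splunk's own code) that reproduces what the `untable` / `rex` / `chart ... over VulnID by name` pipeline in somesoni2's answer does to a single scan event, and then derives the `stats list(vulnerabilities) by severity` grouping from JDukeSplunk's answer from the same pivot instead of listing every `vulnerabilities_N_` index in `coalesce()`. The event, CVE ids, package names and URLs are constructed placeholders, not real scan output.

```python
import re
from collections import defaultdict

# Constructed sample event: one Splunk event holding an image scan with the
# flattened vulnerabilities_<N>_<field> keys described in the thread. The CVE
# ids, packages and URLs are placeholders, not real scan results.
SAMPLE_EVENT = {
    "index": "poc_anchor",
    "imagetag": "docker.io/debian:latest",
    "vulnerabilities_0_vuln": "CVE-0000-0001",
    "vulnerabilities_0_severity": "High",
    "vulnerabilities_0_package": "libexample-1.0",
    "vulnerabilities_0_fix": "1.1",
    "vulnerabilities_0_url": "https://example.invalid/CVE-0000-0001",
    "vulnerabilities_1_vuln": "CVE-0000-0002",
    "vulnerabilities_1_severity": "Low",
    "vulnerabilities_1_package": "libother-2.3",
    "vulnerabilities_1_fix": "None",
    "vulnerabilities_1_url": "https://example.invalid/CVE-0000-0002",
    "vulnerabilities_10_vuln": "CVE-0000-0003",
    "vulnerabilities_10_severity": "High",
    "vulnerabilities_10_package": "libthird-0.9",
    "vulnerabilities_10_fix": "None",
    "vulnerabilities_10_url": "https://example.invalid/CVE-0000-0003",
}

# Same pattern as the corrected rex in the thread ("vulnerabilities", not
# "vulnerability"): the numeric index, then the per-vulnerability field name.
ATTR_RE = re.compile(r"^vulnerabilities_(?P<VulnID>\d+)_(?P<name>\w+)$")

# Column order and display names from the `table` / `rename` steps.
COLUMNS = ["vuln", "severity", "package", "fix", "url"]
RENAMES = {
    "vuln": "CVE ID",
    "severity": "Severity",
    "package": "Vulnerable Package",
    "fix": "Fix Available",
    "url": "URL",
}


def untable(event):
    """Mimic `| fields index vulnerabilities_* | untable index attribute value`:
    turn the one wide event into (index, attribute, value) rows."""
    return [
        (event["index"], key, value)
        for key, value in event.items()
        if key.startswith("vulnerabilities_")
    ]


def pivot_vulns(rows):
    """Mimic `| rex field=attribute ... | chart values(value) over VulnID by name`:
    one row per VulnID, with the _vuln/_severity/_package/... values as columns."""
    table = defaultdict(dict)
    for _index, attribute, value in rows:
        match = ATTR_RE.match(attribute)
        if not match:
            continue  # attribute names that don't fit the pattern get no VulnID and are dropped
        table[int(match["VulnID"])][match["name"]] = value
    return [dict(VulnID=vuln_id, **table[vuln_id]) for vuln_id in sorted(table)]


def cve_table(event):
    """Mimic the final `| table ... | rename ...`: the dashboard-ready rows."""
    return [
        {RENAMES[col]: row.get(col) for col in COLUMNS}
        for row in pivot_vulns(untable(event))
    ]


def vulns_by_severity(event):
    """Mimic `| stats list(vulnerabilities) as vulnerabilities by severity`,
    but driven by the generic pivot rather than a hand-written coalesce()."""
    grouped = defaultdict(list)
    for row in pivot_vulns(untable(event)):
        grouped[row.get("severity")].append(row.get("vuln"))
    return dict(grouped)


if __name__ == "__main__":
    for row in cve_table(SAMPLE_EVENT):
        print(row)
    print(vulns_by_severity(SAMPLE_EVENT))
```

The point of the `untable` step is visible in `untable()`: it is the only thing that turns the field *names* into data, which is what lets the regex pull the index and the sub-field out and the chart rebuild one row per vulnerability. With `coalesce()` you would instead have to enumerate every `vulnerabilities_N_` index by hand.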