merged

.github/FUNDING.yml

@@ -0,0 +1,13 @@
+# These are supported funding model platforms
+
+github: immauss
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
+custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']

Dockerfile

@@ -1,10 +1,13 @@
+# Environment variables for all
+
 # Stage 0: 
 # Start with ovasbase with running dependancies installed.
-FROM immauss/ovasbase:latest
+FROM immauss/ovasbase:latest AS builder
 
 # Ensure apt doesn't ask any questions 
 ENV DEBIAN_FRONTEND=noninteractive
 ENV LANG=C.UTF-8
+ENV VER="22.4.17-beta"
 
 # Build/install gvm (by default, everything installs in /usr/local)
 RUN mkdir /build.d
@@ -32,19 +35,21 @@ COPY build.d/notus-scanner.sh /build.d/
 RUN bash /build.d/notus-scanner.sh
 COPY build.d/pg-gvm.sh /build.d/
 RUN bash /build.d/pg-gvm.sh
+COPY build.d/gb-feed-sync.sh /build.d/
+RUN bash /build.d/gb-feed-sync.sh
 COPY build.d/links.sh /build.d/
 RUN bash /build.d/links.sh
 RUN mkdir /branding
 COPY branding/* /branding/
 RUN bash /branding/branding.sh
 # Stage 1: Start again with the ovasbase. Dependancies already installed
-FROM immauss/ovasbase:latest
+# This target is for the image with no database
+# Makes rebuilds for data refresh and scripting changes faster. 
+FROM immauss/ovasbase:latest AS slim
 LABEL maintainer="[email protected]" \
-      version="22.4.03" \
+      version="$VER-slim" \
       url="https://hub.docker.com/r/immauss/openvas" \
-      source="https://github.com/immauss/openvas"
-
-
+      source="https://github.com/immauss/openvas"     
 #EXPOSE 9392
 ENV LANG=C.UTF-8
 # Copy the install from stage 0
@@ -65,14 +70,26 @@ RUN bash /links.sh
 COPY build.d/gpg-keys.sh /
 RUN bash /gpg-keys.sh
 # Split these off in a new layer makes refresh builds faster.
-COPY update.ts /
 COPY build.rc /gvm-versions
+
+COPY scripts/* /scripts/
+# Healthcheck needs be an on image script that will know what service is running and check it. 
+# Current image function stored in /usr/local/etc/running-as
+HEALTHCHECK --interval=60s --start-period=300s --timeout=10s \
+  CMD /scripts/healthcheck.sh || exit 1
+ENTRYPOINT [ "/scripts/start.sh" ]
+
+FROM slim AS final
+LABEL maintainer="[email protected]" \
+      version="$VER-full" \
+      url="https://hub.docker.com/r/immauss/openvas" \
+      source="https://github.com/immauss/openvas"
+# Pull and then Make sure we didn't just pull zero length files 
 RUN curl -L --url https://www.immauss.com/openvas/latest.base.sql.xz -o /usr/lib/base.sql.xz && \
-    curl -L --url https://www.immauss.com/openvas/latest.var-lib.tar.xz -o /usr/lib/var-lib.tar.xz
-# Make sure we didn't just pull zero length files 
-RUN bash -c " if [ $(ls -l /usr/lib/base.sql.xz | awk '{print $5}') -lt 1200 ]; then exit 1; fi " && \
+    curl -L --url https://www.immauss.com/openvas/latest.var-lib.tar.xz -o /usr/lib/var-lib.tar.xz && \
+    bash -c " if [ $(ls -l /usr/lib/base.sql.xz | awk '{print $5}') -lt 1200 ]; then exit 1; fi " && \
     bash -c " if [ $(ls -l /usr/lib/var-lib.tar.xz | awk '{print $5}') -lt 1200 ]; then exit 1; fi "
-#RUN mkdir /scripts
+
 # packages to add to ovasbase
 #RUN apt-get update && apt-get -y install libpaho-mqtt-dev python3-paho-mqtt gir1.2-json-1.0 libjson-glib-1.0-0 libjson-glib-1.0-common
 COPY scripts/* /scripts/

Readme.md

@@ -10,21 +10,115 @@
 ### Brought to you by ###
 [![Immauss Cybersecurity](https://github.com/immauss/openvas/raw/master/images/ics-hz.png)](https://immauss.com "Immauss Cybersecurity")
 
+[Sponsor immauss](https://github.com/sponsors/immauss)
+
 
 # Docker Tags  #
 tag              | Description
 ----------------|-------------------------------------------------------------------
-22.4.11 | This is the latest based on GVMd 22.4 available on x86_64, arm64, and armv7.
+22.4.21 | This is the latest based on GVMd 22.5.4 available on x86_64, arm64, and armv7.
 21.04.09 | This is the last 21.4 build.  
 20.08.04.6 | The last 20.08 image
 pre-20.08   | This is the last image from before the 20.08 update. 
 v1.0             | old out of date image for posterity. (Dont` use this one. . . . ever)
 
+# Greenbone Versions in Latest image: #
+Component | Version | | Component | Version
+----------|----------|-|----------|---------
+|pg_gvm|v22.5.1| |gvmd|v22.5.5|
+|notus_scanner|v22.5.0| |openvas|v22.7.3|
+|openvas_smb|v22.5.3| |gvm_libs|v22.6.3|
+|openvas_scanner|v22.7.3| |gsad|v22.5.1|
+|gsa|v22.5.0| |ospd|v21.4.4|
+|ospd_openvas|v22.5.3| |python_gvm|v23.5.1|
+|gvm_tools|v23.4.0| |greenbone_feed_sync|v23.7.0|
+
+
 
 - - - -
 ## Documentation ##
-The current docs are maintained on github [here](https://immauss.github.io/openvas/)
+The current container docs are maintained on github [here](https://immauss.github.io/openvas/)
+
+For docs on the web interface and scanning, use Greenbone's docs [here](https://docs.greenbone.net/GSM-Manual/gos-22.04/en/). Chapter's 8-14 cover the bits you'll need.
+- - - - 
+# 21 July 2023 #
+## 22.4.21 ##
+It's been a busy month. This latest release updates the openvas-scanner to prevent the "out-of-date" scanner warnings. There is also currently a bug with GSA that is preventing user creation from the web interface. GB has resolved the issue, but it has not been released yet. In the interim, if you need to create a new user, use the following:
+```
+docker exec -it -u gvm openvas gvmd --role="Admin" --create-user="$USERNAME" --password="$PASSWORD"
+```
+
+-Scott
+
+# 13 July  2023 #
+##  22.4.20 ##
+
+GB pushed a new gmvd (22.5.4) that resolved some issues with PostgreSQL connections.
+
+-Scott
+- - - - 
+# 9 July 2023 #
+## 22.4.19 ##
+
+OK 22.4.19 with the latest (22.5.3) of gvmd and now gsad joins it with a version 22.5 as well. 
+Enjoy! 
+
+-Scott
+
+- - - -
+
+# 7 July 2023 #
+## 22.4.18 ##
+
+So .... GB has updated gvmd to 22.5.x. This build includes 22.5.0, though there is a 22.5.3 as of this writing .... I'll try to get that built and test, but first I need to go through the process of updating my base DB since there is new DB version with the new version of gvmd. This version will start just fine, but it takes a while as it has to go through the database migration.
+
+If you take a look at the Dockerfile, you may also notice I've done some giggering with the stages. There is now a slim build and a corresponding slim tag in docker hub. If you try to use this image, it will work, but it has NO database preinstalled. So you'll be waiting for the download and database population. This is primarily to make the database refresh process faster and more efficient.
+
+I'm now a member of Git Hub's sponsor program. If you like what you see here, and would like to contribute, please visit:
+[Sponsor Immauss](https://github.com/sponsors/immauss)
+
+-Scott
+
+- - - -
+
+- - - -
+# 15 May 2023 #
+## 22.4.16 ##
+
+I realized last week, that GB has created a new single script for NVT and data sync and it has it's own repo. So ... I rolled it into the build and replaced all the bits that called the old scripts. It does make the startup less noisy on synchronization. 
+
+Coming soon. I'll be spliting the build out to make refreshes easier and more reliable. The secondary result of that will be a new tag, slim. The slim tag will be as the name implies, smaller. The only difference will be it will not contain the prexisting data base and feed sync archives.
 - - - - 
+# 10 May 2023 #
+## 22.4.15 ##
+
+Added changes for version notices to the multi-container scripts. 
+Thanks @NicoWde
+
+# 9 May 2023 #
+## 22.4.14 ##
+
+Yet another minor update from GB.
+Also some bug fixes, mostly in the way version numbers are displayed during startup. 
+
+-Scott
+
+- - - - 
+
+# 3 May 2023 #
+## 22.4.13 ##
+
+Another minor update to align with the latest from Greenbone and few minor bug fixes including:
+- Removed the /var/lib/CA and /var/lib/private from the feeds archive. This was overwriting the freshly generated certs early in the start scripts.  (Thanks @sergeymeleschenko)
+- Added a check by gvm-manage-certs to validate the cert config and regenerate if out of date. This should refresh any out of date certs in the future.
+- Corrected typos in fs-setup.sh (Thanks @shandshellin)
+
+For the curious, 22.4.12 was another minor update from Greenbone, but it failed to build on arm7. Before I had a chance to work it out, GB made another update, and resoveled the issue. 
+
+-Scott
+
+- - - -
+
 # 4 April 2023 #
 ## 22.4.11 ##
 

TODO.md

@@ -14,7 +14,7 @@
 	- postfix **Should be able to pull this image seperately too**
 - [ ] Let`s encrypt 
 	- In current build ?
-	- In seperate reverse proxy
+	- [x] In seperate reverse proxy
 - [ ] Write some build / test scripts to automate testing of new builds. 
 	- use GMP/OSP to validate a scan against a scannable container
 	- use compose to spin up openvas &  scannable, then script the scan creation and execution
@@ -23,4 +23,4 @@
 - [x] start.sh clean up. 
 	- Make sure there are no duplicates
 	- Validate the order of operations
-- [ ] Move all daemon logs to /var/log/gvm so they will show up with docker logs -f ...
+- [x] Move all daemon logs to /var/log/gvm so they will show up with docker logs -f ...

bin/base-rebuild.sh

@@ -20,7 +20,7 @@ while ! [ -z "$1" ]; do
 	-N)
 	shift
 	NOBASE=true;
-	echo "Skipping ovasebase build"
+	echo "Skipping ovasbase build"
 	;;
   esac
 done
@@ -39,7 +39,8 @@ if  [ "$NOBASE" == "false" ]; then
 	cd ..
 fi
 cd /home/scott/Projects/openvas
-docker buildx build --push --platform $arch -f Dockerfile -t immauss/openvas:$tag .
+docker buildx build --push --platform $arch -f Dockerfile --target slim -t immauss/openvas:${tag}-slim .
+docker buildx build --push --platform $arch -f Dockerfile --target final -t immauss/openvas:$tag .
 docker rm -f $tag
 docker pull immauss/openvas:$tag
 docker run -d --name $tag -e SKIPSYNC=true immauss/openvas:$tag 

bin/check-gvm-release.sh

@@ -6,13 +6,13 @@ RC=$(mktemp)
 # Source the api token
 . .token
 # 
-for repo in pg-gvm notus-scanner gvmd openvas openvas-smb gvm-libs openvas-scanner gsa ospd ospd-openvas ; do 
+for repo in pg-gvm notus-scanner gvmd openvas openvas-smb gvm-libs openvas-scanner gsa ospd ospd-openvas ; do
 	VERSION=$(curl -s -H "Authorization: token $Oauth" -L https://api.github.com/repos/greenbone/$repo/releases/latest |  jq -r ".assets[].browser_download_url" | sed "s/^.*download\/\(v.*\)\/.*$/\1/" | head -1)
 	#echo "$repo current version is $VERSION"
 	VAR=$( echo $repo | tr - _ )
 	echo "$VAR=$VERSION" >> $RC
 done
-for repo in python-gvm gvm-tools; do 
+for repo in python-gvm gvm-tools greenbone-feed-sync; do 
 	python_gvm=$(curl -s -H "Authorization: token $Oauth" -L https://api.github.com/repos/greenbone/$repo/releases/latest |  jq -r ".tarball_url" | awk -F/ '{print $NF}' )
 	#echo "$repo current version is $python_gvm"
 	VAR=$(echo $repo | tr - _ )

bin/get-gvm-releases.sh

@@ -9,7 +9,7 @@ rm versions.md
 echo "# Greenbone Versions in Latest image: #
 Component | Version | | Component | Version
 ----------|----------|-|----------|---------" > versions.md
-for repo in pg-gvm notus-scanner gvmd openvas openvas-smb gvm-libs openvas-scanner gsa ospd ospd-openvas ; do 
+for repo in pg-gvm notus-scanner gvmd openvas openvas-smb gvm-libs openvas-scanner gsa gsad ospd ospd-openvas ; do 
 	VERSION=$(curl -s -H "Authorization: token $Oauth" -L https://api.github.com/repos/greenbone/$repo/releases/latest |  jq -r ".assets[].browser_download_url" | sed "s/^.*download\/\(v.*\)\/.*$/\1/" | head -1)
 	echo "$repo current version is $VERSION"
 	VAR=$( echo $repo | tr - _ )
@@ -22,8 +22,8 @@ for repo in pg-gvm notus-scanner gvmd openvas openvas-smb gvm-libs openvas-scann
 		echo " | $VAR | \$${repo} |" >> versions.md
 	fi	
 done
-for repo in python-gvm gvm-tools; do 
-	python_gvm=$(curl -s -H "Authorization: token $Oauth" -L https://api.github.com/repos/greenbone/$repo/releases/latest |  jq -r ".tarball_url" | awk -F/ '{print $NF}' )
+for repo in python-gvm gvm-tools greenbone-feed-sync; do 
+	python_gvm=$(curl -s -H "Authorization: token $Oauth" -L https://api.github.com/repos/greenbone/$repo/releases/latest | jq -r ".tarball_url" | awk -F/ '{print $NF}' )
 	echo "$repo current version is $python_gvm"
 	VAR=$(echo $repo | tr - _ )
 	echo "$VAR=$python_gvm" >> build.rc

bin/refresh.sh

@@ -53,7 +53,7 @@ while  [ $CONTINUE -eq 0 ] && [ $COUNTER -le $WAIT ]; do
 done
 
 if [ $COUNTER -gt $WAIT ]; then
-	echo "Waited for succes in logs for > $WAIT minutes. "
+	echo "Waited for success in logs for > $WAIT minutes. "
 	echo "Bailing out now."
 	docker logs -n 30 updater
 	exit
@@ -71,10 +71,14 @@ echo "Dumping container logs to /var/log/refresh.log"
 date >> /var/log/refresh.log
 docker logs updater >> /var/log/refresh.log
 docker rm updater
-
+# Give the data a timestamp
+date > var-lib/update.ts
 echo "Compress and archive the data"
 #Exclude the gnupg dir as this should be unique for each installation. 
-tar cJf $TAR --exclude=var-lib/gvm/gvmd/gnupg var-lib
+tar cJf $TAR --exclude=var-lib/gvm/gvmd/gnupg \
+	--exclude=var-lib/gvm/CA \
+	--exclude=var-lib/gvm/private \
+	var-lib
 xz -1 $SQLBU
 SQL_SIZE=$( ls -l $SQLBU.xz | awk '{print $5}')
 FEED_SIZE=$( ls -l $TAR | awk '{print $5'})
@@ -91,26 +95,10 @@ if [ $? -ne 0 ]; then
 	logger -t db-refresh "SCP of new db failed $?"
 	exit
 fi
-
-
 # Now rebuild the image
-#cd ~/Projects/openvas
-#echo "Pulling latest from github"
-#git pull
-#if [ $? -ne 0 ]; then
-	#echo "git pull failed. Rebuild image manually: $?"
-	#exit
-#fi
-# Update timestamp
-date > update.ts
-#git commit update.ts -m "Data update for $Date"
-#echo "And pushing to github"
-#git push 
-
-#Build new image here
-#docker build -t immauss/openvas:latest .
 cd $WorkDir
-docker buildx build -t immauss/openvas:$TAG --platform linux/arm64,linux/amd64,linux/arm/v7 --push .
+date > update.ts
+docker buildx build --target final -t immauss/openvas:$TAG --platform linux/arm64,linux/amd64,linux/arm/v7 --push .
 if [ $? -ne 0 ]; then
 	echo "Build failed."
 	exit

build.d/gb-feed-sync.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -Eeuo pipefail
+# Source this for the latest release versions
+. build.rc
+
+echo "pip install of new greenbone-feed-sync"
+python3 -m pip install greenbone-feed-sync 

build.d/gpg-keys.sh

@@ -4,13 +4,13 @@ export OPENVAS_GNUPG_HOME=/etc/openvas/gnupg
 export GNUPGHOME=/tmp/openvas-gnupg
 if ! [ -f tmp/GBCommunitySigningKey.asc ]; then
         echo " Get the Greenbone public Key"
-        curl -f -L https://www.greenbone.net/GBCommunitySigningKey.asc -o /tmp/GBCommunitySigningKey.asc
-        echo "8AE4BE429B60A59B311C2E739823FAA60ED1E580:6:" > /tmp/ownertrust.txt
+        curl -f -L https://www.greenbone.net/GBCommunitySigningKey.asc -o /etc/GBCommunitySigningKey.asc
+        echo "8AE4BE429B60A59B311C2E739823FAA60ED1E580:6:" > /etc/ownertrust.txt
         echo "Setup environment"
         mkdir -m 0600 -p $GNUPGHOME $OPENVAS_GNUPG_HOME
         echo "Import the key "
-        gpg --import /tmp/GBCommunitySigningKey.asc
-        gpg --import-ownertrust < /tmp/ownertrust.txt
+        gpg --import /etc/GBCommunitySigningKey.asc
+        gpg --import-ownertrust < /etc/ownertrust.txt
         echo "Setup key for openvas .."
         cp -r /tmp/openvas-gnupg/* $OPENVAS_GNUPG_HOME/
         #chown -R gvm:gvm $OPENVAS_GNUPG_HOME

build.rc

@@ -6,7 +6,9 @@ openvas_smb=v22.5.3
 gvm_libs=v22.6.3
 openvas_scanner=v22.7.3
 gsa=v22.5.0
+gsad=v22.5.1
 ospd=v21.4.4
 ospd_openvas=v22.5.3
 python_gvm=v23.5.1
 gvm_tools=v23.4.0
+greenbone_feed_sync=v23.7.0

compose/.env

@@ -1 +1 @@
-TAG="22.4.20"
+TAG="22.4.21"