Hi,

I've setup the management console on an AWS instance using the repository instructions. I've registered an account and accessed the console but I can't navigate to any other pages (registries, vulnerabilities, settings etc.). It seems to be in a loop of 'resuming the live state' and is stuck 'Optimizing hosts'.

I've given it over 60 minutes as the readme mentioned, but there's been no change.

I can't find any obvious problems looking through the various container logs. I wondered if someone here could offer any guidance?

Can Multiple AWS Agents deployed and visible in single management console?

Need to add MSRC feeds for deeper scanning of Windows base pkgs.

Now that we are removing host node counts + also adding some optimisations on UI side, we need to add the console size requirements for various scale levels assuming user is always using 1 node kubernetes cluster or docker compose.

Need following numbers:

Console size

8 core - 16G RAM - how many hosts, unlimited number of containers
16 core - 16G RAM - how many hosts, unlimited number of containers
8 core - 32G RAM - how many hosts, unlimited number of containers
16 core - 32G RAM - how many hosts, unlimited number of containers

Currently we show all vulnerabilities in all scans in charts and on stats panel.

We should

• Show union of unique CVE ids across all scans across all containers, images and hosts

List and scan images out of Docker hub private registry.

In ReadMe as well as on the UI. We will try to support 2 latest versions for all integrations.

Unable to run vulnerability scans on management console node and registries. Vulnerability scans start but hang after a while with error "Scan was interrupted". There is no info in the docker-compose logs to investigate or viewable logs from the console itself.

Agent and Management are at same IP? Would it show results?

Got a query on community channel on feasibility of adding this, should be straight forward based on my cursory analysis.

Adding https://github.com/deepfence/SecretScanner as an additional type of scan in addition to vulnerabilities.

• Currently masking a vulnerability masks only that vulnerability document.
• That vulnerability might be present in different packages in the same image also.
• We should have an option to mask in all packages in the image and mask across all images

Hey there!

I'd like to report a security issue but cannot find contact instructions on your repository.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

Need to add GCR integration.

Need to add Quay integration.

Intalled deepfence and create the first registration... with an error in the email. Try to change but it doesn't have any button to modify only delete but if you try to delete admin you cant do that. If I want to create other admin user is not possible or tranfers de admin role to other user is not possible.

For docker private registry, add support for uploading custom certificates and keys

• client certificate
• client key
• ca certificate

List and scan images our of GitLab container registry

Public roadmap with upcoming features and enhancements.

Hi I installed the community edition and work fine. After a linux upgrade and patch I had to reboot the server (including put the server certs) and after that reboot docker ps shows that deepfence-ui hasn't any 80 or 443 binding. I run docker-compose down and up again and same result no web ui is bind to 80 or 443 ports

Filtering and routing reported vulnerabilities to LogRhythm.

Problem:

getting error pulling image configuration: unknown blob when trying to pull latest version

sudo docker pull deepfenceio/deepfence_agent_ce:latest
Trying to pull repository docker.io/deepfenceio/deepfence_agent_ce ... 
sha256:ef2bfb042c1947d7fa1521c92d80d48b427ec1921a7a8bf719a4da1bfe41a2d5: Pulling from docker.io/deepfenceio/deepfence_agent_ce
c9b1b535fdd9: Pulling fs layer 
a467aaeebe51: Pulling fs layer 
4972601ee06f: Pulling fs layer 
50fea360ba80: Waiting 
12cb344c186e: Waiting 
7fcfa6d4777d: Waiting 
88e4e5d70d35: Waiting 
09111211c518: Waiting 
02367567fd52: Waiting 
14db001a3bcd: Waiting 
b3f9fa29ccb1: Waiting 
9f2c31a673b2: Waiting 
37a51eba9536: Waiting 
d58fe0077a61: Waiting 
5007810f217c: Waiting 
f3da2746ca1d: Waiting 
4d0e5e4a4a1a: Waiting 
Trying to pull repository registry.fedoraproject.org/deepfenceio/deepfence_agent_ce ... 
Trying to pull repository registry.access.redhat.com/deepfenceio/deepfence_agent_ce ... 
Trying to pull repository registry.centos.org/deepfenceio/deepfence_agent_ce ... 
Trying to pull repository quay.io/deepfenceio/deepfence_agent_ce ... 
Trying to pull repository docker.io/deepfenceio/deepfence_agent_ce ... 
sha256:ef2bfb042c1947d7fa1521c92d80d48b427ec1921a7a8bf719a4da1bfe41a2d5: Pulling from docker.io/deepfenceio/deepfence_agent_ce
c9b1b535fdd9: Pulling fs layer 
a467aaeebe51: Pulling fs layer 
4972601ee06f: Pulling fs layer 
50fea360ba80: Waiting 
12cb344c186e: Waiting 
7fcfa6d4777d: Waiting 
88e4e5d70d35: Waiting 
09111211c518: Waiting 
02367567fd52: Waiting 
14db001a3bcd: Waiting 
b3f9fa29ccb1: Waiting 
9f2c31a673b2: Waiting 
37a51eba9536: Waiting 
d58fe0077a61: Waiting 
5007810f217c: Waiting 
f3da2746ca1d: Waiting 
4d0e5e4a4a1a: Waiting 
error pulling image configuration: unknown blob

pulling bottlerocket version works as expected

sudo docker pull deepfenceio/deepfence_agent_ce:bottlerocket
Trying to pull repository docker.io/deepfenceio/deepfence_agent_ce ... 
sha256:1caea67efebbebd83dc09f869ac66c0bd99f2b4a7ec2d80bfe80042fe1f1786a: Pulling from docker.io/deepfenceio/deepfence_agent_ce
c9b1b535fdd9: Pull complete 
b6d83a030696: Pull complete 
f6a06778061f: Pull complete 
4346f63f6540: Pull complete 
9621f77de183: Pull complete 
ea774dd0a492: Pull complete 
bc61a45c72b5: Pull complete 
3d194fa3baa1: Pull complete 
3ab4871f49df: Pull complete 
58a3160a4149: Pull complete 
737c91d96cd4: Pull complete 
37db6d33e67d: Pull complete 
25ff9d31fb02: Pull complete 
19c622447144: Pull complete 
2dd6c587aacb: Pull complete 
28634e02c7dd: Pull complete 
d06993b63779: Pull complete 
Digest: sha256:1caea67efebbebd83dc09f869ac66c0bd99f2b4a7ec2d80bfe80042fe1f1786a
Status: Downloaded newer image for docker.io/deepfenceio/deepfence_agent_ce:bottlerocket

Currently we show a ranked list most exploitable vulnerabilities across running hosts and containers as a table. Would be good to add a heat map or a split bubble chart showing the same with added filters.

1. Remove host node count limit, on UI as well as backend

2. No realtime node count tracking for hosts. Containers and images are already unlimited.

3. Remove work email requirement while registering

4. Remove menu items which do not belong in threatmapper like compliance etc

Currently we run only 10 max scans concurrently, assuming users might install console on a busy machine.

Provide a way for user to specify max concurrent scans while launching console as an ENV variable. This will speed things up significantly while scanning images out of registries at scale.

While sending vulnerabilities to Slack, Splunk or any other integration allow users to chose a specific.

• cluster id //randomly assigned cluster id that we use to differentiate clusters

• namespace

• user defined tag // user can tag a bunch of containers or hosts with a certain tag E.g. dev, staging etc

In ReadMe as well as on the UI. We will always strive to support 2 latest versions for all registries.

Currently only container, container images and host level scanning is support. With this feature user should be able to scan at following granularities with a single click

• an entire kubernetes cluster

• a certain namespace

• user defined tags which could contains multiple hosts e.g. dev/staging/prod etc

In addition to Jenkins and CircleCI plugins, we need to support the same scan modality for GitLab.

Hi.
I had the control working a few days ago using the docker-compose file in this repository but I tried to create a control node today and the router fails with the following message.

deepfence-router                  | Set operating_mode to either 'docker' or 'k8s'. Exiting...
deepfence-router                  | Set operating_mode to either 'docker' or 'k8s'. Exiting...
deepfence-router                  | Set operating_mode to either 'docker' or 'k8s'. Exiting...

I had to add the following to the docker-compose deepfence-router block file

   environment:
      OPERATING_MODE: "docker"

I am deploying on a GCE instance with Debian 10 via a startup script

I have an internal unauthenticated Image Registry (docker). There is a way to scan unauthenticated Registries?

The Username/Password fields are mandatory.

Filtering and routing reported vulnerabilities to Qradar.

In addition to Jenkins, CircleCI and GitLab plugins, I would like one for GitHub Actions. Maybe it's better to make Threatmapper available in the GitHub Actions marketplace, then developing a plugin, I'm not sure. Could someone make Threatmapper compatible with GitHub Actions?

While generating xls reports, allow users to generate report for a specific:

• cluster id //randomly assigned cluster id that we use to differentiate clusters

• namespace

• user defined tag // user can tag a bunch of containers or hosts with a certain tag E.g. dev, staging etc

Problem:
cannot switch tabs inside deepfence-ui, ui stuck at loading topology page with "verifying topologies message"

Expected:
to be able to browse the ui normally

deepfence-api_logs.txt.gz

truncated deepfence-api container logs below

[2020-10-07 07:27:41 +0000] [97] [ERROR] Exception on /deepfence/v1.5/node_status [GET]
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 2447, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1952, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python3.6/site-packages/flask_restful/__init__.py", line 272, in error_router
    return original_handler(e)
  File "/usr/local/lib/python3.6/site-packages/flask_restful/__init__.py", line 272, in error_router
    return original_handler(e)
  File "/usr/local/lib/python3.6/site-packages/flask_restful/__init__.py", line 272, in error_router
    return original_handler(e)
  File "/usr/local/lib/python3.6/site-packages/flask_cors/extension.py", line 161, in wrapped_function
    return cors_after_request(app.make_response(f(*args, **kwargs)))
  File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1821, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python3.6/site-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1950, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1936, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "api/common_api.py", line 1424, in api.common_api.get_node_status
  File "api/common_api.py", line 1433, in api.common_api.determine_node_status
  File "api/common_api.py", line 1552, in api.common_api.get_topology_cve_status
  File "utils/esconn.py", line 2823, in utils.esconn.ESConn.group_by
  File "utils/esconn.py", line 503, in utils.esconn.ESConn.search
  File "/usr/local/lib/python3.6/site-packages/elasticsearch/client/utils.py", line 92, in _wrapped
    return func(*args, params=params, headers=headers, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/elasticsearch/client/__init__.py", line 1623, in search
    body=body,
  File "/usr/local/lib/python3.6/site-packages/elasticsearch/transport.py", line 362, in perform_request
    timeout=timeout,
  File "/usr/local/lib/python3.6/site-packages/elasticsearch/connection/http_urllib3.py", line 252, in perform_request
    self._raise_error(response.status, raw_data)
  File "/usr/local/lib/python3.6/site-packages/elasticsearch/connection/base.py", line 282, in _raise_error
    status_code, error_message, additional_info
elasticsearch.exceptions.RequestError: RequestError(400, 'illegal_argument_exception', 'field name is null or empty')
ERROR:config.df_app:Exception on /deepfence/v1.5/node_status [GET]
Traceback (most recent call last):

Add instructions to deploy threatmapper as a sidecar + embedding. This depends on #43 as all binaries must be agnostic to underlying distro i.e. static binaries only.

Instead of Alpine/Debian, lets use SCRATCH base image, this requires us shipping our binaries as static binaries, doable easily.

Additional context
ThreatMapper is missing features used to connect to an open-source Cyber Threat Intelligence Platform, such as OpenCTI. This feature request can be used used to map vulnerabilities exploited by known malicious actors (i.e APT). Additionally,

Is your feature request related to a problem? Please describe.
Similar to Anomali, or ThreatConnect, a novice CTI analyst will have difficulties mapping CRITICAL/HIGH vulnerabilities to a malicious actor (i.e. APT, or UNC) without integration between ThreatMapper and a CTI platform.

Describe the solution you'd like
This feature enhancement would allow CTI analysts to prioritize and rank vulnerabilities exploited, and security advisories warning to patch vulnerabilities commonly propagated by malicious actors

Describe alternatives you've considered

MITRE ATT&CK
ThreatConnect
Anomali ThreatStrem
Securonix

Components/Services

• UI/Frontend
• API/Backend
• Agent
• Deployment/YAMLs
• CI/CD Integration
• Other (specify) - Support for OpenCTI Connectors

Additional context
https://www.opencti.io/en/
https://github.com/OpenCTI-Platform
https://github.com/OpenCTI-Platform/connectors

root@ubuntu-s-6vcpu-16gb-nyc1-01:~# sudo docker-compose -f ./docker-compose.yml up -d
ERROR: yaml.scanner.ScannerError: mapping values are not allowed here
in "././docker-compose.yml", line 119, column 73

Provided the docer-compose.yml file, when executing the following command:

docker-compose -f docker-compose.yml up -d

I am unable to browse to the management console as not all containers are started, specifically the deepfence-es-master container which presents the following errors:

Exception in thread "main" java.lang.RuntimeException: starting java failed with [137]
output:

error:
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
	at org.elasticsearch.tools.launchers.JvmErgonomics.flagsFinal(JvmErgonomics.java:123)
	at org.elasticsearch.tools.launchers.JvmErgonomics.finalJvmOptions(JvmErgonomics.java:88)
	at org.elasticsearch.tools.launchers.JvmErgonomics.choose(JvmErgonomics.java:59)
	at org.elasticsearch.tools.launchers.JvmOptionsParser.main(JvmOptionsParser.java:95)

Would appreciate any guidance.

Currently we use a self-signed certificate for Deepfence UI. User might want to use their own self signed certificates due to various reasons.

If user specifies path to a dir containing certs, we should volume mount and use those certs instead of deepfence self signed certs.

Top most exploitable vulnerabilities with score and rank across all nodes and images.

If a certain container registry has > 1K images, it gets tricky to search, sort and scan images due to current rigid table structure. This gets amplified when more registries are added and each has more than a few hundred images.

Need to:

1. Add a per registry search box (free text search with autocomplete) so users can search per based on container image name AND/OR image tag

2. While we are at this, lets also make tables dynamically paginated based on number of images and make all columns sortable

Problem:

Currently, the initial vulnerability db update takes anywhere between 15-60 minutes and only after this first full update threatmapper is usable.

• Every 24 hours we can push pre-populated vulnerability DB images to threatmapper registry so when a user uses a fresh installation of threatmapper, at the very worst a 24 hr old database is being referred for scanning. This db anyway will get updated over next few hours but reduced the initial wait required.

Need to enable JIRA integration and document supported JIRA versions.

List and scan images our of Jfrog container registry

User request. Add filtering and routing reported vulnerabilities to Microsoft Teams just as we do with Slack.

I have a lot of applications running and of course 443 is not available.

How do I configure the management console to work on a port, other than 443?

Where should I change that setting if I am using

• Docker or
• Standalone?