cve

package
v0.0.188 Latest
This package is not in the latest version of its module.
Published: Jun 14, 2026 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Overview

Package cve provides an adapter framework for non-nuclei CVE detection.

CVE scanning in networkscan has two execution paths that both produce the same Fern report shape ([]*nuclei.NucleiTargetInfo):

  1. Nuclei templates — driven by utils/nuclei.RunNucleiEngine, filtered by year and protocol.
  2. Custom Go detectors — implemented in this package, also filtered by year and protocol. One detector covers exactly one CVE.

This mirrors internal/discover/service: fingerprintx supplies broad coverage while local plugins handle specialized protocols, and both feed the same ServiceDetails type so the downstream report is uniform.

To add a CVE check that cannot be expressed as a nuclei template, implement the Detector interface in a file under internal/pentest/cve/detectors/ and register it in registry.go.

Functions

func MergeTargets

func MergeTargets(a, b []*nuclei.NucleiTargetInfo) []*nuclei.NucleiTargetInfo

MergeTargets combines two NucleiTargetInfo slices keyed by Target string.

The nuclei path keys by ev.URL — which for HTTP templates is "http://host:port" and for network templates is "host:port". Custom detectors are handed the raw --targets entry. To merge correctly across both shapes, we key by a normalized form (host:port, scheme stripped, lowercased) so the same target scanned by both paths collapses into one NucleiTargetInfo. The original Target string on each entry is preserved (we don't rewrite the target the nuclei report builder set).
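
The normalize-then-merge keying described above, as an added example that is not the package's own code. `TargetInfo`, its `Attempts` field, `normalizeKey` and `mergeTargets` are hypothetical stand-ins, the hostnames and template name are constructed, and trimming a trailing slash is an assumption beyond what the doc states.

```go
package main

import (
	"fmt"
	"strings"
)

// TargetInfo stands in for nuclei.NucleiTargetInfo. Only Target is named on
// the page; the Attempts field is an assumption made for this example.
type TargetInfo struct {
	Target   string
	Attempts []string // template or CVE IDs attempted against Target
}

// normalizeKey reduces "http://Host:Port" and "host:port" to one map key:
// lowercased, scheme stripped. Trimming a trailing "/" is an added assumption.
func normalizeKey(target string) string {
	t := strings.ToLower(strings.TrimSpace(target))
	if i := strings.Index(t, "://"); i >= 0 {
		t = t[i+3:]
	}
	return strings.TrimSuffix(t, "/")
}

// mergeTargets collapses entries that share a normalized key. The first entry
// seen keeps its original Target string; later ones only add their attempts.
func mergeTargets(a, b []*TargetInfo) []*TargetInfo {
	byKey := map[string]*TargetInfo{}
	var out []*TargetInfo
	for _, ti := range append(append([]*TargetInfo{}, a...), b...) {
		k := normalizeKey(ti.Target)
		if cur, ok := byKey[k]; ok {
			cur.Attempts = append(cur.Attempts, ti.Attempts...)
			continue
		}
		merged := &TargetInfo{Target: ti.Target, Attempts: append([]string{}, ti.Attempts...)}
		byKey[k] = merged
		out = append(out, merged)
	}
	return out
}

func main() {
	// Constructed sample: the same listener reported by both scan paths.
	a := []*TargetInfo{{Target: "http://App.example.test:8080", Attempts: []string{"example-template"}}}
	b := []*TargetInfo{{Target: "app.example.test:8080", Attempts: []string{"CVE-2024-12345"}}}
	m := mergeTargets(a, b)
	fmt.Println(len(m), m[0].Target, m[0].Attempts)
}
```

Without the normalization step the two entries would stay separate and the report would list the same listener twice, once per scan path.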

func RunCustomDetectors

func RunCustomDetectors(ctx context.Context, opts Options) ([]*nuclei.NucleiTargetInfo, []string)

RunCustomDetectors runs every registered Detector that passes the year and protocol filters against each target. Results are merged into a slice of NucleiTargetInfo (one entry per target with at least one attempt), matching the shape produced by utils/nuclei.RunNucleiEngine so the caller can append the two slices and treat them uniformly.

The second return value carries non-fatal warnings (e.g. per-detector errors) using the same convention as RunNucleiEngine.

Types

type Detector

type Detector interface {
	// CVEID returns the canonical identifier, e.g. "CVE-2024-12345". Must be
	// unique across all registered detectors and must match the regex
	// ^CVE-\d{4}-\d{4,}$ so the existing report builder recognizes it.
	CVEID() string

	// Year returns the 4-digit publication year as a string (e.g. "2024").
	// The orchestrator only runs a detector if its Year is in the caller's
	// --years filter, matching the year-subdirectory semantics used by the
	// nuclei template path.
	Year() string

	// Protocol returns the application protocol filter token this detector
	// applies to (e.g. "SSH", "HTTP", "FTP", "SMB"). Compared case-insensitively
	// against the --protocol CLI flag. Empty means "any protocol" — the
	// detector will always be considered once the year filter passes.
	Protocol() string

	// Detect probes a single target string (host:port form, as passed via
	// --targets) and returns the attempt result. See package doc above for
	// return semantics. Implementations should respect ctx cancellation and
	// honor the supplied timeout (seconds).
	Detect(ctx context.Context, target string, timeout int) (*nuclei.NucleiAttemptInfo, error)
}

Detector implements detection for exactly one CVE without using a nuclei template. Implementations live in internal/pentest/cve/detectors/ and are registered in registry.go.

Return semantics for Detect:

  • Vulnerable: *NucleiAttemptInfo with Finding.Finding = true.
  • Probed-but-clean: *NucleiAttemptInfo with Finding.Finding = false.
  • Not applicable: (nil, nil) — e.g. wrong banner, port closed, service does not match. The orchestrator will skip the target silently.
  • Fatal probe error: (nil, err) — surfaced as a warning in the report.

The returned NucleiAttemptInfo.TemplateId MUST equal CVEID() so downstream processors can key off it the same way they key off a nuclei template ID.
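
A minimal detector written against the contract above, as an added example rather than code from this module. The `Finding` and `AttemptInfo` stand-in types, the fictional `exampled` service, its banner format and its version rule are all constructed, and treating a malformed target as the fatal case is an assumption.

```go
package main

import (
	"bufio"
	"context"
	"fmt"
	"net"
	"strings"
	"time"
)

// Stand-ins for nuclei report types; only TemplateId and Finding.Finding come from the page.
type Finding struct{ Finding bool }
type AttemptInfo struct {
	TemplateId string
	Finding    Finding
}
// exampleDetector is hypothetical; "exampled" and its version rule are constructed.
type exampleDetector struct{}
func (exampleDetector) CVEID() string    { return "CVE-2024-12345" } // placeholder ID from the interface comment
func (exampleDetector) Year() string     { return "2024" }
func (exampleDetector) Protocol() string { return "FTP" }

func (d exampleDetector) classify(banner string) *AttemptInfo {
	if !strings.HasPrefix(banner, "220 exampled ") {
		return nil // not applicable: some other service answered
	}
	vulnerable := strings.HasPrefix(banner, "220 exampled 1.0.")
	// TemplateId must equal CVEID() in both the clean and the vulnerable case.
	return &AttemptInfo{TemplateId: d.CVEID(), Finding: Finding{Finding: vulnerable}}
}

func (d exampleDetector) Detect(ctx context.Context, target string, timeout int) (*AttemptInfo, error) {
	if _, _, err := net.SplitHostPort(target); err != nil {
		return nil, fmt.Errorf("%s: %w", d.CVEID(), err) // fatal: surfaces as a warning
	}
	limit := time.Duration(timeout) * time.Second
	conn, err := (&net.Dialer{Timeout: limit}).DialContext(ctx, "tcp", target)
	if err != nil {
		return nil, nil // not applicable: port closed or unreachable
	}
	defer conn.Close()
	_ = conn.SetReadDeadline(time.Now().Add(limit))
	banner, _ := bufio.NewReader(conn).ReadString('\n')
	return d.classify(banner), nil
}

func main() {
	fmt.Println(exampleDetector{}.classify("220 exampled 1.0.3 ready\r\n").Finding.Finding)
}
```

Keeping the banner decision in `classify` lets a unit test cover the vulnerable, clean and not-applicable outcomes without opening a socket.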

func Registered

func Registered() []Detector

Registered returns the list of registered detectors. Exported for tests and for the runner; production code should call RunCustomDetectors instead.

type Options

type Options struct {
	Targets  []string
	Years    []string
	Protocol string
	Timeout  int
	Threads  int
}

Options mirrors the subset of PentestCveConfig that custom detectors care about. Threads bounds concurrent (target × detector) probes; without it a large registry would open one goroutine per pair and overwhelm targets.

Directories

Path Synopsis
Package detectors holds one file per non-nuclei CVE check.
