Scans are working but return 0 results on GVM 22.4

thecomet28 · September 2, 2022, 6:19pm

Hello, I’m having an issue with the docker image I created/maintain with the new version of GVM CE 22.4. I followed the build instructions, and everything installs correctly. However, once I execute a scan, the scan runs for a couple of minutes and then returns log results. The test environment has one high and a couple of medium & lows on our previous version 21.4.4. Not sure why it’s failing to find anything, but everything seems to be fine, from the setup to syncs.

The link to the dev version of the docker image is: NetizenCorp/GVM-Docker at dev (github.com)

I’ve attached the logs from the docker:

++++++++++++++++
Tailing logs +
++++++++++++++++
==> /var/log/gvm/gsad.log <==
gsad main:MESSAGE:2022-09-02 16h16.51 utc:1150: Starting GSAD version 22.04.0
gsad  gmp:MESSAGE:2022-09-02 16h22.48 utc:1151: Authentication success for 'admin' from 192.168.0.7
gsad main:MESSAGE:2022-09-02 16h33.02 utc:712: Starting GSAD version 22.04.0
gsad  gmp:MESSAGE:2022-09-02 16h33.19 utc:713: Authentication success for 'admin' from 192.168.0.7
gsad main:MESSAGE:2022-09-02 17h04.53 utc:712: Starting GSAD version 22.04.0
gsad main:MESSAGE:2022-09-02 17h15.43 utc:716: Starting GSAD version 22.04.0
gsad  gmp:MESSAGE:2022-09-02 17h16.09 utc:717: Authentication success for 'admin' from 192.168.0.7
gsad  gmp:MESSAGE:2022-09-02 17h35.24 GMT:717: Authentication success for 'admin' from 192.168.0.7
gsad main:MESSAGE:2022-09-02 17h59.05 utc:715: Starting GSAD version 22.04.0

==> /var/log/gvm/gvmd.log <==
md   main:   INFO:2022-09-02 17h57.52 utc:37:    Migrating database.
md   main:   INFO:2022-09-02 17h57.52 utc:37: gvmd: databases are already at the supported version
md   main:MESSAGE:2022-09-02 17h59.03 utc:680:    Greenbone Vulnerability Manager version 22.4.0~dev1 (DB revision 250)
md   main:MESSAGE:2022-09-02 17h59.03 utc:684:    Greenbone Vulnerability Manager version 22.4.0~dev1 (DB revision 250)
md   main:WARNING:2022-09-02 17h59.03 utc:684: gvmd: Another process is busy starting up
md manage:   INFO:2022-09-02 17h59.04 UTC:703: osp_scanner_feed_version: No feed version available yet. OSPd OpenVAS is still starting
md   main:MESSAGE:2022-09-02 17h59.04 utc:707:    Greenbone Vulnerability Manager version 22.4.0~dev1 (DB revision 250)
md manage:   INFO:2022-09-02 17h59.04 utc:707:    Getting users.
md   main:MESSAGE:2022-09-02 17h59.04 utc:711:    Greenbone Vulnerability Manager version 22.4.0~dev1 (DB revision 250)
md manage:   INFO:2022-09-02 17h59.04 utc:711:    Modifying user password.

==> /var/log/gvm/notus-scanner.log <==
2022-09-02 17:59:03,702 notus-scanner: INFO: (notus.scanner.daemon) Starting notus-scanner version 22.4.1.

==> /var/log/gvm/ospd-openvas.log <==
OSPD[664] 2022-09-02 17:59:03,608: INFO: (ospd.main) Starting OSPd OpenVAS version 22.4.2.
OSPD[664] 2022-09-02 17:59:03,612: INFO: (ospd_openvas.messaging.mqtt) Successfully connected to MQTT broker

==> /var/log/gvm/gvmd.log <==
md manage:   INFO:2022-09-02 17h59.14 UTC:731: osp_scanner_feed_version: No feed version available yet. OSPd OpenVAS is still starting

==> /var/log/gvm/ospd-openvas.log <==
OSPD[664] 2022-09-02 17:59:13,649: INFO: (ospd_openvas.daemon) Loading VTs. Scans will be [requested|queued] until VTs are loaded. This may take a few minutes, please wait...

==> /var/log/gvm/gvmd.log <==
md manage:   INFO:2022-09-02 17h59.24 UTC:734: osp_scanner_feed_version: No feed version available yet. OSPd OpenVAS is still starting
md manage:   INFO:2022-09-02 17h59.34 UTC:737: osp_scanner_feed_version: No feed version available yet. OSPd OpenVAS is still starting
md manage:   INFO:2022-09-02 17h59.44 UTC:740: osp_scanner_feed_version: No feed version available yet. OSPd OpenVAS is still starting

==> /var/log/gvm/gsad.log <==
gsad  gmp:MESSAGE:2022-09-02 17h59.47 utc:716: Authentication success for 'admin' from 192.168.0.7

==> /var/log/gvm/gvmd.log <==
md    gmp:   INFO:2022-09-02 17h59.47 UTC:765:    Failed to parse client XML: Command Unavailable
md manage:   INFO:2022-09-02 18h00.03 UTC:836: osp_scanner_feed_version: No feed version available yet. OSPd OpenVAS is still starting

==> /var/log/gvm/openvas.log <==
libgvm util:MESSAGE:2022-09-02 18h00.03 utc:730: Updated NVT cache from version 0 to 202209021012

==> /var/log/gvm/ospd-openvas.log <==
OSPD[664] 2022-09-02 18:00:03,149: INFO: (ospd_openvas.daemon) Finished loading VTs. The VT cache has been updated from version 0 to 202209021012.

==> /var/log/gvm/gvmd.log <==
md manage:   INFO:2022-09-02 18h00.18 UTC:843: osp_scanner_feed_version: No feed version available yet. OSPd OpenVAS is still starting
md manage:   INFO:2022-09-02 18h00.33 UTC:850: osp_scanner_feed_version: No feed version available yet. OSPd OpenVAS is still starting
event task:MESSAGE:2022-09-02 18h01.07 UTC:899: Status of task Server VLAN (d89e93f0-6f24-44ca-9397-e2d8c37c581d) has changed to Requested
event task:MESSAGE:2022-09-02 18h01.07 UTC:899: Task Server VLAN (d89e93f0-6f24-44ca-9397-e2d8c37c581d) has been requested to start by admin
event task:MESSAGE:2022-09-02 18h01.11 UTC:902: Status of task Server VLAN (d89e93f0-6f24-44ca-9397-e2d8c37c581d) has changed to Queued

==> /var/log/gvm/ospd-openvas.log <==
OSPD[664] 2022-09-02 18:01:11,850: INFO: (ospd.command.command) Scan b8f3bb4b-79f8-4196-9613-d0764bf7ff1f added to the queue in position 1.
OSPD[664] 2022-09-02 18:01:15,767: INFO: (ospd.ospd) Currently 1 queued scans.
OSPD[664] 2022-09-02 18:01:15,804: INFO: (ospd.ospd) Starting scan b8f3bb4b-79f8-4196-9613-d0764bf7ff1f.

==> /var/log/gvm/gvmd.log <==
event task:MESSAGE:2022-09-02 18h01.16 UTC:902: Status of task Server VLAN (d89e93f0-6f24-44ca-9397-e2d8c37c581d) has changed to Running
1662141711: New connection from 127.0.0.1:57598 on port 1883.
1662141711: New client connected from 127.0.0.1:57598 as 4439cd37-1d18-4a5e-9048-a584091f7689 (p5, c1, k0).

==> /var/log/gvm/openvas.log <==
sd   main:MESSAGE:2022-09-02 18h01.51 utc:1234: openvas 22.4.0 started
sd   main:MESSAGE:2022-09-02 18h01.51 utc:1234: attack_network_init: INIT MQTT: SUCCESS
sd   main:MESSAGE:2022-09-02 18h01.53 utc:1234: Vulnerability scan b8f3bb4b-79f8-4196-9613-d0764bf7ff1f started: Target has 254 hosts: 192.168.10.1/24, with max_hosts = 15 and max_checks = 4
libgvm boreas:MESSAGE:2022-09-02 18h01.53 utc:1234: Alive scan b8f3bb4b-79f8-4196-9613-d0764bf7ff1f started: Target has 254 hosts
:WARNING:2022-09-02 18h01.54 utc:1263: nasl_pread: Failed to close file descriptor for child process (Operation not permitted)
:WARNING:2022-09-02 18h01.54 utc:1264: nasl_pread: Failed to close file descriptor for child process (Operation not permitted)
:WARNING:2022-09-02 18h01.54 utc:1265: nasl_pread: Failed to close file descriptor for child process (Operation not permitted)
sd   main:MESSAGE:2022-09-02 18h01.54 utc:1261: Vulnerability scan b8f3bb4b-79f8-4196-9613-d0764bf7ff1f started for host: 192.168.10.1
sd   main:MESSAGE:2022-09-02 18h01.54 utc:1260: Vulnerability scan b8f3bb4b-79f8-4196-9613-d0764bf7ff1f started for host: 192.168.10.10 (Vhosts: ns01.hacker-net.com)
sd   main:MESSAGE:2022-09-02 18h01.54 utc:1262: Vulnerability scan b8f3bb4b-79f8-4196-9613-d0764bf7ff1f started for host: 192.168.10.9 (Vhosts: gvm.int.hacker-net.com)
libgvm boreas:MESSAGE:2022-09-02 18h01.58 utc:1234: Alive scan b8f3bb4b-79f8-4196-9613-d0764bf7ff1f finished in 5 seconds: 3 alive hosts of 254.
1662141728: New connection from 127.0.0.1:57640 on port 1883.
1662141728: New client connected from 127.0.0.1:57640 as 7d744643-1466-4d5b-bbd3-8b30a687735e (p5, c1, k0).
1662141728: Client 7d744643-1466-4d5b-bbd3-8b30a687735e closed its connection.
sd   main:MESSAGE:2022-09-02 18h02.08 utc:1260: Running LSC via Notus for 192.168.10.10
sd   main:MESSAGE:2022-09-02 18h02.08 utc:1260: Vulnerability scan b8f3bb4b-79f8-4196-9613-d0764bf7ff1f finished for host 192.168.10.10 in 14.29 seconds
1662141729: New connection from 127.0.0.1:57650 on port 1883.
sd   main:MESSAGE:2022-09-02 18h02.09 utc:1261: Running LSC via Notus for 192.168.10.1
1662141729: New client connected from 127.0.0.1:57650 as 3afb19c5-5a62-4a1e-be00-8a55bc0b6b44 (p5, c1, k0).
1662141729: Client 3afb19c5-5a62-4a1e-be00-8a55bc0b6b44 closed its connection.
1662141729: New connection from 127.0.0.1:57652 on port 1883.
1662141730: New client connected from 127.0.0.1:57652 as 7c29192d-bd86-49a8-97a4-652f023ef62d (p5, c1, k0).
1662141730: Client 7c29192d-bd86-49a8-97a4-652f023ef62d closed its connection.
sd   main:MESSAGE:2022-09-02 18h02.09 utc:1261: Vulnerability scan b8f3bb4b-79f8-4196-9613-d0764bf7ff1f finished for host 192.168.10.1 in 15.43 seconds
sd   main:MESSAGE:2022-09-02 18h02.09 utc:1262: Running LSC via Notus for 192.168.10.9
sd   main:MESSAGE:2022-09-02 18h02.10 utc:1262: Vulnerability scan b8f3bb4b-79f8-4196-9613-d0764bf7ff1f finished for host 192.168.10.9 in 16.08 seconds
1662141730: Client 4439cd37-1d18-4a5e-9048-a584091f7689 closed its connection.
sd   main:MESSAGE:2022-09-02 18h02.10 utc:1234: Vulnerability scan b8f3bb4b-79f8-4196-9613-d0764bf7ff1f finished in 19 seconds: 3 alive hosts of 254

==> /var/log/gvm/ospd-openvas.log <==
OSPD[664] 2022-09-02 18:02:12,627: INFO: (ospd.ospd) b8f3bb4b-79f8-4196-9613-d0764bf7ff1f: Host scan finished.
OSPD[664] 2022-09-02 18:02:12,628: INFO: (ospd.ospd) b8f3bb4b-79f8-4196-9613-d0764bf7ff1f: Scan finished.

==> /var/log/gvm/gvmd.log <==
event task:MESSAGE:2022-09-02 18h02.17 UTC:902: Status of task Server VLAN (d89e93f0-6f24-44ca-9397-e2d8c37c581d) has changed to Done

Edit: Running Full and Fast and running the latest releases of GVM (not dev versions). OS & Versions can be found in the dockerfile. Also, port detection not working. 0 for 0 on ports.

bricks · September 3, 2022, 8:19am

Hi for me it seems the loading of the feed data has not finished and you are already starting a scan. See Building 22.4 from Source - Greenbone Community Documentation for some background of the feed sync.

cfi · September 5, 2022, 12:25pm

If the now missing results are originating from SSL/TLS services this should be also the same as dicussed in "Report Vulnerable Cipher Suites for HTTPS" VT not reporting in GSEv22.4 and which seems to be fixed with Fix: determine SSL/TLS support on services by jjnicola · Pull Request #1176 · greenbone/openvas-scanner · GitHub.

One additional important note to the following

The “Ports” tab in GSA doesn’t list every open port found by a port scanner. Instead it lists (by design) only the ports on which at least one result from the current used filter has been found.

thecomet28 · September 6, 2022, 3:21pm

NVTs showing 103,000 currently in the DB. I just attempted another scan, and still nothing in the results. Also, getting warning messages as well with an operation not permitted. However, based on the documentation, I have all the proper permissions in place.

==> /var/log/gvm/openvas.log <==
sd   main:MESSAGE:2022-09-06 15h14.49 utc:1635: openvas 22.4.0 started
sd   main:MESSAGE:2022-09-06 15h14.49 utc:1635: attack_network_init: INIT MQTT: SUCCESS
sd   main:MESSAGE:2022-09-06 15h14.54 utc:1635: Vulnerability scan 62fa8655-d449-41ad-8897-0cec7ea36924 started: Target has 254 hosts: 192.168.10.1/24, with max_hosts = 15 and max_checks = 4
libgvm boreas:MESSAGE:2022-09-06 15h14.54 utc:1635: Alive scan 62fa8655-d449-41ad-8897-0cec7ea36924 started: Target has 254 hosts
:WARNING:2022-09-06 15h14.55 utc:1674: nasl_pread: Failed to close file descriptor for child process (Operation not permitted)
:WARNING:2022-09-06 15h14.55 utc:1673: nasl_pread: Failed to close file descriptor for child process (Operation not permitted)
:WARNING:2022-09-06 15h14.55 utc:1672: nasl_pread: Failed to close file descriptor for child process (Operation not permitted)
sd   main:MESSAGE:2022-09-06 15h14.55 utc:1669: Vulnerability scan 62fa8655-d449-41ad-8897-0cec7ea36924 started for host: 192.168.10.10 (Vhosts: ns01.hacker-net.com)
sd   main:MESSAGE:2022-09-06 15h14.55 utc:1670: Vulnerability scan 62fa8655-d449-41ad-8897-0cec7ea36924 started for host: 192.168.10.1
sd   main:MESSAGE:2022-09-06 15h14.55 utc:1671: Vulnerability scan 62fa8655-d449-41ad-8897-0cec7ea36924 started for host: 192.168.10.9 (Vhosts: gvm.int.hacker-net.com)
libgvm boreas:MESSAGE:2022-09-06 15h14.59 utc:1635: Alive scan 62fa8655-d449-41ad-8897-0cec7ea36924 finished in 5 seconds: 3 alive hosts of 254.
1662477353: New connection from 127.0.0.1:33052 on port 1883.
1662477353: New client connected from 127.0.0.1:33052 as 5637697c-bc68-449f-8fd9-b15d9bb8dc62 (p5, c1, k0).
1662477353: Client 5637697c-bc68-449f-8fd9-b15d9bb8dc62 closed its connection.
1662477353: New connection from 127.0.0.1:33054 on port 1883.
1662477353: New connection from 127.0.0.1:33056 on port 1883.
1662477353: New client connected from 127.0.0.1:33054 as dc70def1-ea05-42c5-a9f3-329baafab160 (p5, c1, k0).
sd   main:MESSAGE:2022-09-06 15h15.53 utc:1670: Running LSC via Notus for 192.168.10.1
sd   main:MESSAGE:2022-09-06 15h15.53 utc:1670: Vulnerability scan 62fa8655-d449-41ad-8897-0cec7ea36924 finished for host 192.168.10.1 in 58.74 seconds
sd   main:MESSAGE:2022-09-06 15h15.53 utc:1671: Running LSC via Notus for 192.168.10.9
sd   main:MESSAGE:2022-09-06 15h15.53 utc:1669: Running LSC via Notus for 192.168.10.10
1662477353: New client connected from 127.0.0.1:33056 as 4b869c0f-6a11-4f85-87ea-e1838eab9a2d (p5, c1, k0).
1662477353: Client dc70def1-ea05-42c5-a9f3-329baafab160 closed its connection.
1662477353: Client 4b869c0f-6a11-4f85-87ea-e1838eab9a2d closed its connection.
1662477354: Client 3b60efd9-a4f0-40cb-9851-2e1ad2b82ab8 closed its connection.
sd   main:MESSAGE:2022-09-06 15h15.53 utc:1671: Vulnerability scan 62fa8655-d449-41ad-8897-0cec7ea36924 finished for host 192.168.10.9 in 58.88 seconds
sd   main:MESSAGE:2022-09-06 15h15.53 utc:1669: Vulnerability scan 62fa8655-d449-41ad-8897-0cec7ea36924 finished for host 192.168.10.10 in 58.89 seconds
sd   main:MESSAGE:2022-09-06 15h15.54 utc:1635: Vulnerability scan 62fa8655-d449-41ad-8897-0cec7ea36924 finished in 65 seconds: 3 alive hosts of 254

==> /var/log/gvm/ospd-openvas.log <==
OSPD[695] 2022-09-06 15:15:55,610: INFO: (ospd.ospd) 62fa8655-d449-41ad-8897-0cec7ea36924: Host scan finished.
OSPD[695] 2022-09-06 15:15:55,611: INFO: (ospd.ospd) 62fa8655-d449-41ad-8897-0cec7ea36924: Scan finished.

==> /var/log/gvm/gvmd.log <==
event task:MESSAGE:2022-09-06 15h16.00 UTC:1218: Status of task Server VLAN (d89e93f0-6f24-44ca-9397-e2d8c37c581d) has changed to Done

thecomet28 · September 21, 2022, 6:20pm

This was resolved by using the latest main branch in github along with adding the following to the dockerfile/setup:

ENV NMAP_PRIVILEGED=1
RUN setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nmap