18 KiB
Database Scan Reporting System - Architecture & Problem Analysis
Overview
This document provides a comprehensive analysis of the Sirius scan reporting system, detailing the current architecture, identified problems with scan result overwriting, and the planned solution for implementing source-tagged scan history.
Table of Contents
- System Architecture
- Scan Sources and Entry Points
- Database Schema Analysis
- Current Data Flow
- Core Problem Analysis
- File Structure and Key Components
- API Endpoints
- Frontend Interfaces
- Libraries and Dependencies
- Proposed Solution Architecture
System Architecture
High-Level Components
The Sirius vulnerability management system consists of multiple interconnected components:
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ Network │ │ Agent/ │ │ Manual/API │
│ Scanner │ │ Terminal │ │ Submissions │
│ (app-scanner) │ │ (app-agent) │ │ │
└─────────────────┘ └─────────────────┘ └─────────────────┘
│ │ │
└───────────────────────┼───────────────────────┘
│
┌─────────────────┐
│ Go API │
│ (go-api) │
│ Host Management│
└─────────────────┘
│
┌─────────────────┐
│ PostgreSQL │
│ Database │
└─────────────────┘
│
┌─────────────────┐
│ NextJS UI │
│ (sirius-ui) │
└─────────────────┘
Project Structure
go-api/- Core Go API and database managementapp-scanner/- Network-based vulnerability scanningapp-agent/- Host-based agent scanningsirius-ui/- NextJS frontend interfacesirius-api/- REST API handlers (Fiber framework)
Scan Sources and Entry Points
1. Network Scanner (app-scanner/)
Purpose: External network-based vulnerability discovery
Tools: nmap, rustscan, naabu, NSE scripts
Entry Point: app-scanner/internal/scan/manager.go
Key Files:
app-scanner/internal/scan/manager.go- Main scan orchestrationapp-scanner/internal/scan/strategies.go- Scan strategy implementationsapp-scanner/modules/nmap/nmap.go- Nmap integrationapp-scanner/modules/rustscan/rustscan.go- RustScan integrationapp-scanner/modules/naabu/naabu.go- Naabu integration
Data Flow:
Scan Target → Discovery (RustScan) → Vulnerability Scan (Nmap) →
host.AddHost() → Database Update → KV Store Update
Capabilities:
- Port discovery and enumeration
- Service detection
- Vulnerability scanning via NSE scripts
- CVE identification and scoring
- Network-accessible vulnerability assessment
2. Agent/Terminal Scanner (app-agent/)
Purpose: Internal host-based vulnerability and inventory discovery
Tools: PowerShell scripts, package managers, system queries
Entry Point: app-agent/internal/commands/scan/scan_command.go
Key Files:
app-agent/internal/commands/scan/scan_command.go- Main scan orchestrationapp-agent/internal/commands/scan/types.go- Scan result structuresapp-agent/internal/commands/scan/windows_scan.go- Windows-specific scanningapp-agent/internal/shell/- Script execution framework
Data Flow:
Terminal Command → Agent Execution → Package/Patch Enumeration →
API POST /host → handlers.AddHost() → host.AddHost() → Database Update
Capabilities:
- Installed software inventory
- Patch level assessment
- Internal configuration scanning
- Custom PowerShell script execution
- OS-specific vulnerability detection
3. Manual/API Submissions
Purpose: Direct API-based host and vulnerability data submission Entry Point: REST API endpoints
Data Flow:
External Tool/User → HTTP POST /host → handlers.AddHost() →
host.AddHost() → Database Update
Database Schema Analysis
Core Models
Located in go-api/sirius/postgres/models/
Host Model (host.go)
type Host struct {
gorm.Model
HID string
OS string
OSVersion string
IP string `gorm:"uniqueIndex"`
Hostname string
Ports []Port `gorm:"many2many:host_ports"`
Services []Service
Vulnerabilities []Vulnerability `gorm:"many2many:host_vulnerabilities"`
CPEs []CPE
Users []User
Notes []Note
AgentID uint
}
Vulnerability Model (vulnerability.go)
type Vulnerability struct {
gorm.Model
VID string `gorm:"column:v_id"`
Description string
Title string
Hosts []Host `gorm:"many2many:host_vulnerabilities"`
RiskScore float64
}
Junction Tables
type HostVulnerability struct {
gorm.Model
HostID uint
VulnerabilityID uint
// MISSING: Source attribution fields
}
type HostPort struct {
gorm.Model
HostID uint
PortID uint
// MISSING: Source attribution fields
}
Current Schema Limitations
Problem: Junction tables lack source attribution, making it impossible to track which scanner reported which findings.
Missing Fields:
- Source identification (scanner name)
- Source version
- First/last seen timestamps
- Confidence scoring
- Status tracking
Current Data Flow
Network Scanner Flow
- Scan Initiation:
app-scanner/internal/scan/manager.go - Discovery Phase: RustScan finds open ports
- Vulnerability Phase: Nmap performs vulnerability assessment
- Data Processing: Results mapped to
sirius.Hoststructure - Database Update:
host.AddHost()called - Association Replacement: [PROBLEM] All existing associations replaced
Agent Scanner Flow
- Command Execution: Terminal runs scan command
- Agent Processing:
app-agent/internal/commands/scan/scan_command.go - Data Collection: OS-specific package/vulnerability enumeration
- API Submission: HTTP POST to
/hostendpoint - Handler Processing:
sirius-api/handlers/host_handler.go - Database Update:
host.AddHost()called - Association Replacement: [PROBLEM] All existing associations replaced
Core Problem Analysis
The Overwriting Issue
Location: go-api/sirius/host/host.go, lines 216-229
// THIS IS THE PROBLEM - Complete replacement of associations
err = db.Model(&existingHost).Association("Vulnerabilities").Replace(dbHost.Vulnerabilities)
err = db.Model(&existingHost).Association("Ports").Replace(dbHost.Ports)
Impact
- Data Loss: When network scanner runs after agent scan, all agent-discovered vulnerabilities are lost
- Incomplete Assessment: No holistic view combining findings from multiple sources
- False Negatives: Internal vulnerabilities hidden when external scan runs
- No Historical Tracking: No way to see when vulnerabilities were first/last detected
- Source Attribution Loss: No way to know which tool found which vulnerability
Example Scenario
1. Agent scan finds: CVE-2023-1234 (internal software vulnerability)
2. Database stores: Host X -> CVE-2023-1234 (source: unknown)
3. Network scan finds: CVE-2023-5678 (network service vulnerability)
4. Database now only contains: Host X -> CVE-2023-5678
5. CVE-2023-1234 is lost forever
File Structure and Key Components
Go API Core (go-api/)
go-api/
├── sirius/
│ ├── host/
│ │ └── host.go # Core host management (NEEDS MODIFICATION)
│ ├── vulnerability/
│ │ └── vulnerability.go # Vulnerability management
│ ├── postgres/
│ │ ├── models/
│ │ │ ├── host.go # Host data model (NEEDS MODIFICATION)
│ │ │ └── vulnerability.go # Vulnerability data model
│ │ ├── connection.go # Database connection management
│ │ ├── host_operations.go # Low-level host operations
│ │ └── vulnerability_operations.go
│ ├── store/
│ │ └── store.go # KV store for scan results
│ └── sirius.go # Core data structures
├── migrations/
│ └── 001_fix_relationships.go # Previous schema migration
└── nvd/
└── nvd.go # NVD API integration
Network Scanner (app-scanner/)
app-scanner/
├── internal/
│ └── scan/
│ ├── manager.go # Main scan orchestration (NEEDS MODIFICATION)
│ └── strategies.go # Scan strategy implementations
├── modules/
│ ├── nmap/
│ │ └── nmap.go # Nmap integration
│ ├── rustscan/
│ │ └── rustscan.go # RustScan integration
│ └── naabu/
│ └── naabu.go # Naabu integration
└── cmd/
└── scan-full-test/
└── main.go # Testing utilities
Agent Scanner (app-agent/)
app-agent/
├── internal/
│ └── commands/
│ └── scan/
│ ├── scan_command.go # Main scan command (NEEDS MODIFICATION)
│ ├── types.go # Scan result types
│ └── windows_scan.go # Windows-specific scanning
└── internal/
└── shell/ # Script execution framework
REST API (sirius-api/)
sirius-api/
├── handlers/
│ └── host_handler.go # HTTP handlers (NEEDS MODIFICATION)
└── routes/
└── host_routes.go # Route definitions
Frontend (sirius-ui/)
sirius-ui/
├── src/
│ ├── pages/
│ │ ├── scanner.tsx # Network scanner interface
│ │ └── terminal.tsx # Agent/terminal interface
│ ├── components/
│ │ ├── scanner/ # Scanner-specific components
│ │ └── EnvironmentDataTable.tsx # Host data display
│ ├── hooks/
│ │ ├── useScanResults.ts # Scan result management
│ │ └── useStartScan.ts # Scan initiation
│ └── types/
│ └── scanTypes.ts # Type definitions
API Endpoints
Host Management Endpoints
Base URL: http://localhost:9001
Core Endpoints
- POST
/host- Add/update host data- Handler:
sirius-api/handlers/host_handler.go:AddHost() - CRITICAL: This is where agent data enters the system
- Handler:
- GET
/host/{ip}- Get host details- Handler:
sirius-api/handlers/host_handler.go:GetHost()
- Handler:
- GET
/host- List all hosts- Handler:
sirius-api/handlers/host_handler.go:GetAllHosts()
- Handler:
Vulnerability Endpoints
- GET
/host/vulnerabilities/all- Get all vulnerabilities - GET
/host/statistics/{ip}- Get host statistics - GET
/host/severity/{ip}- Get vulnerability severity counts
Scan Management Endpoints
- POST
/app/scan- Start network scan- Initiates network scanner workflow
- Updates KV store with scan progress
Request/Response Formats
Host Submission Format
{
"hid": "a1b2c3d4e5f6",
"os": "Windows",
"osversion": "Server 2003",
"ip": "192.168.50.13",
"hostname": "lab-server",
"ports": [
{
"id": 445,
"protocol": "tcp",
"state": "closed"
}
],
"vulnerabilities": [
{
"vid": "CVE-2021-34527",
"description": "Mock Data",
"title": ""
}
],
"cpe": ["cpe:2.3:o:canonical:ubuntu:22.04"],
"users": ["alice", "bob"],
"notes": ["Initial setup completed"]
}
Frontend Interfaces
Scanner Interface (scanner.tsx)
Location: sirius-ui/src/pages/scanner.tsx
Purpose: Network scanning interface and results display
Key Features:
- Target specification (IP, CIDR, ranges)
- Scan template selection (quick, comprehensive, etc.)
- Live scan progress monitoring
- Host and vulnerability result tables
- Report generation functionality
Components Used:
ScanForm- Target input and scan initiationScanStatus- Live scan progress displayEnvironmentDataTable- Host resultsVulnerabilityTable- Vulnerability results
Terminal Interface (terminal.tsx)
Location: sirius-ui/src/pages/terminal.tsx
Purpose: Agent-based terminal interface
Key Features:
- Terminal emulation for agent commands
- Agent connectivity management
- Scan command execution
- Result submission to API
Components Used:
TerminalWrapper- Main terminal interfaceDynamicTerminal- Terminal emulation logic
Data Flow in Frontend
- Network Scan: User initiates via scanner.tsx → API call → Database update
- Agent Scan: User executes via terminal.tsx → Agent execution → API submission → Database update
- Result Display: Both interfaces query same API endpoints for unified view
Libraries and Dependencies
Go Dependencies (go-api/go.mod)
Core Framework:
gorm.io/gorm- ORM for database operationsgorm.io/driver/postgres- PostgreSQL driver
Database and Storage:
- PostgreSQL - Primary data storage
- Valkey - KV store for scan progress
External APIs:
- NVD API - CVE data enrichment
Scanner Dependencies
Network Scanner Tools:
nmap- Network mapper and vulnerability scannerrustscan- Fast port discoverynaabu- Port scanning library
Agent Framework:
- PowerShell - Windows script execution
- Various package managers - Software inventory
Frontend Dependencies (sirius-ui/package.json)
Core Framework:
next- React frameworkreact- UI librarytypescript- Type safety
UI Components:
tailwindcss- Styling framework@shadcn/ui- Component library- Custom component system
State Management:
@tanstack/react-query- Data fetching and cachingtrpc- Type-safe API calls
Proposed Solution Architecture
Phase 1: Enhanced Database Schema
New Junction Table Structure
type HostVulnerability struct {
gorm.Model
HostID uint
VulnerabilityID uint
Source string `json:"source"` // "nmap", "agent", "manual"
SourceVersion string `json:"source_version"` // Scanner version
FirstSeen time.Time `json:"first_seen"`
LastSeen time.Time `json:"last_seen"`
Status string `json:"status"` // "active", "resolved"
Confidence float64 `json:"confidence"` // 0.0-1.0
Port *int `json:"port,omitempty"` // Specific port
Notes string `json:"notes,omitempty"`
}
Phase 2: Source-Aware API
New Function Signatures
func AddHostWithSource(host sirius.Host, source ScanSource) error
func UpdateVulnerabilitiesWithSource(hostID uint, vulns []sirius.Vulnerability, source ScanSource) error
func GetHostWithSources(ip string) (HostWithSources, error)
Phase 3: Scanner Integration
Modified Entry Points
- Network Scanner: Update
app-scanner/internal/scan/manager.goto use source-aware functions - Agent Scanner: Update
app-agent/internal/commands/scan/scan_command.goto include source metadata - API Handlers: Update
sirius-api/handlers/host_handler.goto determine and pass source information
Phase 4: Frontend Enhancements
Enhanced Display Components
- Source attribution in vulnerability tables
- Historical timeline views
- Source filtering and comparison
- Confidence-based result ranking
Implementation Priority
Critical Files to Modify
go-api/sirius/postgres/models/host.go- Add source tracking fieldsgo-api/sirius/host/host.go- Replace Association.Replace() with source-aware logicapp-scanner/internal/scan/manager.go- Add source metadata to database callssirius-api/handlers/host_handler.go- Add source determination logic- Database migration - Update schema and migrate existing data
Development Phases
- Phase 1 (Week 1): Database schema and core API changes
- Phase 2 (Week 2): Scanner integration and source attribution
- Phase 3 (Week 3): Frontend enhancements and testing
- Phase 4 (Week 4): Migration, documentation, and deployment
Risk Assessment
High Risk Areas
- Data Migration: Existing data needs proper source attribution
- Backward Compatibility: Existing API clients must continue working
- Performance Impact: Additional fields and queries may affect performance
- Testing Coverage: Multiple scan sources need comprehensive testing
Mitigation Strategies
- Gradual Migration: Phase implementation with backward compatibility
- Comprehensive Testing: Test all scan source combinations
- Performance Monitoring: Track query performance during development
- Rollback Plan: Maintain ability to revert changes if needed
This documentation serves as the foundation for implementing source-tagged scan history in the Sirius vulnerability management system. All identified files, functions, and data flows have been mapped to enable efficient development and maintenance of the enhanced system.