
feat(scanner): support disablerepo option for yum/dnf#2559

Merged
MaineK00n merged 1 commit into master from MaineK00n/feat-scanner-disablerepo on May 20, 2026

Conversation

@MaineK00n
Collaborator

@MaineK00n MaineK00n commented May 19, 2026

Summary

  • Add Disablerepo []string config field, mirroring the existing Enablerepo, so users can pass --disablerepo=<repo> to repoquery on RHEL-family hosts (CentOS, Alma, Rocky, RHEL, Amazon, Fedora).
  • Useful for excluding third-party repos (e.g. EPEL, internal mirrors) from updatable package scans without having to disable them globally on the host.
  • Also adds enablerepo / disablerepo sample lines to the discover subcommand's config.toml template.

The existing Enablerepo base/updates-only restriction is left intact to keep this change minimal; lifting it can be a follow-up.

Test plan

  • go build ./... passes
  • go vet ./... passes
  • On a RHEL-family host, set disablerepo = ["epel"] and confirm repoquery is invoked with --disablerepo=epel
  • vuls discover outputs the new sample lines in the generated config.toml

🤖 Generated with Claude Code

Add Disablerepo config field so users can pass --disablerepo=<repo>
to repoquery on RHEL-family hosts, mirroring the existing Enablerepo
option. Useful for excluding third-party repos (e.g. EPEL) from
updatable package scans.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
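As an added illustration (not code from the vuls project or this PR), the hypothetical Go sketch below shows how the enablerepo/disablerepo config fields described above map to the repoquery invocation visible in the scan log, and applies the base/updates-only restriction on enablerepo; the repo-id allow-list is an assumption of this example, not a check the page attributes to the project.

```go
package main

import (
	"fmt"
	"regexp"
)

// repoConfig stands in for the config fields (constructed for this example, not the project's type).
type repoConfig struct {
	Enablerepo  []string
	Disablerepo []string
}

// repoID is an assumed allow-list: the scan log shows the command run through
// /bin/sh -c, so repo ids are limited to plain identifier characters.
var repoID = regexp.MustCompile(`^[A-Za-z0-9._+-]+$`)

// validateRepos mirrors the restriction the PR describes: enablerepo accepts
// only "base" and "updates"; disablerepo accepts any well-formed repo id.
func validateRepos(c repoConfig) error {
	for _, r := range c.Enablerepo {
		if r != "base" && r != "updates" {
			return fmt.Errorf("enablerepo: %q not allowed (only base, updates)", r)
		}
	}
	for _, r := range c.Disablerepo {
		if !repoID.MatchString(r) {
			return fmt.Errorf("disablerepo: %q is not a valid repo id", r)
		}
	}
	return nil
}

// repoqueryUpgradesArgs builds the repoquery argument list seen in the scan
// log, with one --enablerepo/--disablerepo flag per configured repo.
func repoqueryUpgradesArgs(c repoConfig) []string {
	args := []string{"repoquery", "--upgrades"}
	for _, r := range c.Enablerepo {
		args = append(args, "--enablerepo="+r)
	}
	for _, r := range c.Disablerepo {
		args = append(args, "--disablerepo="+r)
	}
	return append(args, `--qf='"%{NAME}" "%{EPOCH}" "%{VERSION}" "%{RELEASE}" "%{REPONAME}"'`, "-q")
}

// main prints the argument list for the test session's config (disablerepo = ["broken"]).
func main() { fmt.Println(repoqueryUpgradesArgs(repoConfig{Disablerepo: []string{"broken"}})) }
```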
@MaineK00n MaineK00n force-pushed the MaineK00n/feat-scanner-disablerepo branch from 8fafae7 to 92a67d1 on May 19, 2026 09:14
@MaineK00n MaineK00n self-assigned this May 19, 2026
@MaineK00n
Collaborator Author

MaineK00n commented May 19, 2026

setup

[vagrant@localhost vagrant]$ sudo bash -c 'cat > /etc/yum.repos.d/broken.repo' <<'EOF'
[broken]
name=broken
baseurl=http://127.0.0.1:1/
enabled=1
gpgcheck=0
skip_if_unavailable=False
EOF
[vagrant@localhost vagrant]$ sudo dnf clean all
[vagrant@localhost vagrant]$ repoquery --upgrades
broken                                                                                                                                                                             0.0  B/s |   0  B     00:00    
Errors during downloading metadata for repository 'broken':
  - Curl error (7): Could not connect to server for http://127.0.0.1:1/repodata/repomd.xml [Failed to connect to 127.0.0.1 port 1 after 0 ms: Could not connect to server]
Error: Failed to download metadata for repo 'broken': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried

[vagrant@localhost vagrant]$ cat config.toml 
[servers]

[servers.localhost]
host = "localhost"
port = "local"
scanMode           = ["fast"]
scanModules        = ["ospkg"]
disablerepo = ["broken"]

before

[vagrant@localhost vagrant]$ vuls scan
[May 19 13:30:34]  INFO [localhost] vuls-0.39.1-140017bde3f1b484013b3ee58a909079c4533572-2026-05-18T09:39:28Z
[May 19 13:30:34]  INFO [localhost] Start scanning
[May 19 13:30:34]  INFO [localhost] config: /vagrant/config.toml
[May 19 13:30:34]  INFO [localhost] Validating config...
[May 19 13:30:34]  INFO [localhost] Detecting Server/Container OS... 
[May 19 13:30:34]  INFO [localhost] Detecting OS of servers... 
[May 19 13:30:34]  INFO [localhost] (1/1) Detected: localhost: alma 10.0
[May 19 13:30:34]  INFO [localhost] Detecting OS of containers... 
[May 19 13:30:34]  INFO [localhost] Checking Scan Modes... 
[May 19 13:30:34]  INFO [localhost] Detecting Platforms... 
[May 19 13:30:36]  INFO [localhost] (1/1) localhost is running on other
[May 19 13:30:36]  INFO [localhost] Scanning OS pkg in fast mode
[May 19 13:30:37]  WARN [localhost] err: Failed to scan updatable packages:
    github.com/future-architect/vuls/scanner.(*redhatBase).scanPackages
        github.com/future-architect/vuls/scanner/redhatbase.go:439
  - Failed to SSH: execResult: servername: 
      cmd: /bin/sh -c repoquery --upgrades --qf='"%{NAME}" "%{EPOCH}" "%{VERSION}" "%{RELEASE}" "%{REPONAME}"' -q
      exitstatus: 1
      stdout: 
      stderr: Error: Failed to download metadata for repo 'broken': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
    
      err: exit status 1:
    github.com/future-architect/vuls/scanner.(*redhatBase).scanUpdatablePackages
        github.com/future-architect/vuls/scanner/redhatbase.go:794
[May 19 13:30:37]  WARN [localhost] Some warnings occurred during scanning on localhost. Please fix the warnings to get a useful information. Execute configtest subcommand before scanning to know the cause of the warnings. warnings: [Failed to scan updatable packages:
    github.com/future-architect/vuls/scanner.(*redhatBase).scanPackages
        github.com/future-architect/vuls/scanner/redhatbase.go:439
  - Failed to SSH: execResult: servername: 
      cmd: /bin/sh -c repoquery --upgrades --qf='"%{NAME}" "%{EPOCH}" "%{VERSION}" "%{RELEASE}" "%{REPONAME}"' -q
      exitstatus: 1
      stdout: 
      stderr: Error: Failed to download metadata for repo 'broken': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
    
      err: exit status 1:
    github.com/future-architect/vuls/scanner.(*redhatBase).scanUpdatablePackages
        github.com/future-architect/vuls/scanner/redhatbase.go:794]


Scan Summary
================
localhost	alma10.0	614 installed, 0 updatable

Warning: [Failed to scan updatable packages:
    github.com/future-architect/vuls/scanner.(*redhatBase).scanPackages
        github.com/future-architect/vuls/scanner/redhatbase.go:439
  - Failed to SSH: execResult: servername: 
      cmd: /bin/sh -c repoquery --upgrades --qf='"%{NAME}" "%{EPOCH}" "%{VERSION}" "%{RELEASE}" "%{REPONAME}"' -q
      exitstatus: 1
      stdout: 
      stderr: Error: Failed to download metadata for repo 'broken': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
    
      err: exit status 1:
    github.com/future-architect/vuls/scanner.(*redhatBase).scanUpdatablePackages
        github.com/future-architect/vuls/scanner/redhatbase.go:794]



To view the detail, vuls tui is useful.
To send a report, run vuls report -h.

after

[vagrant@localhost vagrant]$ vuls scan
[May 19 13:31:22]  INFO [localhost] vuls-v0.39.1-build-20260519_214435_92a67d19
[May 19 13:31:22]  INFO [localhost] Start scanning
[May 19 13:31:22]  INFO [localhost] config: /vagrant/config.toml
[May 19 13:31:22]  INFO [localhost] Validating config...
[May 19 13:31:22]  INFO [localhost] Detecting Server/Container OS... 
[May 19 13:31:22]  INFO [localhost] Detecting OS of servers... 
[May 19 13:31:22]  INFO [localhost] (1/1) Detected: localhost: alma 10.0
[May 19 13:31:22]  INFO [localhost] Detecting OS of containers... 
[May 19 13:31:22]  INFO [localhost] Checking Scan Modes... 
[May 19 13:31:22]  INFO [localhost] Detecting Platforms... 
[May 19 13:31:24]  INFO [localhost] (1/1) localhost is running on other
[May 19 13:31:24]  INFO [localhost] Scanning OS pkg in fast mode


Scan Summary
================
localhost	alma10.0	614 installed, 289 updatable





To view the detail, vuls tui is useful.
To send a report, run vuls report -h.

[vagrant@localhost vagrant]$ vuls discover 127.0.0.1
[May 19 13:34:23]  INFO [localhost] vuls-v0.39.1-build-20260519_214435_92a67d19
# Create config.toml using below and then ./vuls -config=/path/to/config.toml


# https://vuls.io/docs/en/config.toml.html#database-section
[cveDict]
#type = ["sqlite3", "mysql", "postgres", "redis", "http" ]
#sqlite3Path = "/path/to/cve.sqlite3"
#url        = ""
#debugSQL = false
#timeoutSec = 0
#timeoutSecPerRequest = 0

[gost]
#type = ["sqlite3", "mysql", "postgres", "redis", "http" ]
#sqlite3Path = "/path/to/gost.sqlite3"
#url        = ""
#debugSQL = false
#timeoutSec = 0
#timeoutSecPerRequest = 0

[cti]
#type = ["sqlite3", "mysql", "postgres", "redis", "http" ]
#sqlite3Path = "/path/to/go-cti.sqlite3"
#url        = ""
#debugSQL = false
#timeoutSec = 0
#timeoutSecPerRequest = 0

[vuls2]
#Path = "/path/to/vuls.db"
#Repository = "ghcr.io/vulsio/vuls-nightly-db:<schema-version>"
#SkipUpdate = false

# https://vuls.io/docs/en/config.toml.html#slack-section
#[slack]
#hookURL      = "https://hooks.slack.com/services/abc123/defghijklmnopqrstuvwxyz"
##legacyToken = "xoxp-11111111111-222222222222-3333333333"
#channel      = "#channel-name"
##channel     = "${servername}"
#iconEmoji    = ":ghost:"
#authUser     = "username"
#notifyUsers  = ["@username"]

# https://vuls.io/docs/en/config.toml.html#email-section
#[email]
#smtpAddr              = "smtp.example.com"
#smtpPort              = "587"
#tlsMode               = "STARTTLS"
#tlsInsecureSkipVerify = false
#user                  = "username"
#password              = "password"
#from                  = "from@example.com"
#to                    = ["to@example.com"]
#cc                    = ["cc@example.com"]
#subjectPrefix         = "[vuls]"

# https://vuls.io/docs/en/config.toml.html#http-section
#[http]
#url = "http://localhost:11234"

# https://vuls.io/docs/en/config.toml.html#syslog-section
#[syslog]
#protocol    = "tcp"
#host        = "localhost"
#port        = "514"
#tag         = "vuls"
#facility    = "local0"
#severity    = "alert"
#verbose     = false

# https://vuls.io/docs/en/usage-report.html#example-put-results-in-s3-bucket
#[aws]
#s3Endpoint             = "http://localhost:9000"
#region                 = "ap-northeast-1"
#profile                = "default"
#credentialProvider     = "anonymous"
#s3Bucket               = "vuls"
#s3ResultsDir           = "/path/to/result"
#s3ServerSideEncryption = "AES256"
#s3UsePathStyle         = false

# https://vuls.io/docs/en/usage-report.html#example-put-results-in-azure-blob-storage
#[azure]
#endpoint      = "https://default.blob.core.windows.net/"
#accountName   = "default"
#accountKey    = "xxxxxxxxxxxxxx"
#containerName = "vuls"

# https://vuls.io/docs/en/config.toml.html#chatwork-section
#[chatwork]
#room     = "xxxxxxxxxxx"
#apiToken = "xxxxxxxxxxxxxxxxxx"

# https://vuls.io/docs/en/config.toml.html#googlechat-section
#[googlechat]
#webHookURL = "https://chat.googleapis.com/v1/spaces/xxxxxxxxxx/messages?key=yyyyyyyyyy&token=zzzzzzzzzz%3D"
#skipIfNoCve = false
#serverNameRegexp = "^(\\[Reboot Required\\] )?((spam|ham).*|.*(egg)$)" # include spamonigiri, hamburger, boiledegg
#serverNameRegexp = "^(\\[Reboot Required\\] )?(?:(spam|ham).*|.*(?:egg)$)" # exclude spamonigiri, hamburger, boiledegg

# https://vuls.io/docs/en/config.toml.html#telegram-section
#[telegram]
#chatID     = "xxxxxxxxxxx"
#token = "xxxxxxxxxxxxxxxxxx"

#[wpscan]
#token = "xxxxxxxxxxx"
#detectInactive = false

# https://vuls.io/docs/en/config.toml.html#default-section
[default]
#port               = "22"
#user               = "username"
#keyPath            = "/home/username/.ssh/id_rsa"
#scanMode           = ["fast", "fast-root", "deep", "offline"]
#scanModules        = ["ospkg", "wordpress", "lockfile", "port"]
#lockfiles = ["/path/to/package-lock.json"]
#cpeNames = [
#  "cpe:/a:rubyonrails:ruby_on_rails:4.2.1",
#]
#owaspDCXMLPath     = "/tmp/dependency-check-report.xml"
#ignoreCves         = ["CVE-2014-6271"]
#containerType      = "docker" #or "lxd" or "lxc" default: docker
#containersIncluded = ["${running}"]
#containersExcluded = ["container_name_a"]
#enablerepo         = ["base", "updates"] # For RHEL-family. Currently only "base" and "updates" are allowed
#disablerepo        = ["epel"] # For RHEL-family

# https://vuls.io/docs/en/config.toml.html#servers-section
[servers]

[servers.127-0-0-1]
host                = "127.0.0.1"
#ignoreIPAddresses  = ["127.0.0.1"]
#port               = "22"
#user               = "root"
#sshConfigPath		= "/home/username/.ssh/config"
#keyPath            = "/home/username/.ssh/id_rsa"
#scanMode           = ["fast", "fast-root", "deep", "offline"]
#scanModules        = ["ospkg", "wordpress", "lockfile", "port"]
#type               = "pseudo"
#memo               = "DB Server"
#findLock = true
#findLockDirs = [ "/path/to/prject/lib" ]
#lockfiles = ["/path/to/package-lock.json"]
#cpeNames           = [ "cpe:/a:rubyonrails:ruby_on_rails:4.2.1" ]
#owaspDCXMLPath     = "/path/to/dependency-check-report.xml"
#ignoreCves         = ["CVE-2014-0160"]
#containersOnly     = false
#containerType      = "docker" #or "lxd" or "lxc" default: docker
#containersIncluded = ["${running}"]
#containersExcluded = ["container_name_a"]
#enablerepo         = ["base", "updates"] # For RHEL-family. Currently only "base" and "updates" are allowed
#disablerepo        = ["epel"] # For RHEL-family
#confidenceScoreOver = 80

#[servers.127-0-0-1.containers.container_name_a]
#cpeNames       = [ "cpe:/a:rubyonrails:ruby_on_rails:4.2.1" ]
#owaspDCXMLPath = "/path/to/dependency-check-report.xml"
#ignoreCves     = ["CVE-2014-0160"]

#[servers.127-0-0-1.wordpress]
#cmdPath = "/usr/local/bin/wp"
#osUser = "wordpress"
#docRoot = "/path/to/DocumentRoot/"
#noSudo = false

#[servers.127-0-0-1.portscan]
#scannerBinPath = "/usr/bin/nmap"
#hasPrivileged = true
#scanTechniques = ["sS"]
#sourcePort = "65535"

#[servers.127-0-0-1.windows]
#serverSelection = 3
#cabPath = "/path/to/wsusscn2.cab"

#[servers.127-0-0-1.optional]
#key = "value1"

@MaineK00n MaineK00n requested a review from shino May 19, 2026 13:35
Collaborator

@shino shino left a comment


🎊

@MaineK00n MaineK00n merged commit 48f8c79 into master May 20, 2026
7 checks passed
@MaineK00n MaineK00n deleted the MaineK00n/feat-scanner-disablerepo branch May 20, 2026 02:25