docs/ref/modules/vulnerability-scanner/test-tools.md
Test tools

Below is a quick overview of the command line tools used to validate CTI feed processing and inspect local VD databases.

These tools do not reproduce the InventorySync-based detection pipeline.

Scope: The scanner test tool is currently limited to CTI feed database operations (snapshot/update). Legacy Syscollector delta/rsync flags remain in the CLI for older experiments but are not representative of the production pipeline.

Compilation

The command line test tools are intended for development purposes and are not shipped in the Wazuh manager packages. To use them, the project must be compiled from source:

```console
cd wazuh/src
make deps
make -j$(nproc) TARGET=server
```

Vulnerability Scanner tool

Location path

```console
src/build/bin/vd_scanner_testtool
```

Note: run the CLI with --help to display the available options.

Database creation

Command

```console
src/build/bin/vd_scanner_testtool -c config.json -d
```

Configuration file

```json
{
  "vulnerability-detection": {
    "enabled": "yes",
    "cti-url": "https://cti.wazuh.com/api/v1/catalog/contexts/vd_1.0.0/consumers/vd_4.8.0"
  },
  "clusterName": "cluster01"
}
```

  • The -d flag downloads a snapshot from CTI and processes its content to create a local CVE database.
  • The outcome of this command is a RocksDB CVE database, stored in a queue directory under the current working directory.
  • The process takes some minutes until the snapshot file has been processed.

Note: The progress can be followed in the logs printed by the tool. Optionally, with the -l argument, the logs can be written to a file.

```console
...
wazuh-manager-modulesd:vulnerability-scanner:databaseFeedManager.hpp:254 processMessage : Processing line: 180001
wazuh-manager-modulesd:vulnerability-scanner:databaseFeedManager.hpp:254 processMessage : Processing line: 181001
wazuh-manager-modulesd:vulnerability-scanner:databaseFeedManager.hpp:254 processMessage : Processing line: 182001
wazuh-manager-modulesd:vulnerability-scanner:databaseFeedManager.hpp:254 processMessage : Processing line: 183001
wazuh-manager-modulesd:vulnerability-scanner:databaseFeedManager.hpp:254 processMessage : Processing line: 184001
wazuh-manager-modulesd:vulnerability-scanner:databaseFeedManager.hpp:254 processMessage : Processing line: 185001
wazuh-manager-modulesd:vulnerability-scanner:databaseFeedManager.hpp:254 processMessage : Processing line: 186001
wazuh-manager-modulesd:vulnerability-scanner:databaseFeedManager.hpp:254 processMessage : Processing line: 187001
...
wazuh-manager-modulesd:vulnerability-scanner:databaseFeedManager.hpp:254 processMessage : Processing line: 292001
wazuh-manager-modulesd:vulnerability-scanner:databaseFeedManager.hpp:369 operator() : Feed update process completed.
Only download content flag is set. Stopping the scanner...
```

Note: Starting the vulnerability scanner tool without the -d option will update the CVE database with new data not present in the snapshot.

```console
wazuh-manager-modulesd:vulnerability-scanner:databaseFeedManager.hpp:355 operator() : Initiating update feed process.
wazuh-manager-modulesd:vulnerability-scanner:databaseFeedManager.hpp:188 processMessage : Processing file: queue/vd_updater/tmp/contents/1906695-api_file.json
wazuh-manager-modulesd:vulnerability-scanner:databaseFeedManager.hpp:188 processMessage : Processing file: queue/vd_updater/tmp/contents/1907695-api_file.json
...
wazuh-manager-modulesd:vulnerability-scanner:databaseFeedManager.hpp:369 operator() : Feed update process completed.
```
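When the tool runs unattended (for example with -l writing to a file), it helps to check the log mechanically rather than eyeballing it. The following is an added example, not part of the Wazuh code base: it parses the message formats shown in the two log excerpts above to report the last snapshot line counter, the update files processed, and whether the run finished as a download-only (-d) snapshot or as a feed update. The sample log lines embedded below are constructed from those excerpts.

```python
import re

# Message formats as they appear in the vd_scanner_testtool output on this page.
LINE_RE = re.compile(r"processMessage : Processing line: (\d+)$")
FILE_RE = re.compile(r"processMessage : Processing file: (\S+)$")
START_RE = re.compile(r"Initiating update feed process\.$")
DONE_RE = re.compile(r"Feed update process completed\.$")
STOP_RE = re.compile(r"^Only download content flag is set\. Stopping the scanner")

# Constructed samples: a few lines taken from the -d run and the update run shown above.
SNAPSHOT_LOG = [
    "wazuh-manager-modulesd:vulnerability-scanner:databaseFeedManager.hpp:254 processMessage : Processing line: 186001",
    "wazuh-manager-modulesd:vulnerability-scanner:databaseFeedManager.hpp:254 processMessage : Processing line: 292001",
    "wazuh-manager-modulesd:vulnerability-scanner:databaseFeedManager.hpp:369 operator() : Feed update process completed.",
    "Only download content flag is set. Stopping the scanner...",
]
UPDATE_LOG = [
    "wazuh-manager-modulesd:vulnerability-scanner:databaseFeedManager.hpp:355 operator() : Initiating update feed process.",
    "wazuh-manager-modulesd:vulnerability-scanner:databaseFeedManager.hpp:188 processMessage : Processing file: queue/vd_updater/tmp/contents/1906695-api_file.json",
    "wazuh-manager-modulesd:vulnerability-scanner:databaseFeedManager.hpp:369 operator() : Feed update process completed.",
]


def parse_feed_log(lines):
    """Summarise a vd_scanner_testtool log (stdout or the file written with -l)."""
    summary = {"last_line": None, "files": [], "update_started": False,
               "completed": False, "download_only_stop": False}
    for raw in lines:
        line = raw.rstrip("\n")
        if m := LINE_RE.search(line):
            # Snapshot progress counter; keep the highest value seen.
            summary["last_line"] = max(summary["last_line"] or 0, int(m.group(1)))
        elif m := FILE_RE.search(line):
            summary["files"].append(m.group(1))
        elif START_RE.search(line):
            summary["update_started"] = True
        elif DONE_RE.search(line):
            summary["completed"] = True
        elif STOP_RE.search(line):
            summary["download_only_stop"] = True
    return summary


def run_mode(summary):
    """Classify a run as 'snapshot' (-d), 'update' (no -d), 'incomplete' or 'unknown'."""
    if not summary["completed"]:
        return "incomplete"
    if summary["download_only_stop"]:
        return "snapshot"
    if summary["update_started"] or summary["files"]:
        return "update"
    return "unknown"
```

A run that stops without reaching "Feed update process completed." is reported as incomplete, which is the case to investigate before using the database.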

Legacy ingestion (not supported)

The scanner test tool still accepts -i input files and can start fake WDB/report sockets, but that path relies on legacy Syscollector delta/rsync FlatBuffer schemas and Router test providers. It does not exercise the InventorySync pipeline, so it should not be used to validate detections or indexer output. Use the production pipeline (InventorySync + VD) for detections.

Inject CVEs into the Vulnerability Scanner Database

Location path

```console
src/build/bin/database_feed_manager_testtool
```

Command

```console
src/build/bin/database_feed_manager_testtool -c config.json -F <CVE5.fbs_PATH> -r <LIST_CVE> -o <OFFSET>
```

Configuration file

```json
{
  "vulnerability-detection": {
    "enabled": "yes",
    "cti-url": "https://cti.wazuh.com/api/v1/catalog/contexts/vd_1.0.0/consumers/vd_4.8.0"
  },
  "clusterName": "cluster01"
}
```

  • Database requirement: A decompressed database must exist in the current directory before running the command. You can generate it with the -d flag of the vd_scanner_testtool utility.
  • -F flag: Path to the CVE5.fbs file, the FlatBuffers schema used to parse CVE data.
  • -c flag: Path to the configuration file, which should match the configuration used by the actual vulnerability scanner.
  • -r flag: Injects new CVE entries into the database. The input must be a JSON array of CVE objects.
  • -o flag: Specifies the offset number to use when processing the CVE entries. If it is not specified or is negative, the default offset of 99999 is used.
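Because the injection tool writes straight into the local CVE database, it is worth validating the -r payload and the offset before invoking it. The following pre-flight helper is an added example, not part of Wazuh's tooling: it applies the documented -o rule (missing or negative becomes 99999), checks that the payload is a JSON array of CVE objects, and assembles the argv for database_feed_manager_testtool. It assumes the records follow the CVE JSON 5 layout (cveMetadata.cveId), the layout the CVE5.fbs schema describes, and passes the -r value through unchanged since the page does not state whether it is a path or inline JSON; the sample payload is constructed and reuses the two CVE IDs from the output example.

```python
import json
import re

DEFAULT_OFFSET = 99999  # applied by the tool when -o is missing or negative (see flags above)
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def effective_offset(offset):
    """Mirror the documented -o rule: missing or negative -> 99999."""
    return DEFAULT_OFFSET if offset is None or offset < 0 else offset


def validate_cve_array(payload_text):
    """Check that a -r payload is a JSON array of CVE records and return their IDs.

    Assumption: records follow the CVE JSON 5 layout (cveMetadata.cveId), the
    layout the CVE5.fbs schema passed with -F describes. Raises ValueError on
    the first problem so a malformed payload never reaches the database.
    """
    data = json.loads(payload_text)
    if not isinstance(data, list):
        raise ValueError("-r input must be a JSON array of CVE objects")
    ids = []
    for i, rec in enumerate(data):
        cve_id = rec.get("cveMetadata", {}).get("cveId") if isinstance(rec, dict) else None
        if not isinstance(cve_id, str) or not CVE_ID_RE.match(cve_id):
            raise ValueError(f"entry {i}: missing or malformed cveMetadata.cveId")
        if cve_id in ids:
            raise ValueError(f"entry {i}: duplicate record for {cve_id}")
        ids.append(cve_id)
    return ids


def build_command(config, schema, cve_arg, offset=None,
                  tool="src/build/bin/database_feed_manager_testtool"):
    """Assemble argv for the injection tool; the -r value is passed through as given."""
    return [tool, "-c", config, "-F", schema, "-r", cve_arg, "-o", str(effective_offset(offset))]


# Constructed sample: two minimal CVE 5 records using the IDs from the output example below.
SAMPLE_PAYLOAD = json.dumps([
    {"cveMetadata": {"cveId": "CVE-1999-0103", "state": "PUBLISHED"},
     "containers": {"cna": {"descriptions": [{"lang": "en", "value": "constructed"}]}}},
    {"cveMetadata": {"cveId": "CVE-2023-36617", "state": "PUBLISHED"},
     "containers": {"cna": {"descriptions": [{"lang": "en", "value": "constructed"}]}}},
])
```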

Output example

```console
Error deleting directory ./queue/vd #Ignore this
Replacing information for CVE: CVE-1999-0103
Process complete for CVE: CVE-1999-0103
Replacing information for CVE: CVE-2023-36617
Process complete for CVE: CVE-2023-36617
Press enter to stop the tool...
```