NVSHAS-8522: cross-reference severity from other feeds
becitsthere committed Dec 13, 2023
1 parent 29ff832 commit 8e620fe
Showing 6 changed files with 43 additions and 7 deletions.
3 changes: 2 additions & 1 deletion common/types.go
Expand Up @@ -14,6 +14,7 @@ const RHELCpeMapFile = "rhel-cpe.map"

type NVDMetadata struct {
Description string `json:"description,omitempty"`
Severity Priority
CVSSv2 CVSS
CVSSv3 CVSS
VulnVersions []NVDvulnerableVersion
Expand Down Expand Up @@ -74,7 +75,7 @@ type VulFull struct {
Namespace string `json:"NS"`
Description string `json:"D"`
Link string `json:"L"`
Severity string `json:"S"`
Severity Priority `json:"S"`
CVSSv2 CVSS `json:"C2"`
CVSSv3 CVSS `json:"C3"`
FixedBy string `json:"FB"`
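Review bot: `Severity Priority` is added to NVDMetadata and VulFull's persisted `S` field changes type with no comment saying what the field now holds or which feed it comes from. Since nvd.go's toSeverity in this commit returns "" rather than Unknown when NVD has no usable baseSeverity, and the updater only fills the field from the distro/app feed when it is "" or Unknown, that contract belongs on the struct: `// Severity is NVD's baseSeverity (CVSS 3.x, else 2.0); "" when NVD has none, in which case the updater fills it from the source feed.` The old `string(v.Severity)` conversion removed in memdb.go suggests Priority is string-kinded, so the `S` encoding in the database should be unchanged, but confirm Priority has no custom JSON marshalling before relying on that. Both structs are cut off at the hunk edges.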
3 changes: 2 additions & 1 deletion dbgen.go
Expand Up @@ -14,6 +14,7 @@ import (
utils "github.com/vul-dbgen/share"
"github.com/vul-dbgen/updater"
_ "github.com/vul-dbgen/updater/fetchers/alpine"

_ "github.com/vul-dbgen/updater/fetchers/amazon"
_ "github.com/vul-dbgen/updater/fetchers/apps"
_ "github.com/vul-dbgen/updater/fetchers/debian"
Expand All @@ -37,7 +38,7 @@ func main() {

version := flag.String("v", "0.90", "cve database version")
dbPath := flag.String("d", "", "cve database path")
debug := flag.String("debug", "", "debug filters")
debug := flag.String("debug", "", "debug filters. -debug v=CVE-2023-1000")
flag.Usage = usage
flag.Parse()

2 changes: 1 addition & 1 deletion memdb.go
Expand Up @@ -55,7 +55,7 @@ func modVulToVulFull(v *common.Vulnerability) *common.VulFull {
vv1.Namespace = v.Namespace
vv1.Description = v.Description
vv1.Link = v.Link
vv1.Severity = string(v.Severity)
vv1.Severity = v.Severity
vv1.FeedRating = v.FeedRating
vv1.CPEs = v.CPEs
vv1.CVEs = make([]string, len(v.CVEs))
4 changes: 2 additions & 2 deletions updater/fetchers/ubuntu/ubuntu.go
Expand Up @@ -304,7 +304,7 @@ func parseUbuntuCVE(fileContent io.Reader) (vulnerability common.Vulnerability,
priority = priority[:strings.Index(priority, " ")]
}

vulnerability.Severity = ubuntuPriorityToSeverity(priority)
vulnerability.Severity = toSeverity(priority)
vulnerability.FeedRating = priority
continue
}
Expand Down Expand Up @@ -409,7 +409,7 @@ func parseUbuntuCVE(fileContent io.Reader) (vulnerability common.Vulnerability,
return
}

func ubuntuPriorityToSeverity(priority string) common.Priority {
func toSeverity(priority string) common.Priority {
switch priority {
case "untriaged":
return common.Unknown
27 changes: 25 additions & 2 deletions updater/nvd/nvd.go
Expand Up @@ -75,7 +75,7 @@ type NvdCve struct {
Source string `json:"source"`
Type string `json:"type"`
CvssData CvssData `json:"cvssData"`
Severity string `json:"severity"`
Severity string `json:"baseSeverity"`
ExploitabilityScore float64 `json:"exploitabilityScore"`
ImpactScore float64 `json:"impactScore"`
ObtainAllPrivilege bool `json:"obtainAllPrivilege"`
Expand Down Expand Up @@ -124,6 +124,7 @@ type CvssData struct {
IntegrityImpact string `json:"integrityImpact"`
AvailabilityImpact string `json:"availabilityImpact"`
BaseScore float64 `json:"baseScore"`
BaseSeverity string `json:"baseSeverity"`
}

var NVD NVDMetadataFetcher
Expand Down Expand Up @@ -247,17 +248,22 @@ func (fetcher *NVDMetadataFetcher) Load() error {
meta.Description = cve.Cve.Description[0].Value
}
if cve.Cve.ID != "" {
//Prefer CVSS31 over CVSS30 if it exists.
// Prefer CVSS31 over CVSS30 if it exists.
if len(cve.Cve.Metrics.BaseMetricV31) > 0 && cve.Cve.Metrics.BaseMetricV31[0].CvssData.BaseScore != 0 {
meta.CVSSv3.Vectors = cve.Cve.Metrics.BaseMetricV31[0].CvssData.VectorString
meta.CVSSv3.Score = cve.Cve.Metrics.BaseMetricV31[0].CvssData.BaseScore
meta.Severity = fetcher.toSeverity(cve.Cve.Metrics.BaseMetricV31[0].CvssData.BaseSeverity)
} else if len(cve.Cve.Metrics.BaseMetricV3) > 0 && cve.Cve.Metrics.BaseMetricV3[0].CvssData.BaseScore != 0 {
meta.CVSSv3.Vectors = cve.Cve.Metrics.BaseMetricV3[0].CvssData.VectorString
meta.CVSSv3.Score = cve.Cve.Metrics.BaseMetricV3[0].CvssData.BaseScore
meta.Severity = fetcher.toSeverity(cve.Cve.Metrics.BaseMetricV3[0].CvssData.BaseSeverity)
}
if len(cve.Cve.Metrics.BaseMetricV2) > 0 && cve.Cve.Metrics.BaseMetricV2[0].CvssData.BaseScore != 0 {
meta.CVSSv2.Vectors = cve.Cve.Metrics.BaseMetricV2[0].CvssData.VectorString
meta.CVSSv2.Score = cve.Cve.Metrics.BaseMetricV2[0].CvssData.BaseScore
if meta.Severity == "" {
meta.Severity = fetcher.toSeverity(cve.Cve.Metrics.BaseMetricV2[0].Severity)
}
}
if cve.Cve.PublishedDate != "" {
// Use new format, try old format if parse fails.
Expand Down Expand Up @@ -314,6 +320,22 @@ func (fetcher *NVDMetadataFetcher) Load() error {
return nil
}

func (fetcher *NVDMetadataFetcher) toSeverity(s string) common.Priority {
switch s {
case "LOW":
return common.Low
case "MEDIUM":
return common.Medium
case "HIGH":
return common.High
case "CRITICAL":
return common.Critical
}

// return empty instead of Unknown
return ""
}

func (fetcher *NVDMetadataFetcher) GetMetadata(cve string) (*common.NVDMetadata, bool) {
if nvd, ok := fetcher.metadata[cve]; ok {
var description string
Expand All @@ -324,6 +346,7 @@ func (fetcher *NVDMetadataFetcher) GetMetadata(cve string) (*common.NVDMetadata,
}
return &common.NVDMetadata{
Description: description,
Severity: nvd.Severity,
CVSSv3: nvd.CVSSv3,
CVSSv2: nvd.CVSSv2,
PublishedDate: nvd.PublishedDate,
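Review bot: The new severity is taken from `BaseMetricV31[0]`, `BaseMetricV3[0]` and `BaseMetricV2[0]` in Load without looking at the entry's `Type` field declared on the same struct, so if the feed lists both a Primary and a Secondary (CNA) metric for a CVE the severity comes from whichever entry happens to be first; if multiple entries do occur, pick the `Type == "Primary"` entry before reading `BaseSeverity`. The V2 fallback also maps the CVSS 2.0 scale, which has no CRITICAL, so a CVE with only v2 metrics can never be rated Critical from this feed — worth a one-line comment at the `if meta.Severity == ""` fallback so nobody reads that as a bug later. `toSeverity` should state its contract for unexpected input: `// toSeverity maps an NVD baseSeverity (LOW/MEDIUM/HIGH/CRITICAL) to a Priority; any other value, including NONE, yields "" so callers can fall back to another feed.` Load begins before this hunk and GetMetadata continues past it.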
11 changes: 11 additions & 0 deletions updater/updater.go
Expand Up @@ -210,6 +210,9 @@ func enrichAppMeta(meta *common.NVDMetadata, v *common.AppModuleVul) {
meta.CVSSv2.Score = v.Score
meta.CVSSv2.Vectors = v.Vectors
}
if meta.Severity == "" || meta.Severity == common.Unknown {
meta.Severity = v.Severity
}
if meta.PublishedDate.IsZero() {
meta.PublishedDate = v.IssuedDate
}
Expand All @@ -228,6 +231,9 @@ func enrichDistroMeta(meta *common.NVDMetadata, v *common.Vulnerability, cve *co
if meta.CVSSv2.Score == 0 {
meta.CVSSv2 = cve.CVSSv2
}
if meta.Severity == "" || meta.Severity == common.Unknown {
meta.Severity = v.Severity
}
if meta.PublishedDate.IsZero() {
meta.PublishedDate = v.IssuedDate
}
Expand Down Expand Up @@ -302,6 +308,7 @@ func assignMetadata(vuls []*common.Vulnerability, apps []*common.AppModuleVul) (
meta = &common.NVDMetadata{
CVSSv3: cve.CVSSv3,
CVSSv2: cve.CVSSv2,
Severity: v.Severity,
PublishedDate: v.IssuedDate,
LastModifiedDate: v.LastModDate,
}
Expand Down Expand Up @@ -333,6 +340,7 @@ func assignMetadata(vuls []*common.Vulnerability, apps []*common.AppModuleVul) (
meta = &common.NVDMetadata{
CVSSv3: common.CVSS{Score: app.ScoreV3, Vectors: app.VectorsV3},
CVSSv2: common.CVSS{Score: app.Score, Vectors: app.Vectors},
Severity: app.Severity,
PublishedDate: app.IssuedDate,
LastModifiedDate: app.LastModDate,
}
Expand Down Expand Up @@ -372,6 +380,9 @@ func assignMetadata(vuls []*common.Vulnerability, apps []*common.AppModuleVul) (
if cvss2.Score == 0 {
cvss2 = meta.CVSSv2
}
if v.Severity == "" || v.Severity == common.Unknown {
v.Severity = meta.Severity
}
}
}

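Review bot: The fallback in the last hunk, `if v.Severity == "" || v.Severity == common.Unknown { v.Severity = meta.Severity }`, can overwrite an explicit `common.Unknown` with an empty string, because nvd.go's toSeverity in this commit deliberately returns "" for an unrecognised baseSeverity; the two sentinels are treated as equivalent on the left of the assignment but not on the right. A vulnerability its feed marked Unknown would then be persisted with no severity at all, a value that severity-based filters downstream would presumably not match; the two enrich hunks have the mirror problem when `meta.Severity` is Unknown and `v.Severity` is "". Guard the source before copying: `if meta.Severity != "" && (v.Severity == "" || v.Severity == common.Unknown) {`, and likewise `if v.Severity != "" && (meta.Severity == "" || meta.Severity == common.Unknown) {` in enrichAppMeta and enrichDistroMeta. Whether consumers distinguish "" from Unknown is not visible here, so confirm that before choosing which sentinel to normalise to. assignMetadata, enrichAppMeta and enrichDistroMeta all begin and end outside these hunks.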
