NVSHAS-8481: Merge CPE and FixedIn for feed entries of same vuln
becitsthere committed Dec 14, 2023
1 parent 1a86847 commit 94c4e9e
Showing 5 changed files with 48 additions and 26 deletions.
1 change: 1 addition & 0 deletions common/debug.go
Expand Up @@ -49,6 +49,7 @@ func DEBUG_VULN(x interface{}, msg string) {
if Debugs.CVEs.Contains(v.Name) {
log.WithFields(log.Fields{
"name": v.Name, "distro": v.Namespace, "severity": v.Severity, "v2": v.CVSSv2, "v3": v.CVSSv3, "rate": v.FeedRating,
"fix": v.FixedIn, "cpes": v.CPEs,
"pub": v.IssuedDate.Format(time.RFC3339), "lastMod": v.LastModDate.Format(time.RFC3339),
"description": firstN(v.Description, 64),
}).Debug(msg)
9 changes: 4 additions & 5 deletions common/types.go
Expand Up @@ -63,11 +63,10 @@ type VulShort struct {
}

type FeaFull struct {
Name string `json:"N"`
Namespace string `json:"NS"`
Version string `json:"V"`
MinVer string `json:"MV"`
AddedBy string `json:"A"`
Name string `json:"N"`
Version string `json:"V"`
MinVer string `json:"MV"`
AddedBy string `json:"A"`
}

type VulFull struct {
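Review bot: Removing `Namespace` from `FeaFull` also removes the `NS` key from its JSON form (the `json:"N"`/`"V"`/`"MV"`/`"A"` tags show this struct is serialized), so this is a change to the generated DB's format rather than only an in-memory cleanup, and nothing in the struct records that. Readers decoding an older file will just ignore the surplus `NS` field, but any reader that used the per-fix namespace must now take it from the parent record — memdb.go in this same commit keys `osVuls` on `vv1.Namespace`, so the parent does carry it. I would put a one-line comment on the struct to save the next maintainer the search: `// FeaFull is a fix entry of a VulFull; its namespace is the enclosing VulFull.Namespace (no NS key is serialized).` `VulFull` itself starts at the end of this hunk and its body is not shown.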
2 changes: 1 addition & 1 deletion dbgen.go
Expand Up @@ -13,8 +13,8 @@ import (
"github.com/vul-dbgen/common"
utils "github.com/vul-dbgen/share"
"github.com/vul-dbgen/updater"
_ "github.com/vul-dbgen/updater/fetchers/alpine"

_ "github.com/vul-dbgen/updater/fetchers/alpine"
_ "github.com/vul-dbgen/updater/fetchers/amazon"
_ "github.com/vul-dbgen/updater/fetchers/apps"
_ "github.com/vul-dbgen/updater/fetchers/debian"
24 changes: 19 additions & 5 deletions memdb.go
Expand Up @@ -72,10 +72,9 @@ func modVulToVulFull(v *common.Vulnerability) *common.VulFull {

func modFeaToFeaFull(fx common.FeatureVersion) common.FeaFull {
var v1fx = common.FeaFull{
Name: fx.Feature.Name,
Namespace: fx.Feature.Namespace,
Version: fx.Version.String(),
MinVer: fx.MinVer.String(),
Name: fx.Feature.Name,
Version: fx.Version.String(),
MinVer: fx.MinVer.String(),
}
return v1fx
}
Expand Down Expand Up @@ -288,7 +287,22 @@ func (db *memDB) InsertVulnerabilities(osVuls []*common.Vulnerability, appVuls [
vv1.FixedIn = append(vv1.FixedIn, v1fx)
}
cveName := fmt.Sprintf("%s:%s", vv1.Namespace, vv1.Name)
db.osVuls[cveName] = vv1
if vf, ok := db.osVuls[cveName]; ok {
fixes := utils.NewSetFromSliceKind(vf.FixedIn)
cpes := utils.NewSetFromSliceKind(vf.CPEs)
for _, f := range vv1.FixedIn {
if !fixes.Contains(f) {
vf.FixedIn = append(vf.FixedIn, f)
}
}
for _, c := range vv1.CPEs {
if !cpes.Contains(c) {
vf.CPEs = append(vf.CPEs, c)
}
}
} else {
db.osVuls[cveName] = vv1
}
}
db.appVuls = appVuls

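Review bot: The merge branch at `if vf, ok := db.osVuls[cveName]; ok` keeps only the first entry's metadata: when a second feed entry for the same namespace:name arrives, its severity, CVSS, dates, link and CVEs are dropped without so much as a debug line, so a later entry carrying a higher score (which the rhel2 fetcher in this same commit now computes as the maximum over an advisory's CVEs) never reaches the stored record. If `VulFull` carries the same `CVSSv2`/`CVSSv3`/`LastModDate` fields as `common.Vulnerability` — its definition is outside this diff — I would at least keep the higher score and the newer date, e.g. `if vv1.CVSSv3.Score > vf.CVSSv3.Score { vf.CVSSv3 = vv1.CVSSv3 }` and likewise for v2, and log at debug level when the two entries disagree on severity. Two smaller points on the same block: `fixes` and `cpes` are built once and never updated inside the loops, so a duplicate within `vv1.FixedIn` itself is still appended twice; and the union means two entries naming the same package with different `Version` values now both survive in `FixedIn`, which is only safe if the consumer treats the highest fix version as authoritative — worth a comment on the branch either way. Appending through `vf` relies on `db.osVuls` holding pointers; `InsertVulnerabilities` begins outside this hunk so the map type cannot be confirmed here.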
38 changes: 23 additions & 15 deletions updater/fetchers/rhel2/rhel.go
Expand Up @@ -141,7 +141,7 @@ func (f *RHELFetcher) fetchPreDownload(rhelFolder string) ([]common.Vulnerabilit
}
for _, f := range files {
if strings.HasSuffix(f.Name(), ".xml.bz2") {
log.WithFields(log.Fields{"file": f.Name()}).Debug("Read redhat feed")
log.WithFields(log.Fields{"os": ros, "file": f.Name()}).Debug("Read redhat feed")

rfp, err := os.Open(fmt.Sprintf("%s/%s", folder, f.Name()))
cr := bzip2.NewReader(rfp)
Expand Down Expand Up @@ -450,7 +450,7 @@ func parseRHSA(ros int, rhsa string, ovalReader io.Reader) (vulnerabilities []co

pkgs := toFeatureVersions(ros, rhsa, nameId, definition.Criteria)
if len(pkgs) > 0 {
vulnerability := common.Vulnerability{
v := common.Vulnerability{
Name: nameId,
Namespace: "centos" + ":" + strconv.Itoa(ros),
Link: link(definition),
Expand All @@ -461,14 +461,12 @@ func parseRHSA(ros int, rhsa string, ovalReader io.Reader) (vulnerabilities []co
CPEs: definition.CpeList.CPEs,
FeedRating: definition.Severity,
}
if vulnerability.Link == "" {
vulnerability.Link = cveLink(definition)
if v.Link == "" {
v.Link = cveLink(definition)
}
// if vulnerability.Severity == common.Unknown {
// log.WithFields(log.Fields{"nameId": nameId, "rhsa": rhsa}).Error("\"Unknown\" severity")
// }

for _, p := range pkgs {
vulnerability.FixedIn = append(vulnerability.FixedIn, p)
v.FixedIn = append(v.FixedIn, p)
}
for _, r := range definition.Cves {
var v2, v3 string
Expand All @@ -485,19 +483,29 @@ func parseRHSA(ros int, rhsa string, ovalReader io.Reader) (vulnerabilities []co
v3 = r.Cvss3[s+1:]
}
}
vulnerability.CVEs = append(vulnerability.CVEs, common.CVE{
cve := common.CVE{
Name: r.ID,
CVSSv2: common.CVSS{Vectors: v2, Score: s2},
CVSSv3: common.CVSS{Vectors: v3, Score: s3},
})
}
if s2 > v.CVSSv2.Score {
v.CVSSv2 = cve.CVSSv2
}
if s3 > v.CVSSv3.Score {
v.CVSSv3 = cve.CVSSv3
}
v.CVEs = append(v.CVEs, cve)
}
if vulnerability.IssuedDate.IsZero() {
vulnerability.IssuedDate = vulnerability.LastModDate
if v.IssuedDate.IsZero() {
v.IssuedDate = v.LastModDate
}
if vulnerability.LastModDate.IsZero() {
vulnerability.LastModDate = vulnerability.IssuedDate
if v.LastModDate.IsZero() {
v.LastModDate = v.IssuedDate
}
vulnerabilities = append(vulnerabilities, vulnerability)

common.DEBUG_VULN(&v, "redhat")

vulnerabilities = append(vulnerabilities, v)
}
}

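Review bot: The new maximum-score logic at `if s2 > v.CVSSv2.Score` and `if s3 > v.CVSSv3.Score` picks the v2 and v3 winners independently, so an advisory whose CVEs differ can end up with the v2 vector of one CVE and the v3 vector of another; that is fine for ranking, but the stored `Vectors` then no longer describes a single CVE and nothing says so. I would add `// Advisory-level score is the max over its CVEs; v2 and v3 may therefore come from different CVEs.` above the two comparisons. The parsing that produces `s2`/`s3` sits in the folded part of the function above this hunk, so what a parse failure yields is not visible; if it yields 0 the `>` comparison silently skips that CVE, which is reasonable but untracked — a debug log on the zero-score case would help triage feed problems. `v.CVSSv2`/`v.CVSSv3` are not set in the visible part of the struct literal, so the comparison presumably starts from the zero value, and `parseRHSA` continues past the end of this hunk.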