fix(nvd): add support of versionStartExcluding and `versionEndExclu…
…ding` (#82)

* fix(nvd): add support for versionStartExcluding and versionEndExcluding

* update tests

* test: revert changes for test with custom content

* test: update golden values

* fix(nvd): add `update` for version from CPE
DmitriyLewen authored Apr 18, 2024
1 parent 0ed3349 commit 9cce08c
Showing 4 changed files with 64 additions and 39 deletions.
41 changes: 30 additions & 11 deletions docGen/nvd.go
Expand Up @@ -3,6 +3,7 @@ package main
import (
"encoding/json"
"fmt"
"golang.org/x/exp/slices"
"io/ioutil"
"log"
"os"
Expand Down Expand Up @@ -454,22 +455,20 @@ func parseVulnerabilityJSONFile(fileName string) (VulnerabilityPost, error) {
continue
}

startVersion := string(as.GetStringBytes("versionStartIncluding"))
if startVersion == "" {
startVersion = item.Version().String()
}

endVersion := string(as.GetStringBytes("versionEndIncluding"))
if endVersion == "" {
endVersion = item.Version().String()
}
startVersion := detectVersion(string(as.GetStringBytes("versionStartIncluding")), string(as.GetStringBytes("versionStartExcluding")), item)
endVersion := detectVersion(string(as.GetStringBytes("versionEndIncluding")), string(as.GetStringBytes("versionEndExcluding")), item)

vuln.AffectedSoftware = append(vuln.AffectedSoftware, AffectedSoftware{
affectedSoftware := AffectedSoftware{
Name: item.Product().String(),
Vendor: item.Vendor().String(),
StartVersion: startVersion,
EndVersion: endVersion,
})
}

// Avoid duplicates
if !slices.Contains(vuln.AffectedSoftware, affectedSoftware) {
vuln.AffectedSoftware = append(vuln.AffectedSoftware, affectedSoftware)
}
}

return VulnerabilityPost{
Expand All @@ -481,6 +480,26 @@ func parseVulnerabilityJSONFile(fileName string) (VulnerabilityPost, error) {
}, nil
}

func detectVersion(includeVersion, excludeVersion string, item *cpe.Item) string {
if includeVersion != "" {
return includeVersion + " (including)"
}

if excludeVersion != "" {
return excludeVersion + " (excluding)"
}

version := item.Version().String()
if version != "*" {
if update := item.Update().String(); update != "*" && update != "-" {
version += "-" + update
}
return version + " (including)"
}

return version
}

func VulnerabilityPostToMarkdown(blog VulnerabilityPost, outputFile *os.File, customContent string) error {
t := template.Must(template.New("blog").Funcs(gtf.GtfTextFuncMap).Parse(vulnerabilityPostTemplate))
err := t.Execute(outputFile, blog)
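Review bot: detectVersion (third hunk) has no doc comment and its precedence is implicit: when an NVD match carries both an including and an excluding bound, the excluding value is silently dropped, and the textual " (including)"/" (excluding)" suffix is now the only place that distinction survives in StartVersion/EndVersion, so any consumer that compares versions must parse it back out. I would add above the function `// detectVersion returns the affected-version bound for a CPE match as "<version> (including|excluding)", preferring the explicit NVD range fields over the CPE version/update and returning "*" unchanged when no version is pinned.` Note also that the version check treats only `*` as unset while the update check also treats `-` as unset; if a CPE version of `-` can occur in this feed it would render as `- (including)`, which looks worth a test case. The duplicate check in the second hunk pulls in golang.org/x/exp/slices; if the module's Go version is 1.21 or later the standard-library `slices` package provides the same Contains without the extra dependency.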
54 changes: 30 additions & 24 deletions docGen/nvd_test.go
Expand Up @@ -45,26 +45,26 @@ func TestParseVulnerabilityJSONFile(t *testing.T) {
{
Name: "android",
Vendor: "google",
StartVersion: "8.0",
EndVersion: "8.0",
StartVersion: "8.0 (including)",
EndVersion: "8.0 (including)",
},
{
Name: "android",
Vendor: "google",
StartVersion: "8.1",
EndVersion: "8.1",
StartVersion: "8.1 (including)",
EndVersion: "8.1 (including)",
},
{
Name: "android",
Vendor: "google",
StartVersion: "9.0",
EndVersion: "9.0",
StartVersion: "9.0-beta1 (including)",
EndVersion: "9.0-beta1 (including)",
},
{
Name: "android",
Vendor: "google",
StartVersion: "10.0",
EndVersion: "10.0",
StartVersion: "10.0 (including)",
EndVersion: "10.0 (including)",
},
},
},
Expand Down Expand Up @@ -102,7 +102,7 @@ func TestParseVulnerabilityJSONFile(t *testing.T) {
Name: "subiquity",
Vendor: "canonical",
StartVersion: "*",
EndVersion: "*",
EndVersion: "20.05.2 (excluding)",
},
},
},
Expand Down Expand Up @@ -136,7 +136,7 @@ func TestParseVulnerabilityJSONFile(t *testing.T) {
Name: "electric's_proficy",
Vendor: "emerson",
StartVersion: "*",
EndVersion: "9.80",
EndVersion: "9.80 (including)",
},
},
},
Expand Down Expand Up @@ -187,8 +187,8 @@ func TestVulnerabilityPostToMarkdown(t *testing.T) {
{
Name: "foo-software",
Vendor: "foo-vendor",
StartVersion: "1.2.3",
EndVersion: "4.5.6",
StartVersion: "1.2.3 (including)",
EndVersion: "4.5.6 (excluding)",
},
},
},
Expand Down Expand Up @@ -240,7 +240,7 @@ It was discovered that the Subiquity installer for Ubuntu Server logged the LUKS
### Affected Software {.with_icon .affected_software}
| Name | Vendor | Start Version | End Version |
| ------------- |-------------|-----|----|
| Foo-software | Foo-vendor | 1.2.3 | 4.5.6|
| Foo-software | Foo-vendor | 1.2.3 (including) | 4.5.6 (excluding)|
### References {.with_icon .references}
Expand Down Expand Up @@ -283,8 +283,8 @@ It was discovered that the Subiquity installer for Ubuntu Server logged the LUKS
{
Name: "foo-software",
Vendor: "foo-vendor",
StartVersion: "1.2.3",
EndVersion: "4.5.6",
StartVersion: "1.2.3 (including)",
EndVersion: "4.5.6 (excluding)",
},
},
},
Expand Down Expand Up @@ -339,7 +339,7 @@ foo Description
### Affected Software {.with_icon .affected_software}
| Name | Vendor | Start Version | End Version |
| ------------- |-------------|-----|----|
| Foo-software | Foo-vendor | 1.2.3 | 4.5.6|
| Foo-software | Foo-vendor | 1.2.3 (including) | 4.5.6 (excluding)|
### References {.with_icon .references}
Expand Down Expand Up @@ -444,16 +444,22 @@ func TestGenerateVulnerabilityPages(t *testing.T) {
b, _ := ioutil.ReadFile(file)
assert.NotEmpty(t, b)

if file == "CVE-2020-0002.md" {
if filepath.Base(file) == "CVE-2020-0002.md" {
assert.Equal(t, `---
title: "CVE-2020-0002"
date: 2020-01-08 12:19:15 +0000
aliases: [
"/nvd/cve-2020-0002"
]
shortName: "Generation of Error Message Containing Sensitive Information"
date: 2020-01-08 07:15:12 +0000
category: vulnerabilities
draft: false
avd_page_type: nvd_page
date_published: 2020-01-08 12:19:15 +0000
date_modified: 2020-01-29 12:21:15 +0000
date_published: 2020-01-08 07:15:12 +0000
date_modified: 2022-01-01 08:01:34 +0000
header_subtitle: "Generation of Error Message Containing Sensitive Information"
Expand Down Expand Up @@ -489,10 +495,10 @@ The software generates an error message that includes sensitive information abou
### Affected Software {.with_icon .affected_software}
| Name | Vendor | Start Version | End Version |
| ------------- |-------------|-----|----|
| Android | Google | 1.1.1 | 1.1.1c|
| Android | Google | 8.1 | 8.1|
| Android | Google | 9.0 | 9.0|
| Android | Google | 10.0 | 10.0|
| Android | Google | 8.0 (including) | 8.0 (including)|
| Android | Google | 8.1 (including) | 8.1 (including)|
| Android | Google | 9.0-beta1 (including) | 9.0-beta1 (including)|
| Android | Google | 10.0 (including) | 10.0 (including)|
| Red Hat Enterprise Linux 6 Supplementary | RedHat | chromium-browser-80.0.3987.87-1.el6_10 | *|
| Tar | Ubuntu | bionic | *|
| Tar | Ubuntu | cosmic | *|
4 changes: 2 additions & 2 deletions goldens/json/nvd/CVE-2020-0001.json
Expand Up @@ -89,12 +89,12 @@
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:google:android:8.1:*:*:*:*:*:*:*",
"criteria": "cpe:2.3:o:google:android:8.1:-:*:*:*:*:*:*",
"matchCriteriaId": "B06BE74B-83F4-41A3-8AD3-2E6248F7B0B2"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:google:android:9.0:*:*:*:*:*:*:*",
"criteria": "cpe:2.3:o:google:android:9.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "8DFAAD08-36DA-4C95-8200-C29FE5B6B854"
},
{
4 changes: 2 additions & 2 deletions goldens/json/nvd/CVE-2020-0002.json
Expand Up @@ -93,12 +93,12 @@
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:google:android:8.1:*:*:*:*:*:*:*",
"criteria": "cpe:2.3:o:google:android:8.1:-:*:*:*:*:*:*",
"matchCriteriaId": "B06BE74B-83F4-41A3-8AD3-2E6248F7B0B2"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:google:android:9.0:*:*:*:*:*:*:*",
"criteria": "cpe:2.3:o:google:android:9.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "8DFAAD08-36DA-4C95-8200-C29FE5B6B854"
},
{

0 comments on commit 9cce08c
