refactor(nvd): use struct from nvd api 2.0 (#78)

* refactor: use struct from nvd api 2.0 * refactor: use only NVD cvss metrics
aquasecurity · Jan 10, 2024 · a509330 · a509330
1 parent f0d3519
commit a509330
Show file tree

Hide file tree

Showing 6 changed files with 472 additions and 421 deletions.
diff --git a/docGen/nvd.go b/docGen/nvd.go
@@ -103,7 +103,7 @@ func generateVulnPages() {
 		wg.Add(1)
 
 		log.Printf("generating vuln year: %s\n", year)
-		nvdDir := fmt.Sprintf("vuln-list-nvd/feed/%s/", year)
+		nvdDir := fmt.Sprintf("vuln-list-nvd/api/%s/", year)
 		cweDir := "vuln-list/cwe"
 
 		go func(year string) {
@@ -405,35 +405,50 @@ func parseVulnerabilityJSONFile(fileName string) (VulnerabilityPost, error) {
 	if err != nil {
 		return VulnerabilityPost{}, err
 	}
-	vuln.Description = strings.NewReplacer(`"`, ``, `\`, ``, `'`, ``).Replace(string(v.GetStringBytes("cve", "description", "description_data", "0", "value")))
-	vuln.ID = string(v.GetStringBytes("cve", "CVE_data_meta", "ID"))
-	vuln.CWEID = string(v.GetStringBytes("cve", "problemtype", "problemtype_data", "0", "description", "0", "value"))
-	vuln.CVSS = CVSS{
-		V2Vector: string(v.GetStringBytes("impact", "baseMetricV2", "cvssV2", "vectorString")),
-		V2Score:  v.GetFloat64("impact", "baseMetricV2", "cvssV2", "baseScore"),
-		V3Vector: string(v.GetStringBytes("impact", "baseMetricV3", "cvssV3", "vectorString")),
-		V3Score:  v.GetFloat64("impact", "baseMetricV3", "cvssV3", "baseScore"),
+	vuln.Description = strings.NewReplacer(`"`, ``, `\`, ``, `'`, ``).Replace(string(v.GetStringBytes("descriptions", "0", "value")))
+	vuln.ID = string(v.GetStringBytes("id"))
+	if cwe := string(v.GetStringBytes("weaknesses", "0", "description", "0", "value")); cwe != "NVD-CWE-noinfo" {
+		vuln.CWEID = cwe
 	}
 
-	vuln.NVDSeverityV2 = string(v.GetStringBytes("impact", "baseMetricV2", "severity"))
-	vuln.NVDSeverityV3 = string(v.GetStringBytes("impact", "baseMetricV3", "cvssV3", "baseSeverity"))
+	for _, metricV2 := range v.GetArray("metrics", "cvssMetricV2") {
+		source := string(metricV2.GetStringBytes("source"))
+		// Save only NVD metric
+		if source == "[email protected]" {
+			vuln.CVSS.V2Score = metricV2.GetFloat64("cvssData", "baseScore")
+			vuln.CVSS.V2Vector = string(metricV2.GetStringBytes("cvssData", "vectorString"))
+			vuln.NVDSeverityV2 = string(metricV2.GetStringBytes("baseSeverity"))
+		}
+	}
+
+	// Save NVD metric from v3.1,
+	// if it doesn't exist - save NVD metric from v3.0
+	for _, metricV3 := range append(v.GetArray("metrics", "cvssMetricV31"), v.GetArray("metrics", "cvssMetricV30")...) {
+		source := string(metricV3.GetStringBytes("source"))
+		// Save only NVD metric
+		if source == "[email protected]" {
+			vuln.CVSS.V3Score = metricV3.GetFloat64("cvssData", "baseScore")
+			vuln.CVSS.V3Vector = string(metricV3.GetStringBytes("cvssData", "vectorString"))
+			vuln.NVDSeverityV3 = string(metricV3.GetStringBytes("cvssData", "baseSeverity"))
+		}
+	}
 
-	publishedDate, _ := time.Parse("2006-01-02T04:05Z", string(v.GetStringBytes("publishedDate")))
-	modifiedDate, _ := time.Parse("2006-01-02T04:05Z", string(v.GetStringBytes("lastModifiedDate")))
+	publishedDate, _ := time.Parse("2006-01-02T15:04:05", string(v.GetStringBytes("published")))
+	modifiedDate, _ := time.Parse("2006-01-02T15:04:05", string(v.GetStringBytes("lastModified")))
 	vuln.Dates = Dates{
 		Published: publishedDate.UTC().Format("2006-01-02 03:04:05 -0700"),
 		Modified:  modifiedDate.UTC().Format("2006-01-02 03:04:05 -0700"),
 	}
 
 	var refs []string
-	for _, r := range v.GetArray("cve", "references", "reference_data") {
+	for _, r := range v.GetArray("references") {
 		refs = append(refs, strings.ReplaceAll(r.Get("url").String(), `"`, ``))
 	}
 	vuln.References = refs
 
-	affectedSoftwares := v.GetArray("configurations", "nodes", "0", "cpe_match") // TODO: This logic should be improved to iterate over list of lists
+	affectedSoftwares := v.GetArray("configurations", "0", "nodes", "0", "cpeMatch") // TODO: This logic should be improved to iterate over list of lists
 	for _, as := range affectedSoftwares {
-		uri := string(as.GetStringBytes("cpe23Uri"))
+		uri := string(as.GetStringBytes("criteria"))
 		item, err := cpe.NewItemFromFormattedString(uri)
 		if err != nil {
 			continue

diff --git a/docGen/nvd_test.go b/docGen/nvd_test.go
@@ -22,10 +22,9 @@ func TestParseVulnerabilityJSONFile(t *testing.T) {
 				Layout: "vulnerability",
 				Title:  "CVE-2020-0001",
 				By:     "NVD",
-				Date:   "2020-01-08 12:19:15 +0000",
+				Date:   "2020-01-08 07:15:12 +0000",
 				Vulnerability: Vulnerability{
 					ID:          "CVE-2020-0001",
-					CWEID:       "CWE-269",
 					Description: "In getProcessRecordLocked of ActivityManagerService.java isolated apps are not handled correctly. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-8.0, Android-8.1, Android-9, and Android-10 Android ID: A-140055304",
 					References: []string{
 						"https://source.android.com/security/bulletin/2020-01-01",
@@ -37,8 +36,8 @@ func TestParseVulnerabilityJSONFile(t *testing.T) {
 						V3Score:  7.8,
 					},
 					Dates: Dates{
-						Published: "2020-01-08 12:19:15 +0000",
-						Modified:  "2020-01-14 12:21:52 +0000",
+						Published: "2020-01-08 07:15:12 +0000",
+						Modified:  "2021-07-21 11:39:23 +0000",
 					},
 					NVDSeverityV2: "HIGH",
 					NVDSeverityV3: "HIGH",
@@ -77,12 +76,13 @@ func TestParseVulnerabilityJSONFile(t *testing.T) {
 				Layout: "vulnerability",
 				Title:  "CVE-2020-11932",
 				By:     "NVD",
-				Date:   "2020-05-13 12:01:15 +0000",
+				Date:   "2020-05-13 01:15:12 +0000",
 				Vulnerability: Vulnerability{
 					ID:          "CVE-2020-11932",
 					CWEID:       "CWE-532",
 					Description: "It was discovered that the Subiquity installer for Ubuntu Server logged the LUKS full disk encryption password if one was entered.",
 					References: []string{
+						"https://aliceandbob.company/the-human-factor-in-an-economy-of-scale",
 						"https://github.com/CanonicalLtd/subiquity/commit/7db70650feaf513d7fb6f1ca07f2d670a0890613",
 					},
 					CVSS: CVSS{
@@ -92,8 +92,8 @@ func TestParseVulnerabilityJSONFile(t *testing.T) {
 						V3Score:  2.3,
 					},
 					Dates: Dates{
-						Published: "2020-05-13 12:01:15 +0000",
-						Modified:  "2020-05-18 12:17:59 +0000",
+						Published: "2020-05-13 01:15:12 +0000",
+						Modified:  "2020-08-03 06:15:11 +0000",
 					},
 					NVDSeverityV2: "LOW",
 					NVDSeverityV3: "LOW",
@@ -114,50 +114,29 @@ func TestParseVulnerabilityJSONFile(t *testing.T) {
 				Layout: "vulnerability",
 				Title:  "CVE-2022-2788",
 				By:     "NVD",
-				Date:   "2020-01-08 12:19:15 +0000",
+				Date:   "2022-08-19 09:15:08 +0000",
 				Vulnerability: Vulnerability{
 					ID:          "CVE-2022-2788",
-					CWEID:       "CWE-269",
+					CWEID:       "CWE-22",
 					Description: "Emerson Electrics Proficy Machine Edition Version 9.80 and prior is vulnerable to CWE-29 Path Traversal: ..Filename, also known as a ZipSlip attack, through an upload procedure which enables attackers to implant a malicious .BLZ file on the PLC. The file can transfer through the engineering station onto Windows in a way that executes the malicious code.",
 					References: []string{
-						"https://source.android.com/security/bulletin/2020-01-01",
+						"https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-06",
 					},
 					CVSS: CVSS{
-						V2Vector: "AV:L/AC:L/Au:N/C:C/I:C/A:C",
-						V2Score:  7.2,
-						V3Vector: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
-						V3Score:  7.8,
+						V3Vector: "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
+						V3Score:  7.3,
 					},
 					Dates: Dates{
-						Published: "2020-01-08 12:19:15 +0000",
-						Modified:  "2020-01-14 12:21:52 +0000",
+						Published: "2022-08-19 09:15:08 +0000",
+						Modified:  "2023-06-28 02:25:03 +0000",
 					},
-					NVDSeverityV2: "HIGH",
 					NVDSeverityV3: "HIGH",
 					AffectedSoftware: []AffectedSoftware{
 						{
-							Name:         "android",
-							Vendor:       "google",
-							StartVersion: "8.0",
-							EndVersion:   "8.0",
-						},
-						{
-							Name:         "android",
-							Vendor:       "google",
-							StartVersion: "8.1",
-							EndVersion:   "8.1",
-						},
-						{
-							Name:         "android",
-							Vendor:       "google",
-							StartVersion: "9.0",
-							EndVersion:   "9.0",
-						},
-						{
-							Name:         "android",
-							Vendor:       "google",
-							StartVersion: "10.0",
-							EndVersion:   "10.0",
+							Name:         "electric's_proficy",
+							Vendor:       "emerson",
+							StartVersion: "*",
+							EndVersion:   "9.80",
 						},
 					},
 				},