aquasecurity · simar7 · Jan 10, 2024 · Dec 6, 2023 · Dec 18, 2023
diff --git a/docGen/nvd.go b/docGen/nvd.go
@@ -103,7 +103,7 @@ func generateVulnPages() {
 		wg.Add(1)
 
 		log.Printf("generating vuln year: %s\n", year)
-		nvdDir := fmt.Sprintf("vuln-list-nvd/feed/%s/", year)
+		nvdDir := fmt.Sprintf("vuln-list-nvd/api/%s/", year)
 		cweDir := "vuln-list/cwe"
 
 		go func(year string) {
@@ -405,35 +405,50 @@ func parseVulnerabilityJSONFile(fileName string) (VulnerabilityPost, error) {
 	if err != nil {
 		return VulnerabilityPost{}, err
 	}
-	vuln.Description = strings.NewReplacer(`"`, ``, `\`, ``, `'`, ``).Replace(string(v.GetStringBytes("cve", "description", "description_data", "0", "value")))
-	vuln.ID = string(v.GetStringBytes("cve", "CVE_data_meta", "ID"))
-	vuln.CWEID = string(v.GetStringBytes("cve", "problemtype", "problemtype_data", "0", "description", "0", "value"))
-	vuln.CVSS = CVSS{
-		V2Vector: string(v.GetStringBytes("impact", "baseMetricV2", "cvssV2", "vectorString")),
-		V2Score:  v.GetFloat64("impact", "baseMetricV2", "cvssV2", "baseScore"),
-		V3Vector: string(v.GetStringBytes("impact", "baseMetricV3", "cvssV3", "vectorString")),
-		V3Score:  v.GetFloat64("impact", "baseMetricV3", "cvssV3", "baseScore"),
+	vuln.Description = strings.NewReplacer(`"`, ``, `\`, ``, `'`, ``).Replace(string(v.GetStringBytes("descriptions", "0", "value")))
+	vuln.ID = string(v.GetStringBytes("id"))
+	if cwe := string(v.GetStringBytes("weaknesses", "0", "description", "0", "value")); cwe != "NVD-CWE-noinfo" {
+		vuln.CWEID = cwe
 	}
 
-	vuln.NVDSeverityV2 = string(v.GetStringBytes("impact", "baseMetricV2", "severity"))
-	vuln.NVDSeverityV3 = string(v.GetStringBytes("impact", "baseMetricV3", "cvssV3", "baseSeverity"))
+	for _, metricV2 := range v.GetArray("metrics", "cvssMetricV2") {
+		source := string(metricV2.GetStringBytes("source"))
+		// Save only NVD metric
+		if source == "[email protected]" {
+			vuln.CVSS.V2Score = metricV2.GetFloat64("cvssData", "baseScore")
+			vuln.CVSS.V2Vector = string(metricV2.GetStringBytes("cvssData", "vectorString"))
+			vuln.NVDSeverityV2 = string(metricV2.GetStringBytes("baseSeverity"))
+		}
+	}
+
+	// Save NVD metric from v3.1,
+	// if it doesn't exist - save NVD metric from v3.0
+	for _, metricV3 := range append(v.GetArray("metrics", "cvssMetricV31"), v.GetArray("metrics", "cvssMetricV30")...) {
+		source := string(metricV3.GetStringBytes("source"))
+		// Save only NVD metric
+		if source == "[email protected]" {
+			vuln.CVSS.V3Score = metricV3.GetFloat64("cvssData", "baseScore")
+			vuln.CVSS.V3Vector = string(metricV3.GetStringBytes("cvssData", "vectorString"))
+			vuln.NVDSeverityV3 = string(metricV3.GetStringBytes("cvssData", "baseSeverity"))
+		}
+	}
 
-	publishedDate, _ := time.Parse("2006-01-02T04:05Z", string(v.GetStringBytes("publishedDate")))
-	modifiedDate, _ := time.Parse("2006-01-02T04:05Z", string(v.GetStringBytes("lastModifiedDate")))
+	publishedDate, _ := time.Parse("2006-01-02T15:04:05", string(v.GetStringBytes("published")))
+	modifiedDate, _ := time.Parse("2006-01-02T15:04:05", string(v.GetStringBytes("lastModified")))
 	vuln.Dates = Dates{
 		Published: publishedDate.UTC().Format("2006-01-02 03:04:05 -0700"),
 		Modified:  modifiedDate.UTC().Format("2006-01-02 03:04:05 -0700"),
 	}
 
 	var refs []string
-	for _, r := range v.GetArray("cve", "references", "reference_data") {
+	for _, r := range v.GetArray("references") {
 		refs = append(refs, strings.ReplaceAll(r.Get("url").String(), `"`, ``))
 	}
 	vuln.References = refs
 
-	affectedSoftwares := v.GetArray("configurations", "nodes", "0", "cpe_match") // TODO: This logic should be improved to iterate over list of lists
+	affectedSoftwares := v.GetArray("configurations", "0", "nodes", "0", "cpeMatch") // TODO: This logic should be improved to iterate over list of lists
 	for _, as := range affectedSoftwares {
-		uri := string(as.GetStringBytes("cpe23Uri"))
+		uri := string(as.GetStringBytes("criteria"))
 		item, err := cpe.NewItemFromFormattedString(uri)
 		if err != nil {
 			continue

diff --git a/docGen/nvd_test.go b/docGen/nvd_test.go
@@ -22,10 +22,9 @@ func TestParseVulnerabilityJSONFile(t *testing.T) {
 				Layout: "vulnerability",
 				Title:  "CVE-2020-0001",
 				By:     "NVD",
-				Date:   "2020-01-08 12:19:15 +0000",
+				Date:   "2020-01-08 07:15:12 +0000",
 				Vulnerability: Vulnerability{
 					ID:          "CVE-2020-0001",
-					CWEID:       "CWE-269",
 					Description: "In getProcessRecordLocked of ActivityManagerService.java isolated apps are not handled correctly. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-8.0, Android-8.1, Android-9, and Android-10 Android ID: A-140055304",
 					References: []string{
 						"https://source.android.com/security/bulletin/2020-01-01",
@@ -37,8 +36,8 @@ func TestParseVulnerabilityJSONFile(t *testing.T) {
 						V3Score:  7.8,
 					},
 					Dates: Dates{
-						Published: "2020-01-08 12:19:15 +0000",
-						Modified:  "2020-01-14 12:21:52 +0000",
+						Published: "2020-01-08 07:15:12 +0000",
+						Modified:  "2021-07-21 11:39:23 +0000",
 					},
 					NVDSeverityV2: "HIGH",
 					NVDSeverityV3: "HIGH",
@@ -77,12 +76,13 @@ func TestParseVulnerabilityJSONFile(t *testing.T) {
 				Layout: "vulnerability",
 				Title:  "CVE-2020-11932",
 				By:     "NVD",
-				Date:   "2020-05-13 12:01:15 +0000",
+				Date:   "2020-05-13 01:15:12 +0000",
 				Vulnerability: Vulnerability{
 					ID:          "CVE-2020-11932",
 					CWEID:       "CWE-532",
 					Description: "It was discovered that the Subiquity installer for Ubuntu Server logged the LUKS full disk encryption password if one was entered.",
 					References: []string{
+						"https://aliceandbob.company/the-human-factor-in-an-economy-of-scale",
 						"https://github.com/CanonicalLtd/subiquity/commit/7db70650feaf513d7fb6f1ca07f2d670a0890613",
 					},
 					CVSS: CVSS{
@@ -92,8 +92,8 @@ func TestParseVulnerabilityJSONFile(t *testing.T) {
 						V3Score:  2.3,
 					},
 					Dates: Dates{
-						Published: "2020-05-13 12:01:15 +0000",
-						Modified:  "2020-05-18 12:17:59 +0000",
+						Published: "2020-05-13 01:15:12 +0000",
+						Modified:  "2020-08-03 06:15:11 +0000",
 					},
 					NVDSeverityV2: "LOW",
 					NVDSeverityV3: "LOW",
@@ -114,50 +114,29 @@ func TestParseVulnerabilityJSONFile(t *testing.T) {
 				Layout: "vulnerability",
 				Title:  "CVE-2022-2788",
 				By:     "NVD",
-				Date:   "2020-01-08 12:19:15 +0000",
+				Date:   "2022-08-19 09:15:08 +0000",
 				Vulnerability: Vulnerability{
 					ID:          "CVE-2022-2788",
-					CWEID:       "CWE-269",
+					CWEID:       "CWE-22",
 					Description: "Emerson Electrics Proficy Machine Edition Version 9.80 and prior is vulnerable to CWE-29 Path Traversal: ..Filename, also known as a ZipSlip attack, through an upload procedure which enables attackers to implant a malicious .BLZ file on the PLC. The file can transfer through the engineering station onto Windows in a way that executes the malicious code.",
 					References: []string{
-						"https://source.android.com/security/bulletin/2020-01-01",
+						"https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-06",
 					},
 					CVSS: CVSS{
-						V2Vector: "AV:L/AC:L/Au:N/C:C/I:C/A:C",
-						V2Score:  7.2,
-						V3Vector: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
-						V3Score:  7.8,
+						V3Vector: "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
+						V3Score:  7.3,
 					},
 					Dates: Dates{
-						Published: "2020-01-08 12:19:15 +0000",
-						Modified:  "2020-01-14 12:21:52 +0000",
+						Published: "2022-08-19 09:15:08 +0000",
+						Modified:  "2023-06-28 02:25:03 +0000",
 					},
-					NVDSeverityV2: "HIGH",
 					NVDSeverityV3: "HIGH",
 					AffectedSoftware: []AffectedSoftware{
 						{
-							Name:         "android",
-							Vendor:       "google",
-							StartVersion: "8.0",
-							EndVersion:   "8.0",
-						},
-						{
-							Name:         "android",
-							Vendor:       "google",
-							StartVersion: "8.1",
-							EndVersion:   "8.1",
-						},
-						{
-							Name:         "android",
-							Vendor:       "google",
-							StartVersion: "9.0",
-							EndVersion:   "9.0",
-						},
-						{
-							Name:         "android",
-							Vendor:       "google",
-							StartVersion: "10.0",
-							EndVersion:   "10.0",
+							Name:         "electric's_proficy",
+							Vendor:       "emerson",
+							StartVersion: "*",
+							EndVersion:   "9.80",
 						},
 					},
 				},