From 87b94e70d04c92d4ad0c87d572f81a118addece9 Mon Sep 17 00:00:00 2001 
From: Zhixiong Chi Date: Wed, 20 Oct 2021 05:26:22 -0400 Subject: [PATCH] cve_policy_filter: Upstream vulsscan json data format changed MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since vulsscan upstream commit [https://github.com/future-architect/vuls/commit/96c3592db1c4b3d658e8e8169fdc17c670e48379] was merged, the nvd and jvn items in the vulsscan result data are lists of entries rather than single objects. For example the part of json result changed from "scannedCves": { "CVE-2015-8035": { "cveContents": { "nvd": { "type": "nvd", "cveID": "CVE-2015-8035", "title": "", "summary": "The xz_decomp function in xzlib.c in libxml2 \ 2.9.1 does not properly detect compression errors, which \ allows context-dependent attackers to cause a denial of \ service (process hang) via crafted XML data.", "cvss2Score": 2.6, "cvss2Vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P", "cvss2Severity": "LOW", "cvss3Score": 0, "cvss3Vector": "", ... }, }, }, } to "scannedCves": { "CVE-2015-8035": { "cveContents": { "nvd": [ { "type": "nvd", "cveID": "CVE-2015-8035", "title": "", "summary": "The xz_decomp function in xzlib.c in libxml2 \ 2.9.1 does not properly detect compression errors, which \ allows context-dependent attackers to cause a denial of \ service (process hang) via crafted XML data.", "cvss2Score": 2.6, "cvss2Vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P", "cvss2Severity": "LOW", "cvss3Score": 0, "cvss3Vector": "", ... }, ], }, }, } There is only one item within NVD area according to the latest vulsscan result data set. 
Meanwhile we can only see two items within JVN area for the CVE-2018-5407 as follows: "cveContents": { "jvn": [ { "type": "jvn", "cveID": "CVE-2018-5407", "cvss2Score": 1.9, "title": "HPE Integrated Lights-Out 5、HPE Integrated Lights-Out 4 "cvss2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N", }, { "type": "jvn", "cveID": "CVE-2018-5407", "title": "Simultaneous Multi-threading における情報漏えいに関する脆弱性", "cvss2Score": 9, "cvss2Vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C", } ], As Michel and Mark suggested, we don't see anything obvious in the log and descriptions in way of plans to indicate if we should expect more than one item in NVD arean. Now we update it in cve_policy_filter.py parser for NVD, and add exeception raised in case it ever happens will allow us to react to the occurrence when the NVD length is more than 1. Therefore when getting the cve report we can avoid the following error: Traceback (most recent call last): File "cve_support/cve_policy_filter.py", line 345, in main() File "cve_support/cve_policy_filter.py", line 338, in main cvssv2_parse_n_report(cves,title,data) File "cve_support/cve_policy_filter.py", line 269, in cvssv2_parse_n_report nvd2_score = data["scannedCves"][cve_id]["cveContents"]["nvd"]["cvss2Score"] TypeError: list indices must be integers or slices, not str Change-Id: I847938fde14d6240637537e964578758289b56f5 Signed-off-by: Zhixiong Chi
---
 cve_support/cve_policy_filter.py | 34 +++++++++++++++++++++++++-------
 1 file changed, 27 insertions(+), 7 deletions(-)
diff --git a/cve_support/cve_policy_filter.py b/cve_support/cve_policy_filter.py
index 1fc246f09..210d60e96 100644
--- a/cve_support/cve_policy_filter.py
+++ b/cve_support/cve_policy_filter.py
@@ -24,6 +24,18 @@ cves_to_omit = []
 cves_report = {}
 
 
+class NVDLengthException(Exception):
+    """
+    Throw the exception when the length of NVD list != 1
+    """
+    def __init__(self, length):
+        self.length = length
+
+    def __str__(self):
+        print("Warning: NVD length: %d, not 1, Please check again!" \
+              % self.length)
+
+
 def print_html_report(cves_report, title):
     """
     Print the html report
@@ -123,7 +135,7 @@ def get_summary(data, cve_id):
     return: nvd summary
     """
     try:
-        summary = data["scannedCves"][cve_id]["cveContents"]["nvd"]["summary"]
+        summary = data["scannedCves"][cve_id]["cveContents"]["nvd"][0]["summary"]
     except KeyError:
         summary = None
     return summary
@@ -133,7 +145,7 @@ def get_source_link(data, cve_id):
     return: web link to the nvd report
     """
     try:
-        source_link = data["scannedCves"][cve_id]["cveContents"]["nvd"]["sourceLink"]
+        source_link = data["scannedCves"][cve_id]["cveContents"]["nvd"][0]["sourceLink"]
     except KeyError:
         source_link = None
     return source_link
@@ -227,12 +239,16 @@ def cvssv3_parse_n_report(cves,title,data):
         affectedpackages_list = []
         allfixed = "fixed"
         try:
-            nvd2_score = data["scannedCves"][cve_id]["cveContents"]["nvd"]["cvss3Score"]
-            cvss3vector = data["scannedCves"][cve_id]["cveContents"]["nvd"]["cvss3Vector"]
+            nvdlength = len(data["scannedCves"][cve_id]["cveContents"]["nvd"])
+            if nvdlength != 1:
+                raise NVDLengthException(nvdlength)
+
+            nvd3_score = data["scannedCves"][cve_id]["cveContents"]["nvd"][0]["cvss3Score"]
+            cvss3vector = data["scannedCves"][cve_id]["cveContents"]["nvd"][0]["cvss3Vector"]
         except KeyError:
             cves_w_errors.append(cve)
         else:
-            cve["cvss3Score"] = nvd2_score
+            cve["cvss3Score"] = nvd3_score
             for element in cvss3vector.split("/"):
                 if "AV:" in element:
                     _av = element.split(":")[1]
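Review bot: `__str__` in the new `NVDLengthException` prints the message and implicitly returns None, so any `str(exc)` — including the interpreter's own traceback rendering when the exception escapes the `except KeyError:` blocks in the cvss parsers — fails with `TypeError: __str__ returned non-string (type NoneType)` and the intended warning is lost behind a second error. Return the text instead: `return "Warning: NVD length: %d, not 1, Please check again!" % self.length`. Calling `super().__init__(length)` in `__init__` would additionally populate `args`, so a bare `repr(exc)` or a logging handler shows the offending length too.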
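Review bot: The new `[0]` index in `get_summary` raises IndexError when the `nvd` list is present but empty, and the `except KeyError:` on the next line does not catch it, so one such CVE aborts the whole report instead of yielding `summary = None` as the pre-change code did for a missing entry. Widen the handler to `except (KeyError, IndexError):`; the cvss parsers already reject a zero-length list explicitly, so this is the only place an empty list slips through. get_summary's signature is outside the hunk.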
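Review bot: `get_source_link` has the same gap as `get_summary`: the added `[0]` raises IndexError on an empty `nvd` list and the `except KeyError:` does not catch it, so the fallback `source_link = None` is never reached and the report aborts. Use `except (KeyError, IndexError):` here as well. The function's signature is outside the hunk.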
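Review bot: The length check and the `[0]` lookup repeat the four-level `data["scannedCves"][cve_id]["cveContents"]["nvd"]` path three times here, and the same five lines are duplicated verbatim in the cvssv2 hunk below, so a future change to the key path or to the exactly-one rule has to be made in two places. A small helper that returns the single NVD entry (raising NVDLengthException otherwise) keeps the rule in one spot and lets both parsers read fields off the returned dict. The helper would sit next to `get_summary`; the enclosing `cvssv3_parse_n_report` starts and ends outside the hunk, and its `except KeyError` / `else` handling is unchanged.
```python
def get_nvd_entry(data, cve_id):
    """
    Return the single NVD entry for cve_id.
    Raise NVDLengthException when the nvd list does not hold exactly one item.
    """
    nvd = data["scannedCves"][cve_id]["cveContents"]["nvd"]
    if len(nvd) != 1:
        raise NVDLengthException(len(nvd))
    return nvd[0]

# … unchanged: per-CVE loop setup in cvssv3_parse_n_report …
        try:
            nvd = get_nvd_entry(data, cve_id)
            nvd3_score = nvd["cvss3Score"]
            cvss3vector = nvd["cvss3Vector"]
        # … unchanged: except KeyError / else handling …
```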
@@ -266,8 +282,12 @@ def cvssv2_parse_n_report(cves,title,data):
         affectedpackages_list = []
         allfixed = "fixed"
         try:
-            nvd2_score = data["scannedCves"][cve_id]["cveContents"]["nvd"]["cvss2Score"]
-            cvss2vector = data["scannedCves"][cve_id]["cveContents"]["nvd"]["cvss2Vector"]
+            nvdlength = len(data["scannedCves"][cve_id]["cveContents"]["nvd"])
+            if nvdlength != 1:
+                raise NVDLengthException(nvdlength)
+
+            nvd2_score = data["scannedCves"][cve_id]["cveContents"]["nvd"][0]["cvss2Score"]
+            cvss2vector = data["scannedCves"][cve_id]["cveContents"]["nvd"][0]["cvss2Vector"]
         except KeyError:
             cves_w_errors.append(cve)
         else:
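Review bot: `len(...)` on the `nvd` value also succeeds for the pre-change dict form shown in the commit message, so feeding an older vuls report into this parser now raises NVDLengthException with the dict's key count (something like "NVD length: 10") rather than a message that says the format is unsupported, which will send whoever reads the warning looking for a multi-entry NVD list that does not exist. Bind the value once and check its type before counting: `nvd = data["scannedCves"][cve_id]["cveContents"]["nvd"]` then `if not isinstance(nvd, list): raise TypeError("nvd entry is not a list; pre-96c3592 vuls output?")` ahead of the existing length test. The enclosing `cvssv2_parse_n_report` starts and ends outside the hunk.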