Add support for CWE #782
Add support for CWE #782
Conversation
|
|
There was a problem hiding this comment.
This would need to be rebased... also you may want to remove the UI part to treat it separately as the UI has changed extensively!
Also could we also get the CWE from the NVD importer? or is this something for later?
Finally two other considerations:
- the CWE library maintainer has not much replied to data, so if we need this we would have to fok it
- is there something else beyond CWE that would be about a more general concept of categories?
ok, no problem I will change this, but what about editing all importers not just NVD, I think I could handle this in a separate pull request.
oops, yes we can fork it. it isn't a complicated library, all data come from this database, we need to make sure the database is updated so I think we should use this link
I don't know but the main three categories are
some External Mappings :
|
ziadhany
force-pushed
the
add-cwe
branch
2 times, most recently
from
89ff4d0
to
24a919b
Compare
|
|
|
|
|
@ziadhany the cwe2 library is ready now: https://pypi.org/project/cwe2/ |
ziadhany
force-pushed
the
add-cwe
branch
2 times, most recently
from
3b2c98c
to
550788f
Compare
| <div class="tab-nested-div"> | ||
| <table class="table is-bordered is-striped is-narrow is-hoverable is-fullwidth gray-header-border"> | ||
| <tr> | ||
| <th> CWE id </th> |
vulnerabilities/importers/nvd.py
Outdated
| """ | ||
| weaknesses = [] | ||
| for weaknesses in get_item(self.cve_item, "cve", "problemtype", "problemtype_data") or []: | ||
| weaknesses_description = weaknesses.get("description") |
There was a problem hiding this comment.
| weaknesses_description = weaknesses.get("description") | |
| weaknesses_description = weaknesses.get("description") or [] | |
vulnerabilities/importers/nvd.py
Outdated
| for weaknesses in get_item(self.cve_item, "cve", "problemtype", "problemtype_data") or []: | ||
| weaknesses_description = weaknesses.get("description") | ||
| for weaknesses_value in weaknesses_description: | ||
| cwe_id = get_cwe_id(weaknesses_value.get("value")) |
There was a problem hiding this comment.
I would skip weaknesses_description if the lang is not "en"
vulnerabilities/improve_runner.py
Outdated
| @@ -133,6 +134,10 @@ def process_inferences(inferences: List[Inference], advisory: Advisory, improver | |||
| fix=True, | |||
| ).update_or_create() | |||
|
|
|||
| if inference.weaknesses: | |||
| for cwe_id in inference.weaknesses: | |||
| Weakness.objects.update_or_create(cwe_id=cwe_id, vulnerabilities=vulnerability) | |||
There was a problem hiding this comment.
Why is vulnerabilities plural and receiving a single vulnerability?
There was a problem hiding this comment.
I think because we improve vulnerability one by one . Can you suggest any way to do this?
vulnerabilities/models.py
Outdated
| @property | ||
| def name(self): | ||
| """Return the weakness's name.""" | ||
| db = Database() |
There was a problem hiding this comment.
This should be a class member instead
vulnerabilities/models.py
Outdated
| @@ -249,6 +250,25 @@ def get_related_purls(self): | |||
| return [p.package_url for p in self.packages.distinct().all()] | |||
|
|
|||
|
|
|||
| class Weakness(models.Model): | |||
| cwe_id = models.IntegerField() | |||
ziadhany
force-pushed
the
add-cwe
branch
3 times, most recently
from
52b1aeb
to
3ddaccf
Compare
|
@ziadhany Could you rebase or merge on the latest main branch? |
ziadhany
force-pushed
the
add-cwe
branch
3 times, most recently
from
818945c
to
5080ea3
Compare
Remove the weaknesses table header Fix expected_files tests Fix all test cases Add CWE support for NVD importer Fix migration conflict Add Weakness model Fix requirements.txt , Fix migration conflict Add cwe name instead of Hyperlinks Add nexB/cwe package Fix test , remove empty lines Add CWE in the new UI Signed-off-by: ziadhany <ziadhany2016@gmail.com>
Signed-off-by: ziadhany <ziadhany2016@gmail.com>
Reference: #651
Signed-off-by: Ziad ziadhany2016@gmail.com