Skip to content

Commit

Permalink
Merge pull request #1333 from timopollmeier/cves-cvss-v3
Browse files Browse the repository at this point in the history
Change SCAP and CERT data to use new severity scoring
  • Loading branch information
mattmundell authored Oct 26, 2020
2 parents 2cf31ef + f0a0804 commit c0d90ed
Show file tree
Hide file tree
Showing 7 changed files with 194 additions and 335 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- Move EXE credential generation to a Python script [#1260](https://github.com/greenbone/gvmd/pull/1260) [#1262](https://github.com/greenbone/gvmd/pull/1262)
- Clarify documentation for --scan-host parameter [#1277](https://github.com/greenbone/gvmd/pull/1277)
- In result iterator access severity directly if possible [#1321](https://github.com/greenbone/gvmd/pull/1321)
- Change SCAP and CERT data to use new severity scoring [#1333](https://github.com/greenbone/gvmd/pull/1333)

### Fixed
- Use GMP version with leading zero for feed dirs [#1287](https://github.com/greenbone/gvmd/pull/1287)
Expand Down
4 changes: 2 additions & 2 deletions CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -98,9 +98,9 @@ include (CPack)

set (GVMD_DATABASE_VERSION 238)

set (GVMD_SCAP_DATABASE_VERSION 16)
set (GVMD_SCAP_DATABASE_VERSION 17)

set (GVMD_CERT_DATABASE_VERSION 6)
set (GVMD_CERT_DATABASE_VERSION 7)

set (GMP_VERSION "21.4")
set (GMP_VERSION_FEED "21.04")
Expand Down
40 changes: 13 additions & 27 deletions src/gmp.c
Original file line number Diff line number Diff line change
Expand Up @@ -9121,13 +9121,11 @@ results_xml_append_nvt (iterator_t *results, GString *buffer, int cert_loaded)
"<type>ovaldef</type>"
"<name>%s</name>"
"<family/>"
"<cvss_base>%s</cvss_base>"
"<severities score=\"%i\">"
"</severities>"
"<tags>summary=%s</tags>",
oid,
ovaldef_info_iterator_title (&iterator),
ovaldef_info_iterator_max_cvss (&iterator),
ovaldef_info_iterator_score (&iterator),
ovaldef_info_iterator_description (&iterator));
g_free (get.id);
Expand Down Expand Up @@ -13248,11 +13246,11 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error)
cpe_info_iterator_title (&info));
xml_string_append (result,
"<nvd_id>%s</nvd_id>"
"<max_cvss>%s</max_cvss>"
"<score>%d</score>"
"<cve_refs>%s</cve_refs>"
"<status>%s</status>",
cpe_info_iterator_nvd_id (&info),
cpe_info_iterator_max_cvss (&info),
cpe_info_iterator_score (&info),
cpe_info_iterator_cve_refs (&info),
cpe_info_iterator_status (&info) ?
cpe_info_iterator_status (&info) : "");
Expand All @@ -13276,13 +13274,13 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error)
" id=\"%s\">"
"<vuln:cvss>"
"<cvss:base_metrics>"
"<cvss:score>%s</cvss:score>"
"<cvss:score>%0.1lf</cvss:score>"
"</cvss:base_metrics>"
"</vuln:cvss>"
"</entry>"
"</cve>",
cve_iterator_name (&cves),
cve_iterator_cvss (&cves));
cve_iterator_score (&cves) / 10.0);
cleanup_iterator (&cves);
g_string_append (result, "</cves>");
}
Expand All @@ -13291,24 +13289,12 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error)
{
xml_string_append (result,
"<cve>"
"<cvss>%s</cvss>"
"<vector>%s</vector>"
"<complexity>%s</complexity>"
"<authentication>%s</authentication>"
"<confidentiality_impact>%s</confidentiality_impact>"
"<integrity_impact>%s</integrity_impact>"
"<availability_impact>%s</availability_impact>"
"<score>%d</score>"
"<cvss_vector>%s</cvss_vector>"
"<description>%s</description>"
"<products>%s</products>",
cve_info_iterator_cvss (&info)
? cve_info_iterator_cvss (&info)
: "",
cve_info_iterator_score (&info),
cve_info_iterator_vector (&info),
cve_info_iterator_complexity (&info),
cve_info_iterator_authentication (&info),
cve_info_iterator_confidentiality_impact (&info),
cve_info_iterator_integrity_impact (&info),
cve_info_iterator_availability_impact (&info),
cve_info_iterator_description (&info),
cve_info_iterator_products (&info));
if (get_info_data->details == 1)
Expand Down Expand Up @@ -13382,15 +13368,15 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error)
"<status>%s</status>"
"<class>%s</class>"
"<title>%s</title>"
"<max_cvss>%s</max_cvss>"
"<score>%d</score>"
"<cve_refs>%s</cve_refs>"
"<file>%s</file>",
ovaldef_info_iterator_version (&info),
ovaldef_info_iterator_deprecated (&info),
ovaldef_info_iterator_status (&info),
ovaldef_info_iterator_class (&info),
ovaldef_info_iterator_title (&info),
ovaldef_info_iterator_max_cvss (&info),
ovaldef_info_iterator_score (&info),
ovaldef_info_iterator_cve_refs (&info),
ovaldef_info_iterator_file (&info));
description = ovaldef_info_iterator_description (&info);
Expand All @@ -13404,22 +13390,22 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error)
"<cert_bund_adv>"
"<title>%s</title>"
"<summary>%s</summary>"
"<max_cvss>%s</max_cvss>"
"<score>%d</score>"
"<cve_refs>%s</cve_refs>",
cert_bund_adv_info_iterator_title (&info),
cert_bund_adv_info_iterator_summary (&info),
cert_bund_adv_info_iterator_max_cvss(&info),
cert_bund_adv_info_iterator_score(&info),
cert_bund_adv_info_iterator_cve_refs (&info));
else if (g_strcmp0 ("dfn_cert_adv", get_info_data->type) == 0)
xml_string_append (result,
"<dfn_cert_adv>"
"<title>%s</title>"
"<summary>%s</summary>"
"<max_cvss>%s</max_cvss>"
"<score>%d</score>"
"<cve_refs>%s</cve_refs>",
dfn_cert_adv_info_iterator_title (&info),
dfn_cert_adv_info_iterator_summary (&info),
dfn_cert_adv_info_iterator_max_cvss(&info),
dfn_cert_adv_info_iterator_score(&info),
dfn_cert_adv_info_iterator_cve_refs (&info));
else if (g_strcmp0 ("nvt", get_info_data->type) == 0)
{
Expand Down
42 changes: 12 additions & 30 deletions src/manage.h
Original file line number Diff line number Diff line change
Expand Up @@ -3104,8 +3104,8 @@ cpe_info_iterator_title (iterator_t*);
const char*
cpe_info_iterator_status (iterator_t*);

const char*
cpe_info_iterator_max_cvss (iterator_t*);
int
cpe_info_iterator_score (iterator_t*);

const char*
cpe_info_iterator_deprecated_by_id (iterator_t*);
Expand All @@ -3121,30 +3121,15 @@ cpe_info_iterator_nvd_id (iterator_t*);
const char*
cve_iterator_name (iterator_t*);

const char*
cve_iterator_cvss (iterator_t*);
int
cve_iterator_score (iterator_t*);

const char*
cve_info_iterator_cvss (iterator_t*);
int
cve_info_iterator_score (iterator_t*);

const char*
cve_info_iterator_vector (iterator_t*);

const char*
cve_info_iterator_complexity (iterator_t*);

const char*
cve_info_iterator_authentication (iterator_t*);

const char*
cve_info_iterator_confidentiality_impact (iterator_t*);

const char*
cve_info_iterator_integrity_impact (iterator_t*);

const char*
cve_info_iterator_availability_impact (iterator_t*);

const char*
cve_info_iterator_description (iterator_t*);

Expand Down Expand Up @@ -3191,15 +3176,12 @@ ovaldef_info_iterator_file (iterator_t*);
const char*
ovaldef_info_iterator_status (iterator_t*);

const char*
ovaldef_info_iterator_max_cvss (iterator_t*);
int
ovaldef_info_iterator_score (iterator_t*);

const char*
ovaldef_info_iterator_cve_refs (iterator_t*);

int
ovaldef_info_iterator_score (iterator_t *);

char *
ovaldef_severity (const char *);

Expand Down Expand Up @@ -3233,8 +3215,8 @@ cert_bund_adv_info_iterator_summary (iterator_t*);
const char*
cert_bund_adv_info_iterator_cve_refs (iterator_t*);

const char*
cert_bund_adv_info_iterator_max_cvss (iterator_t*);
int
cert_bund_adv_info_iterator_score (iterator_t*);

void
init_cve_cert_bund_adv_iterator (iterator_t*, const char*, int, const char*);
Expand Down Expand Up @@ -3262,8 +3244,8 @@ dfn_cert_adv_info_iterator_summary (iterator_t*);
const char*
dfn_cert_adv_info_iterator_cve_refs (iterator_t*);

const char*
dfn_cert_adv_info_iterator_max_cvss (iterator_t*);
int
dfn_cert_adv_info_iterator_score (iterator_t*);

void
init_cve_dfn_cert_adv_iterator (iterator_t*, const char*, int, const char*);
Expand Down
35 changes: 16 additions & 19 deletions src/manage_pg.c
Original file line number Diff line number Diff line change
Expand Up @@ -1648,12 +1648,14 @@ create_view_vulns ()
" FROM nvts"
VULNS_RESULTS_WHERE
" UNION SELECT id, uuid, name, creation_time, modification_time,"
" cvss AS severity, " G_STRINGIFY (QOD_DEFAULT) " AS qod,"
" score / 10.0 AS severity, "
G_STRINGIFY (QOD_DEFAULT) " AS qod,"
" 'cve' AS type"
" FROM cves"
VULNS_RESULTS_WHERE
" UNION SELECT id, uuid, name, creation_time, modification_time,"
" max_cvss AS severity, " G_STRINGIFY (QOD_DEFAULT) " AS qod,"
" score / 10.0 AS severity, "
G_STRINGIFY (QOD_DEFAULT) " AS qod,"
" 'ovaldef' AS type"
" FROM ovaldefs"
VULNS_RESULTS_WHERE);
Expand Down Expand Up @@ -2963,7 +2965,7 @@ manage_db_init (const gchar *name)
" title TEXT,"
" summary TEXT,"
" cve_refs INTEGER,"
" max_cvss FLOAT);");
" score INTEGER);");
sql ("CREATE UNIQUE INDEX cert_bund_advs_idx"
" ON cert.cert_bund_advs (name);");
sql ("CREATE INDEX cert_bund_advs_by_creation_time"
Expand All @@ -2987,7 +2989,7 @@ manage_db_init (const gchar *name)
" title TEXT,"
" summary TEXT,"
" cve_refs INTEGER,"
" max_cvss FLOAT);");
" score INTEGER);");
sql ("CREATE UNIQUE INDEX dfn_cert_advs_idx"
" ON cert.dfn_cert_advs (name);");
sql ("CREATE INDEX dfn_cert_advs_by_creation_time"
Expand Down Expand Up @@ -3030,7 +3032,7 @@ manage_db_init (const gchar *name)
/* Init tables. */

sql ("INSERT INTO cert.meta (name, value)"
" VALUES ('database_version', '6');");
" VALUES ('database_version', '7');");
sql ("INSERT INTO cert.meta (name, value)"
" VALUES ('last_update', '0');");
}
Expand Down Expand Up @@ -3070,14 +3072,9 @@ manage_db_init (const gchar *name)
" description text,"
" creation_time integer,"
" modification_time integer,"
" vector text,"
" complexity text,"
" authentication text,"
" confidentiality_impact text,"
" integrity_impact text,"
" availability_impact text,"
" cvss_vector text,"
" products text,"
" cvss FLOAT DEFAULT 0);");
" score integer DEFAULT 0);");

sql ("CREATE TABLE scap2.cpes"
" (id SERIAL PRIMARY KEY,"
Expand All @@ -3089,7 +3086,7 @@ manage_db_init (const gchar *name)
" title text,"
" status text,"
" deprecated_by_id INTEGER,"
" max_cvss FLOAT DEFAULT 0,"
" score integer DEFAULT 0,"
" cve_refs INTEGER DEFAULT 0,"
" nvd_id text);");

Expand All @@ -3111,7 +3108,7 @@ manage_db_init (const gchar *name)
" description TEXT,"
" xml_file TEXT,"
" status TEXT,"
" max_cvss FLOAT DEFAULT 0,"
" score integer DEFAULT 0,"
" cve_refs INTEGER DEFAULT 0);");

sql ("CREATE TABLE scap2.ovalfiles"
Expand All @@ -3125,7 +3122,7 @@ manage_db_init (const gchar *name)
/* Init tables. */

sql ("INSERT INTO scap2.meta (name, value)"
" VALUES ('database_version', '16');");
" VALUES ('database_version', '17');");
sql ("INSERT INTO scap2.meta (name, value)"
" VALUES ('last_update', '0');");
}
Expand Down Expand Up @@ -3202,17 +3199,17 @@ manage_db_init_indexes (const gchar *name)
" ON scap2.cves (creation_time);");
sql ("CREATE INDEX cves_by_modification_time_idx"
" ON scap2.cves (modification_time);");
sql ("CREATE INDEX cves_by_cvss"
" ON scap2.cves (cvss);");
sql ("CREATE INDEX cves_by_score"
" ON scap2.cves (score);");

sql ("CREATE UNIQUE INDEX cpe_idx"
" ON scap2.cpes (name);");
sql ("CREATE INDEX cpes_by_creation_time_idx"
" ON scap2.cpes (creation_time);");
sql ("CREATE INDEX cpes_by_modification_time_idx"
" ON scap2.cpes (modification_time);");
sql ("CREATE INDEX cpes_by_cvss"
" ON scap2.cpes (max_cvss);");
sql ("CREATE INDEX cpes_by_score"
" ON scap2.cpes (score);");
sql ("CREATE INDEX cpes_by_uuid"
" ON scap2.cpes (uuid);");

Expand Down
Loading

0 comments on commit c0d90ed

Please sign in to comment.