diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4b8cf8988..9985e3b9f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- Move EXE credential generation to a Python script [#1260](https://github.com/greenbone/gvmd/pull/1260) [#1262](https://github.com/greenbone/gvmd/pull/1262)
- Clarify documentation for --scan-host parameter [#1277](https://github.com/greenbone/gvmd/pull/1277)
- In result iterator access severity directly if possible [#1321](https://github.com/greenbone/gvmd/pull/1321)
+- Change SCAP and CERT data to use new severity scoring [#1333](https://github.com/greenbone/gvmd/pull/1333)
### Fixed
- Use GMP version with leading zero for feed dirs [#1287](https://github.com/greenbone/gvmd/pull/1287)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index c44288d45..41cf7e3aa 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -98,9 +98,9 @@ include (CPack)
set (GVMD_DATABASE_VERSION 238)
-set (GVMD_SCAP_DATABASE_VERSION 16)
+set (GVMD_SCAP_DATABASE_VERSION 17)
-set (GVMD_CERT_DATABASE_VERSION 6)
+set (GVMD_CERT_DATABASE_VERSION 7)
set (GMP_VERSION "21.4")
set (GMP_VERSION_FEED "21.04")
diff --git a/src/gmp.c b/src/gmp.c
index fb62a9309..552aa48d1 100644
--- a/src/gmp.c
+++ b/src/gmp.c
@@ -9121,13 +9121,11 @@ results_xml_append_nvt (iterator_t *results, GString *buffer, int cert_loaded)
"ovaldef"
"%s"
""
- "%s"
""
""
"summary=%s",
oid,
ovaldef_info_iterator_title (&iterator),
- ovaldef_info_iterator_max_cvss (&iterator),
ovaldef_info_iterator_score (&iterator),
ovaldef_info_iterator_description (&iterator));
g_free (get.id);
@@ -13248,11 +13246,11 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error)
cpe_info_iterator_title (&info));
xml_string_append (result,
"%s"
- "%s"
+ "%d"
"%s"
"%s",
cpe_info_iterator_nvd_id (&info),
- cpe_info_iterator_max_cvss (&info),
+ cpe_info_iterator_score (&info),
cpe_info_iterator_cve_refs (&info),
cpe_info_iterator_status (&info) ?
cpe_info_iterator_status (&info) : "");
@@ -13276,13 +13274,13 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error)
" id=\"%s\">"
""
""
- "%s"
+ "%0.1lf"
""
""
""
"",
cve_iterator_name (&cves),
- cve_iterator_cvss (&cves));
+ cve_iterator_score (&cves) / 10.0);
cleanup_iterator (&cves);
g_string_append (result, "");
}
@@ -13291,24 +13289,12 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error)
{
xml_string_append (result,
""
- "%s"
- "%s"
- "%s"
- "%s"
- "%s"
- "%s"
- "%s"
+ "%d"
+ "%s"
"%s"
"%s",
- cve_info_iterator_cvss (&info)
- ? cve_info_iterator_cvss (&info)
- : "",
+ cve_info_iterator_score (&info),
cve_info_iterator_vector (&info),
- cve_info_iterator_complexity (&info),
- cve_info_iterator_authentication (&info),
- cve_info_iterator_confidentiality_impact (&info),
- cve_info_iterator_integrity_impact (&info),
- cve_info_iterator_availability_impact (&info),
cve_info_iterator_description (&info),
cve_info_iterator_products (&info));
if (get_info_data->details == 1)
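Review bot: The `%d` for `cve_info_iterator_score` emits 0 for a CVE whose feed entry carried no base metrics, because insert_cve_from_entry in manage_sql_secinfo.c now stores `score_int = 0` where the removed code inserted SQL NULL, and the removed `cve_info_iterator_cvss (&info) ? ... : ""` branch emitted an empty element for exactly that case. GMP clients can therefore no longer tell an unscored CVE from one scored 0.0. If that distinction matters to consumers, keep NULL for the no-score case in the insert and print the element conditionally as before. handle_get_info continues outside the hunk.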
@@ -13382,7 +13368,7 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error)
"%s"
"%s"
"%s"
- "%s"
+ "%d"
"%s"
"%s",
ovaldef_info_iterator_version (&info),
@@ -13390,7 +13376,7 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error)
ovaldef_info_iterator_status (&info),
ovaldef_info_iterator_class (&info),
ovaldef_info_iterator_title (&info),
- ovaldef_info_iterator_max_cvss (&info),
+ ovaldef_info_iterator_score (&info),
ovaldef_info_iterator_cve_refs (&info),
ovaldef_info_iterator_file (&info));
description = ovaldef_info_iterator_description (&info);
@@ -13404,22 +13390,22 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error)
""
"%s"
"%s"
- "%s"
+ "%d"
"%s",
cert_bund_adv_info_iterator_title (&info),
cert_bund_adv_info_iterator_summary (&info),
- cert_bund_adv_info_iterator_max_cvss(&info),
+ cert_bund_adv_info_iterator_score(&info),
cert_bund_adv_info_iterator_cve_refs (&info));
else if (g_strcmp0 ("dfn_cert_adv", get_info_data->type) == 0)
xml_string_append (result,
""
"%s"
"%s"
- "%s"
+ "%d"
"%s",
dfn_cert_adv_info_iterator_title (&info),
dfn_cert_adv_info_iterator_summary (&info),
- dfn_cert_adv_info_iterator_max_cvss(&info),
+ dfn_cert_adv_info_iterator_score(&info),
dfn_cert_adv_info_iterator_cve_refs (&info));
else if (g_strcmp0 ("nvt", get_info_data->type) == 0)
{
diff --git a/src/manage.h b/src/manage.h
index 4b63d9f2c..210b8878e 100644
--- a/src/manage.h
+++ b/src/manage.h
@@ -3104,8 +3104,8 @@ cpe_info_iterator_title (iterator_t*);
const char*
cpe_info_iterator_status (iterator_t*);
-const char*
-cpe_info_iterator_max_cvss (iterator_t*);
+int
+cpe_info_iterator_score (iterator_t*);
const char*
cpe_info_iterator_deprecated_by_id (iterator_t*);
@@ -3121,30 +3121,15 @@ cpe_info_iterator_nvd_id (iterator_t*);
const char*
cve_iterator_name (iterator_t*);
-const char*
-cve_iterator_cvss (iterator_t*);
+int
+cve_iterator_score (iterator_t*);
-const char*
-cve_info_iterator_cvss (iterator_t*);
+int
+cve_info_iterator_score (iterator_t*);
const char*
cve_info_iterator_vector (iterator_t*);
-const char*
-cve_info_iterator_complexity (iterator_t*);
-
-const char*
-cve_info_iterator_authentication (iterator_t*);
-
-const char*
-cve_info_iterator_confidentiality_impact (iterator_t*);
-
-const char*
-cve_info_iterator_integrity_impact (iterator_t*);
-
-const char*
-cve_info_iterator_availability_impact (iterator_t*);
-
const char*
cve_info_iterator_description (iterator_t*);
@@ -3191,15 +3176,12 @@ ovaldef_info_iterator_file (iterator_t*);
const char*
ovaldef_info_iterator_status (iterator_t*);
-const char*
-ovaldef_info_iterator_max_cvss (iterator_t*);
+int
+ovaldef_info_iterator_score (iterator_t*);
const char*
ovaldef_info_iterator_cve_refs (iterator_t*);
-int
-ovaldef_info_iterator_score (iterator_t *);
-
char *
ovaldef_severity (const char *);
@@ -3233,8 +3215,8 @@ cert_bund_adv_info_iterator_summary (iterator_t*);
const char*
cert_bund_adv_info_iterator_cve_refs (iterator_t*);
-const char*
-cert_bund_adv_info_iterator_max_cvss (iterator_t*);
+int
+cert_bund_adv_info_iterator_score (iterator_t*);
void
init_cve_cert_bund_adv_iterator (iterator_t*, const char*, int, const char*);
@@ -3262,8 +3244,8 @@ dfn_cert_adv_info_iterator_summary (iterator_t*);
const char*
dfn_cert_adv_info_iterator_cve_refs (iterator_t*);
-const char*
-dfn_cert_adv_info_iterator_max_cvss (iterator_t*);
+int
+dfn_cert_adv_info_iterator_score (iterator_t*);
void
init_cve_dfn_cert_adv_iterator (iterator_t*, const char*, int, const char*);
diff --git a/src/manage_pg.c b/src/manage_pg.c
index 3616a723d..a76b8be57 100644
--- a/src/manage_pg.c
+++ b/src/manage_pg.c
@@ -1648,12 +1648,14 @@ create_view_vulns ()
" FROM nvts"
VULNS_RESULTS_WHERE
" UNION SELECT id, uuid, name, creation_time, modification_time,"
- " cvss AS severity, " G_STRINGIFY (QOD_DEFAULT) " AS qod,"
+ " score / 10.0 AS severity, "
+ G_STRINGIFY (QOD_DEFAULT) " AS qod,"
" 'cve' AS type"
" FROM cves"
VULNS_RESULTS_WHERE
" UNION SELECT id, uuid, name, creation_time, modification_time,"
- " max_cvss AS severity, " G_STRINGIFY (QOD_DEFAULT) " AS qod,"
+ " score / 10.0 AS severity, "
+ G_STRINGIFY (QOD_DEFAULT) " AS qod,"
" 'ovaldef' AS type"
" FROM ovaldefs"
VULNS_RESULTS_WHERE);
@@ -2963,7 +2965,7 @@ manage_db_init (const gchar *name)
" title TEXT,"
" summary TEXT,"
" cve_refs INTEGER,"
- " max_cvss FLOAT);");
+ " score INTEGER);");
sql ("CREATE UNIQUE INDEX cert_bund_advs_idx"
" ON cert.cert_bund_advs (name);");
sql ("CREATE INDEX cert_bund_advs_by_creation_time"
@@ -2987,7 +2989,7 @@ manage_db_init (const gchar *name)
" title TEXT,"
" summary TEXT,"
" cve_refs INTEGER,"
- " max_cvss FLOAT);");
+ " score INTEGER);");
sql ("CREATE UNIQUE INDEX dfn_cert_advs_idx"
" ON cert.dfn_cert_advs (name);");
sql ("CREATE INDEX dfn_cert_advs_by_creation_time"
@@ -3030,7 +3032,7 @@ manage_db_init (const gchar *name)
/* Init tables. */
sql ("INSERT INTO cert.meta (name, value)"
- " VALUES ('database_version', '6');");
+ " VALUES ('database_version', '7');");
sql ("INSERT INTO cert.meta (name, value)"
" VALUES ('last_update', '0');");
}
@@ -3070,14 +3072,9 @@ manage_db_init (const gchar *name)
" description text,"
" creation_time integer,"
" modification_time integer,"
- " vector text,"
- " complexity text,"
- " authentication text,"
- " confidentiality_impact text,"
- " integrity_impact text,"
- " availability_impact text,"
+ " cvss_vector text,"
" products text,"
- " cvss FLOAT DEFAULT 0);");
+ " score integer DEFAULT 0);");
sql ("CREATE TABLE scap2.cpes"
" (id SERIAL PRIMARY KEY,"
@@ -3089,7 +3086,7 @@ manage_db_init (const gchar *name)
" title text,"
" status text,"
" deprecated_by_id INTEGER,"
- " max_cvss FLOAT DEFAULT 0,"
+ " score integer DEFAULT 0,"
" cve_refs INTEGER DEFAULT 0,"
" nvd_id text);");
@@ -3111,7 +3108,7 @@ manage_db_init (const gchar *name)
" description TEXT,"
" xml_file TEXT,"
" status TEXT,"
- " max_cvss FLOAT DEFAULT 0,"
+ " score integer DEFAULT 0,"
" cve_refs INTEGER DEFAULT 0);");
sql ("CREATE TABLE scap2.ovalfiles"
@@ -3125,7 +3122,7 @@ manage_db_init (const gchar *name)
/* Init tables. */
sql ("INSERT INTO scap2.meta (name, value)"
- " VALUES ('database_version', '16');");
+ " VALUES ('database_version', '17');");
sql ("INSERT INTO scap2.meta (name, value)"
" VALUES ('last_update', '0');");
}
@@ -3202,8 +3199,8 @@ manage_db_init_indexes (const gchar *name)
" ON scap2.cves (creation_time);");
sql ("CREATE INDEX cves_by_modification_time_idx"
" ON scap2.cves (modification_time);");
- sql ("CREATE INDEX cves_by_cvss"
- " ON scap2.cves (cvss);");
+ sql ("CREATE INDEX cves_by_score"
+ " ON scap2.cves (score);");
sql ("CREATE UNIQUE INDEX cpe_idx"
" ON scap2.cpes (name);");
@@ -3211,8 +3208,8 @@ manage_db_init_indexes (const gchar *name)
" ON scap2.cpes (creation_time);");
sql ("CREATE INDEX cpes_by_modification_time_idx"
" ON scap2.cpes (modification_time);");
- sql ("CREATE INDEX cpes_by_cvss"
- " ON scap2.cpes (max_cvss);");
+ sql ("CREATE INDEX cpes_by_score"
+ " ON scap2.cpes (score);");
sql ("CREATE INDEX cpes_by_uuid"
" ON scap2.cpes (uuid);");
diff --git a/src/manage_sql_secinfo.c b/src/manage_sql_secinfo.c
index b78b17f2f..6b8499455 100644
--- a/src/manage_sql_secinfo.c
+++ b/src/manage_sql_secinfo.c
@@ -39,6 +39,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -550,14 +551,19 @@ DEF_ACCESS (cpe_info_iterator_title, GET_ITERATOR_COLUMN_COUNT);
DEF_ACCESS (cpe_info_iterator_status, GET_ITERATOR_COLUMN_COUNT + 1);
/**
- * @brief Get the Highest CVSS Score of all CVE's referencing this cpe.
+ * @brief Get the highest severity Score of all CVE's referencing this cpe.
*
* @param[in] iterator Iterator.
*
- * @return The Highest CVSS of the CPE, or NULL if iteration is complete.
- * Freed by cleanup_iterator.
+ * @return The highest severity score (10 * CVSS score) of the CPE,
+ * or -1 if iteration is complete. Freed by cleanup_iterator.
*/
-DEF_ACCESS (cpe_info_iterator_max_cvss, GET_ITERATOR_COLUMN_COUNT + 3);
+int
+cpe_info_iterator_score (iterator_t *iterator)
+{
+ if (iterator->done) return -1;
+ return iterator_int (iterator, GET_ITERATOR_COLUMN_COUNT + 3);
+}
/**
* @brief Get the Number of CVE's referencing this cpe from a CPE iterator.
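Review bot: The @return text of the new `cpe_info_iterator_score` still ends with `Freed by cleanup_iterator.`, carried over from the string accessor it replaces and meaningless for an int return. The same sentence is repeated in the new `cve_iterator_score`, `cve_info_iterator_score`, `ovaldef_info_iterator_score`, `cert_bund_adv_info_iterator_score` and `dfn_cert_adv_info_iterator_score` doc comments in the later hunks of this file. Drop it in all six, e.g. ` * @return The highest severity score (10 * CVSS score) of the CPE, or -1 if iteration is complete.`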
@@ -644,40 +650,44 @@ init_cpe_cve_iterator (iterator_t *iterator, const char *cve, int ascending,
DEF_ACCESS (cve_iterator_name, 1);
/**
- * @brief Get the CVSS from a CVE iterator.
+ * @brief Get the severity score from a CVE iterator.
*
* @param[in] iterator Iterator.
*
- * @return The CVSS of the CVE, or NULL if iteration is complete. Freed by
- * cleanup_iterator.
+ * @return The severity score (10 * CVSS score) of the CVE,
+ * or -1 if iteration is complete. Freed by cleanup_iterator.
*/
-DEF_ACCESS (cve_iterator_cvss, 2);
+int
+cve_iterator_score (iterator_t* iterator)
+{
+ if (iterator->done) return -1;
+ return iterator_int (iterator, 2);
+}
/**
- * @brief Get the short file name for an OVALDEF.
+ * @brief Get the CVSS score for a CVE.
*
- * @param[in] cve Full OVAL identifier with file suffix.
+ * @param[in] cve CVE-ID of the CVE to get the score of.
*
- * @return The file name of the OVAL definition relative to the SCAP directory,
- * Freed by g_free.
+ * @return The CVSS score of the CVE.
*/
gchar *
cve_cvss_base (const gchar *cve)
{
gchar *quoted_cve, *ret;
quoted_cve = sql_quote (cve);
- ret = sql_string ("SELECT cvss FROM cves WHERE name = '%s'",
+ ret = sql_string ("SELECT score / 10.0 FROM cves WHERE name = '%s'",
quoted_cve);
g_free (quoted_cve);
return ret;
}
/**
- * @brief Get the score from a CVE.
+ * @brief Get the severity score from a CVE.
*
- * @param[in] cve CVE.
+ * @param[in] cve CVE-ID of the CVE to get the score of.
*
- * @return Severity score of CVE.
+ * @return Severity score (10 * CVSS score) of CVE.
*/
int
cve_score (const gchar *cve)
@@ -686,7 +696,7 @@ cve_score (const gchar *cve)
int ret;
quoted_cve = sql_quote (cve);
- ret = sql_int ("SELECT (cvss * 10)::integer FROM cves WHERE name = '%s'",
+ ret = sql_int ("SELECT score FROM cves WHERE name = '%s'",
quoted_cve);
g_free (quoted_cve);
return ret;
@@ -777,46 +787,6 @@ DEF_ACCESS (cve_info_iterator_vector, GET_ITERATOR_COLUMN_COUNT);
*/
DEF_ACCESS (cve_info_iterator_complexity, GET_ITERATOR_COLUMN_COUNT + 1);
-/**
- * @brief Get the CVSS attack authentication for this CVE.
- *
- * @param[in] iterator Iterator.
- *
- * @return The CVSS attack authentication of this CVE, or NULL if iteration is
- * complete. Freed by cleanup_iterator.
- */
-DEF_ACCESS (cve_info_iterator_authentication, GET_ITERATOR_COLUMN_COUNT + 2);
-
-/**
- * @brief Get the CVSS confidentiality impact for this CVE.
- *
- * @param[in] iterator Iterator.
- *
- * @return The CVSS confidentiality impact of this CVE, or NULL if iteration is
- * complete. Freed by cleanup_iterator.
- */
-DEF_ACCESS (cve_info_iterator_confidentiality_impact, GET_ITERATOR_COLUMN_COUNT + 3);
-
-/**
- * @brief Get the CVSS integrity impact for this CVE.
- *
- * @param[in] iterator Iterator.
- *
- * @return The CVSS integrity impact of this CVE, or NULL if iteration is
- * complete. Freed by cleanup_iterator.
- */
-DEF_ACCESS (cve_info_iterator_integrity_impact, GET_ITERATOR_COLUMN_COUNT + 4);
-
-/**
- * @brief Get the CVSS availability impact for this CVE.
- *
- * @param[in] iterator Iterator.
- *
- * @return The CVSS availability impact of this CVE, or NULL if iteration is
- * complete. Freed by cleanup_iterator.
- */
-DEF_ACCESS (cve_info_iterator_availability_impact, GET_ITERATOR_COLUMN_COUNT + 5);
-
/**
* @brief Get a space separated list of CPEs affected by this CVE.
*
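Review bot: `DEF_ACCESS (cve_info_iterator_complexity, GET_ITERATOR_COLUMN_COUNT + 1);` at the top of this hunk survives although its prototype is removed from manage.h in this commit and the CVE column list in manage_sql_secinfo.h no longer has a complexity column; index +1 is now `products`, which is why `cve_info_iterator_products` is moved to +1 in the next hunk. The accessor therefore returns the product list under a CVSS name, and without a prototype it will also warn under -Wmissing-prototypes. Remove that `DEF_ACCESS` line and its doc comment together with the other five.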
@@ -825,17 +795,22 @@ DEF_ACCESS (cve_info_iterator_availability_impact, GET_ITERATOR_COLUMN_COUNT + 5
* @return A space separated list of CPEs or NULL if iteration is
* complete. Freed by cleanup_iterator.
*/
-DEF_ACCESS (cve_info_iterator_products, GET_ITERATOR_COLUMN_COUNT + 6);
+DEF_ACCESS (cve_info_iterator_products, GET_ITERATOR_COLUMN_COUNT + 1);
/**
- * @brief Get the CVSS base score for this CVE.
+ * @brief Get the severity score for this CVE.
*
* @param[in] iterator Iterator.
*
- * @return The CVSS base score of this CVE, or NULL if iteration is
- * complete. Freed by cleanup_iterator.
+ * @return The severity score (10 * CVSS score) of this CVE,
+ * or -1 if iteration is complete. Freed by cleanup_iterator.
*/
-DEF_ACCESS (cve_info_iterator_cvss, GET_ITERATOR_COLUMN_COUNT + 7);
+int
+cve_info_iterator_score (iterator_t* iterator)
+{
+ if (iterator->done) return -1;
+ return iterator_int (iterator, GET_ITERATOR_COLUMN_COUNT + 2);
+}
/**
* @brief Get the Summary for this CVE.
@@ -845,7 +820,7 @@ DEF_ACCESS (cve_info_iterator_cvss, GET_ITERATOR_COLUMN_COUNT + 7);
* @return The Summary of this CVE, or NULL if iteration is
* complete. Freed by cleanup_iterator.
*/
-DEF_ACCESS (cve_info_iterator_description, GET_ITERATOR_COLUMN_COUNT + 8);
+DEF_ACCESS (cve_info_iterator_description, GET_ITERATOR_COLUMN_COUNT + 3);
/* OVAL data. */
@@ -1018,15 +993,20 @@ DEF_ACCESS (ovaldef_info_iterator_file, GET_ITERATOR_COLUMN_COUNT + 5);
DEF_ACCESS (ovaldef_info_iterator_status, GET_ITERATOR_COLUMN_COUNT + 6);
/**
- * @brief Get maximum CVSS score from an OVALDEF iterator.
+ * @brief Get maximum severity score from an OVALDEF iterator.
*
* @param[in] iterator Iterator.
*
- * @return The maximum CVSS score of the OVAL definition,
- * or NULL if iteration is complete.
+ * @return The maximum severity score (10 * CVSS score) of the OVAL
+ * definition, or -1 if iteration is complete.
* Freed by cleanup_iterator.
*/
-DEF_ACCESS (ovaldef_info_iterator_max_cvss, GET_ITERATOR_COLUMN_COUNT + 7);
+int
+ovaldef_info_iterator_score (iterator_t* iterator)
+{
+ if (iterator->done) return -1;
+ return iterator_int (iterator, GET_ITERATOR_COLUMN_COUNT + 7);
+}
/**
* @brief Get number of referenced CVEs from an OVALDEF iterator.
@@ -1039,19 +1019,6 @@ DEF_ACCESS (ovaldef_info_iterator_max_cvss, GET_ITERATOR_COLUMN_COUNT + 7);
*/
DEF_ACCESS (ovaldef_info_iterator_cve_refs, GET_ITERATOR_COLUMN_COUNT + 8);
-/**
- * @brief Get column value from an iterator.
- *
- * @param[in] iterator Iterator.
- *
- * @return Column value, or -1 if iteration is complete.
- */
-int
-ovaldef_info_iterator_score (iterator_t* iterator)
-{
- if (iterator->done) return -1;
- return iterator_int (iterator, GET_ITERATOR_COLUMN_COUNT + 9);
-}
/**
* @brief Get the short file name for an OVALDEF.
@@ -1107,7 +1074,7 @@ ovaldef_severity (const char *id)
assert (id);
quoted_id = sql_quote (id);
- ret = sql_string ("SELECT max_cvss FROM ovaldefs WHERE uuid = '%s';",
+ ret = sql_string ("SELECT score / 10.0 FROM ovaldefs WHERE uuid = '%s';",
quoted_id);
g_free (quoted_id);
return ret;
@@ -1301,16 +1268,20 @@ DEF_ACCESS (cert_bund_adv_info_iterator_cve_refs,
GET_ITERATOR_COLUMN_COUNT + 2);
/**
- * @brief Get the maximum CVSS from an CERT_BUND_ADV iterator.
+ * @brief Get the maximum severity score from an CERT_BUND_ADV iterator.
*
* @param[in] iterator Iterator.
*
- * @return The maximum CVSS of the CVEs referenced in the CERT-Bund advisory,
- * or NULL if iteration is complete.
+ * @return The maximum severity score (10 * CVSS score) of the CVEs referenced
+ * in the CERT-Bund advisory, or -1 if iteration is complete.
* Freed by cleanup_iterator.
*/
-DEF_ACCESS (cert_bund_adv_info_iterator_max_cvss,
- GET_ITERATOR_COLUMN_COUNT + 3);
+int
+cert_bund_adv_info_iterator_score (iterator_t* iterator)
+{
+ if (iterator->done) return -1;
+ return iterator_int (iterator, GET_ITERATOR_COLUMN_COUNT + 3);
+}
/**
* @brief Initialise CVE iterator, for CVEs referenced by a CERT-Bund advisory.
@@ -1506,15 +1477,20 @@ DEF_ACCESS (dfn_cert_adv_info_iterator_summary, GET_ITERATOR_COLUMN_COUNT + 1);
DEF_ACCESS (dfn_cert_adv_info_iterator_cve_refs, GET_ITERATOR_COLUMN_COUNT + 2);
/**
- * @brief Get the maximum CVSS from an DFN_CERT_ADV iterator.
+ * @brief Get the maximum severity score from an DFN_CERT_ADV iterator.
*
* @param[in] iterator Iterator.
*
- * @return The maximum CVSS of the CVEs referenced in the DFN-CERT advisory,
- * or NULL if iteration is complete.
+ * @return The maximum score (10 * CVSS score) of the CVEs referenced
+ * in the DFN-CERT advisory, or -1 if iteration is complete.
* Freed by cleanup_iterator.
*/
-DEF_ACCESS (dfn_cert_adv_info_iterator_max_cvss, GET_ITERATOR_COLUMN_COUNT + 3);
+int
+dfn_cert_adv_info_iterator_score (iterator_t* iterator)
+{
+ if (iterator->done) return -1;
+ return iterator_int (iterator, GET_ITERATOR_COLUMN_COUNT + 3);
+}
/**
* @brief Initialise CVE iterator, for CVEs referenced by a DFN-CERT advisory.
@@ -2765,15 +2741,11 @@ static int
insert_cve_from_entry (element_t entry, element_t last_modified,
GHashTable *hashed_cpes, int *transaction_size)
{
- element_t published, summary, cvss, score, base_metrics;
- element_t access_vector, access_complexity, authentication;
- element_t confidentiality_impact, integrity_impact;
- element_t availability_impact, list;
- gchar *quoted_id, *quoted_summary;
- gchar *quoted_access_vector, *quoted_access_complexity;
- gchar *quoted_authentication, *quoted_confidentiality_impact;
- gchar *quoted_integrity_impact, *quoted_availability_impact;
- gchar *quoted_software, *id, *score_text;
+ gboolean cvss_is_v3;
+ element_t published, summary, cvss, score, base_metrics, cvss_vector, list;
+ int score_int;
+ gchar *quoted_id, *quoted_summary, *quoted_cvss_vector;
+ gchar *quoted_software, *id;
GString *software;
gchar *software_unescaped, *software_tilde;
int time_modified, time_published;
@@ -2796,24 +2768,31 @@ insert_cve_from_entry (element_t entry, element_t last_modified,
return -1;
}
- cvss = element_child (entry, "vuln:cvss");
+ cvss = element_child (entry, "vuln:cvss3");
+ if (cvss == NULL)
+ {
+ cvss = element_child (entry, "vuln:cvss");
+ cvss_is_v3 = FALSE;
+ }
+ else
+ cvss_is_v3 = TRUE;
+
if (cvss == NULL)
base_metrics = NULL;
else
- base_metrics = element_child (cvss, "cvss:base_metrics");
+ base_metrics = element_child (cvss,
+ cvss_is_v3 ? "cvss3:base_metrics"
+ : "cvss:base_metrics");
+
if (base_metrics == NULL)
{
score = NULL;
- access_vector = NULL;
- access_complexity = NULL;
- authentication = NULL;
- confidentiality_impact = NULL;
- integrity_impact = NULL;
- availability_impact = NULL;
+ cvss_vector = NULL;
}
else
{
- score = element_child (base_metrics, "cvss:score");
+ score = element_child (base_metrics,
+ cvss_is_v3 ? "cvss3:base-score" : "cvss:score");
if (score == NULL)
{
g_warning ("%s: cvss:score missing", __func__);
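Review bot: The warning at the end of this hunk still reports `cvss:score missing` although the element looked up may now be `cvss3:base-score`; the same applies to the `cvss:access-vector missing` warning in the next hunk, which now follows a lookup of `vector-string`. Log the name that was actually searched, e.g. `g_warning ("%s: %s missing", __func__, cvss_is_v3 ? "cvss3:base-score" : "cvss:score");`. insert_cve_from_entry continues outside the hunk.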
@@ -2821,68 +2800,22 @@ insert_cve_from_entry (element_t entry, element_t last_modified,
return -1;
}
- access_vector = element_child (base_metrics, "cvss:access-vector");
- if (access_vector == NULL)
+ cvss_vector = element_child (base_metrics,
+ cvss_is_v3 ? "cvss3:vector-string"
+ : "cvss:vector-string");
+ if (cvss_vector == NULL)
{
g_warning ("%s: cvss:access-vector missing", __func__);
g_free (id);
return -1;
}
-
- access_complexity = element_child (base_metrics,
- "cvss:access-complexity");
- if (access_complexity == NULL)
- {
- g_warning ("%s: cvss:access-complexity missing",
- __func__);
- g_free (id);
- return -1;
- }
-
- authentication = element_child (base_metrics,
- "cvss:authentication");
- if (authentication == NULL)
- {
- g_warning ("%s: cvss:authentication missing",
- __func__);
- g_free (id);
- return -1;
- }
-
- confidentiality_impact = element_child
- (base_metrics,
- "cvss:confidentiality-impact");
- if (confidentiality_impact == NULL)
- {
- g_warning ("%s: cvss:confidentiality-impact missing",
- __func__);
- g_free (id);
- return -1;
- }
-
- integrity_impact = element_child
- (base_metrics,
- "cvss:integrity-impact");
- if (integrity_impact == NULL)
- {
- g_warning ("%s: cvss:integrity-impact missing",
- __func__);
- g_free (id);
- return -1;
- }
-
- availability_impact = element_child
- (base_metrics,
- "cvss:availability-impact");
- if (availability_impact == NULL)
- {
- g_warning ("%s: cvss:availability-impact missing",
- __func__);
- g_free (id);
- return -1;
- }
}
+ if (score == NULL)
+ score_int = 0;
+ else
+ score_int = round (atof (element_text (score)) * 10);
+
summary = element_child (entry, "vuln:summary");
if (summary == NULL)
{
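Review bot: `score_int = round (atof (element_text (score)) * 10);` leaks the string returned by `element_text` — the removed code kept that return in `score_text` and released it with `g_free` after the INSERT, so it is an allocation, and this now leaks once per scored CVE. `atof` also gives no error signal: non-numeric feed text silently becomes score 0 and an out-of-range value is converted to int unchecked. Suggest capturing the text, parsing it with `g_ascii_strtod`, rejecting values outside 0..10 the way the surrounding code rejects missing elements, and freeing the text. insert_cve_from_entry starts and ends outside the hunk.
```c
  if (score == NULL)
    score_int = 0;
  else
    {
      gchar *score_text, *end;
      double score_value;

      score_text = element_text (score);
      score_value = g_ascii_strtod (score_text, &end);
      /* CVSS base scores are 0.0 to 10.0; anything else is a malformed entry. */
      if (end == score_text || score_value < 0.0 || score_value > 10.0)
        {
          g_warning ("%s: invalid cvss score '%s'", __func__, score_text);
          g_free (score_text);
          g_free (id);
          return -1;
        }
      score_int = (int) round (score_value * 10);
      g_free (score_text);
    }
  /* … unchanged: summary lookup … */
```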
@@ -2914,15 +2847,7 @@ insert_cve_from_entry (element_t entry, element_t last_modified,
quoted_id = sql_quote (id);
g_free (id);
quoted_summary = sql_quote_element_text (summary);
- quoted_access_vector = sql_quote_element_text (access_vector);
- quoted_access_complexity = sql_quote_element_text
- (access_complexity);
- quoted_authentication = sql_quote_element_text (authentication);
- quoted_confidentiality_impact = sql_quote_element_text
- (confidentiality_impact);
- quoted_integrity_impact = sql_quote_element_text (integrity_impact);
- quoted_availability_impact = sql_quote_element_text
- (availability_impact);
+ quoted_cvss_vector = sql_quote_element_text (cvss_vector);
software_unescaped = g_uri_unescape_string (software->str, NULL);
g_string_free (software, TRUE);
software_tilde = string_replace (software_unescaped,
@@ -2932,53 +2857,33 @@ insert_cve_from_entry (element_t entry, element_t last_modified,
g_free (software_tilde);
time_modified = parse_iso_time_element_text (last_modified);
time_published = parse_iso_time_element_text (published);
- score_text = score ? element_text (score) : g_strdup ("NULL");
cve = sql_int64_0
("INSERT INTO scap2.cves"
" (uuid, name, creation_time, modification_time,"
- " cvss, description, vector, complexity,"
- " authentication, confidentiality_impact,"
- " integrity_impact, availability_impact, products)"
+ " score, description, cvss_vector, products)"
" VALUES"
- " ('%s', '%s', %i, %i, %s, '%s', '%s', '%s', '%s',"
- " '%s', '%s', '%s', '%s')"
+ " ('%s', '%s', %i, %i,"
+ " %i, '%s', '%s', '%s')"
" ON CONFLICT (uuid) DO UPDATE"
" SET name = EXCLUDED.name,"
" creation_time = EXCLUDED.creation_time,"
" modification_time = EXCLUDED.modification_time,"
- " cvss = EXCLUDED.cvss,"
+ " score = EXCLUDED.score,"
" description = EXCLUDED.description,"
- " vector = EXCLUDED.vector,"
- " complexity = EXCLUDED.complexity,"
- " authentication = EXCLUDED.authentication,"
- " confidentiality_impact"
- " = EXCLUDED.confidentiality_impact,"
- " integrity_impact = EXCLUDED.integrity_impact,"
- " availability_impact = EXCLUDED.availability_impact,"
+ " cvss_vector = EXCLUDED.cvss_vector,"
" products = EXCLUDED.products"
" RETURNING scap2.cves.id;",
quoted_id,
quoted_id,
time_published,
time_modified,
- score_text,
+ score_int,
quoted_summary,
- quoted_access_vector,
- quoted_access_complexity,
- quoted_authentication,
- quoted_confidentiality_impact,
- quoted_integrity_impact,
- quoted_availability_impact,
+ quoted_cvss_vector,
quoted_software);
increment_transaction_size (transaction_size);
g_free (quoted_summary);
- g_free (quoted_access_vector);
- g_free (quoted_access_complexity);
- g_free (quoted_authentication);
- g_free (quoted_confidentiality_impact);
- g_free (quoted_integrity_impact);
- g_free (quoted_availability_impact);
- g_free (score_text);
+ g_free (quoted_cvss_vector);
insert_cve_products (list, cve, time_published, time_modified,
hashed_cpes, transaction_size);
@@ -3600,9 +3505,9 @@ update_ovaldef_xml (gchar **file_and_date, int private)
" (uuid, name, comment, creation_time,"
" modification_time, version, deprecated, def_class,"
" title, description, xml_file, status,"
- " max_cvss, cve_refs)"
+ " score, cve_refs)"
" VALUES ('%s', '%s', '', %i, %i, %s, %i, '%s', '%s',"
- " '%s', '%s', '%s', 0.0, %i)"
+ " '%s', '%s', '%s', 0, %i)"
" ON CONFLICT (uuid) DO UPDATE"
" SET name = EXCLUDED.name,"
" comment = EXCLUDED.comment,"
@@ -3615,7 +3520,7 @@ update_ovaldef_xml (gchar **file_and_date, int private)
" description = EXCLUDED.description,"
" xml_file = EXCLUDED.xml_file,"
" status = EXCLUDED.status,"
- " max_cvss = 0.0,"
+ " score = 0,"
" cve_refs = EXCLUDED.cve_refs;",
quoted_id,
quoted_oval_id,
@@ -4439,13 +4344,13 @@ update_cvss_dfn_cert (int updated_dfn_cert, int last_cert_update,
{
g_info ("Updating Max CVSS for DFN-CERT");
sql ("UPDATE cert.dfn_cert_advs"
- " SET max_cvss = (SELECT max (cvss)"
- " FROM scap.cves"
- " WHERE name"
- " IN (SELECT cve_name"
- " FROM cert.dfn_cert_cves"
- " WHERE adv_id = dfn_cert_advs.id)"
- " AND cvss != 0.0);");
+ " SET score = (SELECT max (score)"
+ " FROM scap.cves"
+ " WHERE name"
+ " IN (SELECT cve_name"
+ " FROM cert.dfn_cert_cves"
+ " WHERE adv_id = dfn_cert_advs.id)"
+ " AND score != 0);");
g_info ("Updating DFN-CERT CVSS max succeeded.");
}
@@ -4470,13 +4375,13 @@ update_cvss_cert_bund (int updated_cert_bund, int last_cert_update,
{
g_info ("Updating Max CVSS for CERT-Bund");
sql ("UPDATE cert.cert_bund_advs"
- " SET max_cvss = (SELECT max (cvss)"
- " FROM scap.cves"
- " WHERE name"
- " IN (SELECT cve_name"
- " FROM cert.cert_bund_cves"
- " WHERE adv_id = cert_bund_advs.id)"
- " AND cvss != 0.0);");
+ " SET score = (SELECT max (score)"
+ " FROM scap.cves"
+ " WHERE name"
+ " IN (SELECT cve_name"
+ " FROM cert.cert_bund_cves"
+ " WHERE adv_id = cert_bund_advs.id)"
+ " AND score != 0);");
g_info ("Updating CERT-Bund CVSS max succeeded.");
}
@@ -4681,22 +4586,22 @@ update_scap_cvss ()
g_info ("Updating CVSS scores and CVE counts for CPEs");
sql ("UPDATE scap2.cpes"
- " SET (max_cvss, cve_refs)"
+ " SET (score, cve_refs)"
" = (WITH affected_cves"
" AS (SELECT cve FROM scap2.affected_products"
" WHERE cpe=cpes.id)"
- " SELECT (SELECT max (cvss) FROM scap2.cves"
+ " SELECT (SELECT max (score) FROM scap2.cves"
" WHERE id IN (SELECT cve FROM affected_cves)),"
" (SELECT count (*) FROM affected_cves));");
g_info ("Updating CVSS scores for OVAL definitions");
sql ("UPDATE scap2.ovaldefs"
- " SET max_cvss = (SELECT max (cvss)"
- " FROM scap2.cves"
- " WHERE id IN (SELECT cve"
- " FROM scap2.affected_ovaldefs"
- " WHERE ovaldef=ovaldefs.id)"
- " AND cvss != 0.0);");
+ " SET score = (SELECT max (score)"
+ " FROM scap2.cves"
+ " WHERE id IN (SELECT cve"
+ " FROM scap2.affected_ovaldefs"
+ " WHERE ovaldef=ovaldefs.id)"
+ " AND score != 0);");
}
/**
diff --git a/src/manage_sql_secinfo.h b/src/manage_sql_secinfo.h
index 23b24f22d..a7165c46f 100644
--- a/src/manage_sql_secinfo.h
+++ b/src/manage_sql_secinfo.h
@@ -75,10 +75,8 @@
* @brief Filter columns for CVE iterator.
*/
#define CVE_INFO_ITERATOR_FILTER_COLUMNS \
- { GET_ITERATOR_FILTER_COLUMNS, "vector", \
- "complexity", "authentication", "confidentiality_impact", \
- "integrity_impact", "availability_impact", "products", \
- "cvss", "description", "severity", "published", NULL }
+ { GET_ITERATOR_FILTER_COLUMNS, "cvss_vector", "products", \
+ "score", "description", "published", "severity", NULL }
/**
* @brief CVE iterator columns.
@@ -88,16 +86,11 @@
GET_ITERATOR_COLUMNS_PREFIX (""), \
{ "''", "_owner", KEYWORD_TYPE_STRING }, \
{ "0", NULL, KEYWORD_TYPE_INTEGER }, \
- { "vector", NULL, KEYWORD_TYPE_STRING }, \
- { "complexity", NULL, KEYWORD_TYPE_STRING }, \
- { "authentication", NULL, KEYWORD_TYPE_STRING }, \
- { "confidentiality_impact", NULL, KEYWORD_TYPE_STRING }, \
- { "integrity_impact", NULL, KEYWORD_TYPE_STRING }, \
- { "availability_impact", NULL, KEYWORD_TYPE_STRING }, \
+ { "cvss_vector", NULL, KEYWORD_TYPE_STRING }, \
{ "products", NULL, KEYWORD_TYPE_STRING }, \
- { "cvss", NULL, KEYWORD_TYPE_DOUBLE }, \
+ { "score", NULL, KEYWORD_TYPE_DOUBLE }, \
{ "description", NULL, KEYWORD_TYPE_STRING }, \
- { "cvss", "severity", KEYWORD_TYPE_DOUBLE }, \
+ { "score / 10.0", "severity", KEYWORD_TYPE_DOUBLE }, \
{ "creation_time", "published", KEYWORD_TYPE_INTEGER }, \
{ NULL, NULL, KEYWORD_TYPE_UNKNOWN } \
}
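Review bot: `{ "score", NULL, KEYWORD_TYPE_DOUBLE }` types the CVE score column as a double, while the same `score` column is declared `KEYWORD_TYPE_INTEGER` for CPEs, OVAL definitions and both CERT advisory tables in the hunks below, and the column itself is created as `score integer DEFAULT 0` in manage_pg.c. Filter comparisons on `score` will presumably be rendered differently for CVEs than for the other info types. Change it to `{ "score", NULL, KEYWORD_TYPE_INTEGER }, \`.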
@@ -107,8 +100,8 @@
*/
#define CPE_INFO_ITERATOR_FILTER_COLUMNS \
{ GET_ITERATOR_FILTER_COLUMNS, "title", "status", \
- "deprecated_by_id", "max_cvss", "cves", "nvd_id", \
- "severity", NULL }
+ "deprecated_by_id", "score", "cves", "nvd_id", \
+ "severity", "score", NULL }
/**
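Review bot: `CPE_INFO_ITERATOR_FILTER_COLUMNS` now lists `"score"` twice — once in place of `max_cvss` and again after `"severity"`. The duplicate is harmless for lookup but inconsistent with the other filter-column lists in this file, which name it once. Drop the trailing entry so the last line reads `"severity", NULL }`.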
* @brief CPE iterator columns.
@@ -121,10 +114,10 @@
{ "title", NULL, KEYWORD_TYPE_STRING }, \
{ "status", NULL, KEYWORD_TYPE_STRING }, \
{ "deprecated_by_id", NULL, KEYWORD_TYPE_INTEGER }, \
- { "max_cvss", NULL, KEYWORD_TYPE_DOUBLE }, \
+ { "score", NULL, KEYWORD_TYPE_INTEGER }, \
{ "cve_refs", "cves", KEYWORD_TYPE_INTEGER }, \
{ "nvd_id", NULL, KEYWORD_TYPE_INTEGER }, \
- { "max_cvss", "severity", KEYWORD_TYPE_DOUBLE }, \
+ { "score / 10.0", "severity", KEYWORD_TYPE_DOUBLE }, \
{ NULL, NULL, KEYWORD_TYPE_UNKNOWN } \
}
@@ -134,7 +127,8 @@
#define OVALDEF_INFO_ITERATOR_FILTER_COLUMNS \
{ GET_ITERATOR_FILTER_COLUMNS, "version", "deprecated", \
"class", "title", "description", "file", \
- "status", "max_cvss", "cves", "severity", NULL }
+ "status", "cves", "score", "severity", \
+ NULL }
/**
* @brief OVALDEF iterator columns.
@@ -151,15 +145,9 @@
{ "description", NULL, KEYWORD_TYPE_STRING }, \
{ "xml_file", "file", KEYWORD_TYPE_STRING }, \
{ "status", NULL, KEYWORD_TYPE_STRING }, \
- { "max_cvss", NULL, KEYWORD_TYPE_DOUBLE }, \
+ { "score", NULL, KEYWORD_TYPE_INTEGER }, \
{ "cve_refs", "cves", KEYWORD_TYPE_INTEGER }, \
- { "max_cvss", "severity", KEYWORD_TYPE_DOUBLE }, \
- { "CASE WHEN max_cvss IS NULL" \
- " THEN -1" \
- " ELSE (max_cvss * 10)::integer" \
- " END", \
- "score", \
- KEYWORD_TYPE_INTEGER }, \
+ { "score / 10.0", "severity", KEYWORD_TYPE_DOUBLE }, \
{ NULL, NULL, KEYWORD_TYPE_UNKNOWN } \
}
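Review bot: Removing the `CASE WHEN max_cvss IS NULL THEN -1 ... END` column drops the -1 sentinel that `ovaldef_info_iterator_score` used to return for definitions without a score; the function now reads the raw `score` column, which update_scap_cvss sets to `max (score)` and hence to NULL for definitions with no scored CVE. What `iterator_int` yields for a NULL cell is not visible here; if it is 0, "unscored" and "CVSS 0.0" become indistinguishable to callers such as results_xml_append_nvt in gmp.c. Consider keeping the sentinel on the column itself, e.g. `{ "coalesce (score, -1)", "score", KEYWORD_TYPE_INTEGER }, \`, and the same for the CERT advisory tables whose score is filled by the analogous `max (score)` updates.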
@@ -167,8 +155,8 @@
* @brief Filter columns for CERT_BUND_ADV iterator.
*/
#define CERT_BUND_ADV_INFO_ITERATOR_FILTER_COLUMNS \
- { GET_ITERATOR_FILTER_COLUMNS, "title", "summary", \
- "cves", "max_cvss", "severity", NULL }
+ { GET_ITERATOR_FILTER_COLUMNS, "title", "summary", \
+ "cves", "score", "severity", NULL }
/**
* @brief CERT_BUND_ADV iterator columns.
@@ -181,8 +169,8 @@
{ "title", NULL, KEYWORD_TYPE_STRING }, \
{ "summary", NULL, KEYWORD_TYPE_STRING }, \
{ "cve_refs", "cves", KEYWORD_TYPE_INTEGER }, \
- { "max_cvss", NULL, KEYWORD_TYPE_DOUBLE }, \
- { "max_cvss", "severity", KEYWORD_TYPE_DOUBLE }, \
+ { "score", NULL, KEYWORD_TYPE_INTEGER }, \
+ { "score / 10.0", "severity", KEYWORD_TYPE_DOUBLE }, \
{ NULL, NULL, KEYWORD_TYPE_UNKNOWN } \
}
@@ -191,7 +179,7 @@
*/
#define DFN_CERT_ADV_INFO_ITERATOR_FILTER_COLUMNS \
{ GET_ITERATOR_FILTER_COLUMNS, "title", "summary", \
- "cves", "max_cvss", "severity", NULL }
+ "cves", "score", "severity", NULL }
/**
* @brief DFN_CERT_ADV iterator columns.
@@ -204,8 +192,8 @@
{ "title", NULL, KEYWORD_TYPE_STRING }, \
{ "summary", NULL, KEYWORD_TYPE_STRING }, \
{ "cve_refs", "cves", KEYWORD_TYPE_INTEGER }, \
- { "max_cvss", NULL, KEYWORD_TYPE_DOUBLE }, \
- { "max_cvss", "severity", KEYWORD_TYPE_DOUBLE }, \
+ { "score", NULL, KEYWORD_TYPE_INTEGER }, \
+ { "score / 10.0", "severity", KEYWORD_TYPE_DOUBLE }, \
{ NULL, NULL, KEYWORD_TYPE_UNKNOWN } \
}