From c4c4133b4a3891fd398be5eed9ed05333c7b0d5b Mon Sep 17 00:00:00 2001 From: Timo Pollmeier Date: Wed, 21 Oct 2020 14:54:34 +0200 Subject: [PATCH 1/6] Use new scores and CVSS vector strings for SecInfo CVEs, CPEs, OVAL definitions and CERT advisories now use integer scores from 0 to 100 instead of CVSS scores. CVEs now also use CVSS v3 if available and store CVSS vector strings instead of individual components. --- CMakeLists.txt | 4 +- src/manage_pg.c | 35 ++++--- src/manage_sql_secinfo.c | 200 +++++++++++++-------------------------- 3 files changed, 83 insertions(+), 156 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 6616df9ac..c15ad34ec 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -98,9 +98,9 @@ include (CPack) set (GVMD_DATABASE_VERSION 237) -set (GVMD_SCAP_DATABASE_VERSION 16) +set (GVMD_SCAP_DATABASE_VERSION 17) -set (GVMD_CERT_DATABASE_VERSION 6) +set (GVMD_CERT_DATABASE_VERSION 7) set (GMP_VERSION "21.4") set (GMP_VERSION_FEED "21.04") diff --git a/src/manage_pg.c b/src/manage_pg.c index a72f83137..20dcfd09e 100644 --- a/src/manage_pg.c +++ b/src/manage_pg.c @@ -1648,12 +1648,14 @@ create_view_vulns () " FROM nvts" VULNS_RESULTS_WHERE " UNION SELECT id, uuid, name, creation_time, modification_time," - " cvss AS severity, " G_STRINGIFY (QOD_DEFAULT) " AS qod," + " score / 10.0 AS severity, " + G_STRINGIFY (QOD_DEFAULT) " AS qod," " 'cve' AS type" " FROM cves" VULNS_RESULTS_WHERE " UNION SELECT id, uuid, name, creation_time, modification_time," - " max_cvss AS severity, " G_STRINGIFY (QOD_DEFAULT) " AS qod," + " max_score / 10.0 AS severity, " + G_STRINGIFY (QOD_DEFAULT) " AS qod," " 'ovaldef' AS type" " FROM ovaldefs" VULNS_RESULTS_WHERE); @@ -2960,7 +2962,7 @@ manage_db_init (const gchar *name) " title TEXT," " summary TEXT," " cve_refs INTEGER," - " max_cvss FLOAT);"); + " max_score INTEGER);"); sql ("CREATE UNIQUE INDEX cert_bund_advs_idx" " ON cert.cert_bund_advs (name);"); sql ("CREATE INDEX cert_bund_advs_by_creation_time" 
@@ -2984,7 +2986,7 @@ manage_db_init (const gchar *name) " title TEXT," " summary TEXT," " cve_refs INTEGER," - " max_cvss FLOAT);"); + " max_score INTEGER);"); sql ("CREATE UNIQUE INDEX dfn_cert_advs_idx" " ON cert.dfn_cert_advs (name);"); sql ("CREATE INDEX dfn_cert_advs_by_creation_time" @@ -3027,7 +3029,7 @@ manage_db_init (const gchar *name) /* Init tables. */ sql ("INSERT INTO cert.meta (name, value)" - " VALUES ('database_version', '6');"); + " VALUES ('database_version', '7');"); sql ("INSERT INTO cert.meta (name, value)" " VALUES ('last_update', '0');"); } @@ -3067,14 +3069,9 @@ manage_db_init (const gchar *name) " description text," " creation_time integer," " modification_time integer," - " vector text," - " complexity text," - " authentication text," - " confidentiality_impact text," - " integrity_impact text," - " availability_impact text," + " cvss_vector text," " products text," - " cvss FLOAT DEFAULT 0);"); + " score integer DEFAULT 0);"); sql ("CREATE TABLE scap2.cpes" " (id SERIAL PRIMARY KEY," @@ -3086,7 +3083,7 @@ manage_db_init (const gchar *name) " title text," " status text," " deprecated_by_id INTEGER," - " max_cvss FLOAT DEFAULT 0," + " max_score integer DEFAULT 0," " cve_refs INTEGER DEFAULT 0," " nvd_id text);"); @@ -3108,7 +3105,7 @@ manage_db_init (const gchar *name) " description TEXT," " xml_file TEXT," " status TEXT," - " max_cvss FLOAT DEFAULT 0," + " max_score integer DEFAULT 0," " cve_refs INTEGER DEFAULT 0);"); sql ("CREATE TABLE scap2.ovalfiles" @@ -3122,7 +3119,7 @@ manage_db_init (const gchar *name) /* Init tables. */ sql ("INSERT INTO scap2.meta (name, value)" - " VALUES ('database_version', '16');"); + " VALUES ('database_version', '17');"); sql ("INSERT INTO scap2.meta (name, value)" " VALUES ('last_update', '0');"); } 
@@ -3199,8 +3196,8 @@ manage_db_init_indexes (const gchar *name) " ON scap2.cves (creation_time);"); sql ("CREATE INDEX cves_by_modification_time_idx" " ON scap2.cves (modification_time);"); - sql ("CREATE INDEX cves_by_cvss" - " ON scap2.cves (cvss);"); + sql ("CREATE INDEX cves_by_score" + " ON scap2.cves (score);"); sql ("CREATE UNIQUE INDEX cpe_idx" " ON scap2.cpes (name);"); @@ -3208,8 +3205,8 @@ manage_db_init_indexes (const gchar *name) " ON scap2.cpes (creation_time);"); sql ("CREATE INDEX cpes_by_modification_time_idx" " ON scap2.cpes (modification_time);"); - sql ("CREATE INDEX cpes_by_cvss" - " ON scap2.cpes (max_cvss);"); + sql ("CREATE INDEX cpes_by_score" + " ON scap2.cpes (max_score);"); sql ("CREATE INDEX cpes_by_uuid" " ON scap2.cpes (uuid);"); diff --git a/src/manage_sql_secinfo.c b/src/manage_sql_secinfo.c index b78b17f2f..e67e79201 100644 --- a/src/manage_sql_secinfo.c +++ b/src/manage_sql_secinfo.c @@ -39,6 +39,7 @@ #include #include #include +#include #include #include #include @@ -2765,15 +2766,11 @@ static int insert_cve_from_entry (element_t entry, element_t last_modified, GHashTable *hashed_cpes, int *transaction_size) { - element_t published, summary, cvss, score, base_metrics; - element_t access_vector, access_complexity, authentication; - element_t confidentiality_impact, integrity_impact; - element_t availability_impact, list; - gchar *quoted_id, *quoted_summary; - gchar *quoted_access_vector, *quoted_access_complexity; - gchar *quoted_authentication, *quoted_confidentiality_impact; - gchar *quoted_integrity_impact, *quoted_availability_impact; - gchar *quoted_software, *id, *score_text; + gboolean cvss_is_v3; + element_t published, summary, cvss, score, base_metrics, cvss_vector, list; + int score_int; + gchar *quoted_id, *quoted_summary, *quoted_cvss_vector; + gchar *quoted_software, *id; GString *software; gchar *software_unescaped, *software_tilde; int time_modified, time_published; 
@@ -2796,24 +2793,31 @@ insert_cve_from_entry (element_t entry, element_t last_modified, return -1; } - cvss = element_child (entry, "vuln:cvss"); + cvss = element_child (entry, "vuln:cvss3"); + if (cvss == NULL) + { + cvss = element_child (entry, "vuln:cvss"); + cvss_is_v3 = FALSE; + } + else + cvss_is_v3 = TRUE; + if (cvss == NULL) base_metrics = NULL; else - base_metrics = element_child (cvss, "cvss:base_metrics"); + base_metrics = element_child (cvss, + cvss_is_v3 ? "cvss3:base_metrics" + : "cvss:base_metrics"); + if (base_metrics == NULL) { score = NULL; - access_vector = NULL; - access_complexity = NULL; - authentication = NULL; - confidentiality_impact = NULL; - integrity_impact = NULL; - availability_impact = NULL; + cvss_vector = NULL; } else { - score = element_child (base_metrics, "cvss:score"); + score = element_child (base_metrics, + cvss_is_v3 ? "cvss3:base-score" : "cvss:score"); if (score == NULL) { g_warning ("%s: cvss:score missing", __func__); 
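Review bot: The warning on the last line of this hunk still says `cvss:score missing` even when the lookup was for `cvss3:base-score`, so a v3 entry without a score is logged under the wrong element name; the same applies to the `cvss:access-vector missing` warning in the next hunk, which now follows a lookup of `cvss3:vector-string` / `cvss:vector-string`. Both could name the element actually looked up, e.g. `g_warning ("%s: %s missing", __func__, cvss_is_v3 ? "cvss3:base-score" : "cvss:score");`. Separately, when `vuln:cvss3` is present but carries no `cvss3:base_metrics`, there is no fallback to `vuln:cvss`, so the CVE is stored with score 0 even if a v2 score exists; if that is not intended, the v2 fallback belongs after the base_metrics lookup rather than after the cvss lookup. insert_cve_from_entry starts outside this hunk.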
@@ -2821,68 +2825,22 @@ insert_cve_from_entry (element_t entry, element_t last_modified, return -1; } - access_vector = element_child (base_metrics, "cvss:access-vector"); - if (access_vector == NULL) + cvss_vector = element_child (base_metrics, + cvss_is_v3 ? "cvss3:vector-string" + : "cvss:vector-string"); + if (cvss_vector == NULL) { g_warning ("%s: cvss:access-vector missing", __func__); g_free (id); return -1; } - - access_complexity = element_child (base_metrics, - "cvss:access-complexity"); - if (access_complexity == NULL) - { - g_warning ("%s: cvss:access-complexity missing", - __func__); - g_free (id); - return -1; - } - - authentication = element_child (base_metrics, - "cvss:authentication"); - if (authentication == NULL) - { - g_warning ("%s: cvss:authentication missing", - __func__); - g_free (id); - return -1; - } - - confidentiality_impact = element_child - (base_metrics, - "cvss:confidentiality-impact"); - if (confidentiality_impact == NULL) - { - g_warning ("%s: cvss:confidentiality-impact missing", - __func__); - g_free (id); - return -1; - } - - integrity_impact = element_child - (base_metrics, - "cvss:integrity-impact"); - if (integrity_impact == NULL) - { - g_warning ("%s: cvss:integrity-impact missing", - __func__); - g_free (id); - return -1; - } - - availability_impact = element_child - (base_metrics, - "cvss:availability-impact"); - if (availability_impact == NULL) - { - g_warning ("%s: cvss:availability-impact missing", - __func__); - g_free (id); - return -1; - } } + if (score == NULL) + score_int = 0; + else + score_int = round (atof (element_text (score)) * 10); + summary = element_child (entry, "vuln:summary"); if (summary == NULL) { 
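Review bot: `score_int = round (atof (element_text (score)) * 10);` leaks the string returned by `element_text` — the removed code kept it in `score_text` and freed it after the INSERT — and `atof` reports no parse error and is locale-dependent, so an unparsable or locale-formatted score silently becomes 0. The score is taken from the feed XML, so it is worth parsing it with `g_ascii_strtod` plus an end-pointer check, rejecting values outside 0.0–10.0 the same way a missing score is rejected, and freeing the text on every path. `round` needs `<math.h>`, which the blank added include in the earlier hunk presumably is. insert_cve_from_entry starts and ends outside this hunk.
```c
  if (score == NULL)
    score_int = 0;
  else
    {
      gchar *score_text = element_text (score);
      gchar *end = NULL;
      double score_value = g_ascii_strtod (score_text, &end);

      /* Feed data: accept only a plain CVSS base score in range. */
      if (end == score_text || score_value < 0.0 || score_value > 10.0)
        {
          g_warning ("%s: invalid CVSS score '%s'", __func__, score_text);
          g_free (score_text);
          g_free (id);
          return -1;
        }
      score_int = (int) round (score_value * 10);
      g_free (score_text);
    }
  /* … unchanged: summary lookup … */
```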
@@ -2914,15 +2872,7 @@ insert_cve_from_entry (element_t entry, element_t last_modified, quoted_id = sql_quote (id); g_free (id); quoted_summary = sql_quote_element_text (summary); - quoted_access_vector = sql_quote_element_text (access_vector); - quoted_access_complexity = sql_quote_element_text - (access_complexity); - quoted_authentication = sql_quote_element_text (authentication); - quoted_confidentiality_impact = sql_quote_element_text - (confidentiality_impact); - quoted_integrity_impact = sql_quote_element_text (integrity_impact); - quoted_availability_impact = sql_quote_element_text - (availability_impact); + quoted_cvss_vector = sql_quote_element_text (cvss_vector); software_unescaped = g_uri_unescape_string (software->str, NULL); g_string_free (software, TRUE); software_tilde = string_replace (software_unescaped, 
@@ -2932,53 +2882,33 @@ insert_cve_from_entry (element_t entry, element_t last_modified, g_free (software_tilde); time_modified = parse_iso_time_element_text (last_modified); time_published = parse_iso_time_element_text (published); - score_text = score ? element_text (score) : g_strdup ("NULL"); cve = sql_int64_0 ("INSERT INTO scap2.cves" " (uuid, name, creation_time, modification_time," - " cvss, description, vector, complexity," - " authentication, confidentiality_impact," - " integrity_impact, availability_impact, products)" + " score, description, cvss_vector, products)" " VALUES" - " ('%s', '%s', %i, %i, %s, '%s', '%s', '%s', '%s'," - " '%s', '%s', '%s', '%s')" + " ('%s', '%s', %i, %i," + " %i, '%s', '%s', '%s')" " ON CONFLICT (uuid) DO UPDATE" " SET name = EXCLUDED.name," " creation_time = EXCLUDED.creation_time," " modification_time = EXCLUDED.modification_time," - " cvss = EXCLUDED.cvss," + " score = EXCLUDED.score," " description = EXCLUDED.description," - " vector = EXCLUDED.vector," - " complexity = EXCLUDED.complexity," - " authentication = EXCLUDED.authentication," - " confidentiality_impact" - " = EXCLUDED.confidentiality_impact," - " integrity_impact = EXCLUDED.integrity_impact," - " availability_impact = EXCLUDED.availability_impact," + " cvss_vector = EXCLUDED.cvss_vector," " products = EXCLUDED.products" " RETURNING scap2.cves.id;", quoted_id, quoted_id, time_published, time_modified, - score_text, + score_int, quoted_summary, - quoted_access_vector, - quoted_access_complexity, - quoted_authentication, - quoted_confidentiality_impact, - quoted_integrity_impact, - quoted_availability_impact, + quoted_cvss_vector, quoted_software); increment_transaction_size (transaction_size); g_free (quoted_summary); - g_free (quoted_access_vector); - g_free (quoted_access_complexity); - g_free (quoted_authentication); - g_free (quoted_confidentiality_impact); - g_free (quoted_integrity_impact); - g_free (quoted_availability_impact); - g_free (score_text); + 
g_free (quoted_cvss_vector); insert_cve_products (list, cve, time_published, time_modified, hashed_cpes, transaction_size); @@ -3600,9 +3530,9 @@ update_ovaldef_xml (gchar **file_and_date, int private) " (uuid, name, comment, creation_time," " modification_time, version, deprecated, def_class," " title, description, xml_file, status," - " max_cvss, cve_refs)" + " max_score, cve_refs)" " VALUES ('%s', '%s', '', %i, %i, %s, %i, '%s', '%s'," - " '%s', '%s', '%s', 0.0, %i)" + " '%s', '%s', '%s', 0, %i)" " ON CONFLICT (uuid) DO UPDATE" " SET name = EXCLUDED.name," " comment = EXCLUDED.comment," @@ -3615,7 +3545,7 @@ update_ovaldef_xml (gchar **file_and_date, int private) " description = EXCLUDED.description," " xml_file = EXCLUDED.xml_file," " status = EXCLUDED.status," - " max_cvss = 0.0," + " max_score = 0," " cve_refs = EXCLUDED.cve_refs;", quoted_id, quoted_oval_id, @@ -4439,13 +4369,13 @@ update_cvss_dfn_cert (int updated_dfn_cert, int last_cert_update, { g_info ("Updating Max CVSS for DFN-CERT"); sql ("UPDATE cert.dfn_cert_advs" - " SET max_cvss = (SELECT max (cvss)" - " FROM scap.cves" - " WHERE name" - " IN (SELECT cve_name" - " FROM cert.dfn_cert_cves" - " WHERE adv_id = dfn_cert_advs.id)" - " AND cvss != 0.0);"); + " SET max_score = (SELECT max (score)" + " FROM scap.cves" + " WHERE name" + " IN (SELECT cve_name" + " FROM cert.dfn_cert_cves" + " WHERE adv_id = dfn_cert_advs.id)" + " AND score != 0);"); g_info ("Updating DFN-CERT CVSS max succeeded."); } 
@@ -4470,13 +4400,13 @@ update_cvss_cert_bund (int updated_cert_bund, int last_cert_update, { g_info ("Updating Max CVSS for CERT-Bund"); sql ("UPDATE cert.cert_bund_advs" - " SET max_cvss = (SELECT max (cvss)" - " FROM scap.cves" - " WHERE name" - " IN (SELECT cve_name" - " FROM cert.cert_bund_cves" - " WHERE adv_id = cert_bund_advs.id)" - " AND cvss != 0.0);"); + " SET max_score = (SELECT max (score)" + " FROM scap.cves" + " WHERE name" + " IN (SELECT cve_name" + " FROM cert.cert_bund_cves" + " WHERE adv_id = cert_bund_advs.id)" + " AND score != 0);"); g_info ("Updating CERT-Bund CVSS max succeeded."); } @@ -4681,22 +4611,22 @@ update_scap_cvss () g_info ("Updating CVSS scores and CVE counts for CPEs"); sql ("UPDATE scap2.cpes" - " SET (max_cvss, cve_refs)" + " SET (max_score, cve_refs)" " = (WITH affected_cves" " AS (SELECT cve FROM scap2.affected_products" " WHERE cpe=cpes.id)" - " SELECT (SELECT max (cvss) FROM scap2.cves" + " SELECT (SELECT max (score) FROM scap2.cves" " WHERE id IN (SELECT cve FROM affected_cves))," " (SELECT count (*) FROM affected_cves));"); g_info ("Updating CVSS scores for OVAL definitions"); sql ("UPDATE scap2.ovaldefs" - " SET max_cvss = (SELECT max (cvss)" - " FROM scap2.cves" - " WHERE id IN (SELECT cve" - " FROM scap2.affected_ovaldefs" - " WHERE ovaldef=ovaldefs.id)" - " AND cvss != 0.0);"); + " SET max_score = (SELECT max (score)" + " FROM scap2.cves" + " WHERE id IN (SELECT cve" + " FROM scap2.affected_ovaldefs" + " WHERE ovaldef=ovaldefs.id)" + " AND score != 0);"); } /** From d8e1abd6b34be84c2907f0bd314a657aba102497 Mon Sep 17 00:00:00 2001 
From: Timo Pollmeier Date: Thu, 22 Oct 2020 09:24:08 +0200 Subject: [PATCH 2/6] Use new score and vector in info GMP and filters The "severity", "cvss", "max_cvss" elements and filters are replaced with the new score ones. Only the filter keyword "severity" is kept for filter and aggregate / chart compatibility. --- src/gmp.c | 42 ++++++---------- src/manage.h | 42 +++++----------- src/manage_sql_secinfo.c | 102 +++++++++++++++------------------------ src/manage_sql_secinfo.h | 54 +++++++++------------ 4 files changed, 88 insertions(+), 152 deletions(-) diff --git a/src/gmp.c b/src/gmp.c index 17543b8f4..e7b4121eb 100644 --- a/src/gmp.c +++ b/src/gmp.c @@ -9121,14 +9121,12 @@ results_xml_append_nvt (iterator_t *results, GString *buffer, int cert_loaded) "ovaldef" "%s" "" - "%s" "" "" "summary=%s", oid, ovaldef_info_iterator_title (&iterator), - ovaldef_info_iterator_max_cvss (&iterator), - ovaldef_info_iterator_score (&iterator), + ovaldef_info_iterator_max_score (&iterator), ovaldef_info_iterator_description (&iterator)); g_free (get.id); cleanup_iterator (&iterator); @@ -13246,11 +13244,11 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error) cpe_info_iterator_title (&info)); xml_string_append (result, "%s" - "%s" + "%d" "%s" "%s", cpe_info_iterator_nvd_id (&info), - cpe_info_iterator_max_cvss (&info), + cpe_info_iterator_max_score (&info), cpe_info_iterator_cve_refs (&info), cpe_info_iterator_status (&info) ? cpe_info_iterator_status (&info) : ""); @@ -13274,13 +13272,13 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error) " id=\"%s\">" "" "" - "%s" + "%0.1lf" "" "" "" "", cve_iterator_name (&cves), - cve_iterator_cvss (&cves)); + cve_iterator_score (&cves) / 10.0); cleanup_iterator (&cves); g_string_append (result, ""); } 
@@ -13289,24 +13287,12 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error) { xml_string_append (result, "" - "%s" - "%s" - "%s" - "%s" - "%s" - "%s" - "%s" + "%d" + "%s" "%s" "%s", - cve_info_iterator_cvss (&info) - ? cve_info_iterator_cvss (&info) - : "", + cve_info_iterator_score (&info), cve_info_iterator_vector (&info), - cve_info_iterator_complexity (&info), - cve_info_iterator_authentication (&info), - cve_info_iterator_confidentiality_impact (&info), - cve_info_iterator_integrity_impact (&info), - cve_info_iterator_availability_impact (&info), cve_info_iterator_description (&info), cve_info_iterator_products (&info)); if (get_info_data->details == 1) @@ -13380,7 +13366,7 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error) "%s" "%s" "%s" - "%s" + "%d" "%s" "%s", ovaldef_info_iterator_version (&info), @@ -13388,7 +13374,7 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error) ovaldef_info_iterator_status (&info), ovaldef_info_iterator_class (&info), ovaldef_info_iterator_title (&info), - ovaldef_info_iterator_max_cvss (&info), + ovaldef_info_iterator_max_score (&info), ovaldef_info_iterator_cve_refs (&info), ovaldef_info_iterator_file (&info)); description = ovaldef_info_iterator_description (&info); 
@@ -13402,22 +13388,22 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error) "" "%s" "%s" - "%s" + "%d" "%s", cert_bund_adv_info_iterator_title (&info), cert_bund_adv_info_iterator_summary (&info), - cert_bund_adv_info_iterator_max_cvss(&info), + cert_bund_adv_info_iterator_max_score(&info), cert_bund_adv_info_iterator_cve_refs (&info)); else if (g_strcmp0 ("dfn_cert_adv", get_info_data->type) == 0) xml_string_append (result, "" "%s" "%s" - "%s" + "%d" "%s", dfn_cert_adv_info_iterator_title (&info), dfn_cert_adv_info_iterator_summary (&info), - dfn_cert_adv_info_iterator_max_cvss(&info), + dfn_cert_adv_info_iterator_max_score(&info), dfn_cert_adv_info_iterator_cve_refs (&info)); else if (g_strcmp0 ("nvt", get_info_data->type) == 0) { diff --git a/src/manage.h b/src/manage.h index a0c029810..cab0f2b23 100644 --- a/src/manage.h +++ b/src/manage.h @@ -3101,8 +3101,8 @@ cpe_info_iterator_title (iterator_t*); const char* cpe_info_iterator_status (iterator_t*); -const char* -cpe_info_iterator_max_cvss (iterator_t*); +int +cpe_info_iterator_max_score (iterator_t*); const char* cpe_info_iterator_deprecated_by_id (iterator_t*); @@ -3118,30 +3118,15 @@ cpe_info_iterator_nvd_id (iterator_t*); const char* cve_iterator_name (iterator_t*); -const char* -cve_iterator_cvss (iterator_t*); +int +cve_iterator_score (iterator_t*); -const char* -cve_info_iterator_cvss (iterator_t*); +int +cve_info_iterator_score (iterator_t*); const char* cve_info_iterator_vector (iterator_t*); -const char* -cve_info_iterator_complexity (iterator_t*); - -const char* -cve_info_iterator_authentication (iterator_t*); - -const char* -cve_info_iterator_confidentiality_impact (iterator_t*); - -const char* -cve_info_iterator_integrity_impact (iterator_t*); - -const char* -cve_info_iterator_availability_impact (iterator_t*); - const char* cve_info_iterator_description (iterator_t*); 
@@ -3188,15 +3173,12 @@ ovaldef_info_iterator_file (iterator_t*); const char* ovaldef_info_iterator_status (iterator_t*); -const char* -ovaldef_info_iterator_max_cvss (iterator_t*); +int +ovaldef_info_iterator_max_score (iterator_t*); const char* ovaldef_info_iterator_cve_refs (iterator_t*); -int -ovaldef_info_iterator_score (iterator_t *); - char * ovaldef_severity (const char *); @@ -3230,8 +3212,8 @@ cert_bund_adv_info_iterator_summary (iterator_t*); const char* cert_bund_adv_info_iterator_cve_refs (iterator_t*); -const char* -cert_bund_adv_info_iterator_max_cvss (iterator_t*); +int +cert_bund_adv_info_iterator_max_score (iterator_t*); void init_cve_cert_bund_adv_iterator (iterator_t*, const char*, int, const char*); @@ -3259,8 +3241,8 @@ dfn_cert_adv_info_iterator_summary (iterator_t*); const char* dfn_cert_adv_info_iterator_cve_refs (iterator_t*); -const char* -dfn_cert_adv_info_iterator_max_cvss (iterator_t*); +int +dfn_cert_adv_info_iterator_max_score (iterator_t*); void init_cve_dfn_cert_adv_iterator (iterator_t*, const char*, int, const char*); diff --git a/src/manage_sql_secinfo.c b/src/manage_sql_secinfo.c index e67e79201..0da9b0416 100644 --- a/src/manage_sql_secinfo.c +++ b/src/manage_sql_secinfo.c @@ -558,7 +558,12 @@ DEF_ACCESS (cpe_info_iterator_status, GET_ITERATOR_COLUMN_COUNT + 1); * @return The Highest CVSS of the CPE, or NULL if iteration is complete. * Freed by cleanup_iterator. */ -DEF_ACCESS (cpe_info_iterator_max_cvss, GET_ITERATOR_COLUMN_COUNT + 3); +int +cpe_info_iterator_max_score (iterator_t *iterator) +{ + if (iterator->done) return -1; + return iterator_int (iterator, GET_ITERATOR_COLUMN_COUNT + 3); +} /** * @brief Get the Number of CVE's referencing this cpe from a CPE iterator. 
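Review bot: The Doxygen comment kept as context above the new `cpe_info_iterator_max_score` still reads `@return The Highest CVSS of the CPE, or NULL if iteration is complete. Freed by cleanup_iterator.`, which no longer fits a function returning `int` with `-1` as the end-of-iteration value; the same stale wording sits above `cve_iterator_score`, `cve_info_iterator_score`, `ovaldef_info_iterator_max_score`, `cert_bund_adv_info_iterator_max_score` and `dfn_cert_adv_info_iterator_max_score` in the following hunks. Suggested text for this one: `@return The highest score of the CPE, or -1 if iteration is complete.`, dropping the "Freed by cleanup_iterator" sentence since nothing is allocated. The commit message gives the range as 0 to 100; stating that in the comment would help readers of the GMP output.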
@@ -652,7 +657,12 @@ DEF_ACCESS (cve_iterator_name, 1); * @return The CVSS of the CVE, or NULL if iteration is complete. Freed by * cleanup_iterator. */ -DEF_ACCESS (cve_iterator_cvss, 2); +int +cve_iterator_score (iterator_t* iterator) +{ + if (iterator->done) return -1; + return iterator_int (iterator, 2); +} /** * @brief Get the short file name for an OVALDEF. @@ -778,46 +788,6 @@ DEF_ACCESS (cve_info_iterator_vector, GET_ITERATOR_COLUMN_COUNT); */ DEF_ACCESS (cve_info_iterator_complexity, GET_ITERATOR_COLUMN_COUNT + 1); -/** - * @brief Get the CVSS attack authentication for this CVE. - * - * @param[in] iterator Iterator. - * - * @return The CVSS attack authentication of this CVE, or NULL if iteration is - * complete. Freed by cleanup_iterator. - */ -DEF_ACCESS (cve_info_iterator_authentication, GET_ITERATOR_COLUMN_COUNT + 2); - -/** - * @brief Get the CVSS confidentiality impact for this CVE. - * - * @param[in] iterator Iterator. - * - * @return The CVSS confidentiality impact of this CVE, or NULL if iteration is - * complete. Freed by cleanup_iterator. - */ -DEF_ACCESS (cve_info_iterator_confidentiality_impact, GET_ITERATOR_COLUMN_COUNT + 3); - -/** - * @brief Get the CVSS integrity impact for this CVE. - * - * @param[in] iterator Iterator. - * - * @return The CVSS integrity impact of this CVE, or NULL if iteration is - * complete. Freed by cleanup_iterator. - */ -DEF_ACCESS (cve_info_iterator_integrity_impact, GET_ITERATOR_COLUMN_COUNT + 4); - -/** - * @brief Get the CVSS availability impact for this CVE. - * - * @param[in] iterator Iterator. - * - * @return The CVSS availability impact of this CVE, or NULL if iteration is - * complete. Freed by cleanup_iterator. - */ -DEF_ACCESS (cve_info_iterator_availability_impact, GET_ITERATOR_COLUMN_COUNT + 5); - /** * @brief Get a space separated list of CPEs affected by this CVE. * 
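Review bot: `DEF_ACCESS (cve_info_iterator_complexity, GET_ITERATOR_COLUMN_COUNT + 1);` survives as a context line at the top of the second hunk although its declaration is dropped from manage.h in this commit, and column `GET_ITERATOR_COLUMN_COUNT + 1` of the new CVE_INFO_ITERATOR_COLUMNS is `products`, so the accessor is now a misnamed alias of `cve_info_iterator_products` documented as a column that no longer exists. It should be removed together with its Doxygen comment (the comment is outside the hunk), like the five accessors removed below it. If anything elsewhere still calls it, that caller needs updating rather than keeping the accessor.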
@@ -826,7 +796,7 @@ DEF_ACCESS (cve_info_iterator_availability_impact, GET_ITERATOR_COLUMN_COUNT + 5 * @return A space separated list of CPEs or NULL if iteration is * complete. Freed by cleanup_iterator. */ -DEF_ACCESS (cve_info_iterator_products, GET_ITERATOR_COLUMN_COUNT + 6); +DEF_ACCESS (cve_info_iterator_products, GET_ITERATOR_COLUMN_COUNT + 1); /** * @brief Get the CVSS base score for this CVE. @@ -836,7 +806,12 @@ DEF_ACCESS (cve_info_iterator_products, GET_ITERATOR_COLUMN_COUNT + 6); * @return The CVSS base score of this CVE, or NULL if iteration is * complete. Freed by cleanup_iterator. */ -DEF_ACCESS (cve_info_iterator_cvss, GET_ITERATOR_COLUMN_COUNT + 7); +int +cve_info_iterator_score (iterator_t* iterator) +{ + if (iterator->done) return -1; + return iterator_int (iterator, GET_ITERATOR_COLUMN_COUNT + 2); +} /** * @brief Get the Summary for this CVE. @@ -846,7 +821,7 @@ DEF_ACCESS (cve_info_iterator_cvss, GET_ITERATOR_COLUMN_COUNT + 7); * @return The Summary of this CVE, or NULL if iteration is * complete. Freed by cleanup_iterator. */ -DEF_ACCESS (cve_info_iterator_description, GET_ITERATOR_COLUMN_COUNT + 8); +DEF_ACCESS (cve_info_iterator_description, GET_ITERATOR_COLUMN_COUNT + 3); /* OVAL data. */ @@ -1027,7 +1002,12 @@ DEF_ACCESS (ovaldef_info_iterator_status, GET_ITERATOR_COLUMN_COUNT + 6); * or NULL if iteration is complete. * Freed by cleanup_iterator. */ -DEF_ACCESS (ovaldef_info_iterator_max_cvss, GET_ITERATOR_COLUMN_COUNT + 7); +int +ovaldef_info_iterator_max_score (iterator_t* iterator) +{ + if (iterator->done) return -1; + return iterator_int (iterator, GET_ITERATOR_COLUMN_COUNT + 7); +} /** * @brief Get number of referenced CVEs from an OVALDEF iterator. 
@@ -1040,19 +1020,6 @@ DEF_ACCESS (ovaldef_info_iterator_max_cvss, GET_ITERATOR_COLUMN_COUNT + 7); */ DEF_ACCESS (ovaldef_info_iterator_cve_refs, GET_ITERATOR_COLUMN_COUNT + 8); -/** - * @brief Get column value from an iterator. - * - * @param[in] iterator Iterator. - * - * @return Column value, or -1 if iteration is complete. - */ -int -ovaldef_info_iterator_score (iterator_t* iterator) -{ - if (iterator->done) return -1; - return iterator_int (iterator, GET_ITERATOR_COLUMN_COUNT + 9); -} /** * @brief Get the short file name for an OVALDEF. @@ -1108,7 +1075,7 @@ ovaldef_severity (const char *id) assert (id); quoted_id = sql_quote (id); - ret = sql_string ("SELECT max_cvss FROM ovaldefs WHERE uuid = '%s';", + ret = sql_string ("SELECT max_score / 10.0 FROM ovaldefs WHERE uuid = '%s';", quoted_id); g_free (quoted_id); return ret; @@ -1310,8 +1277,12 @@ DEF_ACCESS (cert_bund_adv_info_iterator_cve_refs, * or NULL if iteration is complete. * Freed by cleanup_iterator. */ -DEF_ACCESS (cert_bund_adv_info_iterator_max_cvss, - GET_ITERATOR_COLUMN_COUNT + 3); +int +cert_bund_adv_info_iterator_max_score (iterator_t* iterator) +{ + if (iterator->done) return -1; + return iterator_int (iterator, GET_ITERATOR_COLUMN_COUNT + 3); +} /** * @brief Initialise CVE iterator, for CVEs referenced by a CERT-Bund advisory. @@ -1515,7 +1486,12 @@ DEF_ACCESS (dfn_cert_adv_info_iterator_cve_refs, GET_ITERATOR_COLUMN_COUNT + 2); * or NULL if iteration is complete. * Freed by cleanup_iterator. */ -DEF_ACCESS (dfn_cert_adv_info_iterator_max_cvss, GET_ITERATOR_COLUMN_COUNT + 3); +int +dfn_cert_adv_info_iterator_max_score (iterator_t* iterator) +{ + if (iterator->done) return -1; + return iterator_int (iterator, GET_ITERATOR_COLUMN_COUNT + 3); +} /** * @brief Initialise CVE iterator, for CVEs referenced by a DFN-CERT advisory. diff --git a/src/manage_sql_secinfo.h b/src/manage_sql_secinfo.h index 23b24f22d..9508046ae 100644 --- a/src/manage_sql_secinfo.h +++ b/src/manage_sql_secinfo.h 
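Review bot: `SELECT max_score / 10.0 FROM ovaldefs ...` in the `ovaldef_severity` hunk returns the text of a PostgreSQL numeric division, and for an integer operand that carries extended scale (75 / 10.0 prints as `7.5000000000000000`, not `7.5`), so the string handed back by `sql_string` changes shape compared with the old float column. If any consumer emits or compares that string instead of parsing it as a number, round it in SQL, e.g. `ret = sql_string ("SELECT round (max_score / 10.0, 1) FROM ovaldefs WHERE uuid = '%s';", quoted_id);`. I am inferring the output format from PostgreSQL's numeric division rules, so it is worth confirming against an actual row. ovaldef_severity starts outside this hunk.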
@@ -75,10 +75,8 @@ * @brief Filter columns for CVE iterator. */ #define CVE_INFO_ITERATOR_FILTER_COLUMNS \ - { GET_ITERATOR_FILTER_COLUMNS, "vector", \ - "complexity", "authentication", "confidentiality_impact", \ - "integrity_impact", "availability_impact", "products", \ - "cvss", "description", "severity", "published", NULL } + { GET_ITERATOR_FILTER_COLUMNS, "cvss_vector", "products", \ + "score", "description", "published", "severity", NULL } /** * @brief CVE iterator columns. @@ -88,16 +86,11 @@ GET_ITERATOR_COLUMNS_PREFIX (""), \ { "''", "_owner", KEYWORD_TYPE_STRING }, \ { "0", NULL, KEYWORD_TYPE_INTEGER }, \ - { "vector", NULL, KEYWORD_TYPE_STRING }, \ - { "complexity", NULL, KEYWORD_TYPE_STRING }, \ - { "authentication", NULL, KEYWORD_TYPE_STRING }, \ - { "confidentiality_impact", NULL, KEYWORD_TYPE_STRING }, \ - { "integrity_impact", NULL, KEYWORD_TYPE_STRING }, \ - { "availability_impact", NULL, KEYWORD_TYPE_STRING }, \ + { "cvss_vector", NULL, KEYWORD_TYPE_STRING }, \ { "products", NULL, KEYWORD_TYPE_STRING }, \ - { "cvss", NULL, KEYWORD_TYPE_DOUBLE }, \ + { "score", NULL, KEYWORD_TYPE_DOUBLE }, \ { "description", NULL, KEYWORD_TYPE_STRING }, \ - { "cvss", "severity", KEYWORD_TYPE_DOUBLE }, \ + { "score / 10.0", "severity", KEYWORD_TYPE_DOUBLE }, \ { "creation_time", "published", KEYWORD_TYPE_INTEGER }, \ { NULL, NULL, KEYWORD_TYPE_UNKNOWN } \ } @@ -107,8 +100,8 @@ */ #define CPE_INFO_ITERATOR_FILTER_COLUMNS \ { GET_ITERATOR_FILTER_COLUMNS, "title", "status", \ - "deprecated_by_id", "max_cvss", "cves", "nvd_id", \ - "severity", NULL } + "deprecated_by_id", "max_score", "cves", "nvd_id", \ + "severity", "score", NULL } /** * @brief CPE iterator columns. 
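Review bot: In the CVE_INFO_ITERATOR_COLUMNS hunk, `{ "score", NULL, KEYWORD_TYPE_DOUBLE }` types the new integer column as a double, while the CPE, OVALDEF and CERT column tables in the following hunks use `KEYWORD_TYPE_INTEGER` for their score columns and the schema declares `score integer DEFAULT 0`. Using `{ "score", NULL, KEYWORD_TYPE_INTEGER }` keeps filter parsing and sorting consistent across the info types; the `score / 10.0` severity alias should stay `KEYWORD_TYPE_DOUBLE`. Whether the double type actually changes filter results I cannot tell from here, but the inconsistency is at least confusing to the next maintainer.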
@@ -121,10 +114,11 @@ { "title", NULL, KEYWORD_TYPE_STRING }, \ { "status", NULL, KEYWORD_TYPE_STRING }, \ { "deprecated_by_id", NULL, KEYWORD_TYPE_INTEGER }, \ - { "max_cvss", NULL, KEYWORD_TYPE_DOUBLE }, \ + { "max_score", NULL, KEYWORD_TYPE_INTEGER }, \ { "cve_refs", "cves", KEYWORD_TYPE_INTEGER }, \ { "nvd_id", NULL, KEYWORD_TYPE_INTEGER }, \ - { "max_cvss", "severity", KEYWORD_TYPE_DOUBLE }, \ + { "max_score", "score", KEYWORD_TYPE_INTEGER }, \ + { "max_score / 10.0", "severity", KEYWORD_TYPE_DOUBLE }, \ { NULL, NULL, KEYWORD_TYPE_UNKNOWN } \ } @@ -134,7 +128,8 @@ #define OVALDEF_INFO_ITERATOR_FILTER_COLUMNS \ { GET_ITERATOR_FILTER_COLUMNS, "version", "deprecated", \ "class", "title", "description", "file", \ - "status", "max_cvss", "cves", "severity", NULL } + "status", "max_score", "cves", "score", "severity", \ + NULL } /** * @brief OVALDEF iterator columns. @@ -151,15 +146,10 @@ { "description", NULL, KEYWORD_TYPE_STRING }, \ { "xml_file", "file", KEYWORD_TYPE_STRING }, \ { "status", NULL, KEYWORD_TYPE_STRING }, \ - { "max_cvss", NULL, KEYWORD_TYPE_DOUBLE }, \ + { "max_score", NULL, KEYWORD_TYPE_INTEGER }, \ { "cve_refs", "cves", KEYWORD_TYPE_INTEGER }, \ - { "max_cvss", "severity", KEYWORD_TYPE_DOUBLE }, \ - { "CASE WHEN max_cvss IS NULL" \ - " THEN -1" \ - " ELSE (max_cvss * 10)::integer" \ - " END", \ - "score", \ - KEYWORD_TYPE_INTEGER }, \ + { "max_score", "score", KEYWORD_TYPE_INTEGER }, \ + { "max_score / 10.0", "severity", KEYWORD_TYPE_DOUBLE }, \ { NULL, NULL, KEYWORD_TYPE_UNKNOWN } \ } @@ -168,7 +158,7 @@ */ #define CERT_BUND_ADV_INFO_ITERATOR_FILTER_COLUMNS \ { GET_ITERATOR_FILTER_COLUMNS, "title", "summary", \ - "cves", "max_cvss", "severity", NULL } + "cves", "max_score", "score", "severity", NULL } /** * @brief CERT_BUND_ADV iterator columns. 
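Review bot: The OVALDEF `score` filter column loses the NULL handling of the replaced `CASE WHEN max_cvss IS NULL THEN -1 ...` expression: `max_score` is NULL for a definition without scored CVEs (the `update_scap_cvss` subquery in the first patch yields NULL when no row matches), and the plain `{ "max_score", "score", KEYWORD_TYPE_INTEGER }` hands that NULL to `iterator_int` in `ovaldef_info_iterator_max_score`, whose behaviour on NULL is not visible here. If `-1` is still the intended "no score" value for the GMP `<score>` element, use `{ "coalesce (max_score, -1)", "score", KEYWORD_TYPE_INTEGER }`. The same question applies to the CPE column in this hunk and the CERT advisory columns in the next one, since their `max_score` can be NULL for the same reason.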
@@ -181,8 +171,9 @@ { "title", NULL, KEYWORD_TYPE_STRING }, \ { "summary", NULL, KEYWORD_TYPE_STRING }, \ { "cve_refs", "cves", KEYWORD_TYPE_INTEGER }, \ - { "max_cvss", NULL, KEYWORD_TYPE_DOUBLE }, \ - { "max_cvss", "severity", KEYWORD_TYPE_DOUBLE }, \ + { "max_score", NULL, KEYWORD_TYPE_INTEGER }, \ + { "max_score", "score", KEYWORD_TYPE_INTEGER }, \ + { "max_score / 10.0", "severity", KEYWORD_TYPE_DOUBLE }, \ { NULL, NULL, KEYWORD_TYPE_UNKNOWN } \ } @@ -191,7 +182,7 @@ */ #define DFN_CERT_ADV_INFO_ITERATOR_FILTER_COLUMNS \ { GET_ITERATOR_FILTER_COLUMNS, "title", "summary", \ - "cves", "max_cvss", "severity", NULL } + "cves", "max_score", "score", "severity", NULL } /** * @brief DFN_CERT_ADV iterator columns. @@ -204,8 +195,9 @@ { "title", NULL, KEYWORD_TYPE_STRING }, \ { "summary", NULL, KEYWORD_TYPE_STRING }, \ { "cve_refs", "cves", KEYWORD_TYPE_INTEGER }, \ - { "max_cvss", NULL, KEYWORD_TYPE_DOUBLE }, \ - { "max_cvss", "severity", KEYWORD_TYPE_DOUBLE }, \ + { "max_score", NULL, KEYWORD_TYPE_INTEGER }, \ + { "max_score", "score", KEYWORD_TYPE_INTEGER }, \ + { "max_score / 10.0", "severity", KEYWORD_TYPE_DOUBLE }, \ { NULL, NULL, KEYWORD_TYPE_UNKNOWN } \ } From 2dee5a67bfa7c85d80daa5dbc9e172bec7ac37d9 Mon Sep 17 00:00:00 2001 From: Timo Pollmeier Date: Thu, 22 Oct 2020 10:48:44 +0200 Subject: [PATCH 3/6] Rename max_score columns and elements to score For simplicity all the new score elements and filter columns should be named the same. --- src/gmp.c | 18 ++++++++-------- src/manage.h | 8 ++++---- src/manage_pg.c | 12 +++++------ src/manage_sql_secinfo.c | 44 ++++++++++++++++++++-------------------- src/manage_sql_secinfo.h | 30 ++++++++++++--------------- 5 files changed, 54 insertions(+), 58 deletions(-) diff --git a/src/gmp.c b/src/gmp.c index e7b4121eb..673fb3772 100644 --- a/src/gmp.c +++ b/src/gmp.c 
@@ -9126,7 +9126,7 @@ results_xml_append_nvt (iterator_t *results, GString *buffer, int cert_loaded) "summary=%s", oid, ovaldef_info_iterator_title (&iterator), - ovaldef_info_iterator_max_score (&iterator), + ovaldef_info_iterator_score (&iterator), ovaldef_info_iterator_description (&iterator)); g_free (get.id); cleanup_iterator (&iterator); @@ -13244,11 +13244,11 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error) cpe_info_iterator_title (&info)); xml_string_append (result, "%s" - "%d" + "%d" "%s" "%s", cpe_info_iterator_nvd_id (&info), - cpe_info_iterator_max_score (&info), + cpe_info_iterator_score (&info), cpe_info_iterator_cve_refs (&info), cpe_info_iterator_status (&info) ? cpe_info_iterator_status (&info) : ""); @@ -13366,7 +13366,7 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error) "%s" "%s" "%s" - "%d" + "%d" "%s" "%s", ovaldef_info_iterator_version (&info), @@ -13374,7 +13374,7 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error) ovaldef_info_iterator_status (&info), ovaldef_info_iterator_class (&info), ovaldef_info_iterator_title (&info), - ovaldef_info_iterator_max_score (&info), + ovaldef_info_iterator_score (&info), ovaldef_info_iterator_cve_refs (&info), ovaldef_info_iterator_file (&info)); description = ovaldef_info_iterator_description (&info); 
@@ -13388,22 +13388,22 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error)
 ""
 "%s"
 "%s"
- "%d"
+ "%d"
 "%s",
 cert_bund_adv_info_iterator_title (&info),
 cert_bund_adv_info_iterator_summary (&info),
- cert_bund_adv_info_iterator_max_score(&info),
+ cert_bund_adv_info_iterator_score(&info),
 cert_bund_adv_info_iterator_cve_refs (&info));
 else if (g_strcmp0 ("dfn_cert_adv", get_info_data->type) == 0)
 xml_string_append (result,
 ""
 "%s"
 "%s"
- "%d"
+ "%d"
 "%s",
 dfn_cert_adv_info_iterator_title (&info),
 dfn_cert_adv_info_iterator_summary (&info),
- dfn_cert_adv_info_iterator_max_score(&info),
+ dfn_cert_adv_info_iterator_score(&info),
 dfn_cert_adv_info_iterator_cve_refs (&info));
 else if (g_strcmp0 ("nvt", get_info_data->type) == 0)
 {
diff --git a/src/manage.h b/src/manage.h
index cab0f2b23..0296561f2 100644
--- a/src/manage.h
+++ b/src/manage.h
@@ -3102,7 +3102,7 @@ const char*
 cpe_info_iterator_status (iterator_t*);
 int
-cpe_info_iterator_max_score (iterator_t*);
+cpe_info_iterator_score (iterator_t*);
 const char*
 cpe_info_iterator_deprecated_by_id (iterator_t*);
@@ -3174,7 +3174,7 @@ const char*
 ovaldef_info_iterator_status (iterator_t*);
 int
-ovaldef_info_iterator_max_score (iterator_t*);
+ovaldef_info_iterator_score (iterator_t*);
 const char*
 ovaldef_info_iterator_cve_refs (iterator_t*);
@@ -3213,7 +3213,7 @@ const char*
 cert_bund_adv_info_iterator_cve_refs (iterator_t*);
 int
-cert_bund_adv_info_iterator_max_score (iterator_t*);
+cert_bund_adv_info_iterator_score (iterator_t*);
 void
 init_cve_cert_bund_adv_iterator (iterator_t*, const char*, int, const char*);
@@ -3242,7 +3242,7 @@ const char*
 dfn_cert_adv_info_iterator_cve_refs (iterator_t*);
 int
-dfn_cert_adv_info_iterator_max_score (iterator_t*);
+dfn_cert_adv_info_iterator_score (iterator_t*);
 void
 init_cve_dfn_cert_adv_iterator (iterator_t*, const char*, int, const char*);
diff --git a/src/manage_pg.c b/src/manage_pg.c
index 20dcfd09e..315052278 100644
--- a/src/manage_pg.c
+++ b/src/manage_pg.c
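Review bot: `cert_bund_adv_info_iterator_score(&info)` and `dfn_cert_adv_info_iterator_score(&info)` in the `handle_get_info` hunk are written without the space before the parenthesis that every neighbouring call uses (`cert_bund_adv_info_iterator_cve_refs (&info)`); since the rename rewrites these lines anyway, make them `cert_bund_adv_info_iterator_score (&info),` and `dfn_cert_adv_info_iterator_score (&info),`. The four manage.h hunks only rename prototypes and need nothing further. The enclosing `handle_get_info` body extends beyond the hunk on both sides.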
@@ -1654,7 +1654,7 @@ create_view_vulns ()
 " FROM cves"
 VULNS_RESULTS_WHERE
 " UNION SELECT id, uuid, name, creation_time, modification_time,"
- " max_score / 10.0 AS severity, "
+ " score / 10.0 AS severity, "
 G_STRINGIFY (QOD_DEFAULT) " AS qod,"
 " 'ovaldef' AS type"
 " FROM ovaldefs"
@@ -2962,7 +2962,7 @@ manage_db_init (const gchar *name)
 " title TEXT,"
 " summary TEXT,"
 " cve_refs INTEGER,"
- " max_score INTEGER);");
+ " score INTEGER);");
 sql ("CREATE UNIQUE INDEX cert_bund_advs_idx"
 " ON cert.cert_bund_advs (name);");
 sql ("CREATE INDEX cert_bund_advs_by_creation_time"
@@ -2986,7 +2986,7 @@ manage_db_init (const gchar *name)
 " title TEXT,"
 " summary TEXT,"
 " cve_refs INTEGER,"
- " max_score INTEGER);");
+ " score INTEGER);");
 sql ("CREATE UNIQUE INDEX dfn_cert_advs_idx"
 " ON cert.dfn_cert_advs (name);");
 sql ("CREATE INDEX dfn_cert_advs_by_creation_time"
@@ -3083,7 +3083,7 @@ manage_db_init (const gchar *name)
 " title text,"
 " status text,"
 " deprecated_by_id INTEGER,"
- " max_score integer DEFAULT 0,"
+ " score integer DEFAULT 0,"
 " cve_refs INTEGER DEFAULT 0,"
 " nvd_id text);");
@@ -3105,7 +3105,7 @@ manage_db_init (const gchar *name)
 " description TEXT,"
 " xml_file TEXT,"
 " status TEXT,"
- " max_score integer DEFAULT 0,"
+ " score integer DEFAULT 0,"
 " cve_refs INTEGER DEFAULT 0);");
 sql ("CREATE TABLE scap2.ovalfiles"
@@ -3206,7 +3206,7 @@ manage_db_init_indexes (const gchar *name)
 sql ("CREATE INDEX cpes_by_modification_time_idx"
 " ON scap2.cpes (modification_time);");
 sql ("CREATE INDEX cpes_by_score"
- " ON scap2.cpes (max_score);");
+ " ON scap2.cpes (score);");
 sql ("CREATE INDEX cpes_by_uuid"
 " ON scap2.cpes (uuid);");
diff --git a/src/manage_sql_secinfo.c b/src/manage_sql_secinfo.c
index 0da9b0416..f37f0ef3b 100644
--- a/src/manage_sql_secinfo.c
+++ b/src/manage_sql_secinfo.c
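Review bot: In the two `manage_db_init` hunks for `cert.cert_bund_advs` and `cert.dfn_cert_advs` the renamed column is declared `score INTEGER` with no default, while the `scap2.cpes` and `scap2.ovaldefs` hunks of the same commit declare `score integer DEFAULT 0`; the CERT advisories are later filled from a `max (score)` subquery that can yield NULL, so the missing default leaves freshly inserted or unscored advisories at NULL instead of 0. Declaring both as `" score INTEGER DEFAULT 0);"` keeps the four tables consistent. Nothing in this chunk migrates an existing `max_score` column on already initialised databases; if the version bumps elsewhere in the series force a rebuild from the feed that is fine, otherwise a migrator is still needed. All `manage_db_init` hunks are cut from a function that starts and ends outside the diff.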
@@ -559,7 +559,7 @@ DEF_ACCESS (cpe_info_iterator_status, GET_ITERATOR_COLUMN_COUNT + 1);
 * Freed by cleanup_iterator.
 */
 int
-cpe_info_iterator_max_score (iterator_t *iterator)
+cpe_info_iterator_score (iterator_t *iterator)
 {
 if (iterator->done) return -1;
 return iterator_int (iterator, GET_ITERATOR_COLUMN_COUNT + 3);
@@ -1003,7 +1003,7 @@ DEF_ACCESS (ovaldef_info_iterator_status, GET_ITERATOR_COLUMN_COUNT + 6);
 * Freed by cleanup_iterator.
 */
 int
-ovaldef_info_iterator_max_score (iterator_t* iterator)
+ovaldef_info_iterator_score (iterator_t* iterator)
 {
 if (iterator->done) return -1;
 return iterator_int (iterator, GET_ITERATOR_COLUMN_COUNT + 7);
@@ -1075,7 +1075,7 @@ ovaldef_severity (const char *id)
 assert (id);
 quoted_id = sql_quote (id);
- ret = sql_string ("SELECT max_score / 10.0 FROM ovaldefs WHERE uuid = '%s';",
+ ret = sql_string ("SELECT score / 10.0 FROM ovaldefs WHERE uuid = '%s';",
 quoted_id);
 g_free (quoted_id);
 return ret;
@@ -1278,7 +1278,7 @@ DEF_ACCESS (cert_bund_adv_info_iterator_cve_refs,
 * Freed by cleanup_iterator.
 */
 int
-cert_bund_adv_info_iterator_max_score (iterator_t* iterator)
+cert_bund_adv_info_iterator_score (iterator_t* iterator)
 {
 if (iterator->done) return -1;
 return iterator_int (iterator, GET_ITERATOR_COLUMN_COUNT + 3);
@@ -1487,7 +1487,7 @@ DEF_ACCESS (dfn_cert_adv_info_iterator_cve_refs, GET_ITERATOR_COLUMN_COUNT + 2);
 * Freed by cleanup_iterator.
 */
 int
-dfn_cert_adv_info_iterator_max_score (iterator_t* iterator)
+dfn_cert_adv_info_iterator_score (iterator_t* iterator)
 {
 if (iterator->done) return -1;
 return iterator_int (iterator, GET_ITERATOR_COLUMN_COUNT + 3);
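Review bot: `sql_string ("SELECT score / 10.0 FROM ovaldefs WHERE uuid = '%s';", ...)` in the `ovaldef_severity` hunk returns the text form of a PostgreSQL numeric, and an integer divided by the numeric literal `10.0` keeps a fixed fractional scale, so callers now get strings like `7.5000000000000000` where the former FLOAT column produced `7.5`. Casting the expression, `"SELECT (score / 10.0)::float FROM ovaldefs WHERE uuid = '%s';"`, restores the previous textual form; the same applies to `cve_cvss_base` in the fourth commit of this series. The four accessor hunks (`cpe_info_iterator_score`, `ovaldef_info_iterator_score`, `cert_bund_adv_info_iterator_score`, `dfn_cert_adv_info_iterator_score`) are plain renames and keep their `-1` end-of-iteration convention. The `ovaldef_severity` body begins above the hunk.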
@@ -3506,7 +3506,7 @@ update_ovaldef_xml (gchar **file_and_date, int private)
 " (uuid, name, comment, creation_time,"
 " modification_time, version, deprecated, def_class,"
 " title, description, xml_file, status,"
- " max_score, cve_refs)"
+ " score, cve_refs)"
 " VALUES ('%s', '%s', '', %i, %i, %s, %i, '%s', '%s',"
 " '%s', '%s', '%s', 0, %i)"
 " ON CONFLICT (uuid) DO UPDATE"
@@ -3521,7 +3521,7 @@ update_ovaldef_xml (gchar **file_and_date, int private)
 " description = EXCLUDED.description,"
 " xml_file = EXCLUDED.xml_file,"
 " status = EXCLUDED.status,"
- " max_score = 0,"
+ " score = 0,"
 " cve_refs = EXCLUDED.cve_refs;",
 quoted_id,
 quoted_oval_id,
@@ -4345,7 +4345,7 @@ update_cvss_dfn_cert (int updated_dfn_cert, int last_cert_update,
 {
 g_info ("Updating Max CVSS for DFN-CERT");
 sql ("UPDATE cert.dfn_cert_advs"
- " SET max_score = (SELECT max (score)"
+ " SET score = (SELECT max (score)"
 " FROM scap.cves"
 " WHERE name"
 " IN (SELECT cve_name"
@@ -4376,13 +4376,13 @@ update_cvss_cert_bund (int updated_cert_bund, int last_cert_update,
 {
 g_info ("Updating Max CVSS for CERT-Bund");
 sql ("UPDATE cert.cert_bund_advs"
- " SET max_score = (SELECT max (score)"
- " FROM scap.cves"
- " WHERE name"
- " IN (SELECT cve_name"
- " FROM cert.cert_bund_cves"
- " WHERE adv_id = cert_bund_advs.id)"
- " AND score != 0);");
+ " SET score = (SELECT max (score)"
+ " FROM scap.cves"
+ " WHERE name"
+ " IN (SELECT cve_name"
+ " FROM cert.cert_bund_cves"
+ " WHERE adv_id = cert_bund_advs.id)"
+ " AND score != 0);");
 g_info ("Updating CERT-Bund CVSS max succeeded.");
 }
@@ -4587,7 +4587,7 @@ update_scap_cvss ()
 g_info ("Updating CVSS scores and CVE counts for CPEs");
 sql ("UPDATE scap2.cpes"
- " SET (max_score, cve_refs)"
+ " SET (score, cve_refs)"
 " = (WITH affected_cves"
 " AS (SELECT cve FROM scap2.affected_products"
 " WHERE cpe=cpes.id)"
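Review bot: `" SET score = (SELECT max (score)"` … `" AND score != 0);"` in the `update_cvss_dfn_cert` and `update_cvss_cert_bund` hunks stores NULL whenever no referenced CVE has a non-zero score, because `max` over an empty set is NULL; this predates the rename, but now that the column is read back through `iterator_int` a `coalesce` would make the stored value unambiguous: `" SET score = coalesce ((SELECT max (score)"` and `" AND score != 0), 0);"`. The same pattern recurs in the `scap2.ovaldefs` update at the start of the next physical line. The `g_info` messages in both CERT hunks still say "Max CVSS" although the stored value is now the integer score; `g_info ("Updating max score for CERT-Bund");` would match the new column. The `update_cvss_dfn_cert` and `update_scap_cvss` hunks are cut off before their functions end.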
@@ -4597,12 +4597,12 @@ update_scap_cvss ()
 g_info ("Updating CVSS scores for OVAL definitions");
 sql ("UPDATE scap2.ovaldefs"
- " SET max_score = (SELECT max (score)"
- " FROM scap2.cves"
- " WHERE id IN (SELECT cve"
- " FROM scap2.affected_ovaldefs"
- " WHERE ovaldef=ovaldefs.id)"
- " AND score != 0);");
+ " SET score = (SELECT max (score)"
+ " FROM scap2.cves"
+ " WHERE id IN (SELECT cve"
+ " FROM scap2.affected_ovaldefs"
+ " WHERE ovaldef=ovaldefs.id)"
+ " AND score != 0);");
 }
 /**
diff --git a/src/manage_sql_secinfo.h b/src/manage_sql_secinfo.h
index 9508046ae..a7165c46f 100644
--- a/src/manage_sql_secinfo.h
+++ b/src/manage_sql_secinfo.h
@@ -100,7 +100,7 @@
 */
 #define CPE_INFO_ITERATOR_FILTER_COLUMNS \
 { GET_ITERATOR_FILTER_COLUMNS, "title", "status", \
- "deprecated_by_id", "max_score", "cves", "nvd_id", \
+ "deprecated_by_id", "score", "cves", "nvd_id", \
 "severity", "score", NULL }
 /**
@@ -114,11 +114,10 @@
 { "title", NULL, KEYWORD_TYPE_STRING }, \
 { "status", NULL, KEYWORD_TYPE_STRING }, \
 { "deprecated_by_id", NULL, KEYWORD_TYPE_INTEGER }, \
- { "max_score", NULL, KEYWORD_TYPE_INTEGER }, \
+ { "score", NULL, KEYWORD_TYPE_INTEGER }, \
 { "cve_refs", "cves", KEYWORD_TYPE_INTEGER }, \
 { "nvd_id", NULL, KEYWORD_TYPE_INTEGER }, \
- { "max_score", "score", KEYWORD_TYPE_INTEGER }, \
- { "max_score / 10.0", "severity", KEYWORD_TYPE_DOUBLE }, \
+ { "score / 10.0", "severity", KEYWORD_TYPE_DOUBLE }, \
 { NULL, NULL, KEYWORD_TYPE_UNKNOWN } \
 }
@@ -128,7 +127,7 @@
 #define OVALDEF_INFO_ITERATOR_FILTER_COLUMNS \
 { GET_ITERATOR_FILTER_COLUMNS, "version", "deprecated", \
 "class", "title", "description", "file", \
- "status", "max_score", "cves", "score", "severity", \
+ "status", "cves", "score", "severity", \
 NULL }
 /**
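Review bot: `CPE_INFO_ITERATOR_FILTER_COLUMNS` in the first manage_sql_secinfo.h hunk ends up listing `"score"` twice (`"deprecated_by_id", "score", "cves", "nvd_id",` followed by `"severity", "score", NULL }`), because the rename turned the old `"max_score"` entry into a duplicate of the `"score"` already present; the OVALDEF, CERT-Bund and DFN-CERT filter lists in this same commit drop their duplicate, so the closing line should become `"severity", NULL }`. Separately, removing the `{ "max_score", "score", ... }` row from `CPE_INFO_ITERATOR_COLUMNS` (and from the OVALDEF, CERT_BUND_ADV and DFN_CERT_ADV column lists on the following physical lines) shifts the position of every column after it, here `severity`; the accessors visible in this series go no further than `cve_refs`, but any code addressing a later column by `GET_ITERATOR_COLUMN_COUNT + n` would need re-checking. The `update_scap_cvss` hunk at the top of the line starts inside a function that opens above it.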
@@ -146,10 +145,9 @@
 { "description", NULL, KEYWORD_TYPE_STRING }, \
 { "xml_file", "file", KEYWORD_TYPE_STRING }, \
 { "status", NULL, KEYWORD_TYPE_STRING }, \
- { "max_score", NULL, KEYWORD_TYPE_INTEGER }, \
+ { "score", NULL, KEYWORD_TYPE_INTEGER }, \
 { "cve_refs", "cves", KEYWORD_TYPE_INTEGER }, \
- { "max_score", "score", KEYWORD_TYPE_INTEGER }, \
- { "max_score / 10.0", "severity", KEYWORD_TYPE_DOUBLE }, \
+ { "score / 10.0", "severity", KEYWORD_TYPE_DOUBLE }, \
 { NULL, NULL, KEYWORD_TYPE_UNKNOWN } \
 }
@@ -157,8 +155,8 @@
 * @brief Filter columns for CERT_BUND_ADV iterator.
 */
 #define CERT_BUND_ADV_INFO_ITERATOR_FILTER_COLUMNS \
- { GET_ITERATOR_FILTER_COLUMNS, "title", "summary", \
- "cves", "max_score", "score", "severity", NULL }
+ { GET_ITERATOR_FILTER_COLUMNS, "title", "summary", \
+ "cves", "score", "severity", NULL }
 /**
 * @brief CERT_BUND_ADV iterator columns.
@@ -171,9 +169,8 @@
 { "title", NULL, KEYWORD_TYPE_STRING }, \
 { "summary", NULL, KEYWORD_TYPE_STRING }, \
 { "cve_refs", "cves", KEYWORD_TYPE_INTEGER }, \
- { "max_score", NULL, KEYWORD_TYPE_INTEGER }, \
- { "max_score", "score", KEYWORD_TYPE_INTEGER }, \
- { "max_score / 10.0", "severity", KEYWORD_TYPE_DOUBLE }, \
+ { "score", NULL, KEYWORD_TYPE_INTEGER }, \
+ { "score / 10.0", "severity", KEYWORD_TYPE_DOUBLE }, \
 { NULL, NULL, KEYWORD_TYPE_UNKNOWN } \
 }
@@ -182,7 +179,7 @@
 */
 #define DFN_CERT_ADV_INFO_ITERATOR_FILTER_COLUMNS \
 { GET_ITERATOR_FILTER_COLUMNS, "title", "summary", \
- "cves", "max_score", "score", "severity", NULL }
+ "cves", "score", "severity", NULL }
 /**
 * @brief DFN_CERT_ADV iterator columns.
@@ -195,9 +192,8 @@
 { "title", NULL, KEYWORD_TYPE_STRING }, \
 { "summary", NULL, KEYWORD_TYPE_STRING }, \
 { "cve_refs", "cves", KEYWORD_TYPE_INTEGER }, \
- { "max_score", NULL, KEYWORD_TYPE_INTEGER }, \
- { "max_score", "score", KEYWORD_TYPE_INTEGER }, \
- { "max_score / 10.0", "severity", KEYWORD_TYPE_DOUBLE }, \
+ { "score", NULL, KEYWORD_TYPE_INTEGER }, \
+ { "score / 10.0", "severity", KEYWORD_TYPE_DOUBLE }, \
 { NULL, NULL, KEYWORD_TYPE_UNKNOWN } \
 }
From 56196010616c160dfd634cb9fb6eda90405e0f00 Mon Sep 17 00:00:00 2001
From: Timo Pollmeier
Date: Thu, 22 Oct 2020 10:54:19 +0200
Subject: [PATCH 4/6] Use new score for cve_cvss_base and cve_score

The functions were still trying to use the old "cvss" field. Also, the doc comment of cve_cvss_base has been fixed.
---
 src/manage_sql_secinfo.c | 13 ++++++------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/src/manage_sql_secinfo.c b/src/manage_sql_secinfo.c
index f37f0ef3b..41a4ae383 100644
--- a/src/manage_sql_secinfo.c
+++ b/src/manage_sql_secinfo.c
@@ -665,19 +665,18 @@ cve_iterator_score (iterator_t* iterator)
 }
 /**
- * @brief Get the short file name for an OVALDEF.
+ * @brief Get the CVSS score for a CVE.
 *
- * @param[in] cve Full OVAL identifier with file suffix.
+ * @param[in] cve CVE-ID of the CVE to get the score of.
 *
- * @return The file name of the OVAL definition relative to the SCAP directory,
- * Freed by g_free.
+ * @return The CVSS score of the CVE.
 */
 gchar *
 cve_cvss_base (const gchar *cve)
 {
 gchar *quoted_cve, *ret;
 quoted_cve = sql_quote (cve);
- ret = sql_string ("SELECT cvss FROM cves WHERE name = '%s'",
+ ret = sql_string ("SELECT score / 10.0 FROM cves WHERE name = '%s'",
 quoted_cve);
 g_free (quoted_cve);
 return ret;
@@ -686,7 +685,7 @@ cve_cvss_base (const gchar *cve)
 /**
 * @brief Get the score from a CVE.
 *
- * @param[in] cve CVE.
+ * @param[in] cve CVE-ID of the CVE to get the score of.
 *
 * @return Severity score of CVE.
 */
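Review bot: The rewritten `@return` for `cve_cvss_base` drops the ownership statement although the function still returns a `gchar *` obtained from `sql_string`, so callers are no longer told that they must free it; keep it as ` * @return The CVSS score of the CVE as a newly allocated string. Freed by g_free.`. The value is now derived from `score / 10.0` rather than a stored CVSS, which deserves a word in the brief since the other accessors in this series document the integer score instead. The `cve_cvss_base` hunk ends before the closing brace, and the second hunk covers only the doc comment of `cve_score`.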
@@ -697,7 +696,7 @@ cve_score (const gchar *cve)
 int ret;
 quoted_cve = sql_quote (cve);
- ret = sql_int ("SELECT (cvss * 10)::integer FROM cves WHERE name = '%s'",
+ ret = sql_int ("SELECT score FROM cves WHERE name = '%s'",
 quoted_cve);
 g_free (quoted_cve);
 return ret;
From 368634dcd342837b65aa3dfbc9501376aa508226 Mon Sep 17 00:00:00 2001
From: Timo Pollmeier
Date: Thu, 22 Oct 2020 11:25:16 +0200
Subject: [PATCH 5/6] Update doc comments for SCAP and CERT functions

The doc comments are updated to refer to the new scoring instead of CVSS scores and -1 instead of NULL for finished iteration values.
---
 src/manage_sql_secinfo.c | 40 ++++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/src/manage_sql_secinfo.c b/src/manage_sql_secinfo.c
index 41a4ae383..6b8499455 100644
--- a/src/manage_sql_secinfo.c
+++ b/src/manage_sql_secinfo.c
@@ -551,12 +551,12 @@ DEF_ACCESS (cpe_info_iterator_title, GET_ITERATOR_COLUMN_COUNT);
 DEF_ACCESS (cpe_info_iterator_status, GET_ITERATOR_COLUMN_COUNT + 1);
 /**
- * @brief Get the Highest CVSS Score of all CVE's referencing this cpe.
+ * @brief Get the highest severity Score of all CVE's referencing this cpe.
 *
 * @param[in] iterator Iterator.
 *
- * @return The Highest CVSS of the CPE, or NULL if iteration is complete.
- * Freed by cleanup_iterator.
+ * @return The highest severity score (10 * CVSS score) of the CPE,
+ * or -1 if iteration is complete. Freed by cleanup_iterator.
 */
 int
 cpe_info_iterator_score (iterator_t *iterator)
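Review bot: The new `@return` text for `cpe_info_iterator_score` keeps `Freed by cleanup_iterator.` although the function returns an `int`; that phrase was inherited from the string accessors and is misleading for a value type. ` * @return The highest severity score (10 * CVSS score) of the CPE,` / ` *         or -1 if iteration is complete.` says everything needed, and the brief should read `CVEs` rather than `CVE's` with a lower-case `score`. The same leftover appears in the `cve_iterator_score`, `cve_info_iterator_score`, `ovaldef_info_iterator_score`, `cert_bund_adv_info_iterator_score` and `dfn_cert_adv_info_iterator_score` hunks on the following lines. The `cve_score` hunk at the top of this line is a straightforward query change whose function starts above it.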
@@ -650,12 +650,12 @@ init_cpe_cve_iterator (iterator_t *iterator, const char *cve, int ascending,
 DEF_ACCESS (cve_iterator_name, 1);
 /**
- * @brief Get the CVSS from a CVE iterator.
+ * @brief Get the severity score from a CVE iterator.
 *
 * @param[in] iterator Iterator.
 *
- * @return The CVSS of the CVE, or NULL if iteration is complete. Freed by
- * cleanup_iterator.
+ * @return The severity score (10 * CVSS score) of the CVE,
+ * or -1 if iteration is complete. Freed by cleanup_iterator.
 */
 int
 cve_iterator_score (iterator_t* iterator)
@@ -683,11 +683,11 @@ cve_cvss_base (const gchar *cve)
 }
 /**
- * @brief Get the score from a CVE.
+ * @brief Get the severity score from a CVE.
 *
 * @param[in] cve CVE-ID of the CVE to get the score of.
 *
- * @return Severity score of CVE.
+ * @return Severity score (10 * CVSS score) of CVE.
 */
 int
 cve_score (const gchar *cve)
@@ -798,12 +798,12 @@ DEF_ACCESS (cve_info_iterator_complexity, GET_ITERATOR_COLUMN_COUNT + 1);
 DEF_ACCESS (cve_info_iterator_products, GET_ITERATOR_COLUMN_COUNT + 1);
 /**
- * @brief Get the CVSS base score for this CVE.
+ * @brief Get the severity score for this CVE.
 *
 * @param[in] iterator Iterator.
 *
- * @return The CVSS base score of this CVE, or NULL if iteration is
- * complete. Freed by cleanup_iterator.
+ * @return The severity score (10 * CVSS score) of this CVE,
+ * or -1 if iteration is complete. Freed by cleanup_iterator.
 */
 int
 cve_info_iterator_score (iterator_t* iterator)
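Review bot: The header of the `-798` hunk shows `DEF_ACCESS (cve_info_iterator_complexity, GET_ITERATOR_COLUMN_COUNT + 1);` immediately before the context line `DEF_ACCESS (cve_info_iterator_products, GET_ITERATOR_COLUMN_COUNT + 1);`, i.e. two accessors bound to the same column offset, which cannot both be right. If the cve_info column list no longer carries a `complexity` column (not visible here) the first accessor is a leftover that now reads the products column and should be removed or repointed; this is inferred from the hunk header rather than from changed lines. The three hunks on this line otherwise change only doc comments, and each stops at the function signature.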
@@ -993,12 +993,12 @@ DEF_ACCESS (ovaldef_info_iterator_file, GET_ITERATOR_COLUMN_COUNT + 5);
 DEF_ACCESS (ovaldef_info_iterator_status, GET_ITERATOR_COLUMN_COUNT + 6);
 /**
- * @brief Get maximum CVSS score from an OVALDEF iterator.
+ * @brief Get maximum severity score from an OVALDEF iterator.
 *
 * @param[in] iterator Iterator.
 *
- * @return The maximum CVSS score of the OVAL definition,
- * or NULL if iteration is complete.
+ * @return The maximum severity score (10 * CVSS score) of the OVAL
+ * definition, or -1 if iteration is complete.
 * Freed by cleanup_iterator.
 */
 int
@@ -1268,12 +1268,12 @@ DEF_ACCESS (cert_bund_adv_info_iterator_cve_refs,
 GET_ITERATOR_COLUMN_COUNT + 2);
 /**
- * @brief Get the maximum CVSS from an CERT_BUND_ADV iterator.
+ * @brief Get the maximum severity score from an CERT_BUND_ADV iterator.
 *
 * @param[in] iterator Iterator.
 *
- * @return The maximum CVSS of the CVEs referenced in the CERT-Bund advisory,
- * or NULL if iteration is complete.
+ * @return The maximum severity score (10 * CVSS score) of the CVEs referenced
+ * in the CERT-Bund advisory, or -1 if iteration is complete.
 * Freed by cleanup_iterator.
 */
 int
@@ -1477,12 +1477,12 @@ DEF_ACCESS (dfn_cert_adv_info_iterator_summary, GET_ITERATOR_COLUMN_COUNT + 1);
 DEF_ACCESS (dfn_cert_adv_info_iterator_cve_refs, GET_ITERATOR_COLUMN_COUNT + 2);
 /**
- * @brief Get the maximum CVSS from an DFN_CERT_ADV iterator.
+ * @brief Get the maximum severity score from an DFN_CERT_ADV iterator.
 *
 * @param[in] iterator Iterator.
 *
- * @return The maximum CVSS of the CVEs referenced in the DFN-CERT advisory,
- * or NULL if iteration is complete.
+ * @return The maximum score (10 * CVSS score) of the CVEs referenced
+ * in the DFN-CERT advisory, or -1 if iteration is complete.
 * Freed by cleanup_iterator.
 */
 int
From f0a080436f33ff890023685bf980b2a36dd6b6cc Mon Sep 17 00:00:00 2001
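Review bot: The DFN-CERT `@return` reads `The maximum score (10 * CVSS score)` while the parallel CERT-Bund and OVALDEF hunks on this line say `maximum severity score`; use the same phrase, ` * @return The maximum severity score (10 * CVSS score) of the CVEs referenced`. The briefs `from an CERT_BUND_ADV iterator` and `from an DFN_CERT_ADV iterator` should read `from a CERT_BUND_ADV iterator` and `from a DFN_CERT_ADV iterator`. All three hunks end at the `int` return-type line, before the function names.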
From: Timo Pollmeier
Date: Thu, 22 Oct 2020 11:49:26 +0200
Subject: [PATCH 6/6] Add CHANGELOG entry for SCAP/CERT scoring change

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4b8cf8988..9985e3b9f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Move EXE credential generation to a Python script [#1260](https://github.com/greenbone/gvmd/pull/1260) [#1262](https://github.com/greenbone/gvmd/pull/1262)
 - Clarify documentation for --scan-host parameter [#1277](https://github.com/greenbone/gvmd/pull/1277)
 - In result iterator access severity directly if possible [#1321](https://github.com/greenbone/gvmd/pull/1321)
+- Change SCAP and CERT data to use new severity scoring [#1333](https://github.com/greenbone/gvmd/pull/1333)
 ### Fixed
 - Use GMP version with leading zero for feed dirs [#1287](https://github.com/greenbone/gvmd/pull/1287)