From 87808a232915904714815bb1f6c68296f9d605f7 Mon Sep 17 00:00:00 2001
From: Kota Kanbe
Date: Tue, 12 Oct 2021 05:59:53 +0900
Subject: [PATCH] fix(cpescan): bug in NvdVendorProductMatch
---
 GNUmakefile | 5 +++++
 db/db.go | 10 +++++-----
 db/db_test.go | 29 ++++++++++++++++++++++++++++-
 server/server.go | 5 +++++
 4 files changed, 43 insertions(+), 6 deletions(-)
diff --git a/GNUmakefile b/GNUmakefile
index 6555baad..51199dea 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -115,6 +115,8 @@ diff-cpes:
 @ python integration/diff_server_mode.py cpe_ids --sample_rate 0.01
 
 diff-server-rdb:
+ - pkill -KILL go-cve.old
+ - pkill -KILL go-cve.new
 integration/go-cve.old server --dbpath=$(PWD)/integration/cve.old.sqlite3 --port 1325 > /dev/null 2>&1 &
 integration/go-cve.new server --dbpath=$(PWD)/integration/cve.new.sqlite3 --port 1326 > /dev/null 2>&1 &
 make diff-cveid
@@ -123,6 +125,8 @@ diff-server-rdb:
 pkill go-cve.new
 
 diff-server-redis:
+ - pkill -KILL go-cve.old
+ - pkill -KILL go-cve.new
 integration/go-cve.old server --dbtype redis --dbpath "redis://127.0.0.1:6379/0" --port 1325 > /dev/null 2>&1 &
 integration/go-cve.new server --dbtype redis --dbpath "redis://127.0.0.1:6380/0" --port 1326 > /dev/null 2>&1 &
 make diff-cveid
@@ -131,6 +135,7 @@ diff-server-redis:
 pkill go-cve.new
 
 diff-server-rdb-redis:
+ - pkill -KILL go-cve.new
 integration/go-cve.new server --dbpath=$(PWD)/integration/cve.new.sqlite3 --port 1325 > /dev/null 2>&1 &
 integration/go-cve.new server --dbtype redis --dbpath "redis://127.0.0.1:6380/0" --port 1326 > /dev/null 2>&1 &
 make diff-cveid
diff --git a/db/db.go b/db/db.go
index 8fd603d0..42c41126 100644
--- a/db/db.go
+++ b/db/db.go
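Review bot: The added `- pkill -KILL go-cve.old` lines kill by process-name regex, so they match any process of the invoking user whose name fits the pattern (the `.` is a regex metacharacter, so a name like `go-cveXold` would match as well), not only the server this recipe started; the same applies to the other two `diff-server-*` targets in this file. Anchoring the match makes it precise, e.g. `- pkill -KILL -x 'go-cve\.old'`, or matching the full command line with `- pkill -KILL -f 'integration/go-cve.old server'`. SIGKILL also bypasses the servers' shutdown path, which is presumably acceptable since each target still ends with a plain `pkill`; a one-line comment stating that the KILL lines only reap servers left over from an aborted earlier run would make that intent clear to the next reader.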
@@ -200,11 +200,6 @@ func match(specifiedURI string, cpeInNvd models.CpeBase) (isExactVerMatch, isRou
 return false, false, false, nil
 }
 
- if matching.IsEqual(specified, cpeInNvdWfn) {
- log.Debugf("%s equals %s", specified.String(), cpeInNvd.URI)
- return true, false, false, nil
- }
-
 specifiedVer := fmt.Sprintf("%s", specified.Get(common.AttributeVersion))
 switch specifiedVer {
 case "NA", "ANY":
@@ -214,6 +209,11 @@ func match(specifiedURI string, cpeInNvd models.CpeBase) (isExactVerMatch, isRou
 return false, false, isSuperORSubset(cpeInNvdWfn, specified), nil
 }
 
+ if matching.IsEqual(specified, cpeInNvdWfn) {
+ log.Debugf("%s equals %s", specified.String(), cpeInNvd.URI)
+ return true, false, false, nil
+ }
+
 ok, err := matchSemver(specifiedVer, cpeInNvd)
 if err != nil {
 // version range specified in cpeInNvd are not defined as semver style
diff --git a/db/db_test.go b/db/db_test.go
index aa0ac3a5..6860f42c 100644
--- a/db/db_test.go
+++ b/db/db_test.go
@@ -491,6 +491,7 @@ func Test_filterCveDetailByCpeURI1(t *testing.T) {
 expected: nil,
 },
 {
+ name: "NvdExactVersionMatch",
 args: args{
 uri: "cpe:/o:vendor:product:1.0.0",
 cve: &models.CveDetail{
@@ -530,7 +531,7 @@ func Test_filterCveDetailByCpeURI1(t *testing.T) {
 },
 },
 {
- name: "",
+ name: "NvdVendorProductMatch",
 args: args{
 uri: "cpe:/o:vendor:product",
 cve: &models.CveDetail{
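Review bot: The relocated `matching.IsEqual` check in the second db.go hunk is now correct only because it runs after the `"NA", "ANY"` switch — a versionless specified CPE is equal to a versionless NVD entry, yet the new db_test.go case pins that as a vendor/product match, not an exact-version match — and nothing in the code records that ordering, so a later tidy-up could move the check back up and silently reintroduce the bug. I would add a why-comment above the `if`: `// Reached only for a concrete version: a versionless CPE equals a versionless NVD entry, but that is a vendor/product match and is handled by the switch above.` `match` begins and ends outside this hunk, so the `NA`/`ANY` branch itself is not visible here; if it returns from the preceding `isSuperORSubset` line as it appears to, the invariant holds. One hedged follow-up: when the URIs are equal but `cpeInNvd` also carries a version range, the exact-match return ignores that range, which is worth a test if such entries occur in the feed.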
@@ -569,6 +570,32 @@ func Test_filterCveDetailByCpeURI1(t *testing.T) {
 Jvns: []models.Jvn{},
 },
 },
+ {
+ name: "NvdVendorProductMatch",
+ args: args{
+ uri: "cpe:/a:vendor:product",
+ cve: &models.CveDetail{
+ Nvds: []models.Nvd{
+ {
+ Cpes: []models.NvdCpe{
+ {CpeBase: models.CpeBase{URI: "cpe:/a:vendor:product", VersionEndExcluding: "1.0.0"}},
+ },
+ },
+ },
+ },
+ },
+ expected: &models.CveDetail{
+ Nvds: []models.Nvd{
+ {
+ Cpes: []models.NvdCpe{
+ {CpeBase: models.CpeBase{URI: "cpe:/a:vendor:product", VersionEndExcluding: "1.0.0"}},
+ },
+ DetectionMethod: models.NvdVendorProductMatch,
+ },
+ },
+ Jvns: []models.Jvn{},
+ },
+ },
 {
 args: args{
 uri: "cpe:/o:vmware:esxi:7.0:-",
diff --git a/server/server.go b/server/server.go
index ee1b8c87..c28a96c1 100644
--- a/server/server.go
+++ b/server/server.go
@@ -5,6 +5,7 @@ import (
 "net/http"
 "os"
 "path/filepath"
+ "sort"
 
 "github.com/labstack/echo"
 "github.com/labstack/echo/middleware"
@@ -83,6 +84,10 @@ func getCveByCpeName(driver db.DB) echo.HandlerFunc {
 log.Errorf("%s", err)
 return err
 }
+
+ sort.Slice(cveDetails, func(i, j int) bool {
+ return cveDetails[i].CveID < cveDetails[j].CveID
+ })
 return c.JSON(http.StatusOK, &cveDetails)
 }
 }
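Review bot: The new table entry reuses the name `NvdVendorProductMatch` that the `cpe:/o:vendor:product` case renamed earlier in this commit already carries, so if the table is driven through `t.Run(tt.name, …)` — the loop body is outside the hunk — a failure in either case is reported under an ambiguous or auto-suffixed name. A name that states what differs would help, e.g. `name: "NvdVendorProductMatchWithVersionEndExcluding",`. It would also be worth a sibling case for the boundary this entry implies — a specified `cpe:/a:vendor:product:1.0.0` against the same `VersionEndExcluding: "1.0.0"` entry expecting no match — if one does not already exist elsewhere in the table.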
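Review bot: `sort.Slice` sorts `cveDetails` in place, so if the driver's lookup ever returns a slice that is shared (for example one held in a cache), two concurrent requests would be reordering the same backing array and racing; the hunk alone does not show whether the slice is freshly allocated per call, so either confirm that at the driver or sort a copy before encoding. The comparison is also lexical, so `CVE-2021-10000` sorts before `CVE-2021-9999`; that is fine if the only goal is a deterministic body for the old/new server diff the GNUmakefile targets run, but it deserves a line saying so, e.g. `// Sort for a deterministic response body; the order is lexical, not numeric.` `getCveByCpeName` begins outside this hunk.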