Change: Update handling of CVEs for the new JSON API.

- Handle references explicitly to remove raw_data.
- Add affected software configurations and references to the
response of get_info for CVEs when details are enabled.

src/gmp.c

@@ -101,6 +101,7 @@
 #include "manage_report_configs.h"
 #include "manage_report_formats.h"
 #include "manage_tls_certificates.h"
+#include "sql.h"
 #include "utils.h"
 
 #include <arpa/inet.h>
@@ -128,6 +129,7 @@
 #include <gvm/util/fileutils.h>
 #include <gvm/util/sshutils.h>
 #include <gvm/util/authutils.h>
+#include <gvm/util/cpeutils.h>
 
 #undef G_LOG_DOMAIN
 /**
@@ -13252,6 +13254,182 @@ handle_get_groups (gmp_parser_t *gmp_parser, GError **error)
   set_client_state (CLIENT_AUTHENTIC);
 }
 
+/**
+ * @brief Print CPE match node with its matched CPEs.
+ *
+ * @param[in]  node     CPE match node to print.
+ * @param[in]  buffer   Buffer into which to print match node.
+ */
+static void
+print_cpe_match_nodes_xml(resource_t node, GString *buffer)
+{
+  iterator_t cpe_match_nodes, cpe_match_ranges;
+  init_iterator (&cpe_match_nodes,
+                 "SELECT operator, negate FROM scap.cpe_match_nodes WHERE id = %llu;", 
+                 node);
+  xml_string_append (buffer, "<operator>%s</operator>", iterator_string (&cpe_match_nodes, 0)?: "");
+  xml_string_append (buffer, "<negate>%s</negate>", iterator_int (&cpe_match_nodes, 1)? "1" : "0");
+  cleanup_iterator (&cpe_match_nodes);
+
+  init_cpe_match_range_iterator (&cpe_match_ranges, node);
+  while (next (&cpe_match_ranges))
+    {
+      const gchar *vsi, *vse, *vei, *vee, *match_criteria_id, *range_uri_product;
+
+      xml_string_append (buffer, "<match_criteria>");
+      match_criteria_id = cpe_match_range_iterator_match_criteria_id (&cpe_match_ranges);
+      range_uri_product 
+        = fs_cpe_to_uri_cpe (cpe_match_range_iterator_cpe (&cpe_match_ranges));
+      xml_string_append (buffer, "<match_string>%s</match_string>", range_uri_product?: "");
+      xml_string_append (buffer, "<vulnerable>%s</vulnerable>",
+                         cpe_match_range_iterator_vulnerable (&cpe_match_ranges) != 0
+                         ? "1"
+                         : "0");
+      vsi = cpe_match_range_iterator_version_start_incl(&cpe_match_ranges);
+      vse = cpe_match_range_iterator_version_start_excl(&cpe_match_ranges);
+      vei = cpe_match_range_iterator_version_end_incl(&cpe_match_ranges);
+      vee = cpe_match_range_iterator_version_end_excl(&cpe_match_ranges);
+
+      xml_string_append (buffer,
+                         "<version_start_including>%s</version_start_including>", 
+                         vsi ?: "");
+      xml_string_append (buffer,
+                         "<version_start_excluding>%s</version_start_excluding>",
+                         vse ?: "");
+      xml_string_append (buffer,
+                         "<version_end_including>%s</version_end_including>",
+                         vei ?: "");
+      xml_string_append (buffer,
+                         "<version_end_excluding>%s</version_end_excluding>",
+                         vee ?: "");
+
+      iterator_t cpe_matches;
+      init_cpe_match_range_matches_iterator (&cpe_matches, match_criteria_id);
+      xml_string_append (buffer, "<matched_cpes>");
+
+      while (next (&cpe_matches))
+        {
+          const gchar *cpe_name_id;
+          iterator_t cpes;
+
+          cpe_name_id = cpe_matches_cpe_name_id(&cpe_matches);
+
+          init_iterator (&cpes,
+                         "SELECT name, deprecated FROM scap.cves"
+                         " WHERE cpe_name_id = %s;",
+                         cpe_name_id);
+
+          const char* cpe = iterator_string (&cpes, 0);
+          int deprecated = iterator_int (&cpes, 1);
+          xml_string_append (buffer, "<cpe>");
+          xml_string_append (buffer, "<name>%s</name>", cpe?: "");
+          xml_string_append (buffer,
+                            "<deprecated>%s</deprecated>",
+                             deprecated ? "1" : "0");
+          if (deprecated)
+            {
+              iterator_t deprecated_by;
+              init_cpe_deprecated_by_iterator (&deprecated_by, cpe);
+              while (next (&deprecated_by))
+              {
+                xml_string_append (buffer,
+                                   "<deprecated_by cpe_id=\"%s\"/>",
+                                   cpe_deprecated_by_iterator_deprecated_by
+                                    (&deprecated_by));
+              }
+              cleanup_iterator (&deprecated_by);
+            }
+          xml_string_append (buffer, "</cpe>");
+          cleanup_iterator (&cpes);
+        }
+      xml_string_append (buffer, "</matched_cpes>");
+      xml_string_append (buffer, "</match_criteria>");
+      cleanup_iterator (&cpe_matches);
+    }
+  cleanup_iterator (&cpe_match_ranges);
+}
+/**
+ * @brief Print CVE affected software configurations
+ *
+ * @param[in]   cve_uuid  uuid of the CVE.
+ * @param[out]  result    Buffer into which to print.
+ *
+ */
+static void
+print_cve_affected_software_configs_xml (gchar *cve_uuid, GString *result)
+{
+  iterator_t cpe_match_root_nodes;
+  xml_string_append (result, "<configuration_nodes>");
+  init_cve_cpe_match_nodes_iterator (&cpe_match_root_nodes, cve_uuid);
+  while (next (&cpe_match_root_nodes))
+    {
+        result_t root_node;
+        iterator_t cpe_match_node_childs;
+        root_node = cpe_match_nodes_iterator_root_id (&cpe_match_root_nodes);
+        xml_string_append (result, "<node>");
+        print_cpe_match_nodes_xml(root_node, result);
+        init_cpe_match_node_childs_iterator (&cpe_match_node_childs, root_node);
+        while (next (&cpe_match_node_childs))
+          {
+            resource_t child_node;
+            child_node = cpe_match_node_childs_iterator_id (&cpe_match_node_childs);
+            xml_string_append (result, "<node>");
+            print_cpe_match_nodes_xml(child_node, result);
+            xml_string_append (result, "</node>");
+          }
+        xml_string_append (result, "</node>");
+        cleanup_iterator (&cpe_match_node_childs);
+    }
+    xml_string_append (result, "</configuration_nodes>");
+    cleanup_iterator (&cpe_match_root_nodes);
+}
+
+/**
+ * @brief Print CVE references
+ *
+ * @param[in]   cve_uuid  uuid of the CVE.
+ * @param[out]  result    Buffer into which to print.
+ *
+ */
+static void
+print_cve_references_xml (gchar *cve_uuid, GString *result)
+{
+  iterator_t references;
+  init_cve_reference_iterator (&references, cve_uuid);
+  xml_string_append (result, "<references>");
+  while (next (&references))
+    {
+      xml_string_append (result, "<reference>");
+      xml_string_append (result, "<url>%s</url>", cve_reference_iterator_url (&references));
+      xml_string_append (result, "<tags>");
+      const char * tags_array = cve_reference_iterator_tags (&references);
+      if(tags_array && strlen(tags_array) > 2)
+        {
+          char *trimmed_array = g_strndup (tags_array + 1, strlen (tags_array) - 2);
+          gchar **tags, **current_tag;
+          tags = g_strsplit (trimmed_array, ",", -1);
+          current_tag = tags;
+          while (*current_tag)
+            {
+              if (strlen (*current_tag) > 2 && (*current_tag)[0] == '"' && (*current_tag)[strlen (*current_tag) - 1] == '"')
+                {
+                  char *trimmed_tag = g_strndup (*current_tag + 1, strlen (*current_tag) - 2);
+                  xml_string_append (result, "<tag>%s</tag>", trimmed_tag);
+                  g_free (trimmed_tag);
+                }
+              else
+                xml_string_append (result, "<tag>%s</tag>", *current_tag);
+              current_tag++;
+            }
+          g_strfreev (tags);
+          g_free (trimmed_array);
+        }
+      xml_string_append (result, "</tags>");
+      xml_string_append (result, "</reference>");
+    }
+  xml_string_append (result, "</references>");
+  cleanup_iterator (&references);
+}
 /**
  * @brief Handle end of GET_INFO element.
  *
@@ -13627,6 +13805,11 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error)
                                           "</warning>");
                 }
               g_string_append (result, "</cert>");
+
+              gchar *cve_uuid = g_strdup(get_iterator_uuid (&info));
+              print_cve_affected_software_configs_xml (cve_uuid, result);
+              print_cve_references_xml (cve_uuid, result);
+              g_free(cve_uuid);
             }
         }
       else if (g_strcmp0 ("cert_bund_adv", get_info_data->type) == 0)

src/manage.h

@@ -1693,6 +1693,21 @@ app_locations_iterator_location (iterator_t*);
 void
 init_cpe_match_nodes_iterator (iterator_t*, const char *);
 
+void
+init_cve_cpe_match_nodes_iterator (iterator_t*, const char *);
+
+void
+init_cve_reference_iterator (iterator_t*, const char *);
+
+const char*
+cve_reference_iterator_url (iterator_t*);
+
+const char*
+cve_reference_iterator_tags (iterator_t*);
+
+const char*
+cve_reference_iterator_tags_count (iterator_t*);
+
 long long int
 cpe_match_nodes_iterator_root_id (iterator_t*);
 
@@ -1714,6 +1729,12 @@ init_cpe_match_range_iterator (iterator_t*, long long int);
 const char*
 cpe_match_range_iterator_cpe (iterator_t*);
 
+const char*
+cpe_match_range_iterator_match_criteria_id (iterator_t*);
+
+const char*
+cpe_match_range_iterator_status (iterator_t*);
+
 const char*
 cpe_match_range_iterator_version_start_incl (iterator_t*);
 
@@ -1729,6 +1750,12 @@ cpe_match_range_iterator_version_end_excl (iterator_t*);
 int
 cpe_match_range_iterator_vulnerable (iterator_t*);
 
+void
+init_cpe_match_range_matches_iterator (iterator_t*, const char *);
+
+const char*
+cpe_matches_cpe_name_id (iterator_t*);
+
 void
 init_host_details_cpe_product_iterator (iterator_t*, const char *, report_host_t);
 

src/manage_pg.c

@@ -3546,20 +3546,31 @@ manage_db_init (const gchar *name)
 
       sql ("CREATE TABLE scap2.cpe_match_nodes"
            " (id SERIAL PRIMARY KEY,"
-           "  parent_id INTEGER DEFAULT 0,"
-           "  root_id INTEGER DEFAULT 0,"
-           "  cve_id INTEGER DEFAULT 0,"
-           "  operator text);");
+           "  root_id integer DEFAULT 0,"
+           "  cve_id integer DEFAULT 0,"
+           "  operator text,"
+           "  negate integer DEFAULT 0);");
+
+      sql ("CREATE TABLE scap2.cpe_nodes_match_criteria"
+           " (id SERIAL PRIMARY KEY,"
+           "  node_id integer DEFAULT 0,"
+           "  vulnerable integer DEFAULT 0," 
+           "  match_criteria_id text);");
 
       sql ("CREATE TABLE scap2.cpe_match_range"
            " (id SERIAL PRIMARY KEY,"
-           "  node_id INTEGER DEFAULT 0,"
-           "  vulnerable INTEGER DEFAULT 0,"
+           "  match_criteria_id text,"
            "  cpe text DEFAULT NULL,"
            "  version_start_incl text DEFAULT NULL,"
            "  version_start_excl text DEFAULT NULL,"
            "  version_end_incl text DEFAULT NULL,"
-           "  version_end_excl text DEFAULT NULL);");
+           "  version_end_excl text DEFAULT NULL,"
+           "  status text);");
+
+      sql ("CREATE TABLE scap2.cpe_matches"
+           " (id SERIAL PRIMARY KEY,"
+           "  match_criteria_id text,"               
+           "  cpe_name_id text);");
 
       sql ("CREATE TABLE scap2.cpe_details"
            " (id SERIAL PRIMARY KEY,"
@@ -3575,6 +3586,11 @@ manage_db_init (const gchar *name)
            "  epss DOUBLE PRECISION,"
            "  percentile DOUBLE PRECISION);");
 
+      sql ("CREATE TABLE scap2.cve_references"
+           " (id SERIAL PRIMARY KEY,"
+           "  cve_id INTEGER,"
+           "  url text,"
+           "  tags text[]);");
 
       /* Init tables. */
 
@@ -3624,6 +3640,15 @@ manage_db_add_constraints (const gchar *name)
       sql ("ALTER TABLE scap2.epss_scores"
            " ALTER cve SET NOT NULL,"
            " ADD UNIQUE (cve);");
+
+      sql ("ALTER TABLE scap2.cve_references"
+           " ALTER cve_id SET NOT NULL,"
+           " ALTER url SET NOT NULL,"
+           " ADD UNIQUE (cve_id, url);");
+
+      sql ("ALTER TABLE scap2.cpe_match_range"
+           " ADD UNIQUE (match_criteria_id);");
+
     }
   else
     {