Change: Update handling of CVEs for the new JSON API.

- Handle references explicitly to remove raw_data. - Add affected software configurations and references to the response of get_info for CVEs when details are enabled.
greenbone · Oct 4, 2024 · c7f7a18 · c7f7a18
1 parent 39f25b8
commit c7f7a18
Show file tree

Hide file tree

Showing 7 changed files with 602 additions and 43 deletions.
diff --git a/src/gmp.c b/src/gmp.c
@@ -101,6 +101,7 @@
 #include "manage_report_configs.h"
 #include "manage_report_formats.h"
 #include "manage_tls_certificates.h"
+#include "sql.h"
 #include "utils.h"
 
 #include <arpa/inet.h>
@@ -128,6 +129,8 @@
 #include <gvm/util/fileutils.h>
 #include <gvm/util/sshutils.h>
 #include <gvm/util/authutils.h>
+#include <gvm/util/cpeutils.h>
+#include <gvm/util/versionutils.h>
 
 #undef G_LOG_DOMAIN
 /**
@@ -13200,6 +13203,178 @@ handle_get_groups (gmp_parser_t *gmp_parser, GError **error)
   set_client_state (CLIENT_AUTHENTIC);
 }
 
+/**
+ * @brief Print CPE match node with its matched CPEs.
+ *
+ * @param[in]  node     CPE match node to print.
+ * @param[in]  buffer   Buffer into which to print match node.
+ */
+static void
+print_cpe_match_nodes_xml(resource_t node, GString *buffer)
+{
+  iterator_t cpe_match_ranges;
+  gchar *operator;
+  operator = sql_string ("SELECT operator FROM scap.cpe_match_nodes WHERE id = %llu", node);
+  xml_string_append (buffer, "<operator>%s</operator>", operator);
+  init_cpe_match_range_iterator (&cpe_match_ranges, node, 1, "COALESCE(version_start_incl, version_start_excl)");
+  while (next (&cpe_match_ranges))
+    {
+      iterator_t cpes;
+      const gchar *vsi, *vse, *vei, *vee, *range_fs_cpe;
+      gchar *range_uri_product;
+
+      xml_string_append (buffer, "<match_criteria>");
+      range_fs_cpe = cpe_match_range_iterator_cpe (&cpe_match_ranges);
+      xml_string_append (buffer, "<match_string>%s</match_string>", range_fs_cpe);
+      xml_string_append (buffer, "<vulnerable>%s</vulnerable>",
+                         cpe_match_range_iterator_vulnerable (&cpe_match_ranges) != 0
+                         ? "1"
+                         : "0");
+      vsi = cpe_match_range_iterator_version_start_incl(&cpe_match_ranges);
+      vse = cpe_match_range_iterator_version_start_excl(&cpe_match_ranges);
+      vei = cpe_match_range_iterator_version_end_incl(&cpe_match_ranges);
+      vee = cpe_match_range_iterator_version_end_excl(&cpe_match_ranges);
+      xml_string_append (buffer,
+                         "<version_start_including>%s</version_start_including>",
+                         vsi ?: "");
+      xml_string_append (buffer,
+                         "<version_start_excluding>%s</version_start_excluding>",
+                         vse ?: "");
+      xml_string_append (buffer,
+                         "<version_end_including>%s</version_end_including>",
+                         vei ?: "");
+      xml_string_append (buffer,
+                         "<version_end_excluding>%s</version_end_excluding>",
+                         vee ?: "");
+      range_uri_product = fs_cpe_to_uri_product (range_fs_cpe);
+      init_product_cpe_iterator (&cpes, range_uri_product);
+      xml_string_append (buffer, "<matched_cpes>");
+
+      while (next (&cpes))
+        {
+          cpe_struct_t source, target;
+          const gchar *cpe;
+          gboolean matches;
+          cpe = product_cpe_iterator_uuid(&cpes);
+          cpe_struct_init (&source);
+          cpe_struct_init (&target);
+          fs_cpe_to_cpe_struct (range_fs_cpe, &source);
+          uri_cpe_to_cpe_struct (cpe, &target);
+          matches = cpe_struct_match (source, target);
+          if (matches && check_version (target.version, vsi, vse, vei, vee))
+            {
+                xml_string_append (buffer, "<cpe>");
+                xml_string_append (buffer, "<name>%s</name>", cpe);
+
+                xml_string_append (buffer,
+                                  "<deprecated>%s</deprecated>",
+                                  product_cpe_iterator_deprecated (&cpes)
+                                  ? product_cpe_iterator_deprecated (&cpes)
+                                  : "0");
+              iterator_t deprecated_by;
+              init_cpe_deprecated_by_iterator (&deprecated_by,
+                                               product_cpe_iterator_uuid (&cpes));
+              while (next (&deprecated_by))
+                {
+                  xml_string_append (buffer,
+                                     "<deprecated_by cpe_id=\"%s\"/>",
+                                     cpe_deprecated_by_iterator_deprecated_by
+                                      (&deprecated_by));
+                }
+              xml_string_append (buffer, "</cpe>");
+              cleanup_iterator (&deprecated_by);
+            }
+        }
+
+      xml_string_append (buffer, "</matched_cpes>");
+      xml_string_append (buffer, "</match_criteria>");
+      cleanup_iterator (&cpes);
+      g_free (range_uri_product);
+    }
+    cleanup_iterator (&cpe_match_ranges);
+}
+/**
+ * @brief Print CVE affected software configurations
+ *
+ * @param[in]   cve_uuid  uuid of the CVE.
+ * @param[out]  result    Buffer into which to print.
+ *
+ */
+static void
+print_cve_affected_software_configs_xml (gchar *cve_uuid, GString *result)
+{
+  iterator_t cpe_match_root_nodes;
+  xml_string_append (result, "<configuration_nodes>");
+  init_cve_cpe_match_nodes_iterator (&cpe_match_root_nodes, cve_uuid);
+  while (next (&cpe_match_root_nodes))
+    {
+        result_t root_node;
+        iterator_t cpe_match_node_childs;
+        root_node = cpe_match_nodes_iterator_root_id (&cpe_match_root_nodes);
+        xml_string_append (result, "<node>");
+        print_cpe_match_nodes_xml(root_node, result);
+        init_cpe_match_node_childs_iterator (&cpe_match_node_childs, root_node);
+        while (next (&cpe_match_node_childs))
+          {
+            resource_t child_node;
+            child_node = cpe_match_node_childs_iterator_id (&cpe_match_node_childs);
+            xml_string_append (result, "<node>");
+            print_cpe_match_nodes_xml(child_node, result);
+            xml_string_append (result, "</node>");
+          }
+        xml_string_append (result, "</node>");
+        cleanup_iterator (&cpe_match_node_childs);
+    }
+    xml_string_append (result, "</configuration_nodes>");
+    cleanup_iterator (&cpe_match_root_nodes);
+}
+
+/**
+ * @brief Print CVE references
+ *
+ * @param[in]   cve_uuid  uuid of the CVE.
+ * @param[out]  result    Buffer into which to print.
+ *
+ */
+static void
+print_cve_references_xml (gchar *cve_uuid, GString *result)
+{
+  iterator_t references;
+  init_cve_reference_iterator (&references, cve_uuid);
+  xml_string_append (result, "<references>");
+  while (next (&references))
+    {
+      xml_string_append (result, "<reference>");
+      xml_string_append (result, "<url>%s</url>", cve_reference_iterator_url (&references));
+      xml_string_append (result, "<tags>");
+      const char * tags_array = cve_reference_iterator_tags (&references);
+      if(tags_array && strlen(tags_array) > 2)
+        {
+          char *trimmed_array = g_strndup (tags_array + 1, strlen (tags_array) - 2);
+          gchar **tags, **current_tag;
+          tags = g_strsplit (trimmed_array, ",", -1);
+          current_tag = tags;
+          while (*current_tag)
+            {
+              if (strlen (*current_tag) > 2 && (*current_tag)[0] == '"' && (*current_tag)[strlen (*current_tag) - 1] == '"')
+                {
+                  char *trimmed_tag = g_strndup (*current_tag + 1, strlen (*current_tag) - 2);
+                  xml_string_append (result, "<tag>%s</tag>", trimmed_tag);
+                  g_free (trimmed_tag);
+                }
+              else
+                xml_string_append (result, "<tag>%s</tag>", *current_tag);
+              current_tag++;
+            }
+          g_strfreev (tags);
+          g_free (trimmed_array);
+        }
+      xml_string_append (result, "</tags>");
+      xml_string_append (result, "</reference>");
+    }
+  xml_string_append (result, "</references>");
+  cleanup_iterator (&references);
+}
 /**
  * @brief Handle end of GET_INFO element.
  *
@@ -13574,6 +13749,11 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error)
                                           "</warning>");
                 }
               g_string_append (result, "</cert>");
+
+              gchar *cve_uuid = g_strdup(get_iterator_uuid (&info));
+              print_cve_affected_software_configs_xml (cve_uuid, result);
+              print_cve_references_xml (cve_uuid, result);
+              g_free(cve_uuid);
             }
         }
       else if (g_strcmp0 ("cert_bund_adv", get_info_data->type) == 0)

diff --git a/src/manage.c b/src/manage.c
@@ -3109,7 +3109,7 @@ set_scanner_connection_retry (int new_retry)
 
 /* CVE tasks. */
 
-static int
+int
 check_version (const gchar *target, const gchar *start_incl, const gchar *start_excl, const gchar *end_incl, const gchar *end_excl)
 {
   int result;
@@ -3178,7 +3178,7 @@ check_cpe_match_rule (long long int node, gboolean *match, gboolean *vulnerable,
         return;
     }
   iterator_t cpe_match_ranges;
-  init_cpe_match_range_iterator (&cpe_match_ranges, node);
+  init_cpe_match_range_iterator (&cpe_match_ranges, node, 1, NULL);
   while (next (&cpe_match_ranges))
     {
       iterator_t cpe_host_details_products;
@@ -5937,29 +5937,6 @@ set_schedule_timeout (int new_timeout)
 /* Defined in gmp.c. */
 void buffer_config_preference_xml (GString *, iterator_t *, config_t, int);
 
-/**
- * @brief Compute the filename where a given CVE can be found.
- *
- * @param[in] item_id   Full CVE identifier ("CVE-YYYY-ZZZZ").
- *
- * @return A dynamically allocated string (to be g_free'd) containing the
- *         path to the desired file or NULL on error.
- */
-static char *
-get_cve_filename (char *item_id)
-{
-  int year;
-
-  if (sscanf (item_id, "%*3s-%d-%*d", &year) == 1)
-    {
-      /* CVEs before 2002 are stored in the 2002 file. */
-      if (year <= 2002)
-        year = 2002;
-      return g_strdup_printf (CVE_FILENAME_FMT, year);
-    }
-  return NULL;
-}
-
 /**
  * @brief Compute the filename where a given CERT-Bund Advisory can be found.
  *
@@ -6585,18 +6562,6 @@ manage_read_info (gchar *type, gchar *uid, gchar *name, gchar **result)
     {
       *result = cpe_details_xml(uid);
     }
-  else if (g_ascii_strcasecmp ("CVE", type) == 0)
-    {
-      fname = get_cve_filename (uid);
-      if (fname)
-        {
-          gchar *cve;
-          cve = xsl_transform (CVE_GETBYNAME_XSL, fname, pnames, pvalues);
-          g_free (fname);
-          if (cve)
-            *result = cve;
-        }
-    }
   else if (g_ascii_strcasecmp ("NVT", type) == 0)
     {
       iterator_t nvts;

diff --git a/src/manage.h b/src/manage.h
@@ -1693,6 +1693,15 @@ app_locations_iterator_location (iterator_t*);
 void
 init_cpe_match_nodes_iterator (iterator_t*, const char *);
 
+void
+init_cve_cpe_match_nodes_iterator (iterator_t*, const char *);
+
+void
+init_product_cpe_iterator (iterator_t*, const char *);
+
+void
+init_cve_reference_iterator (iterator_t*, const char *);
+
 long long int
 cpe_match_nodes_iterator_root_id (iterator_t*);
 
@@ -1709,7 +1718,7 @@ long long int
 cpe_match_node_childs_iterator_id (iterator_t*);
 
 void
-init_cpe_match_range_iterator (iterator_t*, long long int);
+init_cpe_match_range_iterator (iterator_t *, long long int, int, const char*);
 
 const char*
 cpe_match_range_iterator_cpe (iterator_t*);
@@ -1735,6 +1744,21 @@ init_host_details_cpe_product_iterator (iterator_t*, const char *, report_host_t
 const char*
 host_details_cpe_product_iterator_value (iterator_t*);
 
+const char*
+product_cpe_iterator_uuid (iterator_t*);
+
+const char*
+product_cpe_iterator_deprecated (iterator_t*);
+
+const char*
+cve_reference_iterator_url (iterator_t*);
+
+const char*
+cve_reference_iterator_tags (iterator_t*);
+
+const char*
+cve_reference_iterator_tags_count (iterator_t*);
+
 void
 init_host_prognosis_iterator (iterator_t*, report_host_t);
 
@@ -1750,6 +1774,8 @@ prognosis_iterator_cve (iterator_t*);
 const char*
 prognosis_iterator_description (iterator_t*);
 
+int
+check_version (const gchar *, const gchar *, const gchar *, const gchar *, const gchar *);
 
 /* Targets. */
 

diff --git a/src/manage_pg.c b/src/manage_pg.c
@@ -3576,6 +3576,11 @@ manage_db_init (const gchar *name)
            "  epss DOUBLE PRECISION,"
            "  percentile DOUBLE PRECISION);");
 
+      sql ("CREATE TABLE scap2.cve_references"
+           " (id SERIAL PRIMARY KEY,"
+           "  cve_id INTEGER,"
+           "  url text,"
+           "  tags text[]);");
 
       /* Init tables. */
 
@@ -3625,6 +3630,13 @@ manage_db_add_constraints (const gchar *name)
       sql ("ALTER TABLE scap2.epss_scores"
            " ALTER cve SET NOT NULL,"
            " ADD UNIQUE (cve);");
+
+      sql ("ALTER TABLE scap2.cve_references"
+           " ALTER cve_id SET NOT NULL,"
+           " ALTER url SET NOT NULL,"
+           " ADD UNIQUE (cve_id, url);");
+
+
     }
   else
     {