Added support for field vulnerable_product

Agh42 · Agh42 · commit 223ce32d1fdb · 2018-12-07T23:35:07.000+01:00
Parser now ingests the field "vulerable_product" from the NVD XML-feed.
New option "--vulnerable-product-only" uses this field:

With this option, "-p" will only return vulnerabilities directly
assigned to the product.

I.e. it will not consider "windows_7" if it is only mentioned as
affected OS in a "foxit_reader" vulnerability.
diff --git a/bin/search.py b/bin/search.py
@@ -45,6 +45,7 @@
 # parse command-line arguments
 argParser = argparse.ArgumentParser(description='Search for vulnerabilities in the National Vulnerability DB. Data from http://nvd.nist.org.')
 argParser.add_argument('-p', type=str, help='S = search product, e.g. o:microsoft:windows_7 or o:cisco:ios:12.1')
+argParser.add_argument('--only-if-vulnerable', dest='vulnProdSearch', default=False, action='store_true', help='With this option, "-p" will only return vulnerabilities directly assigned to the product. I.e. it will not consider "windows_7" if it is only mentioned as affected OS in an adobe:reader vulnerability. ')
 argParser.add_argument('--lax', default=False, action='store_true', help='Strict search for software version is disabled. Note that this option only support product description with numerical values only (of the form cisco:ios:1.2.3) ')
 argParser.add_argument('-f', type=str, help='F = free text search in vulnerability summary')
 argParser.add_argument('-c', action='append', help='search one or more CVE-ID')
@@ -61,6 +62,7 @@
 
 vSearch = args.p
 relaxSearch = args.lax
+vulnerableProductSearch = args.vulnProdSearch
 cveSearch = [x.upper() for x in args.c] if args.c else None
 vOutput = args.o
 vFreeSearch = args.f
@@ -303,7 +305,7 @@ def search_in_summary(item):
 # Search Product (best to use CPE notation, e.g. cisco:ios:12.2
 if vSearch:
 
-    for item in db.cvesForCPE(vSearch, lax=relaxSearch):
+    for item in db.cvesForCPE(vSearch, lax=relaxSearch, vulnProdSearch=vulnerableProductSearch):
         if not last_ndays:
             if csvOutput:
                 printCVE_csv(item)
diff --git a/lib/DatabaseLayer.py b/lib/DatabaseLayer.py
@@ -106,10 +106,11 @@ def target_version_is_included(target_version, cpe_version):
 
 
 # API Functions
-def cvesForCPE(cpe, lax=False):
+def cvesForCPE(cpe, lax=False, vulnProdSearch=False):
   if not cpe: return []
   cpe_regex = cpe
   final_cves = []
+  cpe_searchField = "vulnerable_product" if vulnProdSearch else "vulnerable_configuration"  
   if lax:
     # get target version from product description provided by the user
     target_version = cpe.split(":")[-1]
@@ -127,12 +128,13 @@ def cvesForCPE(cpe, lax=False):
 
     # over-approximate versions
     final_cves = []
-    cpe_regex = product
-    cves = colCVE.find({"vulnerable_configuration": {"$regex": cpe_regex}}).sort("Modified", -1)
+    cpe_regex = product 
+    cves = colCVE.find({cpe_searchField: {"$regex": cpe_regex}}).sort("Modified", -1)
     i = 0
     for cve in cves:
       vuln_confs = cve["vulnerable_configuration"]
       vuln_confs += cve["vulnerable_configuration_cpe_2_2"]
+      vuln_confs += cve["vulnerable_product"]
       i += 1
       for vc in vuln_confs:
         if not cpe_regex in vc:
@@ -157,7 +159,7 @@ def cvesForCPE(cpe, lax=False):
 
   else:
     # default strict search
-    cves = colCVE.find({"vulnerable_configuration": {"$regex": cpe_regex}}).sort("Modified", -1)
+    cves = colCVE.find({cpe_searchField: {"$regex": cpe_regex}}).sort("Modified", -1)
     final_cves = cves
 
   return sanitize(final_cves)
diff --git a/sbin/db_mgmt.py b/sbin/db_mgmt.py
@@ -63,6 +63,7 @@ def __init__(self):
         self.inCVSSElem = 0
         self.inSUMMElem = 0
         self.inDTElem = 0
+        self.inVPElem = 0
         self.inPUBElem = 0
         self.inAccessvElem = 0
         self.inAccesscElem = 0
@@ -74,11 +75,15 @@ def __init__(self):
 
     def startElement(self, name, attrs):
         if name == 'entry':
-            self.cves.append({'id': attrs.get('id'), 'references': [], 'vulnerable_configuration': [], 'vulnerable_configuration_cpe_2_2':[]})
+            self.cves.append({'id': attrs.get('id'), 'references': [], 'vulnerable_configuration': [], 
+                              'vulnerable_configuration_cpe_2_2':[], 'vulnerable_product':[] })
             self.ref = attrs.get('id')
         elif name == 'cpe-lang:fact-ref':
             self.cves[-1]['vulnerable_configuration'].append(toStringFormattedCPE(attrs.get('name')))
             self.cves[-1]['vulnerable_configuration_cpe_2_2'].append(attrs.get('name'))
+        elif name=='vuln:product':
+            self.inVPElem = 1
+            self.VP = ""
         elif name == 'cvss:score':
             self.inCVSSElem = 1
             self.CVSS = ""
@@ -120,6 +125,8 @@ def startElement(self, name, attrs):
     def characters(self, ch):
         if self.inCVSSElem:
             self.CVSS += ch
+        if self.inVPElem:
+            self.VP += ch
         if self.inSUMMElem:
             self.SUMM += ch
         if self.inDTElem:
@@ -145,6 +152,9 @@ def endElement(self, name):
         if name == 'cvss:score':
             self.inCVSSElem = 0
             self.cves[-1]['cvss'] = self.CVSS
+        if name == 'vuln:product':
+            self.inVPElem = 0
+            self.cves[-1]['vulnerable_product'].append(self.VP) 
         if name == 'cvss:access-vector':
             self.inAccessvElem = 0
             if 'access' not in self.cves[-1]:
diff --git a/sbin/db_mgmt_create_index.py b/sbin/db_mgmt_create_index.py
@@ -30,6 +30,7 @@ def setIndex(col, field, printSuccess = True):
 setIndex('cpeother', 'id')
 setIndex('cves', 'id')
 setIndex('cves', 'vulnerable_configuration')
+setIndex('cves', 'vulnerable_product')
 setIndex('cves', 'Modified')
 setIndex('cves', [("summary",TEXT)])
 setIndex('via4', 'id')
