Add and use our own CVE API (#1383)

Co-authored-by: Patrick <Darwinkel@users.noreply.github.com>

.github/workflows/debian_package.yml

@@ -27,6 +27,9 @@ jobs:
           bytes:
             - 'bytes/**'
             - '.github/workflows/debian_package.yml'
+          cveapi:
+            - 'cveapi/**'
+            - '.github/workflows/debian_package.yml'
           keiko:
             - 'keiko/**'
             - '.github/workflows/debian_package.yml'
@@ -48,7 +51,12 @@ jobs:
       matrix:
         dist: [debian11, debian12, ubuntu22.04]
         # On main, release branches and tags we always want to build all the packages
-        package: ${{ github.event_name == 'push' && fromJSON('["boefjes", "bytes", "keiko", "mula", "octopoes", "rocky"]') || fromJSON(needs.changes.outputs.packages) }}
+        package: ${{ github.event_name == 'push' && fromJSON('["boefjes", "bytes", "cveapi", "keiko", "mula", "octopoes", "rocky"]') || fromJSON(needs.changes.outputs.packages) }}
+        exclude:
+          - package: cveapi
+            dist: debian11
+          - package: cveapi
+            dist: ubuntu22.04
     runs-on: ubuntu-22.04
     env:
       PKG_NAME: kat-${{ matrix.package }}
@@ -88,4 +96,4 @@ jobs:
         uses: actions/upload-artifact@v3
         with:
           name: ${{env.PKG_NAME}}_${{ env.RELEASE_VERSION }}_${{ matrix.dist }}.deb
-          path: ${{matrix.package}}/build/${{env.PKG_NAME}}_${{ env.RELEASE_VERSION }}_amd64.deb
+          path: ${{matrix.package}}/build/${{env.PKG_NAME}}_${{ env.RELEASE_VERSION }}_${{ matrix.package == 'cveapi' && 'all' || 'amd64' }}.deb

.pre-commit-config.yaml

@@ -78,6 +78,7 @@ repos:
           requirements-.*.txt$ |
           retirejs.json$ |
           ^boefjes/boefjes/plugins/kat_fierce/lists |
+          ^boefjes/tests/examples/inputs/cve-result-without-cvss.json |
           ^keiko/glossaries |
           ^keiko/templates/.*/template.tex$ |
           ^rocky/assets/js/vendor |

boefjes/boefjes/plugins/kat_cve_finding_types/boefje.json

@@ -8,7 +8,9 @@
     "produces": [
         "CVEFindingType"
     ],
-    "environment_keys": [],
+    "environment_keys": [
+        "CVEAPI_URL"
+    ],
     "scan_level": 0,
     "enabled": true
 }

boefjes/boefjes/plugins/kat_cve_finding_types/main.py

@@ -1,3 +1,4 @@
+from os import getenv
 from typing import List, Tuple, Union
 
 import requests
@@ -7,6 +8,7 @@
 
 def run(boefje_meta: BoefjeMeta) -> List[Tuple[set, Union[bytes, str]]]:
     cve_id = boefje_meta.arguments["input"]["id"]
-    response = requests.get(f"https://v1.cveapi.com/{cve_id}.json")
+    cveapi_url = getenv("CVEAPI_URL", "https://cve.openkat.dev/v1")
+    response = requests.get(f"{cveapi_url}/{cve_id}.json")
 
     return [(set(), response.content)]

boefjes/boefjes/plugins/kat_cve_finding_types/normalize.py

@@ -29,17 +29,27 @@ def run(normalizer_meta: NormalizerMeta, raw: Union[bytes, str]) -> Iterable[OOI
     cve_finding_type_id = normalizer_meta.raw_data.boefje_meta.arguments["input"]["id"]
     data = json.loads(raw)
 
-    descriptions = data["cve"]["description"]["description_data"]
+    descriptions = data["cve"]["descriptions"]
     english_description = [description for description in descriptions if description["lang"] == "en"][0]
 
-    if data["impact"] == {}:
+    if not data["cve"]["metrics"]:
         risk_severity = RiskLevelSeverity.UNKNOWN
         risk_score = None
     else:
-        try:
-            risk_score = data["impact"]["baseMetricV3"]["cvssV3"]["baseScore"]
-        except KeyError:
-            risk_score = data["impact"]["baseMetricV2"]["cvssV2"]["baseScore"]
+        metrics = data["cve"]["metrics"]
+        if "cvssMetricV31" in metrics:
+            cvss = metrics["cvssMetricV31"]
+        elif "cvssMetricV30" in metrics:
+            cvss = metrics["cvssMetricV30"]
+        else:
+            cvss = metrics["cvssMetricV20"]
+
+        for item in cvss:
+            if item["type"] == "Primary":
+                risk_score = item["cvssData"]["baseScore"]
+                break
+        else:
+            risk_score = cvss[0]["cvssData"]["baseScore"]
         risk_severity = get_risk_level(risk_score)
 
     yield CVEFindingType(

boefjes/boefjes/plugins/kat_cve_finding_types/schema.json

@@ -0,0 +1,13 @@
+{
+    "title": "Arguments",
+    "type": "object",
+    "properties": {
+        "CVEAPI_URL": {
+            "title": "CVEAPI_URL",
+            "maxLength": 2048,
+            "type": "string",
+            "description": "URL of the CVE API, defaults to https://cve.openkat.dev/v1",
+            "default": "https://cve.openkat.dev/v1"
+        }
+    }
+}

boefjes/tests/examples/inputs/cve-result-with-cvss.json

@@ -1,101 +1,97 @@
 {
   "cve": {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
-    "CVE_data_meta": {
-      "ID": "CVE-2021-46882",
-      "ASSIGNER": "psirt@huawei.com"
-    },
-    "problemtype": {
-      "problemtype_data": [
-        {
-          "description": [
-            {
-              "lang": "en",
-              "value": "CWE-120"
-            }
-          ]
-        }
-      ]
-    },
-    "references": {
-      "reference_data": [
+    "id": "CVE-2021-46882",
+    "sourceIdentifier": "psirt@huawei.com",
+    "published": "2023-05-26T17:15:12.703",
+    "lastModified": "2023-05-29T03:38:59.390",
+    "vulnStatus": "Analyzed",
+    "descriptions": [
+      {
+        "lang": "en",
+        "value": "The video framework has memory overwriting caused by addition overflow. Successful exploitation of this vulnerability may affect availability."
+      }
+    ],
+    "metrics": {
+      "cvssMetricV31": [
         {
-          "url": "https://consumer.huawei.com/en/support/bulletin/2023/5/",
-          "name": "https://consumer.huawei.com/en/support/bulletin/2023/5/",
-          "refsource": "MISC",
-          "tags": [
-            "Vendor Advisory"
-          ]
+          "source": "nvd@nist.gov",
+          "type": "Primary",
+          "cvssData": {
+            "version": "3.1",
+            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+            "attackVector": "NETWORK",
+            "attackComplexity": "LOW",
+            "privilegesRequired": "NONE",
+            "userInteraction": "NONE",
+            "scope": "UNCHANGED",
+            "confidentialityImpact": "NONE",
+            "integrityImpact": "NONE",
+            "availabilityImpact": "HIGH",
+            "baseScore": 7.5,
+            "baseSeverity": "HIGH"
+          },
+          "exploitabilityScore": 3.9,
+          "impactScore": 3.6
         }
       ]
     },
-    "description": {
-      "description_data": [
-        {
-          "lang": "en",
-          "value": "The video framework has memory overwriting caused by addition overflow. Successful exploitation of this vulnerability may affect availability."
-        }
-      ]
-    }
-  },
-  "configurations": {
-    "CVE_data_version": "4.0",
-    "nodes": [
+    "weaknesses": [
       {
-        "operator": "OR",
-        "children": [],
-        "cpe_match": [
-          {
-            "vulnerable": true,
-            "cpe23Uri": "cpe:2.3:o:huawei:emui:10.1.0:*:*:*:*:*:*:*",
-            "cpe_name": []
-          },
+        "source": "nvd@nist.gov",
+        "type": "Primary",
+        "description": [
           {
-            "vulnerable": true,
-            "cpe23Uri": "cpe:2.3:o:huawei:emui:10.1.1:*:*:*:*:*:*:*",
-            "cpe_name": []
-          },
-          {
-            "vulnerable": true,
-            "cpe23Uri": "cpe:2.3:o:huawei:emui:11.0.0:*:*:*:*:*:*:*",
-            "cpe_name": []
-          },
-          {
-            "vulnerable": true,
-            "cpe23Uri": "cpe:2.3:o:huawei:emui:12.0.0:*:*:*:*:*:*:*",
-            "cpe_name": []
-          },
+            "lang": "en",
+            "value": "CWE-120"
+          }
+        ]
+      }
+    ],
+    "configurations": [
+      {
+        "nodes": [
           {
-            "vulnerable": true,
-            "cpe23Uri": "cpe:2.3:o:huawei:emui:12.0.1:*:*:*:*:*:*:*",
-            "cpe_name": []
+            "operator": "OR",
+            "negate": false,
+            "cpeMatch": [
+              {
+                "vulnerable": true,
+                "criteria": "cpe:2.3:o:huawei:emui:10.1.0:*:*:*:*:*:*:*",
+                "matchCriteriaId": "66AC7F91-917C-40A6-9983-A339EFB091F1"
+              },
+              {
+                "vulnerable": true,
+                "criteria": "cpe:2.3:o:huawei:emui:10.1.1:*:*:*:*:*:*:*",
+                "matchCriteriaId": "A7FF0AD1-22C2-423B-822A-E6496CEDAB02"
+              },
+              {
+                "vulnerable": true,
+                "criteria": "cpe:2.3:o:huawei:emui:11.0.0:*:*:*:*:*:*:*",
+                "matchCriteriaId": "0B701EC6-8208-4D22-95A6-B07D471A8A8B"
+              },
+              {
+                "vulnerable": true,
+                "criteria": "cpe:2.3:o:huawei:emui:12.0.0:*:*:*:*:*:*:*",
+                "matchCriteriaId": "A974CA73-84E8-480B-BB4C-4A81D0C985B2"
+              },
+              {
+                "vulnerable": true,
+                "criteria": "cpe:2.3:o:huawei:emui:12.0.1:*:*:*:*:*:*:*",
+                "matchCriteriaId": "2DF07E7F-3A18-4B74-B73D-DF3647C2A48F"
+              }
+            ]
           }
         ]
       }
+    ],
+    "references": [
+      {
+        "url": "https://consumer.huawei.com/en/support/bulletin/2023/5/",
+        "source": "psirt@huawei.com",
+        "tags": [
+          "Vendor Advisory"
+        ]
+      }
     ]
-  },
-  "impact": {
-    "baseMetricV3": {
-      "cvssV3": {
-        "version": "3.1",
-        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
-        "attackVector": "NETWORK",
-        "attackComplexity": "LOW",
-        "privilegesRequired": "NONE",
-        "userInteraction": "NONE",
-        "scope": "UNCHANGED",
-        "confidentialityImpact": "NONE",
-        "integrityImpact": "NONE",
-        "availabilityImpact": "HIGH",
-        "baseScore": 7.5,
-        "baseSeverity": "HIGH"
-      },
-      "exploitabilityScore": 3.9,
-      "impactScore": 3.6
-    }
-  },
-  "publishedDate": "2023-05-26T17:15Z",
-  "lastModifiedDate": "2023-05-29T03:38Z"
+  }
 }