def main():
    """Command-line entry point: build a CVSS vector and print its scores.

    The vector comes from ``-v/--vector`` or, when absent, from
    ``ask_interactively``; ``-2`` selects CVSS2, otherwise CVSS3 is used.
    A ``CVSSError`` raised while parsing the vector is printed rather than
    propagated, and an aborted session (Ctrl-C or EOF on the interactive
    prompt) ends with a single newline so the shell prompt starts clean.
    """
    try:
        parser = argparse.ArgumentParser(description=__doc__)
        parser.add_argument('-2', action='store_true', help='compute CVSS2 instead')
        parser.add_argument('-a', '--all', action='store_true', help='ask for all metrics')
        parser.add_argument('-v', '--vector', help='input string with CVSS vector')
        parser.add_argument('-n', '--no-colors', action='store_true',
                            help='do not use terminal coloring')
        args = parser.parse_args()

        # '2' is not a valid identifier, so the flag has to be read via getattr.
        if getattr(args, '2'):
            version = 2
            from cvss import CVSS2 as CVSS
        else:
            version = 3
            from cvss import CVSS3 as CVSS

        # An empty --vector counts as "not given" and falls back to the prompt.
        vector_string = args.vector or ask_interactively(version, args.all, args.no_colors)

        try:
            cvss_vector = CVSS(vector_string)
        except CVSSError as e:
            print(e)
            return

        scores = cvss_vector.scores()
        # Only CVSS3 vectors carry severity ratings next to the scores.
        severities = None if version == 2 else cvss_vector.severities()
        print('CVSS2' if version == 2 else 'CVSS3')

        labels = ('Base Score', 'Temporal Score', 'Environmental Score')
        for i, label in enumerate(labels):
            # Right-pad the label so that all score values line up in column PAD.
            padded = label + ':' + ' ' * (PAD - len(label) - 2)
            print(padded, end='')
            if severities is None:
                print(scores[i])
            else:
                print(scores[i], '({0})'.format(severities[i]))
        print('Cleaned vector:       ', cvss_vector.clean_vector())
        print('Red Hat vector:       ', cvss_vector.rh_vector())
    except (KeyboardInterrupt, EOFError):
        print()
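def main():
    """Command-line entry point: build a CVSS vector and print its scores.

    The vector comes from ``-v/--vector`` or, when absent, from
    ``ask_interactively``; ``-2`` selects CVSS2, otherwise CVSS3 is used.
    A ``CVSSError`` raised while parsing the vector is printed rather than
    propagated.  An aborted session ends with a single newline: this covers
    both Ctrl-C (``KeyboardInterrupt``) and a closed stdin (``EOFError``),
    which ``input()`` raises when the interactive prompt hits end-of-file --
    previously the latter escaped as a traceback.
    """
    try:
        parser = argparse.ArgumentParser(description=__doc__)
        parser.add_argument('-2', action='store_true', help='compute CVSS2 instead')
        parser.add_argument('-a', '--all', action='store_true', help='ask for all metrics')
        parser.add_argument('-v', '--vector', help='input string with CVSS vector')
        parser.add_argument('-n', '--no-colors', action='store_true',
                            help='do not use terminal coloring')
        args = parser.parse_args()

        # '2' is not a valid identifier, so the flag has to be read via getattr.
        if getattr(args, '2'):
            version = 2
            from cvss import CVSS2 as CVSS
        else:
            version = 3
            from cvss import CVSS3 as CVSS

        # Vector input, either from command line or interactively
        if args.vector:
            vector_string = args.vector
        else:
            vector_string = ask_interactively(version, args.all, args.no_colors)

        # Compute scores and clean vector
        try:
            cvss_vector = CVSS(vector_string)
        except CVSSError as e:
            print(e)
            return

        scores = cvss_vector.scores()
        # Only CVSS3 vectors carry severity ratings next to the scores.
        if version == 2:
            print('CVSS2')
            severities = None
        else:
            print('CVSS3')
            severities = cvss_vector.severities()

        for i, score_name in enumerate(['Base Score', 'Temporal Score', 'Environmental Score']):
            # Right-pad the label so that all score values line up in column PAD.
            print(score_name + ':' + ' ' * (PAD - len(score_name) - 2), end='')
            if severities is None:
                print(scores[i])
            else:
                print(scores[i], '({0})'.format(severities[i]))
        print('Cleaned vector:       ', cvss_vector.clean_vector())
        print('Red Hat vector:       ', cvss_vector.rh_vector())
    except (KeyboardInterrupt, EOFError):
        # Both mean "the user is gone"; finish the current line and exit quietly.
        print()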
    def test_clean_vector(self):
        """
        Cleaning a vector must drop every metric given as ND and emit the remaining
        metrics in canonical order, no matter in which order they were supplied.
        """
        cases = (
            ('AV:A/AC:L/Au:M/C:C/I:P/A:C/E:ND/CDP:ND/TD:M/IR:H/AR:H',
             'AV:A/AC:L/Au:M/C:C/I:P/A:C/TD:M/IR:H/AR:H'),
            ('AV:A/AC:H/Au:S/C:C/I:C/A:P/E:U/RL:U/RC:UR/CDP:ND/TD:ND/CR:L/IR:M/AR:ND',
             'AV:A/AC:H/Au:S/C:C/I:C/A:P/E:U/RL:U/RC:UR/CR:L/IR:M'),
            # metrics deliberately shuffled out of order
            ('AV:A/AC:H/Au:M/C:C/I:N/A:C/CR:ND/IR:L/RL:W/RC:ND/CDP:H/E:POC/TD:N/AR:M',
             'AV:A/AC:H/Au:M/C:C/I:N/A:C/E:POC/RL:W/CDP:H/TD:N/IR:L/AR:M'),
        )
        for raw_vector, cleaned in cases:
            self.assertEqual(cleaned, CVSS2(raw_vector).clean_vector())
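 def parse_cve(cve_obj: Dict[str, Any]) -> CVE:
     """Build a :class:`CVE` from one item of an NVD-style JSON feed.

     Args:
         cve_obj: the item dict holding ``cve`` (with ``CVE_data_meta``,
             ``references`` and ``description``), ``publishedDate``,
             ``lastModifiedDate`` and optionally ``impact`` / ``configurations``.

     Returns:
         The parsed CVE.  ``impact`` is a ``CVSS3`` when a ``baseMetricV3``
         block is present, a ``CVSS2`` when only ``baseMetricV2`` is, and
         ``None`` when the item carries no impact data at all (a missing or
         null ``impact`` block is treated the same way instead of raising).

     Raises:
         KeyError: when a mandatory field is absent (``CVE_data_meta.ID``, the
             two dates, or the ``vectorString`` of a metric block that is present).
         Whatever ``isoparse`` / the CVSS constructors raise on malformed input.
     """
     cve_data = cve_obj["cve"]
     meta = cve_data["CVE_data_meta"]
     cve_id = meta["ID"]
     assigner = meta.get("ASSIGNER")
     references = tuple(
         Reference(url=ref.get("url"), name=ref.get("name"))
         for ref in cve_data.get("references", {}).get("reference_data", []))
     descriptions = tuple(
         Description(lang=desc["lang"], value=desc["value"])
         for desc in cve_data.get("description", {}).get("description_data", []))
     published_date = isoparse(cve_obj["publishedDate"])
     last_modified_date = isoparse(cve_obj["lastModifiedDate"])
     # Prefer v3 metrics, fall back to v2; `or {}` also covers an explicit null.
     impact_data = cve_obj.get("impact") or {}
     if "baseMetricV3" in impact_data:
         impact = CVSS3(impact_data["baseMetricV3"]["cvssV3"]["vectorString"])
     elif "baseMetricV2" in impact_data:
         impact = CVSS2(impact_data["baseMetricV2"]["cvssV2"]["vectorString"])
     else:
         impact = None
     return CVE(cve_id=cve_id,
                published_date=published_date,
                last_modified_date=last_modified_date,
                impact=impact,
                descriptions=descriptions,
                references=references,
                assigner=assigner,
                configurations=JsonDataSource.parse_configurations(
                    cve_obj.get("configurations", {})))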
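def extract_nasl_info(nasl_paths):
    """Extract plugin metadata from NASL plugin source files.

    Each file is scanned with the module-level patterns ``p_id``, ``p_name`` /
    ``p_name_alt``, ``p_cvss2`` / ``p_cvss2_alt``, ``p_cvss3``, ``p_risk_factor``
    and ``p_deps`` (``p_deps2`` then splits the dependency list).  A field whose
    pattern does not match is ``None`` (``dependencies`` becomes ``[]``).

    Args:
        nasl_paths: iterable of paths to ``.nasl`` files.

    Returns:
        dict keyed by each file's basename with the keys ``script_id``,
        ``script_name``, ``cvss2`` / ``cvss3`` (float base scores or None),
        ``risk_factor`` and ``dependencies``.  Note that two inputs sharing a
        basename collide on one key and the later file wins.

    Raises:
        OSError: when a file cannot be read.
        Whatever the CVSS constructors raise on a malformed vector string.
    """
    def first_match(text, *patterns):
        # Return the first pattern that matches `text`, or None.
        for pattern in patterns:
            m = pattern.search(text)
            if m:
                return m
        return None

    def base_score(cvss_cls, m):
        # Some CVSS strings have leading/trailing spaces, hence the use of strip().
        return float(cvss_cls(m.group(1).strip()).base_score) if m else None

    plugins_info = {}
    for path in nasl_paths:
        # Plugin sources are not guaranteed to be clean UTF-8 and the default
        # encoding is locale dependent; decode explicitly and replace undecodable
        # bytes rather than abort the whole run on one odd file.
        with open(path, encoding='utf-8', errors='replace') as f:
            text = f.read()

        m_id = first_match(text, p_id)
        m_name = first_match(text, p_name, p_name_alt)
        m_risk = first_match(text, p_risk_factor)
        m_deps = first_match(text, p_deps)

        plugins_info[os.path.basename(path)] = {
            'script_id': m_id.group(1) if m_id else None,
            'script_name': m_name.group(1) if m_name else None,
            'cvss2': base_score(CVSS2, first_match(text, p_cvss2, p_cvss2_alt)),
            'cvss3': base_score(CVSS3, first_match(text, p_cvss3)),
            'risk_factor': m_risk.group(1) if m_risk else None,
            'dependencies': p_deps2.findall(m_deps.group(1)) if m_deps else [],
        }

    return plugins_info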
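 def cve_iter(
         self,
         rows: Iterator[Tuple[Union[float, int, str], ...]],
         extra_row_handler: Callable[[Tuple[Union[float, int, str], ...], Dict[str, Any]], Any] = lambda *_: None
 ) -> Iterator[CVE]:
     """Yield a :class:`CVE` for every database row in ``rows``.

     Args:
         rows: iterator of rows shaped ``(cve_id, <ignored>, published,
             last_modified, impact_vector, *extra)``; the two timestamps are
             POSIX seconds (interpreted as UTC), ``impact_vector`` is a CVSS
             vector string or ``None``.
         extra_row_handler: called with the trailing columns and a kwargs dict
             whenever a row has more than five columns; anything it stores in
             that dict is forwarded to the ``CVE`` constructor.

     Yields:
         One CVE per row.  The vector is parsed as CVSS3 first, then as CVSS2;
         a vector neither class accepts yields ``impact=None`` rather than an
         error.  Descriptions are loaded from the ``descriptions`` table;
         references are not loaded here (they are implemented in SchemaV1).
     """
     for cve_id, _, published, last_modified, impact_vector, *extra_rows in rows:
         impact = None
         if impact_vector is not None:
             for cvss_cls in (CVSS3, CVSS2):
                 try:
                     impact = cvss_cls(impact_vector)
                     break
                 except CVSSError:
                     continue
         # Plain (non-f) string: the id is bound through the `?` placeholder,
         # never interpolated.  The cursor is closed on every path so a
         # failing query does not leak it.
         cursor = self.connection.cursor()
         try:
             cursor.execute("SELECT lang, description FROM descriptions WHERE cve = ?", (cve_id,))
             descriptions = tuple(Description(lang, desc) for lang, desc in cursor.fetchall())
         finally:
             cursor.close()
         kwargs = {}
         if extra_rows:
             extra_row_handler(extra_rows, kwargs)
         yield CVE(
             cve_id=cve_id,
             published_date=datetime.fromtimestamp(published, timezone.utc),
             last_modified_date=datetime.fromtimestamp(last_modified, timezone.utc),
             impact=impact,
             descriptions=descriptions,
             references=(),  # References are implemented in SchemaV1
             assigner=None,
             **kwargs
         )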
 def run_rh_tests_from_file(self, test_name):
     """Check ``CVSS2.from_rh_vector`` against every line of a fixture file.

     The fixture ``test_name`` lives under ``WD``; each line reads
     ``<vector> - (<base>, <temporal>, <environmental>)`` with ``None`` for
     an absent score.  The Red Hat style input is the base score prepended
     to the vector (``<base>/<vector>``); the resulting scores must equal the
     expected tuple.
     """
     strip_parens = str.maketrans('', '', '()')
     with open(path.join(WD, test_name)) as f:
         for line in f:
             vector, raw_scores = line.split(' - ')
             fields = raw_scores.translate(strip_parens).strip().split(', ')
             expected = tuple(None if field == 'None' else float(field) for field in fields)
             rh_vector = '{0}/{1}'.format(expected[0], vector)
             actual = CVSS2.from_rh_vector(rh_vector).scores()
             self.assertEqual(expected, actual, '{0} - {1}'.format(test_name, vector))
 def run_tests_from_file(self, test_name):
     """Check ``CVSS2(vector).scores()`` against every line of a fixture file.

     The fixture ``test_name`` lives under ``WD``; each line reads
     ``<vector> - (<base>, <temporal>, <environmental>)`` with ``None`` for
     an absent score.
     """
     strip_parens = str.maketrans('', '', '()')
     with open(path.join(WD, test_name)) as f:
         for line in f:
             vector, raw_scores = line.split(' - ')
             fields = raw_scores.translate(strip_parens).strip().split(', ')
             expected = tuple(None if field == 'None' else float(field) for field in fields)
             actual = CVSS2(vector).scores()
             self.assertEqual(expected, actual, '{0} - {1}'.format(test_name, vector))
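    def getImageTrivyVulnerabilities(self, uniqueImagesList, reportsummary):
        """Scan every unique image with trivy and collect its vulnerabilities.

        Args:
            uniqueImagesList: dict ``imageUid -> image``; ``image['fulltag']``
                is the image reference handed to trivy.
            reportsummary: counters updated in place: ``images``, ``vuln_total``,
                ``vuln_fixed`` and one ``vuln_<severity>`` key per level
                (critical, high, medium, low, unknown).

        Returns:
            ``(VulnList, imageTrivyVulnSummary)`` -- per image the list of trivy
            result targets (each vulnerability annotated with CVSS scores and a
            ``SeverityInt``, each target with a ``summary``) and the per-image
            severity summary.  Images whose trivy output is not valid JSON are
            reported and skipped; output that is not a list (empty images such
            as busybox) is skipped silently.
        """
        print('INFO: Load trivy Vulnerabilities')
        VulnList = {}
        imageTrivyVulnSummary = {}
        for imageUid, image in uniqueImagesList.items():
            reportsummary['images'] += 1
            fulltag = image['fulltag']
            log.debug("run Trivy on: {}".format(fulltag))
            vulnsum = self._newVulnSummary()
            VulnList[imageUid] = []

            trivyresult = self._runTrivy(fulltag)
            try:
                imageVuln = json.loads(trivyresult)
            except json.JSONDecodeError:
                # Also hit when trivy exits non-zero with empty stdout; its
                # stderr is left on the terminal for the operator.
                print("ERROR: could not parse {}".format(fulltag))
                continue

            # skip empty images like busybox
            if not isinstance(imageVuln, list):
                continue

            for target in imageVuln:
                vulnerabilities = target.get('Vulnerabilities')
                if vulnerabilities is not None:
                    for vulnerability in vulnerabilities:
                        self._annotateCvss(vulnerability)
                        # Severity names the summary does not know (or a missing
                        # Severity) count as Unknown instead of raising KeyError
                        # and aborting the whole scan.
                        severity = vulnerability.get('Severity', 'Unknown').capitalize()
                        if severity not in vulnsum:
                            severity = 'Unknown'
                        if 'Severity' in vulnerability:
                            vulnerability['SeverityInt'] = vulnsum[severity]['severity']

                        vulnsum[severity]['total'] += 1
                        reportsummary['vuln_total'] += 1
                        reportsummary['vuln_' + severity.lower()] += 1

                        if 'FixedVersion' in vulnerability:
                            vulnsum[severity]['fixed'] += 1
                            reportsummary['vuln_fixed'] += 1
                    target['summary'] = vulnsum

                VulnList[imageUid].append(target)

            imageTrivyVulnSummary[imageUid] = vulnsum

        return VulnList, imageTrivyVulnSummary

    @staticmethod
    def _newVulnSummary():
        """Return a fresh per-image severity summary with all counters at zero."""
        return {
            'Critical': {'severity': 0, 'total': 0, 'fixed': 0},
            'High': {'severity': 1, 'total': 0, 'fixed': 0},
            'Medium': {'severity': 2, 'total': 0, 'fixed': 0},
            'Low': {'severity': 3, 'total': 0, 'fixed': 0},
            'Unknown': {'severity': 4, 'total': 0, 'fixed': 0},
        }

    def _runTrivy(self, fulltag):
        """Run trivy on one image and return its JSON stdout as text.

        Registry credentials are exported before the call and removed again in
        a ``finally`` block, so they do not linger in the environment when trivy
        is missing, cannot start, or the scan is interrupted.
        """
        self.__addCredentials(fulltag, self.repoCredentials)
        try:
            completed = subprocess.run(
                ["trivy", "-q", "i", "-f", "json", fulltag],
                stdout=subprocess.PIPE)
        finally:
            self.__removeCredenials()
        return completed.stdout.decode('utf-8')

    @staticmethod
    def _annotateCvss(vulnerability):
        """Add computed CVSS fields to every provider entry of ``vulnerability['CVSS']``.

        For a ``V3Vector`` the base score, modified ISC/ESC (rounded to one
        decimal, stored as strings) and the parsed metrics are added; for a
        ``V2Vector`` the base score and metrics.  ``provider`` is copied onto
        the entry so the vectors stay self-describing once flattened.
        """
        for provider, vectors in vulnerability.get('CVSS', {}).items():
            if 'V3Vector' in vectors:
                cvss = CVSS3(vectors['V3Vector'])
                vectors['V3Vector_base_score'] = str(round(cvss.base_score, 1))
                vectors['V3Vector_modified_isc'] = str(round(cvss.modified_isc, 1))
                vectors['V3Vector_modified_esc'] = str(round(cvss.modified_esc, 1))
                vectors['V3Vector_metrics'] = cvss.metrics
                vectors['provider'] = provider

            if 'V2Vector' in vectors:
                cvss = CVSS2(vectors['V2Vector'])
                vectors['V2Vector_base_score'] = str(round(cvss.base_score, 1))
                vectors['V2Vector_metrics'] = cvss.metrics
                vectors['provider'] = provider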
"""
Usage examples for CVSS library.
"""

from __future__ import print_function, unicode_literals

from cvss import CVSS2, CVSS3


# (CVSS class, full vector string, whether to also print the severities);
# the vectors exercise base, temporal and environmental metrics at once.
examples = (
    (CVSS2, 'AV:L/AC:L/Au:M/C:N/I:P/A:C/E:U/RL:W/RC:ND/CDP:L/TD:H/CR:ND/IR:ND/AR:M', False),
    (CVSS3, 'S:C/C:H/I:H/A:N/AV:P/AC:H/PR:H/UI:R/E:H/RL:O/RC:R/CR:H/IR:X/AR:X/MAC:H/MPR:X/MUI:X/MC:L/MA:X', True),
)

for index, (cvss_class, vector, with_severities) in enumerate(examples):
    if index:
        # blank line between the two examples
        print()
    c = cvss_class(vector)
    print(vector)
    print(c.clean_vector())
    print(c.scores())
    if with_severities:
        print(c.severities())