def main():
    """Command-line entry point: score one CVSS vector and print the result.

    The vector comes from ``-v/--vector`` or, when that is absent, from
    ``ask_interactively``.  ``-2`` selects the CVSS2 implementation, CVSS3
    is the default.  Prints the version label, the base/temporal/
    environmental scores (with severities for CVSS3), the cleaned vector
    and the Red Hat vector.  A ``CVSSError`` raised while parsing the vector
    is printed in place of the scores; Ctrl-C or end-of-input during the
    prompt ends the program with a bare newline.
    """
    try:
        parser = argparse.ArgumentParser(description=__doc__)
        parser.add_argument('-2', action='store_true', help='compute CVSS2 instead')
        parser.add_argument('-a', '--all', action='store_true', help='ask for all metrics')
        parser.add_argument('-v', '--vector', help='input string with CVSS vector')
        parser.add_argument('-n', '--no-colors', action='store_true',
                            help='do not use terminal coloring')
        args = parser.parse_args()

        # '2' is not a valid identifier, so the flag has to be read via getattr.
        if getattr(args, '2'):
            from cvss import CVSS2 as CVSS
            version = 2
        else:
            from cvss import CVSS3 as CVSS
            version = 3

        # Command-line vector wins; otherwise collect the metrics interactively.
        vector_string = args.vector or ask_interactively(version, args.all, args.no_colors)

        try:
            cvss_vector = CVSS(vector_string)
        except CVSSError as e:
            # Unparseable vector: show the library's message, nothing else to do.
            print(e)
            return

        scores = cvss_vector.scores()
        if version == 2:
            print('CVSS2')
            severities = None
        elif version == 3:
            print('CVSS3')
            severities = cvss_vector.severities()
        else:
            raise ValueError('Unknown CVSS version: {0}'.format(version))

        labels = ('Base Score', 'Temporal Score', 'Environmental Score')
        for index, label in enumerate(labels):
            # "<label>:" left-justified so the scores line up in a PAD-wide column.
            print((label + ':').ljust(PAD - 1), end='')
            if version == 3:
                print(scores[index], '({0})'.format(severities[index]))
            else:
                print(scores[index])

        print('Cleaned vector: ', cvss_vector.clean_vector())
        print('Red Hat vector: ', cvss_vector.rh_vector())
    except (KeyboardInterrupt, EOFError):
        # Leave the terminal on a fresh line after an interrupted prompt.
        print()
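def main():
    """Command-line entry point: parse a CVSS vector and print its scores.

    ``-2`` selects CVSS2 (default is CVSS3); ``-v/--vector`` supplies the
    vector, otherwise it is requested through ``ask_interactively`` (``-a``
    asks for all metrics, ``-n`` disables terminal colouring).  A
    ``CVSSError`` from parsing is printed in place of the scores.  Both
    Ctrl-C and end-of-input on the interactive prompt end the program with a
    newline instead of a traceback.
    """
    try:
        parser = argparse.ArgumentParser(description=__doc__)
        parser.add_argument('-2', action='store_true', help='compute CVSS2 instead')
        parser.add_argument('-a', '--all', action='store_true', help='ask for all metrics')
        parser.add_argument('-v', '--vector', help='input string with CVSS vector')
        parser.add_argument('-n', '--no-colors', action='store_true',
                            help='do not use terminal coloring')
        args = parser.parse_args()

        # Import the correct CVSS module ('2' is not an identifier, hence getattr)
        if getattr(args, '2'):
            version = 2
            from cvss import CVSS2 as CVSS
        else:
            version = 3
            from cvss import CVSS3 as CVSS

        # Vector input, either from command line or interactively
        if args.vector:
            vector_string = args.vector
        else:
            vector_string = ask_interactively(version, args.all, args.no_colors)

        # Compute scores and clean vector
        try:
            cvss_vector = CVSS(vector_string)
        except CVSSError as e:
            print(e)
        else:
            scores = cvss_vector.scores()
            if version == 2:
                print('CVSS2')
                severities = None
            elif version == 3:
                print('CVSS3')
                severities = cvss_vector.severities()
            else:
                raise ValueError('Unknown CVSS version: {0}'.format(version))
            for i, score_name in enumerate(['Base Score', 'Temporal Score', 'Environmental Score']):
                # Pad the label so all three scores start in the same column.
                print(score_name + ':' + ' ' * (PAD - len(score_name) - 2), end='')
                if version == 3:
                    print(scores[i], '({0})'.format(severities[i]))
                else:
                    print(scores[i])
            print('Cleaned vector: ', cvss_vector.clean_vector())
            print('Red Hat vector: ', cvss_vector.rh_vector())
    except (KeyboardInterrupt, EOFError):
        # EOFError is raised when the interactive prompt hits end-of-input
        # (e.g. Ctrl-D); presumably ask_interactively reads via input().
        # Handle it like Ctrl-C rather than dumping a traceback.
        print()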
def test_clean_vector(self):
    """
    Cleaning a CVSS2 vector must drop every metric whose value is ND and
    emit the remaining metrics in canonical order, regardless of the order
    they were given in.
    """
    cases = [
        ('AV:A/AC:L/Au:M/C:C/I:P/A:C/E:ND/CDP:ND/TD:M/IR:H/AR:H',
         'AV:A/AC:L/Au:M/C:C/I:P/A:C/TD:M/IR:H/AR:H'),
        ('AV:A/AC:H/Au:S/C:C/I:C/A:P/E:U/RL:U/RC:UR/CDP:ND/TD:ND/CR:L/IR:M/AR:ND',
         'AV:A/AC:H/Au:S/C:C/I:C/A:P/E:U/RL:U/RC:UR/CR:L/IR:M'),
        ('AV:A/AC:H/Au:M/C:C/I:N/A:C/CR:ND/IR:L/RL:W/RC:ND/CDP:H/E:POC/TD:N/AR:M',
         'AV:A/AC:H/Au:M/C:C/I:N/A:C/E:POC/RL:W/CDP:H/TD:N/IR:L/AR:M'),
    ]
    for raw_vector, expected in cases:
        self.assertEqual(expected, CVSS2(raw_vector).clean_vector())
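def parse_cve(cve_obj: Dict[str, Any]) -> CVE:
    """Build a ``CVE`` from one entry of an NVD JSON feed.

    Args:
        cve_obj: one element of the feed's ``CVE_Items`` list; ``cve``,
            ``publishedDate`` and ``lastModifiedDate`` are required, the
            rest is optional.

    Returns:
        A ``CVE`` whose ``impact`` is a ``CVSS3`` when ``baseMetricV3`` is
        present, else a ``CVSS2`` when ``baseMetricV2`` is, else ``None``.

    Raises:
        KeyError: when a required key is missing.
        CVSSError: when the vector string cannot be parsed.
    """
    meta = cve_obj["cve"]["CVE_data_meta"]
    cve_id = meta["ID"]
    assigner = meta.get("ASSIGNER")
    references = tuple(
        Reference(url=ref.get("url"), name=ref.get("name"))
        for ref in cve_obj["cve"].get("references", {}).get("reference_data", [])
    )
    descriptions = tuple(
        Description(lang=desc["lang"], value=desc["value"])
        for desc in cve_obj["cve"].get("description", {}).get("description_data", [])
    )
    published_date = isoparse(cve_obj["publishedDate"])
    last_modified_date = isoparse(cve_obj["lastModifiedDate"])

    # "impact" is treated like the other optional sections: an entry with
    # no (or a null) impact block simply has no scoring instead of raising.
    impact_obj = cve_obj.get("impact") or {}
    if "baseMetricV3" in impact_obj:
        impact = CVSS3(impact_obj["baseMetricV3"]["cvssV3"]["vectorString"])
    elif "baseMetricV2" in impact_obj:
        impact = CVSS2(impact_obj["baseMetricV2"]["cvssV2"]["vectorString"])
    else:
        impact = None

    return CVE(
        cve_id=cve_id,
        published_date=published_date,
        last_modified_date=last_modified_date,
        impact=impact,
        descriptions=descriptions,
        references=references,
        assigner=assigner,
        configurations=JsonDataSource.parse_configurations(cve_obj.get("configurations", {})),
    )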
def extract_nasl_info(nasl_paths):
    """Collect plugin metadata from a set of .nasl files.

    Each file is read whole and searched with the module-level patterns
    (``p_id``, ``p_name``/``p_name_alt``, ``p_cvss2``/``p_cvss2_alt``,
    ``p_cvss3``, ``p_risk_factor``, ``p_deps``/``p_deps2``).

    Args:
        nasl_paths: iterable of file paths.

    Returns:
        dict keyed by file basename; each value holds ``script_id``,
        ``script_name``, ``cvss2``, ``cvss3`` (base scores as floats),
        ``risk_factor`` (``None`` when not found) and ``dependencies``
        (a list, empty when not found).

    Raises:
        CVSSError: propagated when a found CVSS string does not parse.
    """
    def first_match(text, *patterns):
        # First successful search among the given patterns, or None.
        for pattern in patterns:
            found = pattern.search(text)
            if found:
                return found
        return None

    def group_or_none(match):
        return match.group(1) if match else None

    def base_score(cvss_cls, match):
        # Some CVSS strings carry leading/trailing spaces, hence strip().
        if not match:
            return None
        return float(cvss_cls(match.group(1).strip()).base_score)

    plugins_info = {}
    for path in nasl_paths:
        with open(path) as handle:
            text = handle.read()
        info = {
            'script_id': group_or_none(p_id.search(text)),
            'script_name': group_or_none(first_match(text, p_name, p_name_alt)),
            'cvss2': base_score(CVSS2, first_match(text, p_cvss2, p_cvss2_alt)),
            'cvss3': base_score(CVSS3, p_cvss3.search(text)),
            'risk_factor': group_or_none(p_risk_factor.search(text)),
        }
        deps_match = p_deps.search(text)
        info['dependencies'] = p_deps2.findall(deps_match.group(1)) if deps_match else []
        plugins_info[os.path.basename(path)] = info
    return plugins_info
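def cve_iter(
        self,
        rows: Iterator[Tuple[Union[float, int, str], ...]],
        extra_row_handler: Callable[[Tuple[Union[float, int, str], ...], Dict[str, Any]], Any] = lambda *_: None
) -> Iterator[CVE]:
    """Yield a ``CVE`` for every row of the ``cves`` query result.

    Args:
        rows: tuples of ``(cve_id, <ignored>, published, last_modified,
            impact_vector, *extra)``; ``published``/``last_modified`` are
            POSIX timestamps interpreted as UTC.
        extra_row_handler: called with the trailing columns and a kwargs
            dict it may fill with additional ``CVE`` constructor arguments;
            only invoked when there are trailing columns.

    Yields:
        ``CVE`` objects.  ``impact`` is a ``CVSS3`` if the vector parses as
        one, else a ``CVSS2``, else ``None``.  References are not stored in
        this schema and are always empty.
    """
    def parse_impact(vector):
        # Prefer CVSS3; fall back to CVSS2; an unparseable vector means no impact.
        if vector is None:
            return None
        try:
            return CVSS3(vector)
        except CVSSError:
            pass
        try:
            return CVSS2(vector)
        except CVSSError:
            return None

    for cve_id, _, published, last_modified, impact_vector, *extra_rows in rows:
        impact = parse_impact(impact_vector)

        cursor = self.connection.cursor()
        try:
            # cve_id is bound as a parameter; it must never be formatted
            # into the SQL text.
            cursor.execute("SELECT lang, description FROM descriptions WHERE cve = ?", (cve_id,))
            descriptions = tuple(Description(lang, desc) for lang, desc in cursor.fetchall())
        finally:
            # Release the cursor per row rather than leaving it to the GC.
            cursor.close()

        kwargs = {}
        if extra_rows:
            extra_row_handler(extra_rows, kwargs)

        yield CVE(
            cve_id=cve_id,
            published_date=datetime.fromtimestamp(published, timezone.utc),
            last_modified_date=datetime.fromtimestamp(last_modified, timezone.utc),
            impact=impact,
            descriptions=descriptions,
            references=(),  # References are implemented in SchemaV1
            assigner=None,
            **kwargs
        )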
def run_rh_tests_from_file(self, test_name):
    """Check ``CVSS2.from_rh_vector`` against every line of a fixture file.

    Each line of ``WD/test_name`` reads ``<vector> - (<base>, <temporal>,
    <environmental>)`` with ``None`` for scores that do not apply.  The
    Red Hat form ``<base score>/<vector>`` is rebuilt from the expected
    base score and must yield exactly the expected score tuple.
    """
    def parse_line(line):
        vector, score_text = line.split(' - ')
        fields = score_text.replace('(', '').replace(')', '').strip().split(', ')
        expected = tuple(None if field == 'None' else float(field) for field in fields)
        return vector, expected

    with open(path.join(WD, test_name)) as handle:
        for line in handle:
            vector, expected_scores = parse_line(line)
            # Red Hat vectors prefix the base score to the metric string.
            rh_vector = '{0}/{1}'.format(expected_scores[0], vector)
            actual_scores = CVSS2.from_rh_vector(rh_vector).scores()
            self.assertEqual(expected_scores, actual_scores, '{0} - {1}'.format(test_name, vector))
def run_tests_from_file(self, test_name):
    """Check ``CVSS2`` scoring against every line of a fixture file.

    Each line of ``WD/test_name`` reads ``<vector> - (<base>, <temporal>,
    <environmental>)`` with ``None`` for scores that do not apply; the
    computed score tuple must match exactly.
    """
    def parse_line(line):
        vector, score_text = line.split(' - ')
        fields = score_text.replace('(', '').replace(')', '').strip().split(', ')
        expected = tuple(None if field == 'None' else float(field) for field in fields)
        return vector, expected

    with open(path.join(WD, test_name)) as handle:
        for line in handle:
            vector, expected_scores = parse_line(line)
            actual_scores = CVSS2(vector).scores()
            self.assertEqual(expected_scores, actual_scores, '{0} - {1}'.format(test_name, vector))
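def getImageTrivyVulnerabilities(self, uniqueImagesList, reportsummary):
    """Scan every image with Trivy and collect its vulnerabilities.

    Args:
        uniqueImagesList: mapping of image uid -> image dict; only
            ``image['fulltag']`` is read here.
        reportsummary: counters updated in place: ``'images'``,
            ``'vuln_total'``, ``'vuln_fixed'`` and ``'vuln_<severity>'``.

    Returns:
        ``(VulnList, imageTrivyVulnSummary)``: per-uid list of Trivy target
        dicts (each vulnerability annotated with computed CVSS scores, each
        target carrying the image's shared ``'summary'``), and the per-uid
        severity summary.  An image whose Trivy output is not valid JSON
        gets an empty list and no summary entry.
    """
    print('INFO: Load trivy Vulnerabilities')
    VulnList = {}
    imageTrivyVulnSummary = {}

    def new_summary():
        # Per-severity counters; 'severity' is the rank stored as SeverityInt.
        return {
            'Critical': {'severity': 0, 'total': 0, 'fixed': 0},
            'High': {'severity': 1, 'total': 0, 'fixed': 0},
            'Medium': {'severity': 2, 'total': 0, 'fixed': 0},
            'Low': {'severity': 3, 'total': 0, 'fixed': 0},
            'Unknown': {'severity': 4, 'total': 0, 'fixed': 0},
        }

    def run_trivy(fulltag):
        # Registry credentials are exposed only for the duration of the scan
        # (presumably via the environment — do not log the environment here);
        # the finally clause removes them even if trivy cannot be started.
        self.__addCredentials(fulltag, self.repoCredentials)
        try:
            completed = subprocess.run(
                ["trivy", "-q", "i", "-f", "json", fulltag],
                stdout=subprocess.PIPE)
        finally:
            self.__removeCredenials()
        return completed.stdout.decode('utf-8')

    def annotate_cvss(vulnerability):
        # Attach computed scores/metrics next to each provider's vector.
        for provider, vectors in (vulnerability.get('CVSS') or {}).items():
            if 'V3Vector' in vectors:
                cvss = CVSS3(vectors['V3Vector'])
                vectors['V3Vector_base_score'] = str(round(cvss.base_score, 1))
                vectors['V3Vector_modified_isc'] = str(round(cvss.modified_isc, 1))
                vectors['V3Vector_modified_esc'] = str(round(cvss.modified_esc, 1))
                vectors['V3Vector_metrics'] = cvss.metrics
                vectors['provider'] = provider
            if 'V2Vector' in vectors:
                cvss = CVSS2(vectors['V2Vector'])
                vectors['V2Vector_base_score'] = str(round(cvss.base_score, 1))
                vectors['V2Vector_metrics'] = cvss.metrics
                vectors['provider'] = provider

    def count_severity(vulnerability, vulnsum):
        # Update the per-image and report-wide counters from Trivy's Severity.
        if 'Severity' not in vulnerability:
            return
        severity = vulnerability['Severity'].capitalize()
        vulnerability['SeverityInt'] = vulnsum[severity]['severity']
        vulnsum[severity]['total'] += 1
        reportsummary['vuln_total'] += 1
        reportsummary['vuln_' + vulnerability['Severity'].lower()] += 1
        if 'FixedVersion' in vulnerability:
            vulnsum[severity]['fixed'] += 1
            reportsummary['vuln_fixed'] += 1

    for imageUid, image in uniqueImagesList.items():
        reportsummary['images'] += 1
        fulltag = image['fulltag']
        log.debug("run Trivy on: {}".format(fulltag))
        vulnsum = new_summary()
        VulnList[imageUid] = []

        try:
            imageVuln = json.loads(run_trivy(fulltag))
        except json.JSONDecodeError:
            print("ERROR: could not parse {}".format(fulltag))
            continue
        # skip empty images like busybox
        if not isinstance(imageVuln, list):
            continue

        for target in imageVuln:
            # Trivy emits null instead of a list when a target has no findings.
            for vulnerability in target.get('Vulnerabilities') or []:
                annotate_cvss(vulnerability)
                count_severity(vulnerability, vulnsum)
            # Every target of the image shares the same summary dict.
            target['summary'] = vulnsum
            VulnList[imageUid].append(target)
        imageTrivyVulnSummary[imageUid] = vulnsum

    return VulnList, imageTrivyVulnSummary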
""" Usage examples for CVSS library. """ from __future__ import print_function, unicode_literals from cvss import CVSS2, CVSS3 vector = 'AV:L/AC:L/Au:M/C:N/I:P/A:C/E:U/RL:W/RC:ND/CDP:L/TD:H/CR:ND/IR:ND/AR:M' c = CVSS2(vector) print(vector) print(c.clean_vector()) print(c.scores()) print() vector = 'S:C/C:H/I:H/A:N/AV:P/AC:H/PR:H/UI:R/E:H/RL:O/RC:R/CR:H/IR:X/AR:X/MAC:H/MPR:X/MUI:X/MC:L/MA:X' c = CVSS3(vector) print(vector) print(c.clean_vector()) print(c.scores()) print(c.severities())