def map(self, record_json): if not record_json: return None # Handle a 'Vulnerability' wrapper around the specific record. If not present, assume a direct record if len(list(record_json.keys())) == 1 and record_json.get('Vulnerability'): vuln = record_json['Vulnerability'] else: vuln = record_json db_rec = Vulnerability() db_rec.id = vuln['Name'] db_rec.namespace_name = self.group db_rec.severity = vuln.get('Severity', 'Unknown') db_rec.link = vuln.get('Link') description = vuln.get("Description", "") if description: db_rec.description = vuln.get('Description', '') if len(vuln.get('Description', '')) < self.MAX_STR_LEN else (vuln.get('Description')[:self.MAX_STR_LEN - 8] + '...') else: db_rec.description = "" db_rec.fixed_in = [] # db_rec.vulnerable_in = [] # db_rec.metadata_json = json.dumps(vuln.get('Metadata')) if 'Metadata' in vuln else None db_rec.additional_metadata = vuln.get('Metadata', {}) cvss_data = vuln.get('Metadata', {}).get('NVD', {}).get('CVSSv2') if cvss_data: db_rec.cvss2_vectors = cvss_data.get('Vectors') db_rec.cvss2_score = cvss_data.get('Score') # Process Fixes if 'FixedIn' in vuln: for f in vuln['FixedIn']: fix = FixedArtifact() fix.name = f['Name'] fix.version = f['Version'] fix.version_format = f['VersionFormat'] fix.epochless_version = re.sub(r'^[0-9]*:', '', f['Version']) fix.vulnerability_id = db_rec.id fix.namespace_name = self.group fix.vendor_no_advisory = f.get('VendorAdvisory', {}).get('NoAdvisory', False) fix.fix_metadata = {'VendorAdvisorySummary': f['VendorAdvisory']['AdvisorySummary']} if f.get('VendorAdvisory', {}).get('AdvisorySummary', []) else None db_rec.fixed_in.append(fix) # if 'VulnerableIn' in vuln: # for v in vuln['VulnerableIn']: # v_in = VulnerableArtifact() # v_in.name = v['Name'] # v_in.version = v['Version'] # v_in.version_format = v['VersionFormat'] # v_in.epochless_version = re.sub(r'^[0-9]*:', '', v['Version']) # v_in.vulnerability_id = db_rec.id # v_in.namespace_name = self.group # # db_rec.vulnerable_in.append(v_in) return db_rec
def map(self, record_json): advisory = record_json["Advisory"] db_rec = Vulnerability() db_rec.id = advisory["ghsaId"] db_rec.name = advisory["ghsaId"] db_rec.namespace_name = advisory["namespace"] db_rec.description = advisory["Summary"] db_rec.severity = advisory.get("Severity", "Unknown") or "Unknown" db_rec.link = advisory["url"] db_rec.metadata_json = advisory["Metadata"] references = [ "https://nvd.nist.gov/vuln/detail/{}".format(i) for i in advisory["CVE"] ] db_rec.references = references # Set the `FixedArtifact` to an empty list so that a cascade deletion # gets rid of the associated fixes. If the advisory has been withdrawn, # this field will a string with a date. if advisory["withdrawn"] is not None: db_rec.fixed_in = [] return db_rec for f in advisory["FixedIn"]: fix = FixedArtifact() fix.name = f["name"] # this is an unfortunate lie, 'version' has to be a range in order # to be processed correctly. If there is a real fix version, it # will be set in the `fix_metadata`. fix.version = f.get("range", "None") fix.version_format = "semver" fix.vulnerability_id = db_rec.id fix.namespace_name = f["namespace"] fix.vendor_no_advisory = False # the advisory summary is the same as db_rec.description, do we need to do this again? fix.fix_metadata = {"first_patched_version": f["identifier"]} db_rec.fixed_in.append(fix) return db_rec
def map(self, record_json): advisory = record_json['Advisory'] db_rec = Vulnerability() db_rec.id = advisory['ghsaId'] db_rec.name = advisory['ghsaId'] db_rec.namespace_name = advisory['namespace'] db_rec.description = advisory['Summary'] db_rec.severity = advisory.get('Severity', 'Unknown') or 'Unknown' db_rec.link = advisory['url'] db_rec.metadata_json = advisory['Metadata'] references = [ "https://nvd.nist.gov/vuln/detail/{}".format(i) for i in advisory['CVE'] ] db_rec.references = references # Set the `FixedArtifact` to an empty list so that a cascade deletion # gets rid of the associated fixes. If the advisory has been withdrawn, # this field will a string with a date. if advisory['withdrawn'] is not None: db_rec.fixed_in = [] return db_rec for f in advisory['FixedIn']: fix = FixedArtifact() fix.name = f['name'] # this is an unfortunate lie, 'version' has to be a range in order # to be processed correctly. If there is a real fix version, it # will be set in the `fix_metadata`. fix.version = f.get('range', 'None') fix.version_format = 'semver' fix.vulnerability_id = db_rec.id fix.namespace_name = f['namespace'] fix.vendor_no_advisory = False # the advisory summary is the same as db_rec.description, do we need to do this again? fix.fix_metadata = {'first_patched_version': f['identifier']} db_rec.fixed_in.append(fix) return db_rec
def map(self, record_json): if not record_json: return None # Handle a 'Vulnerability' wrapper around the specific record. If not present, assume a direct record if len(list( record_json.keys())) == 1 and record_json.get("Vulnerability"): vuln = record_json["Vulnerability"] else: vuln = record_json db_rec = Vulnerability() db_rec.id = vuln["Name"] db_rec.namespace_name = self.group db_rec.severity = vuln.get("Severity", "Unknown") db_rec.link = vuln.get("Link") description = vuln.get("Description", "") if description: db_rec.description = ( vuln.get("Description", "") if len(vuln.get("Description", "")) < self.MAX_STR_LEN else (vuln.get("Description")[:self.MAX_STR_LEN - 8] + "...")) else: db_rec.description = "" db_rec.fixed_in = [] # db_rec.vulnerable_in = [] # db_rec.metadata_json = json.dumps(vuln.get('Metadata')) if 'Metadata' in vuln else None db_rec.additional_metadata = vuln.get("Metadata", {}) cvss_data = vuln.get("Metadata", {}).get("NVD", {}).get("CVSSv2") if cvss_data: db_rec.cvss2_vectors = cvss_data.get("Vectors") db_rec.cvss2_score = cvss_data.get("Score") # Process Fixes if "FixedIn" in vuln: for f in vuln["FixedIn"]: fix = FixedArtifact() fix.name = f["Name"] fix.version = f["Version"] fix.version_format = f["VersionFormat"] fix.epochless_version = re.sub(r"^[0-9]*:", "", f["Version"]) fix.vulnerability_id = db_rec.id fix.namespace_name = self.group fix.vendor_no_advisory = f.get("VendorAdvisory", {}).get("NoAdvisory", False) fix.fix_metadata = ({ "VendorAdvisorySummary": f["VendorAdvisory"]["AdvisorySummary"] } if f.get("VendorAdvisory", {}).get("AdvisorySummary", []) else None) db_rec.fixed_in.append(fix) # if 'VulnerableIn' in vuln: # for v in vuln['VulnerableIn']: # v_in = VulnerableArtifact() # v_in.name = v['Name'] # v_in.version = v['Version'] # v_in.version_format = v['VersionFormat'] # v_in.epochless_version = re.sub(r'^[0-9]*:', '', v['Version']) # v_in.vulnerability_id = db_rec.id # v_in.namespace_name = self.group # # db_rec.vulnerable_in.append(v_in) return db_rec