Change deprecated_by of CPEs to a list.
timopollmeier committed Oct 2, 2024
1 parent 00dbe56 commit 12b44f3
Showing 5 changed files with 103 additions and 28 deletions.
14 changes: 8 additions & 6 deletions src/gmp.c
Expand Up @@ -13438,16 +13438,18 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error)

if (get_info_data->details == 1)
{
const char *deprecated_by_id
= cpe_info_iterator_deprecated_by_id (&info);
if (deprecated_by_id && strcmp (deprecated_by_id, ""))
iterator_t deprecated_by, cves, refs;

init_cpe_deprecated_by_iterator (&deprecated_by,

get_iterator_name (&info));
while (next (&deprecated_by))
{
xml_string_append (result,

"<deprecated_by>%s</deprecated_by>",
deprecated_by_id);
"<deprecated_by cpe_id=\"%s\"/>",
cpe_deprecated_by_iterator_deprecated_by
(&deprecated_by));
}

iterator_t cves, refs;
g_string_append (result, "<cves>");
init_cpe_cve_iterator (&cves, get_iterator_name (&info), 0, NULL);
while (next (&cves))
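Review bot: The new `deprecated_by` iterator is never released in the visible lines: after the `while (next (&deprecated_by))` loop the code goes straight on to `g_string_append (result, "<cves>");`. Unless something later in handle_get_info (which continues outside this hunk) cleans it up, every CPE returned with `details == 1` leaves the iterator's query result allocated for the rest of the request. Add `cleanup_iterator (&deprecated_by);` directly after the loop's closing brace, matching how the other iterators in this file are normally paired with a cleanup.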
6 changes: 6 additions & 0 deletions src/manage.h
Expand Up @@ -3339,6 +3339,12 @@ manage_scap_update_time ();

/* CPE. */

void
init_cpe_deprecated_by_iterator (iterator_t *, const char *);

const char *
cpe_deprecated_by_iterator_deprecated_by (iterator_t *);

void
init_cpe_cve_iterator (iterator_t *, const char *, int, const char *);

5 changes: 5 additions & 0 deletions src/manage_pg.c
Expand Up @@ -3538,6 +3538,11 @@ manage_db_init (const gchar *name)
" ref TEXT,"
" type TEXT);");

sql ("CREATE TABLE scap2.cpes_deprecated_by"

" (id SERIAL PRIMARY KEY,"
" cpe TEXT,"
" deprecated_by TEXT);");

sql ("CREATE TABLE scap2.cpe_match_nodes"
" (id SERIAL PRIMARY KEY,"
" parent_id INTEGER DEFAULT 0,"
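Review bot: `scap2.cpes_deprecated_by` is created with only a serial primary key, so nothing prevents the same `(cpe, deprecated_by)` pair from being stored twice. The matching insert set up in update_scap_cpes_from_json_file (src/manage_sql_secinfo.c) passes `""` as its suffix, whereas the `scap2.cpes` insert uses `ON CONFLICT (uuid) DO UPDATE`; a CPE that is processed twice would therefore produce repeated `<deprecated_by>` elements in GET_INFO. Consider ending the table definition with `" deprecated_by TEXT, UNIQUE (cpe, deprecated_by));"` and using `" ON CONFLICT DO NOTHING"` as the insert suffix. The new lookup filters on `WHERE cpe = '%s'`, so an index on `cpe` is also worth adding if indexes for the scap2 tables are not created elsewhere after the load; manage_db_init continues outside this hunk.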
93 changes: 71 additions & 22 deletions src/manage_sql_secinfo.c
Expand Up @@ -696,6 +696,28 @@ cve_info_filter_columns ()
return filter_columns;
}

/**
* @brief Initialise an iterator listing CPEs another CPE is deprecated_by.
*
* @param[in] iterator Iterator.
* @param[in] cpe CPE to get which other CPEs it's deprecated by.
*/
void
init_cpe_deprecated_by_iterator (iterator_t *iterator, const char *cpe)

{
gchar *quoted_cpe;
assert (cpe);
quoted_cpe = sql_quote (cpe);
init_iterator (iterator,

"SELECT deprecated_by FROM cpes_deprecated_by"
" WHERE cpe = '%s'"
" ORDER BY deprecated_by;",
quoted_cpe);
g_free (quoted_cpe);

}

DEF_ACCESS (cpe_deprecated_by_iterator_deprecated_by, 0);


/**
* @brief Initialise an CVE iterator, for CVEs reported for a certain CPE.
*
Expand Down Expand Up @@ -2272,19 +2294,19 @@ scap_cpes_json_skip_to_products (gvm_json_pull_parser_t *parser,
/**
* @brief Insert a SCAP CPE from JSON.
*
* @param[in] inserts Pointer to SQL buffer.
* @param[in] inserts Pointer to SQL buffer for main CPE entries.
* @param[in] deprecated_by_inserts Pointer to SQL buffer for deprecated_by.
* @param[in] product_item JSON object from the products list.
*
* @return 0 success, -1 error.
*/
static int
handle_json_cpe_item (inserts_t *inserts, cJSON *product_item)
handle_json_cpe_item (inserts_t *inserts, inserts_t *deprecated_by_inserts,

cJSON *product_item)
{
cJSON *cpe_item;
char *name, *cpe_name_id, *last_modified, *title_text;
char *deprecated_by;
gchar *quoted_name, *quoted_title, *quoted_cpe_name_id;
gchar *quoted_deprecated_by;
cJSON *titles, *title;
time_t modification_time;
int deprecated;
Expand Down Expand Up @@ -2347,64 +2369,84 @@ handle_json_cpe_item (inserts_t *inserts, cJSON *product_item)
return -1;

}

deprecated_by = NULL;
quoted_name = fs_to_uri_convert_and_quote_cpe_name (name);

if (deprecated)
{
/* CPEs can have multiple deprecatedBy entries,
* but for the GMP field only the first one is used */
cJSON *deprecated_by_array, *first_deprecated_by;
cJSON *deprecated_by_array, *deprecated_by_item;
char *deprecated_by_id;
gchar *quoted_deprecated_by_id;
deprecated_by_array = cJSON_GetObjectItemCaseSensitive (cpe_item,

"deprecatedBy");
if (! cJSON_IsArray (deprecated_by_array))
{
g_warning ("%s: 'deprecatedBy' field missing or not an array",

__func__);
g_free (quoted_name);
return -1;

}
else if (cJSON_GetArraySize (deprecated_by_array) == 0)

{
g_warning ("%s: 'deprecatedBy' array is empty",

__func__);
g_free (quoted_name);
return -1;

}

first_deprecated_by = cJSON_GetArrayItem (deprecated_by_array, 0);
deprecated_by = json_object_item_string (first_deprecated_by, "cpeName");
if (deprecated_by == NULL)
cJSON_ArrayForEach (deprecated_by_item, deprecated_by_array)

{
g_warning ("%s: Could not get 'cpeName' string from 'deprecatedBy'",
__func__);
return -1;
deprecated_by_id = json_object_item_string (deprecated_by_item,

"cpeName");
if (deprecated_by_id == NULL)
{
g_warning ("%s: 'cpeName' field in 'deprecatedBy' missing or not"

" a string",
__func__);
g_free (quoted_name);
return -1;

}

quoted_deprecated_by_id
= fs_to_uri_convert_and_quote_cpe_name (deprecated_by_id);


g_message ("%s deprecated by %s", quoted_name, quoted_deprecated_by_id);


first = inserts_check_size (deprecated_by_inserts);


g_string_append_printf (deprecated_by_inserts->statement,

"%s ('%s', '%s')",
first ? "" : ",",
quoted_name,
quoted_deprecated_by_id);

deprecated_by_inserts->current_chunk_size++;


g_free (quoted_deprecated_by_id);

}
}

quoted_name = fs_to_uri_convert_and_quote_cpe_name (name);
quoted_cpe_name_id = sql_quote (cpe_name_id);
quoted_title = sql_quote (title_text ? title_text : "");

quoted_deprecated_by
= deprecated_by ? fs_to_uri_convert_and_quote_cpe_name (deprecated_by)
: NULL;

first = inserts_check_size (inserts);


g_string_append_printf (inserts->statement,

"%s ('%s', '%s', '%s', %li, %li, %d, '%s', '%s')",
"%s ('%s', '%s', '%s', %li, %li, %d, '%s')",
first ? "" : ",",
quoted_name,
quoted_name,
quoted_title,
modification_time,
modification_time,
deprecated,
quoted_deprecated_by ? quoted_deprecated_by : "",
quoted_cpe_name_id);

inserts->current_chunk_size++;


g_free (quoted_title);
g_free (quoted_name);
g_free (quoted_cpe_name_id);

g_free (quoted_deprecated_by);

return 0;

}
Expand Down Expand Up @@ -2490,7 +2532,7 @@ handle_json_cpe_refs (inserts_t *inserts, cJSON *product_item)
static int
update_scap_cpes_from_json_file (const gchar *path)

{
inserts_t inserts;
inserts_t inserts, deprecated_by_inserts;
gvm_json_pull_parser_t parser;
gvm_json_pull_event_t event;
FILE *json_stream = fopen (path, "r");

Expand All @@ -2517,7 +2559,7 @@ update_scap_cpes_from_json_file (const gchar *path)
setting_secinfo_sql_buffer_threshold_bytes (),
"INSERT INTO scap2.cpes"
" (uuid, name, title, creation_time,"
" modification_time, deprecated, deprecated_by_id,"
" modification_time, deprecated,"
" cpe_name_id)"
" VALUES",
" ON CONFLICT (uuid) DO UPDATE"
Expand All @@ -2529,6 +2571,12 @@ update_scap_cpes_from_json_file (const gchar *path)
" deprecated_by_id = EXCLUDED.deprecated_by_id,"
" cpe_name_id = EXCLUDED.cpe_name_id");

inserts_init (&deprecated_by_inserts, 10,

setting_secinfo_sql_buffer_threshold_bytes (),
"INSERT INTO scap2.cpes_deprecated_by (cpe, deprecated_by)"
" VALUES ",
"");

while (event.type == GVM_JSON_PULL_EVENT_OBJECT_START)
{
gchar *error_message;
Expand All @@ -2543,7 +2591,7 @@ update_scap_cpes_from_json_file (const gchar *path)
sql_commit ();
return -1;

}
if (handle_json_cpe_item (&inserts, entry))
if (handle_json_cpe_item (&inserts, &deprecated_by_inserts, entry))
{
gvm_json_pull_event_cleanup (&event);
gvm_json_pull_parser_cleanup (&parser);
Expand All @@ -2556,6 +2604,7 @@ update_scap_cpes_from_json_file (const gchar *path)
gvm_json_pull_parser_next (&parser, &event);

}
inserts_run (&inserts, TRUE);
inserts_run (&deprecated_by_inserts, TRUE);
sql_commit ();
gvm_json_pull_parser_cleanup (&parser);


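Review bot: `g_message ("%s deprecated by %s", quoted_name, quoted_deprecated_by_id);` inside the `cJSON_ArrayForEach` loop of handle_json_cpe_item writes one message-level log line per deprecatedBy entry during a feed sync, and it prints the SQL-quoted strings rather than the CPE names. It reads like leftover debugging; `g_debug ("%s: %s deprecated by %s", __func__, name, deprecated_by_id);` or dropping the line would keep the sync log usable. Separately, the column list of the `scap2.cpes` insert no longer contains `deprecated_by_id`, yet the ON CONFLICT clause shown as context in update_scap_cpes_from_json_file still has `" deprecated_by_id = EXCLUDED.deprecated_by_id,"`; that assignment looks stale and should be removed together with the column. Both functions extend beyond the visible hunks.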
13 changes: 13 additions & 0 deletions src/schema_formats/XML/GMP.xml.in
Expand Up @@ -12996,6 +12996,7 @@ END:VCALENDAR
<e>severity</e>
<e>cve_refs</e>
<e>deprecated</e>
<any><e>deprecated_by</e></any>
<o><e>cves</e></o>
<o><e>references</e></o>
<o><e>raw_data</e></o>
Expand Down Expand Up @@ -13036,6 +13037,18 @@ END:VCALENDAR
<t>boolean</t>
</pattern>
</ele>
<ele>
<name>deprecated_by</name>
<summary>Another CPE the current one is deprecated by</summary>
<pattern>
<attrib>
<name>cpe_id</name>
<type>uuid</type>
<summary>CPE id the current CPE is deprecated by</summary>
<required>1</required>
</attrib>
</pattern>
</ele>
<ele>
<name>cves</name>
<summary>CVEs referring to this CPE. Only when details were requested</summary>