

Use CVSS severity for SCAP and CERT again
The 0–100 integer `score` element is replaced with a CVSS `severity`
one, as gvmd will continue using the previous severity scoring system.
This still changes the name of the element compared to 20.08 to make the
element names more consistent.
timopollmeier committed Apr 7, 2021
1 parent 99c2cf4 commit 24f2df8
Showing 7 changed files with 133 additions and 163 deletions.
4 changes: 2 additions & 2 deletions CMakeLists.txt
Expand Up @@ -98,9 +98,9 @@ include (CPack)

set (GVMD_DATABASE_VERSION 241)

set (GVMD_SCAP_DATABASE_VERSION 17)
set (GVMD_SCAP_DATABASE_VERSION 18)

set (GVMD_CERT_DATABASE_VERSION 7)
set (GVMD_CERT_DATABASE_VERSION 8)

set (GMP_VERSION "21.4")
set (GMP_VERSION_FEED "21.04")
53 changes: 26 additions & 27 deletions src/gmp.c
Expand Up @@ -8958,28 +8958,26 @@ results_xml_append_nvt (iterator_t *results, GString *buffer, int cert_loaded)
{
if (g_str_has_prefix (oid, "CVE-"))
{
int score;
gchar *cvss_base;
gchar *severity;

cvss_base = cve_cvss_base (oid);
score = cve_score (oid);
severity = cve_cvss_base (oid);
buffer_xml_append_printf (buffer,
"<nvt oid=\"%s\">"
"<type>cve</type>"
"<name>%s</name>"
"<cvss_base>%s</cvss_base>"
"<severities score=\"%i\">"
"<severities score=\"%s\">"
"</severities>"
"<cpe id='%s'/>"
"<cve>%s</cve>"
"</nvt>",
oid,
oid,
cvss_base,
score,
severity ? severity : "",
severity ? severity : "",
result_iterator_port (results),
oid);
g_free (cvss_base);
g_free (severity);
return;
}

Expand All @@ -8990,6 +8988,7 @@ results_xml_append_nvt (iterator_t *results, GString *buffer, int cert_loaded)
gchar **split, **item;
get_data_t get;
iterator_t iterator;
const char *severity;

memset (&get, '\0', sizeof (get));
get.id = g_strdup (oid);
Expand All @@ -8998,19 +8997,19 @@ results_xml_append_nvt (iterator_t *results, GString *buffer, int cert_loaded)
assert (0);
if (!next (&iterator))
abort ();
severity = ovaldef_info_iterator_severity (&iterator);
buffer_xml_append_printf (buffer,
"<nvt oid=\"%s\">"
"<type>ovaldef</type>"
"<name>%s</name>"
"<family/>"
"<cvss_base>%s</cvss_base>"
"<severities score=\"%s\">"
"</severities>"
"<tags>summary=%s</tags>",
oid,
ovaldef_info_iterator_title (&iterator),
ovaldef_info_iterator_score (&iterator)
? ovaldef_info_iterator_score (&iterator)
: "",
severity ? severity : "",
severity ? severity : "",
ovaldef_info_iterator_description (&iterator));
g_free (get.id);
cleanup_iterator (&iterator);
Expand Down Expand Up @@ -13093,14 +13092,14 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error)
cpe_info_iterator_title (&info));
xml_string_append (result,
"<nvd_id>%s</nvd_id>"
"<score>%s</score>"
"<severity>%s</severity>"
"<cve_refs>%s</cve_refs>"
"<status>%s</status>",
cpe_info_iterator_nvd_id (&info)
? cpe_info_iterator_nvd_id (&info)
: "",
cpe_info_iterator_score (&info)
? cpe_info_iterator_score (&info)
cpe_info_iterator_severity (&info)
? cpe_info_iterator_severity (&info)
: "",
cpe_info_iterator_cve_refs (&info),
cpe_info_iterator_status (&info)
Expand Down Expand Up @@ -13143,12 +13142,12 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error)
{
xml_string_append (result,
"<cve>"
"<score>%s</score>"
"<severity>%s</severity>"
"<cvss_vector>%s</cvss_vector>"
"<description>%s</description>"
"<products>%s</products>",
cve_info_iterator_score (&info)
? cve_info_iterator_score (&info)
cve_info_iterator_severity (&info)
? cve_info_iterator_severity (&info)
: "",
cve_info_iterator_vector (&info),
cve_info_iterator_description (&info),
Expand Down Expand Up @@ -13224,16 +13223,16 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error)
"<status>%s</status>"
"<class>%s</class>"
"<title>%s</title>"
"<score>%s</score>"
"<severity>%s</severity>"
"<cve_refs>%s</cve_refs>"
"<file>%s</file>",
ovaldef_info_iterator_version (&info),
ovaldef_info_iterator_deprecated (&info),
ovaldef_info_iterator_status (&info),
ovaldef_info_iterator_class (&info),
ovaldef_info_iterator_title (&info),
ovaldef_info_iterator_score (&info)
? ovaldef_info_iterator_score (&info)
ovaldef_info_iterator_severity (&info)
? ovaldef_info_iterator_severity (&info)
: "",
ovaldef_info_iterator_cve_refs (&info),
ovaldef_info_iterator_file (&info));
Expand All @@ -13248,25 +13247,25 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error)
"<cert_bund_adv>"
"<title>%s</title>"
"<summary>%s</summary>"
"<score>%s</score>"
"<severity>%s</severity>"
"<cve_refs>%s</cve_refs>",
cert_bund_adv_info_iterator_title (&info),
cert_bund_adv_info_iterator_summary (&info),
cert_bund_adv_info_iterator_score(&info)
? cert_bund_adv_info_iterator_score(&info)
cert_bund_adv_info_iterator_severity(&info)
? cert_bund_adv_info_iterator_severity(&info)
: "",
cert_bund_adv_info_iterator_cve_refs (&info));
else if (g_strcmp0 ("dfn_cert_adv", get_info_data->type) == 0)
xml_string_append (result,
"<dfn_cert_adv>"
"<title>%s</title>"
"<summary>%s</summary>"
"<score>%s</score>"
"<severity>%s</severity>"
"<cve_refs>%s</cve_refs>",
dfn_cert_adv_info_iterator_title (&info),
dfn_cert_adv_info_iterator_summary (&info),
dfn_cert_adv_info_iterator_score(&info)
? dfn_cert_adv_info_iterator_score(&info)
dfn_cert_adv_info_iterator_severity(&info)
? dfn_cert_adv_info_iterator_severity(&info)
: "",
dfn_cert_adv_info_iterator_cve_refs (&info));
else if (g_strcmp0 ("nvt", get_info_data->type) == 0)
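Review bot: In the CVE branch of results_xml_append_nvt the `score` attribute of `<severities>` keeps its name while its value changes from the `%i` integer to the CVSS base string returned by `cve_cvss_base`, so a GMP client that still parses `score` as an integer will now receive a decimal CVSS base (or "" when the lookup fails) with nothing in the output to signal the change. If the attribute name is part of the documented GMP format, a comment at the format string such as `/* score attribute now carries the CVSS base (0.0-10.0) as text; "" when unknown */` would make that intent findable, and the local could keep the name `cvss_base` since that is what it holds. The ovaldef hunk below caches `ovaldef_info_iterator_severity` in a local before the printf, which is cleaner than the double call it replaces; the CVE branch is consistent with it. results_xml_append_nvt starts before the first hunk and continues outside it.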
13 changes: 5 additions & 8 deletions src/manage.h
Expand Up @@ -3150,7 +3150,7 @@ const char*
cpe_info_iterator_status (iterator_t*);

const char *
cpe_info_iterator_score (iterator_t*);
cpe_info_iterator_severity (iterator_t*);

const char*
cpe_info_iterator_deprecated_by_id (iterator_t*);
Expand All @@ -3170,7 +3170,7 @@ const char*
cve_iterator_cvss_score (iterator_t*);

const char*
cve_info_iterator_score (iterator_t*);
cve_info_iterator_severity (iterator_t*);

const char*
cve_info_iterator_vector (iterator_t*);
Expand All @@ -3190,9 +3190,6 @@ cve_info_count (const get_data_t *get);
gchar *
cve_cvss_base (const gchar *);

int
cve_score (const gchar *);

/* OVAL definitions */
int
init_ovaldef_info_iterator (iterator_t*, get_data_t*, const char*);
Expand Down Expand Up @@ -3222,7 +3219,7 @@ const char*
ovaldef_info_iterator_status (iterator_t*);

const char*
ovaldef_info_iterator_score (iterator_t*);
ovaldef_info_iterator_severity (iterator_t*);

const char*
ovaldef_info_iterator_cve_refs (iterator_t*);
Expand Down Expand Up @@ -3261,7 +3258,7 @@ const char*
cert_bund_adv_info_iterator_cve_refs (iterator_t*);

const char*
cert_bund_adv_info_iterator_score (iterator_t*);
cert_bund_adv_info_iterator_severity (iterator_t*);

void
init_cve_cert_bund_adv_iterator (iterator_t*, const char*, int, const char*);
Expand Down Expand Up @@ -3290,7 +3287,7 @@ const char*
dfn_cert_adv_info_iterator_cve_refs (iterator_t*);

const char*
dfn_cert_adv_info_iterator_score (iterator_t*);
dfn_cert_adv_info_iterator_severity (iterator_t*);

void
init_cve_dfn_cert_adv_iterator (iterator_t*, const char*, int, const char*);
34 changes: 19 additions & 15 deletions src/manage_pg.c
Expand Up @@ -1628,6 +1628,8 @@ manage_create_result_indexes ()
void
create_view_vulns ()
{
sql ("DROP VIEW IF EXISTS vulns;");

if (sql_int ("SELECT EXISTS (SELECT * FROM information_schema.tables"
" WHERE table_catalog = '%s'"
" AND table_schema = 'scap'"
Expand All @@ -1639,17 +1641,17 @@ create_view_vulns ()
" AS (SELECT DISTINCT nvt FROM results"
" WHERE (results.severity != " G_STRINGIFY (SEVERITY_ERROR) "))"
" SELECT id, uuid, name, creation_time, modification_time,"
" score, qod, 'nvt' AS type"
" score / 10.0 AS severity, qod, 'nvt' AS type"
" FROM nvts"
" WHERE uuid in (SELECT * FROM used_nvts)"
" UNION SELECT id, uuid, name, creation_time, modification_time,"
" score, "
" severity, "
G_STRINGIFY (QOD_DEFAULT) " AS qod,"
" 'cve' AS type"
" FROM cves"
" WHERE uuid in (SELECT * FROM used_nvts)"
" UNION SELECT id, uuid, name, creation_time, modification_time,"
" score, "
" severity, "
G_STRINGIFY (QOD_DEFAULT) " AS qod,"
" 'ovaldef' AS type"
" FROM ovaldefs"
Expand All @@ -1660,7 +1662,7 @@ create_view_vulns ()
" AS (SELECT DISTINCT nvt FROM results"
" WHERE (results.severity != " G_STRINGIFY (SEVERITY_ERROR) "))"
" SELECT id, uuid, name, creation_time, modification_time,"
" score, qod, 'nvt' AS type"
" score / 10.0 AS severity, qod, 'nvt' AS type"
" FROM nvts"
" WHERE uuid in (SELECT * FROM used_nvts)");
}
Expand Down Expand Up @@ -3029,7 +3031,7 @@ manage_db_init (const gchar *name)
" title TEXT,"
" summary TEXT,"
" cve_refs INTEGER,"
" score INTEGER);");
" severity DOUBLE PRECISION);");
sql ("CREATE UNIQUE INDEX cert_bund_advs_idx"
" ON cert.cert_bund_advs (name);");
sql ("CREATE INDEX cert_bund_advs_by_creation_time"
Expand All @@ -3053,7 +3055,7 @@ manage_db_init (const gchar *name)
" title TEXT,"
" summary TEXT,"
" cve_refs INTEGER,"
" score INTEGER);");
" severity DOUBLE PRECISION);");
sql ("CREATE UNIQUE INDEX dfn_cert_advs_idx"
" ON cert.dfn_cert_advs (name);");
sql ("CREATE INDEX dfn_cert_advs_by_creation_time"
Expand Down Expand Up @@ -3096,7 +3098,8 @@ manage_db_init (const gchar *name)
/* Init tables. */

sql ("INSERT INTO cert.meta (name, value)"
" VALUES ('database_version', '7');");
" VALUES ('database_version', '%i');",
GVMD_CERT_DATABASE_VERSION);
sql ("INSERT INTO cert.meta (name, value)"
" VALUES ('last_update', '0');");
}
Expand Down Expand Up @@ -3138,7 +3141,7 @@ manage_db_init (const gchar *name)
" modification_time integer,"
" cvss_vector text,"
" products text,"
" score integer DEFAULT 0);");
" severity DOUBLE PRECISION DEFAULT 0);");

sql ("CREATE TABLE scap2.cpes"
" (id SERIAL PRIMARY KEY,"
Expand All @@ -3150,7 +3153,7 @@ manage_db_init (const gchar *name)
" title text,"
" status text,"
" deprecated_by_id INTEGER,"
" score integer DEFAULT 0,"
" severity DOUBLE PRECISION DEFAULT 0,"
" cve_refs INTEGER DEFAULT 0,"
" nvd_id text);");

Expand All @@ -3172,7 +3175,7 @@ manage_db_init (const gchar *name)
" description TEXT,"
" xml_file TEXT,"
" status TEXT,"
" score integer DEFAULT 0,"
" severity DOUBLE PRECISION DEFAULT 0,"
" cve_refs INTEGER DEFAULT 0);");

sql ("CREATE TABLE scap2.ovalfiles"
Expand All @@ -3186,7 +3189,8 @@ manage_db_init (const gchar *name)
/* Init tables. */

sql ("INSERT INTO scap2.meta (name, value)"
" VALUES ('database_version', '17');");
" VALUES ('database_version', '%i');",
GVMD_SCAP_DATABASE_VERSION);
sql ("INSERT INTO scap2.meta (name, value)"
" VALUES ('last_update', '0');");
}
Expand Down Expand Up @@ -3263,17 +3267,17 @@ manage_db_init_indexes (const gchar *name)
" ON scap2.cves (creation_time);");
sql ("CREATE INDEX cves_by_modification_time_idx"
" ON scap2.cves (modification_time);");
sql ("CREATE INDEX cves_by_score"
" ON scap2.cves (score);");
sql ("CREATE INDEX cves_by_severity"
" ON scap2.cves (severity);");

sql ("CREATE UNIQUE INDEX cpe_idx"
" ON scap2.cpes (name);");
sql ("CREATE INDEX cpes_by_creation_time_idx"
" ON scap2.cpes (creation_time);");
sql ("CREATE INDEX cpes_by_modification_time_idx"
" ON scap2.cpes (modification_time);");
sql ("CREATE INDEX cpes_by_score"
" ON scap2.cpes (score);");
sql ("CREATE INDEX cpes_by_severity"
" ON scap2.cpes (severity);");
sql ("CREATE INDEX cpes_by_uuid"
" ON scap2.cpes (uuid);");

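Review bot: The `score / 10.0 AS severity` projection in both branches of create_view_vulns appears to rely on `nvts.score` being on a 0–100 scale while `cves.severity` and `ovaldefs.severity` are stored directly as CVSS 0–10 values, but nothing in the function records that unit assumption. A short comment above the CREATE VIEW, e.g. `/* nvts.score is 0-100; divide by 10 to match the CVSS 0-10 severity stored for cves/ovaldefs */`, would keep the conversion visible to whoever next changes either table. The new unconditional `sql ("DROP VIEW IF EXISTS vulns;");` also means a failure in the following CREATE VIEW leaves no view behind unless the caller runs this inside a transaction, which is not visible from the hunk. Separately, the cert tables in manage_db_init declare `severity DOUBLE PRECISION` without the `DEFAULT 0` the scap2 tables get; if that difference is intentional it deserves a word in the comment.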

