From 7230380186703fbeaae3a3e0c7d2e32688449bf2 Mon Sep 17 00:00:00 2001 From: Timo Pollmeier Date: Wed, 7 Apr 2021 14:40:32 +0200 Subject: [PATCH 1/3] Use CVSS severity for SCAP and CERT again The 0 - 100 integer `score` element is replaced with a CVSS `severity` one as gvmd will continue using the previous severity scoring system. This still changes the name of the element compared to 20.08 to make the element names more consistent. --- CMakeLists.txt | 4 +- src/gmp.c | 53 +++++++-------- src/manage.h | 13 ++-- src/manage_pg.c | 34 ++++++---- src/manage_sql_secinfo.c | 109 ++++++++++++------------------ src/manage_sql_secinfo.h | 27 +++----- src/schema_formats/XML/GMP.xml.in | 58 +++++++--------- 7 files changed, 134 insertions(+), 164 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 6dad450e4..1b1299149 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -98,9 +98,9 @@ include (CPack) set (GVMD_DATABASE_VERSION 241) -set (GVMD_SCAP_DATABASE_VERSION 17) +set (GVMD_SCAP_DATABASE_VERSION 18) -set (GVMD_CERT_DATABASE_VERSION 7) +set (GVMD_CERT_DATABASE_VERSION 8) set (GMP_VERSION "21.4") set (GMP_VERSION_FEED "21.04") diff --git a/src/gmp.c b/src/gmp.c index 30b8b50f9..5d999b05b 100644 --- a/src/gmp.c +++ b/src/gmp.c @@ -8958,28 +8958,26 @@ results_xml_append_nvt (iterator_t *results, GString *buffer, int cert_loaded) { if (g_str_has_prefix (oid, "CVE-")) { - int score; - gchar *cvss_base; + gchar *severity; - cvss_base = cve_cvss_base (oid); - score = cve_score (oid); + severity = cve_cvss_base (oid); buffer_xml_append_printf (buffer, "" "cve" "%s" "%s" - "" + "" "" "" "%s" "", oid, oid, - cvss_base, - score, + severity ? severity : "", + severity ? severity : "", result_iterator_port (results), oid); - g_free (cvss_base); + g_free (severity); return; } 
@@ -8990,6 +8988,7 @@ results_xml_append_nvt (iterator_t *results, GString *buffer, int cert_loaded) gchar **split, **item; get_data_t get; iterator_t iterator; + const char *severity; memset (&get, '\0', sizeof (get)); get.id = g_strdup (oid); @@ -8998,19 +8997,19 @@ results_xml_append_nvt (iterator_t *results, GString *buffer, int cert_loaded) assert (0); if (!next (&iterator)) abort (); + severity = ovaldef_info_iterator_severity (&iterator); buffer_xml_append_printf (buffer, "" "ovaldef" "%s" - "" + "%s" "" "" "summary=%s", oid, ovaldef_info_iterator_title (&iterator), - ovaldef_info_iterator_score (&iterator) - ? ovaldef_info_iterator_score (&iterator) - : "", + severity ? severity : "", + severity ? severity : "", ovaldef_info_iterator_description (&iterator)); g_free (get.id); cleanup_iterator (&iterator); @@ -13093,14 +13092,14 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error) cpe_info_iterator_title (&info)); xml_string_append (result, "%s" - "%s" + "%s" "%s" "%s", cpe_info_iterator_nvd_id (&info) ? cpe_info_iterator_nvd_id (&info) : "", - cpe_info_iterator_score (&info) - ? cpe_info_iterator_score (&info) + cpe_info_iterator_severity (&info) + ? cpe_info_iterator_severity (&info) : "", cpe_info_iterator_cve_refs (&info), cpe_info_iterator_status (&info) @@ -13143,12 +13142,12 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error) { xml_string_append (result, "" - "%s" + "%s" "%s" "%s" "%s", - cve_info_iterator_score (&info) - ? cve_info_iterator_score (&info) + cve_info_iterator_severity (&info) + ? cve_info_iterator_severity (&info) : "", cve_info_iterator_vector (&info), cve_info_iterator_description (&info), @@ -13224,7 +13223,7 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error) "%s" "%s" "%s" - "%s" + "%s" "%s" "%s", ovaldef_info_iterator_version (&info), 
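Review bot: The context line `if (!next (&iterator)) abort ();` directly above the new `severity = ovaldef_info_iterator_severity (&iterator);` (hunk `@@ -8998,19 +8997,19 @@` of results_xml_append_nvt) stops the whole daemon when the OVAL definition named by a result has no row. That looks reachable whenever stored results outlive the SCAP data they refer to, for example during a rebuild, which the SCAP database version bump in this series presumably triggers. Unless a check outside the hunk guarantees the row exists, I would log the miss with `g_warning ("%s: OVAL definition %s not found", __func__, oid);` and emit the element with an empty title and severity, as the CVE branch already does with `severity ? severity : ""`. The function starts and ends outside this hunk, so the release of `get.id` and the iterator on that path has to be checked against the full body.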
@@ -13232,8 +13231,8 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error) ovaldef_info_iterator_status (&info), ovaldef_info_iterator_class (&info), ovaldef_info_iterator_title (&info), - ovaldef_info_iterator_score (&info) - ? ovaldef_info_iterator_score (&info) + ovaldef_info_iterator_severity (&info) + ? ovaldef_info_iterator_severity (&info) : "", ovaldef_info_iterator_cve_refs (&info), ovaldef_info_iterator_file (&info)); @@ -13248,12 +13247,12 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error) "" "%s" "%s" - "%s" + "%s" "%s", cert_bund_adv_info_iterator_title (&info), cert_bund_adv_info_iterator_summary (&info), - cert_bund_adv_info_iterator_score(&info) - ? cert_bund_adv_info_iterator_score(&info) + cert_bund_adv_info_iterator_severity(&info) + ? cert_bund_adv_info_iterator_severity(&info) : "", cert_bund_adv_info_iterator_cve_refs (&info)); else if (g_strcmp0 ("dfn_cert_adv", get_info_data->type) == 0) @@ -13261,12 +13260,12 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error) "" "%s" "%s" - "%s" + "%s" "%s", dfn_cert_adv_info_iterator_title (&info), dfn_cert_adv_info_iterator_summary (&info), - dfn_cert_adv_info_iterator_score(&info) - ? dfn_cert_adv_info_iterator_score(&info) + dfn_cert_adv_info_iterator_severity(&info) + ? dfn_cert_adv_info_iterator_severity(&info) : "", dfn_cert_adv_info_iterator_cve_refs (&info)); else if (g_strcmp0 ("nvt", get_info_data->type) == 0) diff --git a/src/manage.h b/src/manage.h index b531100b6..4505ed4e4 100644 --- a/src/manage.h +++ b/src/manage.h @@ -3150,7 +3150,7 @@ const char* cpe_info_iterator_status (iterator_t*); const char * -cpe_info_iterator_score (iterator_t*); +cpe_info_iterator_severity (iterator_t*); const char* cpe_info_iterator_deprecated_by_id (iterator_t*); @@ -3170,7 +3170,7 @@ const char* cve_iterator_cvss_score (iterator_t*); const char* -cve_info_iterator_score (iterator_t*); +cve_info_iterator_severity (iterator_t*); const char* cve_info_iterator_vector (iterator_t*); 
@@ -3190,9 +3190,6 @@ cve_info_count (const get_data_t *get); gchar * cve_cvss_base (const gchar *); -int -cve_score (const gchar *); - /* OVAL definitions */ int init_ovaldef_info_iterator (iterator_t*, get_data_t*, const char*); @@ -3222,7 +3219,7 @@ const char* ovaldef_info_iterator_status (iterator_t*); const char* -ovaldef_info_iterator_score (iterator_t*); +ovaldef_info_iterator_severity (iterator_t*); const char* ovaldef_info_iterator_cve_refs (iterator_t*); @@ -3261,7 +3258,7 @@ const char* cert_bund_adv_info_iterator_cve_refs (iterator_t*); const char* -cert_bund_adv_info_iterator_score (iterator_t*); +cert_bund_adv_info_iterator_severity (iterator_t*); void init_cve_cert_bund_adv_iterator (iterator_t*, const char*, int, const char*); @@ -3290,7 +3287,7 @@ const char* dfn_cert_adv_info_iterator_cve_refs (iterator_t*); const char* -dfn_cert_adv_info_iterator_score (iterator_t*); +dfn_cert_adv_info_iterator_severity (iterator_t*); void init_cve_dfn_cert_adv_iterator (iterator_t*, const char*, int, const char*); diff --git a/src/manage_pg.c b/src/manage_pg.c index cc31e3c38..f99e049bd 100644 --- a/src/manage_pg.c +++ b/src/manage_pg.c @@ -1628,6 +1628,8 @@ manage_create_result_indexes () void create_view_vulns () { + sql ("DROP VIEW IF EXISTS vulns;"); + if (sql_int ("SELECT EXISTS (SELECT * FROM information_schema.tables" " WHERE table_catalog = '%s'" " AND table_schema = 'scap'" 
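Review bot: The new `sql ("DROP VIEW IF EXISTS vulns;");` at the top of create_view_vulns carries no comment saying why the view must be dropped on every call. Presumably it is needed because the `score` column becomes `severity` with a different type, which PostgreSQL cannot change in place on an existing view. I would say so in the code: `/* Drop first: severity replaces score, and the columns of an existing view cannot be renamed or retyped in place. */`. Two things are worth confirming in the callers, which are outside this hunk: that the drop and the following create run inside one transaction, so that concurrent sessions never see the view missing, and that nothing else depends on `vulns`, since the drop has no CASCADE and would fail in that case.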
@@ -1639,17 +1641,17 @@ create_view_vulns () " AS (SELECT DISTINCT nvt FROM results" " WHERE (results.severity != " G_STRINGIFY (SEVERITY_ERROR) "))" " SELECT id, uuid, name, creation_time, modification_time," - " score, qod, 'nvt' AS type" + " score / 10.0 AS severity, qod, 'nvt' AS type" " FROM nvts" " WHERE uuid in (SELECT * FROM used_nvts)" " UNION SELECT id, uuid, name, creation_time, modification_time," - " score, " + " severity, " G_STRINGIFY (QOD_DEFAULT) " AS qod," " 'cve' AS type" " FROM cves" " WHERE uuid in (SELECT * FROM used_nvts)" " UNION SELECT id, uuid, name, creation_time, modification_time," - " score, " + " severity, " G_STRINGIFY (QOD_DEFAULT) " AS qod," " 'ovaldef' AS type" " FROM ovaldefs" @@ -1660,7 +1662,7 @@ create_view_vulns () " AS (SELECT DISTINCT nvt FROM results" " WHERE (results.severity != " G_STRINGIFY (SEVERITY_ERROR) "))" " SELECT id, uuid, name, creation_time, modification_time," - " score, qod, 'nvt' AS type" + " score / 10.0 AS severity, qod, 'nvt' AS type" " FROM nvts" " WHERE uuid in (SELECT * FROM used_nvts)"); } @@ -3029,7 +3031,7 @@ manage_db_init (const gchar *name) " title TEXT," " summary TEXT," " cve_refs INTEGER," - " score INTEGER);"); + " severity DOUBLE PRECISION);"); sql ("CREATE UNIQUE INDEX cert_bund_advs_idx" " ON cert.cert_bund_advs (name);"); sql ("CREATE INDEX cert_bund_advs_by_creation_time" @@ -3053,7 +3055,7 @@ manage_db_init (const gchar *name) " title TEXT," " summary TEXT," " cve_refs INTEGER," - " score INTEGER);"); + " severity DOUBLE PRECISION);"); sql ("CREATE UNIQUE INDEX dfn_cert_advs_idx" " ON cert.dfn_cert_advs (name);"); sql ("CREATE INDEX dfn_cert_advs_by_creation_time" @@ -3096,7 +3098,8 @@ manage_db_init (const gchar *name) /* Init tables. */ sql ("INSERT INTO cert.meta (name, value)" - " VALUES ('database_version', '7');"); + " VALUES ('database_version', '%i');", + GVMD_CERT_DATABASE_VERSION); sql ("INSERT INTO cert.meta (name, value)" " VALUES ('last_update', '0');"); } 
@@ -3138,7 +3141,7 @@ manage_db_init (const gchar *name) " modification_time integer," " cvss_vector text," " products text," - " score integer DEFAULT 0);"); + " severity DOUBLE PRECISION DEFAULT 0);"); sql ("CREATE TABLE scap2.cpes" " (id SERIAL PRIMARY KEY," @@ -3150,7 +3153,7 @@ manage_db_init (const gchar *name) " title text," " status text," " deprecated_by_id INTEGER," - " score integer DEFAULT 0," + " severity DOUBLE PRECISION DEFAULT 0," " cve_refs INTEGER DEFAULT 0," " nvd_id text);"); @@ -3172,7 +3175,7 @@ manage_db_init (const gchar *name) " description TEXT," " xml_file TEXT," " status TEXT," - " score integer DEFAULT 0," + " severity DOUBLE PRECISION DEFAULT 0," " cve_refs INTEGER DEFAULT 0);"); sql ("CREATE TABLE scap2.ovalfiles" @@ -3186,7 +3189,8 @@ manage_db_init (const gchar *name) /* Init tables. */ sql ("INSERT INTO scap2.meta (name, value)" - " VALUES ('database_version', '17');"); + " VALUES ('database_version', '%i');", + GVMD_SCAP_DATABASE_VERSION); sql ("INSERT INTO scap2.meta (name, value)" " VALUES ('last_update', '0');"); } @@ -3263,8 +3267,8 @@ manage_db_init_indexes (const gchar *name) " ON scap2.cves (creation_time);"); sql ("CREATE INDEX cves_by_modification_time_idx" " ON scap2.cves (modification_time);"); - sql ("CREATE INDEX cves_by_score" - " ON scap2.cves (score);"); + sql ("CREATE INDEX cves_by_severity" + " ON scap2.cves (severity);"); sql ("CREATE UNIQUE INDEX cpe_idx" " ON scap2.cpes (name);"); @@ -3272,8 +3276,8 @@ manage_db_init_indexes (const gchar *name) " ON scap2.cpes (creation_time);"); sql ("CREATE INDEX cpes_by_modification_time_idx" " ON scap2.cpes (modification_time);"); - sql ("CREATE INDEX cpes_by_score" - " ON scap2.cpes (score);"); + sql ("CREATE INDEX cpes_by_severity" + " ON scap2.cpes (severity);"); sql ("CREATE INDEX cpes_by_uuid" " ON scap2.cpes (uuid);"); diff --git a/src/manage_sql_secinfo.c b/src/manage_sql_secinfo.c index b2890757b..986c16951 100644 --- a/src/manage_sql_secinfo.c 
+++ b/src/manage_sql_secinfo.c @@ -553,10 +553,10 @@ DEF_ACCESS (cpe_info_iterator_status, GET_ITERATOR_COLUMN_COUNT + 1); * * @param[in] iterator Iterator. * - * @return The highest severity score (10 * CVSS score) of the CPE, + * @return The highest severity score of the CPE, * or NULL if iteration is complete. Freed by cleanup_iterator. */ -DEF_ACCESS (cpe_info_iterator_score, GET_ITERATOR_COLUMN_COUNT + 3); +DEF_ACCESS (cpe_info_iterator_severity, GET_ITERATOR_COLUMN_COUNT + 3); /** * @brief Get the Number of CVE's referencing this cpe from a CPE iterator. @@ -621,14 +621,14 @@ init_cpe_cve_iterator (iterator_t *iterator, const char *cve, int ascending, assert (cve); quoted_cpe = sql_quote (cve); init_iterator (iterator, - "SELECT id, name, round(score / 10.0, 1) FROM cves" + "SELECT id, name, severity FROM cves" " WHERE id IN" " (SELECT cve FROM affected_products" " WHERE cpe =" " (SELECT id FROM cpes WHERE name = '%s'))" " ORDER BY %s %s;", quoted_cpe, - sort_field ? sort_field : "score DESC, name", + sort_field ? sort_field : "severity DESC, name", ascending ? "ASC" : "DESC"); g_free (quoted_cpe); } @@ -665,32 +665,12 @@ cve_cvss_base (const gchar *cve) { gchar *quoted_cve, *ret; quoted_cve = sql_quote (cve); - ret = sql_string ("SELECT score / 10.0 FROM cves WHERE name = '%s'", + ret = sql_string ("SELECT severity FROM cves WHERE name = '%s'", quoted_cve); g_free (quoted_cve); return ret; } -/** - * @brief Get the severity score from a CVE. - * - * @param[in] cve CVE-ID of the CVE to get the score of. - * - * @return Severity score (10 * CVSS score) of CVE. - */ -int -cve_score (const gchar *cve) -{ - gchar *quoted_cve; - int ret; - - quoted_cve = sql_quote (cve); - ret = sql_int ("SELECT score FROM cves WHERE name = '%s'", - quoted_cve); - g_free (quoted_cve); - return ret; -} - /** * @brief Count number of cve. * 
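Review bot: In the init_cpe_cve_iterator hunk (`@@ -621,14 +621,14 @@`), `sort_field ? sort_field : "severity DESC, name"` is formatted into `ORDER BY %s %s` unchanged, while only the name argument goes through `sql_quote`. The callers are not visible here; if any of them passes a value that originates in a GMP request, the field should be matched against the known column names before it reaches the statement. At minimum the contract belongs in the function's doc comment, for example `@param[in] sort_field Column to sort by; must be a trusted column name, it is not quoted.` The parameter holding the CPE name is also called `cve` and quoted into `quoted_cpe`, which makes the query harder to audit.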
@@ -791,10 +771,10 @@ DEF_ACCESS (cve_info_iterator_products, GET_ITERATOR_COLUMN_COUNT + 1); * * @param[in] iterator Iterator. * - * @return The severity score (10 * CVSS score) of this CVE, - * or NULL if iteration is complete. Freed by cleanup_iterator. + * @return The severity score of this CVE, or NULL if iteration is complete. + * Freed by cleanup_iterator. */ -DEF_ACCESS (cve_info_iterator_score, GET_ITERATOR_COLUMN_COUNT + 2); +DEF_ACCESS (cve_info_iterator_severity, GET_ITERATOR_COLUMN_COUNT + 2); /** * @brief Get the Summary for this CVE. @@ -981,18 +961,18 @@ DEF_ACCESS (ovaldef_info_iterator_status, GET_ITERATOR_COLUMN_COUNT + 6); * * @param[in] iterator Iterator. * - * @return The maximum severity score (10 * CVSS score) of the OVAL - * definition, or NULL if iteration is complete. + * @return The maximum severity score of the OVAL definition, + * or NULL if iteration is complete. * Freed by cleanup_iterator. */ -DEF_ACCESS (ovaldef_info_iterator_score, GET_ITERATOR_COLUMN_COUNT + 7); +DEF_ACCESS (ovaldef_info_iterator_severity, GET_ITERATOR_COLUMN_COUNT + 7); /** * @brief Get number of referenced CVEs from an OVALDEF iterator. * * @param[in] iterator Iterator. * - * @return The maximum CVSS score of the OVAL definition, + * @return The number of CVEs referenced CVEs of the OVAL definition, * or NULL if iteration is complete. * Freed by cleanup_iterator. */ @@ -1251,11 +1231,12 @@ DEF_ACCESS (cert_bund_adv_info_iterator_cve_refs, * * @param[in] iterator Iterator. * - * @return The maximum severity score (10 * CVSS score) of the CVEs referenced + * @return The maximum severity score of the CVEs referenced * in the CERT-Bund advisory, or NULL if iteration is complete. * Freed by cleanup_iterator. */ -DEF_ACCESS (cert_bund_adv_info_iterator_score, GET_ITERATOR_COLUMN_COUNT + 3); +DEF_ACCESS (cert_bund_adv_info_iterator_severity, + GET_ITERATOR_COLUMN_COUNT + 3); /** * @brief Initialise CVE iterator, for CVEs referenced by a CERT-Bund advisory. 
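Review bot: The rewritten doc comment for the CVE reference count accessor in hunk `@@ -981,18 +961,18 @@` reads "The number of CVEs referenced CVEs of the OVAL definition"; it should be `@return The number of CVEs referenced by the OVAL definition,`. The severity accessors in this file also lose "(10 * CVSS score)" without gaining a statement of the new scale, so a reader can no longer tell from the comment what the string contains. I would write `@return The CVSS severity (0.0 to 10.0) as text, or NULL if iteration is complete.` on each of them. The DFN-CERT accessor in hunk `@@ -1455,11 +1436,11 @@` still says "maximum score" and should use the same wording.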
@@ -1455,11 +1436,11 @@ DEF_ACCESS (dfn_cert_adv_info_iterator_cve_refs, GET_ITERATOR_COLUMN_COUNT + 2); * * @param[in] iterator Iterator. * - * @return The maximum score (10 * CVSS score) of the CVEs referenced + * @return The maximum score of the CVEs referenced * in the DFN-CERT advisory, or NULL if iteration is complete. * Freed by cleanup_iterator. */ -DEF_ACCESS (dfn_cert_adv_info_iterator_score, GET_ITERATOR_COLUMN_COUNT + 3); +DEF_ACCESS (dfn_cert_adv_info_iterator_severity, GET_ITERATOR_COLUMN_COUNT + 3); /** * @brief Initialise CVE iterator, for CVEs referenced by a DFN-CERT advisory. @@ -2712,7 +2693,7 @@ insert_cve_from_entry (element_t entry, element_t last_modified, { gboolean cvss_is_v3; element_t published, summary, cvss, score, base_metrics, cvss_vector, list; - int score_int; + double severity_dbl; gchar *quoted_id, *quoted_summary, *quoted_cvss_vector; gchar *quoted_software, *id; GString *software; @@ -2781,9 +2762,9 @@ insert_cve_from_entry (element_t entry, element_t last_modified, } if (score == NULL) - score_int = 0; + severity_dbl = 0; else - score_int = round (atof (element_text (score)) * 10); + severity_dbl = atof (element_text (score)); summary = element_child (entry, "vuln:summary"); if (summary == NULL) @@ -2829,15 +2810,15 @@ insert_cve_from_entry (element_t entry, element_t last_modified, cve = sql_int64_0 ("INSERT INTO scap2.cves" " (uuid, name, creation_time, modification_time," - " score, description, cvss_vector, products)" + " severity, description, cvss_vector, products)" " VALUES" " ('%s', '%s', %i, %i," - " %i, '%s', '%s', '%s')" + " %0.1f, '%s', '%s', '%s')" " ON CONFLICT (uuid) DO UPDATE" " SET name = EXCLUDED.name," " creation_time = EXCLUDED.creation_time," " modification_time = EXCLUDED.modification_time," - " score = EXCLUDED.score," + " severity = EXCLUDED.severity," " description = EXCLUDED.description," " cvss_vector = EXCLUDED.cvss_vector," " products = EXCLUDED.products" 
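Review bot: `severity_dbl = atof (element_text (score));` in hunk `@@ -2781,9 +2762,9 @@` of insert_cve_from_entry accepts the feed value with no error or range check. `atof` returns 0 for text that is not a number and also parses forms such as infinity or NaN. The result is then written into the statement through the unquoted `%0.1f` in hunk `@@ -2829,15 +2810,15 @@`, so a malformed entry either stores a severity outside the CVSS range or produces an invalid INSERT. I would parse with `severity_dbl = g_ascii_strtod (text, &end);`, fall back to 0 when `end == text` or the value is not within 0.0 to 10.0, and log the CVE id in that case. If the statement is formatted with a locale-aware printf (not visible here), `%0.1f` also depends on the decimal separator of the process locale; `g_ascii_formatd` avoids that. The function body continues outside both hunks.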
@@ -2846,7 +2827,7 @@ insert_cve_from_entry (element_t entry, element_t last_modified, quoted_id, time_published, time_modified, - score_int, + severity_dbl, quoted_summary, quoted_cvss_vector, quoted_software); @@ -3474,7 +3455,7 @@ update_ovaldef_xml (gchar **file_and_date, int private) " (uuid, name, comment, creation_time," " modification_time, version, deprecated, def_class," " title, description, xml_file, status," - " score, cve_refs)" + " severity, cve_refs)" " VALUES ('%s', '%s', '', %i, %i, %s, %i, '%s', '%s'," " '%s', '%s', '%s', 0, %i)" " ON CONFLICT (uuid) DO UPDATE" @@ -3489,7 +3470,7 @@ update_ovaldef_xml (gchar **file_and_date, int private) " description = EXCLUDED.description," " xml_file = EXCLUDED.xml_file," " status = EXCLUDED.status," - " score = 0," + " severity = 0," " cve_refs = EXCLUDED.cve_refs;", quoted_id, quoted_oval_id, @@ -4312,13 +4293,13 @@ update_cvss_dfn_cert (int updated_dfn_cert, int last_cert_update, { g_info ("Updating Max CVSS for DFN-CERT"); sql ("UPDATE cert.dfn_cert_advs" - " SET score = (SELECT max (score)" + " SET severity = (SELECT max (severity)" " FROM scap.cves" " WHERE name" " IN (SELECT cve_name" " FROM cert.dfn_cert_cves" " WHERE adv_id = dfn_cert_advs.id)" - " AND score != 0);"); + " AND severity != 0);"); g_info ("Updating DFN-CERT CVSS max succeeded."); } @@ -4343,13 +4324,13 @@ update_cvss_cert_bund (int updated_cert_bund, int last_cert_update, { g_info ("Updating Max CVSS for CERT-Bund"); sql ("UPDATE cert.cert_bund_advs" - " SET score = (SELECT max (score)" - " FROM scap.cves" - " WHERE name" + " SET severity = (SELECT max (severity)" + " FROM scap.cves" + " WHERE name" " IN (SELECT cve_name" " FROM cert.cert_bund_cves" " WHERE adv_id = cert_bund_advs.id)" - " AND score != 0);"); + " AND severity != 0);"); g_info ("Updating CERT-Bund CVSS max succeeded."); } 
@@ -4576,22 +4557,22 @@ update_scap_cvss () g_info ("Updating CVSS scores and CVE counts for CPEs"); sql ("UPDATE scap2.cpes" - " SET (score, cve_refs)" - " = (WITH affected_cves" - " AS (SELECT cve FROM scap2.affected_products" - " WHERE cpe=cpes.id)" - " SELECT (SELECT max (score) FROM scap2.cves" - " WHERE id IN (SELECT cve FROM affected_cves))," - " (SELECT count (*) FROM affected_cves));"); + " SET (severity, cve_refs)" + " = (WITH affected_cves" + " AS (SELECT cve FROM scap2.affected_products" + " WHERE cpe=cpes.id)" + " SELECT (SELECT max (severity) FROM scap2.cves" + " WHERE id IN (SELECT cve FROM affected_cves))," + " (SELECT count (*) FROM affected_cves));"); g_info ("Updating CVSS scores for OVAL definitions"); sql ("UPDATE scap2.ovaldefs" - " SET score = (SELECT max (score)" - " FROM scap2.cves" - " WHERE id IN (SELECT cve" - " FROM scap2.affected_ovaldefs" - " WHERE ovaldef=ovaldefs.id)" - " AND score != 0);"); + " SET severity = (SELECT max (severity)" + " FROM scap2.cves" + " WHERE id IN (SELECT cve" + " FROM scap2.affected_ovaldefs" + " WHERE ovaldef=ovaldefs.id)" + " AND severity != 0);"); } /** diff --git a/src/manage_sql_secinfo.h b/src/manage_sql_secinfo.h index 68a9d86c2..408092559 100644 --- a/src/manage_sql_secinfo.h +++ b/src/manage_sql_secinfo.h @@ -76,7 +76,7 @@ */ #define CVE_INFO_ITERATOR_FILTER_COLUMNS \ { GET_ITERATOR_FILTER_COLUMNS, "cvss_vector", "products", \ - "score", "description", "published", "severity", NULL } + "description", "published", "severity", NULL } /** * @brief CVE iterator columns. 
@@ -88,9 +88,8 @@ { "0", NULL, KEYWORD_TYPE_INTEGER }, \ { "cvss_vector", NULL, KEYWORD_TYPE_STRING }, \ { "products", NULL, KEYWORD_TYPE_STRING }, \ - { "score", NULL, KEYWORD_TYPE_INTEGER }, \ + { "severity", NULL, KEYWORD_TYPE_DOUBLE }, \ { "description", NULL, KEYWORD_TYPE_STRING }, \ - { "score / 10.0", "severity", KEYWORD_TYPE_DOUBLE }, \ { "creation_time", "published", KEYWORD_TYPE_INTEGER }, \ { NULL, NULL, KEYWORD_TYPE_UNKNOWN } \ } @@ -100,8 +99,8 @@ */ #define CPE_INFO_ITERATOR_FILTER_COLUMNS \ { GET_ITERATOR_FILTER_COLUMNS, "title", "status", \ - "deprecated_by_id", "score", "cves", "nvd_id", \ - "severity", "score", NULL } + "deprecated_by_id", "severity", "cves", "nvd_id", \ + NULL } /** * @brief CPE iterator columns. @@ -114,10 +113,9 @@ { "title", NULL, KEYWORD_TYPE_STRING }, \ { "status", NULL, KEYWORD_TYPE_STRING }, \ { "deprecated_by_id", NULL, KEYWORD_TYPE_INTEGER }, \ - { "score", NULL, KEYWORD_TYPE_INTEGER }, \ + { "severity", NULL, KEYWORD_TYPE_DOUBLE }, \ { "cve_refs", "cves", KEYWORD_TYPE_INTEGER }, \ { "nvd_id", NULL, KEYWORD_TYPE_INTEGER }, \ - { "score / 10.0", "severity", KEYWORD_TYPE_DOUBLE }, \ { NULL, NULL, KEYWORD_TYPE_UNKNOWN } \ } @@ -127,7 +125,7 @@ #define OVALDEF_INFO_ITERATOR_FILTER_COLUMNS \ { GET_ITERATOR_FILTER_COLUMNS, "version", "deprecated", \ "class", "title", "description", "file", \ - "status", "cves", "score", "severity", \ + "status", "cves", "severity", \ NULL } /** @@ -145,9 +143,8 @@ { "description", NULL, KEYWORD_TYPE_STRING }, \ { "xml_file", "file", KEYWORD_TYPE_STRING }, \ { "status", NULL, KEYWORD_TYPE_STRING }, \ - { "score", NULL, KEYWORD_TYPE_INTEGER }, \ + { "severity", NULL, KEYWORD_TYPE_DOUBLE }, \ { "cve_refs", "cves", KEYWORD_TYPE_INTEGER }, \ - { "score / 10.0", "severity", KEYWORD_TYPE_DOUBLE }, \ { NULL, NULL, KEYWORD_TYPE_UNKNOWN } \ } 
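Review bot: Removing the `{ "score / 10.0", "severity", ... }` entry from CVE_INFO_ITERATOR_COLUMNS in hunk `@@ -88,9 +88,8 @@` moves `published` one position forward, and the accessors for these arrays are defined by position (`GET_ITERATOR_COLUMN_COUNT + n`). The accessors touched in this series still line up (`cve_info_iterator_severity` at +2), but any other positional reader of the columns after `description` is outside the patch and should be checked. In the CPE, OVALDEF and CERT arrays the removed entry was the last one, so nothing shifts there. A comment on each array would make the coupling visible: `/* Order matters: the *_info_iterator_* accessors index these columns by position. */`.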
@@ -156,7 +153,7 @@ */ #define CERT_BUND_ADV_INFO_ITERATOR_FILTER_COLUMNS \ { GET_ITERATOR_FILTER_COLUMNS, "title", "summary", \ - "cves", "score", "severity", NULL } + "cves", "severity", NULL } /** * @brief CERT_BUND_ADV iterator columns. @@ -169,8 +166,7 @@ { "title", NULL, KEYWORD_TYPE_STRING }, \ { "summary", NULL, KEYWORD_TYPE_STRING }, \ { "cve_refs", "cves", KEYWORD_TYPE_INTEGER }, \ - { "score", NULL, KEYWORD_TYPE_INTEGER }, \ - { "score / 10.0", "severity", KEYWORD_TYPE_DOUBLE }, \ + { "severity", NULL, KEYWORD_TYPE_DOUBLE }, \ { NULL, NULL, KEYWORD_TYPE_UNKNOWN } \ } @@ -179,7 +175,7 @@ */ #define DFN_CERT_ADV_INFO_ITERATOR_FILTER_COLUMNS \ { GET_ITERATOR_FILTER_COLUMNS, "title", "summary", \ - "cves", "score", "severity", NULL } + "cves", "severity", NULL } /** * @brief DFN_CERT_ADV iterator columns. @@ -192,8 +188,7 @@ { "title", NULL, KEYWORD_TYPE_STRING }, \ { "summary", NULL, KEYWORD_TYPE_STRING }, \ { "cve_refs", "cves", KEYWORD_TYPE_INTEGER }, \ - { "score", NULL, KEYWORD_TYPE_INTEGER }, \ - { "score / 10.0", "severity", KEYWORD_TYPE_DOUBLE }, \ + { "severity", NULL, KEYWORD_TYPE_DOUBLE }, \ { NULL, NULL, KEYWORD_TYPE_UNKNOWN } \ } diff --git a/src/schema_formats/XML/GMP.xml.in b/src/schema_formats/XML/GMP.xml.in index 1dffb3d98..9ddebad44 100644 --- a/src/schema_formats/XML/GMP.xml.in +++ b/src/schema_formats/XML/GMP.xml.in @@ -11466,15 +11466,10 @@ along with this program. If not, see . name Name of the owner - - score - score - Severity score of the SecInfo - severity severity - CVSS-based severity of the SecInfo + CVSS severity score of the SecInfo @@ -11848,7 +11843,7 @@ along with this program. If not, see . title summary - score + severity cve_refs raw_data @@ -11868,10 +11863,10 @@ along with this program. If not, see . - score - Highest 0-100 severity score of CVEs referenced by the advisory + severity + Highest CVSS severity score of CVEs referenced by the advisory - score + severity 
@@ -11894,7 +11889,7 @@ along with this program. If not, see . nvd_id title - score + severity cve_refs status cves @@ -11916,10 +11911,10 @@ along with this program. If not, see . - score - The highest 0-100 severity score recorded for this CPE + severity + The highest CVSS severity score recorded for this CPE - score + severity @@ -11968,7 +11963,7 @@ along with this program. If not, see . cve - score + severity cvss_vector description products @@ -11978,10 +11973,10 @@ along with this program. If not, see . A CVE info element - score - Severity score (10 * CVSS Base Score) of the CVE + severity + CVSS severity score of the CVE - integer + severity @@ -12085,7 +12080,7 @@ along with this program. If not, see . title summary - score + severity cve_refs raw_data @@ -12105,10 +12100,10 @@ along with this program. If not, see . - score - Highest 0-100 severity score of CVEs referenced by the advisory + severity + Highest CVSS severity score of CVEs referenced by the advisory - score + severity @@ -12134,7 +12129,7 @@ along with this program. If not, see . status class title - score + severity cve_refs file description @@ -12177,10 +12172,10 @@ along with this program. If not, see . - score - Highest 0-100 severity score of CVEs referenced by the definition + severity + Highest CVSS severity score of CVEs referenced by the definition - score + severity @@ -25976,14 +25971,13 @@ along with this program. If not, see .

The elements CVSS and MAX_CVSS of CPEs, CVEs, OVAL definitions and - CERT advisories are replaced by the SCORE element that contains an - integer score in the range 0-100, which is generally the ten times - the CVSS base score. + CERT advisories are replaced by the SEVERITY element.

- NVTs still contain the CVSS_BASE element in addition to the new - SCORE for backward compatibility of reports. However, the use of - the CVSS_BASE element is deprecated. + NVTs still contain the CVSS_BASE element for backward compatibility + of reports. However, the use of the CVSS_BASE element is deprecated + and the score attribute of the new SEVERITIES element should be used + instead.

21.4 From 1bd118a2ee8c9af020a493c52d62d7e4ba10f250 Mon Sep 17 00:00:00 2001 From: Timo Pollmeier Date: Thu, 8 Apr 2021 09:13:47 +0200 Subject: [PATCH 2/3] Add SCAP and CERT severity change to CHANGELOG --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 768b2fd7f..fbeb5cb53 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,7 +22,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - Move EXE credential generation to a Python script [#1260](https://github.com/greenbone/gvmd/pull/1260) [#1262](https://github.com/greenbone/gvmd/pull/1262) - Clarify documentation for --scan-host parameter [#1277](https://github.com/greenbone/gvmd/pull/1277) - In result iterator access severity directly if possible [#1321](https://github.com/greenbone/gvmd/pull/1321) -- Change SCAP and CERT data to use new severity scoring [#1333](https://github.com/greenbone/gvmd/pull/1333) [#1357](https://github.com/greenbone/gvmd/pull/1357) [#1365](https://github.com/greenbone/gvmd/pull/1365) [#1457](https://github.com/greenbone/gvmd/pull/1457) +- Change SCAP and CERT data to use "severity" consistently [#1333](https://github.com/greenbone/gvmd/pull/1333) [#1357](https://github.com/greenbone/gvmd/pull/1357) [#1365](https://github.com/greenbone/gvmd/pull/1365) [#1457](https://github.com/greenbone/gvmd/pull/1457) [#1476](https://github.com/greenbone/gvmd/pull/1476) - Expect report format scripts to exit with code 0 [#1383](https://github.com/greenbone/gvmd/pull/1383) - Send entire families to ospd-openvas using VT_GROUP [#1384](https://github.com/greenbone/gvmd/pull/1384) - The internal list of current Local Security Checks for the 'Closed CVEs' feature was updated [#1381](https://github.com/greenbone/gvmd/pull/1381) From 1a82bb744d10ed33be6ac92e5f9bc0cc0b2d62c6 Mon Sep 17 00:00:00 2001 
From: Timo Pollmeier Date: Thu, 8 Apr 2021 11:19:11 +0200 Subject: [PATCH 3/3] Use severity column in ovaldef_severity The function was still trying to use the score column that was replaced by severity. --- src/manage_sql_secinfo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/manage_sql_secinfo.c b/src/manage_sql_secinfo.c index 986c16951..f8cc192b2 100644 --- a/src/manage_sql_secinfo.c +++ b/src/manage_sql_secinfo.c @@ -1033,7 +1033,7 @@ ovaldef_severity (const char *id) assert (id); quoted_id = sql_quote (id); - ret = sql_string ("SELECT score / 10.0 FROM ovaldefs WHERE uuid = '%s';", + ret = sql_string ("SELECT severity FROM ovaldefs WHERE uuid = '%s';", quoted_id); g_free (quoted_id); return ret;