Cvssv2 vector to version fix (#58)

* Handle missing product_status and vectorString. * Venreability vection finished. * Don't produce output, when error occurred during parsing. * Fixes. * Typos fix. * Move checking SectionHandler.error_occurred together with schema validation. * Add baseSeverity field. * Use bisect to determine baseSeverity. * CVSS v2 doesn't have baseSeverity. * More meaningful config, example. * Update cvrf2csaf/config/config.yaml Co-authored-by: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> * Fix when to check fot cvss v3 vector. Co-authored-by: mzp <marek.zpevacek@t-mobile.cz> Co-authored-by: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
csaf-tools · Feb 18, 2022 · 867578e · 867578e
1 parent 6264235
commit 867578e
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/cvrf2csaf/section_handlers/vulnerability.py b/cvrf2csaf/section_handlers/vulnerability.py
@@ -147,13 +147,16 @@ def _parse_score_set(self, score_set_element, mapping, version, json_property, p
             else:
                 SectionHandler.error_occurred = True
                 logging.error('No CVSS vector string found on the input.')
-        else:
+
+        # DETERMINE CVSS v 3.x from vector if present
+        if 'vectorString' in cvss_score and json_property == 'cvss_v3':
             regex = "CVSS:(3\.[01]).*" # TODO: implement full regex check here?
             match = re.match(regex, cvss_score['vectorString'])
             if not match:
                 SectionHandler.error_occurred = True
                 logging.error(f'CVSS vector {cvss_score["vectorString"]} is not valid.')
             else:
+
                 version = match.groups()[0]
 
         cvss_score['version'] = version

diff --git a/examples/1.2/cvrf_example_vulnerabilities.xml b/examples/1.2/cvrf_example_vulnerabilities.xml
@@ -162,10 +162,19 @@
     <CVE>CVE-2017-3826</CVE>
     <CWE ID="CWE-601">URL Redirection to Untrusted Site ('Open Redirect')</CWE>
     <CWE ID="CWE-601">URL Redirection to Untrusted Site ('Open Redirect')</CWE>
+    <ProductStatuses>
+      <Status Type="Known Affected">
+        <ProductID>CVRFPID-223156</ProductID>
+      </Status>
+    </ProductStatuses>
     <CVSSScoreSets>
+      <ScoreSetV2>
+        <BaseScoreV2>7.5</BaseScoreV2>
+        <VectorV2>AV:A/AC:M/Au:N/C:N/I:C/A:P</VectorV2>
+      </ScoreSetV2>
       <ScoreSetV3>
         <BaseScoreV3>7.5</BaseScoreV3>
-        <VectorV3>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</VectorV3>
+        <VectorV3>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</VectorV3>
       </ScoreSetV3>
       </CVSSScoreSets>
     <Remediations>