-
-
Notifications
You must be signed in to change notification settings - Fork 26
/
NvdCveClientBuilder.java
573 lines (539 loc) · 18.4 KB
/
NvdCveClientBuilder.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
/*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* SPDX-License-Identifier: Apache-2.0
* Copyright (c) 2022-2023 Jeremy Long. All Rights Reserved.
*/
package io.github.jeremylong.openvulnerability.client.nvd;
import io.github.jeremylong.openvulnerability.client.HttpAsyncClientSupplier;
import org.apache.hc.core5.http.NameValuePair;
import org.apache.hc.core5.http.message.BasicNameValuePair;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.util.ArrayList;
import java.util.List;
/**
* Used to build an NVD CVE API client. As the NvdCveClient client is autocloseable the builder should be used in a try
* with resources:
*
* <pre>
* try (NvdCveClient api = NvdCveClientBuilder.aNvdCveApi().build()) {
* while (api.hasNext()) {
* Collection<DefCveItem> items = api.next();
* }
* }
* </pre>
*/
public final class NvdCveClientBuilder {
/**
* Reference to the logger.
*/
private static final Logger LOG = LoggerFactory.getLogger(NvdCveClientBuilder.class);
/**
* A list of filters to apply to the request.
*/
private final List<NameValuePair> filters = new ArrayList<>();
/**
* The NVD CVE API key.
*/
private String apiKey;
/**
* The endpoint for the NVD CVE API.
*/
private String endpoint;
/**
* The number of results per page.
*/
private int resultsPerPage;
/**
* The minimum delay between API calls in milliseconds.
*/
private long delay;
/**
* The maximum number of retries for 503 and 429 responses from the NVD.
*/
private int maxRetryCount = 10;
/**
* The number of threads to use when calling the NVD API.
*/
private int threadCount = 1;
/**
* The maximum number of pages to retrieve from the NVD API.
*/
private int maxPageCount = 0;
private HttpAsyncClientSupplier httpClientSupplier;
/**
* Private constructor for a builder.
*/
private NvdCveClientBuilder() {
}
/**
* Begin building the NVD CVE API Object.
*
* @return the builder
*/
public static NvdCveClientBuilder aNvdCveApi() {
return new NvdCveClientBuilder();
}
/**
* Use an NVD CVE API key.
*
* @param apiKey the NVD CVE API key.
* @return the builder
* @see <a href="https://nvd.nist.gov/developers/request-an-api-key">NVD CVE API Request an API Key</a>
*/
public NvdCveClientBuilder withApiKey(String apiKey) {
this.apiKey = apiKey;
return this;
}
/**
* Use an alternative endpoint for the NVD CVE API.
*
* @param endpoint the endpoint for the NVD CVE API
* @return the builder
*/
public NvdCveClientBuilder withEndpoint(String endpoint) {
this.endpoint = endpoint;
return this;
}
/**
* Use a minimum delay in milliseconds between API calls; useful if you run into issues with rate limiting.
*
* @param milliseconds the minimum number of milliseconds between API calls to the NVD CVE API
* @return the builder
*/
public NvdCveClientBuilder withDelay(long milliseconds) {
this.delay = milliseconds;
return this;
}
/**
* Set the maximum number of retries for 503 and 429 responses from the NVD; default is 10.
*
* @param maxRetryCount the maximum number of retries for 503 and 429 responses from the NVD.
* @return the builder
*/
public NvdCveClientBuilder withMaxRetryCount(int maxRetryCount) {
this.maxRetryCount = maxRetryCount;
return this;
}
/**
* Set the number of threads to use when calling the NVD API.
*
* @param count the number of threads to use when calling the NVD API
* @return the builder
*/
public NvdCveClientBuilder withThreadCount(int count) {
this.threadCount = count;
return this;
}
/**
* Set the maximum number of pages to retrieve from the NVD API.
*
* @param count the maximum number of pages to retrieve from the NVD API
* @return the builder
*/
public NvdCveClientBuilder withMaxPageCount(int count) {
this.maxPageCount = count;
return this;
}
/**
* Use a specific number of results per page. Value must be between 1 and 2000. The default value is 2000.
*
* @param resultsPerPage the number of results per page
* @return the builder
*/
public NvdCveClientBuilder withResultsPerPage(int resultsPerPage) {
if (resultsPerPage > 0 && resultsPerPage <= 2000) {
this.resultsPerPage = resultsPerPage;
} else {
LOG.warn("Invalid results per page - must be between 1 and 2000: {}", resultsPerPage);
}
return this;
}
/**
* Add a querystring parameter to filter the call to the NVD CVE API.
*
* @param filter the querystring parameter
* @param value the querystring parameter value
* @return the builder
*/
public NvdCveClientBuilder withFilter(String filter, String value) {
filters.add(new BasicNameValuePair(filter, value));
return this;
}
/**
* Add a querystring parameter to filter the call to the NVD CVE API.
*
* @param filter the querystring parameter
* @param value the querystring parameter value
* @return the builder
*/
public NvdCveClientBuilder withFilter(Filter filter, String value) {
filters.add(new BasicNameValuePair(filter.toParameterName(), value));
return this;
}
/**
* Add a querystring parameter to filter the call to the NVD CVE API.
*
* @param filter the querystring parameter
* @return the builder
*/
public NvdCveClientBuilder withFilter(BooleanFilter filter) {
filters.add(new BasicNameValuePair(filter.toParameterName(), null));
return this;
}
/**
* Use a range of no more than 120 days on the last modified dates to filter the results.
*
* @param utcStartDate the UTC date time for the range start
* @param utcEndDate the UTC date time for the range end
* @return the builder
*/
public NvdCveClientBuilder withLastModifiedFilter(ZonedDateTime utcStartDate, ZonedDateTime utcEndDate) {
DateTimeFormatter dtf = DateTimeFormatter.ofPattern("uuuu-MM-dd'T'HH:mm:ssX");
filters.add(new BasicNameValuePair("lastModStartDate", utcStartDate.format(dtf)));
filters.add(new BasicNameValuePair("lastModEndDate", utcEndDate.format(dtf)));
return this;
}
/**
* Filter the results with a range of published date times.
*
* @param utcStartDate the UTC date time for the range start
* @param utcEndDate the UTC date time for the range end
* @return the builder
*/
public NvdCveClientBuilder withPublishedDateFilter(ZonedDateTime utcStartDate, ZonedDateTime utcEndDate) {
DateTimeFormatter dtf = DateTimeFormatter.ofPattern("uuuu-MM-dd'T'HH:mm:ssX");
filters.add(new BasicNameValuePair("pubStartDate", utcStartDate.format(dtf)));
filters.add(new BasicNameValuePair("pubEndDate", utcEndDate.format(dtf)));
return this;
}
/**
* Filter the results for a specific CVSS V2 Severity.
*
* @param severity the severity
* @return the builder
*/
public NvdCveClientBuilder withCvssV2SeverityFilter(CvssV2Severity severity) {
withFilter("cvssV2Severity", severity.toString());
return this;
}
/**
* Filter the results for a specific CVSS V3 Severity.
*
* @param severity the severity
* @return the builder
*/
public NvdCveClientBuilder withCvssV3SeverityFilter(CvssV3Severity severity) {
withFilter("cvssV3Severity", severity.toString());
return this;
}
/**
* This parameter filters CVE more broadly than cpeName. The exact value of {cpe match string} is compared against
* the CPE Match Criteria present on CVE applicability statements.
*
* @param virtualMatchString virtual matching CPE
* @return the builder
* @see <a href=
* "https://nvd.nist.gov/developers/vulnerabilities#cves-virtualMatchString">cves-virtualMatchString</a>
*/
public NvdCveClientBuilder withVirtualMatchString(String virtualMatchString) {
withFilter("virtualMatchString", virtualMatchString);
return this;
}
/**
* The virtualMatchString parameter may be combined with versionStart and versionStartType to return only the CVEs
* associated with CPEs in specific version ranges.
*
* @param versionStart the version start
* @return the builder
* @see <a href="https://nvd.nist.gov/developers/vulnerabilities#cves-versionStart">cves-versionStart</a>
*/
public NvdCveClientBuilder withVersionStart(String versionStart) {
withFilter("versionStart", versionStart);
return this;
}
/**
* The virtualMatchString parameter may be combined with versionStart and versionStartType to return only the CVEs
* associated with CPEs in specific version ranges.
*
* @param versionStart the version start
* @param startType including or excluding
* @return the builder
* @see <a href="https://nvd.nist.gov/developers/vulnerabilities#cves-versionStart">cves-versionStart</a>
*/
public NvdCveClientBuilder withVersionStart(String versionStart, VersionType startType) {
withFilter("versionStart", versionStart);
withFilter("versionStartType", startType.toString().toLowerCase());
return this;
}
/**
* The virtualMatchString parameter may be combined with versionEnd and versionEndType to return only the CVEs
* associated with CPEs in specific version ranges.
*
* @param versionEnd the version end
* @return the builder
* @see <a href="https://nvd.nist.gov/developers/vulnerabilities#cves-versionEnd">cves-versionEnd</a>
*/
public NvdCveClientBuilder withVersionEnd(String versionEnd) {
withFilter("versionEnd", versionEnd);
return this;
}
/**
* The virtualMatchString parameter may be combined with versionEnd and versionEndType to return only the CVEs
* associated with CPEs in specific version ranges.
*
* @param versionEnd the version end
* @param endType including or excluding
* @return the builder
* @see <a href="https://nvd.nist.gov/developers/vulnerabilities#cves-versionEnd">cves-versionEnd</a>
*/
public NvdCveClientBuilder withVersionEnd(String versionEnd, VersionType endType) {
withFilter("versionEnd", versionEnd);
withFilter("versionEndType", endType.toString().toLowerCase());
return this;
}
/**
* Provide a supplier for custom HTTP clients.
* <p>
* Note that {@link #withDelay(long)} and {@link #withMaxRetryCount(int)} have no effect when a custom
* {@link HttpAsyncClientSupplier} is provided. Instead, clients created by the supplier should be configured to use
* {@link NvdApiRetryStrategy} with the desired delay and retry count values.
*
* @param httpClientSupplier supplier for custom HTTP clients; if {@code null} a default client will be used
* @return the builder
*/
public NvdCveClientBuilder withHttpClientSupplier(final HttpAsyncClientSupplier httpClientSupplier) {
this.httpClientSupplier = httpClientSupplier;
return this;
}
/**
* Build the NVD CVE API client.
*
* @return the NVD CVE API client
*/
public NvdCveClient build() {
NvdCveClient client = new NvdCveClient(apiKey, endpoint, delay, threadCount, maxPageCount, maxRetryCount,
httpClientSupplier);
if (!filters.isEmpty()) {
client.setFilters(filters);
}
if (resultsPerPage > 0) {
client.setResultsPerPage(resultsPerPage);
}
return client;
}
public enum VersionType {
INCLUDING, EXCLUDING
}
/**
* Parameters to the NVD CVE API used to filter the results.
*/
public enum Filter {
/**
* Returns the vulnerabilities associated with a specific CPE.
*
* <pre>
* cpeName=cpe:2.3:a:apache:log4j:2.0:*:*:*:*:*:*:*
* </pre>
*
* @see <a href="https://nvd.nist.gov/developers/vulnerabilities#cves-cpeName">NVD CVE API</a>
*/
CPE_NAME,
/**
* Returns a specific vulnerability.
*
* <pre>
* cveId = CVE - 2021 - 44228
* </pre>
*
* @see <a href="https://nvd.nist.gov/developers/vulnerabilities#cves-cveId">NVD CVE API</a>
*/
CVE_ID,
/**
* Returns vulnerabilities that match a specific CVSS V2 Metric; full or partial vector strings may be used.
*
* <pre>
* parameter: cvssV2Metrics=AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
* </pre>
*
* @see <a href="https://nvd.nist.gov/developers/vulnerabilities#cves-cvssV3Metrics">NVD CVE API</a>
*/
CVSS_V2_METRICS,
/**
* Returns vulnerabilities that match a specific CVSS V3 Metric; full or partial vector strings may be used.
*
* <pre>
* cvssV3Metrics=AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
* </pre>
*
* @see <a href="https://nvd.nist.gov/developers/vulnerabilities#cves-cvssV3Severity">NVD CVE API</a>
*/
CVSS_V3_METRICS,
/**
* Returns vulnerabilities that have a specific CWE.
*
* <pre>
* cweId = CWE - 287
* </pre>
*
* @see <a href="https://nvd.nist.gov/developers/vulnerabilities#cves-cweId">NVD CVE API</a>
*/
CWE_ID,
/**
* Returns vulnerabilities that have an exact key word sequence in the description.
*
* <pre>
* keywordExactMatch=exact words
* </pre>
*
* @see <a href="https://nvd.nist.gov/developers/vulnerabilities#cves-keywordExactMatch">NVD CVE API</a>
*/
KEYWORD_EXACT_MATCH,
/**
* Returns vulnerabilities where all the keywords are in the description.
*
* <pre>
* keywordSearch = words
* </pre>
*
* @see <a href="https://nvd.nist.gov/developers/vulnerabilities#cves-keywordSearch">NVD CVE API</a>
*/
KEYWORD_SEARCH;
/**
* Returns the API querystring parameter.
*
* @return the API querystring parameter
*/
public String toParameterName() {
switch (this) {
case CPE_NAME:
return "cpeName";
case CVE_ID:
return "cveId";
case CVSS_V2_METRICS:
return "cvssV2Metrics";
case CVSS_V3_METRICS:
return "cvssV3Metrics";
case CWE_ID:
return "cweId";
case KEYWORD_EXACT_MATCH:
return "keywordExactMatch";
case KEYWORD_SEARCH:
return "keywordSearch";
}
return "unknown";
}
}
/**
* Filters for the NVD CVE API that are used without parameters.
*/
public enum BooleanFilter {
/**
* Returns vulnerabilities with have CERT alerts.
*
* <pre>
* hasCertAlerts
* </pre>
*
* @see <a href="https://nvd.nist.gov/developers/vulnerabilities#cves-hasCertAlerts">NVD CVE API</a>
*/
HAS_CERT_ALERTS,
/**
* Returns vulnerabilities with have CERT notes.
*
* <pre>
* hasCertNotes
* </pre>
*
* @see <a href="https://nvd.nist.gov/developers/vulnerabilities#cves-hasCertNotes">NVD CVE API</a>
*/
HAS_CERT_NOTES,
/**
* Returns vulnerabilities with Known Exploited Vulnerabilities information.
*
* <pre>
* hasKev
* </pre>
*
* @see <a href="https://nvd.nist.gov/developers/vulnerabilities#cves-hasKev">NVD CVE API</a>
*/
HAS_KEV,
/**
* Returns vulnerabilities that have OVAL information.
*
* <pre>
* hasOval
* </pre>
*
* @see <a href="https://nvd.nist.gov/developers/vulnerabilities#cves-hasOval">NVD CVE API</a>
*/
HAS_OVAL,
/**
* Used in conjunction with the CPE Search and returns only those considered vulnerable.
*
* <pre>
* isVulnerable
* </pre>
*
* @see <a href="https://nvd.nist.gov/developers/vulnerabilities#ccves-isVulnerable">NVD CVE API</a>
*/
IS_VULNERABLE,
/**
* Do not include rejected CVEs.
*
* <pre>
* noRejected
* </pre>
*
* @see <a href="https://nvd.nist.gov/developers/vulnerabilities#cves-noRejected">NVD CVE API</a>
*/
NO_REJECTED;
/**
* Returns the API querystring parameter.
*
* @return the API querystring parameter
*/
public String toParameterName() {
switch (this) {
case HAS_CERT_ALERTS:
return "hasCertAlerts";
case HAS_CERT_NOTES:
return "hasCertNotes";
case HAS_KEV:
return "hasKev";
case HAS_OVAL:
return "hasOval";
case IS_VULNERABLE:
return "isVulnerable";
case NO_REJECTED:
return "noRejected";
}
return "unknown";
}
}
/**
* The CVSS V2 Severity.
*/
public enum CvssV2Severity {
LOW, MEDIUM, HIGH
}
/**
* The CVSS V3 Severity.
*/
public enum CvssV3Severity {
LOW, MEDIUM, HIGH, CRITICAL
}
}