vulnsrc_rhel: cve impact

use the specific CVE's impact field instead of the RHSA's one
quay · Sep 14, 2018 · c4ffa0c · c4ffa0c
1 parent a90db71
commit c4ffa0c
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 26 deletions.
diff --git a/ext/vulnsrc/rhel/rhel.go b/ext/vulnsrc/rhel/rhel.go
@@ -65,6 +65,8 @@ type definition struct {
 	Description string      `xml:"metadata>description"`
 	References  []reference `xml:"metadata>reference"`
 	Criteria    criteria    `xml:"criteria"`
+	Severity    string      `xml:"metadata>advisory>severity"`
+	Cves        []cve       `xml:"metadata>advisory>cve"`
 }
 
 type reference struct {
@@ -73,6 +75,12 @@ type reference struct {
 	ID     string `xml:"ref_id,attr"`
 }
 
+type cve struct {
+	Impact string `xml:"impact,attr"`
+	Href   string `xml:"href,attr"`
+	ID     string `xml:",chardata"`
+}
+
 type criteria struct {
 	Operator   string      `xml:"operator,attr"`
 	Criterias  []*criteria `xml:"criteria"`
@@ -203,7 +211,7 @@ func parseRHSA(ovalReader io.Reader) (vulnerabilities []database.VulnerabilityWi
 				Vulnerability: database.Vulnerability{
 					Name:        rhsaName(definition),
 					Link:        rhsaLink(definition),
-					Severity:    severity(definition),
+					Severity:    severity(definition.Severity),
 					Description: description(definition),
 				},
 			}
@@ -218,12 +226,16 @@ func parseRHSA(ovalReader io.Reader) (vulnerabilities []database.VulnerabilityWi
 			}
 
 			// Create one vulnerability by CVE
-			for _, reference := range definition.References[1:] {
-				vulnerability.Name = reference.ID
-				vulnerability.Link = reference.URI
+			for _, currentCve := range definition.Cves {
+				vulnerability.Name = currentCve.ID
+				vulnerability.Link = currentCve.Href
+				if currentCve.Impact != "" {
+					vulnerability.Severity = severity(currentCve.Impact)
+				} else {
+					vulnerability.Severity = severity(definition.Severity)
+				}
 				vulnerabilities = append(vulnerabilities, vulnerability)
 			}
-
 		}
 	}
 
@@ -374,8 +386,8 @@ func description(def definition) (desc string) {
 	return
 }
 
-func severity(def definition) database.Severity {
-	switch strings.TrimSpace(def.Title[strings.LastIndex(def.Title, "(")+1 : len(def.Title)-1]) {
+func severity(sev string) database.Severity {
+	switch strings.Title(sev) {
 	case "Low":
 		return database.LowSeverity
 	case "Moderate":
@@ -385,7 +397,7 @@ func severity(def definition) database.Severity {
 	case "Critical":
 		return database.CriticalSeverity
 	default:
-		log.Warningf("could not determine vulnerability severity from: %s.", def.Title)
+		log.Warningf("could not determine vulnerability severity from: %s.", sev)
 		return database.UnknownSeverity
 	}
 }

diff --git a/ext/vulnsrc/rhel/rhel_test.go b/ext/vulnsrc/rhel/rhel_test.go
@@ -39,6 +39,11 @@ func TestRHELParserMultipleCVE(t *testing.T) {
 		"CVE-2015-2729", "CVE-2015-2731", "CVE-2015-2733", "CVE-2015-2734", "CVE-2015-2735", "CVE-2015-2736",
 		"CVE-2015-2737", "CVE-2015-2738", "CVE-2015-2739", "CVE-2015-2740", "CVE-2015-2741", "CVE-2015-2743",
 	}
+	expectedSeverity := []database.Severity{database.CriticalSeverity, database.HighSeverity, database.HighSeverity,
+		database.MediumSeverity, database.MediumSeverity, database.MediumSeverity, database.CriticalSeverity,
+		database.CriticalSeverity, database.CriticalSeverity, database.CriticalSeverity, database.CriticalSeverity,
+		database.CriticalSeverity, database.CriticalSeverity, database.CriticalSeverity, database.CriticalSeverity,
+		database.MediumSeverity, database.MediumSeverity}
 	expectedFeatures := []database.AffectedFeature{
 		{
 			Namespace: database.Namespace{
@@ -65,7 +70,7 @@ func TestRHELParserMultipleCVE(t *testing.T) {
 		for i, vulnerability := range vulnerabilities {
 			assert.Equal(t, expectedCve[i], vulnerability.Name)
 			assert.Equal(t, fmt.Sprintf("https://access.redhat.com/security/cve/%s", expectedCve[i]), vulnerability.Link)
-			assert.Equal(t, database.CriticalSeverity, vulnerability.Severity)
+			assert.Equal(t, expectedSeverity[i], vulnerability.Severity)
 			assert.Equal(t, `Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.`, vulnerability.Description)
 
 			for _, expectedFeature := range expectedFeatures {

diff --git a/ext/vulnsrc/rhel/testdata/fetcher_rhel_test.2.xml b/ext/vulnsrc/rhel/testdata/fetcher_rhel_test.2.xml
@@ -50,23 +50,23 @@ Firefox.</description>
         <rights>Copyright 2015 Red Hat, Inc.</rights>
         <issued date="2015-07-02"/>
         <updated date="2015-07-02"/>
-        <cve href="https://access.redhat.com/security/cve/CVE-2015-2722">CVE-2015-2722</cve>
-        <cve href="https://access.redhat.com/security/cve/CVE-2015-2724">CVE-2015-2724</cve>
-        <cve href="https://access.redhat.com/security/cve/CVE-2015-2725">CVE-2015-2725</cve>
-        <cve href="https://access.redhat.com/security/cve/CVE-2015-2727">CVE-2015-2727</cve>
-        <cve href="https://access.redhat.com/security/cve/CVE-2015-2728">CVE-2015-2728</cve>
-        <cve href="https://access.redhat.com/security/cve/CVE-2015-2729">CVE-2015-2729</cve>
-        <cve href="https://access.redhat.com/security/cve/CVE-2015-2731">CVE-2015-2731</cve>
-        <cve href="https://access.redhat.com/security/cve/CVE-2015-2733">CVE-2015-2733</cve>
-        <cve href="https://access.redhat.com/security/cve/CVE-2015-2734">CVE-2015-2734</cve>
-        <cve href="https://access.redhat.com/security/cve/CVE-2015-2735">CVE-2015-2735</cve>
-        <cve href="https://access.redhat.com/security/cve/CVE-2015-2736">CVE-2015-2736</cve>
-        <cve href="https://access.redhat.com/security/cve/CVE-2015-2737">CVE-2015-2737</cve>
-        <cve href="https://access.redhat.com/security/cve/CVE-2015-2738">CVE-2015-2738</cve>
-        <cve href="https://access.redhat.com/security/cve/CVE-2015-2739">CVE-2015-2739</cve>
-        <cve href="https://access.redhat.com/security/cve/CVE-2015-2740">CVE-2015-2740</cve>
-        <cve href="https://access.redhat.com/security/cve/CVE-2015-2741">CVE-2015-2741</cve>
-        <cve href="https://access.redhat.com/security/cve/CVE-2015-2743">CVE-2015-2743</cve>
+        <cve cvss2="6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P" cwe="CWE-416" href="https://access.redhat.com/security/cve/CVE-2015-2722" public="20150702">CVE-2015-2722</cve>
+        <cve cvss2="6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P" href="https://access.redhat.com/security/cve/CVE-2015-2724" impact="important" public="20150702">CVE-2015-2724</cve>
+        <cve cvss2="6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P" href="https://access.redhat.com/security/cve/CVE-2015-2725" impact="important" public="20150702">CVE-2015-2725</cve>
+        <cve cvss2="5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P" href="https://access.redhat.com/security/cve/CVE-2015-2727" impact="moderate" public="20150702">CVE-2015-2727</cve>
+        <cve cvss2="5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P" cwe="CWE-843" href="https://access.redhat.com/security/cve/CVE-2015-2728" impact="moderate" public="20150702">CVE-2015-2728</cve>
+        <cve cvss2="5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P" cwe="CWE-125" href="https://access.redhat.com/security/cve/CVE-2015-2729" impact="moderate" public="20150702">CVE-2015-2729</cve>
+        <cve cvss2="6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P" cwe="CWE-416" href="https://access.redhat.com/security/cve/CVE-2015-2731" public="20150702">CVE-2015-2731</cve>
+        <cve cvss2="6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P" cwe="CWE-416" href="https://access.redhat.com/security/cve/CVE-2015-2733" public="20150702">CVE-2015-2733</cve>
+        <cve cvss2="6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P" href="https://access.redhat.com/security/cve/CVE-2015-2734" public="20150702">CVE-2015-2734</cve>
+        <cve cvss2="6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P" href="https://access.redhat.com/security/cve/CVE-2015-2735" public="20150702">CVE-2015-2735</cve>
+        <cve cvss2="6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P" href="https://access.redhat.com/security/cve/CVE-2015-2736" public="20150702">CVE-2015-2736</cve>
+        <cve cvss2="6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P" href="https://access.redhat.com/security/cve/CVE-2015-2737" public="20150702">CVE-2015-2737</cve>
+        <cve cvss2="6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P" href="https://access.redhat.com/security/cve/CVE-2015-2738" public="20150702">CVE-2015-2738</cve>
+        <cve cvss2="6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P" href="https://access.redhat.com/security/cve/CVE-2015-2739" public="20150702">CVE-2015-2739</cve>
+        <cve cvss2="6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P" href="https://access.redhat.com/security/cve/CVE-2015-2740" public="20150702">CVE-2015-2740</cve>
+        <cve cvss2="4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N" href="https://access.redhat.com/security/cve/CVE-2015-2741" impact="moderate" public="20150702">CVE-2015-2741</cve>
+        <cve cvss2="5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P" cwe="CWE-250" href="https://access.redhat.com/security/cve/CVE-2015-2743" impact="moderate" public="20150702">CVE-2015-2743</cve>
         <bugzilla href="https://bugzilla.redhat.com/1236947" id="1236947">CVE-2015-2724 CVE-2015-2725 Mozilla: Miscellaneous memory safety hazards (rv:31.8 / rv:38.1) (MFSA 2015-59)</bugzilla>
         <bugzilla href="https://bugzilla.redhat.com/1236950" id="1236950">CVE-2015-2727 Mozilla: Local files or privileged URLs in pages can be opened into new tabs (MFSA 2015-60)</bugzilla>
         <bugzilla href="https://bugzilla.redhat.com/1236951" id="1236951">CVE-2015-2728 Mozilla: Type confusion in Indexed Database Manager (MFSA 2015-61)</bugzilla>