-
Notifications
You must be signed in to change notification settings - Fork 5
/
cve2hs.go
177 lines (136 loc) · 3.57 KB
/
cve2hs.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
package main
import (
"os"
"fmt"
"time"
"bufio"
"strings"
"net/url"
"io/ioutil"
"database/sql"
"encoding/xml"
"encoding/json"
_ "github.com/mattn/go-sqlite3"
)
var entries entry
type entry struct {
Items []struct {
Name string `xml:"cve-id"`
Date string `xml:"published-datetime"`
Summary string `xml:"summary"`
Weakness struct {
Name string `xml:"id,attr"`
} `xml:"cwe"`
Classification struct {
Severity float64 `xml:"score"`
AccessVector string `xml:"access-vector"`
AccessComplexity string `xml:"access-complexity"`
Authentication string `xml:"authentication"`
ConfidentialityImpact string `xml:"confidentiality-impact"`
IntegrityImpact string `xml:"integrity-impact"`
AvailablityImpact string `xml:"availability-impact"`
} `xml:"cvss>base_metrics"`
Software []string `xml:"vulnerable-software-list>product"`
} `xml:"entry"`
}
// Reads the specified XML file and sends the entries for processing.
func parseInput(file string) error {
var err error
var fp *os.File
if fp, err = os.Open(file); err != nil {
return err
}
defer fp.Close()
txt, _ := ioutil.ReadAll(fp)
if err = xml.Unmarshal(txt, &entries); err != nil {
return err
}
return err
}
// Writes the globally loaded entries to the specified file.
func serializeEntries(file string, debug bool) error {
var err error
if debug {
var fp *os.File
if fp, err = os.Create(file); err != nil {
return err
}
defer fp.Close()
bw := bufio.NewWriter(fp)
var bs []byte
bs, err = json.MarshalIndent(entries, "", "\t")
bw.Write(bs)
bw.Flush()
return err
}
var db *sql.DB
var tx *sql.Tx
var stm1, stm2 *sql.Stmt
if db, err = sql.Open("sqlite3", file); err != nil {
return err
}
defer db.Close()
db.Exec(`create table vulns (id int not null, cve text, date int, descr text, severity real, access char(1), primary key(id))`)
db.Exec(`create table affected (vuln_id int not null, cpe text, foreign key(vuln_id) references vulns(id))`)
db.Exec(`create index cpe_vuln_idx on affected (cpe collate nocase)`)
if tx, err = db.Begin(); err != nil {
return err
}
defer tx.Commit()
stm1, _ = tx.Prepare("insert into vulns values (?, ?, ?, ?, ?, ?)")
stm2, _ = tx.Prepare("insert into affected values (?, ?)")
defer stm1.Close()
defer stm2.Close()
for id, entry := range entries.Items {
vs := 0
for _, cpe := range entry.Software {
if strings.HasPrefix(cpe, "cpe:/a:") || strings.HasPrefix(cpe, "cpe:/o:") {
vs++
break
}
}
if vs == 0 {
continue
}
pubdate, _ := time.Parse(time.RFC3339, entry.Date)
unixtime := pubdate.Unix()
if _, err = stm1.Exec(id, entry.Name[4:], unixtime, entry.Summary, entry.Classification.Severity, strings.ToLower(entry.Classification.AccessVector)[:1]); err != nil {
fmt.Printf("%#v\n", err);
continue
}
for _, cpe := range entry.Software {
if strings.HasPrefix(cpe, "cpe:/a:") || strings.HasPrefix(cpe, "cpe:/o:") {
cpe, _ = url.QueryUnescape(cpe)
if _, err = stm2.Exec(id, cpe[5:]); err != nil {
fmt.Printf("%#v\n", err);
continue
}
}
}
}
tx.Exec(`vacuum;`)
return err
}
// Entry point of the application.
func main() {
if len(os.Args) < 3 {
println("usage: cve2hs [--json] input output")
os.Exit(-1)
}
var err error
var dbg bool
if os.Args[1] == "--json" {
dbg = true
os.Args = os.Args[1:]
}
println("Parsing CVE database...")
if err = parseInput(os.Args[1]); err != nil {
println(err)
os.Exit(-1)
}
println("Writing parsed data...")
if err = serializeEntries(os.Args[2], dbg); err != nil {
println(err)
os.Exit(-1)
}
}