Add cvss information from nvd #1085

Merged
merged 1 commit into from
Oct 19, 2021
Conversation

amousset
Member

@amousset amousset commented Oct 18, 2021

Adds the base cvss information, fetched from nvd using the CVE ids in the aliases.
This was done using the following quick-and-dirty shell script:

#!/bin/bash
# For every advisory under crates/, look up each CVE alias in the NVD JSON 1.0 API
# (the endpoint in use when this was run) and add its CVSS v3 base vector as a
# `cvss = "..."` line directly after the `aliases = [...]` line.

set -euo pipefail

cd crates

for adv in */*.md; do
  echo "${adv}"
  # skip if cvss already defined
  if grep -q "^cvss =" "${adv}"; then
    echo "   already has a cvss field, skipping"
    continue
  fi
  if ! grep -q "^aliases = .*CVE.*" "${adv}"; then
    echo "   does not have aliases, skipping"
    continue
  fi
  # strip brackets, quotes and commas from the aliases line, leaving whitespace-separated ids
  r_aliases=$(grep "^aliases" "${adv}" | cut -d "=" -f2 | tr -d '",[]')
  # define an array
  read -r -a aliases <<< "${r_aliases}"

  for alias in "${aliases[@]}"; do
    case "${alias}" in
      *CVE*)
        echo "   querying ${alias}"
        # jq prints the string with its quotes (which the TOML line needs)
        # and the literal `null` when the entry has no v3 metrics
        vector=$(curl -sS "https://services.nvd.nist.gov/rest/json/cve/1.0/${alias}" \
          | jq '.result.CVE_Items[0].impact.baseMetricV3.cvssV3.vectorString')
        if [ "${vector}" = "null" ]; then
          echo "   can't find information"
          continue
        fi
        # insert one cvss line per distinct vector among the CVE aliases
        if ! grep -qF "cvss = ${vector}" "${adv}"; then
          sed -i "/^aliases.*=.*/a cvss = ${vector}" "${adv}"
        fi
        # rate limiting for nvd api
        sleep 0.5
        ;;
    esac
  done
  # remove cvss for advisories with several different vectors
  # (`|| true`: grep -c exits 1 when nothing was inserted, which would abort under set -e)
  num=$(grep -c "cvss =" "${adv}" || true)
  if [ "${num}" -gt 1 ]; then
    sed -i '/cvss =/d' "${adv}"
    echo "   ${adv} has aliases with ${num} different vectors, skipping"
  fi
done

  • When the advisory has several CVE aliases with different cvss, the advisory is skipped
  • When the advisory already has a cvss field, it is skipped

In the future, this could be properly added to an automated curation tool that would keep information in sync with external sources.

We could also add CWE data to the advisories (but I'm not sure it would be relevant for rustsec).
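The insertion rules the script in the description applies (skip when a cvss field already exists, skip when NVD has no v3 metrics, drop the field when the aliases disagree), plus the drift check an automated curation tool keeping the field in sync with NVD would need, as an added Python example. This is not code from the PR or from rustsec's tooling: the response layout follows the jq path used in the script, and the CVE ids, RUSTSEC id, vectors and NVD response are constructed placeholders, so everything runs offline.

```python
"""Added example, not code from the PR or the rustsec project: the rules the
shell script in the PR description applies, reimplemented offline so the edge
cases can be exercised without calling the NVD API.  All ids, vectors and the
NVD response below are constructed sample data."""
import json
import re
from typing import Dict, List, Optional, Tuple


def vector_from_nvd_v1(body: str) -> Optional[str]:
    """Extract the CVSS v3 base vector from an NVD JSON 1.0 API response,
    following the same path as the script's jq filter.  Returns None when the
    entry carries no v3 metrics (where jq would print the literal `null`)."""
    doc = json.loads(body)
    try:
        return doc["result"]["CVE_Items"][0]["impact"]["baseMetricV3"]["cvssV3"]["vectorString"]
    except (KeyError, IndexError, TypeError):
        return None


# Front-matter lines the script greps for.  `$` under re.M stops before the
# newline, so the inserted line lands directly after `aliases = [...]`.
ALIASES_RE = re.compile(r'^aliases[ \t]*=[ \t]*\[(.*)\][ \t]*$', re.M)
CVSS_RE = re.compile(r'^cvss[ \t]*=[ \t]*"([^"]*)"[ \t]*$', re.M)


def cve_aliases(advisory: str) -> List[str]:
    """CVE ids listed on the advisory's aliases line (other aliases ignored)."""
    m = ALIASES_RE.search(advisory)
    if not m:
        return []
    return [a.strip().strip('"') for a in m.group(1).split(",") if "CVE-" in a]


def add_cvss(advisory: str, vectors: Dict[str, Optional[str]]) -> Tuple[Optional[str], str]:
    """Decide the `cvss` line for one advisory.  `vectors` maps each CVE alias
    to the vector NVD returned (None when NVD has no v3 score).  Returns the
    updated text, or None plus the reason the advisory was skipped."""
    if CVSS_RE.search(advisory):
        return None, "already has a cvss field"
    cves = cve_aliases(advisory)
    if not cves:
        return None, "no CVE aliases"
    found = {vectors.get(c) for c in cves} - {None}
    if not found:
        return None, "no CVSS information in NVD"
    if len(found) > 1:
        # the script inserts one line per distinct vector, then deletes them all
        return None, f"aliases carry {len(found)} different vectors"
    vector = found.pop()
    updated = ALIASES_RE.sub(lambda m: f'{m.group(0)}\ncvss = "{vector}"', advisory, count=1)
    return updated, "inserted"


def cvss_drift(advisory: str, vectors: Dict[str, Optional[str]]) -> List[str]:
    """For an advisory that already records a vector, list the vectors NVD now
    reports that differ from it (empty when nothing changed or no cvss line),
    e.g. after NVD re-analyses an entry."""
    m = CVSS_RE.search(advisory)
    if not m:
        return []
    current = {vectors.get(c) for c in cve_aliases(advisory)} - {None}
    return sorted(current - {m.group(1)})


# Constructed sample data: placeholder ids and vectors, not real entries.
V_HIGH = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
V_LOW = "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"
NVD_SAMPLE = json.dumps({"result": {"CVE_Items": [
    {"cve": {"CVE_data_meta": {"ID": "CVE-2021-00001"}},
     "impact": {"baseMetricV3": {"cvssV3": {"vectorString": V_HIGH}}}}]}})
ADVISORY = """[advisory]
id = "RUSTSEC-0000-0000"
package = "example-crate"
date = "2021-10-18"
aliases = ["CVE-2021-00001"]
"""
MULTI = ADVISORY.replace('["CVE-2021-00001"]', '["CVE-2021-00001", "CVE-2021-00002"]')

if __name__ == "__main__":
    vec = vector_from_nvd_v1(NVD_SAMPLE)
    print(add_cvss(ADVISORY, {"CVE-2021-00001": vec}))
    print(add_cvss(MULTI, {"CVE-2021-00001": V_HIGH, "CVE-2021-00002": V_LOW}))
```

`add_cvss` returns the reason for a skip so a curation run can log it the way the script's echo lines do; `cvss_drift` covers the case where NVD changes a vector after the field was recorded, which the one-shot script cannot notice.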

@Shnatsel
Member

Thanks! Before we merge this, we need to check if the CVE terms of use are compatible with our CC0 license, since we're importing data from them (not just link to their identifiers).

@Qwaz
Contributor

Qwaz commented Oct 18, 2021

Note for the future: The wasmtime CVE entries for CVE-2021-39216, CVE-2021-39219, and CVE-2021-39218 say "It is awaiting reanalysis which may result in further changes to the information provided." We might need to change its CVSS score if they are updated.

@amousset
Member Author

The CVSS data comes from the NVD API (part of NIST) and is not provided by MITRE, and the docs for the API used in this pull request are on https://nvd.nist.gov/vuln/data-feeds. This page states that:

The entire NVD database can be downloaded from this web page for public use. All NIST publications are available in the public domain according to Title 17 of the United States Code, however acknowledgement of the NVD when using our information is always appreciated.

So it seems to me that the actual question is the compatibility of this with CC0.

@tarcieri tarcieri merged commit 8c05fea into rustsec:main Oct 19, 2021
@tarcieri
Member

Looks good. Thanks!
