Package cve provides a consistent mechanism for parsing, storing, and using CVE identifiers as specified by the MITRE Corporation. This package conforms to the 2014 CVE ID Syntax change.
This code hit the cutting room floor from one of my private projects, so I thought I'd share.
SPDX short identifier: BSD-3-Clause
Assuming you have Go installed…
go get github.com/dyesmar/cve
import "github.com/dyesmar/cve"
There are two APIs for creating new CVE types:
// New builds the identifier from its numeric parts
c, err := cve.New(2020, 6629)
// Parse validates and converts an identifier string
c, err := cve.Parse("CVE-2020-6629")
Once created, there are several methods you can call on a CVE type:
- String returns the string representation of the receiver.
- URL returns the NVD URL representation of the receiver.
- MarkdownLink returns the Markdown link representation of the receiver.
The included sample program illustrates how these APIs can be used:
go run cmd/cve/main.go CVE-2020-6629
There will be no output from the program, but it should open your preferred web browser and point it to the URL for CVE-2020-6629 at NVD.
Internally, CVE identifiers are stored as a pair of uint types, one for the year part and one for the sequence number. This may seem wasteful, but consider:
- This code will continue to work in, say, AD 4324534534.
- This code will survive the initial onslaught of mass CVE filings perpetrated by our AI overlords. 😅
Unfortunately, storing the sequence number as a uint causes the implementation to fail three of MITRE's valid test cases:
CVE-2014-1111111111111111111111
CVE-2014-11111111111111111111111
CVE-2014-111111111111111111111111
These sequence numbers are too large to store in a uint. One solution would be to store the sequence number as a big.Int, but that seems excessive. Alternately, the CVE sequence number could be stored as a string, but that would require more code to achieve the same level of error checking present for the uint sequence number. I'm fine with sequence numbers having Uint.max as an upper bound.
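As an added illustration of the Parse API described above and of the uint limitation just discussed, here is a hypothetical parser (example code, not the package's own): it checks the 2014 syntax (four-digit year, sequence number of at least four digits with no upper length) and rejects sequence numbers that overflow a uint instead of silently truncating them. The CVE type, Parse, String, ErrSyntax, and ErrOverflow names are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
)

// CVE holds the year and sequence number as a uint pair, mirroring the
// storage layout described above (hypothetical type for this example).
type CVE struct {
	Year     uint
	Sequence uint
}

// cveRe encodes the 2014 CVE ID syntax: a four-digit year and a sequence
// number of at least four digits with no fixed maximum length.
var cveRe = regexp.MustCompile(`^CVE-(\d{4})-(\d{4,})$`)

var ErrSyntax = errors.New("cve: identifier does not match CVE-YYYY-NNNN syntax")
var ErrOverflow = errors.New("cve: sequence number does not fit in a uint")

// Parse validates the identifier and converts both parts to uint. A sequence
// number wider than a uint is reported as ErrOverflow rather than truncated.
func Parse(s string) (CVE, error) {
	m := cveRe.FindStringSubmatch(s)
	if m == nil {
		return CVE{}, ErrSyntax
	}
	// The regexp guarantees exactly four ASCII digits, so this cannot fail.
	year, _ := strconv.ParseUint(m[1], 10, 16)
	seq, err := strconv.ParseUint(m[2], 10, strconv.IntSize)
	if err != nil {
		// strconv reports ErrRange when the digits exceed the bit size of uint;
		// these are exactly the MITRE test cases listed above.
		if errors.Is(err, strconv.ErrRange) {
			return CVE{}, ErrOverflow
		}
		return CVE{}, ErrSyntax
	}
	return CVE{Year: uint(year), Sequence: uint(seq)}, nil
}

// String renders the identifier, keeping the minimum four-digit width.
func (c CVE) String() string {
	return fmt.Sprintf("CVE-%04d-%04d", c.Year, c.Sequence)
}
```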
Copyright © 2020 Ramsey Dow. All rights reserved.
Use of this source code is governed by a BSD-style license that can be found in the LICENSE file.