Improve quality of cpe, purl_prefix and vers (#155)

* Introduced a method to clean cpe uri

Signed-off-by: Prabhu Subramanian <[email protected]>

* Clean purl prefix and vers

Signed-off-by: Prabhu Subramanian <[email protected]>

* Fix tests

Signed-off-by: Prabhu Subramanian <[email protected]>

* Make use of target_sw to improve purl prefix for generic packages

Signed-off-by: Prabhu Subramanian <[email protected]>

* Keep 2018 as the default year

Signed-off-by: Prabhu Subramanian <[email protected]>

---------

Signed-off-by: Prabhu Subramanian <[email protected]>

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "appthreat-vulnerability-db"
-version = "6.0.8"
+version = "6.0.9"
 description = "AppThreat's vulnerability database and package search library with a built-in sqlite based storage. OSV, CVE, GitHub, npm are the primary sources of vulnerabilities."
 authors = [
     {name = "Team AppThreat", email = "[email protected]"},

test/data/CVE-2018-9840.json

@@ -0,0 +1,123 @@
+{
+  "id": "CVE-2018-9840",
+  "sourceIdentifier": "[email protected]",
+  "published": "2018-04-10T05:29:00.207",
+  "lastModified": "2019-10-03T00:03:26.223",
+  "vulnStatus": "Analyzed",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "The Open Whisper Signal app before 2.23.2 for iOS allows physically proximate attackers to bypass the screen locker feature via certain rapid sequences of actions that include app opening, clicking on cancel, and using the home button."
+    },
+    {
+      "lang": "es",
+      "value": "La aplicación Open Whisper Signal, en versiones anteriores a la 2.23.2 para iOS, permite que atacantes cercanos físicamente omitan la característica de bloqueo de pantalla mediante determinadas secuencias rápidas de acciones que incluyen la apertura de apps, clics en cancelar y el uso del botón de inicio."
+    }
+  ],
+  "metrics": {
+    "cvssMetricV30": [
+      {
+        "source": "[email protected]",
+        "type": "Primary",
+        "cvssData": {
+          "version": "3.0",
+          "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+          "attackVector": "PHYSICAL",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "NONE",
+          "userInteraction": "NONE",
+          "scope": "UNCHANGED",
+          "confidentialityImpact": "HIGH",
+          "integrityImpact": "HIGH",
+          "availabilityImpact": "HIGH",
+          "baseScore": 6.8,
+          "baseSeverity": "MEDIUM"
+        },
+        "exploitabilityScore": 0.9,
+        "impactScore": 5.9
+      }
+    ],
+    "cvssMetricV2": [
+      {
+        "source": "[email protected]",
+        "type": "Primary",
+        "cvssData": {
+          "version": "2.0",
+          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
+          "accessVector": "LOCAL",
+          "accessComplexity": "LOW",
+          "authentication": "NONE",
+          "confidentialityImpact": "PARTIAL",
+          "integrityImpact": "PARTIAL",
+          "availabilityImpact": "PARTIAL",
+          "baseScore": 4.6
+        },
+        "baseSeverity": "MEDIUM",
+        "exploitabilityScore": 3.9,
+        "impactScore": 6.4,
+        "acInsufInfo": false,
+        "obtainAllPrivilege": false,
+        "obtainUserPrivilege": false,
+        "obtainOtherPrivilege": false,
+        "userInteractionRequired": false
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "[email protected]",
+      "type": "Primary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "NVD-CWE-noinfo"
+        }
+      ]
+    }
+  ],
+  "configurations": [
+    {
+      "nodes": [
+        {
+          "operator": "OR",
+          "negate": false,
+          "cpeMatch": [
+            {
+              "vulnerable": true,
+              "criteria": "cpe:2.3:a:signal:signal:*:*:*:*:*:iphone_os:*:*",
+              "matchCriteriaId": "E791C3AF-A1F9-4564-AAB1-FAE3D608F176",
+              "versionEndExcluding": "2.23.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "http://nint.en.do/Signal-Bypass-Screen-locker.php",
+      "source": "[email protected]",
+      "tags": [
+        "Broken Link",
+        "Third Party Advisory"
+      ]
+    },
+    {
+      "url": "https://github.com/signalapp/Signal-iOS/commit/018a35df7b42b4941cb4dfc9f462b37c3fafd9e9",
+      "source": "[email protected]",
+      "tags": [
+        "Patch",
+        "Third Party Advisory"
+      ]
+    },
+    {
+      "url": "https://github.com/signalapp/Signal-iOS/commits/release/2.23.2",
+      "source": "[email protected]",
+      "tags": [
+        "Issue Tracking",
+        "Patch",
+        "Third Party Advisory"
+      ]
+    }
+  ]
+}

test/data/CVE-2021-27434.json

@@ -0,0 +1,138 @@
+{
+  "id": "CVE-2021-27434",
+  "sourceIdentifier": "[email protected]",
+  "published": "2021-05-20T14:15:07.767",
+  "lastModified": "2023-10-15T16:18:45.880",
+  "vulnStatus": "Analyzed",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "Products with Unified Automation .NET based OPC UA Client/Server SDK Bundle: Versions V3.0.7 and prior (.NET 4.5, 4.0, and 3.5 Framework versions only) are vulnerable to an uncontrolled recursion, which may allow an attacker to trigger a stack overflow."
+    },
+    {
+      "lang": "es",
+      "value": "Productos con el programa Unified Automation .NET based OPC UA Client/Server SDK Bundle: Versiones V3.0.7 y anteriores (solo versiones de .NET 4.5, 4.0 y 3.5 Framework) son vulnerables a una recursividad no controlada, que puede permitir a un atacante desencadenar un desbordamiento de pila"
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "[email protected]",
+        "type": "Primary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+          "attackVector": "NETWORK",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "NONE",
+          "userInteraction": "NONE",
+          "scope": "UNCHANGED",
+          "confidentialityImpact": "HIGH",
+          "integrityImpact": "NONE",
+          "availabilityImpact": "NONE",
+          "baseScore": 7.5,
+          "baseSeverity": "HIGH"
+        },
+        "exploitabilityScore": 3.9,
+        "impactScore": 3.6
+      }
+    ],
+    "cvssMetricV2": [
+      {
+        "source": "[email protected]",
+        "type": "Primary",
+        "cvssData": {
+          "version": "2.0",
+          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+          "accessVector": "NETWORK",
+          "accessComplexity": "LOW",
+          "authentication": "NONE",
+          "confidentialityImpact": "PARTIAL",
+          "integrityImpact": "NONE",
+          "availabilityImpact": "NONE",
+          "baseScore": 5
+        },
+        "baseSeverity": "MEDIUM",
+        "exploitabilityScore": 10,
+        "impactScore": 2.9,
+        "acInsufInfo": false,
+        "obtainAllPrivilege": false,
+        "obtainUserPrivilege": false,
+        "obtainOtherPrivilege": false,
+        "userInteractionRequired": false
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "[email protected]",
+      "type": "Primary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-674"
+        }
+      ]
+    },
+    {
+      "source": "[email protected]",
+      "type": "Secondary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-200"
+        }
+      ]
+    }
+  ],
+  "configurations": [
+    {
+      "operator": "AND",
+      "nodes": [
+        {
+          "operator": "OR",
+          "negate": false,
+          "cpeMatch": [
+            {
+              "vulnerable": true,
+              "criteria": "cpe:2.3:a:unified-automation:.net_based_opc_ua_client\\/server_sdk:*:*:*:*:*:*:*:*",
+              "matchCriteriaId": "72FFADD0-F648-492C-9A45-1456EEDAAD06",
+              "versionEndIncluding": "3.0.7"
+            }
+          ]
+        },
+        {
+          "operator": "OR",
+          "negate": false,
+          "cpeMatch": [
+            {
+              "vulnerable": false,
+              "criteria": "cpe:2.3:a:microsoft:.net_framework:3.5:*:*:*:*:*:*:*",
+              "matchCriteriaId": "E039CE1F-B988-4741-AE2E-5B36E2AF9688"
+            },
+            {
+              "vulnerable": false,
+              "criteria": "cpe:2.3:a:microsoft:.net_framework:4.0:*:*:*:*:*:*:*",
+              "matchCriteriaId": "792B417F-96A0-4E9D-9E79-5D7F982E2225"
+            },
+            {
+              "vulnerable": false,
+              "criteria": "cpe:2.3:a:microsoft:.net_framework:4.5:*:*:*:*:*:*:*",
+              "matchCriteriaId": "61FAD9EE-FA7F-4B39-8A9B-AFFAEC8BF214"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-133-04",
+      "source": "[email protected]",
+      "tags": [
+        "Third Party Advisory",
+        "US Government Resource"
+      ]
+    }
+  ]
+}

test/test_source.py

@@ -12,12 +12,11 @@
 from vdb.lib.nvd import NvdSource
 from vdb.lib.osv import OSVSource
 
-# Temp directories were not working on macOS GitHub runners
 test_tmp_dir = os.getenv("TEST_VDB_HOME", tempfile.mkdtemp(prefix="vdb6-tests-"))
 os.makedirs(test_tmp_dir, exist_ok=True)
-db6.get(
-    os.path.join(test_tmp_dir, "data.vdb6"), os.path.join(test_tmp_dir, "index.vdb6")
-)
+
+# Use in-memory database for testing
+db6.get(":memory:", ":memory:")
 
 
 @pytest.fixture
@@ -83,6 +82,24 @@ def test_nvd_api_git_json():
         return json.loads(fp.read())
 
 
+@pytest.fixture
+def test_nvd_api_cpes_json():
+    test_cve_data = os.path.join(
+        os.path.dirname(os.path.realpath(__file__)), "data", "CVE-2021-27434.json"
+    )
+    with open(test_cve_data, mode="r", encoding="utf-8") as fp:
+        return json.loads(fp.read())
+
+
+@pytest.fixture
+def test_nvd_api_signal_json():
+    test_cve_data = os.path.join(
+        os.path.dirname(os.path.realpath(__file__)), "data", "CVE-2018-9840.json"
+    )
+    with open(test_cve_data, mode="r", encoding="utf-8") as fp:
+        return json.loads(fp.read())
+
+
 @pytest.fixture
 def test_osv_rust_json():
     test_cve_data = os.path.join(
@@ -663,6 +680,48 @@ def test_nvd_api_convert(
     assert results_count == 1
 
 
+def test_nvd_api_convert2(test_nvd_api_cpes_json):
+    nvdlatest = NvdSource()
+    #cpes_json
+    vulnerabilities = nvdlatest.convert(test_nvd_api_cpes_json)
+    assert len(vulnerabilities) == 1
+    assert len(vulnerabilities[0].details) == 2
+    db6.clear_all()
+    nvdlatest.store(vulnerabilities)
+    cve_data_count, cve_index_count = db6.stats()
+    assert cve_data_count == 1
+    assert cve_index_count == 1
+    results_count = len(list(search.search_by_any("CVE-2021-27434")))
+    assert results_count == 1
+    results_count = len(
+        list(
+            search.search_by_any(".net_based_opc_ua_client:server_sdk:*")
+        )
+    )
+    assert results_count == 1
+
+
+def test_nvd_api_convert3(test_nvd_api_signal_json):
+    db6.clear_all()
+    nvdlatest = NvdSource()
+    # signal ios
+    vulnerabilities = nvdlatest.convert(test_nvd_api_signal_json)
+    assert len(vulnerabilities) == 1
+    assert len(vulnerabilities[0].details) == 2
+    nvdlatest.store(vulnerabilities)
+    cve_data_count, cve_index_count = db6.stats()
+    assert cve_data_count == 2
+    assert cve_index_count == 2
+    results_count = len(list(search.search_by_any("CVE-2018-9840")))
+    assert results_count == 2
+    results_count = len(
+        list(
+            search.search_by_any("pkg:generic/ios/signal")
+        )
+    )
+    assert results_count == 1
+
+
 @pytest.mark.skip(reason="This downloads and tests with live data")
 def test_nvd_download():
     nvdlatest = NvdSource()

test/test_utils.py

@@ -900,6 +900,18 @@ def test_purl_vers_convert():
             ],
             "vers:generic/<001a3278b5572e52c0ecac0bd1157bf2599502b7",
         ),
+        (
+            "cisco",
+            [
+                {
+                    "version": r"6.3\(1\)",
+                    "status": "affected",
+                    "versionType": "cisco",
+                    "lessThanOrEqual": r"6.3\(1\)",
+                }
+            ],
+            "vers:cisco/6.3-1",
+        ),
     ]
     for tt in test_tuples:
         assert utils.to_purl_vers(tt[0], tt[1]) == tt[2]
@@ -1022,3 +1034,18 @@ def test_vers_compare():
     assert not utils.vers_compare("1.13.0", "vers:rpm/<=1.12.8-24.el8_8.1")
     assert utils.vers_compare("5.5", "vers:deb/<5.6~rc2")
     assert not utils.vers_compare("5.7", "vers:deb/<5.6~rc2")
+
+
+def test_clean_cpe_uri():
+    test_tuples = (
+        [None, None],
+        ["cpe:2.3:a:unified-automation:.net_based_opc_ua_client\\/server_sdk:*:*:*:*:*:*:*:*", "cpe:2.3:a:unified-automation:.net_based_opc_ua_client/server_sdk:*:*:*:*:*:*:*:*"],
+        ["cpe:2.3:a:cisco:dna_spaces\\:_connector:*:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:dna_spaces:_connector:*:*:*:*:*:*:*:*"],
+        ["cpe:2.3:a:trendmicro:antivirus_\\+_security_2019:15.0:*:*:*:*:*:*:*", "cpe:2.3:a:trendmicro:antivirus_security_2019:15.0:*:*:*:*:*:*:*"],
+        ["cpe:2.3:a:eleopard:animate_it\\!:*:*:*:*:*:wordpress:*:*", "cpe:2.3:a:eleopard:animate_it:*:*:*:*:*:wordpress:*:*"],
+        ["cpe:2.3:a:icegram:email_subscribers_\\\u0026_newsletters:*:*:*:*:*:wordpress:*:*", "cpe:2.3:a:icegram:email_subscribers_newsletters:*:*:*:*:*:wordpress:*:*"],
+        ["cpe:2.3:a:display_post_meta,_term_meta,_comment_meta,_and_user_meta_project/display_post_meta,_term_meta,_comment_meta,_and_user_meta", "cpe:2.3:a:display_post_meta_term_meta_comment_meta_and_user_meta_project/display_post_meta_term_meta_comment_meta_and_user_meta"],
+        ["cpe:2.3:a:[gwa]_autoresponder_project/[gwa]_autoresponder", "cpe:2.3:a:gwa_autoresponder_project/gwa_autoresponder"]
+    )
+    for tt in test_tuples:
+        assert utils.clean_cpe_uri(tt[0]) == tt[1]