Feat/multiple platform cpes

pkg/process/v5/transformers/nvd/test-fixtures/cve-2020-10729.json

@@ -0,0 +1,166 @@
+{
+  "cve": {
+    "id": "CVE-2020-10729",
+    "sourceIdentifier": "[email protected]",
+    "published": "2021-05-27T19:15:07.880",
+    "lastModified": "2021-12-10T19:57:06.357",
+    "vulnStatus": "Analyzed",
+    "descriptions": [
+      {
+        "lang": "en",
+        "value": "A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file. This flaw affects Ansible Engine versions before 2.9.6."
+      },
+      {
+        "lang": "es",
+        "value": "Se encontró un fallo en el uso de valores insuficientemente aleatorios en Ansible. Dos búsquedas de contraseñas aleatorias de la misma longitud generan el mismo valor que la acción de almacenamiento en caché de la plantilla para el mismo archivo, ya que no se realiza una reevaluación. La mayor amenaza de esta vulnerabilidad sería que todas las contraseñas estén expuestas a la vez para el archivo. Este fallo afecta a Ansible Engine versiones anteriores a 2.9.6"
+      }
+    ],
+    "metrics": {
+      "cvssMetricV31": [
+        {
+          "source": "[email protected]",
+          "type": "Primary",
+          "cvssData": {
+            "version": "3.1",
+            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
+            "attackVector": "LOCAL",
+            "attackComplexity": "LOW",
+            "privilegesRequired": "LOW",
+            "userInteraction": "NONE",
+            "scope": "UNCHANGED",
+            "confidentialityImpact": "HIGH",
+            "integrityImpact": "NONE",
+            "availabilityImpact": "NONE",
+            "baseScore": 5.5,
+            "baseSeverity": "MEDIUM"
+          },
+          "exploitabilityScore": 1.8,
+          "impactScore": 3.6
+        }
+      ],
+      "cvssMetricV2": [
+        {
+          "source": "[email protected]",
+          "type": "Primary",
+          "cvssData": {
+            "version": "2.0",
+            "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
+            "accessVector": "LOCAL",
+            "accessComplexity": "LOW",
+            "authentication": "NONE",
+            "confidentialityImpact": "PARTIAL",
+            "integrityImpact": "NONE",
+            "availabilityImpact": "NONE",
+            "baseScore": 2.1
+          },
+          "baseSeverity": "LOW",
+          "exploitabilityScore": 3.9,
+          "impactScore": 2.9,
+          "acInsufInfo": false,
+          "obtainAllPrivilege": false,
+          "obtainUserPrivilege": false,
+          "obtainOtherPrivilege": false,
+          "userInteractionRequired": false
+        }
+      ]
+    },
+    "weaknesses": [
+      {
+        "source": "[email protected]",
+        "type": "Primary",
+        "description": [
+          {
+            "lang": "en",
+            "value": "CWE-330"
+          }
+        ]
+      },
+      {
+        "source": "[email protected]",
+        "type": "Secondary",
+        "description": [
+          {
+            "lang": "en",
+            "value": "CWE-330"
+          }
+        ]
+      }
+    ],
+    "configurations": [
+      {
+        "operator": "AND",
+        "nodes": [
+          {
+            "operator": "OR",
+            "negate": false,
+            "cpeMatch": [
+              {
+                "vulnerable": true,
+                "criteria": "cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*",
+                "versionEndExcluding": "2.9.6",
+                "matchCriteriaId": "EDFA8005-6FBE-4032-A499-608B7FA34F56"
+              }
+            ]
+          },
+          {
+            "operator": "OR",
+            "negate": false,
+            "cpeMatch": [
+              {
+                "vulnerable": false,
+                "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
+                "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A"
+              },
+              {
+                "vulnerable": false,
+                "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
+                "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "nodes": [
+          {
+            "operator": "OR",
+            "negate": false,
+            "cpeMatch": [
+              {
+                "vulnerable": true,
+                "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
+                "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "references": [
+      {
+        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831089",
+        "source": "[email protected]",
+        "tags": [
+          "Issue Tracking",
+          "Vendor Advisory"
+        ]
+      },
+      {
+        "url": "https://github.com/ansible/ansible/issues/34144",
+        "source": "[email protected]",
+        "tags": [
+          "Exploit",
+          "Issue Tracking",
+          "Third Party Advisory"
+        ]
+      },
+      {
+        "url": "https://www.debian.org/security/2021/dsa-4950",
+        "source": "[email protected]",
+        "tags": [
+          "Third Party Advisory"
+        ]
+      }
+    ]
+  }
+}

pkg/process/v5/transformers/nvd/test-fixtures/cve-2022-0543.json

@@ -0,0 +1,183 @@
+{
+  "cve": {
+    "id": "CVE-2022-0543",
+    "sourceIdentifier": "[email protected]",
+    "published": "2022-02-18T20:15:17.583",
+    "lastModified": "2023-09-29T15:55:24.533",
+    "vulnStatus": "Analyzed",
+    "cisaExploitAdd": "2022-03-28",
+    "cisaActionDue": "2022-04-18",
+    "cisaRequiredAction": "Apply updates per vendor instructions.",
+    "cisaVulnerabilityName": "Debian-specific Redis Server Lua Sandbox Escape Vulnerability",
+    "descriptions": [
+      {
+        "lang": "en",
+        "value": "It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution."
+      },
+      {
+        "lang": "es",
+        "value": "Se ha detectado que redis, una base de datos persistente de valores clave, debido a un problema de empaquetado, es propenso a un escape del sandbox de Lua (específico de Debian), que podría resultar en una ejecución de código remota"
+      }
+    ],
+    "metrics": {
+      "cvssMetricV31": [
+        {
+          "source": "[email protected]",
+          "type": "Primary",
+          "cvssData": {
+            "version": "3.1",
+            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+            "attackVector": "NETWORK",
+            "attackComplexity": "LOW",
+            "privilegesRequired": "NONE",
+            "userInteraction": "NONE",
+            "scope": "CHANGED",
+            "confidentialityImpact": "HIGH",
+            "integrityImpact": "HIGH",
+            "availabilityImpact": "HIGH",
+            "baseScore": 10,
+            "baseSeverity": "CRITICAL"
+          },
+          "exploitabilityScore": 3.9,
+          "impactScore": 6
+        }
+      ],
+      "cvssMetricV2": [
+        {
+          "source": "[email protected]",
+          "type": "Primary",
+          "cvssData": {
+            "version": "2.0",
+            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
+            "accessVector": "NETWORK",
+            "accessComplexity": "LOW",
+            "authentication": "NONE",
+            "confidentialityImpact": "COMPLETE",
+            "integrityImpact": "COMPLETE",
+            "availabilityImpact": "COMPLETE",
+            "baseScore": 10
+          },
+          "baseSeverity": "HIGH",
+          "exploitabilityScore": 10,
+          "impactScore": 10,
+          "acInsufInfo": false,
+          "obtainAllPrivilege": false,
+          "obtainUserPrivilege": false,
+          "obtainOtherPrivilege": false,
+          "userInteractionRequired": false
+        }
+      ]
+    },
+    "weaknesses": [
+      {
+        "source": "[email protected]",
+        "type": "Primary",
+        "description": [
+          {
+            "lang": "en",
+            "value": "CWE-862"
+          }
+        ]
+      }
+    ],
+    "configurations": [
+      {
+        "operator": "AND",
+        "nodes": [
+          {
+            "operator": "OR",
+            "negate": false,
+            "cpeMatch": [
+              {
+                "vulnerable": true,
+                "criteria": "cpe:2.3:a:redis:redis:-:*:*:*:*:*:*:*",
+                "matchCriteriaId": "5EBE5E1C-C881-4A76-9E36-4FB7C48427E6"
+              }
+            ]
+          },
+          {
+            "operator": "OR",
+            "negate": false,
+            "cpeMatch": [
+              {
+                "vulnerable": false,
+                "criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*",
+                "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB"
+              },
+              {
+                "vulnerable": false,
+                "criteria": "cpe:2.3:o:canonical:ubuntu_linux:21.10:*:*:*:-:*:*:*",
+                "matchCriteriaId": "3D94DA3B-FA74-4526-A0A0-A872684598C6"
+              },
+              {
+                "vulnerable": false,
+                "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
+                "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252"
+              },
+              {
+                "vulnerable": false,
+                "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
+                "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"
+              },
+              {
+                "vulnerable": false,
+                "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
+                "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "references": [
+      {
+        "url": "http://packetstormsecurity.com/files/166885/Redis-Lua-Sandbox-Escape.html",
+        "source": "[email protected]",
+        "tags": [
+          "Exploit",
+          "Third Party Advisory",
+          "VDB Entry"
+        ]
+      },
+      {
+        "url": "https://bugs.debian.org/1005787",
+        "source": "[email protected]",
+        "tags": [
+          "Issue Tracking",
+          "Patch",
+          "Third Party Advisory"
+        ]
+      },
+      {
+        "url": "https://lists.debian.org/debian-security-announce/2022/msg00048.html",
+        "source": "[email protected]",
+        "tags": [
+          "Mailing List",
+          "Third Party Advisory"
+        ]
+      },
+      {
+        "url": "https://security.netapp.com/advisory/ntap-20220331-0004/",
+        "source": "[email protected]",
+        "tags": [
+          "Third Party Advisory"
+        ]
+      },
+      {
+        "url": "https://www.debian.org/security/2022/dsa-5081",
+        "source": "[email protected]",
+        "tags": [
+          "Mailing List",
+          "Third Party Advisory"
+        ]
+      },
+      {
+        "url": "https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce",
+        "source": "[email protected]",
+        "tags": [
+          "Third Party Advisory"
+        ]
+      }
+    ]
+  }
+}

pkg/process/v5/transformers/nvd/transform.go

@@ -46,10 +46,10 @@ func Transform(vulnerability unmarshal.NVDVulnerability) ([]data.Entry, error) {
 			cpes.Add(grypeNamespace.Resolver().Normalize(m.Criteria))
 		}
 
-		if p.PlatformCPE != nil {
+		if p.PlatformCPE != "" {
 			qualifiers = []qualifier.Qualifier{platformcpe.Qualifier{
 				Kind: "platform-cpe",
-				CPE:  *p.PlatformCPE,
+				CPE:  p.PlatformCPE,
 			}}
 		}