Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

update nvd fields #30799

Merged
merged 3 commits into from
Nov 26, 2023
Merged

update nvd fields #30799

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
97ed637
update nvd fields
epartington Nov 10, 2023
0cd8ce7
Update NationalVulnerabilityDatabaseFeed.yml
epartington Nov 11, 2023
d2673af
update field and release notes
epartington Nov 24, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions Packs/NationalVulnerabilityDatabaseFeed/.pack-ignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
[known_words]
cvssversion
cvsstable
cvssscore
1 change: 1 addition & 0 deletions ...ulnerabilityDatabaseFeed/Integrations/NationalVulnerabilityDatabaseFeed/CONTRIBUTORS.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
["Eric Partington"]
37 changes: 28 additions & 9 deletions ...eFeed/Integrations/NationalVulnerabilityDatabaseFeed/NationalVulnerabilityDatabaseFeed.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
from CommonServerPython import * # noqa # pylint: disable=unused-wildcard-import
from CommonServerUserPython import * # noqa

from typing import Dict, Any, List
from typing import Any
from datetime import datetime, timedelta
from time import sleep
import urllib3
Expand All @@ -21,7 +21,7 @@


def parse_cve_data(item=None) -> dict:
fields = dict()
fields = {}
if item and isinstance(item, dict):

# Populate common fields
Expand All @@ -32,10 +32,12 @@ def parse_cve_data(item=None) -> dict:
description = cve.get('description', {}).get('description_data')
if "en" in [x.get('lang') for x in description]:
fields['cvedescription'] = description[([x.get('lang') for x in description]).index('en')].get('value')
# mirror the description fields so that the default cve layout renders with complete data
fields['description'] = fields['cvedescription']

# References
if "references" in cve:
references: List = cve.get('references', {}).get('reference_data')
references: list = cve.get('references', {}).get('reference_data')
fields['publications'] = [
{
"link": x.get('url'),
Expand All @@ -58,6 +60,7 @@ def parse_cve_data(item=None) -> dict:
if "cvssV2" in base_metric_v2:
cvss_v2 = base_metric_v2.get('cvssV2')
all_cvss.append({"cvssV2": cvss_v2})
fields['cvss'] = all_cvss

# Base Metric V3
if "baseMetricV3" in impact:
Expand All @@ -74,9 +77,25 @@ def parse_cve_data(item=None) -> dict:
}
)
fields['cvss3'] = cvss_v3_data

cvss_data = []
for k, v in cvss_v3.items():
cvss_data.append(
{
"metrics": camel_case_to_underscore(k).replace("_", " ").title(),
"value": v
}
)
fields['cvsstable'] = cvss_data
# additional fields to write to CVE default layout
fields['cvssvector'] = cvss_v3.get('vectorString')
# mirror fields so that default cve layout renders properly
fields['cvss'] = cvss_v3.get('baseScore')
fields['cvssscore'] = cvss_v3.get('baseScore')
Comment on lines +93 to +94
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the cvss & cvssscore the same value?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes they are the same score. The default CVE layout has both listed as fields and there is a field driven automation that leverage the cvss score to show a colored number at the top of the layout. The current integrations were not writing to CVSS Score so the layout was always blank and not showing value. So I added the integration to write to both which helps fill out the layout better OOTB.

fields['cvssversion'] = cvss_v3.get('version')

fields['cvss'] = all_cvss
# this eneded up being a json blob which should be fixed to the baseScore value above
# fields['cvss'] = all_cvss

return fields

Expand All @@ -98,7 +117,7 @@ def extract_descriptions(data_item={}) -> list:
# ========================================== Generic Query ===============================================#


def test_module(client: BaseClient, params: Dict[str, Any]):
def test_module(client: BaseClient, params: dict[str, Any]):

api_key = params.get('apiKey')
try:
Expand All @@ -109,7 +128,7 @@ def test_module(client: BaseClient, params: Dict[str, Any]):
params['apiKey'] = api_key
res = client._http_request('GET', full_url='https://services.nvd.nist.gov/rest/json/cpes/1.0', params=params)
if "error" in res:
return_error((res.get('error')))
return_error(res.get('error'))
elif "resultsPerPage" in res:
return_results('ok')
except Exception as err:
Expand Down Expand Up @@ -138,9 +157,9 @@ def fetch_indicators_command(client, params):
startIndex = 0
resultsPerPage = 2000
data_items = []
indicators: List[Dict] = []
indicators: list[dict] = []
last_run_data = demisto.getLastRun()
run_times: List[datetime] = []
run_times: list[datetime] = []
run_limit = 9

# If there is no last run date, use the history specified in the params
Expand Down Expand Up @@ -293,7 +312,7 @@ def fetch_indicators_command(client, params):
elif get_type == 'CVE' and data_items:
for item in data_items:
item['type'] = "CVE"
fields: Dict = parse_cve_data(item)
fields: dict = parse_cve_data(item)
indicators.append({
"value": item.get('cve', {}).get('CVE_data_meta', {}).get('ID'),
"type": FeedIndicatorType.CVE,
Expand Down
8 changes: 4 additions & 4 deletions ...Feed/Integrations/NationalVulnerabilityDatabaseFeed/NationalVulnerabilityDatabaseFeed.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
commonfields:

Check failure on line 1 in Packs/NationalVulnerabilityDatabaseFeed/Integrations/NationalVulnerabilityDatabaseFeed/NationalVulnerabilityDatabaseFeed.yml

View workflow job for this annotation

GitHub Actions / pre-commit-community-level

Validation Error DO106 

The docker image tag is not the latest numeric tag, please update it.
The docker image tag in the yml file is: 3.10.13.80014
The latest docker image tag in docker hub is: 3.10.13.80593

You can check for the most updated version of demisto/python3 here: https://hub.docker.com/r/demisto/python3/tags 
To update the docker image run:
demisto-sdk format -ud -i Packs/NationalVulnerabilityDatabaseFeed/Integrations/NationalVulnerabilityDatabaseFeed/NationalVulnerabilityDatabaseFeed.yml
id: National Vulnerability Database
version: -1
name: National Vulnerability Database
display: National Vulnerability Database
category: Data Enrichment & Threat Intelligence
description: CVE feed from the National Vulnerability Database
description: CVE feed from the National Vulnerability Database.
detaileddescription: >-
## National Vunerability Database Feed

Expand Down Expand Up @@ -201,15 +201,15 @@
commands:
- name: nvd-get-indicators
arguments: []
description: Retrieves CVEs from NVD
description: Retrieves CVEs from NVD.
outputs:
- contextPath: CPE.cpe23Uril
description: This element identifies a CPE by the CPE 2.3 Naming specification
description: This element identifies a CPE by the CPE 2.3 Naming specification.
type: String
- contextPath: CPE.titles
description: This element contains the human-readable, English title for the CPE.
type: Unknown
dockerimage: demisto/python3:3.10.12.63474
dockerimage: demisto/python3:3.10.13.80014
feed: true
subtype: python3
isFetchSamples: true
Expand Down
4 changes: 4 additions & 0 deletions Packs/NationalVulnerabilityDatabaseFeed/ReleaseNotes/1_0_4.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
#### Integrations
##### National Vulnerability Database
- Updated the Docker image to: *demisto/python3:3.10.13.80014*.
- Updated the integration to write to default CVE layout fields for *cvss*, *cvssversion*, *cvsstable*, *cvssscore* and *description*.
2 changes: 1 addition & 1 deletion Packs/NationalVulnerabilityDatabaseFeed/pack_metadata.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
"name": "National Vulnerability Database Feed",
"description": "CVE and CPE feed from the National Vulnerability Database",
"support": "community",
"currentVersion": "1.0.3",
"currentVersion": "1.0.4",
"author": "Adam Burt",
"url": "https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/bd-p/Cortex_XSOAR_Discussions",
"email": "",
Expand Down
Loading