Merge pull request fkie-cad#9 from e-m-b-a/cvss_info

Show CVSS2&3 base values in emba version vulnerability checker
m-1-k-3 · Dec 2, 2020 · f491728 · f491728
2 parents 2e96056 + 97d2a34
commit f491728
Show file tree

Hide file tree

Showing 5 changed files with 86 additions and 16 deletions.
diff --git a/README.md b/README.md
@@ -7,7 +7,7 @@ emba comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 welcome to redistribute it under the terms of the GNU General Public License.
 See LICENSE file for usage of this software.
 
-Emba is licensed under GPLv3
+emba is licensed under GPLv3
 
 Author(s): Michael Messner, Pascal Eckmann
 -->

diff --git a/check_project.sh b/check_project.sh
@@ -8,7 +8,7 @@
 # welcome to redistribute it under the terms of the GNU General Public License.
 # See LICENSE file for usage of this software.
 #
-# Emba is licensed under GPLv3
+# emba is licensed under GPLv3
 #
 # Author(s): Michael Messner, Pascal Eckmann
 

diff --git a/emba.sh b/emba.sh
@@ -8,7 +8,7 @@
 # welcome to redistribute it under the terms of the GNU General Public License.
 # See LICENSE file for usage of this software.
 #
-# Emba is licensed under GPLv3
+# emba is licensed under GPLv3
 #
 # Author(s): Michael Messner, Pascal Eckmann
 
@@ -70,6 +70,7 @@ main()
   export HELP_DIR="./helpers"
   export MOD_DIR="./modules"
   export VUL_FEED_DB="$EXT_DIR""/allitems.csv"
+  export VUL_FEED_CVSS_DB="$EXT_DIR""/allitemscvss.csv"
   export BASE_LINUX_FILES="$CONFIG_DIR""/linux_common_files.txt"
 
   echo

diff --git a/installer.sh b/installer.sh
@@ -29,22 +29,54 @@ fi
 
 echo -e "\\n""$ORANGE""$BOLD""Install needed packages""$NC"
 apt-get update
-apt-get install tree
-apt-get install yara
-apt-get install shellcheck
-apt-get install device-tree-compiler
-apt-get install docker.io
+apt-get install tree -y
+apt-get install yara -y
+apt-get install shellcheck -y
+apt-get install device-tree-compiler -y
+apt-get install docker.io -y
+apt-get install unzip -y
+
 
 if ! [[ -d "external" ]] ; then
   mkdir external
 fi
-echo -e "\\n""$ORANGE""$BOLD""Downloading vulnerability database""$NC"
+
+echo -e "\\n""$ORANGE""$BOLD""Downloading vulnerability database from cve.mitre.org""$NC"
 if ! [[ -f "external/allitems.csv" ]] ; then
   wget https://cve.mitre.org/data/downloads/allitems.csv -O external/allitems.csv
 else
   echo -e "$ORANGE""Vulnerability database is already downloaded""$NC"
 fi
 
+echo -e "\\n""$ORANGE""$BOLD""Downloading vulnerability databases from nvd.nist.gov""$NC"
+if ! [[ -f "external/allitemscvss.csv" ]] ; then
+  if ! [[ -d "external/nvd" ]] ; then
+    mkdir external/nvd
+  fi
+  NVD_URL="https://nvd.nist.gov/feeds/json/cve/1.1/"
+  apt-get install jq -y
+  for YEAR in $(seq 2002 $(($(date +%Y)))); do
+    NVD_FILE="nvdcve-1.1-""$YEAR"".json"
+    if ! [[ -f "external/nvd/""$NVD_FILE"".zip" ]] ; then
+      wget "$NVD_URL""$NVD_FILE"".zip" -O "external/nvd/""$NVD_FILE"".zip"
+    else
+      echo -e "$ORANGE""$NVD_FILE"".zip is already downloaded""$NC"
+    fi
+    if [[ -f "external/nvd/""$NVD_FILE"".zip" ]] ; then
+      unzip -o "./external/nvd/""$NVD_FILE"".zip" -d "./external/nvd"
+      jq -r '. | .CVE_Items[] | [.cve.CVE_data_meta.ID, (.impact.baseMetricV2.cvssV2.baseScore|tostring), (.impact.baseMetricV3.cvssV3.baseScore|tostring)] | @csv' "./external/nvd/""$NVD_FILE" -c | sed -e 's/\"//g' >> "./external/allitemscvss.csv"
+      rm "external/nvd/""$NVD_FILE"".zip"
+      rm "external/nvd/""$NVD_FILE"
+    else
+      echo -e "$ORANGE""$NVD_FILE"" is not available or a valid zip archive""$NC"
+    fi
+  done
+  rmdir "external/nvd/"
+else
+  echo -e "$ORANGE""Vulnerability database is already downloaded and created""$NC"
+fi
+
+
 echo -e "\\n""$ORANGE""$BOLD""Downloading linux-exploit-suggester""$NC"
 if ! [[ -f "external/linux-exploit-suggester.sh" ]] ; then
   wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O external/linux-exploit-suggester.sh
@@ -120,9 +152,8 @@ fi
 
 # aha for html generation
 echo -e "\\n""$ORANGE""$BOLD""Downloading aha""$NC"
-if ! [[ -f "external/aha-master" ]] ; then
+if ! [[ -f "external/aha" ]] ; then
   apt-get install make
-  apt-get install unzip
   wget https://github.com/theZiz/aha/archive/master.zip -O external/aha-master.zip
   unzip ./external/aha-master.zip -d ./external
   rm external/aha-master.zip

diff --git a/modules/S30_version_vulnerability_check.sh b/modules/S30_version_vulnerability_check.sh
@@ -89,15 +89,53 @@ print_vul() {
     FIRST_LINE="$(echo "$TEXT" | cut -c 1-"$(($(tput cols) - 2))")"
     LAST_LINES="$(echo "$TEXT" | cut -c "$(($(tput cols) - 1))"-)"
 
-    #LAST_LINES="$(echo "$LAST_LINES" | sed -r "s/(.{""$WIDTH""})/&\n/g")"
     readarray -t L_LINES < <(echo "$LAST_LINES" | sed -r "s/(.{""$WIDTH""})/&\n/g")
 
-    print_output "$FIRST_LINE"
+    print_output "$(echo "$FIRST_LINE" | sed -r '/^\s*$/d')"
     for E_LINE in "${L_LINES[@]}"; do
-      print_output "                ""$( echo "$E_LINE" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')"
+      if [[ -n "$E_LINE" ]]; then
+        print_output "                ""$( echo "$E_LINE" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')"
+      fi
     done
-    if [[ ${#L_LINES[0]} -gt 0 ]]; then
-      echo
+
+    if [[ -f "$VUL_FEED_CVSS_DB" ]]; then
+      CVSS_VALUES="$(grep "$(echo "$FIRST_LINE" | cut -d' ' -f 1)" "$VUL_FEED_CVSS_DB")"
+      CVSS2="$(echo "$CVSS_VALUES" | cut -f 2 -d ",")"
+      CVSS3="$(echo "$CVSS_VALUES" | cut -f 3 -d ",")"
+      CVSS_STRING=""
+      if ! [[ "$CVSS2" == "null" ]]; then
+        CVSS_STRING="$CVSS_STRING""CVSS2: ""$(color_cvss2 "$CVSS2")""   "
+      fi
+      if ! [[ "$CVSS3" == "null" ]]; then
+        CVSS_STRING="$CVSS_STRING""CVSS3: ""$(color_cvss3 "$CVSS3")"
+      fi
+      print_output "                ""$CVSS_STRING"
     fi
+
+    echo
   done
 }
+
+color_cvss2() {
+  FIRST_NUM="$(echo "$1" | cut -f 1 -d ".")"
+  if (( $((FIRST_NUM)) < 4 )) ; then
+    echo "$GREEN""$1""$NC"
+  elif (( 3 < $((FIRST_NUM)) )) && (( $((FIRST_NUM)) < 7 )) ; then
+    echo "$ORANGE""$1""$NC"
+  elif (( 6 < $((FIRST_NUM)) )) ; then
+    echo "$MAGENTA""$1""$NC"
+  fi
+}
+
+color_cvss3() {
+  FIRST_NUM="$(echo "$1" | cut -f 1 -d ".")"
+  if (( $((FIRST_NUM)) < 4 )) ; then
+    echo "$GREEN""$1""$NC"
+  elif (( 3 < $((FIRST_NUM)) )) && (( $((FIRST_NUM)) < 7 )) ; then
+    echo "$ORANGE""$1""$NC"
+  elif (( 6 < $((FIRST_NUM)) )) && (( $((FIRST_NUM)) < 9 )) ; then
+    echo "$MAGENTA""$1""$NC"
+  elif (( 8 < $((FIRST_NUM)) )) ; then
+    echo "$RED""$1""$NC"
+  fi
+}