Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

refactor(nvd): migrate to API 2.0 #374

Merged
merged 5 commits into from
Dec 18, 2023
Merged

refactor(nvd): migrate to API 2.0 #374

merged 5 commits into from
Dec 18, 2023

Conversation

DmitriyLewen
Copy link
Contributor

@DmitriyLewen DmitriyLewen self-assigned this Dec 5, 2023
DmitriyLewen
DmitriyLewen commented Dec 7, 2023
View reviewed changes
pkg/vulnsrc/nvd/nvd.go Outdated
Comment on lines 152 to 168
func getCvssV3(metricsV31, metricsV30 []CvssMetricV3) (score float64, vector string, severity types.Severity) {
// order: v3.1 metrics => v3.0 metrics
// save the first `primary` metric
// if the `Primary` metric does not exist => save the first `Secondary` metric (v3.1 => v3.0)
for _, metricV3 := range append(metricsV31, metricsV30...) {
// save first metric or the `Primary` metric if `Secondary` metric was saved previously
if score == 0 || metricV3.Type == primaryType {
score = metricV3.CvssData.BaseScore
vector = metricV3.CvssData.VectorString
severity, _ = types.NewSeverity(metricV3.CvssData.BaseSeverity)
if metricV3.Type == primaryType {
return
}
}
}
return
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure about this case.
what to choose: “Secondary metric V31” or “Primary metric v30”.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As I commented above, we should take metrics only from NVD here. So, the answer is:

  1. cvssMetricV31 with source: [email protected]
  2. cvssMetricV30 with source: [email protected]
  3. cvssMetricV31 from other vendors (ignore)
  4. cvssMetricV30 from other vendors (ignore)

We may want to use metrics from other vendors in the future, but it should be done in another PR.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your help!
Changed in 96b8f7d

@namandf
Copy link

namandf commented Dec 13, 2023
edited
Loading

Hi @DmitriyLewen , @knqyf263 , Hope you are doing great.

Just came across this PR.

  1. Do we intend to bring in this change before 15th?
  2. Will this fix require a trivy upgrade? I am assuming no, because its just a change in the way we gather data right?
  3. In case , we don't get this change by 15th which is the deadline for deprecation and 18th December NVD will stop supporting older feeds if i am not wrong, then what will be impact on trivy scans? Will we continue seeing older vulnerabilities while the new ones or updates will be missing?

Thank you

@DmitriyLewen
Copy link
Contributor Author

Hello @namandf

Do we intend to bring in this change before 15th?

We are trying to finish these changes before the 15th.

Will this fix require a trivy upgrade? I am assuming no, because its just a change in the way we gather data right?

right. This fix only for trivy-db. You will need only doewnload new DB.

In case , we don't get this change by 15th which is the deadline for deprecation and 18th December NVD will stop supporting older feeds if i am not wrong, then what will be impact on trivy scans? Will we continue seeing older vulnerabilities while the new ones or updates will be missing?

We only receive advisory information from nvd (severity, descriptions, etc.).
In this case, you will get all old and new CVEs, but there may be some typos/omissions in the vulnerability information.

@namandf
Copy link

namandf commented Dec 14, 2023
edited
Loading

Thank you for the update @DmitriyLewen .

We only receive advisory information from nvd (severity, descriptions, etc.). In this case, you will get all old and new CVEs, but there may be some typos/omissions in the vulnerability information.

Out of curiosity, do we rely on MITRE/cve.org for the CVE list? or are you suggesting that other databases bridge that gap?
MITRE also seems to have gone through a similar change. https://www.cve.org/Media/News/item/blog/2023/07/25/Legacy-Downloads-being-Phased-Out

@DmitriyLewen
Copy link
Contributor Author

Out of curiosity, do we rely on MITRE/cve.org for the CVE list?

No, we don't use MITRE/cve.org.

We use the following databases to get CVE list:
https://aquasecurity.github.io/trivy/v0.48/docs/scanner/vulnerability/#data-sources
https://aquasecurity.github.io/trivy/v0.48/docs/scanner/vulnerability/#data-sources_1

@namandf
Copy link

namandf commented Dec 15, 2023

Out of curiosity, do we rely on MITRE/cve.org for the CVE list?

No, we don't use MITRE/cve.org.

We use the following databases to get CVE list: https://aquasecurity.github.io/trivy/v0.48/docs/scanner/vulnerability/#data-sources https://aquasecurity.github.io/trivy/v0.48/docs/scanner/vulnerability/#data-sources_1

Got it. Thank you.

You might already be aware but looks like there is again a change in deadline.
Screenshot_2023_1215_075423

@DmitriyLewen
Copy link
Contributor Author

yes, thanks!

FYI - We have aquasecurity/trivy#5658

knqyf263
knqyf263 reviewed Dec 17, 2023
View reviewed changes
pkg/vulnsrc/nvd/nvd.go Outdated
func getCvssV2(metricsV2 []CvssMetricV2) (score float64, vector string, severity types.Severity) {
for _, metricV2 := range metricsV2 {
// save first metric or the `Primary` metric if `Secondary` metric was saved previously
if score == 0 || metricV2.Type == primaryType {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I understand correctly, the type doesn't matter. We need metrics from NVD, so I think we should take metrics with source: [email protected].

source identifies the organization that provided the metrics information and type identifies whether the organization is a primary or secondary source. Primary sources include the NVD and CNA who have reached the provider level in CVMAP. 10% of provider level submissions are audited by the NVD. If a submission has been audited the NVD will appear as the primary source and the provider level CNA will appear as the secondary source.

"cvssMetricV30": [
                        {
                            "source": "[email protected]",
                            "type": "Secondary",
                            "cvssData": {
                                "version": "3.0",
                                "vectorString": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H",
                                "attackVector": "PHYSICAL",
                                "attackComplexity": "HIGH",
                                "privilegesRequired": "NONE",
                                "userInteraction": "NONE",
                                "scope": "UNCHANGED",
                                "confidentialityImpact": "NONE",
                                "integrityImpact": "LOW",
                                "availabilityImpact": "HIGH",
                                "baseScore": 4.8,
                                "baseSeverity": "MEDIUM"
                            },
                            "exploitabilityScore": 0.5,
                            "impactScore": 4.2
                        }
                    ],

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! fixed in 96b8f7d

pkg/vulnsrc/nvd/nvd.go Outdated
Comment on lines 152 to 168
func getCvssV3(metricsV31, metricsV30 []CvssMetricV3) (score float64, vector string, severity types.Severity) {
// order: v3.1 metrics => v3.0 metrics
// save the first `primary` metric
// if the `Primary` metric does not exist => save the first `Secondary` metric (v3.1 => v3.0)
for _, metricV3 := range append(metricsV31, metricsV30...) {
// save first metric or the `Primary` metric if `Secondary` metric was saved previously
if score == 0 || metricV3.Type == primaryType {
score = metricV3.CvssData.BaseScore
vector = metricV3.CvssData.VectorString
severity, _ = types.NewSeverity(metricV3.CvssData.BaseSeverity)
if metricV3.Type == primaryType {
return
}
}
}
return
}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As I commented above, we should take metrics only from NVD here. So, the answer is:

  1. cvssMetricV31 with source: [email protected]
  2. cvssMetricV30 with source: [email protected]
  3. cvssMetricV31 from other vendors (ignore)
  4. cvssMetricV30 from other vendors (ignore)

We may want to use metrics from other vendors in the future, but it should be done in another PR.

@knqyf263 knqyf263 marked this pull request as ready for review December 18, 2023 18:24
knqyf263
knqyf263 reviewed Dec 18, 2023
View reviewed changes
Copy link
Collaborator

@knqyf263 knqyf263 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. I left a small comment.

pkg/vulnsrc/nvd/types.go Outdated
Comment on lines 5 to 20
ID string `json:"id"`
SourceIdentifier string `json:"sourceIdentifier,omitempty"`
Published string `json:"published"`
LastModified string `json:"lastModified"`
VulnStatus string `json:"vulnStatus,omitempty"`
EvaluatorComment string `json:"evaluatorComment,omitempty"`
EvaluatorSolution string `json:"evaluatorSolution,omitempty"`
EvaluatorImpact string `json:"evaluatorImpact,omitempty"`
CisaExploitAdd string `json:"cisaExploitAdd,omitempty"`
CisaActionDue string `json:"cisaActionDue,omitempty"`
Descriptions []LangString `json:"descriptions"`
Metrics Metrics `json:"metrics,omitempty"`
Weaknesses []Weakness `json:"weaknesses,omitempty"`
Configurations []Configuration `json:"configurations,omitempty"`
References []Reference `json:"references"`
VendorComments []VendorComment `json:"vendorComments,omitempty"`
Copy link
Collaborator

@knqyf263 knqyf263 Dec 18, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we remove unneeded fields? It helps us understand what fields we are using. Other structs as well.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed. Please let me know if I did something wrong.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point!
I checked your changes and don't see problem with that.

@knqyf263 knqyf263 merged commit 51be8d9 into aquasecurity:main Dec 18, 2023
2 checks passed
@DmitriyLewen DmitriyLewen deleted the nvd-api branch December 19, 2023 04:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knqyf263 knqyf263 knqyf263 approved these changes

Assignees

@DmitriyLewen DmitriyLewen

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@DmitriyLewen @namandf @knqyf263