Retrieve vulnerability description with ADPs' data

[pereyra-m]

Related issue
Closes #25481

Description

This PR allows to select the source for the description data used to populate the vulnerability field.
First, it was required to store the missing descriptive information in the queue/vd/feed DB. Then, the databaseFeedManager was updated to build the final description considering the ADPs from the shortName and subShortName.

The corresponding UTs were added to make sure the data was updated with the required keys, and then properly assembled in the get request. To maintain retro-compatibility, the NVD related entries weren't modified.

Tests

It was confirmed that the final size of the DB is within the acceptable range. At the offset 891035, this the final size

root@fb659c773250:/var/ossec# du -h queue/vd/feed/
5.9G	queue/vd/feed/

Manual tests: see comment below.

• Compilation without warnings in every supported platform

  • Linux

• Source installation

• Added unit tests (for new features)

[sebasfalcone]

Analysis

The issue with the CVEs that are marked as under evaluation despite having descriptive information available is due to a bug in the isUnderEvaluation logic:

wazuh/src/wazuh_modules/vulnerability_scanner/src/scanOrchestrator/eventDetailsBuilder.hpp

Lines 219 to 224 in 6563d68

	const auto isUnderEvaluation = [&returnData]()
	{
	return Utils::floatToDoubleRound(returnData.data->scoreBase(), 2) == 0 ||
	returnData.data->classification()->str().empty() ||
	returnData.data->severity()->str().empty();
	};

The logic should be instead:

 const auto isUnderEvaluation = [&returnData]() 
 { 
     return Utils::floatToDoubleRound(returnData.data->scoreBase(), 2) == 0 || 
            returnData.data->scoreVersion()->str().empty() || 
            returnData.data->severity()->str().empty(); 
 }; 

[sebasfalcone]

LGTM!

The testing landed good results, the descriptive information is being obtained from the corresponding vendor or the NVD

The issue @MiguelazoDS found in regard of the under_analisis field was addressed in this commit

[sebasfalcone]

Functional testing

Centos 8

CVE-2024-26838

Indexer:

      {
        "_index": "wazuh-states-vulnerabilities-thinkpad-sebas",
        "_id": "001_19925e120611a2d5c4acf440079c390dc0ada4b8_CVE-2024-26838",
        "_score": 1,
        "_source": {
          "agent": {
            "id": "001",
            "name": "centos8",
            "type": "Wazuh",
            "version": "v4.9.0"
          },
          "host": {
            "os": {
              "full": "CentOS Linux 8.5.2111",
              "kernel": "4.18.0-348.7.1.el8_5.x86_64",
              "name": "CentOS Linux",
              "platform": "centos",
              "type": "centos",
              "version": "8.5.2111"
            }
          },
          "package": {
            "architecture": "x86_64",
            "description": "Python bindings for apps which will manipulate perf events",
            "installed": "2023-11-01T20:38:57.000Z",
            "name": "python3-perf",
            "size": 372789,
            "type": "rpm",
            "version": "4.18.0-348.7.1.el8_5"
          },
          "vulnerability": {
            "category": "Packages",
            "classification": "-",
            "description": "DOCUMENTATION: The MITRE CVE dictionary describes this issue as: In the Linux kernel, the following vulnerability has been resolved:  RDMA/irdma: Fix KASAN issue with tasklet  KASAN testing revealed the following issue assocated with freeing an IRQ.  [50006.466686] Call Trace: [50006.466691]  <IRQ> [50006.489538]  dump_stack+0x5c/0x80 [50006.493475]  print_address_description.constprop.6+0x1a/0x150 [50006.499872]  ? irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.505742]  ? irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.511644]  kasan_report.cold.11+0x7f/0x118 [50006.516572]  ? irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.522473]  irdma_sc_process_ceq+0x483/0x790 [irdma] [50006.528232]  irdma_process_ceq+0xb2/0x400 [irdma] [50006.533601]  ? irdma_hw_flush_wqes_callback+0x370/0x370 [irdma] [50006.540298]  irdma_ceq_dpc+0x44/0x100 [irdma] [50006.545306]  tasklet_action_common.isra.14+0x148/0x2c0 [50006.551096]  __do_softirq+0x1d0/0xaf8 [50006.555396]  irq_exit_rcu+0x219/0x260 [50006.559670]  irq_exit+0xa/0x20 [50006.563320]  smp_apic_timer_interrupt+0x1bf/0x690 [50006.568645]  apic_timer_interrupt+0xf/0x20 [50006.573341]  </IRQ>  The issue is that a tasklet could be pending on another core racing the delete of the irq.  Fix by insuring any scheduled tasklet is killed after deleting the irq.",
            "detected_at": "2024-09-27T01:18:30.316Z",
            "enumeration": "CVE",
            "id": "CVE-2024-26838",
            "published_at": "2024-04-17T10:15:09Z",
            "reference": "https://access.redhat.com/security/cve/CVE-2024-26838",
            "scanner": {
              "source": "Red Hat CVE Database",
              "vendor": "Wazuh"
            },
            "score": {
              "base": 4.4,
              "version": "3.1"
            },
            "severity": "Medium",
            "under_evaluation": false
          },
          "wazuh": {
            "cluster": {
              "name": "Thinkpad-Sebas"
            },
            "schema": {
              "version": "1.0.0"
            }
          }
        }
      }

Description 🟢

• RedHat: DOCUMENTATION: The MITRE CVE dictionary describes this issue as: In the Linux kernel, the following vulnerability
• NVD: In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix KASAN issue with tasklet

CVSS 🟢

• Redhat: 4.4
• NVD: 5.5

[sebasfalcone]

Functional testing

Pypi

Indexer

      {
        "_index": "wazuh-states-vulnerabilities-thinkpad-sebas",
        "_id": "000_2f6e6738cd66732cba19df00662691fa0f272237_CVE-2024-34064",
        "_score": 5.4109426,
        "_source": {
          "agent": {
            "id": "000",
            "name": "Thinkpad-Sebas",
            "type": "Wazuh",
            "version": "v4.10.0"
          },
          "host": {
            "os": {
              "full": "Linux Mint 21.1 (Vera)",
              "kernel": "5.15.0-119-generic",
              "name": "Linux Mint",
              "platform": "linuxmint",
              "type": "linuxmint",
              "version": "21.1"
            }
          },
          "package": {
            "name": "Jinja2",
            "path": "/home/sebas/.local/lib/python3.10/site-packages/Jinja2-3.1.3.dist-info/METADATA",
            "size": 0,
            "type": "pypi",
            "version": "3.1.3"
          },
          "vulnerability": {
            "category": "Packages",
            "classification": "-",
            "description": "Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter",
            "detected_at": "2024-09-27T01:18:09.363Z",
            "enumeration": "CVE",
            "id": "CVE-2024-34064",
            "published_at": "2024-05-06T15:15:23Z",
            "reference": "https://github.com/pallets/jinja, https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cb, https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj, https://lists.fedoraproject.org/archives/list/[email protected]/message/567XIGSZMABG6TSMYWD7MIYNJSUQQRUC, https://lists.fedoraproject.org/archives/list/[email protected]/message/GCLF44KY43BSVMTE6S53B4V5WP3FRRSE, https://lists.fedoraproject.org/archives/list/[email protected]/message/SSCBHIL6BYKR5NRCBXP4XMP2CEEKGFVS, https://lists.fedoraproject.org/archives/list/[email protected]/message/ZALNWE3TXPPHVPSI3AZ5CTMSTAVN5UMS, https://nvd.nist.gov/vuln/detail/CVE-2024-34064",
            "scanner": {
              "source": "Open Source Vulnerabilities",
              "vendor": "Wazuh"
            },
            "score": {
              "base": 5.4,
              "version": "3.1"
            },
            "severity": "Medium",
            "under_evaluation": false
          },
          "wazuh": {
            "cluster": {
              "name": "Thinkpad-Sebas"
            },
            "schema": {
              "version": "1.0.0"
            }
          }
        }
      }

Description 🟢

• OSV: Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
• NVD: Jinja is an extensible templating engine. The xmlattr filter in affected version

CVSS 🟢

• OSV: 5.4
• NVD: 5.4

[sebasfalcone]

Functional testing

CVE-2022-40023 - CVSS information not in ADP

This test verifies that the NVD information is used if the ADP doesn't have the corresponding information

Indexer

      {
        "_index": "wazuh-states-vulnerabilities-thinkpad-sebas",
        "_id": "000_f862ea4e955d202b0a5aa16e83d96e4ad9cdee09_CVE-2022-40023",
        "_score": 14.753093,
        "_source": {
          "agent": {
            "id": "000",
            "name": "Thinkpad-Sebas",
            "type": "Wazuh",
            "version": "v4.10.0"
          },
          "host": {
            "os": {
              "full": "Linux Mint 21.1 (Vera)",
              "kernel": "5.15.0-119-generic",
              "name": "Linux Mint",
              "platform": "linuxmint",
              "type": "linuxmint",
              "version": "21.1"
            }
          },
          "package": {
            "name": "Mako",
            "path": "/usr/lib/python3/dist-packages/Mako-1.1.3-py3.10.egg-info/PKG-INFO",
            "size": 0,
            "type": "pypi",
            "version": "1.1.3"
          },
          "vulnerability": {
            "category": "Packages",
            "classification": "CVSS",
            "description": "mako is vulnerable to Regular Expression Denial of Service",
            "detected_at": "2024-09-27T16:00:37.634Z",
            "enumeration": "CVE",
            "id": "CVE-2022-40023",
            "published_at": "2022-09-07T13:15:09Z",
            "reference": "https://github.com/advisories/GHSA-v973-fxgf-6xhp, https://github.com/pypa/advisory-database/tree/main/vulns/mako/PYSEC-2022-260.yaml, https://github.com/sqlalchemy/mako, https://github.com/sqlalchemy/mako/blob/c2f392e0be52dc67d1b9770ab8cce6a9c736d547/mako/ext/extract.py#L21, https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c, https://github.com/sqlalchemy/mako/issues/366, https://lists.debian.org/debian-lts-announce/2022/09/msg00026.html, https://nvd.nist.gov/vuln/detail/CVE-2022-40023, https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages, https://pyup.io/vulnerabilities/CVE-2022-40023/50870, https://pyup.io/vulnerabilities/CVE-2022-40023/50870/",
            "scanner": {
              "source": "Open Source Vulnerabilities",
              "vendor": "Wazuh"
            },
            "score": {
              "base": 7.5,
              "version": "3.1"
            },
            "severity": "High",
            "under_evaluation": false
          },
          "wazuh": {
            "cluster": {
              "name": "Thinkpad-Sebas"
            },
            "schema": {
              "version": "1.0.0"
            }
          }
        }
      }

Description 🟢

• Pypi: mako is vulnerable to Regular Expression Denial of Service
• NVD: Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.

CVSS 🟢

• Pypi: null
• NVD: 7.5

Seba make the latest changes.