cpe23 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: aab30b1d7b5b8b3a9be29bc890e242c9ab72d2d47f13ebbe8268d680e9995dd5
+  data.tar.gz: 9a3bddfa0059410d25ce32c8aa8dfce9fefd0b0a23bf6ce224cb0957c9e1c12d
+SHA512:
+  metadata.gz: c0183e27dec8bde99cbf321e832ac5d21ea05ac2df87d0b128e56d0c67427776669a11144e2b4665b3ce81c3f8365954df55c239779a4099cd1a0e34365906fa
+  data.tar.gz: aea8a89821b56ffa184bc200b3d2aa62b5326aaf5780b4e8b6d62d3d75b0f53aac63f616f838a8fc9043e7c2d8c340650b8183384c08e9d5d8c91728d05a0a87

data/.gitignore

@@ -0,0 +1,8 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.travis.yml

@@ -0,0 +1,6 @@
+---
+language: ruby
+cache: bundler
+rvm:
+  - 2.7.0
+before_install: gem install bundler -v 2.1.4

data/Gemfile

@@ -0,0 +1,12 @@
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in cpe23.gemspec
+gemspec
+
+gem "rake", "~> 12.0"
+gem "minitest", "~> 5.0"
+
+gem "pry", "~> 0.12.2", :groups => [:development, :test]
+
+gem "pry-byebug", "~> 3.8", :groups => [:development, :test]
+

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2020 Jeremy Symon
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,52 @@
+# Cpe23
+
+Parse and serialise CPEs in CPE23, URI, and WFN formats.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'cpe23'
+```
+
+And then execute:
+
+    $ bundle install
+
+Or install it yourself as:
+
+    $ gem install cpe23
+
+## Usage
+
+Parse a CPE in CPE23, URI, or WFN format:
+``` ruby
+Cpe23.parse(string)
+```
+
+Serialise a CPE:
+``` ruby
+cpe.to_str
+cpe.to_uri
+cpe.to_wfn
+```
+
+Compare two CPEs:
+ - all non-wildcard components must match
+ - version compares the least specific of the two CPEs
+ - CPEs that differ only in version are ordered by their version
+
+## Development
+
+After checking out the repo, run `bundle install` to install dependencies. Then, run `rake test` to run the tests.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/jtsymon/cpe23.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,10 @@
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList["test/**/*_test.rb"]
+end
+
+task :default => :test

data/cpe23.gemspec

@@ -0,0 +1,26 @@
+require_relative 'lib/cpe23/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "cpe23"
+  spec.version       = Cpe23::VERSION
+  spec.authors       = ["Jeremy Symon"]
+  spec.email         = ["jtsymon@gmail.com"]
+
+  spec.summary       = %q{CPE parser/generator/matcher}
+  spec.description   = %q{Library for parsing, generating, and matching CPEs}
+  spec.homepage      = "https://github.com/jtsymon/cpe23"
+  spec.license       = "MIT"
+  spec.required_ruby_version = Gem::Requirement.new(">= 2.3.0")
+
+  spec.metadata["homepage_uri"] = spec.homepage
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+  spec.add_runtime_dependency('citrus', '~> 3.0')
+end

data/lib/cpe23.rb

@@ -0,0 +1,293 @@
+# frozen_string_literal: true
+
+require 'cpe23/version'
+require 'cpe23/version_wildcard'
+require 'citrus'
+
+Citrus.load(File.expand_path('cpe23/wfn', File.dirname(__FILE__)))
+Citrus.load(File.expand_path('cpe23/cpe23', File.dirname(__FILE__)))
+
+# Implementation of CPE 2.3: https://cpe.mitre.org/specification
+class Cpe23
+  include Comparable
+  # The part attribute SHALL have one of these three string values:
+  # The value "a", when the WFN is for a class of applications.
+  # The value "o", when the WFN is for a class of operating systems.
+  # The value "h", when the WFN is for a class of hardware devices.
+  attr_accessor :part
+
+  # Values for this attribute SHOULD describe or identify the person or
+  # organization that manufactured or created the product. Values for this
+  # attribute SHOULD be selected from an attribute-specific valid-values list,
+  # which MAY be defined by other specifications that utilize this
+  # specification. Any character string meeting the requirements for WFNs (cf.
+  # 5.3.2) MAY be specified as the value of the attribute.
+  attr_accessor :vendor
+
+  # Values for this attribute SHOULD describe or identify the most common and
+  # recognizable title or name of the product. Values for this attribute SHOULD
+  # be selected from an attribute-specific valid-values list, which MAYbe
+  # defined by other specifications that utilize this specification. Any
+  # character string meeting the requirements for WFNs(cf. 5.3.2) MAY be
+  # specified as the value of the attribute.
+  attr_accessor :product
+
+  # Values for this attribute SHOULD be vendor-specific alphanumeric strings
+  # characterizing the particular release version of the product. Version
+  # information SHOULD be copied directly (with escaping of printable
+  # non-alphanumeric characters as required) from discoverable data and SHOULD
+  # NOT be truncated or otherwise modified. Any character string meeting the
+  # requirements for WFNs (cf. 5.3.2) MAY be specified as the value of the
+  # attribute.
+  def version_raw
+    @version
+  end
+
+  def version
+    Cpe23::Version.new(@version)
+  end
+
+  attr_writer :version
+
+  # Values for this attribute SHOULD be vendor-specific alphanumeric strings
+  # characterizing the particular update, service pack, or point release of the
+  # product.Values for this attribute SHOULD be selected from an
+  # attribute-specific valid-values list, which MAYbe defined by other
+  # specifications that utilize this specification. Any character string meeting
+  # the requirements for WFNs (cf. 5.3.2) MAYbe specified as the value of the
+  # attribute.
+  attr_accessor :update
+
+  # The edition attribute isconsidered deprecatedin this specification, and it
+  # SHOULD be assigned the logical value ANY except where required for backward
+  # compatibility with version 2.2 of the CPE specification.This attribute is
+  # referred to as the "legacyedition" attribute. If this attribute is used,
+  # values for this attribute SHOULD capture edition-related terms applied by
+  # the vendor to the product. Values for this attribute SHOULD be selected from
+  # an attribute-specific valid-values list, which MAYbe defined by other
+  # specifications that utilize this specification. Any character string meeting
+  # the requirements for WFNs (cf. 5.3.2) MAY be specified as the value of the
+  # attribute.
+  attr_accessor :edition
+
+  # Values for thisattribute SHALL be valid language tagsas defined by
+  # [RFC5646], and SHOULD be used to define the language supported in the user
+  # interface of the product being described.Although any valid language tag MAY
+  # be used, only tags containing language and region codes SHOULD be used.
+  attr_accessor :language
+
+  # Values for this attribute SHOULD characterize how the product is tailored to
+  # a particular market or class of end users. Values for this attribute SHOULD
+  # be selected from an attribute-specific valid-values list, which MAYbe
+  # defined by other specifications that utilize this specification. Any
+  # character string meeting the requirements for WFNs(cf. 5.3.2) MAYbe
+  # specified as the value of the attribute.
+  attr_accessor :sw_edition
+
+  # Values for this attribute SHOULDcharacterize the software computing
+  # environment within which the product operates.Values for this attribute
+  # SHOULD be selected from an attribute-specific valid-values list, which MAYbe
+  # defined by other specifications that utilize this specification. Any
+  # character string meeting the requirements for WFNs(cf. 5.3.2) MAYbe
+  # specified as the value of the attribute.
+  attr_accessor :target_sw
+
+  # Valuesfor this attribute SHOULD characterize the instruction set
+  # architecture (e.g., x86) on which the product being described or identified
+  # by the WFN operates. Bytecode-intermediate languages, such as Java bytecode
+  # for the Java Virtual Machine or Microsoft Common Intermediate Language for
+  # the Common Language Runtime virtual machine, SHALL be considered instruction
+  # set architectures. Values for this attribute SHOULD be selected from an
+  # attribute-specific valid-values list, which MAY be defined by other
+  # specifications that utilize this specification. Any character string meeting
+  # the requirements for WFNs(cf. 5.3.2) MAY be specified as the value of the
+  # attribute.
+  attr_accessor :target_hw
+
+  # Values for this attribute SHOULD capture any other general descriptive or
+  # identifying information which is vendor-or product-specific and which does
+  # not logically fit in any other attribute value. Values SHOULD NOT be used
+  # for storing instance-specific data (e.g., globally-unique identifiers or
+  # Internet Protocol addresses).Values for this attribute SHOULD be selected
+  # from a valid-values list that is refined over time; this list MAYbe defined
+  # by other specifications that utilize this specification. Any character
+  # string meeting the requirements for WFNs (cf. 5.3.2) MAYbe specified as the
+  # value of the attribute.
+  attr_accessor :other
+
+  def initialize(part: nil, vendor: nil, product: nil, version: nil,
+                 update: nil, edition: nil, language: nil, sw_edition: nil,
+                 target_sw: nil, target_hw: nil, other: nil)
+    @part = part
+    @vendor = vendor
+    @product = product
+    @version = version
+    @update = update
+    @edition = edition
+    @language = language
+    @sw_edition = sw_edition
+    @target_sw = target_sw
+    @target_hw = target_hw
+    @other = other
+  end
+
+  def <=>(other)
+    unless other.is_a? Cpe23
+      begin
+        other = Cpe23.parse(other)
+      rescue StandardError
+        return nil
+      end
+    end
+    return nil unless
+      Cpe23.attr_match?(part, other.part) &&
+      Cpe23.attr_match?(vendor, other.vendor) &&
+      Cpe23.attr_match?(product, other.product) &&
+      Cpe23.attr_match?(update, other.update) &&
+      Cpe23.attr_match?(edition, other.edition) &&
+      Cpe23.attr_match?(language, other.language) &&
+      Cpe23.attr_match?(target_sw, other.target_sw) &&
+      Cpe23.attr_match?(target_hw, other.target_hw) &&
+      Cpe23.attr_match?(self.other, other.other)
+
+    version <=> other.version
+  end
+
+  def to_wfn
+    attrs = %i[part vendor product version update edition language sw_edition
+               target_sw target_hw other].map do |key|
+      value = instance_variable_get("@#{key}")
+      str = case value
+            when nil then 'NA'
+            when '*' then 'ANY'
+            else "\"#{value.downcase}\""
+            end
+      "#{key}=#{str}"
+    end
+    "wfn:[#{attrs.join(',')}]"
+  end
+
+  def to_uri
+    fields = [@part, @vendor, @product, @version, @update, @edition, @language]
+    # Strip trailing empty fields
+    fields = fields[0...-1] while fields.any? && fields[-1].nil?
+    fields.map! do |f|
+      f.sub('?', '%01')
+       .sub('*', '%02')
+    end
+    'cpe:/' + fields.join(':').downcase
+  end
+
+  def to_str
+    ['cpe', '2.3', @part, @vendor, @product, @version, @update, @edition,
+     @language, @sw_edition, @target_sw, @target_hw, @other].join(':').downcase
+  end
+
+  alias to_s to_str
+
+  class << self
+    def parse(str)
+      str = str.strip
+      if str.start_with? 'wfn:'
+        parse_wfn(str)
+      elsif str.start_with? 'cpe:/'
+        parse_uri(str)
+      elsif str.start_with? 'cpe:2.3:'
+        parse_str(str)
+      else
+        raise ArgumentError, 'CPE malformed'
+      end
+    end
+
+    def attr_match?(first, second)
+      first == '*' || second == '*' || first == second
+    end
+
+    private
+
+    def parse_wfn(str)
+      data = {}
+      WFN.parse(str)[:attr].each do |attr|
+        key = attr.capture(:symbol).value.to_sym
+        value = attr.capture(:value).then do |val|
+          if (str = val.capture(:string))
+            str.capture(:content).value
+          else
+            # Translate WFN special values (only applies to non-string)
+            case (str = val.value)
+            when 'ANY' then '*'
+            when 'NA' then nil
+            else str
+            end
+          end
+        end
+        if data.include? key
+          raise ArgumentError, 'Attribute defined multiple times'
+        end
+
+        data[key] = value
+      end
+
+      new(**data)
+    end
+
+    def parse_uri(str)
+      tag, body = str.split(':/', 2)
+      raise ArgumentError, 'Not a CPE URI' if tag != 'cpe' || body.nil?
+
+      body.sub!('%01', '?')
+      body.sub!('%02', '*')
+
+      data = {}
+      data[:part], data[:vendor], data[:product], data[:version], data[:update],
+        data[:edition], data[:language], remainder = body.split(':')
+
+      raise ArgumentError, 'CPE URI malformed' unless remainder.nil?
+
+      # All attributes are optional.
+      new(**data)
+    end
+
+    # Faster implementation of CPE parser... Citrus is not fast :(
+    def parse_cpe23(str)
+      raise ArgumentError, 'Not a CPE str' unless str.start_with?('cpe:2.3')
+
+      index = 7
+      size = str.size
+      char = str[index]
+      attr = 11.times.map do
+        raise ArgumentError, 'CPE formatted string malformed' if char != ':'
+
+        index += 1
+        attr_index = index
+        until index >= size || (char = str[index]) == ':'
+          index += 1
+          index += 1 if char == '\\' # Skip escaped characters
+        end
+        str[attr_index...index]
+      end
+      raise ArgumentError, 'CPE formatted string malformed' if index != size
+
+      attr
+    end
+
+    def parse_str(str)
+      # attr = Cpe23.parse(str)[:attr].map(&:value)
+      attr = parse_cpe23(str)
+      data = {}
+      data[:part], data[:vendor], data[:product], data[:version],
+        data[:update], data[:edition], data[:language], data[:sw_edition],
+        data[:target_sw], data[:target_hw], data[:other], remainder = attr
+
+      # All attributes MUST appear
+      if data.any? { |_k, v| v.nil? } || !remainder.nil?
+        raise ArgumentError, 'CPE formatted string malformed'
+      end
+
+      # Remove empty attributes to avoid confusing the constructor
+      data.reject! { |_k, v| v.empty? }
+
+      new(**data)
+    end
+  end
+end

data/lib/cpe23/cpe23.citrus

@@ -0,0 +1,13 @@
+grammar CPE23
+  rule cpe23
+    'cpe:2.3' (':' attr) 11*11
+  end
+
+  rule escaped
+    '\\' .
+  end
+
+  rule attr
+    (escaped | /[^:]/)*
+  end
+end

data/lib/cpe23/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class Cpe23
+  VERSION = '0.1.0'
+end

data/lib/cpe23/version_wildcard.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+class Cpe23
+  class Version
+    include Comparable
+    attr_reader :parts
+
+    def initialize(str)
+      @parts = str.split('.')
+      wildcard_index = @parts.index '*'
+      if wildcard_index.nil?
+        @parts << '*'
+      elsif wildcard_index < @parts.size - 1
+        raise 'Wildcard must be at the end of a version'
+      end
+    end
+
+    def <=>(other)
+      unless other.is_a? Version
+        begin
+          other = Version.new(other)
+        rescue StandardError
+          return nil
+        end
+      end
+      @parts.zip(other.parts).each do |a, b|
+        break if a == '*' || b == '*'
+
+        # Compare parts numerically if they are numeric
+        if int?(a) && int?(b)
+          a = a.to_i
+          b = b.to_i
+        end
+        return -1 if a.to_i < b.to_i
+        return 1 if a.to_i > b.to_i
+      end
+      0
+    end
+
+    private
+
+    def int?(str)
+      true if Integer(str)
+    rescue StandardError
+      false
+    end
+  end
+end

data/lib/cpe23/wfn.citrus

@@ -0,0 +1,33 @@
+grammar WFN
+  rule wfn
+    'wfn:[' space (attr (space ',' space attr)*)? space ']'
+  end
+
+  rule attr
+    symbol space '=' space value
+  end
+
+  rule symbol
+    [a-zA-Z0-9_]*
+  end
+
+  rule escaped
+    '\\' .
+  end
+
+  rule content
+    (escaped | /[^"]/)*
+  end
+
+  rule string
+    '"' content '"'
+  end
+
+  rule value
+    string | symbol
+  end
+
+  rule space
+    [ \t]*
+  end
+end

metadata

@@ -0,0 +1,70 @@
+--- !ruby/object:Gem::Specification
+name: cpe23
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Jeremy Symon
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2020-02-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: citrus
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+description: Library for parsing, generating, and matching CPEs
+email:
+- jtsymon@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".travis.yml"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- cpe23.gemspec
+- lib/cpe23.rb
+- lib/cpe23/cpe23.citrus
+- lib/cpe23/version.rb
+- lib/cpe23/version_wildcard.rb
+- lib/cpe23/wfn.citrus
+homepage: https://github.com/jtsymon/cpe23
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/jtsymon/cpe23
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.3.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.2
+signing_key: 
+specification_version: 4
+summary: CPE parser/generator/matcher
+test_files: []