cve 0.1.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 0f70a573dcb61f792c4dc6b8c7a381393c10bbc7e4c32cede0cf8b51ec8992ea
+  data.tar.gz: 13b7641c5dd0383ad258711c3dd8f2c6b0a22fd30ff8d06a4ec521d4aab2ae30
+SHA512:
+  metadata.gz: 9e2731047003d100271d2059820c5d8bde6332ddf23794a67a0019a6150eb982ae2f4bddda18cbc96477b9af36f8ef6e6a0d85433e821bb715d47845292abb8c
+  data.tar.gz: 8185220576d82f7be99e6e787787870a2c58cfb52c2bdbdf3dd1ba3814a71611578dafc811be47d11a5164637703cea658fca9e092d2987c0f88395194e35f03

data/Gemfile

@@ -0,0 +1,8 @@
+source 'https://rubygems.org'
+
+gem 'gems'
+
+gem 'color_pound_spec_reporter'
+gem 'httparty', '~> 0.22'
+gem 'minitest', '~> 5.18'
+gem 'minitest-reporters', '~> 1.6'

data/README.md

@@ -0,0 +1,18 @@
+# Book & Owl CVE Lookup Utility
+
+## Overview
+
+A simple utility to lookup CVE entries in the NIST database for a specific product and version ("cpe").
+
+## Usage
+
+`cve <search|help|legal> [product] [version]`
+
+Commands  
+  - search: search NIST vulnerabilty database for [product] and [version]  
+  - help: display usage information (i.e. this message)  
+  - legal: display license and related information for CVE Lookup Utility and NIST NVD data  
+
+## License
+
+The CVE Lookup Utility is licensed under the MIT License. See LICENSE file or `cve legal` for details.

data/Rakefile

@@ -0,0 +1,53 @@
+require "rake/testtask"
+
+namespace :test do
+  Rake::TestTask.new(:all) do |task|
+    task.description = "Run all unit and integration tests"
+    task.libs << ["test", "test/unit" "lib"]
+    task.test_files = FileList["test/unit/*_test.rb", "test/integration/*_test.rb"]
+  end
+
+  Rake::TestTask.new(:unit) do |task|
+    task.description = "Run unit tests"
+    task.libs << ["test", "test/unit" "lib"]
+    task.test_files = FileList["test/unit/*_test.rb"]
+  end
+
+  Rake::TestTask.new(:integration) do |task|
+    task.description = "Run integration tests"
+    task.libs << ["test", "test/unit" "lib"]
+    task.test_files = FileList["test/integration/*_test.rb"]
+  end
+
+  desc "Run all benchmark evaluations"
+  task :benchmark do
+    Dir.glob("test/benchmarks/*_bench.rb") do |benchmark|
+      puts "\nRunning..."
+      ruby "-I lib -I test/benchmarks #{benchmark}"
+      puts "\n\n#{"-" * 8}\n"
+    end
+  end
+end
+
+desc "Print the specs"
+task :print_specs do
+  puts "\n"
+  FileList["test/unit/*_test.rb", "test/integration/*_test.rb"].each do |f|
+    puts "\n#{f}\n"
+    indent = 2
+    File.readlines(f).each do |line|
+      indent += 1 if /\bdo\b/ =~ line
+      case
+      when /describe\s*\'(.*)\'/ =~ line
+        puts "#{"  " * indent}#{$1}"
+      when /it\s*\'(.*)\'/ =~ line
+        puts "#{"  " * indent}#{$1}"
+      when /^\s*end/ =~ line
+        indent = [indent -= 1, 0].max
+      end
+    end
+  end
+end
+
+task :default => "test:unit"
+task :test => "test:unit"

data/bin/cve

@@ -0,0 +1,41 @@
+#!/usr/bin/env ruby
+
+##
+# Copyright (c) 2024 Gerald Hilts
+# License: MIT (https://github.com/gwhilts/cve_lookup/blob/main/LICENSE)
+#
+# This file is the entry-point to app.
+# It is a executable shell script that accepts
+# and parses command line arguments then hands
+# things of off to an appropriate class-based
+# object.
+##
+
+$LOAD_PATH.unshift File.join(File.expand_path(File.join(File.realpath(__FILE__), "../..")), "lib")
+
+require 'legal_helper'
+require 'search'
+
+@help = <<~END_QUOTE
+  Usage: cve <search|help|legal> [product] [version]
+
+  Commands
+    - search: search NIST vulnerabilty database for [product] and [version]
+    - help: display this message
+    - legal: display license and related information for CVE Lookup Utility and NIST NVD data
+
+END_QUOTE
+
+case ARGV[0]
+when 'help'
+  puts @help
+when 'legal'
+  LegalHelper.print_info
+when 'search'
+  Search.new(ARGV[1], ARGV[2]).run
+else
+  puts 'Error: unknown or missing command'
+  puts @help
+end
+
+exit 0

data/lib/io_helper.rb

@@ -0,0 +1,31 @@
+# (c) 2024 Gerald Hilts
+# License: MIT (https://github.com/gwhilts/cve_lookup/blob/main/LICENSE)
+
+class IOHelper
+  require "io/console"
+
+  def initialize(test_mode = false)
+    @test = test_mode
+  end
+  
+  def request(prompt, test_val = "TEST")
+    unless @test
+      print "#{prompt} "
+      $stdin.gets.chomp
+    else
+      test_val
+    end
+  end
+
+  def request_from_range(range, test_val = 0)
+    unless @test
+      response = ""
+      until (response.match /^(\d+|X)/) && (range.include? response.to_i) do
+        response = request("#{range.first} - #{range.last}: ")
+      end
+      response
+    else
+      test_val
+    end
+  end
+end

data/lib/legal_helper.rb

@@ -0,0 +1,70 @@
+# (c) 2024 Gerald Hilts
+# License: MIT (https://github.com/gwhilts/cve_lookup/blob/main/LICENSE)
+
+class LegalHelper
+  def self.license
+    File.read(File.join(File.expand_path(File.join(File.realpath(__FILE__), "../..")), "LICENSE"))
+  end
+
+  def self.nvd_info
+    <<~END_QUOTE
+    NIST NVD
+    ========
+
+    The CVE Lookup Utility uses application programming interfaces (APIs) to 
+    retreive information from the National Vulnerability Database (NVD), a U.S. 
+    government repository of standards based vulnerability management data.
+
+    This data is made available by the National Institute of Standards and 
+    Technology (NIST) as a "as a public service" with the following legal 
+    disclaimer:
+
+      The National Vulnerability Database (NVD) is a repository of standards based 
+      vulnerability data. The Database is maintained by the National Institute of 
+      Standards and Technology (NIST), an agency of the Federal Government, and is 
+      being provided as a public service. Much of the data in NVD records is derived 
+      from publicly available data sources, including product information and 
+      manufacturer/developer information. NIST does not evaluate, review, or test 
+      software or code contained within the NVD. The NVD is expressly provided 
+      “AS IS.” NIST MAKES NO WARRANTY OF ANY KIND, EXPRESS, IMPLIED OR STATUTORY, 
+      INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS 
+      FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND DATA ACCURACY. NIST does not 
+      warrant or make any representations regarding the use of the NVD, its contents, 
+      or the results obtained therefrom, including but not limited to the correctness, 
+      accuracy, reliability, or usefulness of the NVD. You are solely responsible for 
+      determining the appropriateness of your use of the NVD and its contents and you
+      assume all risks associated with its use.
+    
+    (see https://nvd.nist.gov/general/legal-disclaimer)
+
+    The CVE Lookup Utility is not endorsed or certified by the NVD.
+    END_QUOTE
+  end
+
+  def self.third_party_info
+    <<~END_QUOTE
+    Ruby Gems
+    =========
+
+    Although not present in the code itself, various Ruby Gem libraries 
+    that CVE Lookup Utility rely upon may be installed along with it
+    if they are not already present in the user's environment.
+
+    These libraries are released under various licenses. See
+    
+      https://github.com/gwhilts/cve_lookup/blob/main/THIRD_PARTY.md
+
+    for more details.
+    END_QUOTE
+  end
+
+  def self.print_info
+    puts "\n"
+    puts license
+    puts "\n(https://github.com/gwhilts/cve_lookup/blob/main/LICENSE)\n\n"
+    puts nvd_info
+    puts "\n\n"
+    puts third_party_info
+  end
+  
+end

data/lib/nvd_helper.rb

@@ -0,0 +1,41 @@
+# (c) 2024 Gerald Hilts
+# License: MIT (https://github.com/gwhilts/cve_lookup/blob/main/LICENSE)
+
+class NVDHelper
+  require 'httparty'
+  require 'cgi'
+
+  NIST_API_SERVER = "https://services.nvd.nist.gov"
+  NIST_CVE_URL_BASE = "https://nvd.nist.gov/vuln/detail/"
+
+  def self.cpe_list_for(name, version)
+    begin
+      HTTParty.get(cpe_uri(name, version))['products'].map do |p|
+        { title: p['cpe']['titles'][0]['title'], cpe_name: p['cpe']['cpeName'] }
+      end
+    rescue
+      []
+    end
+  end
+
+  def self.cpe_uri(name, version)
+    "#{NIST_API_SERVER}/rest/json/cpes/2.0?cpeMatchString=cpe:2.3:*:*:#{CGI.escape(name)}:#{CGI.escape(version)}"
+  end
+
+  def self.cve_list_for(cpe_name)
+    # begin
+      HTTParty.get(cve_uri(cpe_name))["vulnerabilities"].map { |v| v["cve"]["id"] }
+    # rescue
+    #   []
+    # end
+  end
+
+  def self.cve_uri(cpe_name)
+    "#{NIST_API_SERVER}/rest/json/cves/2.0?cpeName=#{cpe_name}"
+  end
+
+  def self.detail_urls_for(cve_list)
+    cve_list.map { |cve| NIST_CVE_URL_BASE + cve }
+  end
+
+end

data/lib/search.rb

@@ -0,0 +1,73 @@
+# (c) 2024 Gerald Hilts
+# License: MIT (https://github.com/gwhilts/cve_lookup/blob/main/LICENSE)
+
+class Search
+  require 'io_helper'
+  require 'nvd_helper'
+
+  def initialize(product, version, test_mode = false)
+    @cpe_name = ""
+    @cpe_title = ""
+    @product = product
+    @version = version
+    @io = IOHelper.new(test_mode)
+  end
+
+  def run()
+    set_product_name
+    set_version
+    select_cpe
+    present_cve_list
+  end
+
+  def set_product_name
+     @product = @product || @io.request('Product name:')
+  end
+
+  def set_version
+    @version = @version || @io.request('Version number:')
+  end
+
+  def select_cpe
+    puts "Searching CPE Dictionary for : #{@product} v#{@version} ...\n--\n"
+    
+    cpe_list = NVDHelper.cpe_list_for(@product, @version)
+    
+    if cpe_list.count > 0
+      puts "Please select a product:\n\n"
+      cpe_list.each_with_index do |cve, i|
+        puts "#{i}: #{cve[:title]} (#{cve[:cpe_name]}"
+      end
+      puts "X: eXit and try again.\n\n"
+    else
+      puts "Unable to locate any entries for #{@product} v#{@version} in the CPE Dictionary."
+      puts 'Please try again.'
+      exit 0
+    end
+
+    case index = @io.request_from_range(0..(cpe_list.count - 1))
+    when "X"
+      exit 0
+    else
+      @cpe_title = cpe_list[index.to_i][:title]
+      @cpe_name = cpe_list[index.to_i][:cpe_name]
+    end
+    
+  end
+
+  def present_cve_list
+    cve_list = NVDHelper.cve_list_for(@cpe_name)
+    
+    puts "\n--\nSearching Nist National Vulnerability Database for #{@cpe_title}\n\n"
+    case cve_list.count
+    when 0
+      puts "Unable to located any CVEs for #{@product} v#{@version}."
+    when 1
+      puts "The following CVE is associated with #{@product} v#{@version}:\n\n"
+      puts cve_list.map { |cve| "https://nvd.nist.gov/vuln/detail/#{cve}" }
+    else
+      puts "The following CVEs are associated with #{@product} v#{@version}:\n\n"
+      puts cve_list.map { |cve| "https://nvd.nist.gov/vuln/detail/#{cve}" }
+    end
+  end
+end

metadata

@@ -0,0 +1,93 @@
+--- !ruby/object:Gem::Specification
+name: cve
+version: !ruby/object:Gem::Version
+  version: 0.1.2
+platform: ruby
+authors:
+- Gerald Hilts
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2024-10-05 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: gems
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.2.0
+- !ruby/object:Gem::Dependency
+  name: httparty
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.22'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.22.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.22'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.22.0
+description: Command-line tool to search the NIST National Vulnerability Database
+  for CVE reports associated with a specific product and version.
+email:
+- gwhilts@booknowl.com
+executables:
+- cve
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- README.md
+- Rakefile
+- bin/cve
+- lib/io_helper.rb
+- lib/legal_helper.rb
+- lib/nvd_helper.rb
+- lib/search.rb
+homepage: https://github.com/gwhilts/cve
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.20
+signing_key:
+specification_version: 4
+summary: CVE Lookup Utility
+test_files: []