cve_schema 0.1.0

Files changed (70) hide show
  1. checksums.yaml +7 -0
  2. data/.document +3 -0
  3. data/.github/workflows/ruby.yml +28 -0
  4. data/.gitignore +6 -0
  5. data/.rspec +1 -0
  6. data/.yardopts +1 -0
  7. data/ChangeLog.md +26 -0
  8. data/Gemfile +14 -0
  9. data/LICENSE.txt +20 -0
  10. data/README.md +50 -0
  11. data/Rakefile +23 -0
  12. data/benchmark.rb +47 -0
  13. data/cve_schema.gemspec +61 -0
  14. data/gemspec.yml +19 -0
  15. data/lib/cve_schema.rb +2 -0
  16. data/lib/cve_schema/cve.rb +257 -0
  17. data/lib/cve_schema/cve/affects.rb +55 -0
  18. data/lib/cve_schema/cve/configuration.rb +14 -0
  19. data/lib/cve_schema/cve/credit.rb +14 -0
  20. data/lib/cve_schema/cve/data_meta.rb +185 -0
  21. data/lib/cve_schema/cve/description.rb +24 -0
  22. data/lib/cve_schema/cve/exploit.rb +14 -0
  23. data/lib/cve_schema/cve/has_lang_value.rb +93 -0
  24. data/lib/cve_schema/cve/id.rb +79 -0
  25. data/lib/cve_schema/cve/impact.rb +75 -0
  26. data/lib/cve_schema/cve/impact/cvss_v2.rb +318 -0
  27. data/lib/cve_schema/cve/impact/cvss_v3.rb +388 -0
  28. data/lib/cve_schema/cve/na.rb +8 -0
  29. data/lib/cve_schema/cve/problem_type.rb +56 -0
  30. data/lib/cve_schema/cve/product.rb +79 -0
  31. data/lib/cve_schema/cve/reference.rb +82 -0
  32. data/lib/cve_schema/cve/solution.rb +14 -0
  33. data/lib/cve_schema/cve/source.rb +75 -0
  34. data/lib/cve_schema/cve/timeline.rb +65 -0
  35. data/lib/cve_schema/cve/timestamp.rb +25 -0
  36. data/lib/cve_schema/cve/vendor.rb +83 -0
  37. data/lib/cve_schema/cve/version.rb +126 -0
  38. data/lib/cve_schema/cve/work_around.rb +14 -0
  39. data/lib/cve_schema/exceptions.rb +20 -0
  40. data/lib/cve_schema/version.rb +6 -0
  41. data/spec/affects_spec.rb +28 -0
  42. data/spec/configuration_spec.rb +6 -0
  43. data/spec/credit_spec.rb +6 -0
  44. data/spec/cve_schema_spec.rb +8 -0
  45. data/spec/cve_spec.rb +414 -0
  46. data/spec/data_meta_spec.rb +167 -0
  47. data/spec/description.rb +24 -0
  48. data/spec/exploit_spec.rb +6 -0
  49. data/spec/fixtures/CVE-2020-1994.json +140 -0
  50. data/spec/fixtures/CVE-2020-2005.json +152 -0
  51. data/spec/fixtures/CVE-2020-2050.json +233 -0
  52. data/spec/fixtures/CVE-2020-4700.json +99 -0
  53. data/spec/has_lang_value_spec.rb +56 -0
  54. data/spec/id_spec.rb +91 -0
  55. data/spec/impact/cvss_v3_spec.rb +118 -0
  56. data/spec/impact_spec.rb +45 -0
  57. data/spec/na_spec.rb +14 -0
  58. data/spec/problem_type_spec.rb +26 -0
  59. data/spec/product_spec.rb +73 -0
  60. data/spec/reference_spec.rb +70 -0
  61. data/spec/shared_examples.rb +19 -0
  62. data/spec/solution_spec.rb +6 -0
  63. data/spec/source_spec.rb +84 -0
  64. data/spec/spec_helper.rb +4 -0
  65. data/spec/timeline_spec.rb +86 -0
  66. data/spec/timestamp_spec.rb +24 -0
  67. data/spec/vendor_spec.rb +73 -0
  68. data/spec/version_spec.rb +104 -0
  69. data/spec/work_around_spec.rb +6 -0
  70. metadata +133 -0
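--- a/data/spec/data_meta_spec.rb
+++ b/data/spec/data_meta_spec.rb
@@ -0,0 +1,167 @@
+require 'spec_helper'
+require 'shared_examples'
+require 'cve_schema/cve/data_meta'
+
+describe CVESchema::CVE::DataMeta do
+describe "#initialize" do
+let(:id) { CVESchema::CVE::ID.parse('CVE-2021-9999') }
+let(:assigner) { 'foo@example.com' }
+
+describe "required keywords" do
+context "when id: is not given" do
+it do
+expect {
+described_class.new(assigner: assigner)
+}.to raise_error(ArgumentError)
+end
+end
+
+context "when assigner: is not given" do
+it do
+expect {
+described_class.new(id: id)
+}.to raise_error(ArgumentError)
+end
+end
+end
+
+context "when updated: is given" do
+let(:updated) { Time.now }
+
+subject do
+described_class.new(id: id, assigner: assigner, updated: updated)
+end
+
+it "must set #updated" do
+expect(subject.updated).to eq(updated)
+end
+end
+end
+
+describe ".load" do
+include_examples ".load"
+
+let(:json_node) { json_tree['CVE_data_meta'] }
+
+context '"ID":' do
+let(:json_value) { json_node['ID'] }
+let(:expected) { CVESchema::CVE::ID.parse(json_value) }
+
+it 'must parse the "ID": CVE ID and set #id' do
+expect(subject.id).to eq(expected)
+end
+
+context 'when the "ID" key is missing' do
+before { json_node.delete('ID') }
+
+it do
+expect {
+described_class.load(json_node)
+}.to raise_error(CVESchema::CVE::MissingJSONKey)
+end
+end
+end
+
+context '"ASSIGNER":' do
+it "must set #assigner" do
+expect(subject.assigner).to eq(json_node['ASSIGNER'])
+end
+
+context 'when the "ASSIGNER" key is missing' do
+before { json_node.delete('ASSIGNER') }
+
+it do
+expect {
+described_class.load(json_node)
+}.to raise_error(CVESchema::CVE::MissingJSONKey)
+end
+end
+end
+
+context '"UPDATED":' do
+pending 'need to find a CVE with the "UPDATED": key' do
+let(:json_value) { json_node['UPDATED'] }
+let(:expected) { CVESchema::CVE::Timestamp.parse(json_value) }
+
+it 'must parse the "UPDATED": Timestamp and set #updated' do
+expect(subject.updated).to eq(expected)
+end
+end
+end
+
+context '"SERIAL":' do
+pending 'need to find a CVE with the "SERIAL": key' do
+it "must set #serial" do
+expect(subject.serial).to eq(json_node['SERIAL'])
+end
+end
+end
+
+context '"DATE_REQUESTED":' do
+pending 'need to find a CVE with the "DATE_REQUESTED": key' do
+let(:json_value) { json_node['DATE_REQUESTED'] }
+let(:expected) { CVESchema::CVE::Timestamp.parse(json_value) }
+
+it 'must parse the "DATE_REQUESTED": Timestamp and set #date_requested' do
+expect(subject.date_requested).to eq(expected)
+end
+end
+end
+
+context '"DATE_ASSIGNED":' do
+pending 'need to find a CVE with the "DATE_ASSIGNED": key' do
+let(:json_value) { json_node['DATE_ASSIGNED'] }
+let(:expected) { CVESchema::CVE::Timestamp.parse(json_value) }
+
+it 'must parse the "DATE_ASSIGNED": Timestamp and set #date_assigned' do
+expect(subject.date_assigned).to eq(expected)
+end
+end
+end
+
+context '"DATE_PUBLIC":' do
+let(:json_value) { json_node['DATE_PUBLIC'] }
+let(:expected) { CVESchema::CVE::Timestamp.parse(json_value) }
+
+it 'must parse the "DATE_PUBLIC": Timestamp and set #date_public' do
+expect(subject.date_public).to eq(expected)
+end
+end
+
+context '"STATE":' do
+let(:json_value) { json_node['STATE'] }
+let(:expected) { json_value.to_sym }
+
+it 'must parse the "STATE": value and set #state' do
+expect(subject.state).to eq(expected)
+end
+end
+
+context '"TITLE":' do
+it "must set #title" do
+expect(subject.title).to eq(json_node['TITLE'])
+end
+end
+
+context '"REQUESTER":' do
+pending 'need to find a CVE with the "REQUESTED": key' do
+it "must set #serial" do
+expect(subject.serial).to eq(json_node['REQUESTER'])
+end
+end
+end
+
+context '"REPLACED_BY":' do
+pending 'need to find a CVE with the "REPLACED_BY": key' do
+let(:json_value) { json_node['REPLACED_BY'] }
+let(:expected) do
+json_value.split(',').map(&CVESchema::CVE::ID.method(:parse))
+end
+
+it 'must parse the "REPLACED_BY": String of IDs and set #replaced_by' do
+expect(subject.replaced_by).to eq(expected)
+end
+end
+end
+end
+end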
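Review bot: The `"REQUESTER":` context near the end of the file asserts the wrong attribute — `expect(subject.serial).to eq(json_node['REQUESTER'])` compares the serial against the requester value, and its pending message names a `"REQUESTED"` key that is not a CVE_data_meta key; the three lines should read `pending 'need to find a CVE with the "REQUESTER": key' do`, `it "must set #requester" do`, `expect(subject.requester).to eq(json_node['REQUESTER'])`. Because the block is wrapped in `pending`, this mismatch is never reported, and it is worth confirming how RSpec treats `let`/`it` nested inside a `pending ... do` block here — if the body raises, the example is presumably counted as pending rather than failing, which would hide every one of these placeholder contexts. Separately, the `"STATE":` expectation is built with `json_value.to_sym`, which mirrors interning an untrusted JSON string as a symbol; if the implementation does the same, consider adding a case asserting that a STATE value outside PUBLIC/RESERVED/REJECT is rejected rather than symbolised, and a case where DATE_PUBLIC is not a parseable timestamp.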
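--- a/data/spec/description.rb
+++ b/data/spec/description.rb
@@ -0,0 +1,24 @@
+require 'spec_helper'
+require 'cve_schema/cve/description'
+
+describe CVESchema::CVE::Description do
+it { expect(described_class).to include(CVESchema::CVE::HasLangValue) }
+
+describe "#na?" do
+let(:lang) { 'eng' }
+
+subject { described_class.new(lang: lang, value: value) }
+
+context "when value is 'n/a'" do
+let(:value) { 'n/a' }
+
+it { expect(subject.na?).to be(true) }
+end
+
+context "when value is not 'n/a'" do
+let(:value) { 'foo' }
+
+it { expect(subject.na?).to be(false) }
+end
+end
+end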
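Review bot: This file is added as `data/spec/description.rb` (diffstat entry 47) rather than `description_spec.rb` like every sibling spec, so RSpec's default `*_spec.rb` pattern will not load it and the `#na?` examples never run; renaming it to `data/spec/description_spec.rb` fixes that (the release ships a `.rspec` whose contents are not visible here, so confirm it does not widen the pattern). Once it runs, it would be worth pinning whether `#na?` is an exact match by adding contexts for `'N/A'` and `' n/a '`, since the current examples only cover the exact lower-case string and `'foo'`.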
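--- a/data/spec/exploit_spec.rb
+++ b/data/spec/exploit_spec.rb
@@ -0,0 +1,6 @@
+require 'spec_helper'
+require 'cve_schema/cve/exploit'
+
+describe CVESchema::CVE::Exploit do
+it { expect(described_class).to include(CVESchema::CVE::HasLangValue) }
+end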
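--- a/data/spec/fixtures/CVE-2020-1994.json
+++ b/data/spec/fixtures/CVE-2020-1994.json
@@ -0,0 +1,140 @@
+{
+"CVE_data_meta": {
+"ASSIGNER": "psirt@paloaltonetworks.com",
+"DATE_PUBLIC": "2020-05-13T16:00:00.000Z",
+"ID": "CVE-2020-1994",
+"STATE": "PUBLIC",
+"TITLE": "PAN-OS: Predictable temporary file vulnerability"
+},
+"affects": {
+"vendor": {
+"vendor_data": [
+{
+"product": {
+"product_data": [
+{
+"product_name": "PAN-OS",
+"version": {
+"version_data": [
+{
+"version_affected": "<",
+"version_name": "8.1",
+"version_value": "8.1.13"
+},
+{
+"version_affected": "<",
+"version_name": "9.0",
+"version_value": "9.0.7"
+},
+{
+"version_affected": "=",
+"version_name": "7.1",
+"version_value": "7.1.*"
+},
+{
+"version_affected": "=",
+"version_name": "8.0",
+"version_value": "8.0.*"
+},
+{
+"version_affected": "!>=",
+"version_name": "8.1",
+"version_value": "8.1.13"
+},
+{
+"version_affected": "!>=",
+"version_name": "9.0",
+"version_value": "9.0.7"
+},
+{
+"version_affected": "!>=",
+"version_name": "9.1",
+"version_value": "9.1.0"
+}
+]
+}
+}
+]
+},
+"vendor_name": "Palo Alto Networks"
+}
+]
+}
+},
+"credit": [
+{
+"lang": "eng",
+"value": "This issue was found by a customer."
+}
+],
+"data_format": "MITRE",
+"data_type": "CVE",
+"data_version": "4.0",
+"description": {
+"description_data": [
+{
+"lang": "eng",
+"value": "A predictable temporary file vulnerability in PAN-OS allows a local authenticated user with shell access to corrupt arbitrary system files affecting the integrity of the system. This issue affects: All versions of PAN-OS 7.1 and 8.0; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.7."
+}
+]
+},
+"generator": {
+"engine": "Vulnogram 0.0.9"
+},
+"impact": {
+"cvss": {
+"attackComplexity": "HIGH",
+"attackVector": "LOCAL",
+"availabilityImpact": "NONE",
+"baseScore": 4.1,
+"baseSeverity": "MEDIUM",
+"confidentialityImpact": "NONE",
+"integrityImpact": "HIGH",
+"privilegesRequired": "HIGH",
+"scope": "UNCHANGED",
+"userInteraction": "NONE",
+"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N",
+"version": "3.1"
+}
+},
+"problemtype": {
+"problemtype_data": [
+{
+"description": [
+{
+"lang": "eng",
+"value": "CWE-377 Insecure Temporary File"
+}
+]
+}
+]
+},
+"references": {
+"reference_data": [
+{
+"refsource": "MISC",
+"url": "https://security.paloaltonetworks.com/CVE-2020-1994",
+"name": "https://security.paloaltonetworks.com/CVE-2020-1994"
+}
+]
+},
+"solution": [
+{
+"lang": "eng",
+"value": "This issue is fixed in PAN-OS 8.1.13, PAN-OS 9.0.7, PAN-OS 9.1.0, and all later PAN-OS versions.\n\nPAN-OS 8.0 is now end-of-life as of October 31, 2019, and is no longer covered by our Product Security Assurance policies.\n\nPAN-OS 7.1 is on extended support until June 30, 2020, and is only being considered for critical security vulnerability fixes."
+}
+],
+"source": {
+"defect": [
+"PAN-123391"
+],
+"discovery": "USER"
+},
+"timeline": [
+{
+"lang": "eng",
+"time": "2020-05-13T16:00:00.000Z",
+"value": "Initial publication"
+}
+]
+}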
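--- a/data/spec/fixtures/CVE-2020-2005.json
+++ b/data/spec/fixtures/CVE-2020-2005.json
@@ -0,0 +1,152 @@
+{
+"CVE_data_meta": {
+"ASSIGNER": "psirt@paloaltonetworks.com",
+"DATE_PUBLIC": "2020-05-13T16:00:00.000Z",
+"ID": "CVE-2020-2005",
+"STATE": "PUBLIC",
+"TITLE": "PAN-OS: GlobalProtect Clientless VPN session hijacking"
+},
+"affects": {
+"vendor": {
+"vendor_data": [
+{
+"product": {
+"product_data": [
+{
+"product_name": "PAN-OS",
+"version": {
+"version_data": [
+{
+"version_affected": "<",
+"version_name": "7.1",
+"version_value": "7.1.26"
+},
+{
+"version_affected": "<",
+"version_name": "8.1",
+"version_value": "8.1.13"
+},
+{
+"version_affected": "<",
+"version_name": "9.0",
+"version_value": "9.0.7"
+},
+{
+"version_affected": "!>=",
+"version_name": "7.1",
+"version_value": "7.1.26"
+},
+{
+"version_affected": "!>=",
+"version_name": "8.1",
+"version_value": "8.1.13"
+},
+{
+"version_affected": "!>=",
+"version_name": "9.0",
+"version_value": "9.0.7"
+},
+{
+"version_affected": "=",
+"version_name": "8.0",
+"version_value": "8.0.*"
+}
+]
+}
+}
+]
+},
+"vendor_name": "Palo Alto Networks"
+}
+]
+}
+},
+"configuration": [
+{
+"lang": "eng",
+"value": "This issue only affects firewalls configured with GlobalProtect Clientless VPN."
+}
+],
+"credit": [
+{
+"lang": "eng",
+"value": "This issue was discovered by Ron Masas of Palo Alto Networks during internal security review."
+}
+],
+"data_format": "MITRE",
+"data_type": "CVE",
+"data_version": "4.0",
+"description": {
+"description_data": [
+{
+"lang": "eng",
+"value": "A cross-site scripting (XSS) vulnerability exists when visiting malicious websites with the Palo Alto Networks GlobalProtect Clientless VPN that can compromise the user's active session. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.7; All versions of PAN-OS 8.0."
+}
+]
+},
+"generator": {
+"engine": "Vulnogram 0.0.9"
+},
+"impact": {
+"cvss": {
+"attackComplexity": "LOW",
+"attackVector": "NETWORK",
+"availabilityImpact": "NONE",
+"baseScore": 7.1,
+"baseSeverity": "HIGH",
+"confidentialityImpact": "HIGH",
+"integrityImpact": "LOW",
+"privilegesRequired": "NONE",
+"scope": "UNCHANGED",
+"userInteraction": "REQUIRED",
+"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
+"version": "3.1"
+}
+},
+"problemtype": {
+"problemtype_data": [
+{
+"description": [
+{
+"lang": "eng",
+"value": "CWE-79 Cross-site Scripting (XSS)"
+}
+]
+}
+]
+},
+"references": {
+"reference_data": [
+{
+"refsource": "MISC",
+"url": "https://security.paloaltonetworks.com/CVE-2020-2005",
+"name": "https://security.paloaltonetworks.com/CVE-2020-2005"
+}
+]
+},
+"solution": [
+{
+"lang": "eng",
+"value": "This issue is fixed in PAN-OS 7.1.26, PAN-OS 8.1.13, PAN-OS 9.0.7, and all later versions of PAN-OS.\n\nPAN-OS 8.0 is now end-of-life as of October 31, 2019, and is no longer covered by our Product Security Assurance policies."
+}
+],
+"source": {
+"defect": [
+"GPCON-551"
+],
+"discovery": "INTERNAL"
+},
+"timeline": [
+{
+"lang": "eng",
+"time": "2020-05-13T16:00:00.000Z",
+"value": "Initial publication"
+}
+],
+"work_around": [
+{
+"lang": "eng",
+"value": "Configure GlobalProtect Clientless VPN to only access known trusted websites, and block access all other websites."
+}
+]
+}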