cve_schema 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (70) hide show
  1. checksums.yaml +7 -0
  2. data/.document +3 -0
  3. data/.github/workflows/ruby.yml +28 -0
  4. data/.gitignore +6 -0
  5. data/.rspec +1 -0
  6. data/.yardopts +1 -0
  7. data/ChangeLog.md +26 -0
  8. data/Gemfile +14 -0
  9. data/LICENSE.txt +20 -0
  10. data/README.md +50 -0
  11. data/Rakefile +23 -0
  12. data/benchmark.rb +47 -0
  13. data/cve_schema.gemspec +61 -0
  14. data/gemspec.yml +19 -0
  15. data/lib/cve_schema.rb +2 -0
  16. data/lib/cve_schema/cve.rb +257 -0
  17. data/lib/cve_schema/cve/affects.rb +55 -0
  18. data/lib/cve_schema/cve/configuration.rb +14 -0
  19. data/lib/cve_schema/cve/credit.rb +14 -0
  20. data/lib/cve_schema/cve/data_meta.rb +185 -0
  21. data/lib/cve_schema/cve/description.rb +24 -0
  22. data/lib/cve_schema/cve/exploit.rb +14 -0
  23. data/lib/cve_schema/cve/has_lang_value.rb +93 -0
  24. data/lib/cve_schema/cve/id.rb +79 -0
  25. data/lib/cve_schema/cve/impact.rb +75 -0
  26. data/lib/cve_schema/cve/impact/cvss_v2.rb +318 -0
  27. data/lib/cve_schema/cve/impact/cvss_v3.rb +388 -0
  28. data/lib/cve_schema/cve/na.rb +8 -0
  29. data/lib/cve_schema/cve/problem_type.rb +56 -0
  30. data/lib/cve_schema/cve/product.rb +79 -0
  31. data/lib/cve_schema/cve/reference.rb +82 -0
  32. data/lib/cve_schema/cve/solution.rb +14 -0
  33. data/lib/cve_schema/cve/source.rb +75 -0
  34. data/lib/cve_schema/cve/timeline.rb +65 -0
  35. data/lib/cve_schema/cve/timestamp.rb +25 -0
  36. data/lib/cve_schema/cve/vendor.rb +83 -0
  37. data/lib/cve_schema/cve/version.rb +126 -0
  38. data/lib/cve_schema/cve/work_around.rb +14 -0
  39. data/lib/cve_schema/exceptions.rb +20 -0
  40. data/lib/cve_schema/version.rb +6 -0
  41. data/spec/affects_spec.rb +28 -0
  42. data/spec/configuration_spec.rb +6 -0
  43. data/spec/credit_spec.rb +6 -0
  44. data/spec/cve_schema_spec.rb +8 -0
  45. data/spec/cve_spec.rb +414 -0
  46. data/spec/data_meta_spec.rb +167 -0
  47. data/spec/description.rb +24 -0
  48. data/spec/exploit_spec.rb +6 -0
  49. data/spec/fixtures/CVE-2020-1994.json +140 -0
  50. data/spec/fixtures/CVE-2020-2005.json +152 -0
  51. data/spec/fixtures/CVE-2020-2050.json +233 -0
  52. data/spec/fixtures/CVE-2020-4700.json +99 -0
  53. data/spec/has_lang_value_spec.rb +56 -0
  54. data/spec/id_spec.rb +91 -0
  55. data/spec/impact/cvss_v3_spec.rb +118 -0
  56. data/spec/impact_spec.rb +45 -0
  57. data/spec/na_spec.rb +14 -0
  58. data/spec/problem_type_spec.rb +26 -0
  59. data/spec/product_spec.rb +73 -0
  60. data/spec/reference_spec.rb +70 -0
  61. data/spec/shared_examples.rb +19 -0
  62. data/spec/solution_spec.rb +6 -0
  63. data/spec/source_spec.rb +84 -0
  64. data/spec/spec_helper.rb +4 -0
  65. data/spec/timeline_spec.rb +86 -0
  66. data/spec/timestamp_spec.rb +24 -0
  67. data/spec/vendor_spec.rb +73 -0
  68. data/spec/version_spec.rb +104 -0
  69. data/spec/work_around_spec.rb +6 -0
  70. metadata +133 -0
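--- a/data/spec/data_meta_spec.rb
+++ b/data/spec/data_meta_spec.rb
@@ -0,0 +1,167 @@
+require 'spec_helper'
+require 'shared_examples'
+require 'cve_schema/cve/data_meta'
+
+describe CVESchema::CVE::DataMeta do
+describe "#initialize" do
+let(:id) { CVESchema::CVE::ID.parse('CVE-2021-9999') }
+let(:assigner) { 'foo@example.com' }
+
+describe "required keywords" do
+context "when id: is not given" do
+it do
+expect {
+described_class.new(assigner: assigner)
+}.to raise_error(ArgumentError)
+end
+end
+
+context "when assigner: is not given" do
+it do
+expect {
+described_class.new(id: id)
+}.to raise_error(ArgumentError)
+end
+end
+end
+
+context "when updated: is given" do
+let(:updated) { Time.now }
+
+subject do
+described_class.new(id: id, assigner: assigner, updated: updated)
+end
+
+it "must set #updated" do
+expect(subject.updated).to eq(updated)
+end
+end
+end
+
+describe ".load" do
+include_examples ".load"
+
+let(:json_node) { json_tree['CVE_data_meta'] }
+
+context '"ID":' do
+let(:json_value) { json_node['ID'] }
+let(:expected) { CVESchema::CVE::ID.parse(json_value) }
+
+it 'must parse the "ID": CVE ID and set #id' do
+expect(subject.id).to eq(expected)
+end
+
+context 'when the "ID" key is missing' do
+before { json_node.delete('ID') }
+
+it do
+expect {
+described_class.load(json_node)
+}.to raise_error(CVESchema::CVE::MissingJSONKey)
+end
+end
+end
+
+context '"ASSIGNER":' do
+it "must set #assigner" do
+expect(subject.assigner).to eq(json_node['ASSIGNER'])
+end
+
+context 'when the "ASSIGNER" key is missing' do
+before { json_node.delete('ASSIGNER') }
+
+it do
+expect {
+described_class.load(json_node)
+}.to raise_error(CVESchema::CVE::MissingJSONKey)
+end
+end
+end
+
+context '"UPDATED":' do
+pending 'need to find a CVE with the "UPDATED": key' do
+let(:json_value) { json_node['UPDATED'] }
+let(:expected) { CVESchema::CVE::Timestamp.parse(json_value) }
+
+it 'must parse the "UPDATED": Timestamp and set #updated' do
+expect(subject.updated).to eq(expected)
+end
+end
+end
+
+context '"SERIAL":' do
+pending 'need to find a CVE with the "SERIAL": key' do
+it "must set #serial" do
+expect(subject.serial).to eq(json_node['SERIAL'])
+end
+end
+end
+
+context '"DATE_REQUESTED":' do
+pending 'need to find a CVE with the "DATE_REQUESTED": key' do
+let(:json_value) { json_node['DATE_REQUESTED'] }
+let(:expected) { CVESchema::CVE::Timestamp.parse(json_value) }
+
+it 'must parse the "DATE_REQUESTED": Timestamp and set #date_requested' do
+expect(subject.date_requested).to eq(expected)
+end
+end
+end
+
+context '"DATE_ASSIGNED":' do
+pending 'need to find a CVE with the "DATE_ASSIGNED": key' do
+let(:json_value) { json_node['DATE_ASSIGNED'] }
+let(:expected) { CVESchema::CVE::Timestamp.parse(json_value) }
+
+it 'must parse the "DATE_ASSIGNED": Timestamp and set #date_assigned' do
+expect(subject.date_assigned).to eq(expected)
+end
+end
+end
+
+context '"DATE_PUBLIC":' do
+let(:json_value) { json_node['DATE_PUBLIC'] }
+let(:expected) { CVESchema::CVE::Timestamp.parse(json_value) }
+
+it 'must parse the "DATE_PUBLIC": Timestamp and set #date_public' do
+expect(subject.date_public).to eq(expected)
+end
+end
+
+context '"STATE":' do
+let(:json_value) { json_node['STATE'] }
+let(:expected) { json_value.to_sym }
+
+it 'must parse the "STATE": value and set #state' do
+expect(subject.state).to eq(expected)
+end
+end
+
+context '"TITLE":' do
+it "must set #title" do
+expect(subject.title).to eq(json_node['TITLE'])
+end
+end
+
+context '"REQUESTER":' do
+pending 'need to find a CVE with the "REQUESTED": key' do
+it "must set #serial" do
+expect(subject.serial).to eq(json_node['REQUESTER'])
+end
+end
+end
+
+context '"REPLACED_BY":' do
+pending 'need to find a CVE with the "REPLACED_BY": key' do
+let(:json_value) { json_node['REPLACED_BY'] }
+let(:expected) do
+json_value.split(',').map(&CVESchema::CVE::ID.method(:parse))
+end
+
+it 'must parse the "REPLACED_BY": String of IDs and set #replaced_by' do
+expect(subject.replaced_by).to eq(expected)
+end
+end
+end
+end
+end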
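Review bot: The `"REQUESTER":` context near the end of the `.load` group asserts the wrong attribute — `it "must set #serial"` / `expect(subject.serial).to eq(json_node['REQUESTER'])` should read `it "must set #requester"` / `expect(subject.requester).to eq(json_node['REQUESTER'])`, and its pending message names a `"REQUESTED"` key that does not exist in the schema. That context, like `"UPDATED":`, `"SERIAL":`, `"DATE_REQUESTED":`, `"DATE_ASSIGNED":` and `"REPLACED_BY":`, wraps `let`/`it` calls in a group-level `pending 'msg' do … end`; in RSpec that form presumably defines a single pending example rather than a nested group, so the inner examples never register and a copy-paste error like the one above goes unnoticed. Replacing the wrapper with `xcontext` (or adding a hand-built fixture that carries those keys) would make them real examples. Neither of the two fixtures visible in this diff carries any of those keys, so the parser's handling of them — including the `split(',')` used to build the expected `REPLACED_BY` list — is currently untested.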
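--- a/data/spec/description.rb
+++ b/data/spec/description.rb
@@ -0,0 +1,24 @@
+require 'spec_helper'
+require 'cve_schema/cve/description'
+
+describe CVESchema::CVE::Description do
+it { expect(described_class).to include(CVESchema::CVE::HasLangValue) }
+
+describe "#na?" do
+let(:lang) { 'eng' }
+
+subject { described_class.new(lang: lang, value: value) }
+
+context "when value is 'n/a'" do
+let(:value) { 'n/a' }
+
+it { expect(subject.na?).to be(true) }
+end
+
+context "when value is not 'n/a'" do
+let(:value) { 'foo' }
+
+it { expect(subject.na?).to be(false) }
+end
+end
+end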
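Review bot: This file is listed as `data/spec/description.rb`, without the `_spec` suffix every sibling spec in the diffstat uses; RSpec's default pattern (`spec/**/*_spec.rb`) would not load it, so the `#na?` examples presumably never run unless the one-line `.rspec` (not visible here) sets a custom `--pattern`. Renaming it to `spec/description_spec.rb` fixes that without touching its contents. Once it runs, a third context such as `let(:value) { 'N/A' }` would pin whether `#na?` is an exact, case-sensitive comparison or a looser match, which the two present cases leave open.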
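--- a/data/spec/exploit_spec.rb
+++ b/data/spec/exploit_spec.rb
@@ -0,0 +1,6 @@
+require 'spec_helper'
+require 'cve_schema/cve/exploit'
+
+describe CVESchema::CVE::Exploit do
+it { expect(described_class).to include(CVESchema::CVE::HasLangValue) }
+end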
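--- a/data/spec/fixtures/CVE-2020-1994.json
+++ b/data/spec/fixtures/CVE-2020-1994.json
@@ -0,0 +1,140 @@
+{
+"CVE_data_meta": {
+"ASSIGNER": "psirt@paloaltonetworks.com",
+"DATE_PUBLIC": "2020-05-13T16:00:00.000Z",
+"ID": "CVE-2020-1994",
+"STATE": "PUBLIC",
+"TITLE": "PAN-OS: Predictable temporary file vulnerability"
+},
+"affects": {
+"vendor": {
+"vendor_data": [
+{
+"product": {
+"product_data": [
+{
+"product_name": "PAN-OS",
+"version": {
+"version_data": [
+{
+"version_affected": "<",
+"version_name": "8.1",
+"version_value": "8.1.13"
+},
+{
+"version_affected": "<",
+"version_name": "9.0",
+"version_value": "9.0.7"
+},
+{
+"version_affected": "=",
+"version_name": "7.1",
+"version_value": "7.1.*"
+},
+{
+"version_affected": "=",
+"version_name": "8.0",
+"version_value": "8.0.*"
+},
+{
+"version_affected": "!>=",
+"version_name": "8.1",
+"version_value": "8.1.13"
+},
+{
+"version_affected": "!>=",
+"version_name": "9.0",
+"version_value": "9.0.7"
+},
+{
+"version_affected": "!>=",
+"version_name": "9.1",
+"version_value": "9.1.0"
+}
+]
+}
+}
+]
+},
+"vendor_name": "Palo Alto Networks"
+}
+]
+}
+},
+"credit": [
+{
+"lang": "eng",
+"value": "This issue was found by a customer."
+}
+],
+"data_format": "MITRE",
+"data_type": "CVE",
+"data_version": "4.0",
+"description": {
+"description_data": [
+{
+"lang": "eng",
+"value": "A predictable temporary file vulnerability in PAN-OS allows a local authenticated user with shell access to corrupt arbitrary system files affecting the integrity of the system. This issue affects: All versions of PAN-OS 7.1 and 8.0; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.7."
+}
+]
+},
+"generator": {
+"engine": "Vulnogram 0.0.9"
+},
+"impact": {
+"cvss": {
+"attackComplexity": "HIGH",
+"attackVector": "LOCAL",
+"availabilityImpact": "NONE",
+"baseScore": 4.1,
+"baseSeverity": "MEDIUM",
+"confidentialityImpact": "NONE",
+"integrityImpact": "HIGH",
+"privilegesRequired": "HIGH",
+"scope": "UNCHANGED",
+"userInteraction": "NONE",
+"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N",
+"version": "3.1"
+}
+},
+"problemtype": {
+"problemtype_data": [
+{
+"description": [
+{
+"lang": "eng",
+"value": "CWE-377 Insecure Temporary File"
+}
+]
+}
+]
+},
+"references": {
+"reference_data": [
+{
+"refsource": "MISC",
+"url": "https://security.paloaltonetworks.com/CVE-2020-1994",
+"name": "https://security.paloaltonetworks.com/CVE-2020-1994"
+}
+]
+},
+"solution": [
+{
+"lang": "eng",
+"value": "This issue is fixed in PAN-OS 8.1.13, PAN-OS 9.0.7, PAN-OS 9.1.0, and all later PAN-OS versions.\n\nPAN-OS 8.0 is now end-of-life as of October 31, 2019, and is no longer covered by our Product Security Assurance policies.\n\nPAN-OS 7.1 is on extended support until June 30, 2020, and is only being considered for critical security vulnerability fixes."
+}
+],
+"source": {
+"defect": [
+"PAN-123391"
+],
+"discovery": "USER"
+},
+"timeline": [
+{
+"lang": "eng",
+"time": "2020-05-13T16:00:00.000Z",
+"value": "Initial publication"
+}
+]
+}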
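--- a/data/spec/fixtures/CVE-2020-2005.json
+++ b/data/spec/fixtures/CVE-2020-2005.json
@@ -0,0 +1,152 @@
+{
+"CVE_data_meta": {
+"ASSIGNER": "psirt@paloaltonetworks.com",
+"DATE_PUBLIC": "2020-05-13T16:00:00.000Z",
+"ID": "CVE-2020-2005",
+"STATE": "PUBLIC",
+"TITLE": "PAN-OS: GlobalProtect Clientless VPN session hijacking"
+},
+"affects": {
+"vendor": {
+"vendor_data": [
+{
+"product": {
+"product_data": [
+{
+"product_name": "PAN-OS",
+"version": {
+"version_data": [
+{
+"version_affected": "<",
+"version_name": "7.1",
+"version_value": "7.1.26"
+},
+{
+"version_affected": "<",
+"version_name": "8.1",
+"version_value": "8.1.13"
+},
+{
+"version_affected": "<",
+"version_name": "9.0",
+"version_value": "9.0.7"
+},
+{
+"version_affected": "!>=",
+"version_name": "7.1",
+"version_value": "7.1.26"
+},
+{
+"version_affected": "!>=",
+"version_name": "8.1",
+"version_value": "8.1.13"
+},
+{
+"version_affected": "!>=",
+"version_name": "9.0",
+"version_value": "9.0.7"
+},
+{
+"version_affected": "=",
+"version_name": "8.0",
+"version_value": "8.0.*"
+}
+]
+}
+}
+]
+},
+"vendor_name": "Palo Alto Networks"
+}
+]
+}
+},
+"configuration": [
+{
+"lang": "eng",
+"value": "This issue only affects firewalls configured with GlobalProtect Clientless VPN."
+}
+],
+"credit": [
+{
+"lang": "eng",
+"value": "This issue was discovered by Ron Masas of Palo Alto Networks during internal security review."
+}
+],
+"data_format": "MITRE",
+"data_type": "CVE",
+"data_version": "4.0",
+"description": {
+"description_data": [
+{
+"lang": "eng",
+"value": "A cross-site scripting (XSS) vulnerability exists when visiting malicious websites with the Palo Alto Networks GlobalProtect Clientless VPN that can compromise the user's active session. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.7; All versions of PAN-OS 8.0."
+}
+]
+},
+"generator": {
+"engine": "Vulnogram 0.0.9"
+},
+"impact": {
+"cvss": {
+"attackComplexity": "LOW",
+"attackVector": "NETWORK",
+"availabilityImpact": "NONE",
+"baseScore": 7.1,
+"baseSeverity": "HIGH",
+"confidentialityImpact": "HIGH",
+"integrityImpact": "LOW",
+"privilegesRequired": "NONE",
+"scope": "UNCHANGED",
+"userInteraction": "REQUIRED",
+"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
+"version": "3.1"
+}
+},
+"problemtype": {
+"problemtype_data": [
+{
+"description": [
+{
+"lang": "eng",
+"value": "CWE-79 Cross-site Scripting (XSS)"
+}
+]
+}
+]
+},
+"references": {
+"reference_data": [
+{
+"refsource": "MISC",
+"url": "https://security.paloaltonetworks.com/CVE-2020-2005",
+"name": "https://security.paloaltonetworks.com/CVE-2020-2005"
+}
+]
+},
+"solution": [
+{
+"lang": "eng",
+"value": "This issue is fixed in PAN-OS 7.1.26, PAN-OS 8.1.13, PAN-OS 9.0.7, and all later versions of PAN-OS.\n\nPAN-OS 8.0 is now end-of-life as of October 31, 2019, and is no longer covered by our Product Security Assurance policies."
+}
+],
+"source": {
+"defect": [
+"GPCON-551"
+],
+"discovery": "INTERNAL"
+},
+"timeline": [
+{
+"lang": "eng",
+"time": "2020-05-13T16:00:00.000Z",
+"value": "Initial publication"
+}
+],
+"work_around": [
+{
+"lang": "eng",
+"value": "Configure GlobalProtect Clientless VPN to only access known trusted websites, and block access all other websites."
+}
+]
+}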