cve_schema 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 9b2fd7358b100af7647547bef7243cc4ad90e7808a569250e60823aec3ab5ac8
+  data.tar.gz: 930861c8ee83113009e4fa30461d87a85cdb6cffef2830c5af787fe188017385
+SHA512:
+  metadata.gz: ffd0c2410c39c7ce6709edfaf8967d43760f9d2b334b81d2f2743733857cc6776aa3301fe205ae96b03054f14801a80ee069126b57c89c6bcc15d73ad6311fd7
+  data.tar.gz: 34f0096b85d8e75bd72181e3a584f94f595c5ecd37d75c653ed5e0fd1c97905124d4b508feb4709eafac7c34812af006bd3d504696f6a17e34e2b11b5addcc7d

data/.document

@@ -0,0 +1,3 @@
+- 
+ChangeLog.md
+LICENSE.txt

data/.github/workflows/ruby.yml

@@ -0,0 +1,28 @@
+name: CI
+
+on: [ push, pull_request ]
+
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby:
+          # - 2.4
+          # - 2.5
+          # - 2.6
+          - 2.7
+          - 3.0
+          # - jruby
+    name: Ruby ${{ matrix.ruby }}
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+      - name: Install dependencies
+        run: bundle install --jobs 4 --retry 3
+      - name: Run tests
+        run: bundle exec rake test

data/.gitignore

@@ -0,0 +1,6 @@
+/.bundle
+/.yardoc/
+/Gemfile.lock
+/doc/
+/pkg/
+/vendor/cache/*.gem

data/.rspec

@@ -0,0 +1 @@
+--colour --format documentation

data/.yardopts

@@ -0,0 +1 @@
+--markup markdown --title "cve_schema Documentation" --protected

data/ChangeLog.md

@@ -0,0 +1,26 @@
+### 0.1.0 / 2021-01-14
+
+* Initial release:
+  * Supports [CVE JSON Schema v4.0].
+  * [ruby] >= 2.7.0
+  * Added {CVESchema::CVE}.
+  * Added {CVESchema::CVE::Affects}.
+  * Added {CVESchema::CVE::Configuration}.
+  * Added {CVESchema::CVE::Credit}.
+  * Added {CVESchema::CVE::DataMeta}.
+  * Added {CVESchema::CVE::Description}.
+  * Added {CVESchema::CVE::Exploit}.
+  * Added {CVESchema::CVE::ID}.
+  * Added {CVESchema::CVE::Impact}.
+  * Added {CVESchema::CVE::ProblemType}.
+  * Added {CVESchema::CVE::Product}.
+  * Added {CVESchema::CVE::Reference}.
+  * Added {CVESchema::CVE::Solution}.
+  * Added {CVESchema::CVE::Source}.
+  * Added {CVESchema::CVE::Timeline}.
+  * Added {CVESchema::CVE::Vendor}.
+  * Added {CVESchema::CVE::Version}.
+  * Added {CVESchema::CVE::WorkAround}.
+
+[CVE JSON Schema v4.0]: https://github.com/CVEProject/cve-schema/blob/master/schema/v4.0/DRAFT-JSON-file-format-v4.md
+[ruby]: https://www.ruby-lang.org/

data/Gemfile

@@ -0,0 +1,14 @@
+source 'https://rubygems.org'
+
+gemspec
+
+group :development do
+  gem 'rake'
+  gem 'rubygems-tasks', '~> 0.2'
+
+  gem 'json'
+  gem 'rspec', '~> 3.0'
+
+  gem 'kramdown'
+  gem 'yard', '~> 0.9'
+end

data/LICENSE.txt

@@ -0,0 +1,20 @@
+Copyright (c) 2020-2021 Hal Brodigan
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,50 @@
+# cve_schema
+
+* [Homepage](https://github.com/postmodern/cve_schema#readme)
+* [Issues](https://github.com/postmodern/cve_schema/issues)
+* [Documentation](http://rubydoc.info/gems/cve_schema/frames)
+* [Email](mailto:postmodern.mod3 at gmail.com)
+
+## Description
+
+{CVESchema} provides common classes for CVE data and loading it from JSON.
+
+## Features
+
+* Supports [CVE JSON Schema v4.0]
+* Uses Plain-Old-Ruby-Objects (PORO) for speed!
+* No runtime dependencies.
+
+## Examples
+
+    require 'cve_schema'
+    include CVESchema
+
+    json = JSON.parse(File.read('path/to/CVE-YYYY-XXXX.json'))
+    cve = CVE.load(json)
+
+## Requirements
+
+* [ruby] >= 2.7.0
+
+## Install
+
+    $ gem install cve_schema
+
+## Benchmark
+
+    Loading all 192879 JSON files into memory. This may take a while ...
+    Mapping all 192879 to CVESchema::CVE objects ...
+    
+    Total:	 12.310090   0.275629  12.585719 ( 12.664896)
+    Avg:	  0.000064   0.000001   0.000065 (  0.000066)
+
+## Copyright
+
+Copyright (c) 2020-2021 Hal Brodigan
+
+See {file:LICENSE.txt} for details.
+
+[CVE JSON Schema v4.0]: https://github.com/CVEProject/cve-schema/blob/master/schema/v4.0/DRAFT-JSON-file-format-v4.md
+
+[ruby]: https://www.ruby-lang.org/

data/Rakefile

@@ -0,0 +1,23 @@
+# encoding: utf-8
+
+require 'rubygems'
+
+begin
+  require 'bundler/setup'
+rescue LoadError => e
+  abort e.message
+end
+
+require 'rake'
+require 'rubygems/tasks'
+Gem::Tasks.new
+
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new
+
+task :test    => :spec
+task :default => :spec
+
+require 'yard'
+YARD::Rake::YardocTask.new
+task :doc => :yard

data/benchmark.rb

@@ -0,0 +1,47 @@
+#!/usr/bin/env ruby
+
+require 'bundler/setup'
+require 'cve_schema/cve'
+require 'json'
+require 'benchmark'
+
+CVELIST = ENV.fetch('CVELIST',File.join(Gem.user_home,'src','cvelist'))
+
+unless File.directory?(CVELIST)
+  $stderr.puts "#{CVELIST} does not exist!"
+  $stderr.puts "Please run: git clone https://github.com/CVEProject/cvelist #{CVELIST}"
+  exit -1
+end
+
+begin
+  json_files = Dir.glob(File.join(CVELIST,'**','**','CVE-*.json'))
+  n = json_files.length
+
+  puts "Loading all #{n} JSON files into memory. This may take a while ..."
+
+  all_json = {}
+  json_files.each do |path|
+    all_json[path] = JSON.parse(File.read(path))
+  end
+
+  puts "Mapping all #{n} to #{CVESchema::CVE} objects ..."
+
+  results = Benchmark.measure do
+    all_json.each do |path,json|
+      begin
+        CVESchema::CVE.from_json(json)
+      rescue CVESchema::InvalidJSON
+        # ignore
+      rescue => error
+        $stderr.puts "error encountered while parsing #{path}"
+        raise(error)
+      end
+    end
+  end
+
+  puts
+  puts "Total:\t#{results}"
+  puts "Avg:\t#{results / n}"
+rescue Interrupt
+  exit 130
+end

data/cve_schema.gemspec

@@ -0,0 +1,61 @@
+# encoding: utf-8
+
+require 'yaml'
+
+Gem::Specification.new do |gem|
+  gemspec = YAML.load_file('gemspec.yml')
+
+  gem.name    = gemspec.fetch('name')
+  gem.version = gemspec.fetch('version') do
+                  lib_dir = File.join(File.dirname(__FILE__),'lib')
+                  $LOAD_PATH << lib_dir unless $LOAD_PATH.include?(lib_dir)
+
+                  require 'cve_schema/version'
+                  CVESchema::VERSION
+                end
+
+  gem.summary     = gemspec['summary']
+  gem.description = gemspec['description']
+  gem.licenses    = Array(gemspec['license'])
+  gem.authors     = Array(gemspec['authors'])
+  gem.email       = gemspec['email']
+  gem.homepage    = gemspec['homepage']
+  gem.metadata    = gemspec['metadata'] if gemspec['metadata']
+
+  glob = lambda { |patterns| gem.files & Dir[*patterns] }
+
+  gem.files = `git ls-files`.split($/)
+  gem.files = glob[gemspec['files']] if gemspec['files']
+
+  gem.executables = gemspec.fetch('executables') do
+    glob['bin/*'].map { |path| File.basename(path) }
+  end
+  gem.default_executable = gem.executables.first if Gem::VERSION < '1.7.'
+
+  gem.extensions       = glob[gemspec['extensions'] || 'ext/**/extconf.rb']
+  gem.test_files       = glob[gemspec['test_files'] || '{test/{**/}*_test.rb']
+  gem.extra_rdoc_files = glob[gemspec['extra_doc_files'] || '*.{txt,md}']
+
+  gem.require_paths = Array(gemspec.fetch('require_paths') {
+    %w[ext lib].select { |dir| File.directory?(dir) }
+  })
+
+  gem.requirements              = Array(gemspec['requirements'])
+  gem.required_ruby_version     = gemspec['required_ruby_version']
+  gem.required_rubygems_version = gemspec['required_rubygems_version']
+  gem.post_install_message      = gemspec['post_install_message']
+
+  split = lambda { |string| string.split(/,\s*/) }
+
+  if gemspec['dependencies']
+    gemspec['dependencies'].each do |name,versions|
+      gem.add_dependency(name,split[versions])
+    end
+  end
+
+  if gemspec['development_dependencies']
+    gemspec['development_dependencies'].each do |name,versions|
+      gem.add_development_dependency(name,split[versions])
+    end
+  end
+end

data/gemspec.yml

@@ -0,0 +1,19 @@
+name: cve_schema
+summary: Common classes for CVE data
+description: |
+  CVESchema provides common classes for CVE data and loading it from JSON.
+license: MIT
+authors: Postmodern
+email: postmodern.mod3@gmail.com
+homepage: https://github.com/postmodern/cve_schema.rb#readme
+
+metadata:
+  documentation_uri: https://rubydoc.info/gems/cve_schema
+  source_code_uri:   https://github.com/postmodern/cve_schema.rb
+  bug_tracker_uri:   https://github.com/postmodern/cve_schema.rb/issues
+  changelog_uri:     https://github.com/postmodern/cve_schema.rb/blob/main/ChangeLog.md
+
+required_ruby_version: ">= 2.7.0"
+
+development_dependencies:
+  bundler: ~> 2.0

data/lib/cve_schema.rb

@@ -0,0 +1,2 @@
+require 'cve_schema/cve'
+require 'cve_schema/version'

data/lib/cve_schema/cve.rb

@@ -0,0 +1,257 @@
+# frozen_string_literal: true
+
+require 'cve_schema/exceptions'
+require 'cve_schema/cve/data_meta'
+require 'cve_schema/cve/affects'
+require 'cve_schema/cve/configuration'
+require 'cve_schema/cve/problem_type'
+require 'cve_schema/cve/reference'
+require 'cve_schema/cve/description'
+require 'cve_schema/cve/exploit'
+require 'cve_schema/cve/credit'
+require 'cve_schema/cve/impact'
+require 'cve_schema/cve/solution'
+require 'cve_schema/cve/source'
+require 'cve_schema/cve/work_around'
+require 'cve_schema/cve/timeline'
+
+module CVESchema
+  #
+  # Represents a `"cve"` JSON object.
+  #
+  class CVE
+
+    DATA_TYPES = {
+      'CVE' => :CVE,
+      'CNA' => :CNA,
+      'CVEMENTOR' => :CVEMENTOR
+    }
+
+    # @return [:CVE, :CNA, :CVEMENTOR]
+    attr_reader :data_type
+
+    DATA_FORMAT = {
+      'MITRE' => :MITRE
+    }
+
+    # @return [:MITRE]
+    attr_reader :data_format
+
+    DATA_VERSIONS = {
+      '4.0' => :"4.0"
+    }
+
+    # @return [:"4.0"]
+    attr_reader :data_version
+
+    # @return [DataMeta]
+    attr_reader :data_meta
+
+    alias metadata data_meta
+
+    # @return [Affects, nil]
+    attr_reader :affects
+
+    # @return [Array<Configuration>]
+    attr_reader :configuration
+
+    alias configurations configuration
+
+    # @return [ProblemType]
+    attr_reader :problemtype
+
+    alias problem_type problemtype
+    alias problem_types problemtype
+
+    # @return [Array<Reference>]
+    attr_reader :references
+
+    # @return [Array<Description>]
+    attr_reader :description
+
+    alias descriptions description
+
+    # @return [Array<Exploit>]
+    attr_reader :exploit
+
+    alias exploits exploit
+
+    # @return [Array<Credit>]
+    attr_reader :credit
+
+    alias credits credit
+
+    # @return [Impact, nil]
+    attr_reader :impact
+
+    # @return [Array<Solution>]
+    attr_reader :solution
+
+    alias solutions solution
+
+    # @return [Source, nil]
+    attr_reader :source
+
+    # @return [Array<WorkAround>]
+    attr_reader :work_around
+
+    alias work_arounds work_around
+
+    # @return [Array<Timeline>]
+    attr_reader :timeline
+
+    #
+    # Initializes the CVE.
+    #
+    # @param [:CVE, :CNA, :CVEMENTOR] data_type
+    #
+    # @param [:MITRE] data_format
+    #
+    # @param [:"4.0"] data_version
+    #
+    # @param [DataMeta] data_meta
+    #
+    # @param [Affects, nil] affects
+    #
+    # @param [Array<Configuration>] configuration
+    #
+    # @param [ArrayProblemType>] problemtype
+    #
+    # @param [Array<Reference>] references
+    #
+    # @param [Array<Description>] description
+    #
+    # @param [Array<Exploit>] exploit
+    #
+    # @param [Array<Credit>] credit
+    #
+    # @param [Array<Impact>] impact
+    #
+    # @param [Array<Solution>] solution
+    #
+    # @param [Source, nil] source
+    #
+    # @param [Array<WorkAround>] work_around
+    #
+    # @param [Array<Timeline>] timeline
+    #
+    # @api semipublic
+    #
+    def initialize(data_type: , data_format: , data_version: , data_meta: ,
+                   affects: nil,
+                   configuration: [],
+                   problemtype: [],
+                   references: [],
+                   description: [],
+                   exploit: [],
+                   credit: [],
+                   impact: nil,
+                   solution: [],
+                   source: nil,
+                   work_around: [],
+                   timeline: []
+                  )
+      @data_type    = data_type
+      @data_format  = data_format
+      @data_version = data_version
+
+      @data_meta = data_meta
+      @affects   = affects
+      @configuration = configuration
+      @problemtype = problemtype
+      @references = references
+      @description = description
+      @exploit = exploit
+      @credit = credit
+      @impact = impact
+      @solution = solution
+      @source = source
+      @work_around = work_around
+      @timeline = timeline
+    end
+
+    #
+    # Maps the JSON Hash into a Symbols Hash for {#initialize}.
+    #
+    # @param [Hash{String => Object}] json
+    #   The parsed JSON.
+    #
+    # @return [Hash{Symbol => Object}]
+    #   The maped Symbol Hash.
+    #   
+    # @raise [MissingJSONKey]
+    #   The `"data_type"`, `"data_format"`, `"data_version"`, or
+    #   `"CVE_data_key"` JSON keys were missing.
+    #
+    # @api semipublic
+    #
+    def self.from_json(json)
+      {
+        data_type:    if (data_type = json['data_type'])
+                        DATA_TYPES.fetch(data_type) do
+                          raise UnknownJSONValue.new('data_type',data_type)
+                        end
+                      else
+                        raise MissingJSONKey.new('data_type')
+                      end,
+
+        data_format:  if (data_format = json['data_format'])
+                        DATA_FORMAT.fetch(data_format) do
+                          raise UnknownJSONValue.new('data_format',data_format)
+                        end
+                      else
+                        raise MissingJSONKey.new('data_format')
+                      end,
+
+        data_version: if (data_version = json['data_version'])
+                        DATA_VERSIONS.fetch(data_version) do
+                          raise UnknownJSONValue.new('data_version',data_version)
+                        end
+                      else
+                        raise MissingJSONKey.new('data_version')
+                      end,
+
+        data_meta: if (cve_data_meta = json['CVE_data_meta'])
+                     DataMeta.load(cve_data_meta)
+                   else
+                     raise MissingJSONKey.new('CVE_data_meta')
+                   end,
+
+        affects:   json['affects'] && Affects.load(json['affects']),
+        configuration: Array(json['configuration']).map(&Configuration.method(:load)),
+        problemtype: Array(json['problemtype'] && json['problemtype']['problemtype_data']).map(&ProblemType.method(:load)),
+
+        references: Array(json['references'] && json['references']['reference_data']).map(&Reference.method(:load)),
+
+        description: Array(json['description'] && json['description']['description_data']).map(&Description.method(:load)),
+
+        exploit: Array(json['exploit']).map(&Exploit.method(:load)),
+        credit: Array(json['credit']).map(&Credit.method(:load)),
+        impact: json['impact'] && Impact.load(json['impact']),
+        solution: Array(json['solution']).map(&Solution.method(:load)),
+        source: json['source'] && Source.load(json['source']),
+        work_around: Array(json['work_around']).map(&WorkAround.method(:load)),
+        timeline: Array(json['timeline']).map(&Timeline.method(:load))
+      }
+    end
+
+    #
+    # Loads the CVE data from parsed JSON.
+    #
+    # @param [Hash{String => Object}] json
+    #   The parsed JSON.
+    #
+    # @return [self]
+    #
+    # @raise [MissingJSONKey]
+    #   The `"data_type"`, `"data_format"`, `"data_version"`, or
+    #   `"CVE_data_key"` JSON keys were missing.
+    #
+    # @api public
+    #
+    def self.load(json)
+      new(**from_json(json))
+    end
+
+  end
+end