fidius-cvedb 0.0.5 → 0.0.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/Rakefile +3 -2
 - data/lib/cveparser/parser.rb +2 -1
 - data/lib/fidius-cvedb.rb +1 -0
 - data/lib/fidius-cvedb/version.rb +1 -1
 - data/test/cve_parser_test.rb +10 -4
 - data/test/test_3_entries.xml +99 -0
 - metadata +4 -3
 
    
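--- a/data/Rakefile
+++ b/data/Rakefile
@@ -1,4 +1,4 @@
-require 'rubygems'
+require 'rubygems' # ruby 1.8
 require 'bundler'
 require 'rake/clean'
 
@@ -6,10 +6,11 @@ Bundler::GemHelper.install_tasks
 
 CLOBBER.include 'pkg'
 
+TEST_FILE = File.join('test', 'cve_parser_test.rb')
 
 namespace :nvd do
-
   desc 'Test parsing functionality of the gem.'
   task :test do
+    sh "ruby #{TEST_FILE}"
   end
 end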
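Review bot: `sh "ruby #{TEST_FILE}"` in the new body of `nvd:test` hands the whole command to a shell and picks up whichever `ruby` is first on PATH, which may not be the interpreter running Rake. Rake's `FileUtils` already provides a `ruby` helper that runs the current interpreter, so `ruby TEST_FILE` (or the list form `sh 'ruby', TEST_FILE`, which skips the shell) is the more robust spelling; with a fixed constant path this is a style point rather than an injection risk. A short comment on the new constant would also help readers, e.g. `# Unit tests for the NVD parser, run via "rake nvd:test"`.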
    
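--- a/data/lib/cveparser/parser.rb
+++ b/data/lib/cveparser/parser.rb
@@ -1,7 +1,8 @@
 # Author::    FIDIUS (mailto:grp-fidius@tzi.de) 
 # License::   Distributes under the same terms as fidius-cvedb Gem
+PARSER_DIR = File.dirname(File.expand_path(__FILE__))
 
-require "#{ 
+require "#{PARSER_DIR}/parser_model"
 require 'rubygems'
 require 'nokogiri'
 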
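Review bot: `PARSER_DIR` on the new line 3 is a top-level constant, so it leaks into every program that requires this gem and will raise an "already initialized constant" warning whenever another library defines the same name. It is only used by the `require` on line 5, so `require File.expand_path('../parser_model', __FILE__)` does the same job without a global and, unlike `require_relative`, still works on Ruby 1.8, which the Rakefile comment in this release names as a target. If the constant is kept it belongs inside the `FIDIUS::NVDParser` namespace that the test file includes, with a one-line comment such as `# Directory of this file; used to locate the sibling parser_model.rb`.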
    
        data/lib/fidius-cvedb.rb
    CHANGED
    
    
    
        data/lib/fidius-cvedb/version.rb
    CHANGED
    
    
    
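--- a/data/test/cve_parser_test.rb
+++ b/data/test/cve_parser_test.rb
@@ -1,4 +1,7 @@
-
+TEST_DIR = File.dirname(File.expand_path(__FILE__))
+LIB_DIR = File.join(TEST_DIR, '..', 'lib', 'cveparser')
+
+$LOAD_PATH.unshift LIB_DIR
 require 'parser'
 require 'test/unit'
 
@@ -7,17 +10,20 @@ class TestCveParser < Test::Unit::TestCase
   include FIDIUS::NVDParser
 
   def test_should_parse_2_0_only
-    assert_raise(RuntimeError) { FIDIUS::NVDParser.parse_cve_file 
+    assert_raise(RuntimeError) { FIDIUS::NVDParser.parse_cve_file(
+                                 File.join(TEST_DIR, 'test_v2.xml')) }
   end
 
   def test_should_find_1_reference
-    entries = FIDIUS::NVDParser.parse_cve_file 
+    entries = FIDIUS::NVDParser.parse_cve_file(
+                File.join(TEST_DIR, 'test_references.xml'))
     assert_equal 1, entries.first.references.size, "The test_references.xml " +
         "contains one reference which should be found."
   end
 
   def test_should_find_3_nvd_entries
-    entries = FIDIUS::NVDParser.parse_cve_file 
+    entries = FIDIUS::NVDParser.parse_cve_file(
+                File.join(TEST_DIR, 'test_3_entries.xml'))
     assert_equal 3, entries.size, "The test_entries.xml contains 3 NVD " +
         "entries which should be returned in an array."
   end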
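Review bot: After `$LOAD_PATH.unshift LIB_DIR` on the new line 4, the `require 'parser'` on line 5 is resolved purely by load-path order, and `parser` is a generic feature name that a separately installed gem can also provide; if something (Bundler, another test helper) reorders the load path, the suite would silently load the wrong library. Requiring the file explicitly, `require File.join(LIB_DIR, 'parser')`, pins the tests to the gem's own parser.rb and makes the `$LOAD_PATH` edit unnecessary. Separately, the assertion message on line 27 still names `test_entries.xml` while the fixture passed on the new line 26 is `test_3_entries.xml`; `"The test_3_entries.xml contains 3 NVD " +` keeps failure output accurate. The enclosing class `TestCveParser` opens before this hunk.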
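--- /dev/null
+++ b/data/test/test_3_entries.xml
@@ -0,0 +1,99 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<nvd xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:cvss="http://scap.nist.gov/schema/cvss-v2/0.2" xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0" nvd_xml_version="2.0" pub_date="2011-02-10T06:05:00" xsi:schemaLocation="http://scap.nist.gov/schema/feed/vulnerability/2.0 http://nvd.nist.gov/schema/nvd-cve-feed_2.0.xsd">
+    <entry id="CVE-2009-5051">
+        <vuln:vulnerable-configuration id="http://nvd.nist.gov">
+            <cpe-lang:logical-test negate="false" operator="OR">
+                <cpe-lang:fact-ref name="cpe:/a:hastymail:hastymail2::beta1" />
+            </cpe-lang:logical-test>
+        </vuln:vulnerable-configuration>
+        <vuln:vulnerable-software-list>
+            <vuln:product>cpe:/a:hastymail:hastymail2::rc7</vuln:product>
+        </vuln:vulnerable-software-list>
+        <vuln:cve-id>CVE-2009-5051</vuln:cve-id>
+        <vuln:published-datetime>2011-01-18T13:03:06.533-05:00</vuln:published-datetime>
+        <vuln:last-modified-datetime>2011-01-18T00:00:00.000-05:00</vuln:last-modified-datetime>
+        <vuln:cvss>
+            <cvss:base_metrics>
+                <cvss:score>5.0</cvss:score>
+                <cvss:access-vector>NETWORK</cvss:access-vector>
+                <cvss:access-complexity>LOW</cvss:access-complexity>
+                <cvss:authentication>NONE</cvss:authentication>
+                <cvss:confidentiality-impact>PARTIAL</cvss:confidentiality-impact>
+                <cvss:integrity-impact>NONE</cvss:integrity-impact>
+                <cvss:availability-impact>NONE</cvss:availability-impact>
+                <cvss:source>http://nvd.nist.gov</cvss:source>
+                <cvss:generated-on-datetime>2011-01-18T13:11:00.000-05:00</cvss:generated-on-datetime>
+            </cvss:base_metrics>
+        </vuln:cvss>
+        <vuln:cwe id="CWE-16" />
+        <vuln:references xml:lang="en" reference_type="UNKNOWN">
+            <vuln:source>CONFIRM</vuln:source>
+            <vuln:reference xml:lang="en" href="http://www.hastymail.org/security/">http://www.hastymail.org/security/</vuln:reference>
+        </vuln:references>
+        <vuln:summary>Hastymail2 before RC 8 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.</vuln:summary>
+    </entry>
+    <entry id="CVE-2010-4166">
+        <vuln:vulnerable-configuration id="http://nvd.nist.gov">
+            <cpe-lang:logical-test negate="false" operator="OR">
+                <cpe-lang:fact-ref name="cpe:/a:joomla:joomla%21:1.5.13" />
+            </cpe-lang:logical-test>
+        </vuln:vulnerable-configuration>
+        <vuln:vulnerable-software-list>
+            <vuln:product>cpe:/a:joomla:joomla%21:1.5.9</vuln:product>
+        </vuln:vulnerable-software-list>
+        <vuln:cve-id>CVE-2010-4166</vuln:cve-id>
+        <vuln:published-datetime>2011-01-18T13:03:06.830-05:00</vuln:published-datetime>
+        <vuln:last-modified-datetime>2011-01-20T00:00:00.000-05:00</vuln:last-modified-datetime>
+        <vuln:cvss>
+            <cvss:base_metrics>
+                <cvss:score>7.5</cvss:score>
+                <cvss:access-vector>NETWORK</cvss:access-vector>
+                <cvss:access-complexity>LOW</cvss:access-complexity>
+                <cvss:authentication>NONE</cvss:authentication>
+                <cvss:confidentiality-impact>PARTIAL</cvss:confidentiality-impact>
+                <cvss:integrity-impact>PARTIAL</cvss:integrity-impact>
+                <cvss:availability-impact>PARTIAL</cvss:availability-impact>
+                <cvss:source>http://nvd.nist.gov</cvss:source>
+                <cvss:generated-on-datetime>2011-01-18T13:26:00.000-05:00</cvss:generated-on-datetime>
+            </cvss:base_metrics>
+        </vuln:cvss>
+        <vuln:cwe id="CWE-89" />
+        <vuln:references xml:lang="en" reference_type="UNKNOWN">
+            <vuln:source>MISC</vuln:source>
+            <vuln:reference xml:lang="en" href="http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_%28filter_order_Dir%29_front.jpg">http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_%28filter_order_Dir%29_front.jpg</vuln:reference>
+        </vuln:references>
+        <vuln:summary>Multiple SQL injection vulnerabilities in Joomla! 1.5.x before 1.5.22 allow remote attackers to execute arbitrary SQL commands via (1) the filter_order parameter in a com_weblinks category action to index.php, (2) the filter_order_Dir parameter in a com_weblinks category action to index.php, or (3) the filter_order_Dir parameter in a com_messages action to administrator/index.php.</vuln:summary>
+    </entry>
+    <entry id="CVE-2010-4263">
+        <vuln:vulnerable-configuration id="http://nvd.nist.gov">
+            <cpe-lang:logical-test negate="false" operator="OR">
+                <cpe-lang:fact-ref name="cpe:/a:joomla:joomla%21:1.5.13" />
+            </cpe-lang:logical-test>
+        </vuln:vulnerable-configuration>
+        <vuln:vulnerable-software-list>
+            <vuln:product>cpe:/a:joomla:joomla%21:1.5.9</vuln:product>
+        </vuln:vulnerable-software-list>
+        <vuln:cve-id>CVE-2010-4166</vuln:cve-id>
+        <vuln:published-datetime>2011-01-18T13:03:06.830-05:00</vuln:published-datetime>
+        <vuln:last-modified-datetime>2011-01-20T00:00:00.000-05:00</vuln:last-modified-datetime>
+        <vuln:cvss>
+            <cvss:base_metrics>
+                <cvss:score>7.5</cvss:score>
+                <cvss:access-vector>NETWORK</cvss:access-vector>
+                <cvss:access-complexity>LOW</cvss:access-complexity>
+                <cvss:authentication>NONE</cvss:authentication>
+                <cvss:confidentiality-impact>PARTIAL</cvss:confidentiality-impact>
+                <cvss:integrity-impact>PARTIAL</cvss:integrity-impact>
+                <cvss:availability-impact>PARTIAL</cvss:availability-impact>
+                <cvss:source>http://nvd.nist.gov</cvss:source>
+                <cvss:generated-on-datetime>2011-01-18T13:26:00.000-05:00</cvss:generated-on-datetime>
+            </cvss:base_metrics>
+        </vuln:cvss>
+        <vuln:cwe id="CWE-89" />
+        <vuln:references xml:lang="en" reference_type="UNKNOWN">
+            <vuln:source>MISC</vuln:source>
+            <vuln:reference xml:lang="en" href="http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_%28filter_order_Dir%29_front.jpg">http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_%28filter_order_Dir%29_front.jpg</vuln:reference>
+        </vuln:references>
+        <vuln:summary>Multiple SQL injection vulnerabilities in Joomla! 1.5.x before 1.5.22 allow remote attackers to execute arbitrary SQL commands via (1) the filter_order parameter in a com_weblinks category action to index.php, (2) the filter_order_Dir parameter in a com_weblinks category action to index.php, or (3) the filter_order_Dir parameter in a com_messages action to administrator/index.php.</vuln:summary>
+    </entry>
+</nvd>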
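Review bot: The third fixture entry (new lines 67–98) carries `<entry id="CVE-2010-4263">` but its `<vuln:cve-id>` on line 76 repeats `CVE-2010-4166` from the second entry, so the file does not actually hold three distinct CVE identifiers. `test_should_find_3_nvd_entries` only asserts `entries.size`, so it passes either way, but any later check that keys entries by cve-id (presumably the natural primary key for the database this gem populates) would see a collision here and blame the parser rather than the fixture. Changing line 76 to `<vuln:cve-id>CVE-2010-4263</vuln:cve-id>` makes the fixture self-consistent without affecting the existing assertion.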
    
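--- a/metadata
+++ b/metadata
@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version 
   segments: 
   - 0
   - 0
-  -  
-  version: 0.0. 
+  - 6
+  version: 0.0.6
 platform: ruby
 authors: 
 - Andreas Bender
@@ -15,7 +15,7 @@ autorequire: 
 bindir: bin
 cert_chain: []
 
-date: 2011-02- 
+date: 2011-02-25 00:00:00 +01:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -82,6 +82,7 @@ files: 
 - lib/tasks/nvd_migrate.rake
 - lib/tasks/parse_cves.rake
 - test/cve_parser_test.rb
+- test/test_3_entries.xml
 - test/test_references.xml
 - test/test_v2.xml
 has_rdoc: true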