fidius-cvedb 0.0.5 → 0.0.6

data/Rakefile

@@ -1,4 +1,4 @@
-require 'rubygems'
+require 'rubygems' # ruby 1.8
 require 'bundler'
 require 'rake/clean'
 
@@ -6,10 +6,11 @@ Bundler::GemHelper.install_tasks
 
 CLOBBER.include 'pkg'
 
+TEST_FILE = File.join('test', 'cve_parser_test.rb')
 
 namespace :nvd do
-
   desc 'Test parsing functionality of the gem.'
   task :test do
+    sh "ruby #{TEST_FILE}"
   end
 end

data/lib/cveparser/parser.rb

@@ -1,7 +1,8 @@
 # Author::    FIDIUS (mailto:grp-fidius@tzi.de) 
 # License::   Distributes under the same terms as fidius-cvedb Gem
+PARSER_DIR = File.dirname(File.expand_path(__FILE__))
 
-require "#{FIDIUS::CveDb::GEM_BASE}/cveparser/parser_model"
+require "#{PARSER_DIR}/parser_model"
 require 'rubygems'
 require 'nokogiri'
 

data/lib/fidius-cvedb.rb

@@ -1,4 +1,5 @@
 require 'fidius-cvedb/version'
+require 'active_record'
 
 module FIDIUS
   module CveDb

data/lib/fidius-cvedb/version.rb

@@ -1,5 +1,5 @@
 module FIDIUS
   module CveDb
-    VERSION = "0.0.5"
+    VERSION = "0.0.6"
   end
 end

data/test/cve_parser_test.rb

@@ -1,4 +1,7 @@
-$LOAD_PATH.unshift File.expand_path("../lib/cveparser/")
+TEST_DIR = File.dirname(File.expand_path(__FILE__))
+LIB_DIR = File.join(TEST_DIR, '..', 'lib', 'cveparser')
+
+$LOAD_PATH.unshift LIB_DIR
 require 'parser'
 require 'test/unit'
 
@@ -7,17 +10,20 @@ class TestCveParser < Test::Unit::TestCase
   include FIDIUS::NVDParser
   
   def test_should_parse_2_0_only
-    assert_raise(RuntimeError) { FIDIUS::NVDParser.parse_cve_file 'test_v2.xml' }
+    assert_raise(RuntimeError) { FIDIUS::NVDParser.parse_cve_file(
+                                 File.join(TEST_DIR, 'test_v2.xml')) }
   end
   
   def test_should_find_1_reference
-    entries = FIDIUS::NVDParser.parse_cve_file 'test_references.xml'
+    entries = FIDIUS::NVDParser.parse_cve_file(
+                File.join(TEST_DIR, 'test_references.xml'))
     assert_equal 1, entries.first.references.size, "The test_references.xml " +
         "contains one reference which should be found."
   end
   
   def test_should_find_3_nvd_entries
-    entries = FIDIUS::NVDParser.parse_cve_file 'test_entries.xml'
+    entries = FIDIUS::NVDParser.parse_cve_file(
+                File.join(TEST_DIR, 'test_3_entries.xml'))
     assert_equal 3, entries.size, "The test_entries.xml contains 3 NVD " +
         "entries which should be returned in an array."
   end

data/test/test_3_entries.xml

@@ -0,0 +1,99 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<nvd xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:cvss="http://scap.nist.gov/schema/cvss-v2/0.2" xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0" nvd_xml_version="2.0" pub_date="2011-02-10T06:05:00" xsi:schemaLocation="http://scap.nist.gov/schema/feed/vulnerability/2.0 http://nvd.nist.gov/schema/nvd-cve-feed_2.0.xsd">
+    <entry id="CVE-2009-5051">
+        <vuln:vulnerable-configuration id="http://nvd.nist.gov">
+            <cpe-lang:logical-test negate="false" operator="OR">
+                <cpe-lang:fact-ref name="cpe:/a:hastymail:hastymail2::beta1" />
+            </cpe-lang:logical-test>
+        </vuln:vulnerable-configuration>
+        <vuln:vulnerable-software-list>
+            <vuln:product>cpe:/a:hastymail:hastymail2::rc7</vuln:product>
+        </vuln:vulnerable-software-list>
+        <vuln:cve-id>CVE-2009-5051</vuln:cve-id>
+        <vuln:published-datetime>2011-01-18T13:03:06.533-05:00</vuln:published-datetime>
+        <vuln:last-modified-datetime>2011-01-18T00:00:00.000-05:00</vuln:last-modified-datetime>
+        <vuln:cvss>
+            <cvss:base_metrics>
+                <cvss:score>5.0</cvss:score>
+                <cvss:access-vector>NETWORK</cvss:access-vector>
+                <cvss:access-complexity>LOW</cvss:access-complexity>
+                <cvss:authentication>NONE</cvss:authentication>
+                <cvss:confidentiality-impact>PARTIAL</cvss:confidentiality-impact>
+                <cvss:integrity-impact>NONE</cvss:integrity-impact>
+                <cvss:availability-impact>NONE</cvss:availability-impact>
+                <cvss:source>http://nvd.nist.gov</cvss:source>
+                <cvss:generated-on-datetime>2011-01-18T13:11:00.000-05:00</cvss:generated-on-datetime>
+            </cvss:base_metrics>
+        </vuln:cvss>
+        <vuln:cwe id="CWE-16" />
+        <vuln:references xml:lang="en" reference_type="UNKNOWN">
+            <vuln:source>CONFIRM</vuln:source>
+            <vuln:reference xml:lang="en" href="http://www.hastymail.org/security/">http://www.hastymail.org/security/</vuln:reference>
+        </vuln:references>
+        <vuln:summary>Hastymail2 before RC 8 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.</vuln:summary>
+    </entry>
+    <entry id="CVE-2010-4166">
+        <vuln:vulnerable-configuration id="http://nvd.nist.gov">
+            <cpe-lang:logical-test negate="false" operator="OR">
+                <cpe-lang:fact-ref name="cpe:/a:joomla:joomla%21:1.5.13" />
+            </cpe-lang:logical-test>
+        </vuln:vulnerable-configuration>
+        <vuln:vulnerable-software-list>
+            <vuln:product>cpe:/a:joomla:joomla%21:1.5.9</vuln:product>
+        </vuln:vulnerable-software-list>
+        <vuln:cve-id>CVE-2010-4166</vuln:cve-id>
+        <vuln:published-datetime>2011-01-18T13:03:06.830-05:00</vuln:published-datetime>
+        <vuln:last-modified-datetime>2011-01-20T00:00:00.000-05:00</vuln:last-modified-datetime>
+        <vuln:cvss>
+            <cvss:base_metrics>
+                <cvss:score>7.5</cvss:score>
+                <cvss:access-vector>NETWORK</cvss:access-vector>
+                <cvss:access-complexity>LOW</cvss:access-complexity>
+                <cvss:authentication>NONE</cvss:authentication>
+                <cvss:confidentiality-impact>PARTIAL</cvss:confidentiality-impact>
+                <cvss:integrity-impact>PARTIAL</cvss:integrity-impact>
+                <cvss:availability-impact>PARTIAL</cvss:availability-impact>
+                <cvss:source>http://nvd.nist.gov</cvss:source>
+                <cvss:generated-on-datetime>2011-01-18T13:26:00.000-05:00</cvss:generated-on-datetime>
+            </cvss:base_metrics>
+        </vuln:cvss>
+        <vuln:cwe id="CWE-89" />
+        <vuln:references xml:lang="en" reference_type="UNKNOWN">
+            <vuln:source>MISC</vuln:source>
+            <vuln:reference xml:lang="en" href="http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_%28filter_order_Dir%29_front.jpg">http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_%28filter_order_Dir%29_front.jpg</vuln:reference>
+        </vuln:references>
+        <vuln:summary>Multiple SQL injection vulnerabilities in Joomla! 1.5.x before 1.5.22 allow remote attackers to execute arbitrary SQL commands via (1) the filter_order parameter in a com_weblinks category action to index.php, (2) the filter_order_Dir parameter in a com_weblinks category action to index.php, or (3) the filter_order_Dir parameter in a com_messages action to administrator/index.php.</vuln:summary>
+    </entry>
+    <entry id="CVE-2010-4263">
+        <vuln:vulnerable-configuration id="http://nvd.nist.gov">
+            <cpe-lang:logical-test negate="false" operator="OR">
+                <cpe-lang:fact-ref name="cpe:/a:joomla:joomla%21:1.5.13" />
+            </cpe-lang:logical-test>
+        </vuln:vulnerable-configuration>
+        <vuln:vulnerable-software-list>
+            <vuln:product>cpe:/a:joomla:joomla%21:1.5.9</vuln:product>
+        </vuln:vulnerable-software-list>
+        <vuln:cve-id>CVE-2010-4166</vuln:cve-id>
+        <vuln:published-datetime>2011-01-18T13:03:06.830-05:00</vuln:published-datetime>
+        <vuln:last-modified-datetime>2011-01-20T00:00:00.000-05:00</vuln:last-modified-datetime>
+        <vuln:cvss>
+            <cvss:base_metrics>
+                <cvss:score>7.5</cvss:score>
+                <cvss:access-vector>NETWORK</cvss:access-vector>
+                <cvss:access-complexity>LOW</cvss:access-complexity>
+                <cvss:authentication>NONE</cvss:authentication>
+                <cvss:confidentiality-impact>PARTIAL</cvss:confidentiality-impact>
+                <cvss:integrity-impact>PARTIAL</cvss:integrity-impact>
+                <cvss:availability-impact>PARTIAL</cvss:availability-impact>
+                <cvss:source>http://nvd.nist.gov</cvss:source>
+                <cvss:generated-on-datetime>2011-01-18T13:26:00.000-05:00</cvss:generated-on-datetime>
+            </cvss:base_metrics>
+        </vuln:cvss>
+        <vuln:cwe id="CWE-89" />
+        <vuln:references xml:lang="en" reference_type="UNKNOWN">
+            <vuln:source>MISC</vuln:source>
+            <vuln:reference xml:lang="en" href="http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_%28filter_order_Dir%29_front.jpg">http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_%28filter_order_Dir%29_front.jpg</vuln:reference>
+        </vuln:references>
+        <vuln:summary>Multiple SQL injection vulnerabilities in Joomla! 1.5.x before 1.5.22 allow remote attackers to execute arbitrary SQL commands via (1) the filter_order parameter in a com_weblinks category action to index.php, (2) the filter_order_Dir parameter in a com_weblinks category action to index.php, or (3) the filter_order_Dir parameter in a com_messages action to administrator/index.php.</vuln:summary>
+    </entry>
+</nvd>

metadata

@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
   segments: 
   - 0
   - 0
-  - 5
-  version: 0.0.5
+  - 6
+  version: 0.0.6
 platform: ruby
 authors: 
 - Andreas Bender
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-02-16 00:00:00 +01:00
+date: 2011-02-25 00:00:00 +01:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -82,6 +82,7 @@ files:
 - lib/tasks/nvd_migrate.rake
 - lib/tasks/parse_cves.rake
 - test/cve_parser_test.rb
+- test/test_3_entries.xml
 - test/test_references.xml
 - test/test_v2.xml
 has_rdoc: true