spiderlabs / cve_server
Simple REST-style web service for the CVE searching
License: Apache License 2.0
References:
https://nvd.nist.gov/vuln/data-feeds#JSON_FEED
It could also be a good idea to add the CVSS 3 attributes and support for the new CVE-ID format.
https://github.com/SpiderLabs/cve_server/blob/master/scripts/install.sh#L122
these arguments should be properly escaped
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
When this is echoed to the user, the variables are empty, so the copy/paste does not work.
This would make the deployment of a CVE server so much easier to do.
Let me know if you want help or suggestions there; I know for a fact that if it were dockerized I could make use of this tomorrow.
When doing a request to http://localhost:9292/v1/cves/CVE-2018-5744 I get multiple CVEs:
There are Ruby gems that are not compatible with 2.4.1; we must update them.
The NVD was recently updated and the URL to get the XML files is:
I think we can really drive adoption and interest in the CVE server project if we simply provide a ready-made VM with the CVE server installed. Alternatively, what if you could provide an installation/setup script that made it dirt simple for someone to take a vanilla Ubuntu build and "curl path | bash" for a guided install.
I think this is the one missing link to getting people really excited about using this internally.
I'm also willing to help if you guys haven't already started pursuing this or have interest in doing it yourselves.
HUGS
Hello!
After testing your application I was faced with an interesting issue.
I tried to ask for CVEs for postgresql:postgresql:9.3.10 (with: /v1/cpe_with_version/postgresql:postgresql:9.3.10).
And it returns some CVEs: ["CVE-2016-5423","CVE-2016-5424","CVE-2017-12172","CVE-2017-15098","CVE-2017-7484","CVE-2017-7485","CVE-2017-7486","CVE-2017-7546","CVE-2017-7547"]
These are good, but in the JSON that the program fetched there are more CVEs for that module, and here you can see the remaining missing CVEs: cvedetails.com
I checked the CVEs and it looks like, where there is an exact version number under configurations->nodes->{0} (just for example)->cpe_match->{0} cpe23uri, the endpoint returns it.
BUT if in this node there is a "versionStartIncluding" : "9.3", "versionEndIncluding" : "11.2" (for example), this CVE is not returned (CVE-2019-9193). This is false; you can see this on cvedetails.com
In MongoDB, here is an example of the good CVE:
{ "_id" : ObjectId("5e85cfb2aac28c4aa9e6c6de"), "id" : "CVE-2016-5424", "summary" : "PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users with the CREATEDB or CREATEROLE role to gain superuser privileges via a (1) \" (double quote), (2) \\ (backslash), (3) carriage return, or (4) newline character in a (a) database or (b) role name that is mishandled during an administrative operation.", "cwe" : "CWE-94", "published_at" : ISODate("2016-12-09T23:59:00Z"), "updated_at" : ISODate("2018-01-05T02:31:00Z"), "cvss" : { "access_vector" : "NETWORK", "access_complexity" : "HIGH", "authentication" : "SINGLE", "confidentiality_impact" : "PARTIAL", "integrity_impact" : "PARTIAL", "availability_impact" : "PARTIAL", "base_score" : 4.6, "vector" : "AV:N/AC:H/Au:S/C:P/I:P/A:P" }, "cvssv3" : { "attack_vector" : "NETWORK", "attack_complexity" : "HIGH", "privileges_required" : "LOW", "user_interaction" : "REQUIRED", "scope" : "UNCHANGED", "confidentiality_impact" : "HIGH", "integrity_impact" : "HIGH", "availability_impact" : "HIGH", "base_score" : 7.1, "base_severity" : "HIGH", "vector" : "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H" }, "references" : [ { "href" : "http://rhn.redhat.com/errata/RHSA-2016-1781.html" }, { "href" : "http://rhn.redhat.com/errata/RHSA-2016-1820.html" }, { "href" : "http://rhn.redhat.com/errata/RHSA-2016-1821.html" }, { "href" : "http://rhn.redhat.com/errata/RHSA-2016-2606.html" }, { "href" : "http://www.debian.org/security/2016/dsa-3646" }, { "href" : "http://www.securityfocus.com/bid/92435" }, { "href" : "http://www.securitytracker.com/id/1036617" }, { "href" : "https://access.redhat.com/errata/RHSA-2017:2425" }, { "href" : "https://security.gentoo.org/glsa/201701-33" }, { "href" : "https://www.postgresql.org/about/news/1688/" }, { "href" : "https://www.postgresql.org/docs/current/static/release-9-1-23.html" }, { "href" : 
"https://www.postgresql.org/docs/current/static/release-9-2-18.html" }, { "href" : "https://www.postgresql.org/docs/current/static/release-9-3-14.html" }, { "href" : "https://www.postgresql.org/docs/current/static/release-9-4-9.html" }, { "href" : "https://www.postgresql.org/docs/current/static/release-9-5-4.html" } ], "cpes_affected" : [ ], "cpes" : [ "debian:debian_linux", "postgresql:postgresql" ], "cpes_with_version" : [ "debian:debian_linux:8.0", "postgresql:postgresql", "postgresql:postgresql:9.2", "postgresql:postgresql:9.2.1", "postgresql:postgresql:9.2.2", "postgresql:postgresql:9.2.3", "postgresql:postgresql:9.2.4", "postgresql:postgresql:9.2.5", "postgresql:postgresql:9.2.6", "postgresql:postgresql:9.2.7", "postgresql:postgresql:9.2.8", "postgresql:postgresql:9.2.9", "postgresql:postgresql:9.2.10", "postgresql:postgresql:9.2.11", "postgresql:postgresql:9.2.12", "postgresql:postgresql:9.2.13", "postgresql:postgresql:9.2.14", "postgresql:postgresql:9.2.15", "postgresql:postgresql:9.2.16", "postgresql:postgresql:9.2.17", "postgresql:postgresql:9.3", "postgresql:postgresql:9.3.1", "postgresql:postgresql:9.3.2", "postgresql:postgresql:9.3.3", "postgresql:postgresql:9.3.4", "postgresql:postgresql:9.3.5", "postgresql:postgresql:9.3.6", "postgresql:postgresql:9.3.7", "postgresql:postgresql:9.3.8", "postgresql:postgresql:9.3.9", "postgresql:postgresql:9.3.10", "postgresql:postgresql:9.3.11", "postgresql:postgresql:9.3.12", "postgresql:postgresql:9.3.13", "postgresql:postgresql:9.4", "postgresql:postgresql:9.4.1", "postgresql:postgresql:9.4.2", "postgresql:postgresql:9.4.3", "postgresql:postgresql:9.4.4", "postgresql:postgresql:9.4.5", "postgresql:postgresql:9.4.6", "postgresql:postgresql:9.4.7", "postgresql:postgresql:9.4.8", "postgresql:postgresql:9.5", "postgresql:postgresql:9.5.1", "postgresql:postgresql:9.5.2", "postgresql:postgresql:9.5.3" ] }
And for the bad one:
{ "_id" : ObjectId("5e85cfb2aac28c4aa9e6cc56"), "id" : "CVE-2016-7048", "summary" : "The interactive installer in PostgreSQL before 9.3.15, 9.4.x before 9.4.10, and 9.5.x before 9.5.5 might allow remote attackers to execute arbitrary code by leveraging use of HTTP to download software.", "cwe" : "CWE-284", "published_at" : ISODate("2018-08-20T21:29:00Z"), "updated_at" : ISODate("2018-10-12T20:12:00Z"), "cvss" : { "access_vector" : "NETWORK", "access_complexity" : "MEDIUM", "authentication" : "NONE", "confidentiality_impact" : "COMPLETE", "integrity_impact" : "COMPLETE", "availability_impact" : "COMPLETE", "base_score" : 9.3, "vector" : "AV:N/AC:M/Au:N/C:C/I:C/A:C" }, "cvssv3" : { "attack_vector" : "NETWORK", "attack_complexity" : "HIGH", "privileges_required" : "NONE", "user_interaction" : "NONE", "scope" : "UNCHANGED", "confidentiality_impact" : "HIGH", "integrity_impact" : "HIGH", "availability_impact" : "HIGH", "base_score" : 8.1, "base_severity" : "HIGH", "vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "references" : [ { "href" : "https://bugzilla.redhat.com/show_bug.cgi?id=1378043" }, { "href" : "https://www.postgresql.org/support/security/" } ], "cpes_affected" : [ ], "cpes" : [ "postgresql:postgresql" ], "cpes_with_version" : [ "postgresql:postgresql" ] }
Could you fix that problem? The server should watch for these versionStartIncluding and versionEndIncluding numbers.
Thank you!
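As an added example (not cve_server's own code) of the range handling this report asks for: a check of a queried vendor:product:version against NVD JSON 1.1 cpe_match entries that honours versionStartIncluding/versionEndIncluding (and their Excluding counterparts) as well as an exact version pinned in cpe23Uri. The sample CVE document and its ID are constructed, not taken from the feed.

```ruby
require 'rubygems'
require 'json'

# Added example (not cve_server's own code): decide whether a CPE with a concrete
# version is covered by an NVD JSON 1.1 "cpe_match" entry. It honours the
# versionStart/End{Including,Excluding} range fields as well as an exact version
# embedded in cpe23Uri, which is the case the issue says is currently missed.

# "cpe:2.3:a:postgresql:postgresql:9.3.10:*:..." -> ["postgresql", "postgresql", "9.3.10"]
# A version field of "*" means the entry is not pinned to a single version.
def cpe23_parts(uri)
  f = uri.split(':')
  [f[3], f[4], f[5]]
end

# Gem::Version (stdlib) gives dotted-version ordering, so 9.3.10 sorts after 9.3.
def version_in_range?(ver, m)
  v = Gem::Version.new(ver)
  return false if m['versionStartIncluding'] && v <  Gem::Version.new(m['versionStartIncluding'])
  return false if m['versionStartExcluding'] && v <= Gem::Version.new(m['versionStartExcluding'])
  return false if m['versionEndIncluding']   && v >  Gem::Version.new(m['versionEndIncluding'])
  return false if m['versionEndExcluding']   && v >= Gem::Version.new(m['versionEndExcluding'])
  true
end

# True when this cpe_match entry marks (vendor, product, version) as vulnerable.
def cpe_match_covers?(match, vendor, product, version)
  m_vendor, m_product, m_version = cpe23_parts(match['cpe23Uri'])
  return false unless match['vulnerable'] && m_vendor == vendor && m_product == product
  return m_version == version if m_version != '*'   # exact version pinned in the URI
  version_in_range?(version, match)                 # otherwise consult the range fields
end

# True when any configuration node of the CVE covers the queried CPE version.
def cve_affects?(cve, vendor, product, version)
  cve.fetch('configurations', {}).fetch('nodes', []).any? do |node|
    Array(node['cpe_match']).any? { |m| cpe_match_covers?(m, vendor, product, version) }
  end
end

# Constructed sample: one range-style node shaped like the one described for
# CVE-2019-9193 plus one exact-version node. Not copied from the NVD feed.
SAMPLE_CVE = JSON.parse(<<~JSON)
  { "cve": { "CVE_data_meta": { "ID": "CVE-EXAMPLE-0001" } },
    "configurations": { "nodes": [ { "operator": "OR", "cpe_match": [
      { "vulnerable": true, "cpe23Uri": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*",
        "versionStartIncluding": "9.3", "versionEndIncluding": "11.2" },
      { "vulnerable": true, "cpe23Uri": "cpe:2.3:a:postgresql:postgresql:12.0:*:*:*:*:*:*:*" }
    ] } ] } }
JSON
```

With this, the query for postgresql:postgresql:9.3.10 from the report is matched by the range node even though no cpe23Uri names 9.3.10 explicitly.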
There are several gems based on Capistrano; it is a good idea to find a better way to implement an easy deployment.
When the node.xpath(path)[0] object is nil there is no way to invoke the content method.
A call to http://IP/v1/cpes_affected/ returns []
A call to http://IP/v1/cpes_affected/some_cpe returns {"error":"not-found"}
Hi, nice work.
I am setting up this server and I am getting this error; meanwhile the server itself is working when I check with a CVE.
Uncompressing /root/cve_server/lib/cve_server/../../nvd_data/nvdcve-2002.xml.gz
Exporting data into the CVE collection
/usr/local/rvm/gems/ruby-2.3.0/gems/nokogiri-1.6.7.2/lib/nokogiri/xml/searchable.rb:165:in `evaluate': Undefined namespace prefix: .//vuln:summary (Nokogiri::XML::XPath::SyntaxError)
    from /usr/local/rvm/gems/ruby-2.3.0/gems/nokogiri-1.6.7.2/lib/nokogiri/xml/searchable.rb:165:in `block in xpath'
    from /usr/local/rvm/gems/ruby-2.3.0/gems/nokogiri-1.6.7.2/lib/nokogiri/xml/searchable.rb:156:in `map'
    from /usr/local/rvm/gems/ruby-2.3.0/gems/nokogiri-1.6.7.2/lib/nokogiri/xml/searchable.rb:156:in `xpath'
    from /root/cve_server/lib/cve_server/nvd/entry.rb:30:in `xpath_content'
    from /root/cve_server/lib/cve_server/nvd/entry.rb:16:in `to_hash'
    from /root/cve_server/lib/cve_server/nvd/reader.rb:17:in `block in all_cve'
    from /usr/local/rvm/gems/ruby-2.3.0/gems/nokogiri-1.6.7.2/lib/nokogiri/xml/node_set.rb:187:in `block in each'
    from /usr/local/rvm/gems/ruby-2.3.0/gems/nokogiri-1.6.7.2/lib/nokogiri/xml/node_set.rb:186:in `upto'
    from /usr/local/rvm/gems/ruby-2.3.0/gems/nokogiri-1.6.7.2/lib/nokogiri/xml/node_set.rb:186:in `each'
    from /root/cve_server/lib/cve_server/nvd/reader.rb:16:in `collect'
    from /root/cve_server/lib/cve_server/nvd/reader.rb:16:in `all_cve'
    from ./bin/seed:18:in `block in <main>'
    from ./bin/seed:13:in `each'
    from ./bin/seed:13:in `
Thanks in advance
travis ci is pretty handy for public projects like this, just add a .travis file and have an org admin enable it on the repo. This will mean that new PRs will automatically be run against the unit-tests and will report in the PR request.
Creating this because I noticed all the default URLs are HTTP, which could be MiTM'd.
Maybe cve_server could be adapted to support LetsEncrypt using something like this:
https://github.com/unixcharles/acme-client
By default maybe it could serve a self-signed certificate as a fall-back, but there could be a STDERR/STDOUT nag upon invocation for setting the user's specific LetsEncrypt API key.
There are vulnerabilities for the following gems:
Update those gems to more recent versions
I've addressed this issue, fixed in:
#17
CWEs are clubbed as a string.
For example, for CVE-2016-2107, we get:
"id": "CVE-2016-2107",
...
"cwe": "CWE-310CWE-200",
...
Anyhow, the correct result might be something like:
"id": "CVE-2016-2107",
...
"cwe": [
"CWE-310",
"CWE-200"
],
The reason this is happening is the join in https://github.com/SpiderLabs/cve_server/blob/master/lib/cve_server/nvd/json/entry.rb#L45
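An added example (not cve_server's own code) that pulls the CWE identifiers out of an NVD JSON entry as an array, shown next to the separator-less join that produces "CWE-310CWE-200". The sample entry is constructed after the shape of the NVD feed's problemtype block and reuses the CWE values quoted above; the function names are this example's own.

```ruby
require 'json'

# Added example (not cve_server's own code): extract CWE ids from an NVD JSON
# entry as an array, beside the string-join behaviour the issue reports.

# Every CWE value listed under problemtype_data, in feed order, de-duplicated.
# Missing or empty problemtype blocks yield [] instead of raising.
def cwe_ids(entry)
  entry.dig('cve', 'problemtype', 'problemtype_data').to_a.flat_map do |pt|
    pt.fetch('description', []).map { |d| d['value'] }
  end.compact.uniq
end

# The behaviour the issue reports: Array#join with no separator concatenates
# the ids, so "CWE-310" and "CWE-200" become "CWE-310CWE-200" and a consumer
# cannot split them again reliably.
def cwe_joined(entry)
  cwe_ids(entry).join
end

# Hash shape a client would receive once the field is an array.
def to_hash(entry)
  { 'id' => entry.dig('cve', 'CVE_data_meta', 'ID'), 'cwe' => cwe_ids(entry) }
end

# Constructed sample modelled on the NVD feed layout; not copied from it.
SAMPLE_ENTRY = JSON.parse(<<~JSON)
  { "cve": {
      "CVE_data_meta": { "ID": "CVE-2016-2107" },
      "problemtype": { "problemtype_data": [
        { "description": [ { "lang": "en", "value": "CWE-310" },
                           { "lang": "en", "value": "CWE-200" } ] } ] } } }
JSON
```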