diff --git a/vulnerabilities/pipelines/apache_log4j_importer.py b/vulnerabilities/pipelines/apache_log4j_importer.py index 1b582f464..7d45725e0 100644 --- a/vulnerabilities/pipelines/apache_log4j_importer.py +++ b/vulnerabilities/pipelines/apache_log4j_importer.py @@ -19,11 +19,14 @@ from packageurl import PackageURL from univers.versions import MavenVersion +from vulnerabilities import severity_systems from vulnerabilities.importer import AdvisoryData from vulnerabilities.importer import AffectedPackage from vulnerabilities.importer import Reference +from vulnerabilities.importer import VulnerabilitySeverity from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipeline from vulnerabilities.utils import fetch_response +from vulnerabilities.utils import get_cwe_id logger = logging.getLogger(__name__) @@ -157,12 +160,30 @@ def _process_vulnerability(self, vulnerability) -> Iterable[AdvisoryData]: if vulnerability.published: published_str = str(vulnerability.published) date_published = parse(published_str).replace(tzinfo=pytz.UTC) + severities = [] + weaknesses = [] + for cwe in vulnerability.cwes: + cwe_id = cwe + weaknesses.append(get_cwe_id(f"CWE-{cwe_id}")) references = [ Reference(url=f"https://nvd.nist.gov/vuln/detail/{cve_id}", reference_id=cve_id), Reference(url=f"{self.ASF_PAGE_URL}#{cve_id}", reference_id=cve_id), ] + for rating in vulnerability.ratings: + cvssv3_score = str(rating.score) + cvssv3_vector = rating.vector + cvssv3_url = str(rating.source.url) + severities.append( + VulnerabilitySeverity( + system=severity_systems.CVSSV3, + value=cvssv3_score, + scoring_elements=cvssv3_vector, + ) + ) + references.append(Reference(url=cvssv3_url, severities=severities)) + fixed_versions = self._extract_fixed_versions(vulnerability.recommendation) affected_packages = self._get_affected_packages(vulnerability, fixed_versions) 
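Review bot: In the new `for rating in vulnerability.ratings:` loop, `system=severity_systems.CVSSV3` is hard-coded for every rating, and the committed fixture shows the consequence: the CVE-2017-5645 entry in parse-advisory-apache-log4j-expected.json (the `@@ -30,10 +30,24 @@` hunk) labels a CVSS v2 vector (`AV:N/AC:L/Au:N/C:P/I:P/A:P`, taken from a `v2-calculator…version=2.0` URL) as `cvssv3`, so any consumer that interprets scoring_elements per the declared system reads a wrong or unparseable vector. The rating itself should decide the system — if these are CycloneDX ratings they carry a scoring method/version, and failing that the `version=` query parameter in `rating.source.url` is the remaining signal — mapped to the matching `severity_systems` entry, with unknown methods skipped and logged rather than mislabelled. Separately, `references.append(Reference(url=cvssv3_url, severities=severities))` hands the one shared, still-growing list to every rating's Reference, so with two or more ratings each Reference aliases all severities instead of its own; build the severity once and pass `severities=[severity]` per rating. `cwe_id = cwe` is a redundant alias; the CWE loop reads better as `weaknesses = [get_cwe_id(f"CWE-{cwe}") for cwe in vulnerability.cwes]`. `_process_vulnerability` starts and ends outside the hunk.
```python
        for rating in vulnerability.ratings:
            score = str(rating.score)
            vector = rating.vector
            source_url = str(rating.source.url)
            # TODO(review): derive the system from the rating's own CVSS
            # version; a fixed CVSSV3 mislabels v2 vectors (see fixture).
            system = severity_systems.CVSSV3  # PLACEHOLDER: per-rating lookup goes here
            severity = VulnerabilitySeverity(
                system=system,
                value=score,
                scoring_elements=vector,
            )
            severities.append(severity)
            # One Reference per rating, carrying only that rating's severity.
            references.append(Reference(url=source_url, severities=[severity]))
        # … unchanged: fixed_versions / affected_packages …
```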
@@ -173,6 +194,7 @@ def _process_vulnerability(self, vulnerability) -> Iterable[AdvisoryData]: affected_packages=affected_packages, references=references, date_published=date_published, + weaknesses=weaknesses, url=f"{self.ASF_PAGE_URL}#{cve_id}", ) diff --git a/vulnerabilities/tests/test_data/apache_log4j/parse-advisory-apache-log4j-expected.json b/vulnerabilities/tests/test_data/apache_log4j/parse-advisory-apache-log4j-expected.json index a20e8402b..6bc58dfd0 100644 --- a/vulnerabilities/tests/test_data/apache_log4j/parse-advisory-apache-log4j-expected.json +++ b/vulnerabilities/tests/test_data/apache_log4j/parse-advisory-apache-log4j-expected.json @@ -30,10 +30,24 @@ "reference_type": "", "url": "https://logging.apache.org/security.html#CVE-2017-5645", "severities": [] + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:P)&version=2.0", + "severities": [ + { + "system": "cvssv3", + "value": "7.5", + "scoring_elements": "AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ] } ], "date_published": "2017-04-17T00:00:00+00:00", - "weaknesses": [], + "weaknesses": [ + 502 + ], "url": "https://logging.apache.org/security.html#CVE-2017-5645" }, { @@ -79,10 +93,24 @@ "reference_type": "", "url": "https://logging.apache.org/security.html#CVE-2020-9488", "severities": [] + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N&version=3.1", + "severities": [ + { + "system": "cvssv3", + "value": "3.7", + "scoring_elements": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ] } ], "date_published": "2017-04-27T00:00:00+00:00", - "weaknesses": [], + "weaknesses": [ + 295 + ], "url": "https://logging.apache.org/security.html#CVE-2020-9488" }, { 
@@ -140,10 +168,27 @@
 "reference_type": "",
 "url": "https://logging.apache.org/security.html#CVE-2021-44228",
 "severities": []
+ },
+ {
+ "reference_id": "",
+ "reference_type": "",
+ "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H&version=3.1",
+ "severities": [
+ {
+ "system": "cvssv3",
+ "value": "10.0",
+ "scoring_elements": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
+ }
+ ]
 }
 ],
 "date_published": "2021-12-10T00:00:00+00:00",
- "weaknesses": [],
+ "weaknesses": [
+ 20,
+ 400,
+ 502,
+ 917
+ ],
 "url": "https://logging.apache.org/security.html#CVE-2021-44228"
 },
 {
@@ -201,10 +246,25 @@
 "reference_type": "",
 "url": "https://logging.apache.org/security.html#CVE-2021-44832",
 "severities": []
+ },
+ {
+ "reference_id": "",
+ "reference_type": "",
+ "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H&version=3.1",
+ "severities": [
+ {
+ "system": "cvssv3",
+ "value": "6.6",
+ "scoring_elements": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ]
 }
 ],
 "date_published": "2021-12-28T00:00:00+00:00",
- "weaknesses": [],
+ "weaknesses": [
+ 20,
+ 74
+ ],
 "url": "https://logging.apache.org/security.html#CVE-2021-44832"
 },
 {
@@ -262,10 +322,24 @@
 "reference_type": "",
 "url": "https://logging.apache.org/security.html#CVE-2021-45046",
 "severities": []
+ },
+ {
+ "reference_id": "",
+ "reference_type": "",
+ "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H&version=3.1",
+ "severities": [
+ {
+ "system": "cvssv3",
+ "value": "9.0",
+ "scoring_elements": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
+ }
+ ]
 }
 ],
 "date_published": "2021-12-14T00:00:00+00:00",
- "weaknesses": [],
+ "weaknesses": [
+ 917
+ ],
 "url": "https://logging.apache.org/security.html#CVE-2021-45046"
 },
 {
@@ -323,10 +397,25 @@
 "reference_type": "",
 "url": "https://logging.apache.org/security.html#CVE-2021-45105",
 "severities": []
+ },
+ {
+ "reference_id": "",
+ "reference_type": "",
+ "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1",
+ "severities": [
+ {
+ "system": "cvssv3",
+ "value": "5.9",
+ "scoring_elements": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ]
 }
 ],
 "date_published": "2021-12-18T00:00:00+00:00",
- "weaknesses": [],
+ "weaknesses": [
+ 20,
+ 674
+ ],
 "url": "https://logging.apache.org/security.html#CVE-2021-45105"
 }
 ]
\ No newline at end of file