[Marketplace Contribution] VulnDB - Content Pack Update #38727
Conversation
content-bot
added
Contribution
content-bot
changed the base branch from
master
to
contrib/xsoar-contrib_nelsandr-cigna-contrib-VulnDB
|
Thank you for your contribution. Your generosity and caring are unrivaled! Rest assured - our content wizard @sapirshuker will very shortly look over your proposed changes. |
|
Thanks for contributing to the XSOAR marketplace. To receive credit for your generous contribution, please ask the reviewer to update your information in the pack contributors file. See more information here link |
content-bot
added
the
Contribution Form Filled
Contribution Pack ResubmittedContributor: @nelsandr-cigna |
sapirshuker
added
the
ready-for-instance-test
There was a problem hiding this comment.
Hey, Good job! Thank you for your contribution, please see my comments.
In addition, please note I updated the release notes for you, please let me know if I missed something regrading the functionally you added in order to update the release notes. Also, I added some section headers since you can not change it from the UI.
Please feel free to reach out to me with any questions - I'm available here or on slack :)
You can add the fixes / changes by using the resubmit option resubmit-a-content-pack, or by using GitHub Codespaces - GitHub Codespaces documentation.
Thanks again!
| name: vuln_id | ||
| required: true | ||
| description: Returns the PDF report for a vulnerability as generated by VulnDB. | ||
| name: vulndb-get-vuln-report-by-vuln-id |
There was a problem hiding this comment.
Since the return value is a report please follow the following conventions
| # Parse out the filename from this return | ||
| report_file_name = res.headers.get('content-disposition').split(';')[1].split('"')[1] | ||
|
|
||
| return_results(fileResult(report_file_name, report_file)) |
There was a problem hiding this comment.
Since the return value is a report please follow the following conventions
| report_file = res.content | ||
|
|
||
| # 'content-disposition' comes back in the following format: | ||
| # attachment; filename="VulnDB ID 389586.pdf"; filename*=UTF-8''VulnDB%20ID%20389586.pdf |
There was a problem hiding this comment.
Make sure there is no sensitive information here or replace any sensitive information with dummy values.
There was a problem hiding this comment.
Confirmed that is not sensitive/internal information. VulnDB is built around those integer IDs, any VulnDB customer could see the same report ID.
| res = client.http_file_request(f'/vulnerabilities/{vulndb_id}.pdf') | ||
|
|
||
| # Byte data of the result file | ||
| report_file = res.content |
There was a problem hiding this comment.
What happens if an incorrect vuln_id is used?
There was a problem hiding this comment.
The user receives the following error
Failed to execute vulndb-get-vuln-report-by-vuln-id command. Error: Error in API call [406] - Not Acceptable
This is similar to the existing behaivor for the vulndb-get-vuln-by-id command which returns
Failed to execute vulndb-get-vuln-by-id command. Error: Error in API call [404] - Not Found
{"error_id": 6151795, "error": "Unable to find a vulnerability with id 1234132432932928"}```
| description: Returns the CPE(s) for a vulnerability, by VulnDB ID. | ||
| name: vulndb-get-cpe-by-vuln-id | ||
| outputs: | ||
| - contextPath: VulnDB.CPE |
There was a problem hiding this comment.
Context outputs should be in the form Product.Entity.Something.
Let's add the Entity. Maybe we can change it to ?
VulnDB.Vulnerability.CPE
| @@ -60,6 +69,7 @@ def vulndb_vulnerability_to_entry(vuln): | |||
| 'SolutionDate': vuln.get('solution_date', '').rstrip('Z'), | |||
| 'DiscoveryDate': vuln.get('disclosure_date', '').rstrip('Z'), | |||
| 'ExploitPublishDate': vuln.get('exploit_publish_date', '').rstrip('Z'), | |||
| 'TechnicalDescription': vuln.get('t_description', '') | |||
There was a problem hiding this comment.
I don't see that the changes you made are relevant to this function. I would appreciate an explanation of the significance of adding these items. If you can include relevant references, I would be grateful.
There was a problem hiding this comment.
The technical description fields includes information that has been added after the initial creation of the vuln in VulnDB. This contextual information is useful for an analyst trying to determine the risk the vulnerability represents.
|
|
||
| timeline_details = { | ||
| 'DiscoveryDate': vuln.get('discovery_date', '').rstrip('Z'), | ||
| 'DisclosureDate': vuln.get('disclosure_date', '').rstrip('Z'), |
There was a problem hiding this comment.
I don't see that the changes you made are relevant to this function. I would appreciate an explanation of the significance of adding these items. If you can include relevant references, I would be grateful.
There was a problem hiding this comment.
The timeline details are the data present in this section of a VulnDB vulnerability. These are useful when determining the risk a vulnerability presents to your org by letting you know how long a vuln has been public, if/when it was exploited, whether the vendor has acknowledged the vuln, etc.
| @@ -2,7 +2,7 @@ | |||
| "name": "VulnDB", | |||
| "description": "Lists all of the security vulnerabilities for various products (OS,Applications) etc)", | |||
| "support": "xsoar", | |||
| "currentVersion": "1.0.12", | |||
There was a problem hiding this comment.
Let's change the version revision (to 1.0.13) to according to the docs
| name: vulndb-get-vuln-report-by-vuln-id | ||
| - arguments: | ||
| - description: VulnDB vulnerability ID. | ||
| name: vuln_id |
There was a problem hiding this comment.
Do we have a way to retrieve the vuln_id with a command? Is there a command we can add to fetch the id?
There was a problem hiding this comment.
There are several existing commands that allow the user to fetch a vuln_id including vulndb-get-vuln-by-product-id, vulndb-get-vuln-by-vendor-and-product-id, vulndb-get-vuln-by-vendor-and-product-name,vulndb-get-vuln-by-vendor-id and lastly, my new command vulndb-get-vuln-by-cve-id
| def vulndb_get_cpe_command(args: dict, client: Client): | ||
| vulndb_id = args['vuln_id'] | ||
|
|
||
| res = client.http_request(f'/vulnerabilities/{vulndb_id}?show_cpe=true') |
There was a problem hiding this comment.
Is this filter (show_cpe=true) customized or do all users have the same? I couldn't find it in the product documentation.
There was a problem hiding this comment.
That param is built into VulnDB's API (https://vulndb.flashpoint.io/documentation/api). There is a section "Pulling Vulnerability Information", that shows optional params including "show_cpe=true".
sapirshuker
added
pending-contributor
|
For the Reviewer: Trigger build request has been accepted for this contribution PR. |
|
For the Reviewer: Successfully created a pipeline in GitLab with url: https://gitlab.xdr.pan.local/xdr/cortex-content/content/-/pipelines/2552889 |
content-bot
removed
the
ready-for-instance-test
xsoar-bot
force-pushed
the
nelsandr-cigna-contrib-VulnDB
branch
from
3124a20 to
85ddffd
Compare
Contribution Pack ResubmittedContributor: @nelsandr-cigna |
|
Hey @nelsandr-cigna |
|
|
Status
Contributor
@nelsandr-cigna
Auto-Generated Documentation Requiring Modification
Video Link
Short demo video of the Pack usage. Speeds up the review. Optional but recommended. Use a video sharing service such as Google Drive or YouTube.