2019-07-10 15:20:22 +02:00
|
|
|
import json
|
|
|
|
import requests
|
2020-07-28 11:47:53 +02:00
|
|
|
from . import check_input_attribute, standard_error_message
|
|
|
|
from collections import defaultdict
|
|
|
|
from pymisp import MISPEvent, MISPObject
|
2019-07-10 15:20:22 +02:00
|
|
|
|
|
|
|
misperrors = {'error': 'Error'}
|
|
|
|
mispattributes = {'input': ['vulnerability'], 'format': 'misp_standard'}
|
2019-07-30 09:55:36 +02:00
|
|
|
moduleinfo = {'version': '1', 'author': 'Christian Studer',
|
|
|
|
'description': 'An expansion module to enrich a CVE attribute with the vulnerability information.',
|
|
|
|
'module-type': ['expansion', 'hover']}
|
2019-09-16 14:19:20 +02:00
|
|
|
moduleconfig = ["custom_API"]
|
2019-07-10 15:20:22 +02:00
|
|
|
cveapi_url = 'https://cve.circl.lu/api/cve/'
|
|
|
|
|
|
|
|
|
|
|
|
class VulnerabilityParser():
|
2019-09-16 14:19:20 +02:00
|
|
|
def __init__(self, attribute, vulnerability, api_url):
|
2019-08-02 15:35:33 +02:00
|
|
|
self.attribute = attribute
|
2019-07-10 15:20:22 +02:00
|
|
|
self.vulnerability = vulnerability
|
2019-09-16 14:19:20 +02:00
|
|
|
self.api_url = api_url
|
2019-07-10 15:20:22 +02:00
|
|
|
self.misp_event = MISPEvent()
|
2019-08-02 15:35:33 +02:00
|
|
|
self.misp_event.add_attribute(**attribute)
|
2019-08-01 14:55:53 +02:00
|
|
|
self.references = defaultdict(list)
|
2019-08-01 15:21:18 +02:00
|
|
|
self.capec_features = ('id', 'name', 'summary', 'prerequisites', 'solutions')
|
2019-07-10 15:20:22 +02:00
|
|
|
self.vulnerability_mapping = {
|
2022-07-28 14:41:32 +02:00
|
|
|
'id': 'id', 'summary': 'summary',
|
|
|
|
'vulnerable_configuration': 'vulnerable-configuration',
|
|
|
|
'vulnerable_configuration_cpe_2_2': 'vulnerable-configuration',
|
|
|
|
'Modified': 'modified', 'Published': 'published',
|
|
|
|
'references': 'references', 'cvss': 'cvss-score'}
|
2019-08-01 14:55:53 +02:00
|
|
|
self.weakness_mapping = {'name': 'name', 'description_summary': 'description',
|
|
|
|
'status': 'status', 'weaknessabs': 'weakness-abs'}
|
2019-07-10 15:20:22 +02:00
|
|
|
|
|
|
|
def get_result(self):
|
2019-08-01 15:37:10 +02:00
|
|
|
if self.references:
|
|
|
|
self.__build_references()
|
2019-08-05 11:33:04 +02:00
|
|
|
event = json.loads(self.misp_event.to_json())
|
2019-07-10 15:20:22 +02:00
|
|
|
results = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])}
|
|
|
|
return {'results': results}
|
|
|
|
|
|
|
|
def parse_vulnerability_information(self):
|
|
|
|
vulnerability_object = MISPObject('vulnerability')
|
|
|
|
for feature in ('id', 'summary', 'Modified', 'cvss'):
|
|
|
|
value = self.vulnerability.get(feature)
|
|
|
|
if value:
|
2022-07-28 14:41:32 +02:00
|
|
|
vulnerability_object.add_attribute(self.vulnerability_mapping[feature], value)
|
2019-07-10 15:20:22 +02:00
|
|
|
if 'Published' in self.vulnerability:
|
2022-07-28 14:41:32 +02:00
|
|
|
vulnerability_object.add_attribute('published', self.vulnerability['Published'])
|
|
|
|
vulnerability_object.add_attribute('state', 'Published')
|
2019-10-23 11:55:36 +02:00
|
|
|
for feature in ('references', 'vulnerable_configuration', 'vulnerable_configuration_cpe_2_2'):
|
2019-07-10 15:20:22 +02:00
|
|
|
if feature in self.vulnerability:
|
2022-07-28 14:41:32 +02:00
|
|
|
relation = self.vulnerability_mapping[feature]
|
2019-07-10 15:20:22 +02:00
|
|
|
for value in self.vulnerability[feature]:
|
2019-10-23 11:55:36 +02:00
|
|
|
if isinstance(value, dict):
|
|
|
|
value = value['title']
|
2022-07-28 14:41:32 +02:00
|
|
|
vulnerability_object.add_attribute(relation, value)
|
2019-08-02 15:35:33 +02:00
|
|
|
vulnerability_object.add_reference(self.attribute['uuid'], 'related-to')
|
2020-10-01 22:44:39 +02:00
|
|
|
self.misp_event.add_object(vulnerability_object)
|
2019-10-23 11:55:36 +02:00
|
|
|
if 'cwe' in self.vulnerability and self.vulnerability['cwe'] not in ('Unknown', 'NVD-CWE-noinfo'):
|
2019-08-01 15:21:18 +02:00
|
|
|
self.__parse_weakness(vulnerability_object.uuid)
|
|
|
|
if 'capec' in self.vulnerability:
|
|
|
|
self.__parse_capec(vulnerability_object.uuid)
|
2019-08-01 14:55:53 +02:00
|
|
|
|
2019-08-01 15:37:10 +02:00
|
|
|
def __build_references(self):
|
|
|
|
for object_uuid, references in self.references.items():
|
|
|
|
for misp_object in self.misp_event.objects:
|
|
|
|
if misp_object.uuid == object_uuid:
|
|
|
|
for reference in references:
|
|
|
|
misp_object.add_reference(**reference)
|
|
|
|
break
|
|
|
|
|
2019-08-01 15:21:18 +02:00
|
|
|
def __parse_capec(self, vulnerability_uuid):
|
|
|
|
for capec in self.vulnerability['capec']:
|
2019-08-02 10:10:44 +02:00
|
|
|
capec_object = MISPObject('attack-pattern')
|
2019-08-01 15:21:18 +02:00
|
|
|
for feature in self.capec_features:
|
2022-07-28 14:41:32 +02:00
|
|
|
capec_object.add_attribute(feature, capec[feature])
|
2019-08-01 15:21:18 +02:00
|
|
|
for related_weakness in capec['related_weakness']:
|
2022-07-28 14:41:32 +02:00
|
|
|
capec_object.add_attribute('related-weakness', f"CWE-{related_weakness}")
|
2020-10-01 22:44:39 +02:00
|
|
|
self.misp_event.add_object(capec_object)
|
2020-10-22 23:25:20 +02:00
|
|
|
self.references[vulnerability_uuid].append(
|
|
|
|
{
|
|
|
|
'referenced_uuid': capec_object.uuid,
|
|
|
|
'relationship_type': 'targeted-by'
|
|
|
|
}
|
|
|
|
)
|
2019-08-01 15:21:18 +02:00
|
|
|
|
|
|
|
def __parse_weakness(self, vulnerability_uuid):
|
2021-04-08 19:14:13 +02:00
|
|
|
cwe_string, cwe_id = self.vulnerability['cwe'].split('-')[:2]
|
2019-09-16 14:19:20 +02:00
|
|
|
cwes = requests.get(self.api_url.replace('/cve/', '/cwe'))
|
2019-08-01 14:55:53 +02:00
|
|
|
if cwes.status_code == 200:
|
|
|
|
for cwe in cwes.json():
|
|
|
|
if cwe['id'] == cwe_id:
|
|
|
|
weakness_object = MISPObject('weakness')
|
2022-07-28 14:41:32 +02:00
|
|
|
weakness_object.add_attribute('id', f'{cwe_string}-{cwe_id}')
|
2019-08-01 14:55:53 +02:00
|
|
|
for feature, relation in self.weakness_mapping.items():
|
|
|
|
if cwe.get(feature):
|
2022-07-28 14:41:32 +02:00
|
|
|
weakness_object.add_attribute(relation, cwe[feature])
|
2020-10-01 22:44:39 +02:00
|
|
|
self.misp_event.add_object(weakness_object)
|
2020-10-22 23:25:20 +02:00
|
|
|
self.references[vulnerability_uuid].append(
|
|
|
|
{
|
|
|
|
'referenced_uuid': weakness_object.uuid,
|
|
|
|
'relationship_type': 'weakened-by'
|
|
|
|
}
|
|
|
|
)
|
2019-08-01 14:55:53 +02:00
|
|
|
break
|
2019-07-10 15:20:22 +02:00
|
|
|
|
|
|
|
|
2019-09-16 14:19:20 +02:00
|
|
|
def check_url(url):
|
|
|
|
return "{}/".format(url) if not url.endswith('/') else url
|
|
|
|
|
|
|
|
|
2019-07-10 15:20:22 +02:00
|
|
|
def handler(q=False):
|
|
|
|
if q is False:
|
|
|
|
return False
|
|
|
|
request = json.loads(q)
|
2020-07-28 11:47:53 +02:00
|
|
|
if not request.get('attribute') or not check_input_attribute(request['attribute']):
|
|
|
|
return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'}
|
2020-07-28 15:06:25 +02:00
|
|
|
attribute = request['attribute']
|
2019-07-10 15:20:22 +02:00
|
|
|
if attribute.get('type') != 'vulnerability':
|
|
|
|
misperrors['error'] = 'Vulnerability id missing.'
|
|
|
|
return misperrors
|
2019-09-16 14:19:20 +02:00
|
|
|
api_url = check_url(request['config']['custom_API']) if request['config'].get('custom_API') else cveapi_url
|
|
|
|
r = requests.get("{}{}".format(api_url, attribute['value']))
|
2019-07-10 15:20:22 +02:00
|
|
|
if r.status_code == 200:
|
|
|
|
vulnerability = r.json()
|
|
|
|
if not vulnerability:
|
|
|
|
misperrors['error'] = 'Non existing CVE'
|
|
|
|
return misperrors['error']
|
|
|
|
else:
|
2019-09-17 10:42:29 +02:00
|
|
|
misperrors['error'] = 'API not accessible'
|
2019-07-10 15:20:22 +02:00
|
|
|
return misperrors['error']
|
2019-09-16 14:19:20 +02:00
|
|
|
parser = VulnerabilityParser(attribute, vulnerability, api_url)
|
2019-07-10 15:20:22 +02:00
|
|
|
parser.parse_vulnerability_information()
|
|
|
|
return parser.get_result()
|
|
|
|
|
|
|
|
|
|
|
|
def introspection():
|
|
|
|
return mispattributes
|
|
|
|
|
|
|
|
|
|
|
|
def version():
|
|
|
|
moduleinfo['config'] = moduleconfig
|
|
|
|
return moduleinfo
|