misp-modules/misp_modules/modules/expansion/cve_advanced.py

from collections import defaultdict
from pymisp import MISPEvent, MISPObject
import json
import requests

misperrors = {'error': 'Error'}
mispattributes = {'input': ['vulnerability'], 'format': 'misp_standard'}
moduleinfo = {'version': '1', 'author': 'Christian Studer',
              'description': 'An expansion module to enrich a CVE attribute with the vulnerability information.',
              'module-type': ['expansion', 'hover']}
moduleconfig = ["custom_API"]
cveapi_url = 'https://cve.circl.lu/api/cve/'


class VulnerabilityParser():
    def __init__(self, attribute, vulnerability, api_url):
        self.attribute = attribute
        self.vulnerability = vulnerability
        self.api_url = api_url
        self.misp_event = MISPEvent()
        self.misp_event.add_attribute(**attribute)
        self.references = defaultdict(list)
        self.capec_features = ('id', 'name', 'summary', 'prerequisites', 'solutions')
        self.vulnerability_mapping = {
            'id': ('text', 'id'), 'summary': ('text', 'summary'),
            'vulnerable_configuration': ('text', 'vulnerable_configuration'),
            'vulnerable_configuration_cpe_2_2': ('text', 'vulnerable_configuration'),
            'Modified': ('datetime', 'modified'), 'Published': ('datetime', 'published'),
            'references': ('link', 'references'), 'cvss': ('float', 'cvss-score')}
        self.weakness_mapping = {'name': 'name', 'description_summary': 'description',
                                 'status': 'status', 'weaknessabs': 'weakness-abs'}

    def get_result(self):
        if self.references:
            self.__build_references()
        event = json.loads(self.misp_event.to_json())
        results = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])}
        return {'results': results}

    def parse_vulnerability_information(self):
        vulnerability_object = MISPObject('vulnerability')
        for feature in ('id', 'summary', 'Modified', 'cvss'):
            value = self.vulnerability.get(feature)
            if value:
                attribute_type, relation = self.vulnerability_mapping[feature]
                vulnerability_object.add_attribute(relation, **{'type': attribute_type, 'value': value})
        if 'Published' in self.vulnerability:
            vulnerability_object.add_attribute('published', **{'type': 'datetime', 'value': self.vulnerability['Published']})
            vulnerability_object.add_attribute('state', **{'type': 'text', 'value': 'Published'})
        for feature in ('references', 'vulnerable_configuration', 'vulnerable_configuration_cpe_2_2'):
            if feature in self.vulnerability:
                attribute_type, relation = self.vulnerability_mapping[feature]
                for value in self.vulnerability[feature]:
                    if isinstance(value, dict):
                        value = value['title']
                    vulnerability_object.add_attribute(relation, **{'type': attribute_type, 'value': value})
        vulnerability_object.add_reference(self.attribute['uuid'], 'related-to')
        self.misp_event.add_object(**vulnerability_object)
        if 'cwe' in self.vulnerability and self.vulnerability['cwe'] not in ('Unknown', 'NVD-CWE-noinfo'):
            self.__parse_weakness(vulnerability_object.uuid)
        if 'capec' in self.vulnerability:
            self.__parse_capec(vulnerability_object.uuid)

    def __build_references(self):
        for object_uuid, references in self.references.items():
            for misp_object in self.misp_event.objects:
                if misp_object.uuid == object_uuid:
                    for reference in references:
                        misp_object.add_reference(**reference)
                    break

    def __parse_capec(self, vulnerability_uuid):
        attribute_type = 'text'
        for capec in self.vulnerability['capec']:
            capec_object = MISPObject('attack-pattern')
            for feature in self.capec_features:
                capec_object.add_attribute(feature, **dict(type=attribute_type, value=capec[feature]))
            for related_weakness in capec['related_weakness']:
                attribute = dict(type='weakness', value="CWE-{}".format(related_weakness))
                capec_object.add_attribute('related-weakness', **attribute)
            self.misp_event.add_object(**capec_object)
            self.references[vulnerability_uuid].append(dict(referenced_uuid=capec_object.uuid,
                                                            relationship_type='targeted-by'))

    def __parse_weakness(self, vulnerability_uuid):
        attribute_type = 'text'
        cwe_string, cwe_id = self.vulnerability['cwe'].split('-')
        cwes = requests.get(self.api_url.replace('/cve/', '/cwe'))
        if cwes.status_code == 200:
            for cwe in cwes.json():
                if cwe['id'] == cwe_id:
                    weakness_object = MISPObject('weakness')
                    weakness_object.add_attribute('id', **dict(type=attribute_type, value='-'.join([cwe_string, cwe_id])))
                    for feature, relation in self.weakness_mapping.items():
                        if cwe.get(feature):
                            weakness_object.add_attribute(relation, **dict(type=attribute_type, value=cwe[feature]))
                    self.misp_event.add_object(**weakness_object)
                    self.references[vulnerability_uuid].append(dict(referenced_uuid=weakness_object.uuid,
                                                                    relationship_type='weakened-by'))
                    break


def check_url(url):
    return "{}/".format(url) if not url.endswith('/') else url


def handler(q=False):
    if q is False:
        return False
    request = json.loads(q)
    attribute = request.get('attribute')
    if attribute.get('type') != 'vulnerability':
        misperrors['error'] = 'Vulnerability id missing.'
        return misperrors
    api_url = check_url(request['config']['custom_API']) if request['config'].get('custom_API') else cveapi_url
    r = requests.get("{}{}".format(api_url, attribute['value']))
    if r.status_code == 200:
        vulnerability = r.json()
        if not vulnerability:
            misperrors['error'] = 'Non existing CVE'
            return misperrors['error']
    else:
        misperrors['error'] = 'API not accessible'
        return misperrors['error']
    parser = VulnerabilityParser(attribute, vulnerability, api_url)
    parser.parse_vulnerability_information()
    return parser.get_result()


def introspection():
    return mispattributes


def version():
    moduleinfo['config'] = moduleconfig
    return moduleinfo
add: Making vulnerability object reference to its related capec & cwe objects 2019-08-01 15:37:10 +02:00			`from collections import defaultdict`
fix: Making pep8 happy 2019-07-10 15:29:31 +02:00			`from pymisp import MISPEvent, MISPObject`
new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00			`import json`
			`import requests`

			`misperrors = {'error': 'Error'}`
			`mispattributes = {'input': ['vulnerability'], 'format': 'misp_standard'}`
fix: Fixed cvss-score object relation name 2019-07-30 09:55:36 +02:00			`moduleinfo = {'version': '1', 'author': 'Christian Studer',`
			`'description': 'An expansion module to enrich a CVE attribute with the vulnerability information.',`
			`'module-type': ['expansion', 'hover']}`
add: New parameter to specify a custom CVE API to query - Any API specified here must return the same format as the CIRCL CVE search one in order to be supported by the parsing functions, and ideally provide response to the same kind of requests (so the CWE search works as well) 2019-09-16 14:19:20 +02:00			`moduleconfig = ["custom_API"]`
new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00			`cveapi_url = 'https://cve.circl.lu/api/cve/'`


			`class VulnerabilityParser():`
add: New parameter to specify a custom CVE API to query - Any API specified here must return the same format as the CIRCL CVE search one in order to be supported by the parsing functions, and ideally provide response to the same kind of requests (so the CWE search works as well) 2019-09-16 14:19:20 +02:00			`def __init__(self, attribute, vulnerability, api_url):`
add: Added initial event to reference it from the vulnerability object created out of it 2019-08-02 15:35:33 +02:00			`self.attribute = attribute`
new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00			`self.vulnerability = vulnerability`
add: New parameter to specify a custom CVE API to query - Any API specified here must return the same format as the CIRCL CVE search one in order to be supported by the parsing functions, and ideally provide response to the same kind of requests (so the CWE search works as well) 2019-09-16 14:19:20 +02:00			`self.api_url = api_url`
new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00			`self.misp_event = MISPEvent()`
add: Added initial event to reference it from the vulnerability object created out of it 2019-08-02 15:35:33 +02:00			`self.misp_event.add_attribute(**attribute)`
add: Parsing CWE related to the CVE 2019-08-01 14:55:53 +02:00			`self.references = defaultdict(list)`
add: Parsing CAPEC information related to the CVE 2019-08-01 15:21:18 +02:00			`self.capec_features = ('id', 'name', 'summary', 'prerequisites', 'solutions')`
new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00			`self.vulnerability_mapping = {`
			`'id': ('text', 'id'), 'summary': ('text', 'summary'),`
fix: Updates following the latest CVE-search version - Support of the new vulnerable configuration field for CPE version > 2.2 - Support of different 'unknown CWE' message 2019-10-23 11:55:36 +02:00			`'vulnerable_configuration': ('text', 'vulnerable_configuration'),`
new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00			`'vulnerable_configuration_cpe_2_2': ('text', 'vulnerable_configuration'),`
			`'Modified': ('datetime', 'modified'), 'Published': ('datetime', 'published'),`
fix: Fixed cvss-score object relation name 2019-07-30 09:55:36 +02:00			`'references': ('link', 'references'), 'cvss': ('float', 'cvss-score')}`
add: Parsing CWE related to the CVE 2019-08-01 14:55:53 +02:00			`self.weakness_mapping = {'name': 'name', 'description_summary': 'description',`
			`'status': 'status', 'weaknessabs': 'weakness-abs'}`
new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00
			`def get_result(self):`
add: Making vulnerability object reference to its related capec & cwe objects 2019-08-01 15:37:10 +02:00			`if self.references:`
			`self.__build_references()`
fix: Fixed unnecessary dictionary field call - No longer necessary to go under 'Event' field since PyMISP does not contain it since the latest update 2019-08-05 11:33:04 +02:00			`event = json.loads(self.misp_event.to_json())`
new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00			`results = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])}`
			`return {'results': results}`

			`def parse_vulnerability_information(self):`
			`vulnerability_object = MISPObject('vulnerability')`
			`for feature in ('id', 'summary', 'Modified', 'cvss'):`
			`value = self.vulnerability.get(feature)`
			`if value:`
			`attribute_type, relation = self.vulnerability_mapping[feature]`
			`vulnerability_object.add_attribute(relation, **{'type': attribute_type, 'value': value})`
			`if 'Published' in self.vulnerability:`
			`vulnerability_object.add_attribute('published', **{'type': 'datetime', 'value': self.vulnerability['Published']})`
			`vulnerability_object.add_attribute('state', **{'type': 'text', 'value': 'Published'})`
fix: Updates following the latest CVE-search version - Support of the new vulnerable configuration field for CPE version > 2.2 - Support of different 'unknown CWE' message 2019-10-23 11:55:36 +02:00			`for feature in ('references', 'vulnerable_configuration', 'vulnerable_configuration_cpe_2_2'):`
new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00			`if feature in self.vulnerability:`
			`attribute_type, relation = self.vulnerability_mapping[feature]`
			`for value in self.vulnerability[feature]:`
fix: Updates following the latest CVE-search version - Support of the new vulnerable configuration field for CPE version > 2.2 - Support of different 'unknown CWE' message 2019-10-23 11:55:36 +02:00			`if isinstance(value, dict):`
			`value = value['title']`
new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00			`vulnerability_object.add_attribute(relation, **{'type': attribute_type, 'value': value})`
add: Added initial event to reference it from the vulnerability object created out of it 2019-08-02 15:35:33 +02:00			`vulnerability_object.add_reference(self.attribute['uuid'], 'related-to')`
new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00			`self.misp_event.add_object(**vulnerability_object)`
fix: Updates following the latest CVE-search version - Support of the new vulnerable configuration field for CPE version > 2.2 - Support of different 'unknown CWE' message 2019-10-23 11:55:36 +02:00			`if 'cwe' in self.vulnerability and self.vulnerability['cwe'] not in ('Unknown', 'NVD-CWE-noinfo'):`
add: Parsing CAPEC information related to the CVE 2019-08-01 15:21:18 +02:00			`self.__parse_weakness(vulnerability_object.uuid)`
			`if 'capec' in self.vulnerability:`
			`self.__parse_capec(vulnerability_object.uuid)`
add: Parsing CWE related to the CVE 2019-08-01 14:55:53 +02:00
add: Making vulnerability object reference to its related capec & cwe objects 2019-08-01 15:37:10 +02:00			`def __build_references(self):`
			`for object_uuid, references in self.references.items():`
			`for misp_object in self.misp_event.objects:`
			`if misp_object.uuid == object_uuid:`
			`for reference in references:`
			`misp_object.add_reference(**reference)`
			`break`

add: Parsing CAPEC information related to the CVE 2019-08-01 15:21:18 +02:00			`def __parse_capec(self, vulnerability_uuid):`
			`attribute_type = 'text'`
			`for capec in self.vulnerability['capec']:`
fix: Using the attack-pattern object template (copy-paste typo) 2019-08-02 10:10:44 +02:00			`capec_object = MISPObject('attack-pattern')`
add: Parsing CAPEC information related to the CVE 2019-08-01 15:21:18 +02:00			`for feature in self.capec_features:`
			`capec_object.add_attribute(feature, **dict(type=attribute_type, value=capec[feature]))`
			`for related_weakness in capec['related_weakness']:`
			`attribute = dict(type='weakness', value="CWE-{}".format(related_weakness))`
			`capec_object.add_attribute('related-weakness', **attribute)`
			`self.misp_event.add_object(**capec_object)`
add: Making vulnerability object reference to its related capec & cwe objects 2019-08-01 15:37:10 +02:00			`self.references[vulnerability_uuid].append(dict(referenced_uuid=capec_object.uuid,`
			`relationship_type='targeted-by'))`
add: Parsing CAPEC information related to the CVE 2019-08-01 15:21:18 +02:00
			`def __parse_weakness(self, vulnerability_uuid):`
add: Parsing CWE related to the CVE 2019-08-01 14:55:53 +02:00			`attribute_type = 'text'`
fix: Making pep8 happy 2019-08-01 17:17:16 +02:00			`cwe_string, cwe_id = self.vulnerability['cwe'].split('-')`
add: New parameter to specify a custom CVE API to query - Any API specified here must return the same format as the CIRCL CVE search one in order to be supported by the parsing functions, and ideally provide response to the same kind of requests (so the CWE search works as well) 2019-09-16 14:19:20 +02:00			`cwes = requests.get(self.api_url.replace('/cve/', '/cwe'))`
add: Parsing CWE related to the CVE 2019-08-01 14:55:53 +02:00			`if cwes.status_code == 200:`
			`for cwe in cwes.json():`
			`if cwe['id'] == cwe_id:`
			`weakness_object = MISPObject('weakness')`
			`weakness_object.add_attribute('id', **dict(type=attribute_type, value='-'.join([cwe_string, cwe_id])))`
			`for feature, relation in self.weakness_mapping.items():`
			`if cwe.get(feature):`
			`weakness_object.add_attribute(relation, **dict(type=attribute_type, value=cwe[feature]))`
			`self.misp_event.add_object(**weakness_object)`
add: Making vulnerability object reference to its related capec & cwe objects 2019-08-01 15:37:10 +02:00			`self.references[vulnerability_uuid].append(dict(referenced_uuid=weakness_object.uuid,`
			`relationship_type='weakened-by'))`
add: Parsing CWE related to the CVE 2019-08-01 14:55:53 +02:00			`break`
new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00

add: New parameter to specify a custom CVE API to query - Any API specified here must return the same format as the CIRCL CVE search one in order to be supported by the parsing functions, and ideally provide response to the same kind of requests (so the CWE search works as well) 2019-09-16 14:19:20 +02:00			`def check_url(url):`
			`return "{}/".format(url) if not url.endswith('/') else url`


new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00			`def handler(q=False):`
			`if q is False:`
			`return False`
			`request = json.loads(q)`
			`attribute = request.get('attribute')`
			`if attribute.get('type') != 'vulnerability':`
			`misperrors['error'] = 'Vulnerability id missing.'`
			`return misperrors`
add: New parameter to specify a custom CVE API to query - Any API specified here must return the same format as the CIRCL CVE search one in order to be supported by the parsing functions, and ideally provide response to the same kind of requests (so the CWE search works as well) 2019-09-16 14:19:20 +02:00			`api_url = check_url(request['config']['custom_API']) if request['config'].get('custom_API') else cveapi_url`
			`r = requests.get("{}{}".format(api_url, attribute['value']))`
new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00			`if r.status_code == 200:`
			`vulnerability = r.json()`
			`if not vulnerability:`
			`misperrors['error'] = 'Non existing CVE'`
			`return misperrors['error']`
			`else:`
Cleaning the error message The original message can be confusing is the user change to is own API. 2019-09-17 10:42:29 +02:00			`misperrors['error'] = 'API not accessible'`
new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00			`return misperrors['error']`
add: New parameter to specify a custom CVE API to query - Any API specified here must return the same format as the CIRCL CVE search one in order to be supported by the parsing functions, and ideally provide response to the same kind of requests (so the CWE search works as well) 2019-09-16 14:19:20 +02:00			`parser = VulnerabilityParser(attribute, vulnerability, api_url)`
new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00			`parser.parse_vulnerability_information()`
			`return parser.get_result()`


			`def introspection():`
			`return mispattributes`


			`def version():`
			`moduleinfo['config'] = moduleconfig`
			`return moduleinfo`