misp-modules/misp_modules/modules/expansion/cve_advanced.py

import json
import requests
from . import check_input_attribute, standard_error_message
from collections import defaultdict
from pymisp import MISPAttribute, MISPEvent, MISPObject

misperrors = {'error': 'Error'}
mispattributes = {'input': ['vulnerability'], 'format': 'misp_standard'}
moduleinfo = {
    'version': '2',
    'author': 'Christian Studer',
    'description': 'An expansion module to query the CIRCL CVE search API for more information about a vulnerability (CVE).',
    'module-type': ['expansion', 'hover'],
    'name': 'CVE Advanced Lookup',
    'logo': 'cve.png',
    'requirements': [],
    'features': 'The module takes a vulnerability attribute as input and queries the CIRCL CVE search API to gather additional information.\n\nThe result of the query is then parsed to return additional information about the vulnerability, like its cvss score or some references, as well as the potential related weaknesses and attack patterns.\n\nThe vulnerability additional data is returned in a vulnerability MISP object, and the related additional information are put into weakness and attack-pattern MISP objects.',
    'references': ['https://vulnerability.circl.lu', 'https://cve/mitre.org/'],
    'input': 'Vulnerability attribute.',
    'output': 'Additional information about the vulnerability, such as its cvss score, some references, or the related weaknesses and attack patterns.',
}
moduleconfig = ["custom_API"]
cveapi_url = 'https://cvepremium.circl.lu/api/'


class VulnerabilityParser():
    def __init__(self, attribute, api_url):
        misp_attribute = MISPAttribute()
        misp_attribute.from_dict(**attribute)
        misp_event = MISPEvent()
        misp_event.add_attribute(**misp_attribute)
        self.__misp_attribute = misp_attribute
        self.__misp_event = misp_event
        self.__api_url = api_url
        self.references = defaultdict(list)
        self.__capec_features = ('id', 'name', 'summary', 'prerequisites', 'solutions')
        self.__vulnerability_mapping = {
            'id': 'id', 'summary': 'summary',
            'Modified': 'modified', 'cvss3': 'cvss-score',
            'cvss3-vector': 'cvss-string'
        }
        self.__vulnerability_multiple_mapping = {
            'vulnerable_configuration': 'vulnerable-configuration',
            'vulnerable_configuration_cpe_2_2': 'vulnerable-configuration',
            'references': 'references'
        }
        self.__weakness_mapping = {
            'name': 'name', 'description_summary': 'description',
            'status': 'status', 'weaknessabs': 'weakness-abs'
        }

    @property
    def api_url(self) -> str:
        return self.__api_url

    @property
    def capec_features(self) -> tuple:
        return self.__capec_features

    @property
    def misp_attribute(self) -> MISPAttribute:
        return self.__misp_attribute

    @property
    def misp_event(self) -> MISPEvent:
        return self.__misp_event

    @property
    def vulnerability_mapping(self) -> dict:
        return self.__vulnerability_mapping

    @property
    def vulnerability_multiple_mapping(self) -> dict:
        return self.__vulnerability_multiple_mapping

    @property
    def weakness_mapping(self) -> dict:
        return self.__weakness_mapping

    def get_result(self):
        if self.references:
            self.__build_references()
        event = json.loads(self.misp_event.to_json())
        results = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])}
        return {'results': results}

    def parse_vulnerability_information(self, vulnerability):
        vulnerability_object = MISPObject('vulnerability')
        for feature, relation in self.vulnerability_mapping.items():
            if vulnerability.get(feature):
                vulnerability_object.add_attribute(relation, vulnerability[feature])
        if 'Published' in vulnerability:
            vulnerability_object.add_attribute('published', vulnerability['Published'])
            vulnerability_object.add_attribute('state', 'Published')
        for feature, relation in self.vulnerability_multiple_mapping.items():
            if feature in vulnerability:
                for value in vulnerability[feature]:
                    if isinstance(value, dict):
                        value = value['title']
                    vulnerability_object.add_attribute(relation, value)
        vulnerability_object.add_reference(self.misp_attribute.uuid, 'related-to')
        self.misp_event.add_object(vulnerability_object)
        if 'cwe' in vulnerability and vulnerability['cwe'] not in ('Unknown', 'NVD-CWE-noinfo'):
            self.__parse_weakness(vulnerability['cwe'], vulnerability_object.uuid)
        if 'capec' in vulnerability:
            self.__parse_capec(vulnerability['capec'], vulnerability_object.uuid)

    def __build_references(self):
        for object_uuid, references in self.references.items():
            for misp_object in self.misp_event.objects:
                if misp_object.uuid == object_uuid:
                    for reference in references:
                        misp_object.add_reference(**reference)
                    break

    def __parse_capec(self, capec_values, vulnerability_uuid):
        for capec in capec_values:
            capec_object = MISPObject('attack-pattern')
            for feature in self.capec_features:
                capec_object.add_attribute(feature, capec[feature])
            for related_weakness in capec['related_weakness']:
                capec_object.add_attribute('related-weakness', f"CWE-{related_weakness}")
            self.misp_event.add_object(capec_object)
            self.references[vulnerability_uuid].append(
                {
                    'referenced_uuid': capec_object.uuid,
                    'relationship_type': 'targeted-by'
                }
            )

    def __parse_weakness(self, cwe_value, vulnerability_uuid):
        cwe_string, cwe_id = cwe_value.split('-')[:2]
        cwe = requests.get(f'{self.api_url}cwe/{cwe_id}')
        if cwe.status_code == 200:
            cwe = cwe.json()
            weakness_object = MISPObject('weakness')
            weakness_object.add_attribute('id', f'{cwe_string}-{cwe_id}')
            for feature, relation in self.weakness_mapping.items():
                if cwe.get(feature):
                    weakness_object.add_attribute(relation, cwe[feature])
            self.misp_event.add_object(weakness_object)
            self.references[vulnerability_uuid].append(
                {
                    'referenced_uuid': weakness_object.uuid,
                    'relationship_type': 'weakened-by'
                }
            )


def check_url(url):
    return f"{url}/" if not url.endswith('/') else url


def handler(q=False):
    if q is False:
        return False
    request = json.loads(q)
    if not request.get('attribute') or not check_input_attribute(request['attribute']):
        return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'}
    attribute = request['attribute']
    if attribute.get('type') != 'vulnerability':
        misperrors['error'] = 'Vulnerability id missing.'
        return misperrors
    api_url = check_url(request['config']['custom_API']) if request.get('config', {}).get('custom_API') else cveapi_url
    r = requests.get(f"{api_url}cve/{attribute['value']}")
    if r.status_code == 200:
        vulnerability = r.json()
        if not vulnerability:
            misperrors['error'] = 'Non existing CVE'
            return misperrors['error']
    else:
        misperrors['error'] = 'API not accessible'
        return misperrors['error']
    parser = VulnerabilityParser(attribute, api_url)
    parser.parse_vulnerability_information(vulnerability)
    return parser.get_result()


def introspection():
    return mispattributes


def version():
    moduleinfo['config'] = moduleconfig
    return moduleinfo
new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00			`import json`
			`import requests`
add: Specific error message for misp_standard format expansion modules - Checking if the input format is respected and displaying an error message if it is not 2020-07-28 11:47:53 +02:00			`from . import check_input_attribute, standard_error_message`
			`from collections import defaultdict`
chg: [cve_advanced] Updated the module to use cvepremium & a few improvements 2022-10-25 22:20:30 +02:00			`from pymisp import MISPAttribute, MISPEvent, MISPObject`
new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00
			`misperrors = {'error': 'Error'}`
			`mispattributes = {'input': ['vulnerability'], 'format': 'misp_standard'}`
chg: [doc] Big doc revamp #680 2024-08-12 11:23:10 +02:00			`moduleinfo = {`
			`'version': '2',`
			`'author': 'Christian Studer',`
			`'description': 'An expansion module to query the CIRCL CVE search API for more information about a vulnerability (CVE).',`
			`'module-type': ['expansion', 'hover'],`
			`'name': 'CVE Advanced Lookup',`
			`'logo': 'cve.png',`
			`'requirements': [],`
			'features': 'The module takes a vulnerability attribute as input and queries the CIRCL CVE search API to gather additional information.\n\nThe result of the query is then parsed to return additional information about the vulnerability, like its cvss score or some references, as well as the potential related weaknesses and attack patterns.\n\nThe vulnerability additional data is returned in a vulnerability MISP object, and the related additional information are put into weakness and attack-pattern MISP objects.',
			`'references': ['https://vulnerability.circl.lu', 'https://cve/mitre.org/'],`
			`'input': 'Vulnerability attribute.',`
			`'output': 'Additional information about the vulnerability, such as its cvss score, some references, or the related weaknesses and attack patterns.',`
			`}`
add: New parameter to specify a custom CVE API to query - Any API specified here must return the same format as the CIRCL CVE search one in order to be supported by the parsing functions, and ideally provide response to the same kind of requests (so the CWE search works as well) 2019-09-16 14:19:20 +02:00			`moduleconfig = ["custom_API"]`
chg: [cve_advanced] Updated the module to use cvepremium & a few improvements 2022-10-25 22:20:30 +02:00			`cveapi_url = 'https://cvepremium.circl.lu/api/'`
new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00

			`class VulnerabilityParser():`
chg: [cve_advanced] Updated the module to use cvepremium & a few improvements 2022-10-25 22:20:30 +02:00			`def __init__(self, attribute, api_url):`
			`misp_attribute = MISPAttribute()`
			`misp_attribute.from_dict(**attribute)`
			`misp_event = MISPEvent()`
			`misp_event.add_attribute(**misp_attribute)`
			`self.__misp_attribute = misp_attribute`
			`self.__misp_event = misp_event`
			`self.__api_url = api_url`
add: Parsing CWE related to the CVE 2019-08-01 14:55:53 +02:00			`self.references = defaultdict(list)`
chg: [cve_advanced] Updated the module to use cvepremium & a few improvements 2022-10-25 22:20:30 +02:00			`self.__capec_features = ('id', 'name', 'summary', 'prerequisites', 'solutions')`
			`self.__vulnerability_mapping = {`
fix: fix vulnerable_configuration object ref, rely on template. Related #853 2022-07-28 14:41:32 +02:00			`'id': 'id', 'summary': 'summary',`
chg: [cve_advanced] Updated the module to use cvepremium & a few improvements 2022-10-25 22:20:30 +02:00			`'Modified': 'modified', 'cvss3': 'cvss-score',`
			`'cvss3-vector': 'cvss-string'`
			`}`
			`self.__vulnerability_multiple_mapping = {`
fix: fix vulnerable_configuration object ref, rely on template. Related #853 2022-07-28 14:41:32 +02:00			`'vulnerable_configuration': 'vulnerable-configuration',`
			`'vulnerable_configuration_cpe_2_2': 'vulnerable-configuration',`
chg: [cve_advanced] Updated the module to use cvepremium & a few improvements 2022-10-25 22:20:30 +02:00			`'references': 'references'`
			`}`
			`self.__weakness_mapping = {`
			`'name': 'name', 'description_summary': 'description',`
			`'status': 'status', 'weaknessabs': 'weakness-abs'`
			`}`

			`@property`
			`def api_url(self) -> str:`
			`return self.__api_url`

			`@property`
			`def capec_features(self) -> tuple:`
			`return self.__capec_features`

			`@property`
			`def misp_attribute(self) -> MISPAttribute:`
			`return self.__misp_attribute`

			`@property`
			`def misp_event(self) -> MISPEvent:`
			`return self.__misp_event`

			`@property`
			`def vulnerability_mapping(self) -> dict:`
			`return self.__vulnerability_mapping`

			`@property`
			`def vulnerability_multiple_mapping(self) -> dict:`
			`return self.__vulnerability_multiple_mapping`

			`@property`
			`def weakness_mapping(self) -> dict:`
			`return self.__weakness_mapping`
new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00
			`def get_result(self):`
add: Making vulnerability object reference to its related capec & cwe objects 2019-08-01 15:37:10 +02:00			`if self.references:`
			`self.__build_references()`
fix: Fixed unnecessary dictionary field call - No longer necessary to go under 'Event' field since PyMISP does not contain it since the latest update 2019-08-05 11:33:04 +02:00			`event = json.loads(self.misp_event.to_json())`
new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00			`results = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])}`
			`return {'results': results}`

chg: [cve_advanced] Updated the module to use cvepremium & a few improvements 2022-10-25 22:20:30 +02:00			`def parse_vulnerability_information(self, vulnerability):`
new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00			`vulnerability_object = MISPObject('vulnerability')`
chg: [cve_advanced] Updated the module to use cvepremium & a few improvements 2022-10-25 22:20:30 +02:00			`for feature, relation in self.vulnerability_mapping.items():`
			`if vulnerability.get(feature):`
			`vulnerability_object.add_attribute(relation, vulnerability[feature])`
			`if 'Published' in vulnerability:`
			`vulnerability_object.add_attribute('published', vulnerability['Published'])`
fix: fix vulnerable_configuration object ref, rely on template. Related #853 2022-07-28 14:41:32 +02:00			`vulnerability_object.add_attribute('state', 'Published')`
chg: [cve_advanced] Updated the module to use cvepremium & a few improvements 2022-10-25 22:20:30 +02:00			`for feature, relation in self.vulnerability_multiple_mapping.items():`
			`if feature in vulnerability:`
			`for value in vulnerability[feature]:`
fix: Updates following the latest CVE-search version - Support of the new vulnerable configuration field for CPE version > 2.2 - Support of different 'unknown CWE' message 2019-10-23 11:55:36 +02:00			`if isinstance(value, dict):`
			`value = value['title']`
fix: fix vulnerable_configuration object ref, rely on template. Related #853 2022-07-28 14:41:32 +02:00			`vulnerability_object.add_attribute(relation, value)`
chg: [cve_advanced] Updated the module to use cvepremium & a few improvements 2022-10-25 22:20:30 +02:00			`vulnerability_object.add_reference(self.misp_attribute.uuid, 'related-to')`
fix: [cve_advanced] Avoiding potential MISP object references issues - Adding objects as dictionaries in an event may cause issues in some cases. It is better to pass the MISP object as is, as it is already a valid object since the MISPObject class is used 2020-10-01 22:44:39 +02:00			`self.misp_event.add_object(vulnerability_object)`
chg: [cve_advanced] Updated the module to use cvepremium & a few improvements 2022-10-25 22:20:30 +02:00			`if 'cwe' in vulnerability and vulnerability['cwe'] not in ('Unknown', 'NVD-CWE-noinfo'):`
			`self.__parse_weakness(vulnerability['cwe'], vulnerability_object.uuid)`
			`if 'capec' in vulnerability:`
			`self.__parse_capec(vulnerability['capec'], vulnerability_object.uuid)`
add: Parsing CWE related to the CVE 2019-08-01 14:55:53 +02:00
add: Making vulnerability object reference to its related capec & cwe objects 2019-08-01 15:37:10 +02:00			`def __build_references(self):`
			`for object_uuid, references in self.references.items():`
			`for misp_object in self.misp_event.objects:`
			`if misp_object.uuid == object_uuid:`
			`for reference in references:`
			`misp_object.add_reference(**reference)`
			`break`

chg: [cve_advanced] Updated the module to use cvepremium & a few improvements 2022-10-25 22:20:30 +02:00			`def __parse_capec(self, capec_values, vulnerability_uuid):`
			`for capec in capec_values:`
fix: Using the attack-pattern object template (copy-paste typo) 2019-08-02 10:10:44 +02:00			`capec_object = MISPObject('attack-pattern')`
add: Parsing CAPEC information related to the CVE 2019-08-01 15:21:18 +02:00			`for feature in self.capec_features:`
fix: fix vulnerable_configuration object ref, rely on template. Related #853 2022-07-28 14:41:32 +02:00			`capec_object.add_attribute(feature, capec[feature])`
add: Parsing CAPEC information related to the CVE 2019-08-01 15:21:18 +02:00			`for related_weakness in capec['related_weakness']:`
fix: fix vulnerable_configuration object ref, rely on template. Related #853 2022-07-28 14:41:32 +02:00			`capec_object.add_attribute('related-weakness', f"CWE-{related_weakness}")`
fix: [cve_advanced] Avoiding potential MISP object references issues - Adding objects as dictionaries in an event may cause issues in some cases. It is better to pass the MISP object as is, as it is already a valid object since the MISPObject class is used 2020-10-01 22:44:39 +02:00			`self.misp_event.add_object(capec_object)`
fix: [cve-advanced] Using the cpe and weakness attribute types 2020-10-22 23:25:20 +02:00			`self.references[vulnerability_uuid].append(`
			`{`
			`'referenced_uuid': capec_object.uuid,`
			`'relationship_type': 'targeted-by'`
			`}`
			`)`
add: Parsing CAPEC information related to the CVE 2019-08-01 15:21:18 +02:00
chg: [cve_advanced] Updated the module to use cvepremium & a few improvements 2022-10-25 22:20:30 +02:00			`def __parse_weakness(self, cwe_value, vulnerability_uuid):`
			`cwe_string, cwe_id = cwe_value.split('-')[:2]`
			`cwe = requests.get(f'{self.api_url}cwe/{cwe_id}')`
			`if cwe.status_code == 200:`
			`cwe = cwe.json()`
			`weakness_object = MISPObject('weakness')`
			`weakness_object.add_attribute('id', f'{cwe_string}-{cwe_id}')`
			`for feature, relation in self.weakness_mapping.items():`
			`if cwe.get(feature):`
			`weakness_object.add_attribute(relation, cwe[feature])`
			`self.misp_event.add_object(weakness_object)`
			`self.references[vulnerability_uuid].append(`
			`{`
			`'referenced_uuid': weakness_object.uuid,`
			`'relationship_type': 'weakened-by'`
			`}`
			`)`
new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00

add: New parameter to specify a custom CVE API to query - Any API specified here must return the same format as the CIRCL CVE search one in order to be supported by the parsing functions, and ideally provide response to the same kind of requests (so the CWE search works as well) 2019-09-16 14:19:20 +02:00			`def check_url(url):`
chg: [cve_advanced] Updated the module to use cvepremium & a few improvements 2022-10-25 22:20:30 +02:00			`return f"{url}/" if not url.endswith('/') else url`
add: New parameter to specify a custom CVE API to query - Any API specified here must return the same format as the CIRCL CVE search one in order to be supported by the parsing functions, and ideally provide response to the same kind of requests (so the CWE search works as well) 2019-09-16 14:19:20 +02:00

new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00			`def handler(q=False):`
			`if q is False:`
			`return False`
			`request = json.loads(q)`
add: Specific error message for misp_standard format expansion modules - Checking if the input format is respected and displaying an error message if it is not 2020-07-28 11:47:53 +02:00			`if not request.get('attribute') or not check_input_attribute(request['attribute']):`
			`return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'}`
fix: Fixed pep8 + some copy paste issues introduced with the latest commits 2020-07-28 15:06:25 +02:00			`attribute = request['attribute']`
new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00			`if attribute.get('type') != 'vulnerability':`
			`misperrors['error'] = 'Vulnerability id missing.'`
			`return misperrors`
chg: [cve_advanced] Updated the module to use cvepremium & a few improvements 2022-10-25 22:20:30 +02:00			`api_url = check_url(request['config']['custom_API']) if request.get('config', {}).get('custom_API') else cveapi_url`
			`r = requests.get(f"{api_url}cve/{attribute['value']}")`
new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00			`if r.status_code == 200:`
			`vulnerability = r.json()`
			`if not vulnerability:`
			`misperrors['error'] = 'Non existing CVE'`
			`return misperrors['error']`
			`else:`
Cleaning the error message The original message can be confusing is the user change to is own API. 2019-09-17 10:42:29 +02:00			`misperrors['error'] = 'API not accessible'`
new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00			`return misperrors['error']`
chg: [cve_advanced] Updated the module to use cvepremium & a few improvements 2022-10-25 22:20:30 +02:00			`parser = VulnerabilityParser(attribute, api_url)`
			`parser.parse_vulnerability_information(vulnerability)`
new: First version of an advanced CVE parser module - Using cve.circl.lu as well as the initial module - Going deeper into the CVE parsing - More parsing to come with the CWE, CAPEC and so on 2019-07-10 15:20:22 +02:00			`return parser.get_result()`


			`def introspection():`
			`return mispattributes`


			`def version():`
			`moduleinfo['config'] = moduleconfig`
			`return moduleinfo`