From 4ff402e117d469838d7acb87f3fa44ce6c7c4c7e Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Mon, 16 Dec 2024 16:41:01 +0100 Subject: [PATCH] add: [vulnerability_lookup] Enhanced CSAF format parsing - Supporting NCSC-NL CSAF format & the CISA CSAF format prefixed with `va` - Extracting cpe information from `product_tree` for all the CSAF formats --- .../modules/expansion/vulnerability_lookup.py | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/misp_modules/modules/expansion/vulnerability_lookup.py b/misp_modules/modules/expansion/vulnerability_lookup.py index 0e32fa10..e5f40713 100644 --- a/misp_modules/modules/expansion/vulnerability_lookup.py +++ b/misp_modules/modules/expansion/vulnerability_lookup.py @@ -74,8 +74,8 @@ class VulnerabilityLookupMapping(VulnerabilityMapping): __source_mapping.update( dict.fromkeys( ( - 'cisco', 'icsa', 'icsma', 'nn', 'oxas', - 'rhba', 'rhea', 'rhsa', 'sca', 'ssa', 'wid' + 'cisco', 'icsa', 'icsma', 'ncsc', 'nn', 'oxas', + 'rhba', 'rhea', 'rhsa', 'sca', 'ssa', 'va', 'wid' ), '_parse_csaf_description' ) @@ -161,6 +161,15 @@ class VulnerabilityLookupParser(VulnerabilityParser): feature = self.mapping.source_mapping(alias.split('-')[0].lower()) yield getattr(self, feature)(vulnerability) + def _parse_csaf_branch(self, branch: list) -> Iterator[str]: + for sub_branch in branch: + if sub_branch.get('branches'): + yield from self._parse_csaf_branch(sub_branch['branches']) + else: + cpe = sub_branch.get('product', {}).get('product_identification_helper', {}).get('cpe') + if cpe is not None: + yield cpe + def _parse_csaf_description(self, lookup_result: dict) -> str: description = lookup_result['document'] @@ -172,6 +181,10 @@ class VulnerabilityLookupParser(VulnerabilityParser): for reference in description.get('references', []): misp_object.add_attribute('references', reference['url']) misp_object.add_attribute('credit', description['publisher']['name']) + branches = lookup_result.get('product_tree', {}).get('branches', []) + if branches: + for cpe in set(self._parse_csaf_branch(branches)): + misp_object.add_attribute('vulnerable-configuration', cpe) misp_object.add_reference(self.misp_attribute.uuid, 'describes') vulnerability_object = self.misp_event.add_object(misp_object)