mirror of https://github.com/MISP/misp-modules
add: [vulnerability_lookup] Enhanced CSAF format parsing
- Supporting NCSC-NL CSAF format & the CISA CSAF
format prefixed with `va`
- Extracting cpe information from `product_tree`
for all the CSAF formats
pull/709/head
Christian Studer
parent
8b3da50c57
commit
4ff402e117
|
|
@ -74,8 +74,8 @@ class VulnerabilityLookupMapping(VulnerabilityMapping):
|
||||||
__source_mapping.update(
|
__source_mapping.update(
|
||||||
dict.fromkeys(
|
dict.fromkeys(
|
||||||
(
|
(
|
||||||
'cisco', 'icsa', 'icsma', 'nn', 'oxas',
|
'cisco', 'icsa', 'icsma', 'ncsc', 'nn', 'oxas',
|
||||||
'rhba', 'rhea', 'rhsa', 'sca', 'ssa', 'wid'
|
'rhba', 'rhea', 'rhsa', 'sca', 'ssa', 'va', 'wid'
|
||||||
),
|
),
|
||||||
'_parse_csaf_description'
|
'_parse_csaf_description'
|
||||||
)
|
)
|
||||||
|
|
@ -161,6 +161,15 @@ class VulnerabilityLookupParser(VulnerabilityParser):
|
||||||
feature = self.mapping.source_mapping(alias.split('-')[0].lower())
|
feature = self.mapping.source_mapping(alias.split('-')[0].lower())
|
||||||
yield getattr(self, feature)(vulnerability)
|
yield getattr(self, feature)(vulnerability)
|
||||||
|
|
||||||
|
def _parse_csaf_branch(self, branch: list) -> Iterator[str]:
|
||||||
|
for sub_branch in branch:
|
||||||
|
if sub_branch.get('branches'):
|
||||||
|
yield from self._parse_csaf_branch(sub_branch['branches'])
|
||||||
|
else:
|
||||||
|
cpe = sub_branch.get('product', {}).get('product_identification_helper', {}).get('cpe')
|
||||||
|
if cpe is not None:
|
||||||
|
yield cpe
|
||||||
|
|
||||||
def _parse_csaf_description(self, lookup_result: dict) -> str:
|
def _parse_csaf_description(self, lookup_result: dict) -> str:
|
||||||
description = lookup_result['document']
|
description = lookup_result['document']
|
||||||
|
|
||||||
|
|
@ -172,6 +181,10 @@ class VulnerabilityLookupParser(VulnerabilityParser):
|
||||||
for reference in description.get('references', []):
|
for reference in description.get('references', []):
|
||||||
misp_object.add_attribute('references', reference['url'])
|
misp_object.add_attribute('references', reference['url'])
|
||||||
misp_object.add_attribute('credit', description['publisher']['name'])
|
misp_object.add_attribute('credit', description['publisher']['name'])
|
||||||
|
branches = lookup_result.get('product_tree', {}).get('branches', [])
|
||||||
|
if branches:
|
||||||
|
for cpe in set(self._parse_csaf_branch(branches)):
|
||||||
|
misp_object.add_attribute('vulnerable-configuration', cpe)
|
||||||
misp_object.add_reference(self.misp_attribute.uuid, 'describes')
|
misp_object.add_reference(self.misp_attribute.uuid, 'describes')
|
||||||
vulnerability_object = self.misp_event.add_object(misp_object)
|
vulnerability_object = self.misp_event.add_object(misp_object)
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue