add: New parameter to specify a custom CVE API to query

- Any API specified here must return the same
  format as the CIRCL CVE search one in order to
  be supported by the parsing functions, and
  ideally respond to the same kinds of
  requests (so the CWE search works as well)
pull/334/head
chrisr3d 2019-09-16 14:19:20 +02:00
parent c019e4d997
commit 8d33d6c18c
No known key found for this signature in database
GPG Key ID: 6BBED1B63A6D639F
1 changed files with 11 additions and 5 deletions


@ -8,14 +8,15 @@ mispattributes = {'input': ['vulnerability'], 'format': 'misp_standard'}
moduleinfo = {'version': '1', 'author': 'Christian Studer', moduleinfo = {'version': '1', 'author': 'Christian Studer',
'description': 'An expansion module to enrich a CVE attribute with the vulnerability information.', 'description': 'An expansion module to enrich a CVE attribute with the vulnerability information.',
'module-type': ['expansion', 'hover']} 'module-type': ['expansion', 'hover']}
moduleconfig = [] moduleconfig = ["custom_API"]
cveapi_url = 'https://cve.circl.lu/api/cve/' cveapi_url = 'https://cve.circl.lu/api/cve/'
class VulnerabilityParser(): class VulnerabilityParser():
def __init__(self, attribute, vulnerability): def __init__(self, attribute, vulnerability, api_url):
self.attribute = attribute self.attribute = attribute
self.vulnerability = vulnerability self.vulnerability = vulnerability
self.api_url = api_url
self.misp_event = MISPEvent() self.misp_event = MISPEvent()
self.misp_event.add_attribute(**attribute) self.misp_event.add_attribute(**attribute)
self.references = defaultdict(list) self.references = defaultdict(list)
@ -81,7 +82,7 @@ class VulnerabilityParser():
def __parse_weakness(self, vulnerability_uuid): def __parse_weakness(self, vulnerability_uuid):
attribute_type = 'text' attribute_type = 'text'
cwe_string, cwe_id = self.vulnerability['cwe'].split('-') cwe_string, cwe_id = self.vulnerability['cwe'].split('-')
cwes = requests.get(cveapi_url.replace('/cve/', '/cwe')) cwes = requests.get(self.api_url.replace('/cve/', '/cwe'))
if cwes.status_code == 200: if cwes.status_code == 200:
for cwe in cwes.json(): for cwe in cwes.json():
if cwe['id'] == cwe_id: if cwe['id'] == cwe_id:
@ -96,6 +97,10 @@ class VulnerabilityParser():
break break
def check_url(url):
return "{}/".format(url) if not url.endswith('/') else url
def handler(q=False): def handler(q=False):
if q is False: if q is False:
return False return False
@ -104,7 +109,8 @@ def handler(q=False):
if attribute.get('type') != 'vulnerability': if attribute.get('type') != 'vulnerability':
misperrors['error'] = 'Vulnerability id missing.' misperrors['error'] = 'Vulnerability id missing.'
return misperrors return misperrors
r = requests.get("{}{}".format(cveapi_url, attribute['value'])) api_url = check_url(request['config']['custom_API']) if request['config'].get('custom_API') else cveapi_url
r = requests.get("{}{}".format(api_url, attribute['value']))
if r.status_code == 200: if r.status_code == 200:
vulnerability = r.json() vulnerability = r.json()
if not vulnerability: if not vulnerability:
@ -113,7 +119,7 @@ def handler(q=False):
else: else:
misperrors['error'] = 'cve.circl.lu API not accessible' misperrors['error'] = 'cve.circl.lu API not accessible'
return misperrors['error'] return misperrors['error']
parser = VulnerabilityParser(attribute, vulnerability) parser = VulnerabilityParser(attribute, vulnerability, api_url)
parser.parse_vulnerability_information() parser.parse_vulnerability_information()
return parser.get_result() return parser.get_result()
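Review bot: The CWE lookup on the new `self.api_url.replace('/cve/', '/cwe')` line silently does nothing when the configured `custom_API` does not contain `/cve/` — `check_url` only appends a trailing slash — so the CWE request then goes to the CVE base URL and `for cwe in cwes.json()` iterates whatever that endpoint happens to return. Since the operator-supplied URL is used as-is for outbound requests, I would validate it once in `handler` rather than trust the string: `if not api_url.startswith(('http://', 'https://')) or '/cve/' not in api_url: misperrors['error'] = 'custom_API must be an http(s) URL ending in /cve/'; return misperrors`, and note the expected shape in a comment next to `moduleconfig = ["custom_API"]`. The `'cve.circl.lu API not accessible'` message on the unchanged line just above now also fires for a custom endpoint; `'{} not accessible'.format(api_url)` would point the operator at the right host. Both `requests.get` calls still pass no `timeout=`, so an unreachable custom host blocks the module indefinitely — pre-existing, but worth adding while the call is being rewritten. If `config` can be absent from the request, `request.get('config', {})` on the `api_url` line would avoid a KeyError; I cannot tell from the hunk whether MISP always sends it.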