Merge pull request #437 from chrisr3d/main

New expansion module to get the vulnerabilities related to a CPE
2020-11-02 20:35:38 +01:00 · 2020-11-02 20:35:38 +01:00 · 900fe56fbb
parent 08d648e2f4 260bddb3cf
commit 900fe56fbb
4 changed files with 150 additions and 3 deletions
--- a/README.md
+++ b/README.md
@ -31,6 +31,7 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj
 * [CIRCL Passive SSL](misp_modules/modules/expansion/circl_passivessl.py) - a hover and expansion module to expand IP addresses with the X.509 certificate(s) seen.
 * [countrycode](misp_modules/modules/expansion/countrycode.py) - a hover module to tell you what country a URL belongs to.
 * [CrowdStrike Falcon](misp_modules/modules/expansion/crowdstrike_falcon.py) - an expansion module to expand using CrowdStrike Falcon Intel Indicator API.
+* [CPE](misp_modules/modules/expansion/cpe.py) - An expansion module to query the CVE Search API with a cpe code, to get its related vulnerabilities.
 * [CVE](misp_modules/modules/expansion/cve.py) - a hover module to give more information about a vulnerability (CVE).
 * [CVE advanced](misp_modules/modules/expansion/cve_advanced.py) - An expansion module to query the CIRCL CVE search API for more information about a vulnerability (CVE).
 * [Cuckoo submit](misp_modules/modules/expansion/cuckoo_submit.py) - A hover module to submit malware sample, url, attachment, domain to Cuckoo Sandbox.
--- a/doc/README.md
+++ b/doc/README.md
@ -222,6 +222,27 @@ Module to expand country codes.

 -----

+#### [cpe](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/cpe.py)
+
+<img src=logos/cpe.py height=60>
+
+An expansion module to query the CVE search API with a cpe code to get its related vulnerabilities.
+- **features**:
+>The module takes a cpe attribute as input and queries the CVE search API to get its related vulnerabilities.  
+>The list of vulnerabilities is then parsed and returned as vulnerability objects.
+>
+>Users can use their own CVE search API url by defining a value to the custom_API_URL parameter. If no custom API url is given, the default cve.circl.lu api url is used.
+>
+>In order to limit the amount of data returned by CVE serach, users can also the limit parameter. With the limit set, the API returns only the requested number of vulnerabilities, sorted from the highest cvss score to the lowest one.
+- **input**:
+>CPE attribute.
+- **output**:
+>The vulnerabilities related to the CPE.
+- **references**:
+>https://cve.circl.lu/api/
+
+-----
+
 #### [crowdstrike_falcon](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/crowdstrike_falcon.py)

 <img src=logos/crowdstrike.png height=60>
@ -1786,7 +1807,7 @@ Simple export of a MISP event to PDF.
 >  'Activate_galaxy_description' is a boolean (True or void) to activate the description of event related galaxies.
 >  'Activate_related_events' is a boolean (True or void) to activate the description of related event. Be aware this might leak information on confidential events linked to the current event !
 >  'Activate_internationalization_fonts' is a boolean (True or void) to activate Noto fonts instead of default fonts (Helvetica). This allows the support of CJK alphabet. Be sure to have followed the procedure to download Noto fonts (~70Mo) in the right place (/tools/pdf_fonts/Noto_TTF), to allow PyMisp to find and use them during PDF generation.
->  'Custom_fonts_path' is a text (path or void) to the TTF file of your choice, to create the PDF with it. Be aware the PDF won't support bold/italic/special style anymore with this option 
+>  'Custom_fonts_path' is a text (path or void) to the TTF file of your choice, to create the PDF with it. Be aware the PDF won't support bold/italic/special style anymore with this option
 - **input**:
 >MISP Event
 - **output**:
--- a/misp_modules/modules/expansion/init.py
+++ b/misp_modules/modules/expansion/init.py
@ -5,8 +5,8 @@ import sys
 sys.path.append('{}/lib'.format('/'.join((os.path.realpath(__file__)).split('/')[:-3])))

 __all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'circl_passivessl',
-           'countrycode', 'cve', 'cve_advanced', 'dns', 'btc_steroids', 'domaintools', 'eupi', 'eql',
-           'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal',
+           'countrycode', 'cve', 'cve_advanced', 'cpe', 'dns', 'btc_steroids', 'domaintools', 'eupi',
+           'eql', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal',
           'whois', 'shodan', 'reversedns', 'geoip_asn', 'geoip_city', 'geoip_country', 'wiki', 'iprep',
           'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon',
           'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl',
--- a/misp_modules/modules/expansion/cpe.py
+++ b/misp_modules/modules/expansion/cpe.py
@ -0,0 +1,125 @@
+import json
+import requests
+from . import check_input_attribute, standard_error_message
+from pymisp import MISPEvent, MISPObject
+
+misperrors = {'error': 'Error'}
+mispattributes = {'input': ['cpe'], 'format': 'misp_standard'}
+moduleinfo = {
+    'version': '1',
+    'author': 'Christian Studer',
+    'description': 'An expansion module to enrich a CPE attribute with its related vulnerabilities.',
+    'module-type': ['expansion', 'hover']
+}
+moduleconfig = ["custom_API_URL", "limit"]
+cveapi_url = 'https://cvepremium.circl.lu/api/cvefor/'
+
+
+class VulnerabilitiesParser():
+    def __init__(self, attribute, api_url):
+        self.attribute = attribute
+        self.api_url = api_url
+        self.misp_event = MISPEvent()
+        self.misp_event.add_attribute(**attribute)
+        self.vulnerability_mapping = {
+            'id': {
+                'type': 'vulnerability',
+                'object_relation': 'id'
+            },
+            'summary': {
+                'type': 'text',
+                'object_relation': 'summary'
+            },
+            'vulnerable_configuration': {
+                'type': 'cpe',
+                'object_relation': 'vulnerable_configuration'
+            },
+            'vulnerable_configuration_cpe_2_2': {
+                'type': 'cpe',
+                'object_relation': 'vulnerable_configuration'
+            },
+            'Modified': {
+                'type': 'datetime',
+                'object_relation': 'modified'
+            },
+            'Published': {
+                'type': 'datetime',
+                'object_relation': 'published'
+            },
+            'references': {
+                'type': 'link',
+                'object_relation': 'references'
+            },
+            'cvss': {
+                'type': 'float',
+                'object_relation': 'cvss-score'
+            }
+        }
+
+    def parse_vulnerabilities(self, vulnerabilities):
+        for vulnerability in vulnerabilities:
+            vulnerability_object = MISPObject('vulnerability')
+            for feature in ('id', 'summary', 'Modified', 'Published', 'cvss'):
+                if vulnerability.get(feature):
+                    attribute = {'value': vulnerability[feature]}
+                    attribute.update(self.vulnerability_mapping[feature])
+                    vulnerability_object.add_attribute(**attribute)
+            if vulnerability.get('Published'):
+                vulnerability_object.add_attribute(**{
+                    'type': 'text',
+                    'object_relation': 'state',
+                    'value': 'Published'
+                })
+            for feature in ('references', 'vulnerable_configuration', 'vulnerable_configuration_cpe_2_2'):
+                if vulnerability.get(feature):
+                    for value in vulnerability[feature]:
+                        if isinstance(value, dict):
+                            value = value['title']
+                        attribute = {'value': value}
+                        attribute.update(self.vulnerability_mapping[feature])
+                        vulnerability_object.add_attribute(**attribute)
+            vulnerability_object.add_reference(self.attribute['uuid'], 'related-to')
+            self.misp_event.add_object(vulnerability_object)
+
+    def get_result(self):
+        event = json.loads(self.misp_event.to_json())
+        results = {key: event[key] for key in ('Attribute', 'Object')}
+        return {'results': results}
+
+
+def check_url(url):
+    return url if url.endswith('/') else f"{url}/"
+
+
+def handler(q=False):
+    if q is False:
+        return False
+    request = json.loads(q)
+    if not request.get('attribute') or not check_input_attribute(request['attribute']):
+        return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'}
+    attribute = request['attribute']
+    if attribute.get('type') != 'cpe':
+        return {'error': 'Wrong input attribute type.'}
+    api_url = check_url(request['config']['custom_API_URL']) if request['config'].get('custom_API_URL') else cveapi_url
+    url = f"{api_url}{attribute['value']}"
+    if request['config'].get('limit'):
+        url = f"{url}/{request['config']['limit']}"
+    response = requests.get(url)
+    if response.status_code == 200:
+        vulnerabilities = response.json()
+        if not vulnerabilities:
+            return {'error': 'No related vulnerability for this CPE.'}
+    else:
+        return {'error': 'API not accessible.'}
+    parser = VulnerabilitiesParser(attribute, api_url)
+    parser.parse_vulnerabilities(vulnerabilities)
+    return parser.get_result()
+
+
+def introspection():
+    return mispattributes
+
+
+def version():
+    moduleinfo['config'] = moduleconfig
+    return moduleinfo