MISP
/
misp-modules
mirror of https://github.com/MISP/misp-modules
2
0
Fork 0
Code Issues Releases Wiki Activity

fix: [cve] fix CVE module to new vulnerability.circl.lu url

pull/681/head
Christophe Vandeplas 2024-08-09 09:53:14 +02:00
parent 291cbad875
commit dd3ac91afd
No known key found for this signature in database
GPG Key ID: BDC48619FFDC5A5B
10 changed files with 78 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -17,6 +17,7 @@ site*
#venv
venv*
.venv/
#vscode
.vscode*

8
documentation/README.md
View File

@ -263,7 +263,7 @@ An expansion module to query the CVE search API with a cpe code to get its relat
>The module takes a cpe attribute as input and queries the CVE search API to get its related vulnerabilities.
>The list of vulnerabilities is then parsed and returned as vulnerability objects.
>
>Users can use their own CVE search API url by defining a value to the custom_API_URL parameter. If no custom API url is given, the default cve.circl.lu api url is used.
>Users can use their own CVE search API url by defining a value to the custom_API_URL parameter. If no custom API url is given, the default vulnerability.circl.lu api url is used.
>
>In order to limit the amount of data returned by CVE serach, users can also the limit parameter. With the limit set, the API returns only the requested number of vulnerabilities, sorted from the highest cvss score to the lowest one.
- **input**:
@ -271,7 +271,7 @@ An expansion module to query the CVE search API with a cpe code to get its relat
- **output**:
>The vulnerabilities related to the CPE.
- **references**:
>https://cve.circl.lu/api/
>https://vulnerability.circl.lu/api/
-----
@ -381,7 +381,7 @@ An expansion hover module to expand information about CVE id.
- **output**:
>Text giving information about the CVE related to the Vulnerability.
- **references**:
> - https://cve.circl.lu/
> - https://vulnerability.circl.lu/
> - https://cve.mitre.org/
-----
@ -402,7 +402,7 @@ An expansion module to query the CIRCL CVE search API for more information about
- **output**:
>Additional information about the vulnerability, such as its cvss score, some references, or the related weaknesses and attack patterns.
- **references**:
> - https://cve.circl.lu
> - https://vulnerability.circl.lu
> - https://cve/mitre.org/
-----

8
documentation/mkdocs/expansion.md
View File

@ -260,7 +260,7 @@ An expansion module to query the CVE search API with a cpe code to get its relat
>The module takes a cpe attribute as input and queries the CVE search API to get its related vulnerabilities.
>The list of vulnerabilities is then parsed and returned as vulnerability objects.
>
>Users can use their own CVE search API url by defining a value to the custom_API_URL parameter. If no custom API url is given, the default cve.circl.lu api url is used.
>Users can use their own CVE search API url by defining a value to the custom_API_URL parameter. If no custom API url is given, the default vulnerability.circl.lu api url is used.
>
>In order to limit the amount of data returned by CVE serach, users can also the limit parameter. With the limit set, the API returns only the requested number of vulnerabilities, sorted from the highest cvss score to the lowest one.
- **input**:
@ -268,7 +268,7 @@ An expansion module to query the CVE search API with a cpe code to get its relat
- **output**:
>The vulnerabilities related to the CPE.
- **references**:
>https://cve.circl.lu/api/
>https://vulnerability.circl.lu/api/
-----
@ -378,7 +378,7 @@ An expansion hover module to expand information about CVE id.
- **output**:
>Text giving information about the CVE related to the Vulnerability.
- **references**:
> - https://cve.circl.lu/
> - https://vulnerability.circl.lu/
> - https://cve.mitre.org/
-----
@ -399,7 +399,7 @@ An expansion module to query the CIRCL CVE search API for more information about
- **output**:
>Additional information about the vulnerability, such as its cvss score, some references, or the related weaknesses and attack patterns.
- **references**:
> - https://cve.circl.lu
> - https://vulnerability.circl.lu
> - https://cve/mitre.org/
-----

4
documentation/website/expansion/cpe.json
View File

@ -4,7 +4,7 @@
"input": "CPE attribute.",
"output": "The vulnerabilities related to the CPE.",
"references": [
"https://cve.circl.lu/api/"
"https://vulnerability.circl.lu/api/"
],
"features": "The module takes a cpe attribute as input and queries the CVE search API to get its related vulnerabilities. \nThe list of vulnerabilities is then parsed and returned as vulnerability objects.\n\nUsers can use their own CVE search API url by defining a value to the custom_API_URL parameter. If no custom API url is given, the default cve.circl.lu api url is used.\n\nIn order to limit the amount of data returned by CVE serach, users can also the limit parameter. With the limit set, the API returns only the requested number of vulnerabilities, sorted from the highest cvss score to the lowest one."
"features": "The module takes a cpe attribute as input and queries the CVE search API to get its related vulnerabilities. \nThe list of vulnerabilities is then parsed and returned as vulnerability objects.\n\nUsers can use their own CVE search API url by defining a value to the custom_API_URL parameter. If no custom API url is given, the default vulnerability.circl.lu api url is used.\n\nIn order to limit the amount of data returned by CVE serach, users can also the limit parameter. With the limit set, the API returns only the requested number of vulnerabilities, sorted from the highest cvss score to the lowest one."
}

2
documentation/website/expansion/cve.json
View File

@ -4,7 +4,7 @@
"input": "Vulnerability attribute.",
"output": "Text giving information about the CVE related to the Vulnerability.",
"references": [
"https://cve.circl.lu/",
"https://vulnerability.circl.lu/",
"https://cve.mitre.org/"
],
"features": "The module takes a vulnerability attribute as input and queries the CIRCL CVE search API to get information about the vulnerability as it is described in the list of CVEs."

2
documentation/website/expansion/cve_advanced.json
View File

@ -4,7 +4,7 @@
"input": "Vulnerability attribute.",
"output": "Additional information about the vulnerability, such as its cvss score, some references, or the related weaknesses and attack patterns.",
"references": [
"https://cve.circl.lu",
"https://vulnerability.circl.lu",
"https://cve/mitre.org/"
],
"features": "The module takes a vulnerability attribute as input and queries the CIRCL CVE search API to gather additional information.\n\nThe result of the query is then parsed to return additional information about the vulnerability, like its cvss score or some references, as well as the potential related weaknesses and attack patterns.\n\nThe vulnerability additional data is returned in a vulnerability MISP object, and the related additional information are put into weakness and attack-pattern MISP objects."

11
misp_modules/modules/expansion/cve.py
View File

@ -3,9 +3,9 @@ import requests
misperrors = {'error': 'Error'}
mispattributes = {'input': ['vulnerability'], 'output': ['text']}
moduleinfo = {'version': '0.3', 'author': 'Alexandre Dulaunoy', 'description': 'An expansion hover module to expand information about CVE id.', 'module-type': ['hover']}
moduleinfo = {'version': '0.4', 'author': 'Alexandre Dulaunoy', 'description': 'An expansion hover module to expand information about CVE id.', 'module-type': ['hover']}
moduleconfig = ["custom_API"]
cveapi_url = 'https://cve.circl.lu/api/cve/'
cveapi_url = 'https://vulnerability.circl.lu/api/cve/'
def check_url(url):
@ -24,10 +24,9 @@ def handler(q=False):
r = requests.get("{}{}".format(api_url, request.get('vulnerability')))
if r.status_code == 200:
vulnerability = json.loads(r.text)
if vulnerability:
if vulnerability.get('summary'):
summary = vulnerability['summary']
else:
try:
summary = vulnerability['containers']['cna']['descriptions'][0]['value']
except Exception:
summary = 'Non existing CVE'
else:
misperrors['error'] = 'API not accessible'

2
tests/bodysourcecache.json
View File

@ -1 +1 @@
{"module": "sourcecache", "link": "http://cve.circl.lu/" }
{"module": "sourcecache", "link": "http://vulnerability.circl.lu/" }

24
tests/test.py
View File

@ -15,6 +15,7 @@ from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
from email.header import Header
class TestModules(unittest.TestCase):
def setUp(self):
@ -30,6 +31,29 @@ class TestModules(unittest.TestCase):
def test_cve(self):
with open('tests/bodycve.json', 'r') as f:
response = requests.post(self.url + "query", data=f.read())
expected_response = {
'results': [
{
'types': ['text'],
'values': 'Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability."'
}
]
}
self.assertDictEqual(response.json(), expected_response)
print(response.json())
response.connection.close()
def test_invalid_cve(self):
response = requests.post(self.url + "query", data='{"module": "cve", "vulnerability": "CVE-INVALID"}')
expected_response = {
'results': [
{
'types': ['text'],
'values': 'Non existing CVE'
}
]
}
self.assertDictEqual(response.json(), expected_response)
print(response.json())
response.connection.close()

15
tests/test_expansions.py
View File

@ -192,7 +192,7 @@ class TestExpansions(unittest.TestCase):
self.assertIn(self.get_values(response), results)
def test_cve(self):
query = {"module": "cve", "vulnerability": "CVE-2010-4444", "config": {"custom_API": "https://cve.circl.lu/api/cve/"}}
query = {"module": "cve", "vulnerability": "CVE-2010-4444", "config": {"custom_API": "https://vulnerability.circl.lu/api/cve/"}}
response = self.misp_modules_post(query)
self.assertTrue(self.get_values(response).startswith("Unspecified vulnerability in Oracle Sun Java System Access Manager"))
@ -548,6 +548,7 @@ class TestExpansions(unittest.TestCase):
query = {"module": "stix2_pattern_syntax_validator", "stix2-pattern": "[ipv4-addr:value = '8.8.8.8']"}
response = self.misp_modules_post(query)
self.assertEqual(self.get_values(response), 'Syntax valid')
def test_threatcrowd(self):
if LiveCI:
return True
@ -589,6 +590,7 @@ class TestExpansions(unittest.TestCase):
response = self.misp_modules_post(query)
self.assertTrue(self.get_values(response), result)
@unittest.skip("Service doesn't work")
def test_urlhaus(self):
query_types = ('domain', 'ip-src', 'sha256', 'url')
query_values = ('www.bestwpdesign.com', '79.118.195.239',
@ -768,9 +770,18 @@ class TestExpansions(unittest.TestCase):
def test_yara_query(self):
query = {"module": "yara_query", "md5": "b2a5abfeef9e36964281a31e17b57c97"}
response = self.misp_modules_post(query)
self.assertEqual(self.get_values(response), 'import "hash"\r\nrule MD5 {\r\n\tcondition:\r\n\t\thash.md5(0, filesize) == "b2a5abfeef9e36964281a31e17b57c97"\r\n}')
expected_result = 'import "hash"\r\nrule MD5 {\r\n\tcondition:\r\n\t\thash.md5(0, filesize) == "b2a5abfeef9e36964281a31e17b57c97"\r\n}'
self.assertEqual(self.get_values(response), expected_result)
def test_yara_validator(self):
query = {"module": "yara_syntax_validator", "yara": 'import "hash"\r\nrule MD5 {\r\n\tcondition:\r\n\t\thash.md5(0, filesize) == "b2a5abfeef9e36964281a31e17b57c97"\r\n}'}
response = self.misp_modules_post(query)
self.assertEqual(self.get_values(response), 'Syntax valid')
@unittest.skip("Not developed yet")
def test_yara_export(self):
query = {"module": "yara_export"}
response = self.misp_modules_post(query)
expected_result = ''
self.assertEqual(self.get_values(response), expected_result)