
feat: added config option to allow CVE matches without version constr…
…aints
jstucke committed Dec 11, 2024
1 parent 2aa83a0 commit 770a7f5
Showing 3 changed files with 10 additions and 6 deletions.
2 changes: 2 additions & 0 deletions src/config/fact-core-config.toml
Expand Up @@ -112,6 +112,8 @@ name = "cve_lookup"
processes = 4
# CVE scores greater or equal to this value are shown as "critical"
min-critical-score = 9.0
# match CVE entries without versions constraints (`false` by default due to the high risk of false positives)
match-any = false

[[backend.plugin]]
name = "cwe_checker"
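Review bot: The comment on the new `match-any` key reads "versions constraints" and does not say what an unconstrained match is, which is the one thing an operator deciding whether to flip it needs to know. Suggest `# also match CVE entries whose CPE has no version ("ANY") and no version boundaries (`false` by default due to the high risk of false positives)`. Since enabling it deliberately trades precision for recall, it may also be worth stating that results produced this way need manual triage before being reported as confirmed findings.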
3 changes: 2 additions & 1 deletion src/plugins/analysis/cve_lookup/code/cve_lookup.py
Expand Up @@ -37,14 +37,15 @@ class AnalysisPlugin(AnalysisBasePlugin):

def additional_setup(self):
self.min_crit_score = getattr(config.backend.plugin.get(self.NAME, {}), 'min-critical-score', 9.0)
self.match_any = getattr(config.backend.plugin.get(self.NAME, {}), 'match-any', False)

def process_object(self, file_object: FileObject) -> FileObject:
"""
Process the given file object and look up vulnerabilities for each software component.
"""
cves = {'cve_results': {}}
connection = DbConnection(f'sqlite:///{DB_PATH}')
lookup = Lookup(file_object, connection)
lookup = Lookup(file_object, connection, match_any=self.match_any)
for value in file_object.processed_analysis['software_components']['result'].values():
product = value['meta']['software_name']
version = value['meta']['version'][0]
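Review bot: `additional_setup` now performs the `config.backend.plugin.get(self.NAME, {})` lookup twice (the existing `min-critical-score` line and the new `match-any` line); hoisting it into a local reads cleaner: `plugin_config = config.backend.plugin.get(self.NAME, {})` / `self.min_crit_score = getattr(plugin_config, 'min-critical-score', 9.0)` / `self.match_any = getattr(plugin_config, 'match-any', False)`. Note that `getattr` with a hyphenated name only resolves if the plugin section is an attribute-style object; when `.get` falls back to the plain `{}` default both options silently keep their defaults, which is presumably the intended "not configured" behaviour but deserves a one-line comment so nobody reads it as a bug. Because `match-any` widens the result set on purpose, logging the effective value once at setup would let an operator see from the logs why a report suddenly contains unversioned CVE matches. The `process_object` docstring could also mention that CPE entries without a version are included when `match_any` is set.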
11 changes: 6 additions & 5 deletions src/plugins/analysis/cve_lookup/internal/lookup.py
Expand Up @@ -25,9 +25,10 @@


class Lookup:
def __init__(self, file_object: FileObject, connection: DbConnection):
def __init__(self, file_object: FileObject, connection: DbConnection, match_any: bool = False):
self.file_object = file_object
self.db_interface = DbInterface(connection)
self.match_any = match_any

def lookup_vulnerabilities(
self,
Expand All @@ -38,10 +39,8 @@ def lookup_vulnerabilities(
Look up vulnerabilities for a given product and requested version.
"""
vulnerabilities = {}
product_terms, version = (
self._generate_search_terms(product_name),
replace_wildcards([requested_version])[0],
)
product_terms = self._generate_search_terms(product_name)
version = replace_wildcards([requested_version])[0]
cpe_matches = self.db_interface.match_cpes(product_terms)
if len(cpe_matches) == 0:
logging.debug(f'No CPEs were found for product {product_name}')
Expand Down Expand Up @@ -106,6 +105,8 @@ def _version_in_boundaries(self, associations: list[Association], requested_vers
association.version_end_excluding,
]
):
if self.match_any and association.cpe.version == 'ANY':
association_matches.append(association)
continue
if self._is_version_in_boundaries(association, requested_version):
association_matches.append(association)
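Review bot: In the `_version_in_boundaries` hunk the new branch compares `association.cpe.version` against the bare literal `'ANY'`; if the CPE version normalisation ever uses a different sentinel this branch silently never fires and `match-any` becomes a no-op, so naming it once (`ANY_VERSION = 'ANY'` at module level) and reusing it here would make that coupling visible. Associations accepted through this path are appended to `association_matches` exactly like version-verified ones, so nothing downstream distinguishes a bounded match from an unversioned one; given the config comment's own false-positive warning, a `logging.debug(f'matching {association.cpe} without version constraint')` here (the module already logs at that level) or a marker on the association would let analysts triage these hits separately. `_version_in_boundaries` begins and ends outside the hunk and the `if not any([...])` condition guarding the new branch is only partly visible, so I have not checked what happens when `match_any` is set but the CPE carries a concrete version. The first hunk's `match_any: bool = False` default keeps existing callers working, and the second hunk is a pure readability split.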

0 comments on commit 770a7f5
