From 770a7f59fa3524f665ed174389aa4719226905f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Stucke?=
Date: Mon, 11 Nov 2024 16:13:11 +0100
Subject: [PATCH] feat: added config option to allow CVE matches without version constraints

---
 src/config/fact-core-config.toml | 2 ++
 src/plugins/analysis/cve_lookup/code/cve_lookup.py | 3 ++-
 src/plugins/analysis/cve_lookup/internal/lookup.py | 11 ++++++-----
 3 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/src/config/fact-core-config.toml b/src/config/fact-core-config.toml
index 820a7ec70..6766169dd 100644
--- a/src/config/fact-core-config.toml
+++ b/src/config/fact-core-config.toml
@@ -112,6 +112,8 @@ name = "cve_lookup"
 processes = 4
 # CVE scores greater or equal to this value are shown as "critical"
 min-critical-score = 9.0
+# match CVE entries without versions constraints (`false` by default due to the high risk of false positives)
+match-any = false
 
 [[backend.plugin]]
 name = "cwe_checker"
diff --git a/src/plugins/analysis/cve_lookup/code/cve_lookup.py b/src/plugins/analysis/cve_lookup/code/cve_lookup.py
index 139b73712..61fca583e 100644
--- a/src/plugins/analysis/cve_lookup/code/cve_lookup.py
+++ b/src/plugins/analysis/cve_lookup/code/cve_lookup.py
@@ -37,6 +37,7 @@ class AnalysisPlugin(AnalysisBasePlugin):
     def additional_setup(self):
         self.min_crit_score = getattr(config.backend.plugin.get(self.NAME, {}), 'min-critical-score', 9.0)
+        self.match_any = getattr(config.backend.plugin.get(self.NAME, {}), 'match-any', False)
 
     def process_object(self, file_object: FileObject) -> FileObject:
         """
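Review bot: The new comment above `match-any` has a typo (`versions constraints`) and does not say what the option actually matches, so an operator cannot judge the false-positive trade-off from the config file alone. Suggest `# also report CVEs whose CPE carries no version constraint at all (version 'ANY' and no version range); off by default because such entries produce many false positives`. Whether the hyphenated key is mapped to attribute access is not visible here, but the plugin reads it with the same `getattr` pattern as `min-critical-score`, so it presumably follows that precedent.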
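Review bot: The value read for `match-any` in `additional_setup` is stored without type validation, so a TOML value such as `match-any = "false"` (a string) is truthy and would silently switch the high-false-positive mode on. Consider rejecting non-boolean values, e.g. `if not isinstance(self.match_any, bool): raise ValueError(f'cve_lookup: match-any must be a boolean, got {self.match_any!r}')`, or at least log a warning and fall back to `False`. `process_object` begins in this hunk but its body continues outside it.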
@@ -44,7 +45,7 @@ def process_object(self, file_object: FileObject) -> FileObject:
         """
         cves = {'cve_results': {}}
         connection = DbConnection(f'sqlite:///{DB_PATH}')
-        lookup = Lookup(file_object, connection)
+        lookup = Lookup(file_object, connection, match_any=self.match_any)
         for value in file_object.processed_analysis['software_components']['result'].values():
             product = value['meta']['software_name']
             version = value['meta']['version'][0]
diff --git a/src/plugins/analysis/cve_lookup/internal/lookup.py b/src/plugins/analysis/cve_lookup/internal/lookup.py
index cbc6f609e..399b5c6bf 100644
--- a/src/plugins/analysis/cve_lookup/internal/lookup.py
+++ b/src/plugins/analysis/cve_lookup/internal/lookup.py
@@ -25,9 +25,10 @@ class Lookup:
-    def __init__(self, file_object: FileObject, connection: DbConnection):
+    def __init__(self, file_object: FileObject, connection: DbConnection, match_any: bool = False):
         self.file_object = file_object
         self.db_interface = DbInterface(connection)
+        self.match_any = match_any
 
     def lookup_vulnerabilities(
         self,
@@ -38,10 +39,8 @@ def lookup_vulnerabilities(
         Look up vulnerabilities for a given product and requested version.
         """
         vulnerabilities = {}
-        product_terms, version = (
-            self._generate_search_terms(product_name),
-            replace_wildcards([requested_version])[0],
-        )
+        product_terms = self._generate_search_terms(product_name)
+        version = replace_wildcards([requested_version])[0]
         cpe_matches = self.db_interface.match_cpes(product_terms)
         if len(cpe_matches) == 0:
             logging.debug(f'No CPEs were found for product {product_name}')
@@ -106,6 +105,8 @@ def _version_in_boundaries(self, associations: list[Association], requested_vers
                     association.version_end_excluding,
                 ]
             ):
+                if self.match_any and association.cpe.version == 'ANY':
+                    association_matches.append(association)
                 continue
             if self._is_version_in_boundaries(association, requested_version):
                 association_matches.append(association)
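Review bot: `process_object` now reads `self.match_any`, which exists only after `additional_setup` has run; an instance that skips that hook (for example a unit test constructing the plugin directly) fails with `AttributeError` instead of falling back to the safe default. A class-level default, `match_any: bool = False` next to `NAME` on `AnalysisPlugin`, keeps the conservative behaviour regardless of initialisation order. The existing `min_crit_score` attribute has the same shape, so this is pre-existing style rather than a regression; `process_object` starts before this hunk and continues after it.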
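Review bot: `match_any` in `Lookup.__init__` is a boolean flag with a default and the only caller in this patch passes it by keyword, so it should be keyword-only to stop a positional `True` from being slipped in silently: `def __init__(self, file_object: FileObject, connection: DbConnection, *, match_any: bool = False):`. The stored attribute also deserves a comment explaining the opt-in, e.g. `# opt-in: also accept CPE entries with version 'ANY' and no version range (high false-positive rate)`. Three context lines at the start of this hunk are not shown on the page, so the lines of `Lookup` preceding `__init__` are not visible here.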
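Review bot: An association accepted through the new `match_any` branch in `_version_in_boundaries` is appended to `association_matches` exactly like a version-verified one, so downstream consumers of the CVE results cannot tell a confirmed match from a version-agnostic guess, which is the very reason the option defaults to off. As far as the hunk shows, the result structure is assembled elsewhere, so consider carrying the distinction out of this function (a flag on the returned entry or a separate list) rather than merging both kinds into one list. The branch also deserves a why-comment, e.g. `# no version constraints at all: accept only if the CPE itself is version-agnostic ('ANY') and the operator opted in`. Whether the database normalises the CPE wildcard (`*` in the formatted string) to the literal `'ANY'` compared here is not visible in the hunk and should be confirmed. `_version_in_boundaries` starts before this hunk.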