From 7efb24a4f0c355df6588a8e02619535b2bff5968 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Stucke?=
Date: Tue, 10 Dec 2024 12:42:17 +0100
Subject: [PATCH] feat: made the min critial CVE score configurable

---
 src/config/fact-core-config.toml                   |  2 ++
 src/plugins/analysis/cve_lookup/code/cve_lookup.py | 10 ++++++----
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/config/fact-core-config.toml b/src/config/fact-core-config.toml
index d114a1821..820a7ec70 100644
--- a/src/config/fact-core-config.toml
+++ b/src/config/fact-core-config.toml
@@ -110,6 +110,8 @@ processes = 4
 [[backend.plugin]]
 name = "cve_lookup"
 processes = 4
+# CVE scores greater or equal to this value are shown as "critical"
+min-critical-score = 9.0
 
 [[backend.plugin]]
 name = "cwe_checker"
diff --git a/src/plugins/analysis/cve_lookup/code/cve_lookup.py b/src/plugins/analysis/cve_lookup/code/cve_lookup.py
index d6e661c17..139b73712 100644
--- a/src/plugins/analysis/cve_lookup/code/cve_lookup.py
+++ b/src/plugins/analysis/cve_lookup/code/cve_lookup.py
@@ -4,6 +4,7 @@ from pathlib import Path
 from typing import TYPE_CHECKING
 
 
+import config
 from analysis.PluginBase import AnalysisBasePlugin
 from helperFunctions.tag import TagColor
 from plugins.mime_blacklists import MIME_BLACKLIST_NON_EXECUTABLE
@@ -20,7 +21,6 @@ from lookup import Lookup
 
 
 DB_PATH = str(Path(__file__).parent / '../internal/database/cve_cpe.db')
-MINIMUM_CRITICAL_SCORE = 9.0
 
 
 class AnalysisPlugin(AnalysisBasePlugin):
@@ -35,6 +35,9 @@ class AnalysisPlugin(AnalysisBasePlugin):
     VERSION = '0.2.0'
     FILE = __file__
 
+    def additional_setup(self):
+        self.min_crit_score = getattr(config.backend.plugin.get(self.NAME, {}), 'min-critical-score', 9.0)
+
     def process_object(self, file_object: FileObject) -> FileObject:
         """
         Process the given file object and look up vulnerabilities for each software component.
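Review bot: The comment above the new `min-critical-score` key does not say what scale the value is on or what happens when the key is left out, which is exactly what an operator tuning this threshold needs to know. Taking the default from the plugin hunk in this same commit, something like `# Score (presumably CVSS, 0.0-10.0) at or above which a CVE is tagged "critical"; defaults to 9.0 when omitted` would cover it. The existing wording `greater or equal` should also read `greater than or equal to`.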
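Review bot: In `additional_setup` the plugin entry is fetched with a mapping call, `config.backend.plugin.get(self.NAME, {})`, but the key is then read with `getattr(..., 'min-critical-score', 9.0)`; if that entry is a plain dict, as the `{}` fallback and the hyphenated TOML key suggest, `getattr` will never find the key and the configured threshold is silently ignored in favour of 9.0, so this needs checking against how `config.backend.plugin` entries are typed. The value is also stored without coercion, so a TOML string such as `"9.0"` would only surface later in `_entry_has_critical_rating` as a TypeError on the `>=` comparison, and the bare `9.0` duplicates the default that the removed `MINIMUM_CRITICAL_SCORE` used to name. Something like `self.min_crit_score = float(config.backend.plugin.get(self.NAME, {}).get('min-critical-score', DEFAULT_MIN_CRITICAL_SCORE))` with a module-level named default would keep one source for the value and fail at setup rather than at lookup time; whether the base class actually invokes `additional_setup` cannot be seen from this hunk.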
@@ -86,9 +89,8 @@ def add_tags(self, cve_results: dict[str, dict[str, dict[str, str]]], file_objec
                 self.add_analysis_tag(file_object, 'CVE', 'critical CVE', TagColor.RED, True)
                 return
 
-    @staticmethod
-    def _entry_has_critical_rating(entry: dict[str, dict[str, str]]) -> bool:
+    def _entry_has_critical_rating(self, entry: dict[str, dict[str, str]]) -> bool:
         """
         Check if the given entry has a critical rating.
         """
-        return any(value != 'N/A' and float(value) >= MINIMUM_CRITICAL_SCORE for value in entry['scores'].values())
+        return any(value != 'N/A' and float(value) >= self.min_crit_score for value in entry['scores'].values())
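Review bot: `_entry_has_critical_rating` now depends on `self.min_crit_score`, which this commit assigns only inside `additional_setup`; an instance on which that setup path did not run (the base class hook order is not visible here) raises AttributeError on the first entry instead of falling back to the previous 9.0 threshold. A class-level default, `min_crit_score = 9.0` next to `VERSION`/`FILE`, or a named module constant shared by the attribute and the config default, would keep the method usable in that case and keep one source for the value. The pre-existing `float(value)` on anything other than `'N/A'` is unchanged by this commit but deserves a line in the docstring, e.g. `Scores are expected to be numeric strings or 'N/A'; other values raise ValueError.`; `add_tags`, whose body the hunk opens in, starts outside the hunk.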