Release 1.6.5 (#293)

* Fix vulnerabilities in third party libraries (#289)

* Upgrade dependencies

* Upgrade package-lock.json too

* Migrate NVD NIST API calls to API version 2.0 (#292)

* Migrate NVD NIST API calls to API version 2.0

* Fix mock data

* Debug error in unit test

* Debug error in unit test

* Fix error in unit test

* Upgrade workflow for releasing Desktop version and upgrade Rekono version to 1.6.5 (#294)

.github/workflows/desktop.yml

@@ -46,11 +46,8 @@ jobs:
     runs-on: ubuntu-latest
     environment: gitlab
     needs: docker-image
-    env:
-      GL_REKONO_ID: 45783845
-      GL_KALI_ID: 48406619
     steps:
-      - name: Checkout Rekono repository from GitLab
+      - name: Checkout GitLab repository
         run: git clone https://gitlab.com/pablosnt/rekono.git rekono-deb
 
       - name: Update debian/changelog
@@ -64,11 +61,11 @@ jobs:
           tz = pytz.timezone('Europe/Madrid')
           d = tz.localize(datetime.now())
           change_time = d.strftime('%a, %d %b %Y %H:%M:%S %z')
-          new_changes = f'rekono-kbx (${{ github.event.release.name }}) kali-dev; urgency=medium\n\n  * Update Rekono version to ${{ github.event.release.name }}.\n\n -- Pablo Santiago López <${{ secrets.GITLAB_EMAIL }}>  {change_time}\n\n'
+          new_changes = f'rekono (${{ github.event.release.name }}) kali-dev; urgency=medium\n\n  * Update Rekono version to ${{ github.event.release.name }}.\n\n -- Pablo Santiago López <${{ secrets.GITLAB_EMAIL }}>  {change_time}\n\n'
           with open('changelog', 'w') as changelog:
             changelog.write(new_changes + old_changes)
       
-      - name: Commit changes to Rekono repository in GitLab
+      - name: Commit changes to GitLab
         working-directory: rekono-deb
         run: |
           git config user.name 'Pablo Santiago'
@@ -79,32 +76,29 @@ jobs:
           git config credential.helper '!f() { sleep 1; echo "username=${{ secrets.GITLAB_USER }}"; echo "password=${{ secrets.GITLAB_TOKEN }}"; }; f'
           git push --set-upstream origin release/${{ github.event.release.name }}
       
-      - name: Create merge request on Rekono repository in GitLab
-        id: gitlab-merge-request
+      - name: GitLab merge request
         shell: python
+        env:
+          GITLAB_PROJECT_ID: 45783845
         run: |
           import requests
-          from pathlib import Path
           headers = {
             'PRIVATE-TOKEN': '${{ secrets.GITLAB_TOKEN }}'
           }
           data = {
             'title': 'Update Rekono version to ${{ github.event.release.name }}',
-            'source_project_id': ${{ env.GL_REKONO_ID }},
             'source_branch': 'release/${{ github.event.release.name }}',
-            'target_project_id': ${{ env.GL_REKONO_ID }},
-            'target_branch': 'kali/master'
+            'target_branch': 'kali/master',
           }
-          response = requests.post('https://gitlab.com/api/v4/projects/${{ env.GL_REKONO_ID }}/merge_requests', data=data, headers=headers)
+          response = requests.post('https://gitlab.com/api/v4/projects/${{ env.GITLAB_PROJECT_ID }}/merge_requests', data=data, headers=headers)
+          if response.status_code != 201:
+            print(response.text)
           response.raise_for_status()
-          response_data = response.json()
-          if response_data and response_data.get('web_url'):
-            with Path(os.getenv('GITHUB_OUTPUT')).open('a') as github_output:
-              github_output.write(f'url={response_data.get("web_url")}\n')
-            print(response_data.get('web_url'))
 
-      - name: Create issue on Kali Linux repository in GitLab
+      - name: GitLab issue in Kali Linux repository
         shell: python
+        env:
+          GITLAB_PROJECT_ID: 48406619
         run: |
           import requests
           headers = {
@@ -113,20 +107,14 @@ jobs:
           data = {
             'title': 'New Rekono version ${{ github.event.release.name }}',
             'description': '''Please, upgrade the `rekono-kbx` Kali Linux package to the latest version `${{ github.event.release.name }}`.
-            
-            It's needed to upgrade the version references to `${{ github.event.release.name }}` in the files:
-            - [debian/changelog](https://gitlab.com/kalilinux/packages/rekono-kbx/-/blob/kali/master/debian/changelog)
 
             New version details:
-            - [Rekono package MR](${{ steps.gitlab-merge-request.outputs.url }})
             - [GitHub release](https://github.com/pablosnt/rekono/releases/tag/${{ github.event.release.name }})
             - [Rekono changelog](https://github.com/pablosnt/rekono/blob/main/CHANGELOG.md)
 
             Thank you very much!
             ''',
           }
-          response = requests.post('https://gitlab.com/api/v4/projects/${{ env.GL_KALI_ID }}/issues', data=data, headers=headers)
+          response = requests.post('https://gitlab.com/api/v4/projects/${{ env.GITLAB_PROJECT_ID }}/issues', data=data, headers=headers)
           response.raise_for_status()
-          response_data = response.json()
-          if response_data and response_data.get('web_url'):
-            print(response_data.get('web_url'))
+        

CHANGELOG.md

@@ -4,6 +4,19 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 
+## [1.6.5] - 2024-03-29
+
+### Fixed
+
+- Upgrade NVD NIST API version to 2.0 after [decommissioning of version 1.0](https://nvd.nist.gov/general/news/api-20-announcements) (https://github.com/pablosnt/rekono/issues/287)
+
+### Security
+
+- Upgrade `Django` version to `3.2.25` (https://github.com/pablosnt/rekono/issues/286)
+- Upgrade `pycryptodome` version to `3.19.1` (https://github.com/pablosnt/rekono/issues/286)
+- Upgrade `axios` version to `0.28.0` (https://github.com/pablosnt/rekono/issues/286)
+
+
 ## [1.6.4] - 2023-11-07
 
 ### Security

README.md

@@ -68,7 +68,7 @@ apt install rekono-kbx
 If you are using **Parrot OS**, you can download the Debian package from the Rekono release:
 
 ```bash
-wget https://github.com/pablosnt/rekono/releases/download/1.6.4/rekono-kbx_1.6.4_amd64.deb && dpkg -i rekono-kbx_1.6.4_amd64.deb || apt -f install -y
+wget https://github.com/pablosnt/rekono/releases/download/1.6.5/rekono-kbx_1.6.5_amd64.deb && dpkg -i rekono-kbx_1.6.5_amd64.deb || apt -f install -y
 ```
 
 > Default credentials are `rekono:rekono`. For security reasons, **password should be changed** the first time you access the account

rekono/findings/nvd_nist.py

@@ -2,9 +2,8 @@
 from urllib.parse import urlparse
 
 import requests
-from requests.adapters import HTTPAdapter, Retry
-
 from findings.enums import Severity
+from requests.adapters import HTTPAdapter, Retry
 
 # Mapping between severity values and CVSS values
 CVSS_RANGES = {
@@ -21,7 +20,7 @@
 class NvdNist:
     '''NVD NIST API handler to get information for a CVE code.'''
 
-    api_url_pattern = 'https://services.nvd.nist.gov/rest/json/cve/1.0/{cve}'   # API Rest URL
+    api_url_pattern = 'https://services.nvd.nist.gov/rest/json/cves/2.0?cveId={cve}'   # API Rest URL
     cve_reference_pattern = 'https://nvd.nist.gov/vuln/detail/{cve}'            # CVE reference format
 
     def __init__(self, cve: str) -> None:
@@ -55,15 +54,15 @@ def request(self) -> dict:
         except requests.exceptions.ConnectionError:
             response = session.get(self.api_url_pattern.format(cve=self.cve))
         logger.info(f'[NVD NIST] GET {self.cve} > HTTP {response.status_code}')
-        return response.json()['result']['CVE_Items'][0] if response.status_code == 200 else {}
+        return response.json().get("vulnerabilities")[0].get("cve", {}) if response.status_code == 200 else {}
 
     def parse_description(self) -> str:
         '''Get description from raw CVE information.
 
         Returns:
             str: CVE description
         '''
-        for d in self.raw_cve_info['cve']['description']['description_data'] or []:
+        for d in self.raw_cve_info.get("descriptions", []) or []:
             if d.get('lang') == 'en':
                 return d.get('value')
         return ''
@@ -74,15 +73,12 @@ def parse_cwe(self) -> str:
         Returns:
             str: CWE code
         '''
-        for item in self.raw_cve_info['cve']['problemtype']['problemtype_data'] or []:
-            descriptions = item.get('description')
-            if descriptions:
-                for desc in descriptions:
-                    cwe = desc.get('value')
-                    if not cwe:
-                        continue
-                    if cwe.lower().startswith('cwe-'):
-                        return cwe
+        for item in self.raw_cve_info.get("weaknesses", []) or []:
+            if item.get("type") != "Primary":
+                continue
+            for desc in item.get("description") or []:
+                if desc.get('value', '').lower().startswith('cwe-'):
+                    return desc.get('value')
         return ''
 
     def parse_severity(self) -> str:
@@ -92,12 +88,30 @@ def parse_severity(self) -> str:
             Optional[str]: Severity value
         '''
         score = 5                                                               # Score by default: MEDIUM
-        if 'baseMetricV3' in self.raw_cve_info['impact']:
-            # Get CVSS version 3 if exists
-            score = self.raw_cve_info['impact']['baseMetricV3']['cvssV3']['baseScore']
-        elif 'baseMetricV2' in self.raw_cve_info['impact']:
-            # Get CVSS version 2 if version 3 not found
-            score = self.raw_cve_info['impact']['baseMetricV2']['cvssV2']['baseScore']
+        score_assigned = False
+        cvss_metrics = self.raw_cve_info.get("metrics", {}) or {}
+        for field in [
+            "cvssMetricV31",
+            "cvssMetricV30",
+            "cvssMetricV3",
+            "cvssMetricV2",
+        ]:
+            for cvss in cvss_metrics.get(field) or sum(
+                [
+                    list(items)
+                    for key, items in cvss_metrics.items()
+                    if key.lower().startswith(field)
+                ],
+                []
+            ):
+                if cvss.get("type") == "Primary":
+                    base_score = cvss.get("cvssData", {}).get("baseScore")
+                    if base_score:
+                        score = base_score
+                        score_assigned = True
+                        break
+            if score_assigned:
+                break
         for severity in CVSS_RANGES.keys():
             down, up = CVSS_RANGES[severity]
             # Search severity value based on CVSS ranges

rekono/frontend/package.json

@@ -1,6 +1,6 @@
 {
   "name": "rekono",
-  "version": "1.6.4",
+  "version": "1.6.5",
   "description": "Automation platform that combines different hacking tools to complete pentesting processes",
   "author": "Pablo Santiago López <rekono.project@gmail.com>",
   "homepage": "https://github.com/pablosnt/rekono",
@@ -16,7 +16,7 @@
   },
   "main": "background.js",
   "dependencies": {
-    "axios": "^0.27.2",
+    "axios": "^0.28.0",
     "bootstrap": "^4.5.3",
     "bootstrap-vue": "^2.21.2",
     "chart.js": "^2.9.4",

rekono/rekono/settings.py

@@ -24,23 +24,37 @@
 from tools.enums import IntensityRank
 
 from rekono.config import RekonoConfigLoader
-from rekono.environment import (ENV_REKONO_HOME, RKN_ALLOWED_HOSTS,
-                                RKN_CMSEEK_RESULTS, RKN_DB_HOST, RKN_DB_NAME,
-                                RKN_DB_PASSWORD, RKN_DB_PORT, RKN_DB_USER,
-                                RKN_EMAIL_HOST, RKN_EMAIL_PASSWORD,
-                                RKN_EMAIL_PORT, RKN_EMAIL_USER,
-                                RKN_FRONTEND_URL, RKN_GITTOOLS_DIR,
-                                RKN_LOG4J_SCAN_DIR, RKN_ROOT_PATH, RKN_RQ_HOST,
-                                RKN_RQ_PORT, RKN_SECRET_KEY,
-                                RKN_SPRING4SHELL_SCAN_DIR, RKN_TRUSTED_PROXY)
+from rekono.environment import (
+    ENV_REKONO_HOME,
+    RKN_ALLOWED_HOSTS,
+    RKN_CMSEEK_RESULTS,
+    RKN_DB_HOST,
+    RKN_DB_NAME,
+    RKN_DB_PASSWORD,
+    RKN_DB_PORT,
+    RKN_DB_USER,
+    RKN_EMAIL_HOST,
+    RKN_EMAIL_PASSWORD,
+    RKN_EMAIL_PORT,
+    RKN_EMAIL_USER,
+    RKN_FRONTEND_URL,
+    RKN_GITTOOLS_DIR,
+    RKN_LOG4J_SCAN_DIR,
+    RKN_ROOT_PATH,
+    RKN_RQ_HOST,
+    RKN_RQ_PORT,
+    RKN_SECRET_KEY,
+    RKN_SPRING4SHELL_SCAN_DIR,
+    RKN_TRUSTED_PROXY,
+)
 
 ################################################################################
 # Rekono basic information                                                     #
 ################################################################################
 
 # Rekono description
 DESCRIPTION = 'Automation platform that combines different hacking tools to complete pentesting processes'
-VERSION = '1.6.4'                                                               # Rekono version
+VERSION = '1.6.5'                                                               # Rekono version
 TESTING = 'test' in sys.argv                                                    # Tests execution
 
 ################################################################################