cve_lookup: cvss v4 test fixes

fkie-cad · Nov 27, 2024 · 24dbdcb · 24dbdcb
1 parent 24bdc3e
commit 24dbdcb
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 39 deletions.
diff --git a/src/plugins/analysis/cve_lookup/internal/data_parsing.py b/src/plugins/analysis/cve_lookup/internal/data_parsing.py
@@ -49,10 +49,9 @@ def extract_cve_impact(metrics: dict) -> dict[str, str]:
             # V30 / V31 / V40 -> V3.0 / V3.1 / V4.0
             key = f'{key[:2]}.{key[2:]}'
         for cvss_dict in cvss_data:
-            if cvss_dict['type'] == 'Primary':
-                impact.setdefault(key, cvss_dict['cvssData']['baseScore'])
-            elif key not in impact:
-                impact[key] = cvss_dict['cvssData']['baseScore']
+            score = str(cvss_dict['cvssData']['baseScore'])
+            if cvss_dict['type'] == 'Primary' or key not in impact:
+                impact[key] = score
     return impact
 
 

diff --git a/src/plugins/analysis/cve_lookup/test/test_busybox_cve_filter.py b/src/plugins/analysis/cve_lookup/test/test_busybox_cve_filter.py
@@ -11,8 +11,7 @@
             "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when "
             'processing a crafted awk pattern in the evaluate function'
         ),
-        cvss_v2_score='6.5',
-        cvss_v3_score='7.2',
+        cvss_score={'V2': '6.5', 'V3.0': '7.2'},
     ),
     'CVE-2021-42379': Cve(
         cve_id='CVE-2021-42379',
@@ -21,8 +20,7 @@
             "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when "
             ' processing a crafted awk pattern in the next_input_file function'
         ),
-        cvss_v2_score='6.5',
-        cvss_v3_score='7.2',
+        cvss_score={'V2': '6.5', 'V3.0': '7.2'},
     ),
     'CVE-2021-42381': Cve(
         cve_id='CVE-2021-42381',
@@ -31,8 +29,7 @@
             "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when "
             'processing a crafted awk pattern in the hash_init function'
         ),
-        cvss_v2_score='6.5',
-        cvss_v3_score='7.2',
+        cvss_score={'V2': '6.5', 'V3.0': '7.2'},
     ),
     'CVE-2021-28831': Cve(
         cve_id='CVE-2021-28831',
@@ -41,8 +38,7 @@
             'decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, '
             'with a resultant invalid free or segmentation fault, via malformed gzip data.'
         ),
-        cvss_v2_score='5.0',
-        cvss_v3_score='7.5',
+        cvss_score={'V2': '5.0', 'V3.0': '7.5'},
     ),
     'CVE-2021-42386': Cve(
         cve_id='CVE-2021-42386',
@@ -51,8 +47,7 @@
             "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when "
             'processing a crafted awk pattern in the nvalloc function'
         ),
-        cvss_v2_score='6.5',
-        cvss_v3_score='7.2',
+        cvss_score={'V2': '6.5', 'V3.0': '7.2'},
     ),
     'CVE-2021-42380': Cve(
         cve_id='CVE-2021-42380',
@@ -61,8 +56,7 @@
             "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when "
             'processing a crafted awk pattern in the clrvar function'
         ),
-        cvss_v2_score='6.5',
-        cvss_v3_score='7.2',
+        cvss_score={'V2': '6.5', 'V3.0': '7.2'},
     ),
     'CVE-2021-42376': Cve(
         cve_id='CVE-2021-42376',
@@ -72,8 +66,7 @@
             'crafted shell command, due to missing validation after a \\x03 delimiter character. This may be used '
             'for DoS under very rare conditions of filtered command input.'
         ),
-        cvss_v2_score='1.9',
-        cvss_v3_score='5.5',
+        cvss_score={'V2': '1.9', 'V3.0': '5.5'},
     ),
     'CVE-2022-28391': Cve(
         cve_id='CVE-2022-28391',
@@ -83,8 +76,7 @@
             "DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change "
             "the terminal's colors."
         ),
-        cvss_v2_score='6.8',
-        cvss_v3_score='8.8',
+        cvss_score={'V2': '6.8', 'V3.0': '8.8'},
     ),
     'CVE-2021-42384': Cve(
         cve_id='CVE-2021-42384',
@@ -93,8 +85,7 @@
             "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when "
             'processing a crafted awk pattern in the handle_special function'
         ),
-        cvss_v2_score='6.5',
-        cvss_v3_score='7.2',
+        cvss_score={'V2': '6.5', 'V3.0': '7.2'},
     ),
     'CVE-2021-42374': Cve(
         cve_id='CVE-2021-42374',
@@ -104,8 +95,7 @@
             'when crafted LZMA-compressed input is decompressed. This can be triggered by any '
             'applet/format that'
         ),
-        cvss_v2_score='3.3',
-        cvss_v3_score='5.3',
+        cvss_score={'V2': '3.3', 'V3.0': '5.3'},
     ),
     'CVE-2021-42378': Cve(
         cve_id='CVE-2021-42378',
@@ -114,8 +104,7 @@
             "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when "
             'processing a crafted awk pattern in the getvar_i function'
         ),
-        cvss_v2_score='6.5',
-        cvss_v3_score='7.2',
+        cvss_score={'V2': '6.5', 'V3.0': '7.2'},
     ),
     'CVE-2021-42382': Cve(
         cve_id='CVE-2021-42382',
@@ -124,8 +113,7 @@
             "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when "
             'processing a crafted awk pattern in the getvar_s function'
         ),
-        cvss_v2_score='6.5',
-        cvss_v3_score='7.2',
+        cvss_score={'V2': '6.5', 'V3.0': '7.2'},
     ),
     'CVE-2022-30065': Cve(
         cve_id='CVE-2022-30065',
@@ -134,8 +122,7 @@
             "A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution "
             'when processing a crafted awk pattern in the copyvar function.'
         ),
-        cvss_v2_score='6.8',
-        cvss_v3_score='7.8',
+        cvss_score={'V2': '6.8', 'V3.0': '7.8'},
     ),
 }
 

diff --git a/src/plugins/analysis/cve_lookup/test/test_cve_lookup.py b/src/plugins/analysis/cve_lookup/test/test_cve_lookup.py
@@ -82,7 +82,7 @@ def test_process_object(self, analysis_plugin):
     @pytest.mark.parametrize(('cve_score', 'should_be_tagged'), [('9.9', True), ('5.5', False)])
     def test_add_tags(self, analysis_plugin, cve_score, should_be_tagged):
         TEST_FW.processed_analysis['cve_lookup'] = {}
-        cve_results = {'component': {'cve_id': {'score2': cve_score, 'score3': 'N/A'}}}
+        cve_results = {'component': {'cve_id': {'scores': {'V2': cve_score, 'V3.1': 'N/A'}}}}
         analysis_plugin.add_tags(cve_results, TEST_FW)
         if should_be_tagged:
             assert 'tags' in TEST_FW.processed_analysis['cve_lookup']
@@ -96,13 +96,13 @@ def test_add_tags(self, analysis_plugin, cve_score, should_be_tagged):
         ('cve_results_dict', 'expected_output'),
         [
             ({}, []),
-            ({'component': {'cve_id': {'score2': '6.4', 'score3': 'N/A'}}}, ['component']),
-            ({'component': {'cve_id': {'score2': '9.4', 'score3': 'N/A'}}}, ['component (CRITICAL)']),
+            ({'component': {'cve_id': {'scores': {'V2': '6.4', 'V3.1': 'N/A'}}}}, ['component']),
+            ({'component': {'cve_id': {'scores': {'V2': '9.4', 'V3.1': 'N/A'}}}}, ['component (CRITICAL)']),
             (
                 {
                     'component': {
-                        'cve_id': {'score2': '1.1', 'score3': '9.9'},
-                        'cve_id2': {'score2': '1.1', 'score3': '0.0'},
+                        'cve_id': {'scores': {'V2': '1.1', 'V3.1': '9.9'}},
+                        'cve_id2': {'scores': {'V2': '1.1', 'V3.1': '0.0'}},
                     }
                 },
                 ['component (CRITICAL)'],

diff --git a/src/plugins/analysis/cve_lookup/test/test_data_parsing.py b/src/plugins/analysis/cve_lookup/test/test_data_parsing.py
@@ -10,7 +10,7 @@
 CVE_ENTRY = CveEntry(
     cve_id='CVE-2012-0010',
     summary='Microsoft Internet Explorer 6 through 9 does not properly perform copy-and-paste operations, which allows user-assisted remote attackers to read content from a different (1) domain or (2) zone via a crafted web site, aka "Copy and Paste Information Disclosure Vulnerability."',  # noqa: E501
-    impact={'cvssMetricV2': 4.3},
+    impact={'V2': '4.3'},
     cpe_entries=[
         ('cpe:2.3:a:microsoft:internet_explorer:6:*:*:*:*:*:*:*', '', '', '', ''),
         ('cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*', '', '', '', ''),

diff --git a/src/plugins/analysis/cve_lookup/test/test_db_setup.py b/src/plugins/analysis/cve_lookup/test/test_db_setup.py
@@ -6,7 +6,7 @@
 CPE_ID = 'cpe:2.3:o:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other'
 CVE_ENTRY = CveEntry(
     cve_id='CVE-2023-1234',
-    impact={'cvssMetricV2': '5.0', 'cvssMetricV30': '6.0', 'cvssMetricV31': '7.0'},
+    impact={'V2': '5.0', 'V3.0': '6.0', 'V3.1': '7.0'},
     summary='This is a test CVE',
     cpe_entries=[
         (
@@ -35,8 +35,7 @@ def test_create_cve(self):
         assert cve.cve_id == 'CVE-2023-1234'
         assert cve.year == '2023'
         assert cve.summary == 'This is a test CVE'
-        assert cve.cvss_v2_score == '5.0'
-        assert cve.cvss_v3_score == '7.0'
+        assert cve.cvss_score == {'V2': '5.0', 'V3.0': '6.0', 'V3.1': '7.0'}
 
     def test_create_cpe(self):
         cpe_id = CPE_ID