Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add tool for creating CVE JSON messages #9

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
107 changes: 107 additions & 0 deletions tools/jsonCveGenerator.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,107 @@
#! /usr/bin/python3

from __future__ import absolute_import, division, print_function
import json

class References:
def __init__( self, references ):
assert type( references ) == type( list() ), "references is a list"
assert len( references ) > 0, "references cannot be empty"
assert len( references ) <= 500, "too many referenes"
for elem in references:
assert type( elem ) == type( str() ), "Every elem in references must be a string"
self.references = references

def cveMap( self ):
cveObj = { "reference_data": [], }
for elem in self.references:
cveObj[ "reference_data" ].append( { "url": elem, } )
return cveObj

class ProblemDescription:
def __init__( self, description ):
assert description != "", "description must be set"
self.description = description

def cveMap( self ):
cveObj = { "description_data": [
{ "lang": "eng", "value": self.description, }
], }
return cveObj

class ProblemSummary:
def __init__( self, summary ):
assert summary != "", "Summary must be set"
self.summary = summary

def cveMap( self ):
cveObj = { "problemtype_data": [
{ "description": [
{ "lang": "eng", "value": self.summary, }
], } ], }
return cveObj

class AffectedProduct:
def __init__( self, vendor, productName, affectedVersions ):
assert vendor != "", "Vendor must be set"
self.vendor = vendor
assert productName != "", "productName must be set"
self.productName = productName
assert type( affectedVersions ) == type( list() ), "affectedVersions is a list of versions"
assert len( affectedVersions ) > 0, "affectedVersions cannot be empty"
for elem in affectedVersions:
assert type( elem ) == type( str() ), "Every elem in affectedVersions must be a string"
self.affectedVersions = affectedVersions

def cveMap( self ):
outputMap = {
"vendor_name": self.vendor,
"product": { "product_data": [ { "product_name": self.productName,
"version": { "version_data": [], }
},
], },
}
for elem in self.affectedVersions:
outputMap[ "product" ][ "product_data" ][ 0 ][
"version" ][ "version_data" ].append( { "version_value": elem } )
return outputMap

class CveMeta:
def __init__( self, assigner, cveId ):
self.assigner = assigner
assert cveId != "", "CVE-ID must be set"
self.cveId = cveId

def cveMap( self ):
outputMap = {}
if self.assigner:
outputMap[ "ASSIGNER" ] = self.assigner
outputMap[ "ID" ] = self.cveId
return outputMap

def generateCve( cveMeta, affectedProduct, summary, references, description ):
# TODO: While the spec currently allows for lists of items such as affected products,
# summaries, and descriptions, this tool does not presently support those
cveObj = { "data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
}
cveObj[ "CVE_data_meta" ] = cveMeta.cveMap()
cveObj[ "affects" ] = { "vendor": { "vendor_data": [ affectedProduct.cveMap() ] } }
cveObj[ "problemtype" ] = summary.cveMap()
cveObj[ "references" ] = references.cveMap()
cveObj[ "description" ] = description.cveMap()
return cveObj

if __name__ == "__main__":
print ( "Sample output ----" )
cveMeta = CveMeta( assigner="[email protected]", cveId="CVE-2017-1194" )
affectedProd = AffectedProduct( vendor="IBM",
productName="WebSphere Application Server",
affectedVersions=[ "7.0, 8.0, 8.5, 9.0" ] )
summary = ProblemSummary( summary="Cross-site request forgery" )
refs = References( references=[ "http://www.ibm.com/support/docview.wss?uid=swg22001226", ] )
description = ProblemDescription( description="IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 123669." )
jsonObj = generateCve( cveMeta, affectedProd, summary, refs, description )
jsonPretty = json.dumps( jsonObj, indent=4, sort_keys=True )
print( jsonPretty )