Add: The table scap.affected_products is filled for the new JSON feed. #2311

Draft
wants to merge 1 commit into
base: main
5 changes: 3 additions & 2 deletions src/manage_pg.c
Expand Up @@ -3513,7 +3513,7 @@
" creation_time integer,"
" modification_time integer,"
" cvss_vector text,"
" products text,"
" products text DEFAULT '',"
" severity DOUBLE PRECISION DEFAULT 0);");

sql ("CREATE TABLE scap2.cpes"
Expand Down Expand Up @@ -3650,11 +3650,12 @@
" ON scap2.cpes (severity);");
sql ("CREATE INDEX cpes_by_uuid"
" ON scap2.cpes (uuid);");

sql ("CREATE INDEX afp_cpe_idx"
" ON scap2.affected_products (cpe);");
sql ("CREATE INDEX afp_cve_idx"
" ON scap2.affected_products (cve);");
sql ("CREATE INDEX cpe_by_pattern_name ON scap2.cpes"

" USING btree(name text_pattern_ops);");

sql ("CREATE INDEX epss_scores_by_cve"
" ON scap2.epss_scores (cve);");
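Review bot: The INSERT built in manage_sql_secinfo.c ends with `ON CONFLICT (cve, cpe) DO NOTHING`, which PostgreSQL accepts only when scap2.affected_products has a unique index or constraint covering exactly (cve, cpe); the indexes added in the second hunk here, afp_cpe_idx and afp_cve_idx, are non-unique and single-column, so neither can serve as the conflict arbiter. Unless the CREATE TABLE scap2.affected_products statement, which lies outside this hunk, already declares `UNIQUE (cve, cpe)` or a matching primary key, the first chunk flushed by inserts_run fails with "there is no unique or exclusion constraint matching the ON CONFLICT specification" and the whole SCAP sync is rolled back. If the table has no such constraint, add `sql ("CREATE UNIQUE INDEX afp_cve_cpe_idx" " ON scap2.affected_products (cve, cpe);");` next to the two new index statements, which also gives the DO NOTHING clause something to de-duplicate on when the feed repeats a CPE for one CVE.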
245 changes: 232 additions & 13 deletions src/manage_sql_secinfo.c
Expand Up @@ -51,6 +51,7 @@
#include <cjson/cJSON.h>
#include <gvm/base/gvm_sentry.h>
#include <bsd/unistd.h>
#include <gvm/util/compressutils.h>
#include <gvm/util/fileutils.h>
#include <gvm/util/jsonpull.h>
#include <gvm/util/xmlutils.h>
Expand Down Expand Up @@ -79,6 +80,11 @@
*/
#define EPSS_MAX_CHUNK_SIZE 10000

/**
* @brief Maximum number of rows in a affected products INSERT.
*/
#define CVE_AFFECTED_PRODUCTS_MAX_CHUNK_SIZE 10000


/* Headers. */

Expand Down Expand Up @@ -2788,6 +2794,7 @@
version_start_excl,
version_end_incl,
version_end_excl);

g_free (quoted_cpe);
}
}
Expand All @@ -2798,12 +2805,12 @@
*
* @param[in] parent_id The parent_id of the nodes to insert
* (0 for the root node).
* @param[in] cveid The id of the CVE the tree belongs to.
* @param[in] cve_id The id of the CVE the tree belongs to.
* @param[in] nodes The JSON object that contains the rules for a
* specific tree level.
*/
static void
load_nodes (resource_t parent_id, resource_t cveid, cJSON *nodes)
load_nodes (resource_t parent_id, resource_t cve_id, cJSON *nodes)

{
cJSON *node;
resource_t id;
Expand All @@ -2824,12 +2831,12 @@
{
operator = cJSON_GetObjectItemCaseSensitive(node, "operator");
if (operator)
id = save_node (parent_id, cveid, operator->valuestring);
id = save_node (parent_id, cve_id, operator->valuestring);

cpe_match_rules = cJSON_GetObjectItemCaseSensitive(node, "cpe_match");
if (cpe_match_rules)
add_cpe_match_rules (id, cpe_match_rules);
child_nodes = cJSON_GetObjectItemCaseSensitive(node, "children");
load_nodes (id, cveid, child_nodes);
load_nodes (id, cve_id, child_nodes);

}
}

Expand Down Expand Up @@ -3007,6 +3014,7 @@
g_warning("%s: nodes missing for %s.", __func__, cve_id);
return -1;
}

load_nodes (0, cve_db_id, nodes_json);

return 0;
Expand Down Expand Up @@ -3327,6 +3335,216 @@
return 0;
}

/**
* @brief Adds an affected products entry to an SQL inserts buffer.
*
* @param[in] inserts The SQL inserts buffer to add to.
* @param[in] cve_id The CVE id of the affected products entry.
* @param[in] cpe The CPE of the affected products entry.
*
* @param[in, out] products The list of products that belong to the CVE.
*/
static void
insert_cve_affected_products_entry (inserts_t *inserts, result_t cve_id,

const char *cpe, GString *products)
{
gchar *quoted_cpe;
result_t cpe_id;
int first = inserts_check_size (inserts);


quoted_cpe = sql_quote (cpe);
cpe_id = sql_int64_0 ("SELECT id FROM scap2.cpes"

" WHERE uuid = '%s';",
cpe);
if (cpe_id <= 0)
return;


g_string_append_printf (inserts->statement,

"%s (%llu, %llu)",
first ? "" : ",",
cve_id,
cpe_id);
g_string_append_printf (products, "%s ",

quoted_cpe);
g_free (quoted_cpe);


inserts->current_chunk_size++;

}

/**
* @brief Checks a failure condition for validating EPSS JSON.
*/
#define EPSS_JSON_FAIL_IF(failure_condition, error_message) \
if (failure_condition) { \
g_warning ("%s: %s", __func__, error_message); \
goto fail_insert; \
}

/**
* @brief Updates the affected_products table in the SCAP database.
*
* @return 0 success, -1 error.
*/
static int
update_scap_cve_affected_products ()

{
gchar *current_json_path;
gchar *error_message = NULL;

FILE *cve_affected_products_file;
cJSON *cve_entry;
gvm_json_pull_event_t event;
gvm_json_pull_parser_t parser;
inserts_t inserts;

current_json_path = g_build_filename (GVM_SCAP_DATA_DIR,

"cve_affected_products.json.gz",
NULL);
cve_affected_products_file = gvm_gzip_open_file_reader (current_json_path);

if (cve_affected_products_file == NULL)
{
g_warning ("%s: Failed to open gzip file: %s",

__func__,
strerror (errno));
g_free (current_json_path);
return -1;

}

g_info ("Updating CVE affected products from %s", current_json_path);
g_free (current_json_path);


gvm_json_pull_event_init (&event);
gvm_json_pull_parser_init (&parser, cve_affected_products_file);


gvm_json_pull_parser_next (&parser, &event);


if (event.type == GVM_JSON_PULL_EVENT_OBJECT_START)
{
gboolean cve_affected_products_found = FALSE;

while (!cve_affected_products_found)
{
gvm_json_pull_parser_next (&parser, &event);
gvm_json_path_elem_t *path_tail = g_queue_peek_tail (event.path);

if (event.type == GVM_JSON_PULL_EVENT_OBJECT_START
&& path_tail && strcmp (path_tail->key, "cve_affected_products") == 0)

{
cve_affected_products_found = TRUE;

}
else if (event.type == GVM_JSON_PULL_EVENT_ERROR)

{
g_warning ("%s: Parser error: %s", __func__, event.error_message);
gvm_json_pull_event_cleanup (&event);
gvm_json_pull_parser_cleanup (&parser);
fclose (cve_affected_products_file);
return -1;

}
else if (event.type == GVM_JSON_PULL_EVENT_OBJECT_END
&& g_queue_is_empty (event.path))

{
g_warning ("%s: Unexpected json object end. Missing CVE affected products field", __func__);
gvm_json_pull_event_cleanup (&event);
gvm_json_pull_parser_cleanup (&parser);
fclose (cve_affected_products_file);
return -1;

}
}

sql_begin_immediate ();
inserts_init (&inserts,

CVE_AFFECTED_PRODUCTS_MAX_CHUNK_SIZE,
setting_secinfo_sql_buffer_threshold_bytes (),
"INSERT INTO scap2.affected_products"
" (cve, cpe)"
" VALUES ",
" ON CONFLICT (cve, cpe) DO NOTHING");

gvm_json_pull_parser_next (&parser, &event);

while (event.type == GVM_JSON_PULL_EVENT_ARRAY_START)
{
gchar * quoted_cve;
result_t cve_id;

cve_entry = gvm_json_pull_expand_container (&parser, &error_message);


if (error_message)
{
g_warning ("%s: Error expanding CVE item: %s", __func__, error_message);
g_free (error_message);
goto fail_insert;

}

gvm_json_path_elem_t *tail = g_queue_peek_tail (event.path);

if (tail->key == NULL)
{
g_warning ("%s: Error in array key of CVE item.", __func__);
goto fail_insert;

}

quoted_cve = sql_quote (tail->key);
cve_id = sql_int64_0 ("SELECT id FROM scap2.cves"

" WHERE uuid = '%s';",
quoted_cve);
if (cve_id <= 0)
{
g_free (quoted_cve);
gvm_json_pull_parser_next (&parser, &event);
cJSON_Delete (cve_entry);
continue;

}

GString *products = g_string_new ("");

cJSON *affected_cpe;
cJSON_ArrayForEach(affected_cpe, cve_entry)

{
char *cpe = affected_cpe->valuestring;

if (cpe != NULL)
insert_cve_affected_products_entry (&inserts,

cve_id,
cpe,
products);
}
sql ("UPDATE scap2.cves SET products = '%s' where id = %llu;",

products->str, cve_id);
g_free (quoted_cve);
g_string_free (products, TRUE);


gvm_json_pull_parser_next (&parser, &event);
cJSON_Delete (cve_entry);

}
}
else if (event.type == GVM_JSON_PULL_EVENT_ERROR)

{
g_warning ("%s: Parser error: %s", __func__, event.error_message);
gvm_json_pull_event_cleanup (&event);
gvm_json_pull_parser_cleanup (&parser);
fclose (cve_affected_products_file);
return -1;

}
else
{
g_warning ("%s: CVE affected products file is not a JSON object.", __func__);
gvm_json_pull_event_cleanup (&event);
gvm_json_pull_parser_cleanup (&parser);
fclose (cve_affected_products_file);
return -1;

}

inserts_run (&inserts, TRUE);
sql_commit ();
gvm_json_pull_event_cleanup (&event);
gvm_json_pull_parser_cleanup (&parser);
fclose (cve_affected_products_file);
return 0;


fail_insert:
inserts_free (&inserts);
sql_rollback ();
cJSON_Delete (cve_entry);
gvm_json_pull_event_cleanup (&event);
gvm_json_pull_parser_cleanup (&parser);
fclose (cve_affected_products_file);
return -1;

}

/**
* @brief Adds a EPSS score entry to an SQL inserts buffer.
*
Expand Down Expand Up @@ -3354,15 +3572,6 @@
inserts->current_chunk_size++;
}

/**
* @brief Checks a failure condition for validating EPSS JSON.
*/
#define EPSS_JSON_FAIL_IF(failure_condition, error_message) \
if (failure_condition) { \
g_warning ("%s: %s", __func__, error_message); \
goto fail_insert; \
}

/**
* @brief Updates the base EPSS scores table in the SCAP database.
*
Expand Down Expand Up @@ -4123,6 +4332,7 @@
/**
* @brief Update SCAP Max CVSS.
*/
// static void
static void
update_scap_cvss ()
{
Expand Down Expand Up @@ -4530,6 +4740,15 @@
return -1;
}

g_debug ("%s: update cve affected products", __func__);
setproctitle ("Syncing SCAP: Updating CVE affected products");


if (update_scap_cve_affected_products () == -1)
{
abort_scap_update ();
return -1;

}

g_debug ("%s: updating user defined data", __func__);

g_debug ("%s: update epss", __func__);
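Review bot: In insert_cve_affected_products_entry (hunk at 3335) the lookup `SELECT id FROM scap2.cpes WHERE uuid = '%s'` is formatted with the raw `cpe` string although `quoted_cpe` was computed on the line just before, so a feed CPE containing a single quote breaks the statement while the escaped copy is only ever used for the products column; the early `return` on `cpe_id <= 0` in the same function also leaves `quoted_cpe` unfreed. The fix is to pass `quoted_cpe` instead of `cpe` to sql_int64_0 and to add `g_free (quoted_cpe);` before that `return;`. Two smaller points in the same file: the new code declares the row ids as `result_t cve_id` and `result_t cpe_id` whereas load_nodes in the earlier hunk types the same ids as `resource_t`, so the types should match if those are distinct typedefs, and the `// static void` line added above update_scap_cvss is commented-out code that should be dropped.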