From cebb93fd14dc67080e17c8dbb65755fe95648212 Mon Sep 17 00:00:00 2001 From: Jan-Oliver Wagner Date: Sun, 26 Jan 2020 20:20:29 +0100 Subject: [PATCH 1/7] Adjust parsing severities from OSP. This adapts to the new XML structure of the severities in OSP. It reads only a single severity at this point. --- src/manage_sql_nvts.c | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/src/manage_sql_nvts.c b/src/manage_sql_nvts.c index 26907729c..52998edc3 100644 --- a/src/manage_sql_nvts.c +++ b/src/manage_sql_nvts.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2009-2019 Greenbone Networks GmbH +/* Copyright (C) 2009-2020 Greenbone Networks GmbH * * SPDX-License-Identifier: AGPL-3.0-or-later * @@ -1339,14 +1339,23 @@ nvti_from_vt (entity_t vt) "cvss_base_v2") == 0)) { - gchar * cvss_base; + entity_t value; - nvti_add_tag (nvti, "cvss_base_vector", entity_text (severity)); + value = entity_child (severity, "value"); - cvss_base = g_strdup_printf ("%.1f", - get_cvss_score_from_base_metrics (entity_text (severity))); - nvti_set_cvss_base (nvti, cvss_base); - g_free (cvss_base); + if (!value) + g_warning ("%s: no severity value", __func__); + else + { + gchar * cvss_base; + + nvti_add_tag (nvti, "cvss_base_vector", entity_text (value)); + + cvss_base = g_strdup_printf ("%.1f", + get_cvss_score_from_base_metrics (entity_text (value))); + nvti_set_cvss_base (nvti, cvss_base); + g_free (cvss_base); + } } else g_warning ("%s: no severity", __func__); From fa6d1ade3c40d1837d1af0e293358faa29c82162 Mon Sep 17 00:00:00 2001 From: Jan-Oliver Wagner Date: Sun, 26 Jan 2020 20:56:09 +0100 Subject: [PATCH 2/7] Create vt_severities table. --- src/manage_pg.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/manage_pg.c b/src/manage_pg.c index 02c35b449..081417b77 100644 --- a/src/manage_pg.c +++ b/src/manage_pg.c 
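Review bot: In the `nvti_from_vt` hunk of PATCH 1/7 (`@@ -1339,14 +1339,23 @@`), the result of `get_cvss_score_from_base_metrics (entity_text (value))` is formatted straight into `cvss_base` without a check, so a `value` element that is empty or not a well-formed base vector still produces a stored score. If the helper reports a parse failure with a negative return (I believe it does, but that is not visible here), the NVT ends up with a `cvss_base` of `-1.0`. A guard such as `if (score < 0) g_warning ("%s: invalid severity value", __func__);` before `nvti_set_cvss_base` would keep malformed feed data out. The same unchecked call is carried into the loop added by PATCH 4/7 (`@@ -1294,6 +1310,66 @@`), where it also feeds the `score` column. The enclosing function starts and ends outside the hunk.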
@@ -2499,6 +2499,15 @@ create_tables () " ref_id text NOT NULL," " ref_text text);"); + sql ("CREATE TABLE IF NOT EXISTS vt_severities" + " (id SERIAL PRIMARY KEY," + " vt_oid text NOT NULL," + " type text NOT NULL," + " origin text," + " date integer," + " score integer," + " value text);"); + sql ("CREATE TABLE IF NOT EXISTS nvt_preferences" " (id SERIAL PRIMARY KEY," " name text UNIQUE NOT NULL," From fc6509ec21fb3f6374d90807c8a7b20c768dbbdf Mon Sep 17 00:00:00 2001 From: Jan-Oliver Wagner Date: Sun, 26 Jan 2020 21:03:09 +0100 Subject: [PATCH 3/7] Fill the vt_severities table. --- src/manage_sql_nvts.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/manage_sql_nvts.c b/src/manage_sql_nvts.c index 52998edc3..7c5c730b0 100644 --- a/src/manage_sql_nvts.c +++ b/src/manage_sql_nvts.c @@ -341,6 +341,13 @@ insert_nvt (const nvti_t *nvti) g_free (quoted_text); } + sql ("DELETE FROM vt_severities where vt_oid = '%s';", nvti_oid (nvti)); + + sql ("INSERT into vt_severities (vt_oid, type, origin, date, score, value)" + " VALUES ('%s', '%s', '%s', '%i', '%i', '%s');", + nvti_oid (nvti), "cvss_base_v2", "", nvti_creation_time (nvti), + (int)(atof (nvti_cvss_base (nvti)) * 10), quoted_cvss_base); + g_free (quoted_name); g_free (quoted_summary); g_free (quoted_insight); From 7d756737b9b540bb2305a10513a6dcb817745fa8 Mon Sep 17 00:00:00 2001 From: Jan-Oliver Wagner Date: Sun, 16 Feb 2020 23:30:11 +0100 Subject: [PATCH 4/7] Read multiple VT severities via OSP. Also add these to the vt_severities table. --- src/manage_sql_nvts.c | 122 ++++++++++++++++++++++++++++-------------- 1 file changed, 81 insertions(+), 41 deletions(-) diff --git a/src/manage_sql_nvts.c b/src/manage_sql_nvts.c index 7c5c730b0..850b02f4c 100644 --- a/src/manage_sql_nvts.c +++ b/src/manage_sql_nvts.c 
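Review bot: The `vt_severities` definition in the `create_tables` hunk (`@@ -2499,6 +2499,15 @@`) does not say what `score` and `date` hold, and the units are not obvious from the column types. PATCH 3/7 fills `score` with `(int)(atof (nvti_cvss_base (nvti)) * 10)` and `date` with `nvti_creation_time (nvti)`. A comment above the statement, such as `/* score is the CVSS base score times 10; date is the VT timestamp taken from the nvti. */`, would spare readers from working that out from the writer. `create_tables` continues outside the hunk.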
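Review bot: In the `insert_nvt` hunk of PATCH 3/7 (`@@ -341,6 +341,13 @@`), `nvti_oid (nvti)` is placed inside `'%s'` in both the DELETE and the INSERT without escaping, unlike the `quoted_*` values around it. Whether the OID is validated before it reaches this function is not visible here. If it is not, `gchar *quoted_oid = sql_quote (nvti_oid (nvti));` used in both statements and freed afterwards keeps feed-supplied text from changing the statement. Separately, `atof (nvti_cvss_base (nvti))` is undefined when no base score was set, which the "no severity value" path of PATCH 1/7 appears to allow. The unescaped OID is carried unchanged into the hunks at `@@ -343,10 +343,26 @@` and `@@ -355,7 +355,7 @@`.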
@@ -343,10 +343,26 @@ insert_nvt (const nvti_t *nvti) sql ("DELETE FROM vt_severities where vt_oid = '%s';", nvti_oid (nvti)); - sql ("INSERT into vt_severities (vt_oid, type, origin, date, score, value)" - " VALUES ('%s', '%s', '%s', '%i', '%i', '%s');", - nvti_oid (nvti), "cvss_base_v2", "", nvti_creation_time (nvti), - (int)(atof (nvti_cvss_base (nvti)) * 10), quoted_cvss_base); + for (i = 0; i < nvti_vtseverities_len (nvti); i++) + { + vtseverity_t *severity; + gchar *quoted_origin, *quoted_value; + + severity = nvti_vtseverity (nvti, i); + quoted_origin = sql_quote (vtseverity_origin (severity) ? + vtseverity_origin (severity) : ""); + quoted_value = sql_quote (vtseverity_value (severity) ? + vtseverity_value (severity) : ""); + + sql ("INSERT into vt_severities (vt_oid, type, origin, date, score, value)" + " VALUES ('%s', '%s', '%s', '%i', '%i', '%s');", + nvti_oid (nvti), vtseverity_type (severity), + quoted_origin, vtseverity_date (severity), + vtseverity_score (severity), quoted_value); + + g_free (quoted_origin); + g_free (quoted_value); + } g_free (quoted_name); g_free (quoted_summary); @@ -1214,7 +1230,7 @@ nvti_from_vt (entity_t vt) entity_t name, summary, insight, affected, impact, detection, solution; entity_t creation_time, modification_time; entity_t refs, ref, custom, family, category; - entity_t severities; + entity_t severities, severity; entities_t children; 
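Review bot: `vtseverity_type (severity)` is interpolated into `'%s'` unescaped in the INSERT of the `insert_nvt` hunk (`@@ -343,10 +343,26 @@`), while `origin` and `value` on the same row go through `sql_quote`. The type comes from the `type` attribute of the OSP `severity` element (see the `nvti_from_vt` hunk at `@@ -1294,6 +1310,66 @@`), so it is scanner- or feed-supplied text and should be escaped the same way. I would add `quoted_type = sql_quote (vtseverity_type (severity));`, pass `quoted_type` to `sql`, then call `g_free (quoted_type);`. The same unescaped argument is still present in the context lines of PATCH 7/7 (`@@ -355,7 +355,7 @@`). `insert_nvt` starts and ends outside the hunk.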
@@ -1294,6 +1310,66 @@ nvti_from_vt (entity_t vt) nvti_set_solution_method (nvti, method); } + severities = entity_child (vt, "severities"); + if (severities == NULL) + { + g_warning ("%s: VT missing SEVERITIES", __func__); + nvti_free (nvti); + return NULL; + } + + children = severities->entities; + while ((severity = first_entity (children))) + { + const gchar *severity_type; + + severity_type = entity_attribute (severity, "type"); + + if (severity_type == NULL) + { + GString *debug = g_string_new (""); + g_warning ("%s: SEVERITY missing type attribute", __func__); + print_entity_to_string (severity, debug); + g_warning ("%s: severity: %s", __func__, debug->str); + g_string_free (debug, TRUE); + } + else + { + entity_t value; + + value = entity_child (severity, "value"); + + if (!value) + { + GString *debug = g_string_new (""); + g_warning ("%s: SEVERITY missing value element", __func__); + print_entity_to_string (severity, debug); + g_warning ("%s: severity: %s", __func__, debug->str); + g_string_free (debug, TRUE); + } + else + { + gchar * cvss_base; + + nvti_add_vtseverity (nvti, + vtseverity_new (severity_type, + NULL /* origin */, + nvti_modification_time (nvti), + get_cvss_score_from_base_metrics (entity_text (value)) * 10, + entity_text (value))); + + nvti_add_tag (nvti, "cvss_base_vector", entity_text (value)); + + cvss_base = g_strdup_printf ("%.1f", + get_cvss_score_from_base_metrics (entity_text (value))); + nvti_set_cvss_base (nvti, cvss_base); + g_free (cvss_base); + } + } + + children = next_entities (children); + } + refs = entity_child (vt, "refs"); if (refs) { 
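Review bot: The loop added in the `nvti_from_vt` hunk sets `cvss_base` and adds a `cvss_base_vector` tag for every `severity` child regardless of its `type`, whereas the code it replaces (removed in `@@ -1334,42 +1410,6 @@`) did so only for `cvss_base_v2`. With more than one severity the last one silently wins and the NVT accumulates several `cvss_base_vector` tags. A vector of another type is also handed to `get_cvss_score_from_base_metrics`, whose handling of such input is not visible here. I would compute the score once, keep every severity in the list, and restrict the legacy `cvss_base` fields to the `cvss_base_v2` entry, as sketched below. The function starts and ends outside the hunk.

```c
          /* … unchanged: missing-type and missing-value warnings … */
          else
            {
              const gchar *vector = entity_text (value);
              double score = get_cvss_score_from_base_metrics (vector);

              nvti_add_vtseverity (nvti,
                vtseverity_new (severity_type,
                                NULL /* origin */,
                                nvti_modification_time (nvti),
                                score * 10,
                                vector));

              /* Only the v2 base vector feeds the legacy single-score fields. */
              if (strcmp (severity_type, "cvss_base_v2") == 0)
                {
                  gchar *cvss_base = g_strdup_printf ("%.1f", score);

                  nvti_add_tag (nvti, "cvss_base_vector", vector);
                  nvti_set_cvss_base (nvti, cvss_base);
                  g_free (cvss_base);
                }
            }
```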
@@ -1334,42 +1410,6 @@ nvti_from_vt (entity_t vt) } } - severities = entity_child (vt, "severities"); - if (severities) - { - entity_t severity; - - severity = entity_child (severities, "severity"); - if (severity - && entity_attribute (severity, "type") - && (strcmp (entity_attribute (severity, "type"), - "cvss_base_v2") - == 0)) - { - entity_t value; - - value = entity_child (severity, "value"); - - if (!value) - g_warning ("%s: no severity value", __func__); - else - { - gchar * cvss_base; - - nvti_add_tag (nvti, "cvss_base_vector", entity_text (value)); - - cvss_base = g_strdup_printf ("%.1f", - get_cvss_score_from_base_metrics (entity_text (value))); - nvti_set_cvss_base (nvti, cvss_base); - g_free (cvss_base); - } - } - else - g_warning ("%s: no severity", __func__); - } - else - g_warning ("%s: no severities", __func__); - custom = entity_child (vt, "custom"); if (custom == NULL) { From f28c45ccb8ba7b9fa073332a4bcaa1fb0b607088 Mon Sep 17 00:00:00 2001 From: Jan-Oliver Wagner Date: Sun, 23 Feb 2020 19:56:17 +0100 Subject: [PATCH 5/7] Remove unused macro CVSS_BASE_SQL. --- src/manage_sql.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/src/manage_sql.c b/src/manage_sql.c index 5c32a91b5..a35402793 100644 --- a/src/manage_sql.c +++ b/src/manage_sql.c @@ -21277,12 +21277,6 @@ where_qod (int min_qod) return qod_sql; } -/** - * @brief SQL for retrieving CVSS base. - */ -#define CVSS_BASE_SQL \ - "(SELECT cvss_base FROM nvts WHERE nvts.oid = results.nvt)" - /** * @brief Filter columns for result iterator. */ From 7e8665c9fc5c1dd3b20cadf810e051ae5010292e Mon Sep 17 00:00:00 2001 From: Matt Mundell Date: Tue, 13 Oct 2020 16:55:19 +0200 Subject: [PATCH 6/7] Add index vt_severities_by_vt_oid --- src/manage_pg.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/manage_pg.c b/src/manage_pg.c index 081417b77..0c64d5bbc 100644 --- a/src/manage_pg.c +++ b/src/manage_pg.c 
@@ -2828,6 +2828,8 @@ create_tables () sql ("SELECT create_index ('vt_refs_by_vt_oid'," " 'vt_refs', 'vt_oid');"); + sql ("SELECT create_index ('vt_severities_by_vt_oid'," + " 'vt_severities', 'vt_oid');"); #if 0 /* TODO The value column can be bigger than 8191, the maximum size that From e72a2b1369010e01776ce2fea309c195ff130e9e Mon Sep 17 00:00:00 2001 From: Matt Mundell Date: Tue, 13 Oct 2020 17:11:23 +0200 Subject: [PATCH 7/7] Remove quotes from integer columns --- src/manage_sql_nvts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/manage_sql_nvts.c b/src/manage_sql_nvts.c index 850b02f4c..a541d77f4 100644 --- a/src/manage_sql_nvts.c +++ b/src/manage_sql_nvts.c @@ -355,7 +355,7 @@ insert_nvt (const nvti_t *nvti) vtseverity_value (severity) : ""); sql ("INSERT into vt_severities (vt_oid, type, origin, date, score, value)" - " VALUES ('%s', '%s', '%s', '%i', '%i', '%s');", + " VALUES ('%s', '%s', '%s', %i, %i, '%s');", nvti_oid (nvti), vtseverity_type (severity), quoted_origin, vtseverity_date (severity), vtseverity_score (severity), quoted_value);