Add: nasl-cli notus update subcommand

Load up Notus Advisories into redis. It performs the signature check, the hashsum check and the upload. Signature check is optional. It must be enabled with the command line option but also the environment variable to the gnupg keyring must be set. Usage: `GPGHOME=/path/to/.gnupg nasl-cli notus update --path <path-to-the-advisories> --signature-check`
greenbone · Jan 17, 2024 · 7cb3e7b · 7cb3e7b
1 parent e2a5c9d
commit 7cb3e7b
Show file tree

Hide file tree

Showing 23 changed files with 811 additions and 26 deletions.
diff --git a/rust/Cargo.lock b/rust/Cargo.lock
diff --git a/rust/feed/src/update/mod.rs b/rust/feed/src/update/mod.rs
@@ -14,7 +14,7 @@ use nasl_interpreter::{
 };
 use storage::{nvt::NVTField, Dispatcher, NoOpRetriever};
 
-use crate::verify::{self, SignatureChecker, HashSumFileItem};
+use crate::verify::{self, HashSumFileItem, SignatureChecker};
 
 pub use self::error::ErrorKind;
 
@@ -69,16 +69,16 @@ pub fn feed_version<K: Default + AsRef<str>>(
     Ok(feed_version)
 }
 
-
 impl<'a, R, S, L, V, K> SignatureChecker for Update<S, L, V, K>
 where
     S: Sync + Send + Dispatcher<K>,
     K: AsRef<str> + Display + Default + From<String>,
     L: Sync + Send + Loader + AsBufReader<File>,
     V: Iterator<Item = Result<HashSumFileItem<'a, R>, verify::Error>>,
     R: Read + 'a,
-{}
-
+{
+}
+
 impl<'a, S, L, V, K, R> Update<S, L, V, K>
 where
     S: Sync + Send + Dispatcher<K>,

diff --git a/rust/models/src/advisories.rs b/rust/models/src/advisories.rs
@@ -0,0 +1,240 @@
+// SPDX-FileCopyrightText: 2023 Greenbone AG
+//
+// SPDX-License-Identifier: GPL-2.0-or-later
+
+use std::collections::HashMap;
+
+/// Represents an advisory json file for notus product.
+#[cfg_attr(feature = "serde_support", derive(serde::Deserialize))]
+#[derive(Debug, Clone)]
+pub struct ProductsAdivisories {
+    /// Version of the advisory file
+    pub version: String,
+    /// SPDX license identifier
+    #[cfg_attr(feature = "serde_support", serde(rename = "spdx-license-identifier"))]
+    pub license_identifier: String,
+    /// Copyright
+    pub copyright: String,
+    /// Vulnerability Family
+    pub family: String,
+    /// List of Advisories
+    #[cfg_attr(feature = "serde_support", serde(default))]
+    pub advisories: Vec<Advisories>,
+}
+
+/// Represents an advisory json file for notus product.
+#[derive(Default, Debug, Clone, PartialEq, Eq)]
+#[cfg_attr(
+    feature = "serde_support",
+    derive(serde::Serialize, serde::Deserialize)
+)]
+pub struct Advisories {
+    /// The advisory's title.
+    pub title: String,
+    /// The advisory's ID.
+    pub oid: String,
+    /// Creation Date
+    pub creation_date: u64,
+    /// Last modification date
+    pub last_modification: u64,
+    /// Advisory ID
+    pub advisory_id: String,
+    /// Advisory xref
+    pub advisory_xref: String,
+    /// List of cves
+    #[cfg_attr(feature = "serde_support", serde(default))]
+    pub cves: Vec<String>,
+    /// Summary
+    pub summary: String,
+    /// Insight
+    #[cfg_attr(feature = "serde_support", serde(default))]
+    pub insight: String,
+    /// Affected
+    pub affected: String,
+    /// Listo of xrefs
+    #[cfg_attr(feature = "serde_support", serde(default))]
+    pub xrefs: Vec<String>,
+    /// Quality of detection
+    pub qod_type: String,
+    /// Severity
+    pub severity: Severity,
+}
+
+/// A single vulnerability from an advisory file to be stored
+#[cfg_attr(
+    feature = "serde_support",
+    derive(serde::Serialize, serde::Deserialize)
+)]
+#[derive(Default, Debug, Clone, PartialEq, Eq)]
+pub struct Vulnerability {
+    /// VT Parameters
+    pub vt_params: Vec<String>,
+    /// Creation Date
+    pub creation_date: u64,
+    /// Last modification date
+    pub last_modification: u64,
+    /// Summary
+    pub summary: String,
+    /// Impact
+    pub impact: String,
+    /// Affected
+    pub affected: String,
+    /// Insight
+    pub insight: String,
+    /// Solution
+    pub solution: String,
+    /// Solution Type
+    pub solution_type: String,
+    /// Vuldetect
+    pub vuldeterct: String,
+    /// Quality of detection
+    pub qod_type: String,
+    /// Severity vector
+    pub severity_vector: String,
+    /// File name
+    pub filename: String,
+    /// All references: xrefs, cves, xrefs, advisory xrefs and advisory id.
+    pub refs: HashMap<String, Vec<String>>,
+    /// Vulnerability Family
+    pub family: String,
+    /// Title
+    pub name: String,
+    /// Category
+    pub category: String,
+}
+
+/// Severity
+#[cfg_attr(
+    feature = "serde_support",
+    derive(serde::Serialize, serde::Deserialize)
+)]
+#[derive(Default, Debug, Clone, PartialEq, Eq)]
+pub struct Severity {
+    /// Origin of the severity
+    pub origin: String,
+    /// severity date
+    pub date: u64,
+    /// Cvss version v2
+    #[cfg_attr(
+        feature = "serde_support",
+        serde(skip_serializing_if = "Option::is_none")
+    )]
+    pub cvss_v2: Option<String>,
+    /// cvss vector v3
+    #[cfg_attr(
+        feature = "serde_support",
+        serde(skip_serializing_if = "Option::is_none")
+    )]
+    pub cvss_v3: Option<String>,
+}
+
+pub struct ProductsAdivisoriesIterator<'a> {
+    products_advisories: &'a ProductsAdivisories,
+    index: usize,
+}
+
+impl<'a> Iterator for ProductsAdivisoriesIterator<'a> {
+    type Item = &'a Advisories;
+
+    fn next(&mut self) -> Option<&'a Advisories> {
+        if self.index < self.products_advisories.advisories.len() {
+            let result = Some(&self.products_advisories.advisories[self.index]);
+            self.index += 1;
+            result
+        } else {
+            None
+        }
+    }
+}
+
+impl ProductsAdivisories {
+    pub fn iter(&self) -> ProductsAdivisoriesIterator {
+        ProductsAdivisoriesIterator {
+            products_advisories: self,
+            index: 0,
+        }
+    }
+}
+
+pub struct VulnerabilityData<'a> {
+    pub adv: &'a Advisories,
+    pub product_data: &'a ProductsAdivisories,
+    pub filename: &'a String,
+}
+
+impl<'a> From<&VulnerabilityData<'a>> for Vulnerability {
+    fn from(data: &VulnerabilityData<'a>) -> Self {
+        let sv = match &data.adv.severity.cvss_v2 {
+            Some(cvss) => cvss,
+            None => match &data.adv.severity.cvss_v3 {
+                Some(cvss) => cvss,
+                None => "",
+            },
+        };
+
+        let refs = HashMap::new();
+        Self {
+            vt_params: Vec::new(),
+            creation_date: data.adv.creation_date,
+            last_modification: data.adv.last_modification,
+            summary: data.adv.summary.to_owned(),
+            impact: "".to_string(),
+            affected: data.adv.affected.to_owned(),
+            insight: data.adv.insight.to_owned(),
+            solution: "Please install the updated package(s).".to_string(),
+            solution_type: "VendorFix".to_string(),
+            vuldeterct: "Checks if a vulnerable package version is present on the target host."
+                .to_string(),
+            qod_type: data.adv.qod_type.to_owned(),
+            severity_vector: sv.to_string(),
+            filename: data.filename.to_string(),
+            refs,
+            family: data.product_data.family.to_owned(),
+            name: data.adv.title.to_owned(),
+            category: "3".to_string(),
+        }
+    }
+}
+
+//impl Vulnerability {
+//
+//    fn serialize<S> (&self, serializer: S) -> std::result::Result<Vec<<S as Serializer>::SerializeStruct>, S::Error>
+//    where
+//        S: Serializer,
+//    {
+//        let mut advisories: Vec<<S as Serializer>::SerializeStruct> = Vec::new();
+//        for advisory in self.advisories.iter() {
+//
+//            let mut adv = serializer.serialize_struct("ProductAdvisories", 5)?;
+//
+//            adv.serialize_field("vt_params", "[]")?;
+//            adv.serialize_field("creation_date", &advisory.creation_date)?;
+//            adv.serialize_field("last_modification", &advisory.last_modification)?;
+//            adv.serialize_field("summary", &advisory.summary)?;
+//            adv.serialize_field("impact", "")?;
+//            adv.serialize_field("affected", &advisory.affected)?;
+//            adv.serialize_field("insight", &advisory.insight)?;
+//            adv.serialize_field("solution", "Please install the updated package(s).")?;
+//            adv.serialize_field("solution_type", "VendorFix")?;
+//            adv.serialize_field("vuldetect", "Checks if a vulnerable package version is present on the target host.")?;
+//            adv.serialize_field("qod_type", &advisory.qod_type)?;
+//            match &advisory.severity.cvss_v2 {
+//                Some (cvss) => adv.serialize_field("severity_vector", cvss)?,
+//                None =>  match &advisory.severity.cvss_v3
+//                {
+//                    Some (cvss) => adv.serialize_field("severity_vector", cvss)?,
+//                    None => adv.serialize_field("severity_vector", "")?,
+//                }
+//            };
+//            adv.serialize_field("severity_vector", &advisory.severity)?;
+//            adv.serialize_field("filename", &self.filename)?;
+//            adv.serialize_field("family", &self.family)?;
+//
+//
+//        }
+//
+//        Ok(advisories)
+//
+//
+//    }
+//}
diff --git a/rust/models/src/lib.rs b/rust/models/src/lib.rs
@@ -2,6 +2,7 @@
 //
 // SPDX-License-Identifier: GPL-2.0-or-later
 
+mod advisories;
 mod credential;
 mod host_info;
 mod parameter;
@@ -15,6 +16,7 @@ mod status;
 mod target;
 mod vt;
 
+pub use advisories::*;
 pub use credential::*;
 pub use host_info::*;
 pub use parameter::*;

diff --git a/rust/nasl-builtin-knowledge-base/src/lib.rs b/rust/nasl-builtin-knowledge-base/src/lib.rs
@@ -54,6 +54,7 @@ fn get_kb_item<K>(register: &Register, c: &Context<K>) -> Result<NaslValue, Func
             .map(|r| {
                 r.into_iter().find_map(|x| match x {
                     Field::NVT(_) => None,
+                    Field::NOTUS(_) => None,
                     Field::KB(kb) => kb.value.into(),
                 })
             })

diff --git a/rust/nasl-cli/Cargo.toml b/rust/nasl-cli/Cargo.toml
@@ -27,6 +27,7 @@ tracing-subscriber = { version = "0.3.17" }
 serde_json = "1.0.96"
 toml = "0.8.6"
 serde = "1.0.190"
+notus = { version = "0.1.0", path = "../notus" }
 
 
 [features]

diff --git a/rust/nasl-cli/README.md b/rust/nasl-cli/README.md
@@ -38,6 +38,24 @@ Hello, world!
 
 Usage: `nasl-cli execute [OPTIONS] [-t HOST] <script>`
 
+### notus
+Load up Notus Advisories into redis.
+It performs the signature check, the hashsum check and the upload.
+
+Signature check is optional. It must be enabled with the command line option but also the environment variable `GPGHOME` to the gnupg keyring must be set.
+
+Usage:
+`GPGHOME=/path/to/.gnupg nasl-cli notus update --path <path-to-the-advisories> --signature-check`
+#### update
+Updates notus data into redis
+
+Usage: nasl-cli notus update [OPTIONS] --path <FILE>
+
+Options:
+  -p, --path <directory>      Path to the notus advisories.
+  -x, --signature-check  Enable NASL signature check.
+  -r, --redis <VALUE>    Redis url. Must either start `unix://` or `redis://`.
+  -h, --help             Print help
 
 ### feed
 

diff --git a/rust/nasl-cli/src/feed/mod.rs b/rust/nasl-cli/src/feed/mod.rs
@@ -4,6 +4,9 @@ use std::{io, path::PathBuf};
 use clap::{arg, value_parser, ArgAction, Command};
 // re-export to work around name conflict
 
+
+use redis_storage::FEEDUPDATE_SELECTOR;
+
 use storage::StorageError;
 
 use crate::{get_path_from_openvas, read_openvas_config, CliError, CliErrorKind};
@@ -72,12 +75,13 @@ pub fn run(root: &clap::ArgMatches) -> Option<Result<(), CliError>> {
                 .cloned()
                 .unwrap_or(false);
 
-            let dispatcher = redis_storage::NvtDispatcher::as_dispatcher(&redis)
-                .map_err(StorageError::from)
-                .map_err(|e| CliError {
-                    kind: e.into(),
-                    filename: format!("{path:?}"),
-                });
+            let dispatcher =
+                redis_storage::NvtDispatcher::as_dispatcher(&redis, FEEDUPDATE_SELECTOR)
+                    .map_err(StorageError::from)
+                    .map_err(|e| CliError {
+                        kind: e.into(),
+                        filename: format!("{path:?}"),
+                    });
             Some(dispatcher.and_then(|dispatcher| update::run(dispatcher, path, signature_check)))
         }
         Some(("transform", args)) => {

diff --git a/rust/nasl-cli/src/interpret/mod.rs b/rust/nasl-cli/src/interpret/mod.rs
@@ -9,6 +9,7 @@ use nasl_interpreter::{
     load_non_utf8_path, logger::DefaultLogger, logger::NaslLogger, ContextBuilder, FSPluginLoader,
     Interpreter, KeyDispatcherSet, LoadError, Loader, NaslValue, NoOpLoader, RegisterBuilder,
 };
+use redis_storage::FEEDUPDATE_SELECTOR;
 use storage::{DefaultDispatcher, Dispatcher, Retriever};
 
 use crate::{CliError, CliErrorKind, Db};
@@ -26,7 +27,9 @@ impl Run<String> {
             Db::InMemory => ContextBuilder::new(key, Box::<DefaultDispatcher<String>>::default()),
             Db::Redis(url) => ContextBuilder::new(
                 key,
-                Box::new(redis_storage::NvtDispatcher::as_dispatcher(url).unwrap()),
+                Box::new(
+                    redis_storage::NvtDispatcher::as_dispatcher(url, FEEDUPDATE_SELECTOR).unwrap(),
+                ),
             ),
         };