Skip to content

Instantly share code, notes, and snippets.

@sayanchowdhury

sayanchowdhury/README.md

Forked from tormath1/README.md
Last active May 2, 2021 11:56
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save sayanchowdhury/41da6f95a0fc13ecc379c895989c3593 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save sayanchowdhury/41da6f95a0fc13ecc379c895989c3593 to your computer and use it in GitHub Desktop.
Download ZIP
generateCVE summary from a CVE list
Raw
README.md

DISCLAIMER: The CVE listed in the example is just for example purpose and might not be related to the package.

Usage example:

Output JSON

$ go run ./main.go -cvefile ./cves.txt -json | jq

{
  "Golang": [
    {
      "id": "CVE-2021-28038",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28038",
      "score": 6.5,
      "severity": "Medium",
      "package": "Golang",
      "description": "An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931."
    }
  ],
  "Linux": [
    {
      "id": "CVE-2020-25683",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25683",
      "score": 5.9,
      "severity": "Medium",
      "package": "Linux",
      "description": "A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability."
    },
    {
      "id": "CVE-2021-27365",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27365",
      "score": 7.8,
      "severity": "High",
      "package": "Linux",
      "description": "An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message."
    }
  ],
  "systemd": [
    {
      "id": "CVE-2021-27364",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27364",
      "score": 7.1,
      "severity": "High",
      "package": "systemd",
      "description": "An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages."
    },
    {
      "id": "CVE-2021-27363",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27363",
      "score": 4.4,
      "severity": "Medium",
      "package": "systemd",
      "description": "An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables."
    }
  ]
}

Output Markdown

$ go run ./main.go -cvefile ./cves.txt -md


* Golang
  * [CVE-2021-28038](https://nvd.nist.gov/vuln/detail/CVE-2021-28038) CVSSv3 score: 6.5(Medium)  
    An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931.

* Linux
  * [CVE-2020-25683](https://nvd.nist.gov/vuln/detail/CVE-2020-25683) CVSSv3 score: 5.9(Medium)  
    A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
  * [CVE-2021-27365](https://nvd.nist.gov/vuln/detail/CVE-2021-27365) CVSSv3 score: 7.8(High)  
    An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message.

* systemd
  * [CVE-2021-27364](https://nvd.nist.gov/vuln/detail/CVE-2021-27364) CVSSv3 score: 7.1(High)  
    An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.
  * [CVE-2021-27363](https://nvd.nist.gov/vuln/detail/CVE-2021-27363) CVSSv3 score: 4.4(Medium)  
    An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables.

Using with Mardown output with Pandoc

$ go run ./main.go -cvefile ./cves.txt -md > /tmp/hello.md && pandoc --from=markdown --to=docx /tmp/hello.md -o /tmp/hello.docx
Raw
cves.txt
Linux
CVE-2020-25683
CVE-2021-27365
systemd
CVE-2021-27364
CVE-2021-27363
Golang
CVE-2021-28038
Raw
main.go
package main
import (
"bufio"
"encoding/json"
"flag"
"fmt"
"html/template"
"net/http"
"net/url"
"os"
"strconv"
"strings"
"golang.org/x/net/html"
)
const (
// baseURL is the base NIST URL to which we
// concatenate CVE id
baseURL = "https://nvd.nist.gov/vuln/detail"
)
var (
// CVELink is the URL links to the CVE
// on the NIST website
CVELink string
// CVEFile is the path of the file containing
// CVEs
CVEFile string
// CVEPackage is the name of the package the CVE
// is associated with
CVEPackage string
// CVEMarkdown is the bool to output markdown output
CVEMarkdown bool
// CVEJson is the bool to output the json output
CVEJson bool
// walk is the function walking recursively into
// the HTML tree
walk func(*html.Node, *CVE) error
)
// CVE holds the CVE information
// we want to extract
type CVE struct {
// CVE Id
Id string `json:"id"`
// CVE URL
Url string `json:"url"`
// Score is the CVE score
Score float64 `json:"score"`
// Severity is the severity of the CVE (based on score)
Severity string `json:"severity"`
// Name of the Pakcage associated with the CVE
Package string `json:"package"`
// Description is the current description of the CVE
Description string `json:"description"`
}
type CVESet map[string][]CVE
func init() {
flag.StringVar(&CVELink, "cvelink", "", "NIST URL of the CVE")
flag.StringVar(&CVEFile, "cvefile", "", "file containtaing CVEs NIST URL")
flag.BoolVar(&CVEJson, "json", false, "Output in JSON")
flag.BoolVar(&CVEMarkdown, "md", false, "Output in Markdown")
}
// fetchCVE download the NIST webpage of the CVE
func fetchCVE(id string) (*html.Node, error) {
resp, err := http.Get(id)
if err != nil {
return nil, fmt.Errorf("unable to get CVE webpage: %w", err)
}
defer resp.Body.Close()
page, err := html.Parse(resp.Body)
if err != nil {
return nil, fmt.Errorf("unable to parse CVE webpage: %w", err)
}
return page, nil
}
// extractCVE extracts CVE information from a NIST webpage
func extractCVE(n *html.Node) (*CVE, error) {
walk = func(n *html.Node, c *CVE) error {
if n.Type == html.ElementNode && n.Data == "a" {
for _, a := range n.Attr {
if a.Key == "id" && a.Val == "Cvss3NistCalculatorAnchor" {
child := n.FirstChild
if child.Type == html.TextNode {
// child.Data looks like something
// like "6.7 MEDIUM"
data := strings.Split(child.Data, " ")
if len(data) < 2 {
return fmt.Errorf("CVE score should be composed by score and severity (e.g 6.7 MEDIUM)")
}
score, err := strconv.ParseFloat(data[0], 64)
if err != nil {
return fmt.Errorf("unable to convert score to int: %w", err)
}
c.Score = score
c.Severity = strings.Title(strings.ToLower(data[1]))
return nil
}
}
}
}
if n.Type == html.ElementNode && n.Data == "p" {
for _, a := range n.Attr {
if a.Key == "data-testid" && a.Val == "vuln-description" {
child := n.FirstChild
if child.Type == html.TextNode {
c.Description = child.Data
return nil
}
}
}
}
for child := n.FirstChild; child != nil; child = child.NextSibling {
if err := walk(child, c); err != nil {
return err
}
}
return nil
}
var c CVE
if err := walk(n, &c); err != nil {
return nil, fmt.Errorf("unable to walk into CVE parsed HTML: %w", err)
}
return &c, nil
}
// getCVE calls the fetch and the extract methods to get a CVE
// from a NIST URL
func getCVE(id string) (*CVE, error) {
u := fmt.Sprintf("%s/%s", baseURL, id)
if _, err := url.Parse(u); err != nil {
return nil, fmt.Errorf("unable to parse URL: %w", err)
}
page, err := fetchCVE(u)
if err != nil {
return nil, fmt.Errorf("unable to fetch CVE: %w", err)
}
cve, err := extractCVE(page)
if err != nil {
return nil, fmt.Errorf("unable to extract CVE: %w", err)
}
cve.Id = id
cve.Url = u
cve.Package = CVEPackage
return cve, nil
}
// generateMarkdown generates the markdown output, which can be later
// consumed by pandoc
func generateMarkdown(cveItems CVESet) error {
tpl := `
{{ range $package, $cvePayload := . }}
* {{ $package }}{{ range $cvePayload }}
* [{{ .Id }}]({{.Url}}) CVSSv3 score: {{ .Score }}({{.Severity}})
{{ .Description }}{{ end }}
{{ end }}`
t, err := template.New("t").Parse(tpl)
if err != nil {
return err
}
err = t.Execute(os.Stdout, cveItems)
if err != nil {
return err
}
return nil
}
func main() {
flag.Parse()
if CVEJson == false && CVEMarkdown == false {
fmt.Fprintf(os.Stderr, "Please use either -json or -md flag\n")
os.Exit(1)
}
if CVEJson == true && CVEMarkdown == true {
fmt.Fprintf(os.Stderr, "Please avoid using both -json or -md flag\n")
os.Exit(1)
}
if len(CVELink) != 0 {
cve, err := getCVE(CVELink)
if err != nil {
fmt.Fprintf(os.Stderr, "unable to get CVE: %v\n", err)
os.Exit(1)
}
res, err := json.Marshal(cve)
if err != nil {
fmt.Fprintf(os.Stderr, "unable to convert CVE to JSON: %v\n", err)
os.Exit(1)
}
fmt.Println(string(res))
}
if len(CVEFile) != 0 {
if _, err := os.Stat(CVEFile); os.IsNotExist(err) {
fmt.Fprint(os.Stderr, "CVE file does not exist\n")
os.Exit(1)
}
file, err := os.Open(CVEFile)
if err != nil {
fmt.Fprintf(os.Stderr, "unable to open CVE file: %v\n", err)
os.Exit(1)
}
defer file.Close()
scanner := bufio.NewScanner(file)
cves := make(CVESet)
for scanner.Scan() {
url := scanner.Text()
if !strings.HasPrefix(url, "CVE") {
CVEPackage = url
continue
}
cve, err := getCVE(url)
if err != nil {
fmt.Fprintf(os.Stderr, "unable to get CVE: %v\n", err)
continue
}
cves[CVEPackage] = append(cves[CVEPackage], *cve)
}
if err := scanner.Err(); err != nil {
fmt.Fprintf(os.Stderr, "unable to scan file: %v\n", err)
}
if CVEJson {
res, err := json.Marshal(cves)
if err != nil {
fmt.Fprintf(os.Stderr, "unable to convert CVE list to JSON: %v\n", err)
os.Exit(1)
}
fmt.Println(string(res))
}
if CVEMarkdown {
generateMarkdown(cves)
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment