#!/usr/bin/env python3 # SPDX-License-Identifier: GPL-2.0-or-later # # Enriches the input CycloneDX SBOM with vulnerability information from the NVD # database. # # The NVD database is cloned using a mirror of it and the content is compared # locally. # # Example usage: # $ make show-info | utils/generate-cyclonedx | support/script/cve-check --nvd-path dl/buildroot-nvd/ from collections import defaultdict from pathlib import Path from typing import TypedDict import argparse import sys import json import cve as cvecheck class Options(TypedDict, total=True): include_resolved: bool DESCRIPTION = """ Enriches the input CycloneDX SBOM with vulnerability information from the NVD database. The NVD database is cloned using a mirror of it and the content is compared locally. """ brpath = Path(__file__).parent.parent.parent def cve_api_get_lang_from_list(values, lang="en") -> (str | None): for x in values: if x.get("lang") == lang: return x.get("value") return None def nvd_cve_weaknesses_to_cdx(weaknesses) -> list[int]: """ See the CycloneDX specification for 'cwes' [1] [1] https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_cwes """ res = [] for node in weaknesses: value = cve_api_get_lang_from_list(node.get("description", [])) if value is None: continue cwe = value.replace("CWE-", "") if not cwe.isnumeric(): continue res.append(int(cwe)) return res def nvd_cve_cvss_to_cdx(metrics): """ See the CycloneDX specification for 'ratings' [1] [1] https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_ratings """ KEY_METHOD_DICT = { "cvssMetricV40": "CVSSv4", "cvssMetricV31": "CVSSv31", "cvssMetricV3": "CVSSv3", "cvssMetricV2": "CVSSv2" } res = [] for key, values in metrics.items(): for value in values: data = value.get("cvssData", {}) res.append({ "method": KEY_METHOD_DICT.get(key, "other"), **({ "score": data["baseScore"], } if "baseScore" in data else {}), **({ "severity": data["baseSeverity"].lower(), } if "baseSeverity" in data else {}), **({ "vector": data["vectorString"], } if "vectorString" in data else {}), }) return res def nvd_cve_references_to_cdx(references): advisories = [] for ref in references: if not {"url", "tags"}.issubset(ref): continue tags = ref["tags"] if not isinstance(tags, list) or len(tags) == 0: continue advisories.append({ "title": next((t for t in tags if "Advisory" not in t), tags[0]), "url": ref["url"] }) return advisories def nvd_cve_to_cdx_vulnerability(nvd_cve): """ Turns the CVE object fetched from the NVD API into a CycloneDX vulnerability that fits the spec (see [1]). [1] https://cyclonedx.org/docs/1.6/json/#vulnerabilities """ vulnerability = { "bom-ref": nvd_cve["id"], "id": nvd_cve["id"], "description": cve_api_get_lang_from_list(nvd_cve.get("descriptions", [])) or "", "source": { "name": "NVD", "url": "https://nvd.nist.gov/" }, **({ "published": nvd_cve["published"], } if "published" in nvd_cve else {}), **({ "updated": nvd_cve["lastModified"], } if "lastModified" in nvd_cve else {}), **({ "cwes": nvd_cve_weaknesses_to_cdx(nvd_cve["weaknesses"]), } if "weaknesses" in nvd_cve else {}), **({ "ratings": nvd_cve_cvss_to_cdx(nvd_cve["metrics"]), } if "metrics" in nvd_cve else {}), **({ "advisories": nvd_cve_references_to_cdx(nvd_cve["references"]), } if "references" in nvd_cve else {}), } return vulnerability def vuln_append_or_update_affects_if_exists(vulnerabilities, vulnerability): """ Append 'vulnerability' passed as argument to the 'vulnerabilities' argument if an entry with the same 'id' doesn't exist yet. If the vulnerability already exists, the input reference is added to the 'affects' list of the existing entry. Args: vulnerabilities (list): The vulnerabilities array reference retrieved from the input CycloneDX SBOM vulnerability (dict): Vulnerability to add to the 'vulnerabilities' list. """ # Search if a vulnerability with the same identifier already exists in the # SBOM vulnerability list. matching_vuln = next( (vuln for vuln in vulnerabilities if vuln.get("id") == vulnerability["id"]), None ) # bom-ref to the component is passed to the affects of the vulnerability # passed as argument bom_ref = next((a["ref"] for a in vulnerability.get("affects", [])), None) if matching_vuln is not None: # Remove the affect to not use it while updating matching vuln. if "affects" in vulnerability: del vulnerability["affects"] if matching_vuln.get("analysis") is not None and "analysis" in vulnerability: # We don't update vulnerabilities that already have an # 'analysis'. # Buildroot ignored vulnerabilities will already have # an analysis and need to remain as such. del vulnerability["analysis"] affects = matching_vuln.setdefault("affects", []) if bom_ref is not None: ref = next((a["ref"] for a in affects if a["ref"] == bom_ref), None) if ref is None: # Add a 'ref' (bom reference) to the component if not # already present in the 'affects' list. affects.append({ "ref": bom_ref }) # Update the metadata of the vulnerability with the one # downloaded from the database. matching_vuln.update(vulnerability) else: vulnerabilities.append(vulnerability) def check_package_cve_affects(cve: cvecheck.CVE, cpe_product_pkgs, sbom, opt: Options): vulnerabilities = sbom.setdefault("vulnerabilities", []) for product in cve.affected_products: for comp in cpe_product_pkgs.get(product, []): cve_status = cve.affects(comp["name"], comp["version"], comp["cpe"]) if cve_status == cve.CVE_UNKNOWN: continue if cve_status == cve.CVE_DOESNT_AFFECT and not opt["include_resolved"]: continue vulnerability = nvd_cve_to_cdx_vulnerability(cve.nvd_cve) vulnerability["analysis"] = { "state": "exploitable" if cve_status == cve.CVE_AFFECTS else "resolved" } vulnerability["affects"] = [{ "ref": comp["bom-ref"] }] vuln_append_or_update_affects_if_exists(vulnerabilities, vulnerability) def check_package_cves(nvd_path: Path, sbom, opt: Options): """ Iterate over every entry of the NVD API mirror. Each vulnerability is compared to the set of components passed as argument in the 'sbom'. The vulnerabilities set of that 'sbom' argument is enriched with analysis of vulnerabilities that match that set of components. Args: nvd_path (Path): Path of the mirror of the NVD API. sbom (dict): Input SBOM containing a set of vulnerabilities that will be enriched. opt (Options): Options for the analysis. """ cpe_product_pkgs = defaultdict(list) for comp in sbom.get("components", []): if comp.get("cpe") and comp.get("version"): cpe_product = cvecheck.CPE(comp["cpe"]).product cpe_product_pkgs[cpe_product].append(comp) for cve in cvecheck.CVE.read_nvd_dir(nvd_path): check_package_cve_affects(cve, cpe_product_pkgs, sbom, opt) def enrich_vulnerabilities(nvd_path: Path, sbom): """ Iterate over the vulnerabilities present in the 'sbom' passed as arguments and enrich the vulnerability with content from the NVD API mirror. Args: nvd_path (Path): Path of the mirror of the NVD API. sbom (dict): Input SBOM containing a set of vulnerabilities that will be enriched. """ vulnerabilities = sbom.setdefault("vulnerabilities", []) for vuln in vulnerabilities: vuln_id = vuln.get("id") if vuln_id is None or not vuln_id.upper().startswith("CVE-"): continue cve = cvecheck.CVE.read_nvd_entry(nvd_path, vuln_id) if cve is None: print(f"Warning: '{vuln_id}' doesn't exist in NVD database.", file=sys.stderr) continue vulnerability = nvd_cve_to_cdx_vulnerability(cve.nvd_cve) vuln_append_or_update_affects_if_exists(vulnerabilities, vulnerability) def main(): parser = argparse.ArgumentParser(description=DESCRIPTION) parser.add_argument("-i", "--in-file", nargs="?", type=argparse.FileType("r"), default=(None if sys.stdin.isatty() else sys.stdin)) parser.add_argument("-o", "--out-file", nargs="?", type=argparse.FileType("w"), default=sys.stdout) parser.add_argument('--nvd-path', dest='nvd_path', default=brpath / 'dl' / 'buildroot-nvd', help='Path to the local NVD database', type=lambda p: Path(p).expanduser().resolve()) parser.add_argument("--enrich-only", default=False, action='store_true', help="Only update metadata for the vulnerabilities currently present " + "in the input CycloneDX SBOM. Don't do an analysis.") parser.add_argument("--include-resolved", default=False, action='store_true', help="Add vulnerabilities already 'resolved' that don't affect a " + "component to the output CycloneDX vulnerabilities analysis.") parser.add_argument("--no-nvd-update", default=False, action='store_true', help="Doesn't update the NVD database.") args = parser.parse_args() if args.in_file is None or args.nvd_path is None: parser.print_help() sys.exit(1) sbom = json.load(args.in_file) opt = Options( include_resolved=args.include_resolved, ) args.nvd_path.mkdir(parents=True, exist_ok=True) if not args.no_nvd_update: cvecheck.CVE.download_nvd(args.nvd_path) if args.enrich_only: enrich_vulnerabilities(args.nvd_path, sbom) else: check_package_cves(args.nvd_path, sbom, opt) args.out_file.write(json.dumps(sbom, indent=2)) args.out_file.write('\n') if __name__ == "__main__": main()