CISecurity/OVALRepo

Allow creation of a definitions file that contains 'recent' vulnerabilities rather than 'everything'

nrathaus opened this issue · 8 comments

I think the project would benefit from having the ability to create a vulnerability definitions file that is just for the "last 5 years" of vulnerabilities rather than dating back to 2003, as it is unlikely that you are running a system that has vulnerabilities from 17 years ago.

At the moment the definitions file you create for Windows is 80mb+, while I am estimating that having it show just the last 5 years would reduce it by more than half that size.

I tried to modify the code to support 'submitted_after' / 'submitted_before' parameters, but I am not seeing where this is being evaluated.

Some pointers to the code changes needed and I will submit a pull request with this improvement.

Hi Noam,

build_all_oval_definitions.py includes a --from YYYYMMDD filter argument that enables you to include elements revised on or after an arbitrary date, so you could call something like:

build_oval_definitions.py -o recent.windows.cve.xml --class vulnerability --family windows --from 20150603

Is that what you're looking for?

As a side note, we strongly recommend that you filter packages by OS version. Not all definitions are written to provide accurate results if they are run against OS versions they were not written for. For example, the above command line will create a package for all Windows OS versions. We would recommend against using this. Instead, create a package for each target OS version (i.e. Windows 10, Windows Server 2012 R2, etc.). That will further reduce the file size.

-David

--from refers to the revisions, not to when it was submitted.

A better example: for the family 'windows' there are 12545 definitions (at the moment).

If we decide to remove all those that were older than 5 years - i.e. vulnerabilities submitted more than 5 years ago - we go down by more than 1/2, which affects the collection (probe) time and the reporting time, and of course the final report will contain a lot fewer 'false'/'unknown' states for those tests.

I don't see that 'from' allows this cut-off date, as it's not looking at submitted specifically, am I wrong?

I will try your suggested command line and let you know.

You probably mean build_oval_definitions_file.py and not build_all_oval_definitions.py, which has no command line parameters.

Hi Noam,

Yes, --from is not based on submission date alone; it looks for any change (submission, revision, etc.). This seemed to be the safest/simplest approach for most use cases. I think that on occasion, old CVEs are found to be exposed in recent products and, since the CVE OVAL definitions are organized by CVE, the old one may be updated to add coverage for the new issue. If that's true, then filtering to anything submitted or revised in the last 5 years might be what you want.

We could add new filters --submitted_from and --submitted_to that would only filter on the initial submission date. Do you think that would be useful?

Also, I don't think you should need to run anything like 12k definitions on any specific platform. I just ran these commands and got the following results:

# Windows 10 CVEs in last 5 years: 3990 definitions, 35mb of XML (2.6mb compressed)
python build_oval_definitions_file.py -o cve.oval.win10.xml --class vulnerability --family windows --platform "Microsoft Windows 10" --from 20150601

# Windows 7 CVEs in last 5 years: 4247 definitions, 37mb of XML (3mb compressed)
python build_oval_definitions_file.py -o cve.oval.win7.xml --class vulnerability --family windows --platform "Microsoft Windows 7" --from 20150601

# Windows 7 CVEs all time (this should be biggest): 8926 definitions, 69mb of XML (6.5mb compressed)
python build_oval_definitions_file.py -o cve.oval.win7.xml --class vulnerability --family windows --platform "Microsoft Windows 7"

-David
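An added example (not code from the OVALRepo project) that contrasts the two filters discussed in this thread: keeping definitions with any recorded change on or after a cutoff (how --from behaves) versus keeping only those initially submitted on or after it (the proposed --submitted_from). The XML is constructed sample data shaped like the repository's `<oval_repository><dates>` metadata block; the definition IDs and titles are made up.

```python
# Added example, not OVALRepo code: "any change since cutoff" (--from semantics)
# versus "submitted since cutoff" (proposed --submitted_from). SAMPLE is constructed
# data shaped like the repository's <oval_repository><dates> metadata block.
import xml.etree.ElementTree as ET
from datetime import date

NS = {"d": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

SAMPLE = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<definitions>
 <definition id="oval:example.test:def:1" version="3" class="vulnerability">
  <metadata><title>old CVE, revised recently</title><oval_repository><dates>
   <submitted date="2012-02-10T09:00:00.000-05:00"/>
   <modified date="2018-03-01T10:00:00.000-05:00" comment="added coverage"/>
  </dates></oval_repository></metadata></definition>
 <definition id="oval:example.test:def:2" version="1" class="vulnerability">
  <metadata><title>recent CVE</title><oval_repository><dates>
   <submitted date="2016-07-20T12:00:00.000-04:00"/>
  </dates></oval_repository></metadata></definition>
 <definition id="oval:example.test:def:3" version="1" class="vulnerability">
  <metadata><title>old CVE, never touched</title><oval_repository><dates>
   <submitted date="2009-01-05T08:00:00.000-05:00"/>
  </dates></oval_repository></metadata></definition>
</definitions></oval_definitions>"""

def _day(stamp):
    # Metadata timestamps are ISO 8601; only the calendar day matters here.
    return date.fromisoformat(stamp[:10])

def dates_for(definition):
    """Return (submitted, last_changed) for one <definition> element."""
    dates = definition.find("d:metadata/d:oval_repository/d:dates", NS)
    submitted = _day(dates.find("d:submitted", NS).get("date"))
    changes = [_day(e.get("date")) for e in dates
               if e.tag.endswith("}modified") or e.tag.endswith("}status_change")]
    return submitted, max([submitted] + changes)

def filter_definitions(xml_text, cutoff_yyyymmdd, submitted_only=False):
    """IDs kept by a YYYYMMDD cutoff (the --from format): by submission date only,
    or by any recorded change (submission, modification, status change)."""
    c = cutoff_yyyymmdd
    cutoff = date(int(c[:4]), int(c[4:6]), int(c[6:8]))
    keep = []
    for d in ET.fromstring(xml_text).findall("d:definitions/d:definition", NS):
        submitted, last = dates_for(d)
        if (submitted if submitted_only else last) >= cutoff:
            keep.append(d.get("id"))
    return keep
```

With the cutoff 20150601 the "any change" filter keeps def:1 and def:2, while the submission-only filter keeps just def:2; def:3 is dropped either way.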

If you don't limit it to a specific Windows OS (i.e. windows in general) you get:
INFO: Found 5297 matching OVAL definitions

That is quite a reduction in size from the full list.

Yes, that is a major reduction. Do you think we should close this issue or do we need an additional filter / capability?

I looked to see how easy it was and it turned out to be trivial, so I just did it. Please review and let me know if this works. I didn't want to change the behavior of the current parameters, so I added a new one.