muchdogesec/cve2stix

Add vulnerable CPE data to indicator objects

Closed this issue · 11 comments

We currently create a pattern of CPEs from the node values in the response (and after calling the match criteria API)

{
    "resultsPerPage": 1,
    "startIndex": 0,
    "totalResults": 1,
    "format": "NVD_CVE",
    "version": "2.0",
    "timestamp": "2024-08-15T12:18:08.343",
    "vulnerabilities": [
        {
            "cve": {
                "id": "CVE-2019-18939",
                "sourceIdentifier": "cve@mitre.org",
                "published": "2019-11-14T19:15:13.410",
                "lastModified": "2021-07-21T11:39:23.747",
                "vulnStatus": "Analyzed",
                "cveTags": [],
                "descriptions": [
                    {
                        "lang": "en",
                        "value": "eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the HM-Print AddOn through 1.2a installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the exec.cgi and exec1.cgi scripts, which execute TCL script content from an HTTP POST request."
                    },
                    {
                        "lang": "es",
                        "value": "eQ-3 Homematic CCU2 versión 2.47.20 y CCU3 versión 3.47.18 con el AddOn HM-Print instalado versiones hasta 1.2a, permite la Ejecución de Código Remota por parte de atacantes no autenticados con acceso a la interfaz web por medio de los scripts exec.cgi y exec1.cgi, que ejecutan un contenido de script TCL desde una petición POST de HTTP."
                    }
                ],
                "metrics": {
                    "cvssMetricV31": [
                        {
                            "source": "nvd@nist.gov",
                            "type": "Primary",
                            "cvssData": {
                                "version": "3.1",
                                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                                "attackVector": "NETWORK",
                                "attackComplexity": "LOW",
                                "privilegesRequired": "NONE",
                                "userInteraction": "NONE",
                                "scope": "UNCHANGED",
                                "confidentialityImpact": "HIGH",
                                "integrityImpact": "HIGH",
                                "availabilityImpact": "HIGH",
                                "baseScore": 9.8,
                                "baseSeverity": "CRITICAL"
                            },
                            "exploitabilityScore": 3.9,
                            "impactScore": 5.9
                        }
                    ],
                    "cvssMetricV2": [
                        {
                            "source": "nvd@nist.gov",
                            "type": "Primary",
                            "cvssData": {
                                "version": "2.0",
                                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                                "accessVector": "NETWORK",
                                "accessComplexity": "LOW",
                                "authentication": "NONE",
                                "confidentialityImpact": "PARTIAL",
                                "integrityImpact": "PARTIAL",
                                "availabilityImpact": "PARTIAL",
                                "baseScore": 7.5
                            },
                            "baseSeverity": "HIGH",
                            "exploitabilityScore": 10.0,
                            "impactScore": 6.4,
                            "acInsufInfo": false,
                            "obtainAllPrivilege": false,
                            "obtainUserPrivilege": false,
                            "obtainOtherPrivilege": false,
                            "userInteractionRequired": false
                        }
                    ]
                },
                "weaknesses": [
                    {
                        "source": "nvd@nist.gov",
                        "type": "Primary",
                        "description": [
                            {
                                "lang": "en",
                                "value": "CWE-306"
                            }
                        ]
                    }
                ],
                "configurations": [
                    {
                        "nodes": [
                            {
                                "operator": "AND",
                                "negate": false,
                                "cpeMatch": [
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:a:hm-print_project:hm-print:1.2a:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "286DA904-5631-4AAF-86DE-97C23982D2C5"
                                    },
                                    {
                                        "vulnerable": false,
                                        "criteria": "cpe:2.3:h:eq-3:homematic_ccu2:-:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "9C2CF19C-7EDE-4E3C-A736-E6736FF03FDC"
                                    },
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:o:eq-3:homematic_ccu2_firmware:2.47.20:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "38BE17DA-7C5E-427E-B824-151EB27CFF26"
                                    }
                                ]
                            }
                        ]
                    },

However, we don't track what CPE is vulnerable.

e.g. Microsoft Word when running on Windows.

Here Word is vulnerable, Windows is not.

You can see this in the vulnerable property on the node.

Unfortunately there is no value in a STIX indicator to easily track this info.

So the recommended approach is, after the match criteria API call has been run, to put all CPE IDs where "vulnerable": true into external_references as follows:

```json
{
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--<SAME UUID AS VULNERABILITY SDO>",
    "created_by_ref": "<IMPORTED IDENTITY OBJECT>",
    "created": "<vulnerabilities.cve.published>",
    "modified": "<vulnerabilities.cve.lastModifiedDate>",
    "indicator_types": [
        "compromised"
    ],
    "name": "<vulnerability.id>",
    "description": "<vulnerabilities.cve.description.description_data.value> (if multiple, where lang = en, else first result)",
    "pattern": "(<CPE PATTERN [1]>) OR (<CPE PATTERN [N]>)",
    "pattern_type": "stix",
    "pattern_version": "2.1",
    "valid_from": "<vulnerabilities.cve.publishedDate>",
    "external_references": [
        {
            "source_name": "cve",
            "external_id": "<vulnerabilities.cve.id>",
            "url": "https://nvd.nist.gov/vuln/detail/<vulnerabilities.cve.id>"
        },
        {
            "source_name": "vulnerable_cpe",
            "external_id": "<cpe_id>"
        }
    ],
    "object_marking_refs": [
        "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
        "<IMPORTED MARKING DEFINITION OBJECT>"
    ]
}
```

with one entry for vulnerable_cpe per vulnerable CPE

@fqrious it is currently printing the response from the NVD CVE API.

It needs to print the expanded CPE IDs obtained via the match criteria API, which lists specific CPEs (this is the same way we generate the CPE IDs for the pattern).

Still not correct, @fqrious

You need to print separate entries.

Current:

                {
                    "source_name": "vulnerable_cpe",
                    "external_id": "(software:cpe='cpe:2.3:a:microsoft:ole_db_driver_for_sql_server:18.0.2:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:ole_db_driver_for_sql_server:18.1.0:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:ole_db_driver_for_sql_server:18.2.1:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:ole_db_driver_for_sql_server:18.2.2:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:ole_db_driver_for_sql_server:18.2.3:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:ole_db_driver_for_sql_server:18.3.0:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:ole_db_driver_for_sql_server:18.4.0:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:ole_db_driver_for_sql_server:18.5.0:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:ole_db_driver_for_sql_server:18.6.0:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:ole_db_driver_for_sql_server:18.6.3:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:ole_db_driver_for_sql_server:18.6.4:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:ole_db_driver_for_sql_server:18.6.5:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:ole_db_driver_for_sql_server:18.6.6:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:ole_db_driver_for_sql_server:18.6.0006.0:*:*:*:*:*:*:*')"
                },
                {
                    "source_name": "vulnerable_cpe",
                    "external_id": "(software:cpe='cpe:2.3:a:microsoft:ole_db_driver_for_sql_server:19.0.0:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:ole_db_driver_for_sql_server:19.1.0:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:ole_db_driver_for_sql_server:19.2.0:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:ole_db_driver_for_sql_server:19.3.0:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:ole_db_driver_for_sql_server:19.3.1:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:ole_db_driver_for_sql_server:19.3.0001.0:*:*:*:*:*:*:*')"
                },
                {
                    "source_name": "vulnerable_cpe",
                    "external_id": "(software:cpe='cpe:2.3:a:microsoft:sql_server_2019:15.0.2000.5:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:sql_server_2019:15.0.2070.41:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:sql_server_2019:15.0.2080.9:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:sql_server_2019:15.0.2095.3:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:sql_server_2019:15.0.2101.7:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:sql_server_2019:15.0.2104.1:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:sql_server_2019:15.0.2110.4:*:*:*:*:*:*:*')"
                },
                {
                    "source_name": "vulnerable_cpe",
                    "external_id": "(software:cpe='cpe:2.3:a:microsoft:sql_server_2019:15.0.4375.4:*:*:*:*:*:*:*')"
                },
                {
                    "source_name": "vulnerable_cpe",
                    "external_id": "(software:cpe='cpe:2.3:a:microsoft:sql_server_2022:16.0.1000.6:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:sql_server_2022:16.0.1050.5:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:sql_server_2022:16.0.1105.1:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:sql_server_2022:16.0.1110.1:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:sql_server_2022:16.0.1115.1:*:*:*:*:*:*:*')"
                },
                {
                    "source_name": "vulnerable_cpe",
                    "external_id": "(software:cpe='cpe:2.3:a:microsoft:sql_server_2022:16.0.4125.3:*:*:*:*:*:*:*')"
                }

but this is wrong

                    "external_id": "(software:cpe='cpe:2.3:a:microsoft:sql_server_2022:16.0.1000.6:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:sql_server_2022:16.0.1050.5:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:sql_server_2022:16.0.1105.1:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:sql_server_2022:16.0.1110.1:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:microsoft:sql_server_2022:16.0.1115.1:*:*:*:*:*:*:*')"

should be 5 separate entries

What CVE is this generated from? Are you sure all 6 entries above have vulnerable=true?

try @fqrious

        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--fdbf7d82-4195-5bdb-a8e1-6e32299b2e69",
            "created_by_ref": "identity--562918ee-d5da-5579-b6a1-fae50cc6bad3",
            "created": "2024-08-13T17:15:24.013Z",
            "modified": "2024-08-14T18:14:16.073Z",
            "name": "CVE-2024-41614",
            "description": "symphonycms <=2.7.10 is vulnerable to Cross Site Scripting (XSS) in the Comment component for articles.",
            "indicator_types": [
                "compromised"
            ],
            "pattern": "([(software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.0:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.0.3:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.0.4:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.0.5:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.0.6:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.0.7:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.1.0:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.1.1:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.3.0:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.3.1:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.3.2:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.6.2:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.6.3:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.6.7:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.6.8:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.6.9:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.6.11:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.7.0:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.7.1:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.7.2:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.7.3:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.7.4:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.7.5:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.7.6:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.7.8:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.7.9:*:*:*:*:*:*:*' OR 
software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.7.10:*:*:*:*:*:*:*')])",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2024-08-13T17:15:24.013Z",
            "external_references": [
                {
                    "source_name": "cve",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41614",
                    "external_id": "CVE-2024-41614"
                },
                {
                    "source_name": "vulnerable_cpe",
                    "external_id": "(software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.0:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.0.3:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.0.4:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.0.5:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.0.6:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.0.7:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.1.0:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.1.1:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.3.0:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.3.1:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.3.2:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.6.2:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.6.3:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.6.7:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.6.8:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.6.9:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.6.11:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.7.0:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.7.1:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.7.2:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.7.3:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.7.4:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.7.5:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.7.6:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.7.8:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.7.9:*:*:*:*:*:*:*' OR 
software:cpe='cpe:2.3:a:symphony-cms:symphony_cms:2.7.10:*:*:*:*:*:*:*')"
                }
            ],
            "object_marking_refs": [
                "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
                "marking-definition--562918ee-d5da-5579-b6a1-fae50cc6bad3"
            ]
        },

and yes, all are vulnerable

                    {
                        "nodes": [
                            {
                                "operator": "OR",
                                "negate": false,
                                "cpeMatch": [
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:a:symphony-cms:symphony_cms:*:*:*:*:*:*:*:*",
                                        "versionEndIncluding": "2.7.10",
                                        "matchCriteriaId": "B2ED4D75-613C-4EAD-8875-48FB7FA47CA4"
                                    }
                                ]
                            }
                        ]
                    }
                ],

so would expect many vulnerable_cpe entries

I can dig out more examples where "vulnerable": false, if you want?

Only one item here, provide the cve from above...

@fqrious the match criteria api shows many results

{
    "resultsPerPage": 1,
    "startIndex": 0,
    "totalResults": 1,
    "format": "NVD_CPEMatchString",
    "version": "2.0",
    "timestamp": "2024-08-17T11:14:30.680",
    "matchStrings": [
        {
            "matchString": {
                "matchCriteriaId": "B2ED4D75-613C-4EAD-8875-48FB7FA47CA4",
                "criteria": "cpe:2.3:a:symphony-cms:symphony_cms:*:*:*:*:*:*:*:*",
                "versionEndIncluding": "2.7.10",
                "lastModified": "2024-08-14T13:58:34.497",
                "cpeLastModified": "2024-08-14T13:58:34.497",
                "created": "2024-08-14T13:58:34.497",
                "status": "Active",
                "matches": [
                    {
                        "cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.0:*:*:*:*:*:*:*",
                        "cpeNameId": "019EE156-3FE4-449F-B692-B4EA53A684B1"
                    },
                    {
                        "cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.0.3:*:*:*:*:*:*:*",
                        "cpeNameId": "C9BD2D1E-9CB7-45CB-8E3F-F21037CBC7EA"
                    },
                    {
                        "cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.0.4:*:*:*:*:*:*:*",
                        "cpeNameId": "14DF0986-9B5E-4C67-B958-CCACD34EF037"
                    },
                    {
                        "cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.0.5:*:*:*:*:*:*:*",
                        "cpeNameId": "B4622411-731E-4898-89DA-D759E230D22E"
                    },
                    {
                        "cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.0.6:*:*:*:*:*:*:*",
                        "cpeNameId": "3FD8C3A6-B1B1-4718-97C2-0422600339AA"
                    },
                    {
                        "cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.0.7:*:*:*:*:*:*:*",
                        "cpeNameId": "93653A2B-60D1-4440-8369-1B5DAC684F10"
                    },
                    {
                        "cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.1.0:*:*:*:*:*:*:*",
                        "cpeNameId": "FED679C4-562F-487B-8C6E-CDDACB3F9638"
                    },
                    {
                        "cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.1.1:*:*:*:*:*:*:*",
                        "cpeNameId": "0B3716F1-DE45-4EC2-9DA2-5BF4A3A85616"
                    },
                    {
                        "cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.3.0:*:*:*:*:*:*:*",
                        "cpeNameId": "81A933EB-9DE2-4D5E-90EA-4563C6C29117"
                    },
                    {
                        "cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.3.1:*:*:*:*:*:*:*",
                        "cpeNameId": "F241C6DF-94D9-4FB3-BF13-5ADAAA65EBAF"
                    },
                    {
                        "cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.3.2:*:*:*:*:*:*:*",
                        "cpeNameId": "A36A4810-6AB0-4569-BC4F-FCE65A47BF47"
                    },
                    {
                        "cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.6.2:*:*:*:*:*:*:*",
                        "cpeNameId": "3A01590C-2A34-41F5-B03C-DABE462494AC"
                    },
                    {
                        "cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.6.3:*:*:*:*:*:*:*",
                        "cpeNameId": "5B38F31C-3BF7-4A3B-B8D9-AED3B0F3E9CB"
                    },
                    {
                        "cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.6.7:*:*:*:*:*:*:*",
                        "cpeNameId": "E83A86C3-7C62-4062-B9EE-DE4BAE286D53"
                    },
                    {
                        "cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.6.8:*:*:*:*:*:*:*",
                        "cpeNameId": "07396D22-CFFE-4A38-A5F6-6134718BA3BF"
                    },
                    {
                        "cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.6.9:*:*:*:*:*:*:*",
                        "cpeNameId": "A5399258-7299-4952-AF0F-C478A3365550"
                    },
                    {
                        "cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.6.11:*:*:*:*:*:*:*",
                        "cpeNameId": "44E9E61C-0FE9-4B10-A555-659EF7C95F0F"
                    },
                    {
                        "cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.7.0:*:*:*:*:*:*:*",
                        "cpeNameId": "E16D1650-214F-4BA8-88A6-1AE7EA806672"
                    },
                    {
                        "cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.7.1:*:*:*:*:*:*:*",
                        "cpeNameId": "8CBB2446-C5B8-4443-82B6-F7E7B5EFA7DF"
                    },
                    {
                        "cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.7.2:*:*:*:*:*:*:*",
                        "cpeNameId": "D2322C88-0AE6-4FA6-95D7-012D4F5CE3DE"
                    },
                    {
                        "cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.7.3:*:*:*:*:*:*:*",
                        "cpeNameId": "2FBB10A6-5677-4165-A7D9-BFCE8B166F84"
                    },
                    {
                        "cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.7.4:*:*:*:*:*:*:*",
                        "cpeNameId": "B69A4BC2-BE8F-4799-8454-2DA228C2CCA7"
                    },
                    {
                        "cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.7.5:*:*:*:*:*:*:*",
                        "cpeNameId": "C535044F-92FB-4A7D-97AB-C9A6682F9C79"
                    },
                    {
                        "cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.7.6:*:*:*:*:*:*:*",
                        "cpeNameId": "6DC54ABC-40A5-4AEF-952D-04A8C6206708"
                    },
                    {
                        "cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.7.8:*:*:*:*:*:*:*",
                        "cpeNameId": "DD181605-A394-476B-A8A2-29BA2DE30699"
                    },
                    {
                        "cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.7.9:*:*:*:*:*:*:*",
                        "cpeNameId": "C353EE82-4641-45DD-9543-40AE95022DAD"
                    },
                    {
                        "cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.7.10:*:*:*:*:*:*:*",
                        "cpeNameId": "3821F432-3539-45D5-813F-04B60C7C5AEF"
                    }
                ]
            }
        }
    ]
}

Ok, so 2 things;

1. move vulnerable CPEs into custom property of the indicator

as per: muchdogesec/stix2extensions#2

2. let me explain the full flow now

I'll explain step by step what should happen to create this data

  1. get cve (functionality working)
  2. get cpes in node (working)
  3. convert cpes in node to full cpes using match criteria api (working)
  4. rebuild cpe pattern using data from step 3 (working)
  5. identify vulnerable cpes from step 4, and vulnerable = true from step 2 (working)
  6. print the list of vulnerable cpes in custom property

I still don't get it, if you want built cpe pattern in vulnerable_cpe, that's already the case... Is it that you want each cpeName as vulnerable_cpe instead?

> Is it that you want each cpeName as vulnerable_cpe instead?

Yes, exactly that.

The reason is, the pattern property shows the combination of products that need to exist for a vuln to occur. BUT there is no way to identify exactly which is vulnerable.

Thus, we need a separate property to record this info.

I understand now
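
Steps 2, 3, 5 and 6 of the flow above, with one `vulnerable_cpe` entry per expanded `cpeName`, as an added Python example (not cve2stix's own code). The function names are hypothetical, and the sample data is constructed by trimming and combining the NVD responses quoted in this thread.

```python
# Added example, not project code. Function names are hypothetical.

def index_match_strings(responses):
    """Map matchCriteriaId -> list of cpeName from match criteria API responses."""
    index = {}
    for response in responses:
        for item in response.get("matchStrings", []):
            match_string = item["matchString"]
            names = [m["cpeName"] for m in match_string.get("matches", [])]
            index.setdefault(match_string["matchCriteriaId"], []).extend(names)
    return index


def vulnerable_cpe_names(configurations, match_index):
    """Return (names, unresolved): expanded CPE names for cpeMatch entries with
    "vulnerable": true, and the matchCriteriaIds that had no expansion."""
    names, unresolved = [], []
    for config in configurations:
        for node in config.get("nodes", []):
            for cpe_match in node.get("cpeMatch", []):
                if cpe_match.get("vulnerable") is not True:
                    continue  # platform/context CPE: stays in the pattern only
                expanded = match_index.get(cpe_match["matchCriteriaId"], [])
                if not expanded:
                    unresolved.append(cpe_match["matchCriteriaId"])
                for name in expanded:
                    if name not in names:  # keep order, drop duplicates
                        names.append(name)
    return names, unresolved


def as_external_references(names):
    """One entry per CPE name, never a joined pattern string."""
    return [{"source_name": "vulnerable_cpe", "external_id": n} for n in names]


# Constructed sample: cpeMatch entries taken from the two CVE responses in the
# thread and combined into a single node for illustration.
CONFIGURATIONS = [{"nodes": [{"operator": "AND", "negate": False, "cpeMatch": [
    {"vulnerable": True,
     "criteria": "cpe:2.3:a:symphony-cms:symphony_cms:*:*:*:*:*:*:*:*",
     "versionEndIncluding": "2.7.10",
     "matchCriteriaId": "B2ED4D75-613C-4EAD-8875-48FB7FA47CA4"},
    {"vulnerable": False,
     "criteria": "cpe:2.3:h:eq-3:homematic_ccu2:-:*:*:*:*:*:*:*",
     "matchCriteriaId": "9C2CF19C-7EDE-4E3C-A736-E6736FF03FDC"},
    {"vulnerable": True,  # no match data supplied below, so it is reported
     "criteria": "cpe:2.3:a:hm-print_project:hm-print:1.2a:*:*:*:*:*:*:*",
     "matchCriteriaId": "286DA904-5631-4AAF-86DE-97C23982D2C5"},
]}]}]

# Constructed sample: match criteria responses, trimmed to two matches each.
MATCH_RESPONSES = [
    {"matchStrings": [{"matchString": {
        "matchCriteriaId": "B2ED4D75-613C-4EAD-8875-48FB7FA47CA4",
        "matches": [
            {"cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.7.9:*:*:*:*:*:*:*"},
            {"cpeName": "cpe:2.3:a:symphony-cms:symphony_cms:2.7.10:*:*:*:*:*:*:*"},
        ]}}]},
    {"matchStrings": [{"matchString": {
        "matchCriteriaId": "9C2CF19C-7EDE-4E3C-A736-E6736FF03FDC",
        "matches": [
            {"cpeName": "cpe:2.3:h:eq-3:homematic_ccu2:-:*:*:*:*:*:*:*"},
        ]}}]},
]

if __name__ == "__main__":
    found, missing = vulnerable_cpe_names(
        CONFIGURATIONS, index_match_strings(MATCH_RESPONSES))
    for ref in as_external_references(found):
        print(ref)
    print("no expansion for:", missing)
```

The same list of names is what would go into the custom indicator property discussed above; the non-vulnerable hardware CPE never appears in it even though it remains part of the pattern.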