diff --git a/bridges/OpenCVEBridge.php b/bridges/OpenCVEBridge.php index b5fc852b..1e528322 100644 --- a/bridges/OpenCVEBridge.php +++ b/bridges/OpenCVEBridge.php @@ -14,8 +14,8 @@ class OpenCVEBridge extends BridgeAbstract 'instance' => [ 'name' => 'OpenCVE Instance', 'required' => true, - 'defaultValue' => 'https://www.opencve.io', - 'exampleValue' => 'https://www.opencve.io' + 'defaultValue' => 'https://app.opencve.io', + 'exampleValue' => 'https://app.opencve.io' ], 'login' => [ 'name' => 'Login', @@ -155,14 +155,14 @@ class OpenCVEBridge extends BridgeAbstract $titlePrefix = '[' . $queryName . '] '; } - foreach (json_decode($response) as $cveItem) { - if (array_key_exists($cveItem->id, $fetchedIds)) { + foreach (json_decode($response)->results as $cveItem) { + if (array_key_exists($cveItem->cve_id, $fetchedIds)) { continue; } - $fetchedIds[$cveItem->id] = true; + $fetchedIds[$cveItem->cve_id] = true; $item = [ - 'uri' => $instance . '/cve/' . $cveItem->id, - 'uid' => $cveItem->id, + 'uri' => $instance . '/cve/' . $cveItem->cve_id, + 'uid' => $cveItem->cve_id, ]; if ($this->getInput('upd_timestamp') == 1) { $item['timestamp'] = strtotime($cveItem->updated_at); @@ -179,7 +179,7 @@ class OpenCVEBridge extends BridgeAbstract $item['content'] = $content; $item['title'] = $title; } else { - $item['content'] = $cveItem->summary . $this->getLinks($cveItem->id); + $item['content'] = $cveItem->description . $this->getLinks($cveItem->cve_id); $item['title'] = $this->getTitle($titlePrefix, $cveItem); } $this->items[] = $item; @@ -193,17 +193,17 @@ class OpenCVEBridge extends BridgeAbstract private function getTitle($titlePrefix, $cveItem) { - $summary = $cveItem->summary; + $summary = $cveItem->description; $limit = $this->getInput('limit'); if ($limit && mb_strlen($summary) > 100) { $summary = mb_substr($summary, 0, $limit) + '...'; } - return $titlePrefix . $cveItem->id . '. ' . $summary; + return $titlePrefix . $cveItem->cve_id . '. ' . $summary; } private function fetchContents($cveItem, $titlePrefix, $instance, $authHeader) { - $url = $instance . '/api/cve/' . $cveItem->id; + $url = $instance . '/api/cve/' . $cveItem->cve_id; $response = getContents($url, [$authHeader]); $datum = json_decode($response); @@ -211,26 +211,36 @@ class OpenCVEBridge extends BridgeAbstract $title = $this->getTitleFromDatum($datum, $titlePrefix); $result = self::CSS; - $result .= '

' . $cveItem->id . '

'; + $result .= '

' . $cveItem->cve_id . '

'; $result .= $this->getCVSSLabels($datum); - $result .= '

' . $datum->summary . '

'; + $result .= '

' . $datum->description . '

'; $result .= <<Information:

EOD; - $result .= $this->getV3Table($datum); - $result .= $this->getV2Table($datum); + if (isset($datum->metrics->cvssV4_0->data->vector)) { + $result .= $this->cvssV4VectorToTable($datum->metrics->cvssV4_0->data->vector); + } - $result .= $this->getLinks($datum->id); - $result .= $this->getReferences($datum); + if (isset($datum->metrics->cvssV3_1->data->vector)) { + $result .= $this->cvssV3VectorToTable($datum->metrics->cvssV3_1->data->vector); + } + if (isset($datum->metrics->cvssV3_0->data->vector)) { + $result .= $this->cvssV3VectorToTable($datum->metrics->cvssV3_0->data->vector); + } + + if (isset($datum->metrics->cvssV2_0->data->vector)) { + $result .= $this->cvssV2VectorToTable($datum->metrics->cvssV2_0->data->vector); + } + + $result .= $this->getLinks($datum->cve_id); $result .= $this->getVendors($datum); return [$result, $title]; @@ -239,14 +249,20 @@ class OpenCVEBridge extends BridgeAbstract private function getTitleFromDatum($datum, $titlePrefix) { $title = $titlePrefix; - if ($datum->cvss->v3) { - $title .= "[v3: {$datum->cvss->v3}] "; + if (isset($datum->metrics->cvssV4_0->data->score)) { + $title .= "[v4: {$datum->metrics->cvssV4_0->data->score}] "; } - if ($datum->cvss->v2) { - $title .= "[v2: {$datum->cvss->v2}] "; + if (isset($datum->metrics->cvssV3_1->data->score)) { + $title .= "[v3.1: {$datum->metrics->cvssV3_1->data->score}] "; } - $title .= $datum->id . '. '; - $titlePostfix = $datum->summary; + if (isset($datum->metrics->cvssV3_0->data->score)) { + $title .= "[v3: {$datum->metrics->cvssV3_0->data->score}] "; + } + if (isset($datum->metrics->cvssV2_0->data->score)) { + $title .= "[v2: {$datum->metrics->cvssV2_0->data->score}] "; + } + $title .= $datum->cve_id . '. '; + $titlePostfix = $datum->description; $limit = $this->getInput('limit'); if ($limit && mb_strlen($titlePostfix) > 100) { $titlePostfix = mb_substr($titlePostfix, 0, $limit) + '...'; @@ -257,64 +273,49 @@ class OpenCVEBridge extends BridgeAbstract private function getCVSSLabels($datum) { - $CVSSv2Text = 'n/a'; - $CVSSv2Class = 'cvss-na-color'; - if ($datum->cvss->v2) { - $importance = ''; - if ($datum->cvss->v2 >= 7) { - $importance = 'HIGH'; - $CVSSv2Class = 'cvss-high-color'; - } else if ($datum->cvss->v2 >= 4) { - $importance = 'MEDIUM'; - $CVSSv2Class = 'cvss-medium-color'; - } else { - $importance = 'LOW'; - $CVSSv2Class = 'cvss-low-color'; - } - $CVSSv2Text = sprintf('[%s] %.1f', $importance, $datum->cvss->v2); + $cvss4 = ''; + $cvss31 = ''; + $cvss3 = ''; + $cvss2 = ''; + if (isset($datum->metrics->cvssV4_0->data->score)) { + $cvss4 = $this->formatCVSSLabel($datum->metrics->cvssV4_0->data->score, '4.0', 9, 7, 4); + } + if (isset($datum->metrics->cvssV3_1->data->score)) { + $cvss31 = $this->formatCVSSLabel($datum->metrics->cvssV3_1->data->score, '3.1', 9, 7, 4); + } + if (isset($datum->metrics->cvssV3_0->data->score)) { + $cvss3 = $this->formatCVSSLabel($datum->metrics->cvssV3_0->data->score, '3.0', 9, 7, 4); + } + if (isset($datum->metrics->cvssV2_0->data->score)) { + $cvss2 = $this->formatCVSSLabel($datum->metrics->cvssV2_0->data->score, '2.0', 99, 7, 4); } - $CVSSv2Item = "
CVSS v2:
{$CVSSv2Text}
"; - $CVSSv3Text = 'n/a'; - $CVSSv3Class = 'cvss-na-color'; - if ($datum->cvss->v3) { - $importance = ''; - if ($datum->cvss->v3 >= 9) { - $importance = 'CRITICAL'; - $CVSSv3Class = 'cvss-crit-color'; - } else if ($datum->cvss->v3 >= 7) { - $importance = 'HIGH'; - $CVSSv3Class = 'cvss-high-color'; - } else if ($datum->cvss->v3 >= 4) { - $importance = 'MEDIUM'; - $CVSSv3Class = 'cvss-medium-color'; - } else { - $importance = 'LOW'; - $CVSSv3Class = 'cvss-low-color'; - } - $CVSSv3Text = sprintf('[%s] %.1f', $importance, $datum->cvss->v3); - } - $CVSSv3Item = "
CVSS v3:
{$CVSSv3Text}
"; - return '
' . $CVSSv3Item . $CVSSv2Item . '
'; + return '
' . $cvss4 . $cvss31 . $cvss3 . $cvss2 . '
'; } - private function getReferences($datum) + private function formatCVSSLabel($score, $version, $critical_thr, $high_thr, $medium_thr) { - if (count($datum->raw_nvd_data->references) == 0) { - return ''; - } - $res = '

References:

'; - return $res; + $item = "
CVSS {$version}:
{$text}
"; + return $item; } private function getLinks($id) @@ -331,84 +332,253 @@ class OpenCVEBridge extends BridgeAbstract EOD; } - private function getV3Table($datum) + private function cvssV3VectorToTable($cvssVector) { - $metrics = $datum->raw_nvd_data->metrics; - if (!isset($metrics->cvssMetricV31) || count($metrics->cvssMetricV31) == 0) { - return ''; + $vectorComponents = []; + $parts = explode('/', $cvssVector); + + if (!preg_match('/^CVSS:3\.[01]/', $parts[0])) { + return 'Error: Not a valid CVSS v3.0 or v3.1 vector'; } - $v3 = $metrics->cvssMetricV31[0]; - $data = $v3->cvssData; - return << + + for ($i = 1; $i < count($parts); $i++) { + $component = explode(':', $parts[$i]); + if (count($component) == 2) { + $vectorComponents[$component[0]] = $component[1]; + } + } + + $readableNames = [ + 'AV' => ['N' => 'Network', 'A' => 'Adjacent', 'L' => 'Local', 'P' => 'Physical'], + 'AC' => ['L' => 'Low', 'H' => 'High'], + 'PR' => ['N' => 'None', 'L' => 'Low', 'H' => 'High'], + 'UI' => ['N' => 'None', 'R' => 'Required'], + 'S' => ['U' => 'Unchanged', 'C' => 'Changed'], + 'C' => ['N' => 'None', 'L' => 'Low', 'H' => 'High'], + 'I' => ['N' => 'None', 'L' => 'Low', 'H' => 'High'], + 'A' => ['N' => 'None', 'L' => 'Low', 'H' => 'High'] + ]; + + $data = new stdClass(); + $data->attackVector = isset($readableNames['AV'][$vectorComponents['AV']]) ? $readableNames['AV'][$vectorComponents['AV']] : 'Unknown'; + $data->attackComplexity = isset($readableNames['AC'][$vectorComponents['AC']]) ? $readableNames['AC'][$vectorComponents['AC']] : 'Unknown'; + $data->privilegesRequired = isset($readableNames['PR'][$vectorComponents['PR']]) ? $readableNames['PR'][$vectorComponents['PR']] : 'Unknown'; + $data->userInteraction = isset($readableNames['UI'][$vectorComponents['UI']]) ? $readableNames['UI'][$vectorComponents['UI']] : 'Unknown'; + $data->scope = isset($readableNames['S'][$vectorComponents['S']]) ? $readableNames['S'][$vectorComponents['S']] : 'Unknown'; + $data->confidentialityImpact = isset($readableNames['C'][$vectorComponents['C']]) ? $readableNames['C'][$vectorComponents['C']] : 'Unknown'; + $data->integrityImpact = isset($readableNames['I'][$vectorComponents['I']]) ? $readableNames['I'][$vectorComponents['I']] : 'Unknown'; + $data->availabilityImpact = isset($readableNames['A'][$vectorComponents['A']]) ? $readableNames['A'][$vectorComponents['A']] : 'Unknown'; + + $html = '

CVSS v3 details

- - + + - - + + - - + + - - - - - - + +
Impact score{$v3->impactScore}Exploitability score{$v3->exploitabilityScore}Attack vector' . $data->attackVector . 'Confidentiality Impact' . $data->confidentialityImpact . '
Attack vector{$data->attackVector}Confidentiality Impact{$data->confidentialityImpact}Attack complexity' . $data->attackComplexity . 'Integrity Impact' . $data->integrityImpact . '
Attack complexity{$data->attackComplexity}Integrity Impact{$data->integrityImpact}Privileges Required' . $data->privilegesRequired . 'Availability Impact' . $data->availabilityImpact . '
Privileges Required{$data->privilegesRequired}Availability Impact{$data->availabilityImpact}
User Interaction{$data->userInteraction}Scope{$data->scope}User Interaction' . $data->userInteraction . 'Scope' . $data->scope . '
-
- EOD; + '; + + return $html; } - private function getV2Table($datum) + private function cvssV2VectorToTable($cvssVector) { - $metrics = $datum->raw_nvd_data->metrics; - if (!isset($metrics->cvssMetricV2) || count($metrics->cvssMetricV2) == 0) { - return ''; + $vectorComponents = []; + $parts = explode('/', $cvssVector); + + foreach ($parts as $part) { + $component = explode(':', $part); + if (count($component) == 2) { + $vectorComponents[$component[0]] = $component[1]; + } } - $v2 = $metrics->cvssMetricV2[0]; - $data = $v2->cvssData; - return << + + $readableNames = [ + 'AV' => ['L' => 'Local', 'A' => 'Adjacent Network', 'N' => 'Network'], + 'AC' => ['H' => 'High', 'M' => 'Medium', 'L' => 'Low'], + 'Au' => ['M' => 'Multiple', 'S' => 'Single', 'N' => 'None'], + 'C' => ['N' => 'None', 'P' => 'Partial', 'C' => 'Complete'], + 'I' => ['N' => 'None', 'P' => 'Partial', 'C' => 'Complete'], + 'A' => ['N' => 'None', 'P' => 'Partial', 'C' => 'Complete'] + ]; + + $metricValues = [ + 'AV' => ['L' => 0.395, 'A' => 0.646, 'N' => 1.0], + 'AC' => ['H' => 0.35, 'M' => 0.61, 'L' => 0.71], + 'Au' => ['M' => 0.45, 'S' => 0.56, 'N' => 0.704], + 'C' => ['N' => 0, 'P' => 0.275, 'C' => 0.660], + 'I' => ['N' => 0, 'P' => 0.275, 'C' => 0.660], + 'A' => ['N' => 0, 'P' => 0.275, 'C' => 0.660] + ]; + + $confImpact = isset($metricValues['C'][$vectorComponents['C']]) ? $metricValues['C'][$vectorComponents['C']] : 0; + $integImpact = isset($metricValues['I'][$vectorComponents['I']]) ? $metricValues['I'][$vectorComponents['I']] : 0; + $availImpact = isset($metricValues['A'][$vectorComponents['A']]) ? $metricValues['A'][$vectorComponents['A']] : 0; + + $impact = 10.41 * (1 - (1 - $confImpact) * (1 - $integImpact) * (1 - $availImpact)); + + $av = isset($metricValues['AV'][$vectorComponents['AV']]) ? $metricValues['AV'][$vectorComponents['AV']] : 0; + $ac = isset($metricValues['AC'][$vectorComponents['AC']]) ? $metricValues['AC'][$vectorComponents['AC']] : 0; + $au = isset($metricValues['Au'][$vectorComponents['Au']]) ? $metricValues['Au'][$vectorComponents['Au']] : 0; + + $exploitability = 20 * $av * $ac * $au; + + $impact = round($impact, 1); + $exploitability = round($exploitability, 1); + + $data = new stdClass(); + $data->accessVector = isset($readableNames['AV'][$vectorComponents['AV']]) ? $readableNames['AV'][$vectorComponents['AV']] : 'Unknown'; + $data->accessComplexity = isset($readableNames['AC'][$vectorComponents['AC']]) ? $readableNames['AC'][$vectorComponents['AC']] : 'Unknown'; + $data->authentication = isset($readableNames['Au'][$vectorComponents['Au']]) ? $readableNames['Au'][$vectorComponents['Au']] : 'Unknown'; + $data->confidentialityImpact = isset($readableNames['C'][$vectorComponents['C']]) ? $readableNames['C'][$vectorComponents['C']] : 'Unknown'; + $data->integrityImpact = isset($readableNames['I'][$vectorComponents['I']]) ? $readableNames['I'][$vectorComponents['I']] : 'Unknown'; + $data->availabilityImpact = isset($readableNames['A'][$vectorComponents['A']]) ? $readableNames['A'][$vectorComponents['A']] : 'Unknown'; + + $v2 = new stdClass(); + $v2->impactScore = $impact; + $v2->exploitabilityScore = $exploitability; + + $html = '

CVSS v2 details

- - + + - - + + - - + + - - + + -
Impact score{$v2->impactScore}Exploitability score{$v2->exploitabilityScore}Impact score' . $v2->impactScore . 'Exploitability score' . $v2->exploitabilityScore . '
Access Vector{$data->accessVector}Confidentiality Impact{$data->confidentialityImpact}Access Vector' . $data->accessVector . 'Confidentiality Impact' . $data->confidentialityImpact . '
Access Complexity{$data->accessComplexity}Integrity Impact{$data->integrityImpact}Access Complexity' . $data->accessComplexity . 'Integrity Impact' . $data->integrityImpact . '
Authentication{$data->authentication}Availability Impact{$data->availabilityImpact}Authentication' . $data->authentication . 'Availability Impact' . $data->availabilityImpact . '
-
- EOD; + '; + + return $html; } + private function cvssV4VectorToTable($cvssVector) + { + $vectorComponents = []; + $parts = explode('/', $cvssVector); + + if (!preg_match('/^CVSS:4\.0/', $parts[0])) { + return 'Error: Not a valid CVSS v4.0 vector'; + } + + for ($i = 1; $i < count($parts); $i++) { + $component = explode(':', $parts[$i]); + if (count($component) == 2) { + $vectorComponents[$component[0]] = $component[1]; + } + } + + $readableNames = [ + 'AV' => ['N' => 'Network', 'A' => 'Adjacent', 'L' => 'Local', 'P' => 'Physical'], + 'AC' => ['L' => 'Low', 'H' => 'High'], + 'AT' => ['N' => 'None', 'P' => 'Present'], + 'PR' => ['N' => 'None', 'L' => 'Low', 'H' => 'High'], + 'UI' => ['N' => 'None', 'P' => 'Passive', 'A' => 'Active'], + 'VC' => ['N' => 'None', 'L' => 'Low', 'H' => 'High'], + 'VI' => ['N' => 'None', 'L' => 'Low', 'H' => 'High'], + 'VA' => ['N' => 'None', 'L' => 'Low', 'H' => 'High'], + 'SC' => ['N' => 'None', 'L' => 'Low', 'H' => 'High'], + 'SI' => ['N' => 'None', 'L' => 'Low', 'H' => 'High'], + 'SA' => ['N' => 'None', 'L' => 'Low', 'H' => 'High'] + ]; + + $data = new stdClass(); + $data->attackVector = isset($readableNames['AV'][$vectorComponents['AV']]) ? $readableNames['AV'][$vectorComponents['AV']] : 'Unknown'; + $data->attackComplexity = isset($readableNames['AC'][$vectorComponents['AC']]) ? $readableNames['AC'][$vectorComponents['AC']] : 'Unknown'; + $data->privilegesRequired = isset($readableNames['PR'][$vectorComponents['PR']]) ? $readableNames['PR'][$vectorComponents['PR']] : 'Unknown'; + $data->attackRequirements = isset($readableNames['AT'][$vectorComponents['AT']]) ? $readableNames['AT'][$vectorComponents['AT']] : 'Unknown'; + $data->userInteraction = isset($readableNames['UI'][$vectorComponents['UI']]) ? $readableNames['UI'][$vectorComponents['UI']] : 'Unknown'; + $data->confidentialityImpact = isset($readableNames['VC'][$vectorComponents['VC']]) ? $readableNames['VC'][$vectorComponents['VC']] : 'Unknown'; + $data->integrityImpact = isset($readableNames['VI'][$vectorComponents['VI']]) ? $readableNames['VI'][$vectorComponents['VI']] : 'Unknown'; + $data->availabilityImpact = isset($readableNames['VA'][$vectorComponents['VA']]) ? $readableNames['VA'][$vectorComponents['VA']] : 'Unknown'; + $data->confidentialityImpactS = isset($readableNames['SC'][$vectorComponents['SC']]) ? $readableNames['SC'][$vectorComponents['SC']] : 'Unknown'; + $data->integrityImpactS = isset($readableNames['SI'][$vectorComponents['SI']]) ? $readableNames['SI'][$vectorComponents['SI']] : 'Unknown'; + $data->availabilityImpactS = isset($readableNames['SA'][$vectorComponents['SA']]) ? $readableNames['SA'][$vectorComponents['SA']] : 'Unknown'; + + $html = '
+

CVSS v4.0 details

+ + + + + + + + + + + + + + + + + + + + + + + + + +
Attack vector' . $data->attackVector . 'Vulnerable System Confidentiality Impact' . $data->confidentialityImpact . '
Attack complexity' . $data->attackComplexity . 'Vulnerable System Integrity Impact' . $data->integrityImpact . '
Privileges Required' . $data->privilegesRequired . 'Vulnerable System Availability Impact' . $data->availabilityImpact . '
Attack Requirements' . $data->attackRequirements . 'Subsequent System Confidentiality Impact' . $data->confidentialityImpactS . '
User Interaction' . $data->userInteraction . 'Subsequent System Integrity Impact' . $data->integrityImpactS . '
Subsequent System Avaliablity Impact' . $data->availabilityImpactS . '
+
'; + + return $html; + } + + private function getVendors($datum) { if (count((array)$datum->vendors) == 0) { return ''; } + + $vendor_data = []; + foreach ($datum->vendors as $vendor_str) { + $pieces = explode('$PRODUCT$', $vendor_str); + if (count($pieces) == 1) { + $vendor = $pieces[0]; + if (!array_key_exists($vendor, $vendor_data)) { + $vendor_data[$vendor] = []; + } + } else { + $vendor = $pieces[0]; + $product = $pieces[1]; + if (!array_key_exists($vendor, $vendor_data)) { + $vendor_data[$vendor] = []; + } + array_push($vendor_data[$vendor], $product); + } + } + $res = '

Affected products

    '; - foreach ($datum->vendors as $vendor => $products) { + foreach ($vendor_data as $vendor => $products) { $res .= "
  • {$vendor}"; if (count($products) > 0) { $res .= '
      '; @@ -420,5 +590,6 @@ class OpenCVEBridge extends BridgeAbstract $res .= ''; } $res .= '

    '; + return $res; } }