Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[RFC] cpesearch: Use NIST api to filter out deprecated CPEs #2511

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

[RFC] cpesearch: Use NIST api to filter out deprecated CPEs #2511

wants to merge 1 commit into from
+12 −6

Conversation

Staudey
Copy link
Member

@Staudey Staudey commented May 9, 2024

Summary

This makes the cpesearch helper function use the NIST website API instead of cve-search.org to enable the filtering out of deprecated CPEs.

Example output:

cpe:2.3:a:steam_group_viewer_project:steam_group_viewer
cpe:2.3:a:valvesoftware:steam_client
cpe:2.3:h:valvesoftware:steam_link
cpe:2.3:o:valvesoftware:steam_link_firmware
cpe:2.3:o:valvesoftware:steamos

Verify successful hits by visiting https://cve.circl.lu/search/$VENDOR/$PRODUCT
- CPE entries for software applications have the form 'cpe:2.3:a:$VENDOR:$PRODUCT'

Old output:

[
  [
    27283,
    "cpe:2.3:a:valve:steam"
  ],
  [
    57210,
    "cpe:2.3:h:valvesoftware:steam_link"
  ],
  [
    88067,
    "cpe:2.3:a:valvesoftware:steam"
  ],
  [
    102861,
    "cpe:2.3:a:steam_group_viewer_project:steam_group_viewer"
  ],
  [
    116769,
    "cpe:2.3:a:valvesoftware:steam_client"
  ],
  [
    119716,
    "cpe:2.3:o:valvesoftware:steam_link_firmware"
  ]
]

Note that cpe:2.3:a:valvesoftware:steam and cpe:2.3:a:valve:steam are deprecated

Considerations:

  • Hardcode ":a:" in cpeMatchString to only match applications?
    I'm not sure if we need e.g. ":h:" in some cases (for drivers?)

  • Also search vendor part of the CPEs?
    This would require a second request as far as I can see

  • Allow matches with a prefix?
    With the current version only suffixes to the searched string are allowed (to catch things like _client and so on). This could be an issue with libraries that may or may not start with lib at times. On the other hand extending the wildcarding so prefixes are allowed produces A LOT of matches at times. I don't think the API itself allows finer-grained controls but additional filtering could be done in jq which has regex support
    Example of searching for steam with prefixes allowed:

cpe:2.3:a:archisteamfarm_project:archisteamfarm
cpe:2.3:a:dalmark:systeam_enterprise_resource_planning
cpe:2.3:a:jenkins:msteams_webhook_trigger
cpe:2.3:a:steam_group_viewer_project:steam_group_viewer
cpe:2.3:a:valvesoftware:steam_client
cpe:2.3:h:valvesoftware:steam_link
cpe:2.3:o:valvesoftware:steam_link_firmware
cpe:2.3:o:valvesoftware:steamos

@Staudey Staudey marked this pull request as draft May 9, 2024 10:13
@Staudey Staudey mentioned this pull request May 9, 2024
Open
@ermo ermo added Type: Feature Something can be enhanced. Topic: Tooling Tools and scripts labels Oct 20, 2024
@ermo ermo added this to the Solus 4.7 milestone Oct 20, 2024
silkeh
silkeh reviewed Oct 20, 2024
View reviewed changes
common/Scripts/helpers.fish
Comment on lines 11 to 20
if test "$argv[1]" = "--help"; or test "$argv[1]" = "-h"; or test (count $argv) -ne 1
echo "usage: cpesearch <package-name>"
else
curl -s -X POST https://cpe-guesser.cve-search.org/search -d "{\"query\": [\"$argv[1]\"]}" | jq .
curl -s "https://services.nvd.nist.gov/rest/json/cpes/2.0?cpeMatchString=cpe:2.3:*:*:$argv[1]*" |\
jq 'del(.products.[] | select(.cpe.deprecated == true))' | jq -r '.products.[].cpe.cpeName' |\
cut -d":" -f1-5 | sort -u

echo "Verify successful hits by visiting https://cve.circl.lu/search/\$VENDOR/\$PRODUCT"
echo -e "\nVerify successful hits by visiting https://cve.circl.lu/search/\$VENDOR/\$PRODUCT"
echo "- CPE entries for software applications have the form 'cpe:2.3:a:\$VENDOR:\$PRODUCT"
end
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel like at this point it might be a good idea to consolidate this by moving it to a bash script in common/Scripts and calling that here instead.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, it's more of a proof of concept (also it grew a bit more unwieldy than I initially expected ^^)

@ermo
Copy link
Contributor

ermo commented Oct 20, 2024
edited
Loading

@Staudey

For the sake of argument, could we, say, allow allow searches w/prefixes and then filter on 'cpe:2.3:(a|h):' client side for instance?

And, building on Silke's comment above, if this were a python script, would that give us more options re. using it from different shells?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@silkeh silkeh silkeh left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
Topic: Tooling Tools and scripts Type: Feature Something can be enhanced.
Projects
Solus
Status: Needs More Info
Tool Maintenance
Status: Todo
Milestone
Solus 4.7 Software Centers, Installer...
Development

Successfully merging this pull request may close these issues.
3 participants
@Staudey @ermo @silkeh