Mercurial > farol > farolluz

comparison farolluz/vulnerability.py @ 26:809db989cac5

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Reorganize the code in smaller mpodules
author Benoît Allard <benoit.allard@greenbone.net>
date Fri, 24 Oct 2014 17:01:26 +0200
parents farolluz/cvrf.py@4004b67216a9
children e317097af486
comparison
equal deleted inserted replaced
25:3cab052872f4 26:809db989cac5
1 # -*- coding: utf-8 -*-
2 #
3 # Authors:
4 # BenoƮt Allard <benoit.allard@greenbone.net>
5 #
6 # Copyright:
7 # Copyright (C) 2014 Greenbone Networks GmbH
8 #
9 # This program is free software; you can redistribute it and/or
10 # modify it under the terms of the GNU General Public License
11 # as published by the Free Software Foundation; either version 2
12 # of the License, or (at your option) any later version.
13 #
14 # This program is distributed in the hope that it will be useful,
15 # but WITHOUT ANY WARRANTY; without even the implied warranty of
16 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 # GNU General Public License for more details.
18 #
19 # You should have received a copy of the GNU General Public License
20 # along with this program; if not, write to the Free Software
21 # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
22
23 """\
24 Vulnerability Objects related to CVRF Documents
25 """
26
27 from .common import ValidationError
28 from .document import CVRFPublisher
29
30
31 class CVRFVulnerabilityID(object):
32 def __init__(self, systemname, value):
33 self._systemname = systemname
34 self._value = value
35
36 def validate(self):
37 if not self._systemname:
38 raise ValidationError('A Vulnerability ID must have a System Name')
39 if not self._value:
40 raise ValidationError('A Vulnerability ID must have a value')
41
42
43 class CVRFVulnerability(object):
44 def __init__(self, ordinal):
45 self._ordinal = ordinal
46 self._title = None
47 self._id = None
48 self._notes = []
49 self._discoverydate = None
50 self._releasedate = None
51 self._involvements = []
52 self._cve = None
53 self._cwes = []
54 self._productstatuses = []
55 self._threats = []
56 self._cvsss = []
57 self._remediations = []
58 self._references = []
59 self._acknowledgments = []
60
61 def setTitle(self, title):
62 self._title = title
63
64 def setID(self, _id):
65 self._id = _id
66
67 def addNote(self, note):
68 self._notes.append(note)
69
70 def setDiscoveryDate(self, date):
71 self._discoverydate = date
72
73 def setReleaseDate(self, date):
74 self._releasedate = date
75
76 def addInvolvement(self, involvement):
77 self._involvements.append(involvement)
78
79 def setCVE(self, cve):
80 self._cve = cve
81
82 def addCWE(self, cwe):
83 self._cwes.append(cwe)
84
85 def addProductStatus(self, productstatus):
86 self._productstatuses.append(productstatus)
87
88 def addThreat(self, threat):
89 self._threats.append(threat)
90
91 def addCVSSSet(self, cvss_set):
92 self._cvsss.append(cvss_set)
93
94 def addRemediation(self, remediation):
95 self._remediations.append(remediation)
96
97 def addReference(self, ref):
98 self._references.append(ref)
99
100 def addAcknowledgment(self, ack):
101 self._acknowledgments.append(ack)
102
103 def getTitle(self):
104 """ return something that can be used as a title """
105 if self._title:
106 if self._id:
107 return "%s (%s)" % (self._title, self._id._value)
108 return self._title
109 if self._id:
110 return self._id._value
111 return "#%d" % self._ordinal
112
113 def getNote(self, ordinal):
114 for note in self._notes:
115 if note._ordinal == ordinal:
116 return note
117 return None
118
119 def mentionsProdId(self, productid):
120 """ Returns in which sub element, self is mentioning the productid """
121 for category in (self._productstatuses, self._threats, self._cvsss, self._remediations):
122 for subelem in category:
123 if productid in subelem._productids:
124 yield subelem
125
126 def isMentioningProdId(self, productid):
127 """ Returns if self is mentioning the productid """
128 for e in self.mentionsProdId(productid):
129 # We only need to know if the generator yield at least one elem.
130 return True
131 return False
132
133 def mentionsGroupId(self, groupid):
134 for category in (self._threats, self._remediations):
135 for subelem in category:
136 if groupid in subelem._groupids:
137 yield subelem
138
139 def isMentioningGroupId(self, groupids):
140 """ Make sure you call this with a list (not a generator or a tuple)
141 when wished """
142 if not isinstance(groupids, list):
143 groupids = [groupids]
144 for groupid in groupids:
145 for _ in self.mentionsGroupId(groupid):
146 # We only need to know if the generator yield at least one elem.
147 return True
148 return False
149
150 def validate(self, productids, groupids):
151 if not self._ordinal:
152 raise ValidationError('A Vulnerability must have an ordinal')
153 if self._id is not None:
154 self._id.validate()
155 ordinals = set()
156 for note in self._notes:
157 note.validate()
158 if note._ordinal in ordinals:
159 raise ValidationError('Vulnerability Note Ordinal %d duplicated' % note._ordinal)
160 ordinals.add(note._ordinal)
161 for involvement in self._involvements:
162 involvement.validate()
163 for cwe in self._cwes:
164 cwe.validate()
165 for status in self._productstatuses:
166 status.validate(productids)
167 pids = set()
168 for status in self._productstatuses:
169 for pid in status._productids:
170 if pid in pids:
171 raise ValidationError('ProductID %s mentionned in two different ProductStatuses for Vulnerability %d' % (pid, self._ordinal))
172 pids.add(pid)
173 for threat in self._threats:
174 threat.validate(productids, groupids)
175 for cvss in self._cvsss:
176 cvss.validate(productids)
177 pids = set()
178 for cvss in self._cvsss:
179 for pid in (cvss._productids or productids):
180 if pid in pids:
181 raise ValidationError('ProductID %s mentionned in two different CVSS Score Sets for Vulnerability %d' % (pid, self._ordinal))
182 pids.add(pid)
183 for remediation in self._remediations:
184 remediation.validate(productids, groupids)
185 for reference in self._references:
186 reference.validate()
187 for acknowledgment in self._acknowledgments:
188 acknowledgment.validate()
189
190
191 class CVRFInvolvement(object):
192 PARTIES = CVRFPublisher.TYPES
193 STATUSES = ('Open', 'Disputed', 'In Progress', 'Completed',
194 'Contact Attempted', 'Not Contacted')
195 def __init__(self, party, status):
196 self._party = party
197 self._status = status
198 self._description = None
199
200 def setDescription(self, description):
201 self._description = description
202
203 def getTitle(self):
204 return "From %s: %s" % (self._party, self._status)
205
206 def validate(self):
207 if not self._party:
208 raise ValidationError('An Involvement must have a Party')
209 if self._party not in self.PARTIES:
210 raise ValidationError("An Involvement's Party must be one of %s" % ', '.join(self.PARTIES))
211 if not self._status:
212 raise ValidationError('An Involvement must have a Status')
213 if self._status not in self.STATUSES:
214 raise ValidationError("An Involvement's Status must be one of %s" % ', '.join(self.STATUSES))
215
216
217 class CVRFCWE(object):
218 def __init__(self, _id, value):
219 self._id = _id
220 self._value = value
221
222 def validate(self):
223 if not self._id:
224 raise ValidationError('A CWE must have an ID')
225 if not self._value:
226 raise ValidationError('A CWE must have a description')
227
228
229 class CVRFProductStatus(object):
230 TYPES = ('First Affected', 'Known Affected', 'Known Not Affected',
231 'First Fixed', 'Fixed', 'Recommended', 'Last Affected')
232 NAME = "Product Status"
233 def __init__(self, _type):
234 self._type = _type
235 self._productids = []
236
237 def addProductID(self, productid):
238 self._productids.append(productid)
239
240 def getTitle(self):
241 return "%s: %d products" % (self._type, len(self._productids))
242
243 def validate(self, productids):
244 if not self._type:
245 raise ValidationError('A Product Status must have a Type')
246 if self._type not in self.TYPES:
247 raise ValidationError("A Product Status' Type must be one of %s" % ', '.join(self.TYPES))
248 if len(self._productids) < 1:
249 raise ValidationError('A Product Status must mention at least one Product')
250 for productid in self._productids:
251 if productid not in productids:
252 raise ValidationError('Unknown ProductID: %s' % productid)
253
254
255 class CVRFThreat(object):
256 TYPES = ('Impact', 'Exploit Status', 'Target Set')
257 NAME = "Threat"
258 def __init__(self, _type, description):
259 self._type = _type
260 self._description = description
261 self._date = None
262 self._productids = []
263 self._groupids = []
264
265 def setDate(self, date):
266 self._date = date
267
268 def addProductID(self, productid):
269 self._productids.append(productid)
270
271 def addGroupID(self, groupid):
272 self._groupids.append(groupid)
273
274 def getTitle(self):
275 return self._type
276
277 def validate(self, productids, groupids):
278 if not self._type:
279 raise ValidationError('A Threat must have a Type')
280 if self._type not in self.TYPES:
281 raise ValidationError("A Threat's Type must be one of %s" % ', '.join(self.TYPES))
282 if not self._description:
283 raise ValidationError('A Threat must have a Description')
284 for productid in self._productids:
285 if productid not in productids:
286 raise ValidationError('Unknown ProductID: %s' % productid)
287 for groupid in self._groupids:
288 if groupid not in groupids:
289 raise ValidationError('Unknown GroupID: %s' % groupid)
290
291
292 class CVRFCVSSSet(object):
293 # To determine the base Score
294 VALUES = {'AV': {'L':0.395, 'A':0.646, 'N':1.0},
295 'AC': {'H':0.35, 'M':0.61 ,'L':0.71},
296 'Au': {'M':0.45, 'S':0.56, 'N':0.704},
297 'C': {'N':0.0, 'P':0.275, 'C':0.66},
298 'I': {'N':0.0, 'P':0.275, 'C':0.66},
299 'A': {'N':0.0, 'P':0.275, 'C':0.66}}
300 NAME = "CVSS Score Set"
301 def __init__(self, basescore):
302 self._basescore = basescore
303 self._temporalscore = None
304 self._environmentalscore = None
305 self._vector = None
306 self.vector = None
307 self._productids = []
308
309 def setTemporalScore(self, tempscore):
310 self._temporalscore = tempscore
311
312 def setEnvironmentalScore(self, envscore):
313 self._environmentalscore = envscore
314
315 def setVector(self, vector):
316 self._vector = vector
317 if vector is None:
318 self.vector = vector
319 return
320 try:
321 self.vector = {}
322 for component in vector[:26].split('/'):
323 name, value = component.split(':')
324 self.vector[name] = self.VALUES[name][value]
325 except (KeyError, ValueError):
326 self.vector = None
327
328 def addProductID(self, productid):
329 self._productids.append(productid)
330
331 def baseScore(self):
332 v = self.vector # make an alias for shorter lines
333 exploitability = 20 * v['AV'] * v['AC'] * v['Au']
334 impact = 10.41 * (1 - (1 - v['C']) * (1 - v['I']) * (1 - v['A']))
335 def f(i): return 0 if i == 0 else 1.176
336 return ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f(impact)
337
338 def validate(self, productids):
339 if not self._basescore:
340 raise ValidationError('A CVSS Score Set must have a Base Score')
341 if self._vector and not self.vector:
342 raise ValidationError('Syntax Error in CVSS Vector')
343 if self.vector and (abs(self._basescore - self.baseScore()) >= 0.05):
344 raise ValidationError('Inconsistency in CVSS Score Set between Vector (%f) and Base Score (%f)' % (self.baseScore(), self._basescore))
345 for productid in self._productids:
346 if productid not in productids:
347 raise ValidationError('Unknown ProductID: %s' % productid)
348
349
350 class CVRFRemediation(object):
351 TYPES = ('Workaround', 'Mitigation', 'Vendor Fix', 'None Available',
352 'Will Not Fix')
353 NAME = "Remediation"
354 def __init__(self, _type, description):
355 self._type = _type
356 self._description = description
357 self._date = None
358 self._entitlement = None
359 self._url = None
360 self._productids = []
361 self._groupids = []
362
363 def setDate(self, date):
364 self._date = date
365
366 def setEntitlement(self, entitlement):
367 self._entitlement = entitlement
368
369 def setURL(self, url):
370 self._url = url
371
372 def addProductID(self, productid):
373 self._productids.append(productid)
374
375 def addGroupID(self, groupid):
376 self._groupids.append(groupid)
377
378 def getTitle(self):
379 return self._type
380
381 def validate(self, productids, groupids):
382 if not self._type:
383 raise ValidationError('A Remediation must have a Type')
384 if self._type not in self.TYPES:
385 raise ValidationError("A Remediation's Type must be one of %s" % ', '.join(self.TYPES))
386 if not self._description:
387 raise ValidationError('A Remediation must have a Description')
388 for productid in self._productids:
389 if productid not in productids:
390 raise ValidationError('Unknown ProductID: %s' % productid)
391 for groupid in self._groupids:
392 if groupid not in groupids:
393 raise ValidationError('Unknown GroupID: %s' % groupid)
394
This site is hosted by Intevation GmbH (Datenschutzerklärung und Impressum | Privacy Policy and Imprint)