From f84a0a3cffefb2da6d79f9e4cad3bd53f9582fe9 Mon Sep 17 00:00:00 2001
From: Coopermassaki <1277145053@qq.com>
Date: Thu, 18 Jul 2024 20:30:47 +0800
Subject: [PATCH 1/5] determine whether the issue vector and score are consistent
---
 cve-vulner-manager/conf/app.conf | 31 +++++-
 cve-vulner-manager/conf/product_app.conf | 31 +++++-
 cve-vulner-manager/controllers/hook.go | 7 ++
 cve-vulner-manager/cve-ddd/app/coldpatch.go | 11 ++-
 cve-vulner-manager/cve-ddd/domain/collect.go | 1 +
 .../infrastructure/repositoryimpl/impl.go | 1 +
 cve-vulner-manager/util/calculator.go | 95 +++++++++++++++++++
 7 files changed, 174 insertions(+), 3 deletions(-)
 create mode 100644 cve-vulner-manager/util/calculator.go
diff --git a/cve-vulner-manager/conf/app.conf b/cve-vulner-manager/conf/app.conf
index a55be14..7e68e84 100644
--- a/cve-vulner-manager/conf/app.conf
+++ b/cve-vulner-manager/conf/app.conf
@@ -285,4 +285,33 @@ git_openlookeng_token = "${GITEE_OPENLOOKENG_TOKEN||xxx}"
 openlookeng_version = "master"
 
 [majun]
-token = "${GITEE_MAJUN_TOKEN||xxx}"
\ No newline at end of file
+token = "${GITEE_MAJUN_TOKEN||xxx}"
+
+[metrics]
+AVN = 0.85
+AVA = 0.62
+AVL = 0.55
+AVP = 0.20
+ACL = 0.77
+ACH = 0.44
+UIN = 0.85
+UIR = 0.62
+CN = 0
+CL = 0.22
+CH = 0.56
+IN = 0
+IL = 0.22
+IH = 0.56
+AN = 0
+AL = 0.22
+AH = 0.56
+
+[changedpr]
+PRN = 0.85
+PRL = 0.68
+PRH = 0.50
+
+[unchangedpr]
+PRN = 0.85
+PRL = 0.62
+PRH = 0.27
\ No newline at end of file
diff --git a/cve-vulner-manager/conf/product_app.conf b/cve-vulner-manager/conf/product_app.conf
index 52dfc21..c3cf125 100644
--- a/cve-vulner-manager/conf/product_app.conf
+++ b/cve-vulner-manager/conf/product_app.conf
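Review bot: The `[metrics]`, `[changedpr]` and `[unchangedpr]` values added here are the fixed CVSS v3.1 base-metric weights (AV:N 0.85, AC:L 0.77, PR:N 0.85, C/I/A:H 0.56 and so on), not deployment tunables, yet they sit in the editable app.conf and are duplicated verbatim in product_app.conf; an edit to, or drift between, the two files silently changes every score the new calculator produces, and because that calculator reads each key with a default of 0, a deleted or misspelled key turns that factor into 0 instead of an error. I would put a header comment above `[metrics]`, e.g. `# CVSS v3.1 base-metric weights (spec Table 8). Not tunable: CalculateCVSSV3BaseScore compares its result with the stored score; keep identical to product_app.conf. Key = vector segment without the colon (AV:N -> AVN).`, or better, move the weights into the Go constants beside the impact/exploitability factors so they cannot be edited per deployment at all.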
@@ -282,4 +282,33 @@ openlookeng_version = "master"
 token = "${GITEE_MAJUN_TOKEN||xxx}"
 api_token = "${MAJUN_API_TOKEN||xxx}"
 app_id = "${MAJUN_APP_ID||xxx}"
-secret_key = "${MAJUN_SECRET_KEY||xxx}"
\ No newline at end of file
+secret_key = "${MAJUN_SECRET_KEY||xxx}"
+
+[metrics]
+AVN = 0.85
+AVA = 0.62
+AVL = 0.55
+AVP = 0.20
+ACL = 0.77
+ACH = 0.44
+UIN = 0.85
+UIR = 0.62
+CN = 0
+CL = 0.22
+CH = 0.56
+IN = 0
+IL = 0.22
+IH = 0.56
+AN = 0
+AL = 0.22
+AH = 0.56
+
+[changedpr]
+PRN = 0.85
+PRL = 0.68
+PRH = 0.50
+
+[unchangedpr]
+PRN = 0.85
+PRL = 0.62
+PRH = 0.27
\ No newline at end of file
diff --git a/cve-vulner-manager/controllers/hook.go b/cve-vulner-manager/controllers/hook.go
index fce3df2..7120f5f 100644
--- a/cve-vulner-manager/controllers/hook.go
+++ b/cve-vulner-manager/controllers/hook.go
@@ -1863,6 +1863,13 @@ func analysisComment(owner, accessToken, path string, cuAccount string, cBody st
 issueTmp.IssueStatus = 3
 //2. Are the cvsScore and openEuler score equal .If not equal, notify the auditor to review .
 var na string
+
+ if util.CalculateCVSSV3BaseScore(issueTmp.OpenEulerVector) != issueTmp.OpenEulerScore {
+ cc := fmt.Sprintf("@%v CVSS评分和矢量值不一致,请修改至矢量值和CVSS评分一致!", issueTmp.Assignee)
+ taskhandler.AddCommentToIssue(cc, issueTmp.IssueNum, owner, path, accessToken)
+ return
+ }
+
 if issueTmp.OpenEulerScore != issueTmp.NVDScore && issueTmp.OpenEulerScore > 0 &&
 issueTmp.NVDScore > 0 && issueTmp.OpAuditFlag == 0 {
 na = "\n**因OpenEulerScore与NvdScore不一致,分析内容需审核,请等待安全组审核!**"
diff --git a/cve-vulner-manager/cve-ddd/app/coldpatch.go b/cve-vulner-manager/cve-ddd/app/coldpatch.go
index d6a30d5..5db034e 100644
--- a/cve-vulner-manager/cve-ddd/app/coldpatch.go
+++ b/cve-vulner-manager/cve-ddd/app/coldpatch.go
@@ -22,6 +22,7 @@ import (
 "cvevulner/cve-ddd/domain/obs"
 "cvevulner/cve-ddd/domain/repository"
 "cvevulner/cve-ddd/domain/updateinfo"
+ vulnerutils "cvevulner/util"
 )
 
 const (
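Review bot: The new early return in analysisComment treats every non-matching result as a score/vector mismatch, but CalculateCVSSV3BaseScore (added as a whole file later in this patch) also yields 0 when the vector is absent or cannot be parsed, so an issue that carries a score but no or a malformed `openeuler_vector` gets the "inconsistent" comment and the `return` then skips everything that follows this hunk, including the audit path. Both values appear to be parsed from the issue comment (`cBody`), i.e. from untrusted input, so I would surface the computed value so the assignee can tell a typo from a real mismatch: `if calc := util.CalculateCVSSV3BaseScore(issueTmp.OpenEulerVector); calc != issueTmp.OpenEulerScore {` and `cc := fmt.Sprintf("@%v CVSS评分(%v)与矢量值计算得分(%v)不一致,请修改至一致!", issueTmp.Assignee, issueTmp.OpenEulerScore, calc)`. A short comment that the comparison is exact float equality and relies on Roundup producing the same one-decimal value as the parsed score would also help the next reader. analysisComment begins and ends outside this hunk.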
@@ -207,7 +208,15 @@ func (c *coldPatchService) collectAllData() (map[string]domain.CollectedDataSlic
 concurrencyInstance := NewConcurrency(c, issueData, sets.New(allPackage...), sets.New(handleBranch...))
 filteredData := concurrencyInstance.handleFilterData()
 
- return filteredData.GroupByBranch(handleBranch), nil
+ // calculate whether vector and score are consistent
+ var calculatedData domain.CollectedDataSlice
+ for _, data := range filteredData {
+ if vulnerutils.CalculateCVSSV3BaseScore(data.Vector) == data.Score {
+ calculatedData = append(calculatedData, data)
+ }
+ }
+
+ return calculatedData.GroupByBranch(handleBranch), nil
 }
 
 func (c *coldPatchService) generateCollectFilePath() string {
diff --git a/cve-vulner-manager/cve-ddd/domain/collect.go b/cve-vulner-manager/cve-ddd/domain/collect.go
index f30b347..dad2183 100644
--- a/cve-vulner-manager/cve-ddd/domain/collect.go
+++ b/cve-vulner-manager/cve-ddd/domain/collect.go
@@ -12,6 +12,7 @@ type CollectedData struct {
 Id int64
 CveNum string
 Score float64
+ Vector string
 Version string
 AffectedProduct []string
 CreateTime time.Time
diff --git a/cve-vulner-manager/cve-ddd/infrastructure/repositoryimpl/impl.go b/cve-vulner-manager/cve-ddd/infrastructure/repositoryimpl/impl.go
index c5ac2d5..24e77d8 100644
--- a/cve-vulner-manager/cve-ddd/infrastructure/repositoryimpl/impl.go
+++ b/cve-vulner-manager/cve-ddd/infrastructure/repositoryimpl/impl.go
@@ -154,6 +154,7 @@ func (impl repositoryImpl) GetAllIssue() (data domain.CollectedDataSlice, err er
 Id: v.TemplateId,
 CveNum: v.CveNum,
 Score: v.OpenEulerScore,
+ Vector: v.OpenEulerVector,
 Version: v.OwnedVersion,
 AffectedProduct: strings.Split(v.AffectProduct, "/"),
 CreateTime: v.CreateTime,
diff --git a/cve-vulner-manager/util/calculator.go b/cve-vulner-manager/util/calculator.go
new file mode 100644
index 0000000..59d9cd7
--- /dev/null
+++ b/cve-vulner-manager/util/calculator.go
@@ -0,0 +1,95 @@
+package util
+
+import (
+ "fmt"
+ "math"
+ "strings"
+
+ "github.com/astaxie/beego"
+)
+
+const (
+ defaultBaseScore = 0
+ unChangedScope = "SU"
+ changedScope = "SC"
+ maxScore = 10
+ baseFactor = 1.08
+ unchangeImpactFactor = 6.42
+ changeImpactFactor1 = 7.52
+ changeImpactFactor2 = 0.029
+ changeImpactFactor3 = 3.25
+ changeImpactFactor4 = 0.02
+ changeImpactFactor5 = 15
+ iscFactor = 1
+ exFactor = 8.22
+)
+
+// Calculate CVSS v3 basescore based on vector
+func CalculateCVSSV3BaseScore(vector string) float64 {
+ vectors := strings.Split(vector, "/")
+ var dealVectors []string
+ for _, v := range vectors {
+ dv := strings.ReplaceAll(v, ":", "")
+ dealVectors = append(dealVectors, dv)
+ }
+
+ scope := dealVectors[4]
+
+ avScore := beego.AppConfig.DefaultFloat(fmt.Sprintf("metrics::%s", dealVectors[0]), defaultBaseScore)
+
+ acScore := beego.AppConfig.DefaultFloat(fmt.Sprintf("metrics::%s", dealVectors[1]), defaultBaseScore)
+
+ uiScore := beego.AppConfig.DefaultFloat(fmt.Sprintf("metrics::%s", dealVectors[3]), defaultBaseScore)
+
+ cScore := beego.AppConfig.DefaultFloat(fmt.Sprintf("metrics::%s", dealVectors[5]), defaultBaseScore)
+
+ iScore := beego.AppConfig.DefaultFloat(fmt.Sprintf("metrics::%s", dealVectors[6]), defaultBaseScore)
+
+ aScore := beego.AppConfig.DefaultFloat(fmt.Sprintf("metrics::%s", dealVectors[7]), defaultBaseScore)
+
+ iscBase := iscFactor - ((iscFactor - cScore) * (1 - iScore) * (1 - aScore))
+
+ if scope == unChangedScope {
+ prScore := beego.AppConfig.DefaultFloat(fmt.Sprintf("unchangedpr::%s", dealVectors[2]), defaultBaseScore)
+ exploitabilitySubScore := exFactor * avScore * acScore * prScore * uiScore
+ impactSubScore := unchangeImpactFactor * iscBase
+ if impactSubScore <= 0 {
+ return defaultBaseScore
+ }
+
+ miniNum := Minimum(exploitabilitySubScore+impactSubScore, maxScore)
+
+ baseScore := Roundup(miniNum)
+
+ return baseScore
+ } else if scope == changedScope {
+ prScore := beego.AppConfig.DefaultFloat(fmt.Sprintf("changedpr::%s", dealVectors[2]), defaultBaseScore)
+ exploitabilitySubScore := exFactor * avScore * acScore * prScore * uiScore
+
+ res := math.Pow(iscBase-changeImpactFactor4, float64(changeImpactFactor5))
+ imapctSubScore := changeImpactFactor1*(iscBase-changeImpactFactor2) - changeImpactFactor3*res
+ if imapctSubScore <= 0 {
+ return defaultBaseScore
+ }
+
+ miniNum := Minimum(baseFactor*(exploitabilitySubScore+imapctSubScore), maxScore)
+
+ baseScore := Roundup(miniNum)
+
+ return baseScore
+ }
+
+ return defaultBaseScore
+}
+
+func Roundup(value float64) float64 {
+ roundedValue := math.Ceil(value*10) / 10
+ return roundedValue
+}
+
+func Minimum(a, b float64) float64 {
+ if a < b {
+ return a
+ }
+ return b
+}
-- Gitee
From 7f565b10b840843f48a1a8b8c0d80d1632383531 Mon Sep 17 00:00:00 2001
From: Coopermassaki <1277145053@qq.com>
Date: Fri, 19 Jul 2024 09:52:49 +0800
Subject: [PATCH 2/5] determine len of vectors to prevent slice out-of-bounds panic
---
 cve-vulner-manager/util/calculator.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/cve-vulner-manager/util/calculator.go b/cve-vulner-manager/util/calculator.go
index 59d9cd7..8a92e8a 100644
--- a/cve-vulner-manager/util/calculator.go
+++ b/cve-vulner-manager/util/calculator.go
@@ -10,6 +10,7 @@ import (
 
 const (
 defaultBaseScore = 0
+ vectorLength = 8
 unChangedScope = "SU"
 changedScope = "SC"
 maxScore = 10
@@ -27,6 +28,10 @@ const (
 // Calculate CVSS v3 basescore based on vector
 func CalculateCVSSV3BaseScore(vector string) float64 {
 vectors := strings.Split(vector, "/")
+ if len(vectors) != vectorLength {
+ return defaultBaseScore
+ }
+
 var dealVectors []string
 for _, v := range vectors {
 dv := strings.ReplaceAll(v, ":", "")
-- Gitee
From d60aabc448ff1a898b19d99a87023b66c2e81a0d Mon Sep 17 00:00:00 2001
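Review bot: Roundup in the new calculator.go uses `math.Ceil(value*10) / 10`, which is exactly the rounding CVSS v3.1 told implementers to drop: floating-point noise such as 4.000000000000001 is ceiled to 4.1, and because analysisComment compares this result with the stored score by exact `!=`, such a case rejects a correct score and blocks the issue. CVSS v3.1 Appendix A defines Roundup on an integer-scaled value to avoid that; the replacement below follows it. Separately, every weight is fetched with `DefaultFloat(..., defaultBaseScore)`, so an unknown or misspelled metric value (`AV:X`, a v2-style `Au:N`) silently contributes 0 instead of rejecting the vector, and with exploitability forced to 0 the function still returns a plausible non-zero base score from the impact term alone; checking `beego.AppConfig.String(key) == ""` for each lookup and returning defaultBaseScore keeps a typo from passing as a consistent score. The exported function also needs a doc comment stating the accepted input shape (`AV:x/AC:x/PR:x/UI:x/S:x/C:x/I:x/A:x`, eight segments, no `CVSS:3.x/` prefix) and that a return of 0 means "could not be scored" rather than a real score of 0.
```go
// Roundup rounds value up to one decimal place as CVSS v3.1 Appendix A
// specifies: the value is scaled to an integer first so that floating-point
// noise (e.g. 4.000000000000001) does not bump a score from 4.0 to 4.1.
func Roundup(value float64) float64 {
	intInput := math.Round(value * 100000)
	if math.Mod(intInput, 10000) == 0 {
		return intInput / 100000
	}
	return (math.Floor(intInput/10000) + 1) / 10
}
```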
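Review bot: The added guard `if len(vectors) != vectorLength` stops the index panic, but it also rejects the canonical vector form that carries a `CVSS:3.1/` (or `CVSS:3.0/`) prefix, which splits into nine segments; if openeuler_vector is ever entered in that NVD form the function returns 0 and the caller in analysisComment reports a score/vector mismatch that is really a format problem. Unless the stored format is guaranteed prefix-free, which this series does not show, strip it before counting: `vector = strings.TrimPrefix(strings.TrimPrefix(vector, "CVSS:3.1/"), "CVSS:3.0/")`. The guard also only checks the count, not that each segment names a recognised metric, so the zero-default config lookups further down still decide what a malformed segment scores; a comment on the guard saying `// shape check only; unknown metric values are not rejected here` would at least make that explicit. CalculateCVSSV3BaseScore continues outside this hunk.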
From: Coopermassaki <1277145053@qq.com>
Date: Mon, 22 Jul 2024 14:52:15 +0800
Subject: [PATCH 3/5] update cols append
---
 cve-vulner-manager/controllers/hook.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cve-vulner-manager/controllers/hook.go b/cve-vulner-manager/controllers/hook.go
index 7120f5f..2b7d1ca 100644
--- a/cve-vulner-manager/controllers/hook.go
+++ b/cve-vulner-manager/controllers/hook.go
@@ -1764,9 +1764,9 @@ func analysisComment(owner, accessToken, path string, cuAccount string, cBody st
 cols = append(cols, "op_audit_flag")
 }
 issueTmp.OpenEulerScore = fv
- cols = append(cols, k)
 // Dominated by openeuler score, update cve level
 issueTmp.CveLevel = models.OpenEulerScoreProc(fv)
+ cols = append(cols, k, "cve_level")
 }
 case "openeuler_vector":
 if v != "" && len(v) > 1 {
-- Gitee
From 0e8fa9282aa4e08318ce4096584229060ac17013 Mon Sep 17 00:00:00 2001
From: Coopermassaki <1277145053@qq.com>
Date: Thu, 25 Jul 2024 16:28:04 +0800
Subject: [PATCH 4/5] cancel the function of handling the cve issue of inconsistent stock scores and vectors
---
 cve-vulner-manager/cve-ddd/app/coldpatch.go | 11 +----------
 cve-vulner-manager/cve-ddd/domain/collect.go | 1 -
 .../cve-ddd/infrastructure/repositoryimpl/impl.go | 1 -
 3 files changed, 1 insertion(+), 12 deletions(-)
diff --git a/cve-vulner-manager/cve-ddd/app/coldpatch.go b/cve-vulner-manager/cve-ddd/app/coldpatch.go
index 5db034e..d6a30d5 100644
--- a/cve-vulner-manager/cve-ddd/app/coldpatch.go
+++ b/cve-vulner-manager/cve-ddd/app/coldpatch.go
@@ -22,7 +22,6 @@ import (
 "cvevulner/cve-ddd/domain/obs"
 "cvevulner/cve-ddd/domain/repository"
 "cvevulner/cve-ddd/domain/updateinfo"
- vulnerutils "cvevulner/util"
 )
 
 const (
@@ -208,15 +207,7 @@ func (c *coldPatchService) collectAllData() (map[string]domain.CollectedDataSlic
 concurrencyInstance := NewConcurrency(c, issueData, sets.New(allPackage...), sets.New(handleBranch...))
 filteredData := concurrencyInstance.handleFilterData()
 
- // calculate whether vector and score are consistent
- var calculatedData domain.CollectedDataSlice
- for _, data := range filteredData {
- if vulnerutils.CalculateCVSSV3BaseScore(data.Vector) == data.Score {
- calculatedData = append(calculatedData, data)
- }
- }
-
- return calculatedData.GroupByBranch(handleBranch), nil
+ return filteredData.GroupByBranch(handleBranch), nil
 }
 
 func (c *coldPatchService) generateCollectFilePath() string {
diff --git a/cve-vulner-manager/cve-ddd/domain/collect.go b/cve-vulner-manager/cve-ddd/domain/collect.go
index dad2183..f30b347 100644
--- a/cve-vulner-manager/cve-ddd/domain/collect.go
+++ b/cve-vulner-manager/cve-ddd/domain/collect.go
@@ -12,7 +12,6 @@ type CollectedData struct {
 Id int64
 CveNum string
 Score float64
- Vector string
 Version string
 AffectedProduct []string
 CreateTime time.Time
diff --git a/cve-vulner-manager/cve-ddd/infrastructure/repositoryimpl/impl.go b/cve-vulner-manager/cve-ddd/infrastructure/repositoryimpl/impl.go
index 24e77d8..c5ac2d5 100644
--- a/cve-vulner-manager/cve-ddd/infrastructure/repositoryimpl/impl.go
+++ b/cve-vulner-manager/cve-ddd/infrastructure/repositoryimpl/impl.go
@@ -154,7 +154,6 @@ func (impl repositoryImpl) GetAllIssue() (data domain.CollectedDataSlice, err er
 Id: v.TemplateId,
 CveNum: v.CveNum,
 Score: v.OpenEulerScore,
- Vector: v.OpenEulerVector,
 Version: v.OwnedVersion,
 AffectedProduct: strings.Split(v.AffectProduct, "/"),
 CreateTime: v.CreateTime,
-- Gitee
From 3182683e5980b2c7d645a96a63a97478b9e11f86 Mon Sep 17 00:00:00 2001
From: Coopermassaki <1277145053@qq.com>
Date: Thu, 25 Jul 2024 16:41:45 +0800
Subject: [PATCH 5/5] delete process hot patch code
---
 cve-vulner-manager/controllers/file.go | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/cve-vulner-manager/controllers/file.go b/cve-vulner-manager/controllers/file.go
index 5558bfd..3b977d4 100644
--- a/cve-vulner-manager/controllers/file.go
+++ b/cve-vulner-manager/controllers/file.go
@@ -14,7 +14,6 @@ import (
 "time"
 
 "cvevulner/common"
- "cvevulner/cve-ddd/adapter"
 "cvevulner/cve-ddd/infrastructure/obsimpl"
 "cvevulner/models"
 "cvevulner/taskhandler"
@@ -199,8 +198,6 @@ func (f *FileController) TriggerCveData() {
 // Return the result first, continue processing the data
 UpdateLimitTriggerSa(nameStr, 1)
 GenUpdateInfoXmlFile(updateInfoSlice, dir, cves)
- // process hot patch
- adapter.NewHotPatchAdapter().Process()
 }
 
 // Generate updateinfo xml file
-- Gitee