Remove duplicate rows for CVSS

ziadhany · ziadhany · commit df1ea13d7b7c · 2022-10-03T22:01:49.000+02:00
Signed-off-by: ziadhany &lt;ziadhany2016@gmail.com&gt;
diff --git a/setup.cfg b/setup.cfg
@@ -78,6 +78,7 @@ install_requires =
     defusedxml>=0.7.1
     Markdown>=3.3.0
     dateparser>=1.1.1
+    cvss>=2.4
 
     # networking
     GitPython>=3.1.17
diff --git a/vulnerabilities/migrations/0028_vulnerabilityseverity_scoring_elements.py b/vulnerabilities/migrations/0028_vulnerabilityseverity_scoring_elements.py
@@ -0,0 +1,18 @@
+# Generated by Django 4.0.7 on 2022-09-22 21:25
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('vulnerabilities', '0027_alter_vulnerabilityreference_url'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='vulnerabilityseverity',
+            name='scoring_elements',
+            field=models.CharField(help_text='Supporting a scoring elements as a string For example a CVSS vector Important, High, Medium ,Low.Typically used to compute the value', max_length=100, null=True),
+        ),
+    ]
diff --git a/vulnerabilities/migrations/0029_vulnerabilityserverity_compute_score.py b/vulnerabilities/migrations/0029_vulnerabilityserverity_compute_score.py
@@ -0,0 +1,24 @@
+from django.db import migrations
+
+from vulnerabilities.severity_systems import SCORING_SYSTEMS
+
+
+def compute_score(apps, schema_editor):
+    Vuln_severity = apps.get_model('vulnerabilities', 'VulnerabilitySeverity')
+    for vuln_severity in Vuln_severity.objects.all():
+        if vuln_severity.value and not vuln_severity.scoring_elements:
+            try:
+                vuln_severity.scoring_elements = SCORING_SYSTEMS[vuln_severity.scoring_system].as_score(vuln_severity.value)
+                vuln_severity.save()
+            except NotImplementedError:
+                pass
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('vulnerabilities', '0028_vulnerabilityseverity_scoring_elements'),
+    ]
+
+    operations = [
+        migrations.RunPython(compute_score, migrations.RunPython.noop),
+    ]
diff --git a/vulnerabilities/migrations/0030_vulnerabilityseverity _rm_extra_records_swap.py b/vulnerabilities/migrations/0030_vulnerabilityseverity _rm_extra_records_swap.py
@@ -0,0 +1,45 @@
+from django.db import migrations
+
+
+def remove_extra_rows(apps, schema_editor):
+    Vuln_severity = apps.get_model('vulnerabilities', 'VulnerabilitySeverity')
+    duplicates = (
+        Vuln_severity.objects
+        .filter(scoring_system__in=["cvssv2_vector", "cvssv3_vector", "cvssv3.1_vector"])
+    )
+
+    for duplicate in duplicates:
+        (
+            Vuln_severity.objects
+            .filter(reference_id=duplicate.reference_id,
+                    scoring_system__in=["cvssv2", "cvssv3", "cvssv3.1"],
+                    value=duplicate.scoring_elements)
+            .delete()
+        )
+
+
+def swap_scoring_elements_with_value(apps, schema_editor):
+    Vuln_severity = apps.get_model('vulnerabilities', 'VulnerabilitySeverity')
+    for vuln_severity in Vuln_severity.objects.all():
+        cvss_mapper = {
+            "cvssv2_vector": "cvssv2",
+            "cvssv3_vector": "cvssv3",
+            "cvssv3.1_vector": "cvssv3.1",
+        }
+        if vuln_severity.scoring_system in ["cvssv2_vector", "cvssv3_vector", "cvssv3.1_vector"]:
+            vuln_severity.scoring_system = cvss_mapper[vuln_severity.scoring_system]
+            temp = vuln_severity.scoring_elements  # value
+            vuln_severity.scoring_elements = vuln_severity.value
+            vuln_severity.value = temp
+            vuln_severity.save()
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('vulnerabilities', '0029_vulnerabilityserverity_compute_score'),
+    ]
+
+    operations = [
+        migrations.RunPython(remove_extra_rows), migrations.RunPython.noop,
+        migrations.RunPython(swap_scoring_elements_with_value, migrations.RunPython.noop),
+    ]
diff --git a/vulnerabilities/models.py b/vulnerabilities/models.py
@@ -278,7 +278,6 @@ def get_absolute_url(self):
 
 
 class PackageRelatedVulnerability(models.Model):
-
     # TODO: Fix related_name
     package = models.ForeignKey(
         Package,
@@ -351,7 +350,6 @@ def update_or_create(self):
 
 
 class VulnerabilitySeverity(models.Model):
-
     reference = models.ForeignKey(VulnerabilityReference, on_delete=models.CASCADE)
 
     scoring_system_choices = tuple(
@@ -371,6 +369,14 @@ class VulnerabilitySeverity(models.Model):
 
     value = models.CharField(max_length=50, help_text="Example: 9.0, Important, High")
 
+    scoring_elements = models.CharField(
+        max_length=100,
+        null=True,
+        help_text="Supporting a scoring elements as a string "
+        "For example a CVSS vector Important, High, Medium ,Low."
+        "Typically used to compute the value",
+    )
+
     class Meta:
         unique_together = ["reference", "scoring_system", "value"]
         ordering = ["reference", "scoring_system", "value"]
diff --git a/vulnerabilities/severity_systems.py b/vulnerabilities/severity_systems.py
@@ -8,6 +8,10 @@
 #
 
 import dataclasses
+from decimal import Decimal
+
+from cvss import CVSS2
+from cvss import CVSS3
 
 """
 Vulnerability scoring systems define scales, values and approach to score a
@@ -17,7 +21,6 @@
 
 @dataclasses.dataclass(order=True)
 class ScoringSystem:
-
     # a short identifier for the scoring system.
     identifier: str
     # a name which represents the scoring system such as `RedHat bug severity`.
@@ -28,13 +31,28 @@ class ScoringSystem:
     # notes about that scoring system
     notes: str = ""
 
-    def as_score(self, value):
+    def as_score(self, value) -> Decimal:
         """
         Return a normalized numeric score for this scoring system  given a raw
         value. For instance this can be used to convert a CVSS vector to a base
         score.
+
+        >>> SCORING_SYSTEMS["cvssv2_vector"].as_score("AV:L/AC:L/Au:M/C:N/I:P/A:C/E:U/RL:W/RC:ND/CDP:L/TD:H/CR:ND/IR:ND/AR:M")
+        Decimal('5.0')
+        >>> SCORING_SYSTEMS["cvssv3_vector"].as_score('CVSS:3.0/S:C/C:H/I:H/A:N/AV:P/AC:H/PR:H/UI:R/E:H/RL:O/RC:R/CR:H/IR:X/AR:X/MAC:H/MPR:X/MUI:X/MC:L/MA:X')
+        Decimal('6.5')
+        >>> SCORING_SYSTEMS["cvssv3.1_vector"].as_score("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H")
+        Decimal('8.6')
         """
-        raise NotImplementedError
+
+        if self.identifier == "cvssv2_vector":
+            c = CVSS2(value)
+            return c.base_score
+        elif self.identifier in ["cvssv3_vector", "cvssv3.1_vector"]:
+            c = CVSS3(value)
+            return c.base_score
+        else:
+            raise NotImplementedError("Can't compute a score")
 
 
 CVSSV2 = ScoringSystem(
