JSON unmarshaling error on field "cvss_v2_base" when using Intel.GetVulnerabilities()

[jeFF0Falltrades]

I am attempting to utilize Intel.GetVulnerabilities() to query a vulnerability by CVE ID and retrieve intelligence on that vulnerability, similar to the example shown in the "Vulnerability Intelligence APIs" documentation, but using gofalcon.

Every request appears to return an unmarshaling error due to the type of DomainVulnerability.resources.cvss_v2_base, as seen in this simple example:

ids := models.MsaIdsRequest{Ids: []string{"CVE-2017-5638"}}
response, err := client.Intel.GetVulnerabilities(&intel.GetVulnerabilitiesParams{
    Context: context.Background(),
    Body:    &ids,
})
if err != nil {
    return nil, err
}

json: cannot unmarshal object into Go struct field DomainVulnerability.resources.cvss_v2_base of type string

I confirmed the same API call using curl returns the expected output:

 "resources": [
  {
   "cve": "CVE-2017-5638",
   ...
   ],
   "cvss_v2_base": {
    "access_vector": "Network",
    "access_complexity": "Low",
    "authentication": "None",
    "confidentiality_impact": "Complete",
    "integrity_impact": "Complete",
    "availability_impact": "Complete",
    "score": 10,
    "severity": "HIGH"
   },
   ...
}

Since cvss_v2_base appears to be a JSON object, I'm wondering if somewhere it's being incorrectly labeled/unmarshaled as a string object.

Interestingly, if I use the latest commit in the repo instead of the published v0.6.0 release, the call is successful, and returns a DomainVulnerability object:

[
    {
        "evaluatedAffectedAssetsCount": null,
        "exploitStatus": null,
        "exprt_rating": null,
        "totalAffectedAssets": null
    }
]

But that doesn't appear to be the desired output I want if I am POST'ing to /intel/entities/vulnerabilities/GET/v1 - According to the API documentation, it should be more like the above output which includes general intelligence on that CVE, not anything about impacted assets.

Perhaps there is a model-mismatch somewhere that is causing issues with Swagger?

[jeFF0Falltrades]

Some additional context:

It looks like the model was revised in the latest spec update and significantly reduced, which explains the second output using the latest commit I posted above:

https://github.com/CrowdStrike/gofalcon/blob/4e4a34717bcb0f8d91c5ca7b61301e5620e4d9b6/falcon/models/domain_vulnerability.go

The root cause in release v0.6.0 is captured in this commit:

https://github.com/CrowdStrike/gofalcon/blob/97a91119047afa8f3c6f71f4b0506a63d2a2ba1d/falcon/models/domain_vulnerability.go#L33-L37

where it appears the 2 CVSS base fields are both labeled as string types, when they should ostensibly be some kind of struct/object.

[ffalor]

@jeFF0Falltrades good catch and you're absolutely correct. It looks like the model for this is probably being defined by two different endpoints and causing a mismatch similar to #425 the actual model defined in the api spec could also be wrong which is why v0.6.0 is incorrect.

I'll need some time to dig into this and figure out what exactly is happening. Thank you for reporting the issue!

[jeFF0Falltrades]

Thanks so much for the confirmation and quick response @ffalor ! Best of luck in the fix

[ffalor]

hey @jeFF0Falltrades this should be fixed in v0.9.0 thanks for your help on this!

[jeFF0Falltrades]

hey @jeFF0Falltrades this should be fixed in v0.9.0 thanks for your help on this!

You did all the hard work - Thank you!!