RedHatProductSecurity / cvelib

A Python library and command line interface for CVE Services.
MIT License

BUG: cve show -r --raw output is not formatted according to the schema #44

Closed MrSeccubus closed 1 year ago

MrSeccubus commented 1 year ago

Command: cve show -r --raw

Expected:

{
    "cveMetadata" : {
        "cve_id": "CVE-2022-36249",
        "cve_year": "2022",
        "owning_cna": "DIVD",
        "requested_by": {
            "cna": "DIVD",
            "user": "f.breedijk@divd.nl"
        },
        "reserved": "2022-11-07T11:55:12.047Z",
        "state": "PUBLISHED",
        "time": {
            "created": "2022-11-07T11:55:12.049Z",
            "modified": "2022-11-07T16:03:20.456Z"
        }
    },
    "containers": {
        "cna": {
            "affected": [
                {
<snip>

Got:

[
    {
        "cve_id": "CVE-2022-36249",
        "cve_year": "2022",
        "owning_cna": "DIVD",
        "requested_by": {
            "cna": "DIVD",
            "user": "f.breedijk@divd.nl"
        },
        "reserved": "2022-11-07T11:55:12.047Z",
        "state": "PUBLISHED",
        "time": {
            "created": "2022-11-07T11:55:12.049Z",
            "modified": "2022-11-07T16:03:20.456Z"
        }
    },
    {
        "containers": {
            "cna": {
                "affected": [
                    {
<snip>
mprpic commented 1 year ago

@MrSeccubus That's because it's the output of two different API calls, one to get the object representing the CVE ID reservation, and the other is the CVE record object. We chose to put them in as two items of an array to still have a valid JSON object as a result.

The CVE record object (the second item in the array) is a full record that is valid against the 5.0 schema; you'll notice it has the cveMetadata object within itself. The CVE ID reservation object is not the cveMetadata part of the schema. In the actual schema, that object looks like this:

"cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2021-20311",
    "datePublished": "2021-05-11T22:30:47",
    "dateReserved": "2020-12-17T00:00:00",
    "dateUpdated": "2021-05-11T22:30:47",
    "state": "PUBLISHED"
},

which is different from what the API returns:

{
    "cve_id": "CVE-2022-36249",
    "cve_year": "2022",
    "owning_cna": "TEST",
    "requested_by": {
        "cna": "TEST",
        "user": "TEST_USER"
    },
    "reserved": "2022-11-07T11:55:12.047Z",
    "state": "PUBLISHED",
    "time": {
        "created": "2022-11-07T11:55:12.049Z",
        "modified": "2022-11-07T16:03:20.456Z"
    }
}

If you're parsing the JSON output, and want the record only, you could simply use the second item in the array. If you have any ideas on how to improve this, do let us know :wink:.
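The array shape described in the reply above can be handled without relying on the record always being the second item. The following is an added example, not cvelib's own code: it picks out the record by its top-level keys (cveMetadata plus containers, the shape shown in this thread, versus cve_id/owning_cna on the reservation object) and also accepts a bare record, so it keeps working if the CLI changes to print only the record. The sample JSON is constructed and abbreviated from the fields quoted in this issue.

```python
"""Extract the CVE record from `cve show -r --raw` output.

Added example (not part of cvelib). Works for both shapes discussed in
this issue: the two-item array [reservation, record] printed today, and
a bare record object. Sample inputs below are constructed and trimmed.
"""
import json
import sys

# Constructed sample of the current output: reservation object first,
# CVE 5.0 record second (record reduced to the keys needed here).
SAMPLE_ARRAY = json.dumps([
    {
        "cve_id": "CVE-2022-36249",
        "cve_year": "2022",
        "owning_cna": "DIVD",
        "state": "PUBLISHED",
    },
    {
        "cveMetadata": {"cveId": "CVE-2022-36249", "state": "PUBLISHED"},
        "containers": {"cna": {"affected": []}},
    },
])

# Constructed sample of a bare record, the shape a fixed `-r` might print.
SAMPLE_BARE = json.dumps({
    "cveMetadata": {"cveId": "CVE-2022-36249", "state": "PUBLISHED"},
    "containers": {"cna": {"affected": []}},
})


def is_cve_record(obj):
    """True for an object shaped like a CVE 5.0 record (cveMetadata and
    containers at top level). The reservation object has neither key."""
    return isinstance(obj, dict) and "cveMetadata" in obj and "containers" in obj


def extract_record(raw_text):
    """Return the single CVE record found in raw CLI output.

    Accepts either a JSON array (reservation + record, in any order) or a
    bare record object. Raises ValueError when the output does not contain
    exactly one record, rather than silently returning the reservation.
    """
    data = json.loads(raw_text)
    candidates = data if isinstance(data, list) else [data]
    records = [item for item in candidates if is_cve_record(item)]
    if len(records) != 1:
        raise ValueError(f"expected exactly one CVE record, found {len(records)}")
    return records[0]


def record_filename(record):
    """Name the output file from the record's own cveId so that a typo in
    a shell redirect cannot mislabel the file."""
    return f"{record['cveMetadata']['cveId']}.json"


def record_to_file_text(raw_text):
    """Return (filename, pretty-printed JSON) for the record in raw_text."""
    record = extract_record(raw_text)
    return record_filename(record), json.dumps(record, indent=2) + "\n"


if __name__ == "__main__":
    # Usage: cve show -r --raw CVE-2022-36249 | python extract_record.py
    # With no piped input, the constructed sample is used instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ARRAY
    name, body = record_to_file_text(text)
    with open(name, "w") as fh:
        fh.write(body)
    print(f"wrote {name}")
```

Selecting by key shape rather than by array index also guards against the failure mode raised later in this thread: if the output were ever a bare record, `jq .[1]` would return null, while this script still finds the record. The script name `extract_record.py` in the usage comment is an assumption.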

MrSeccubus commented 1 year ago

Damn! I see what you mean and my PR #45 then doesn't fix this either :-(

I think the help text of cve show -h is misleading.

Options:
  -r, --show-record  Show full CVE record in JSON v5 format.
  --raw              Print response JSON.
  -h, --help         Show this message and exit.

It says that with -r it should return a full cve record.

But, if I take the output of cve show -r --raw CVE-2022-36249 and validate it against the schema, it simply doesn't validate because you are not showing the full record, you are showing an array with the full record and the data of the reservation.

In my opinion -r should show the full record and the full record only.

I have updated PR #45 to change this.

MrSeccubus commented 1 year ago

What I was looking for is a cve command to run that would return the full record to me so I could send it to a json file.

cve show -r --raw CVE-2022-36249 >CVE-2022-36249.json doesn't produce a json file with a cve record in it.

cve show -r CVE-2022-36249 >CVE-2022-36249.json doesn't produce a valid json file with a cve record in it because it has this header.

cve show -r CVE-2022-36249 |jq .[1]>CVE-2022-36249.json might do the trick, but it is not obvious from the docs that this is what you need to do.

mprpic commented 1 year ago

Agreed, I guess showing the full record only when the option is specified is less surprising and would make your first command work as you'd expect.