SerpicoProject / Serpico

SimplE RePort wrIting and COllaboration tool

Update VulnDB Import Script to Reflect New Data Format #477

Open y4utj4 opened 6 years ago

y4utj4 commented 6 years ago

Please fill out the Bug Form or Feature Request Below


Bug

Describe the issue and steps to reproduce

Import_VulnDB script mentioned from the wiki no longer works as a pointer to the vulnerability's description is throwing an error "scripts/import_vulndb.rb:35:in `block in <main>': undefined method `join' for {"$ref"=>"#/files/description/43"}:Hash (NoMethodError)".

It looks as though the VulnDB repository was updated to put descriptions into a folder in preparation for multiple languages and a pointer is used to reference the description instead of the description as well.

  1. follow the Serpico wiki video to pull down and configure import_vulndb.rb file
  2. run the import_vulndb.rb script

BuffaloWill commented 6 years ago

Thanks @y4utj4, you are correct and the script needs to be updated. You can get around the issue by cloning an older version of VulnDB. From the root directory of vulndb run:

git checkout 59d87559c7cba869dba425cb38da36c25a00fb91

Then re-run the script, it should import fine.
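A sketch of how an import script could read the description in both the old and the new VulnDB format, added here as an illustration and not taken from import_vulndb.rb or from any participant in this thread. It assumes the old format is an array of strings (joined with a space here), that a `$ref` of the form `#/files/description/43` maps to `description/43.md` under the language directory, and the helper names are hypothetical; the strict pattern keeps a value read from a data file from being used as an arbitrary path.

```ruby
require "json"
require "tmpdir"
require "fileutils"

# Only this exact pointer shape is accepted; anything else is rejected
# instead of being turned into a file path.
REF_PATTERN = %r{\A#/files/(description|fix)/(\d+)\z}

# Return the text of a VulnDB field in either format:
#   old: an Array of strings (what the failing script called .join on)
#   new: a Hash such as {"$ref"=>"#/files/description/43"}
def resolve_field(value, lang_dir)
  case value
  when Array then value.join(" ") # separator is an assumption
  when String then value
  when Hash
    m = REF_PATTERN.match(value["$ref"].to_s)
    raise ArgumentError, "unsupported $ref: #{value.inspect}" unless m
    # Assumed layout: <lang_dir>/<kind>/<id>.md
    path = File.join(lang_dir, m[1], "#{m[2]}.md")
    raise ArgumentError, "missing file for #{value['$ref']}" unless File.file?(path)
    File.read(path).strip
  else
    raise ArgumentError, "unexpected field type: #{value.class}"
  end
end

# Constructed sample entries and a temporary directory, so this runs offline.
def demo
  Dir.mktmpdir do |dir|
    FileUtils.mkdir_p(File.join(dir, "description"))
    File.write(File.join(dir, "description", "43.md"), "Sample description text.\n")
    new_entry = JSON.parse('{"title":"Sample","description":{"$ref":"#/files/description/43"}}')
    old_entry = JSON.parse('{"title":"Sample","description":["Line one.","Line two."]}')
    bad_entry = JSON.parse('{"description":{"$ref":"#/files/../../etc/passwd"}}')
    rejected = begin
      resolve_field(bad_entry["description"], dir)
      false
    rescue ArgumentError
      true # a pointer outside the expected shape never reaches File.read
    end
    [resolve_field(new_entry["description"], dir),
     resolve_field(old_entry["description"], dir),
     rejected]
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```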

BuffaloWill commented 6 years ago

I'd like to start shipping VulnDB data with Serpico. The licenses are compatible (BSD 3).

The plan:

Hax0rG1rl commented 5 years ago

Hi @BuffaloWill, this would be a comprehensive list of steps to get things working at this stage.

Overall, it would be really nice to have this project updated. I think you did an amazing job, tbh. Thank you!

OS: Ubuntu 18.04

  1. sudo apt purge libssl-dev && sudo apt install libssl1.0-dev
  2. install and configure rbenv

A possible automated script:

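#!/usr/bin/env bash

clear

echo "[*] Configuring rbenv for you...stand by!"

sudo apt update
# libssl1.0-dev rather than libssl-dev, matching step 1 above
sudo apt install git curl libssl1.0-dev libreadline-dev zlib1g-dev autoconf bison build-essential libyaml-dev libncurses5-dev libffi-dev libgdbm-dev

# Install rbenv first so the rbenv command exists before it is initialised
# (the installer is fetched unpinned from the master branch)
curl -sL https://github.com/rbenv/rbenv-installer/raw/master/bin/rbenv-installer | bash -

# Persist the rbenv setup for future shells; the lines must be echoed,
# since redirecting export/eval themselves writes nothing to ~/.bashrc
echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc
echo 'eval "$(rbenv init -)"' >> ~/.bashrc

# Make rbenv available in the current shell as well
export PATH="$HOME/.rbenv/bin:$PATH"
eval "$(rbenv init -)"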

  3. rbenv install 2.3.3
  4. rbenv global 2.3.3
  5. ruby -v
  6. wget serpico from the releases section. [https://github.com/SerpicoProject/Serpico/releases/]
  7. gdebi the .deb package.
  8. cd Serpico
  9. gem install bundle
  10. bundle install
  11. download the import_vulndb_serpico.rb script from your gist
  12. git clone vulndb
  13. cd vulndb directory
  14. git checkout 59d87559c7cba869dba425cb38da36c25a00fb91
  15. nano / vim / pico / whatever import_vulndb_serpico.rb and change the location of the vulndb package.
  16. cd Serpico/Serpico
  17. ruby scripts/import_vulndb_serpico.rb
  18. Start the serpico server
  19. Authenticate and check the db to have the new imports displayed and available.

That would be all!