aquasecurity / vuln-list-update

Apache License 2.0
173 stars 99 forks source link

SUSE: cvrf format has been changed to support cvss 2 and 3 #87

Open froh opened 3 years ago

froh commented 3 years ago

Hi,

the SUSE CVRF files contain cvss2 and cvss3 scores.

cvrf-opensuse-su-2015:0225-1.xml

    <CVSSScoreSets>
      <ScoreSetV2>
        <BaseScoreV2>4</BaseScoreV2>
        <VectorV2>AV:L/AC:L/Au:M/C:P/I:P/A:P</VectorV2>
      </ScoreSetV2>
    </CVSSScoreSets>

cvrf-opensuse-su-2020:1236-1.xml

    <CVSSScoreSets>
      <ScoreSetV2>
        <BaseScoreV2>4.3</BaseScoreV2>
        <VectorV2>AV:N/AC:M/Au:N/C:P/I:N/A:N</VectorV2>
      </ScoreSetV2>
      <ScoreSetV3>
        <BaseScoreV3>5.9</BaseScoreV3>
        <VectorV3>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</VectorV3>
      </ScoreSetV3>
    </CVSSScoreSets>

The current handling in suse/cvrf/types.go does not handle this and drops the SUSE score sets.

froh commented 3 years ago

oh. this basically comes from the transition from cvrf 1.1 to cvrf 1.2: https://www.suse.com/support/security/cvrf/

the reference parser contains schema definitions for both, 1.1 and 1.2. they indeed only differ in allowing for cvss v3 scores, as shown above:

git clone https://github.com/oasis-open/csaf-parser
cd csaf-parser
for d in common/ cvrf/ prod/ vuln/
do
    emacsclient -e " ( ediff-directories \"$d/1.1\" \"$d/1.2\" \".*\" ) " 
done