[Question] Can we support CNNVD ?

[WestFarmer]

CNNVD is China's National Information Security Vulnerability Database [3], full name as "China National Vulnerability Database of Information Security", hereinafter referred to as "CNNVD", China's Information Security evaluation center is to earnestly implement the functions of Vulnerability collection and risk assessment, and responsible for the construction of National Information Security Vulnerability Database operations, providing the basic services to Information Security in China.

CNNVD is larger and more comprehensive, and many CVE does not cover several domestic manufacturers in China. For example, many Chinese router manufacturers do not have contact information on CVE, which means the loopholes they encountered are very less likely to be included in CVE. Most of the medium and small business would choose to report to CNNVD oftentimes. China has developed rapidly in the field of information security, and the number of enterprises engaged in network, information and technology has been surging. The influence of them cannot be overlooked. Therefore, a more comprehensive conclusion can be obtained by combining the two databases for analysis.

If the anwser is NO. What's the basic steps to implement it myself ?

here is a sample CNNVD data:

<vulnerability>
<number>CNVD-2024-37348</number>
<cves>
<cve>
<cveNumber>CVE-2022-33869</cveNumber>
<cveUrl>https://nvd.nist.gov/vuln/detail/CVE-2022-33869</cveUrl>
</cve>
</cves>
<title>Fortinet FortiWAN操作系统命令注入漏洞（CNVD-2024-37348）</title>
<serverity>高</serverity>
<products>
<product>Fortinet FortiWAN 4.5.0</product>
<product>Fortinet FortiWAN  4.4.0</product>
<product>Fortinet FortiWAN  4.3.0</product>
<product>Fortinet FortiWAN  4.2.5</product>
<product>Fortinet FortiWAN  4.2.1</product>
<product>Fortinet FortiWAN  4.1.1</product>
<product>Fortinet FortiWAN  4.0.0</product>
<product>Fortinet FortiWAN &gt;=4.0.0，&lt;=4.0.6</product>
<product>Fortinet FortiWAN &gt;=4.5.0，&lt;4.5.10</product>
</products>
<isEvent>通用软硬件漏洞</isEvent>
<submitTime>2023-02-20</submitTime>
<openTime>2024-09-04</openTime>
<referenceLink>https://nvd.nist.gov/vuln/detail/CVE-2022-33869</referenceLink>
<formalWay>厂商已发布了漏洞修复程序，请及时关注更新：&#xD;https://www.fortiguard.com/psirt/FG-IR-22-157</formalWay>
<description>Fortinet FortiWAN是美国飞塔（Fortinet）公司的一个用于在不同网络之间执行负载平衡和容错的网络设备。Fortinet FortiWAN存在安全漏洞，远程攻击者可以利用该漏洞提交特殊的请求，可以应用程序上下文执行任意命令。</description>
<patchName>Fortinet FortiWAN操作系统命令注入漏洞（CNVD-2024-37348）的补丁</patchName>
<patchDescription>Fortinet FortiWAN是美国飞塔（Fortinet）公司的一个用于在不同网络之间执行负载平衡和容错的网络设备。&#xD;
&#xD;
Fortinet FortiWAN存在安全漏洞，远程攻击者可以利用该漏洞提交特殊的请求，可以应用程序上下文执行任意命令。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。</patchDescription>
</vulnerability>

[aikebah]

You would be able to add it with an additional analyzer.

The primary extremely difficult task, based on what you quote here would be linking a given library and its version to the free text 'product' of the CNNVD data.

For some basic references see https://jeremylong.github.io/DependencyCheck/dependency-check-plugin/index.html for the project-starter (maven-archetype) for a DependencyCheck plugin library project in case you build with Maven.

And see the wiki for a quick intro into creating your own analyzer: https://github.com/jeremylong/DependencyCheck/wiki/Making-a-new-Analyzer (you can also cross-reference the various analyzers of the project at https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/java/org/owasp/dependencycheck/analyzer

You would likely need something similar to https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java in order to somehow decide on the 'Product(s)' of CNNVD that should be associated to a discovered library (if any) as well as an analyzer similar to NVDAnalyzer or OssIndexAnalyzer to resolve all the vulnerabilities registered against the identified product.

Given the very informal text-based 'product' attribution of affected products in CNNVD I do not see a benefit on adding it in the core (it's likely to either cause even more false-positive product-matches that our current logic that attempts to link to the known products (CPEs) of the NVD or have a high risk of false negatives (if matching is so strict (to avoid false positives) that true matches also don't match in various cases))

[aikebah]

Also note that 'router manufacturers' would for this project in any case be irrelevant, as those concern hardware device vulnerabilities and this project only scans for vulnerabilities in software dependencies (it also skips any CPEs in the NVD data that do not denote an application (it filters that data to only use the CPEs having an 'a' (Applications) for 'part' (skipping 'h' (Hardware devices) and 'o' (Operating systems))

[WestFarmer]

Also note that 'router manufacturers' would for this project in any case be irrelevant, as those concern hardware device vulnerabilities and this project only scans for vulnerabilities in software dependencies (it also skips any CPEs in the NVD data that do not denote an application (it filters that data to only use the CPEs having an 'a' (Applications) for 'part' (skipping 'h' (Hardware devices) and 'o' (Operating systems))

maybe it's just a bad example, there are also many domestic software vendors.

[WestFarmer]

to my little understanding, I feel a bit confused that the start point you mentioned was "additional analyzer".

basically CNNVD is NVD + China domestic data, so I was thinking the best way is to add the extra data from CNNVD to dependency-check's database and lucence index, then anything else should work as is.

to make this work, I need:

1. identify overlaps between NVD and CNNVD, and exclude them
2. exclude irrelevant data, such as hardware vulnerabilities
3. load filtered CNNVD data into dependency-check's database

@aikebah need more comments from you.

[aikebah]

You're likely misunderstanding 'the CVE DB' as 'the source from which ODC gets its vulenrabilities'. Now in the distant past that would've been true, as NVD back then was the only source of vulnerability information. But conceptually the database is 'simply' a cache for the NVD data (besides a few pieces of meta-information).

Nowadays we have multiple vulnerability repositories, each with their own caching mechanisms:

• NPM (NodeAuditAnalyzer, NodePackageAnalyzer, PnpmAuditAnalyzer, YarnAuditAnalyzer) - uses the Node Audit API
• RetireJS (RetireJsAnalyzer) - uses a locally cached RetireJS.json
• OSSIndex (OssIndexAnalyzer) - uses the OSSIndex provided client library with caching function
• Ruby Advisory Database (RubyBundleAuditAnalyzer) - uses the ruby bundler audit command
• NVD (NVDCveAnalyzer, with some preparatory work by the CPEAnalyzer to massage the raw evidences into CPEs) - lookups are done at the local cache of the NVD API data which is cached in the CveDB database.

Each of the mentioned analyzers is responsible for determining which (if any) registered vulnerabilities in its backing repository are relevant to a dependencies being analysed. And each analyzer specializes in building the correct representation of the software libraries being analyzed targeted at getting the data from that vulnerabilities repository in the best possible way (based on how software components are identified in the given repository).

You also appear to misunderstand the role of the NVD with respect to the CVE process by stating that CNNVD is NVD plus some more. The CNNVD is not 'the NVD + China domestic' but ,similar to OSSINDEX, 'CVE list public vulnerabilities + own research/reporting without CVEs' (the NVD is listing only 'public CVE list vulnerabilities').

The CVEs as such are not what the NVD holds, those are under the governance of the CVE program (https://www.cve.org/) and governed by MITRE corporation. The NVD holds the enrichment of the published CVEs with affected configuration coordinates using the NIST-governed Common Platform Enumeration and the NVD reviewed/validated (potentially adjusted from the original reported vector) CVSS scoring.

[aikebah]

Besides the Analyzer you may also want to add a CachedWebDataSource to cache information from the CNNVD locally in some form

[WestFarmer]

thanks, that's very helpful.