Closed WestFarmer closed 2 weeks ago
You would be able to add it with an additional analyzer.
The primary extremely difficult task, based on what you quote here would be linking a given library and its version to the free text 'product' of the CNNVD data.
For some basic references see https://jeremylong.github.io/DependencyCheck/dependency-check-plugin/index.html for the project-starter (maven-archetype) for a DependencyCheck plugin library project in case you build with Maven.
And see the wiki for a quick intro into creating your own analyzer: https://github.com/jeremylong/DependencyCheck/wiki/Making-a-new-Analyzer (you can also cross-reference the various analyzers of the project at https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/java/org/owasp/dependencycheck/analyzer).
You would likely need something similar to https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java in order to somehow decide on the 'Product(s)' of CNNVD that should be associated to a discovered library (if any) as well as an analyzer similar to NVDAnalyzer or OssIndexAnalyzer to resolve all the vulnerabilities registered against the identified product.
Given the very informal text-based 'product' attribution of affected products in CNNVD I do not see a benefit in adding it to the core. It's likely to either cause even more false-positive product matches than our current logic that attempts to link to the known products (CPEs) of the NVD, or to have a high risk of false negatives (if matching is made so strict, to avoid false positives, that true matches also don't match in various cases).
Also note that 'router manufacturers' would in any case be irrelevant for this project, as those concern hardware device vulnerabilities and this project only scans for vulnerabilities in software dependencies. It also skips any CPEs in the NVD data that do not denote an application: it filters that data to only use the CPEs having an 'a' (Applications) for 'part', skipping 'h' (Hardware devices) and 'o' (Operating systems).
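A small illustration of the CPE 'part' filter described above, written as an added example (not DependencyCheck's own code): it splits CPE 2.3 formatted strings on unescaped colons and keeps only the 'a' (application) entries, dropping 'h' and 'o'. The sample CPE strings below are constructed, not real NVD records.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Cpe23:
    part: str      # 'a' application, 'o' operating system, 'h' hardware
    vendor: str
    product: str
    version: str


def split_cpe23(cpe: str) -> List[str]:
    """Split a CPE 2.3 formatted string on unescaped colons.

    A literal ':' inside a component is written as '\\:' in the
    formatted-string binding, so a plain str.split(':') would be wrong.
    """
    fields, buf, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):
            buf.append(cpe[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == ":":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    fields.append("".join(buf))
    return fields


def parse_cpe23(cpe: str) -> Cpe23:
    fields = split_cpe23(cpe)
    # cpe, 2.3, part, vendor, product, version + 7 further components = 13
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return Cpe23(part=fields[2], vendor=fields[3], product=fields[4], version=fields[5])


def application_cpes(cpes: List[str]) -> List[Cpe23]:
    """Keep only CPEs whose 'part' is 'a', as the NVD cache filter does."""
    return [c for c in (parse_cpe23(s) for s in cpes) if c.part == "a"]


# Constructed sample covering all three part types (hypothetical entries).
SAMPLE_CPES = [
    "cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*",
    "cpe:2.3:o:linux:linux_kernel:5.10:*:*:*:*:*:*:*",
    "cpe:2.3:h:example_vendor:home_router:-:*:*:*:*:*:*:*",
    "cpe:2.3:a:example_vendor:app\\:server:1.0:*:*:*:*:*:*:*",
]
```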
Maybe it's just a bad example; there are also many domestic software vendors.
To my little understanding, I feel a bit confused that the starting point you mentioned was "additional analyzer".
Basically CNNVD is NVD + China domestic data, so I was thinking the best way is to add the extra data from CNNVD to dependency-check's database and Lucene index; then anything else should work as is.
To make this work, I need:
@aikebah need more comments from you.
You're likely misunderstanding 'the CVE DB' as 'the source from which ODC gets its vulnerabilities'. Now in the distant past that would've been true, as NVD back then was the only source of vulnerability information. But conceptually the database is 'simply' a cache for the NVD data (besides a few pieces of meta-information).
Nowadays we have multiple vulnerability repositories, each with their own caching mechanisms:
Each of the mentioned analyzers is responsible for determining which (if any) registered vulnerabilities in its backing repository are relevant to the dependencies being analysed. And each analyzer specializes in building the correct representation of the software libraries being analyzed, targeted at getting the data from that vulnerability repository in the best possible way (based on how software components are identified in the given repository).
You also appear to misunderstand the role of the NVD with respect to the CVE process by stating that CNNVD is NVD plus some more. The CNNVD is not 'the NVD + China domestic' but, similar to OSSINDEX, 'CVE list public vulnerabilities + own research/reporting without CVEs' (the NVD is listing only 'public CVE list vulnerabilities').
The CVEs as such are not what the NVD holds, those are under the governance of the CVE program (https://www.cve.org/) and governed by MITRE corporation. The NVD holds the enrichment of the published CVEs with affected configuration coordinates using the NIST-governed Common Platform Enumeration and the NVD reviewed/validated (potentially adjusted from the original reported vector) CVSS scoring.
Besides the Analyzer you may also want to add a CachedWebDataSource to cache information from the CNNVD locally in some form.
Thanks, that's very helpful.
If the answer is NO, what are the basic steps to implement it myself?
Here is some sample CNNVD data: