muchdogesec / arango_cti_processor

A small script that creates relationships between common CTI knowledge-bases in STIX 2.1 format.
https://www.dogesec.com/
Apache License 2.0

cve-epss mode not returning correct results #31

Closed himynamesdave closed 1 month ago

himynamesdave commented 1 month ago
 python3 -m unittest tests/test_12_0_cve_epss.py

Two versions of the Note are created for the same CVE (see the query output below: the second version replaces the `x_epss` object rather than extending it). There should only ever be one Note per CVE, whose `x_epss` property is a list holding every EPSS score reported for that CVE, one entry per date

e.g.

"x_epss": [
 {
  "score": "0.000450000",
  "percentile": "0.163990000",
  "date": "2024-10-10"
},
 {
  "score": "0.000450000",
  "percentile": "0.163990000",
  "date": "2024-10-11"
}

]

    "external_references": [
      {
        "source_name": "cve",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4165",
        "external_id": "CVE-2024-4165"
      }
    ],
[
  {
    "_key": "note--008cc7df-b92b-5753-9451-62a4588dccc1+2024-10-11T05:17:08.421163Z",
    "_id": "nvd_cve_vertex_collection/note--008cc7df-b92b-5753-9451-62a4588dccc1+2024-10-11T05:17:08.421163Z",
    "_rev": "_ilmAdCS---",
    "type": "note",
    "spec_version": "2.1",
    "id": "note--008cc7df-b92b-5753-9451-62a4588dccc1",
    "created_by_ref": "identity--562918ee-d5da-5579-b6a1-fae50cc6bad3",
    "created": "2024-04-25T12:15:07.540Z",
    "modified": "2024-10-08T00:00:00.000Z",
    "content": "EPSS Score for CVE-2024-4165",
    "object_refs": [
      "vulnerability--008cc7df-b92b-5753-9451-62a4588dccc1"
    ],
    "external_references": [
      {
        "source_name": "cve",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4165",
        "external_id": "CVE-2024-4165"
      }
    ],
    "object_marking_refs": [
      "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
      "marking-definition--562918ee-d5da-5579-b6a1-fae50cc6bad3"
    ],
    "extensions": {
      "extension-definition--efd26d23-d37d-5cf2-ac95-a101e46ce11d": {
        "extension_type": "toplevel-property-extension"
      }
    },
    "x_epss": {
      "date": "2024-10-08",
      "percentile": "0.163710000",
      "score": "0.000450000"
    },
    "_bundle_id": "bundle--1c60929d-3196-42d9-bf92-e4ea1d4f4c38",
    "_file_name": "epss-cves.json",
    "_stix2arango_note": "test_12_0_cve_epss",
    "_record_md5_hash": "51035a3bfca9aab533e4edea0ee215f0",
    "_is_latest": false,
    "_record_created": "2024-10-11T05:17:08.421163Z",
    "_record_modified": "2024-10-11T05:17:08.421163Z"
  },
  {
    "_key": "note--030ac571-6dab-5214-b0e3-0ee2c09e1ce5+2024-10-11T05:17:08.421187Z",
    "_id": "nvd_cve_vertex_collection/note--030ac571-6dab-5214-b0e3-0ee2c09e1ce5+2024-10-11T05:17:08.421187Z",
    "_rev": "_ilmAdCW---",
    "type": "note",
    "spec_version": "2.1",
    "id": "note--030ac571-6dab-5214-b0e3-0ee2c09e1ce5",
    "created_by_ref": "identity--562918ee-d5da-5579-b6a1-fae50cc6bad3",
    "created": "2024-05-26T18:15:08.547Z",
    "modified": "2024-10-08T00:00:00.000Z",
    "content": "EPSS Score for CVE-2024-5370",
    "object_refs": [
      "vulnerability--030ac571-6dab-5214-b0e3-0ee2c09e1ce5"
    ],
    "external_references": [
      {
        "source_name": "cve",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5370",
        "external_id": "CVE-2024-5370"
      }
    ],
    "object_marking_refs": [
      "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
      "marking-definition--562918ee-d5da-5579-b6a1-fae50cc6bad3"
    ],
    "extensions": {
      "extension-definition--efd26d23-d37d-5cf2-ac95-a101e46ce11d": {
        "extension_type": "toplevel-property-extension"
      }
    },
    "x_epss": {
      "date": "2024-10-08",
      "percentile": "0.163710000",
      "score": "0.000450000"
    },
    "_bundle_id": "bundle--1c60929d-3196-42d9-bf92-e4ea1d4f4c38",
    "_file_name": "epss-cves.json",
    "_stix2arango_note": "test_12_0_cve_epss",
    "_record_md5_hash": "46bc29abbdc13964302bae7603e679c9",
    "_is_latest": false,
    "_record_created": "2024-10-11T05:17:08.421187Z",
    "_record_modified": "2024-10-11T05:17:08.421187Z"
  },
  {
    "_key": "note--008cc7df-b92b-5753-9451-62a4588dccc1+2024-10-11T05:17:09.915608Z",
    "_id": "nvd_cve_vertex_collection/note--008cc7df-b92b-5753-9451-62a4588dccc1+2024-10-11T05:17:09.915608Z",
    "_rev": "_ilmAdCW--_",
    "type": "note",
    "spec_version": "2.1",
    "id": "note--008cc7df-b92b-5753-9451-62a4588dccc1",
    "created_by_ref": "identity--2e51a631-99d8-52a5-95a6-8314d3f4fbf3",
    "created": "2024-04-25T12:15:07.540Z",
    "modified": "2024-10-10T00:00:00.000Z",
    "content": "EPSS Score for CVE-2024-4165",
    "object_refs": [
      "vulnerability--008cc7df-b92b-5753-9451-62a4588dccc1"
    ],
    "external_references": [
      {
        "source_name": "cve",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4165",
        "external_id": "CVE-2024-4165"
      }
    ],
    "object_marking_refs": [
      "marking-definition--562918ee-d5da-5579-b6a1-fae50cc6bad3",
      "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
      "marking-definition--2e51a631-99d8-52a5-95a6-8314d3f4fbf3"
    ],
    "extensions": {
      "extension-definition--efd26d23-d37d-5cf2-ac95-a101e46ce11d": {
        "extension_type": "toplevel-property-extension"
      }
    },
    "x_epss": {
      "score": "0.000450000",
      "percentile": "0.163990000",
      "date": "2024-10-10"
    },
    "_arango_cti_processor_note": "cve-epss",
    "_record_md5_hash": "b837e1c1601a5b9c36bbca876b32d5d4",
    "_is_latest": true,
    "_record_created": "2024-10-11T05:17:09.915608Z",
    "_record_modified": "2024-10-11T05:17:09.915608Z"
  },
  {
    "_key": "note--030ac571-6dab-5214-b0e3-0ee2c09e1ce5+2024-10-11T05:17:09.915642Z",
    "_id": "nvd_cve_vertex_collection/note--030ac571-6dab-5214-b0e3-0ee2c09e1ce5+2024-10-11T05:17:09.915642Z",
    "_rev": "_ilmAdCW--A",
    "type": "note",
    "spec_version": "2.1",
    "id": "note--030ac571-6dab-5214-b0e3-0ee2c09e1ce5",
    "created_by_ref": "identity--2e51a631-99d8-52a5-95a6-8314d3f4fbf3",
    "created": "2024-05-26T18:15:08.547Z",
    "modified": "2024-10-10T00:00:00.000Z",
    "content": "EPSS Score for CVE-2024-5370",
    "object_refs": [
      "vulnerability--030ac571-6dab-5214-b0e3-0ee2c09e1ce5"
    ],
    "external_references": [
      {
        "source_name": "cve",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5370",
        "external_id": "CVE-2024-5370"
      }
    ],
    "object_marking_refs": [
      "marking-definition--562918ee-d5da-5579-b6a1-fae50cc6bad3",
      "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
      "marking-definition--2e51a631-99d8-52a5-95a6-8314d3f4fbf3"
    ],
    "extensions": {
      "extension-definition--efd26d23-d37d-5cf2-ac95-a101e46ce11d": {
        "extension_type": "toplevel-property-extension"
      }
    },
    "x_epss": {
      "score": "0.000450000",
      "percentile": "0.163990000",
      "date": "2024-10-10"
    },
    "_arango_cti_processor_note": "cve-epss",
    "_record_md5_hash": "90e3a22d04e94098c40c5b22389d9413",
    "_is_latest": true,
    "_record_created": "2024-10-11T05:17:09.915642Z",
    "_record_modified": "2024-10-11T05:17:09.915642Z"
  }
]
fqrious commented 1 month ago

arango_cti_processor is not built for this

fqrious commented 1 month ago

this requires structural change

himynamesdave commented 1 month ago

@fqrious can you explain more?

himynamesdave commented 1 month ago
python3 -m unittest tests/test_12_0_cve_epss.py

see test 03 is failing.

The Note still contains the original EPSS entry (the original date), but the EPSS data for the current day (the day the test runs) is not appended to the Note as expected

fqrious commented 1 month ago

all the test cases are wrong

test 2

expected = 2 (2 for the CVEs with EPSS, nothing for the CVE with no EPSS)

but all three CVE objects in the fixture have EPSS data, so an expected count of 2 does not match the fixture

test 3

fails for the same reason as test 2: the test expects only 2 Notes

test 4

fails because the updated Note's `created_by_ref` was set to arango_cti_processor's own identity (and that identity's marking was added to `object_marking_refs`) instead of preserving the original producer's identity — compare `created_by_ref` across the two versions of the same Note in the query output above. Overwriting `created_by_ref` changes the object's attribution, so consumers who filter or trust by producer identity would see the Note as coming from a different source