Open paolo-ahn opened 10 months ago
Hi there,
I don't think it is normal to have multiple identical CVE IDs attached to one "sid" as shown below.
"2047954": "CVE-2023-33246 CVE-2023-33246"
"2048119": "CVE-2023-30013 CVE-2023-30013"
"2048146": "CVE-2023-2868 CVE-2023-2868"
"2048259": "CVE-2017-3506 CVE-2017-3506 CVE-2017-3606"
"2048317": "CVE-2022-27665 CVE-2022-27665 CVE-2022-27665"
"2048365": "CVE-2023-41265 CVE-2023-41265"
Maybe this is correct.
"2047954": "CVE-2023-33246"
"2048119": "CVE-2023-30013"
"2048146": "CVE-2023-2868"
"2048259": "CVE-2017-3506 CVE-2017-3606"
"2048317": "CVE-2022-27665"
"2048365": "CVE-2023-41265"
I suggest the following code change. Can you please review and correct the information? I think we can avoid duplication of CVE IDs by changing the contents of line 20 of /src/gen_cve_map.sh as follows.
Current:
myCVE=$(echo $myRULE | grep -o -E "(cve,|CVE-|CAN-)([0-9]{4}-([0-9]{4}|[0-9]{5}))" | tr a-z A-Z | tr ",|-" " " | awk '{ print $1"-"$2"-"$3 }')
After change:
myCVE=$(echo $myRULE | grep -o -E "(cve,|CVE-|CAN-)([0-9]{4}-([0-9]{4}|[0-9]{5}))" | tr '[:lower:]_,' '[:upper:]--' | sort -u | tr '\n' ' ' | sed -e 's/ $//')
The file /etc/listbot/cve.yaml, which is downloaded when logstash starts, appears to be extracted from suricata.rules, but is the following duplicate content correct?
■ cve.yaml (Size: 19748, Modify: 2024-01-31 11:08:17), line 15690:
["2047862": "CVE-2023-32315 CVE-2023-32315 CVE-2023-32315 CVE-2023-32315 CVE-2023-32315 CVE-2023-32315"]
Shouldn't it be ["2047862": "CVE-2023-32315"]?
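The following is an added example, not part of the issue and not the project's gen_cve_map.sh: it shows how a rule that names the same CVE in more than one place yields repeated IDs unless the extraction de-duplicates, and how to list the sids in an existing map whose value repeats an ID. The function names, the rule text and the sid 9000001 are constructed for illustration; the map entries are the ones quoted in the issue.

```shell
#!/bin/sh
# Added example; not the project's gen_cve_map.sh. The rule text below is constructed.

# Extract CVE IDs from one rule line with the grep pattern quoted in the issue,
# normalise "cve,YYYY-N" to "CVE-YYYY-N", and collapse repeats with sort -u.
extract_cves() {
  printf '%s\n' "$1" |
    grep -o -E '(cve,|CVE-|CAN-)([0-9]{4}-([0-9]{4}|[0-9]{5}))' |
    tr 'a-z,' 'A-Z-' |
    sort -u |
    paste -sd' ' -
}

# Read '"sid": "ID ID ..."' lines on stdin; print each sid whose value repeats an ID.
dup_sids() {
  awk -F'"' 'NF >= 4 {
    split("", seen); dup = 0          # reset the per-line set of IDs already seen
    n = split($4, ids, " ")           # $4 is the quoted CVE list
    for (i = 1; i <= n; i++) if (seen[ids[i]]++) dup = 1
    if (dup) print $2                 # $2 is the quoted sid
  }'
}

# Constructed rule: one CVE appears twice (reference and URL), a second appears once.
RULE='alert http any any -> any any (msg:"constructed sample"; reference:cve,2017-3506; reference:url,example.com/CVE-2017-3506; reference:cve,2017-3606; sid:9000001;)'
echo "extracted: $(extract_cves "$RULE")"

# Map entries quoted in the issue: two with repeats, one already clean.
MAP='"2047954": "CVE-2023-33246 CVE-2023-33246"
"2048119": "CVE-2023-30013"
"2048259": "CVE-2017-3506 CVE-2017-3506 CVE-2017-3606"'
echo "sids with repeated IDs:"
printf '%s\n' "$MAP" | dup_sids
```

Piping a downloaded cve.yaml into `dup_sids` gives a quick check of whether a regenerated map still carries repeated IDs.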