Merge pull request #2213 from greenbone/add-epss-to-vts

Add: EPSS scores from referenced CVEs to VTs
greenbone · Jun 5, 2024 · ba05801 · ba05801
2 parents f834093 + 3151db6
commit ba05801
Show file tree

Hide file tree

Showing 10 changed files with 646 additions and 5 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -101,7 +101,7 @@ include (CPack)
 
 ## Variables
 
-set (GVMD_DATABASE_VERSION 255)
+set (GVMD_DATABASE_VERSION 256)
 
 set (GVMD_SCAP_DATABASE_VERSION 21)
 

diff --git a/src/manage.c b/src/manage.c
@@ -5085,6 +5085,8 @@ manage_sync (sigset_t *sigmask_current,
           wait_for_pid (scap_pid, "SCAP sync");
           wait_for_pid (cert_pid, "CERT sync");
 
+          update_scap_extra ();
+
           lockfile_unlock (&lockfile);
         }
     }
@@ -5977,6 +5979,54 @@ get_nvt_xml (iterator_t *nvts, int details, int pref_count,
           free (default_timeout);
         }
 
+      if (nvt_iterator_epss_cve (nvts))
+        {
+          buffer_xml_append_printf 
+             (buffer,
+              "<epss>"
+              "<max_severity>"
+              "<score>%0.5f</score>"
+              "<percentile>%0.5f</percentile>"
+              "<cve id=\"%s\">",
+              nvt_iterator_epss_score (nvts),
+              nvt_iterator_epss_percentile (nvts),
+              nvt_iterator_epss_cve (nvts));
+
+          if (nvt_iterator_has_epss_severity (nvts))
+            {
+              buffer_xml_append_printf 
+                 (buffer,
+                  "<severity>%0.1f</severity>",
+                  nvt_iterator_epss_severity (nvts));
+            }
+
+          buffer_xml_append_printf
+             (buffer,
+              "</cve>"
+              "</max_severity>"
+              "<max_epss>"
+              "<score>%0.5f</score>"
+              "<percentile>%0.5f</percentile>"
+              "<cve id=\"%s\">",
+              nvt_iterator_max_epss_score (nvts),
+              nvt_iterator_max_epss_percentile (nvts),
+              nvt_iterator_max_epss_cve (nvts));
+
+          if (nvt_iterator_has_max_epss_severity (nvts))
+            {
+              buffer_xml_append_printf 
+                 (buffer,
+                  "<severity>%0.1f</severity>",
+                  nvt_iterator_max_epss_severity (nvts));
+            }
+
+          buffer_xml_append_printf
+             (buffer,
+              "</cve>"
+              "</max_epss>"
+              "</epss>");
+        }
+
       xml_string_append (buffer, close_tag ? "</nvt>" : "");
       msg = g_string_free (buffer, FALSE);
     }

diff --git a/src/manage.h b/src/manage.h
@@ -1982,6 +1982,36 @@ nvt_iterator_solution_type (iterator_t*);
 const char*
 nvt_iterator_solution_method (iterator_t*);
 
+double
+nvt_iterator_epss_score (iterator_t*);
+
+double
+nvt_iterator_epss_percentile (iterator_t*);
+
+const char*
+nvt_iterator_epss_cve (iterator_t*);
+
+double
+nvt_iterator_epss_severity (iterator_t*);
+
+gboolean
+nvt_iterator_has_epss_severity (iterator_t*);
+
+double
+nvt_iterator_max_epss_score (iterator_t*);
+
+double
+nvt_iterator_max_epss_percentile (iterator_t*);
+
+const char*
+nvt_iterator_max_epss_cve (iterator_t*);
+
+double
+nvt_iterator_max_epss_severity (iterator_t*);
+
+gboolean
+nvt_iterator_has_max_epss_severity (iterator_t*);
+
 char*
 nvt_default_timeout (const char *);
 

diff --git a/src/manage_migrators.c b/src/manage_migrators.c
@@ -3176,6 +3176,46 @@ migrate_254_to_255 ()
   return 0;
 }
 
+/**
+ * @brief Migrate the database from version 255 to version 256.
+ *
+ * @return 0 success, -1 error.
+ */
+int
+migrate_255_to_256 ()
+{
+  sql_begin_immediate ();
+
+  /* Ensure that the database is currently version 255. */
+
+  if (manage_db_version () != 255)
+    {
+      sql_rollback ();
+      return -1;
+    }
+
+  /* Update the database. */
+
+  // Add new columns
+
+  sql ("ALTER TABLE nvts ADD COLUMN epss_cve TEXT;");
+  sql ("ALTER TABLE nvts ADD COLUMN epss_score DOUBLE PRECISION;");
+  sql ("ALTER TABLE nvts ADD COLUMN epss_percentile DOUBLE PRECISION;");
+  sql ("ALTER TABLE nvts ADD COLUMN epss_severity DOUBLE PRECISION;");
+  sql ("ALTER TABLE nvts ADD COLUMN max_epss_cve TEXT;");
+  sql ("ALTER TABLE nvts ADD COLUMN max_epss_score DOUBLE PRECISION;");
+  sql ("ALTER TABLE nvts ADD COLUMN max_epss_percentile DOUBLE PRECISION;");
+  sql ("ALTER TABLE nvts ADD COLUMN max_epss_severity DOUBLE PRECISION;");
+
+  /* Set the database version to 256. */
+
+  set_db_version (256);
+
+  sql_commit ();
+
+  return 0;
+}
+
 #undef UPDATE_DASHBOARD_SETTINGS
 
 /**
@@ -3237,6 +3277,7 @@ static migrator_t database_migrators[] = {
   {253, migrate_252_to_253},
   {254, migrate_253_to_254},
   {255, migrate_254_to_255},
+  {256, migrate_255_to_256},
   /* End marker. */
   {-1, NULL}};
 

diff --git a/src/manage_pg.c b/src/manage_pg.c
@@ -1868,7 +1868,16 @@ create_tables_nvt (const gchar *suffix)
        "  solution_method text,"
        "  detection text,"
        "  qod integer,"
-       "  qod_type text);",
+       "  qod_type text,"
+       "  epss_cve TEXT,"
+       "  epss_score DOUBLE PRECISION,"
+       "  epss_percentile DOUBLE PRECISION,"
+       "  epss_severity DOUBLE PRECISION,"
+       "  max_epss_cve TEXT,"
+       "  max_epss_score DOUBLE PRECISION,"
+       "  max_epss_percentile DOUBLE PRECISION,"
+       "  max_epss_severity DOUBLE PRECISION"
+       ");",
        suffix);
 }
 

diff --git a/src/manage_sql_nvts.c b/src/manage_sql_nvts.c
@@ -41,6 +41,7 @@
 #include "manage_preferences.h"
 #include "manage_sql.h"
 #include "manage_sql_configs.h"
+#include "manage_sql_secinfo.h"
 #include "sql.h"
 #include "utils.h"
 
@@ -1214,6 +1215,153 @@ DEF_ACCESS (nvt_iterator_detection, GET_ITERATOR_COLUMN_COUNT + 19);
  */
 DEF_ACCESS (nvt_iterator_solution_method, GET_ITERATOR_COLUMN_COUNT + 20);
 
+/**
+ * @brief Get the EPSS score selected by severity from an NVT iterator.
+ *
+ * @param[in]  iterator  Iterator.
+ *
+ * @return The EPSS score.
+ */
+double
+nvt_iterator_epss_score (iterator_t* iterator)
+{
+  double ret;
+  if (iterator->done) return -1;
+  ret = iterator_double (iterator, GET_ITERATOR_COLUMN_COUNT + 21);
+  return ret;
+}
+
+/**
+ * @brief Get the EPSS percentile selected by severity from an NVT iterator.
+ *
+ * @param[in]  iterator  Iterator.
+ *
+ * @return The EPSS percentile.
+ */
+double
+nvt_iterator_epss_percentile (iterator_t* iterator)
+{
+  double ret;
+  if (iterator->done) return -1;
+  ret = iterator_double (iterator, GET_ITERATOR_COLUMN_COUNT + 22);
+  return ret;
+}
+
+/**
+ * @brief Get the CVE of the EPSS score by severity from an NVT iterator.
+ *
+ * @param[in]  iterator  Iterator.
+ *
+ * @return CVE-ID of the EPSS score, or NULL if iteration is complete.
+ *         Freed by cleanup_iterator.
+ */
+DEF_ACCESS (nvt_iterator_epss_cve, GET_ITERATOR_COLUMN_COUNT + 23);
+
+/**
+ * @brief Get the maximum severity of CVEs with EPSS info from an NVT iterator.
+ *
+ * @param[in]  iterator  Iterator.
+ *
+ * @return The severity score.
+ */
+double
+nvt_iterator_epss_severity (iterator_t* iterator)
+{
+  double ret;
+  if (iterator->done) return -1;
+  ret = iterator_double (iterator, GET_ITERATOR_COLUMN_COUNT + 24);
+  return ret;
+}
+
+/**
+ * @brief Get whether the NVT has a severity for the max severity EPSS score.
+ *
+ * @param[in]  iterator  Iterator.
+ *
+ * @return Whether the severity exists.
+ */
+gboolean
+nvt_iterator_has_epss_severity (iterator_t* iterator)
+{
+  gboolean ret;
+  if (iterator->done) return -1;
+  ret = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 24) != NULL;
+  return ret;
+}
+
+/**
+ * @brief Get the maximum EPSS score from an NVT iterator.
+ *
+ * @param[in]  iterator  Iterator.
+ *
+ * @return The maximum EPSS score.
+ */
+double
+nvt_iterator_max_epss_score (iterator_t* iterator)
+{
+  double ret;
+  if (iterator->done) return -1;
+  ret = iterator_double (iterator, GET_ITERATOR_COLUMN_COUNT + 25);
+  return ret;
+}
+
+/**
+ * @brief Get the maximum EPSS percentile from an NVT iterator.
+ *
+ * @param[in]  iterator  Iterator.
+ *
+ * @return The maximum EPSS percentile.
+ */
+double
+nvt_iterator_max_epss_percentile (iterator_t* iterator)
+{
+  double ret;
+  if (iterator->done) return -1;
+  ret = iterator_double (iterator, GET_ITERATOR_COLUMN_COUNT + 26);
+  return ret;
+}
+
+/**
+ * @brief Get the CVE of the maximum EPSS score from an NVT iterator.
+ *
+ * @param[in]  iterator  Iterator.
+ *
+ * @return CVE-ID of the maximum EPSS score, or NULL if iteration is complete.
+ *         Freed by cleanup_iterator.
+ */
+DEF_ACCESS (nvt_iterator_max_epss_cve, GET_ITERATOR_COLUMN_COUNT + 27);
+
+/**
+ * @brief Get the severity of the maximum EPSS score from an NVT iterator.
+ * @param[in]  iterator  Iterator.
+ *
+ * @return The severity score.
+ */
+double
+nvt_iterator_max_epss_severity (iterator_t* iterator)
+{
+  double ret;
+  if (iterator->done) return -1;
+  ret = iterator_double (iterator, GET_ITERATOR_COLUMN_COUNT + 28);
+  return ret;
+}
+
+/**
+ * @brief Get whether the NVT has a severity for the max EPSS score.
+ *
+ * @param[in]  iterator  Iterator.
+ *
+ * @return Whether the severity exists.
+ */
+gboolean
+nvt_iterator_has_max_epss_severity (iterator_t* iterator)
+{
+  gboolean ret;
+  if (iterator->done) return -1;
+  ret = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 28) != NULL;
+  return ret;
+}
+
 /**
  * @brief Get the default timeout of an NVT.
  *
@@ -2532,6 +2680,9 @@ manage_rebuild (GSList *log_config, const db_conn_info_t *database)
         break;
     }
 
+  if (ret == 0)
+    update_scap_extra ();
+
   feed_lockfile_unlock (&lockfile);
   manage_option_cleanup ();