Skip to content

Latest commit

 

History

History
128 lines (100 loc) · 6.71 KB

README.md

File metadata and controls

128 lines (100 loc) · 6.71 KB

Victims CVE Database Database Validation Status

This database contains information regarding CVE(s) that affect various language modules. We currently store version information corresponding to respective modules as understood by select sources.

Language Module Type Metadata
Python PyPi Package name, version
Java Maven Artifact groupId, artifactId, version

This project is inspired by the great work done by the people at RubySec.

Notes on CVE(s)

If you already have a CVE assigned to your project and would like us to create an entry for it with the correct coordinates, you can send us a pull request or create an issue here with CVE details and affected components. For more details refer to the Contributing section of this document.

If you are a project owner/maintainer wanting to request for a CVE, a good resource regarding this is available here.

Contributing

We are always looking for contributors. If you would like to submit a new entry or make an update to an existing entry, feel free to send a pull request or create an issue here on GitHub.

Please do refer to the Database Internals section when making contributions.

Validating changes/submissions

You can validate your commits on your branch or local repository by:

# Validates all changes *.yaml files in database compared to upstream/master
bash validation/git-change-validate.sh

If you just want to validate a YAML file, you can run the provided python script:

# This requires PyYAML, all requirements are listed in validation/requirements.txt
# pip install -r validation/requirements.txt

# The validation script
python validation/validate_yaml.py <language> file1 [file2 ... fileN]

Database Internals

Each CVE entry in the database is stored as a YAML file.

Database File Storage Structure

The following structure is employed to store entries:

victims-cve-db/database/<language>/<year>/<cve-id>.yaml

As an example, the entry for CVE-2012-1150 would be:

victims-cve-db/database/python/2012/1150.yaml

The YAML Document

The document requires all required fields in the Common Content Schema.

Common Content Schema

Field Requirement Type Description
cve required string:YYYY-[0-9]* The CVE ID identifying the security flaw.
title required string The flaw's title or short summary.
description optional text Long description of the flaw.
cvss_v2 optional float The CVSS v2 score for the flaw.
references optional list:url Reference url(s) for the flaw.
affected required list:language-module Affected language modules.
hash added later string Hash of the overall package.
file_hashes added later list: dict of hash and name Hashes for specific files in the package
package_urls required list List of urls pointing to known vulnerable packages. Used for hashing.

package_url

The package_url field currently supports a templated http string. There will be future supported added for real package-urls. In the meantime the template string supports a few fields which are generated from the victims-cve-db entry itself:

Name Description
name The name of the artifact
version The version number of the artifact

Example package_url templates include:

http://repo.maven.apache.org/maven2/HTTPClient/HTTPClient/{version}/HTTPClient-{version}.jar
http://repo.spring.io/release/org/aspectj/{name}/{version}/{name}-{version}.jar  

This will be expanded when doing package hashing for each affected version in the victims-cve-db entry. As an example if http://example.org/{name}-{version}.jar had a name of test a single affected of <=2.18.2,2.18 the hashing would expand to pull down

You can generate package-urls using a legacy victims-cve-db formatted yaml. The legacy format did not contain package-urls, and only contained version-string. Use the victims-db-builder project to generate package-urls.

Note: Java archives will have their name pulled from artifactId.

version-string: common

The version strings across all languages are expecte to match the regex:

^(?P<condition>[><=]=)(?P<version>[^, ]+)(?:,(?P<series>[^, ]+)){0,1}$

Examples: <=2.6.1,2.6, ==2.7.0, >=1.0.1_Beta

Which enforces the format <condition><version>[,<series>]. Commas (,) and spaces ( ) are considered illegal in <version> and <series> strings.

The <series> string is optional and only used to set boundaries for version ranges. For example, in <=2.6.1,2.6, the series is 2.6 and indicates that only versions in the 2.6.x series with x<=1 is captured.

language-module: python

Field Requirement Type Description
name required string Affected package name. Use PyPi name where possible.
version required list:version-string Versions that are vulnerable to this CVE.
fixedin optional list:version-string Versions that contain a fix for this CVE.
unaffected optional list:version-string Versions that are not vulnerable to this CVE, this excludes the versions that are in fixedin.

language-module: java

Field Requirement Type Description
groupId required string Maven groupId of the affected artifact.
artifactId required string Maven artifactId of the affected artifact.
version required list:version-string Versions that are vulnerable to this CVE.
fixedin optional list:version-string Versions that contain a fix for this CVE.
unaffected optional list:version-string Versions that are not vulnerable to this CVE, this excludes the versions that are in fixedin.