@BuffaloWill
Last active April 1, 2022 18:44
Import VulnDB into the Serpico Template Database
# An example script to import VulnDB data into the Serpico Template database
# => Must be run from the Serpico root directory
#
# Serpico: https://github.com/MooseDojo/Serpico
# VulnDB: https://github.com/vulndb/data
# Author: https://github.com/BuffaloWill
require './model/master.rb'
require 'json'

# Directory containing vulndb JSON files
vulndb_dir = "[ADD ME PLS]" # e.g. /Users/username/data/db/

# Simple helper method rather than hand cleaning every string:
# blank lines become Serpico paragraph breaks, backticks become plain quotes
def c(value)
  c_value = value.gsub("\n\n", "<paragraph></paragraph>")
  c_value = c_value.gsub("`", "'")
  return c_value
end

# VulnDB text fields are either a String or an Array of lines. Anything else
# (for example a {"$ref" => ...} pointer from a newer schema) is rejected with a
# clear message instead of an undefined-method error deep inside the loop.
def text_of(value)
  return value if value.kind_of?(String)
  return value.join(" ") if value.kind_of?(Array)
  raise ArgumentError, "unsupported field value #{value.inspect} (VulnDB schema change?)"
end

# Iterate the VulnDB database, reading only the JSON entry files
Dir.entries(vulndb_dir).each do |json_file|
  next unless json_file.end_with?(".json")

  # Read in the JSON file and store as json obj
  file = File.read(File.join(vulndb_dir, json_file))
  json_data = JSON.parse(file)

  #### Change this portion if the VulnDB Schema changes
  finding = {}
  puts "|+| Importing #{json_data["title"]}"
  finding["title"] = c(json_data["title"])
  finding["overview"] = "<paragraph>" + c(text_of(json_data["description"])) + "</paragraph>"
  if json_data["fix"]["guidance"].kind_of?(Array)
    finding["remediation"] = "<paragraph>" + c(json_data["fix"]["guidance"].join(" ")) + "</paragraph>"
  else
    finding["remediation"] = c(text_of(json_data["fix"]["guidance"]))
  end
  finding["references"] = "<paragraph>VulnDB: https://github.com/vulndb/data</paragraph>"
  if json_data["references"] != nil
    json_data["references"].each do |ref|
      finding["references"] += "<paragraph>" + c(ref["url"]) + "</paragraph>"
    end
  end
  finding["type"] = "Imported"
  finding["approved"] = true
  # VulnDB severity -> Serpico risk rating
  finding["risk"] = 1 if json_data["severity"] == "informational"
  finding["risk"] = 2 if json_data["severity"] == "low"
  finding["risk"] = 3 if json_data["severity"] == "medium"
  finding["risk"] = 4 if json_data["severity"] == "high"
  # TODO: add a true DREAD score calculator
  finding["damage"] = 1
  finding["reproducability"] = 1
  finding["exploitability"] = 1
  finding["affected_users"] = 1
  finding["discoverability"] = 1
  finding["dread_total"] = 5
  ####

  # write the database (DataMapper's create already persists the record)
  TemplateFindings.create(finding)
end
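As an added example (not part of the gist above), the same field mapping written as testable functions with no database attached, so the conversion can be checked before anything is written to Serpico. It also resolves the description and guidance fields whether they are a String, an Array, or the {"$ref" => "#/files/description/NN"} Hash that several commenters below run into. The one assumption is how a $ref resolves: "#/files/description/22" is taken to name description/22.md under the VulnDB db directory; the sample entry and its markdown file are constructed here and are not real VulnDB content.

```ruby
require 'json'
require 'fileutils'
require 'tmpdir'

# VulnDB severity -> Serpico risk, the same 1..4 mapping the gist uses.
SEVERITY_TO_RISK = { "informational" => 1, "low" => 2, "medium" => 3, "high" => 4 }.freeze

# Serpico template text uses <paragraph> markup (this is the gist's c() helper).
def clean(value)
  value.gsub("\n\n", "<paragraph></paragraph>").gsub("`", "'")
end

# A VulnDB text field may be a String, an Array of lines, or a {"$ref" => "#/files/<kind>/<id>"}
# pointer (the Hash behind the NoMethodError in the comments).
# ASSUMPTION: the pointer names the file <vulndb_dir>/<kind>/<id>.md.
def field_text(value, vulndb_dir)
  case value
  when String then value
  when Array  then value.join(" ")
  when Hash
    m = value["$ref"].to_s.match(%r{\A\#/files/(\w+)/(\w+)\z})
    raise ArgumentError, "unresolvable field #{value.inspect}" unless m
    File.read(File.join(vulndb_dir, m[1], "#{m[2]}.md")).strip
  else raise ArgumentError, "unsupported field type #{value.class}"
  end
end

# Build the Hash the gist hands to TemplateFindings.create, with no database involved,
# so the mapping can be checked before anything is written.
def build_finding(json_data, vulndb_dir)
  refs = ["<paragraph>VulnDB: https://github.com/vulndb/data</paragraph>"]
  (json_data["references"] || []).each { |r| refs << "<paragraph>#{clean(r["url"])}</paragraph>" }
  { "title"       => clean(json_data["title"]),
    "overview"    => "<paragraph>#{clean(field_text(json_data["description"], vulndb_dir))}</paragraph>",
    "remediation" => "<paragraph>#{clean(field_text(json_data["fix"]["guidance"], vulndb_dir))}</paragraph>",
    "references"  => refs.join, "type" => "Imported", "approved" => true,
    "risk"        => SEVERITY_TO_RISK.fetch(json_data["severity"]) }
end

# Constructed sample (not real VulnDB content): one entry whose description is a $ref pointer.
def sample_vulndb_dir
  dir = Dir.mktmpdir("vulndb")
  FileUtils.mkdir_p(File.join(dir, "description"))
  File.write(File.join(dir, "description", "22.md"), "Cookie lacks the HttpOnly flag.\n\nScripts can read it.\n")
  entry = { "title" => "HttpOnly cookie", "severity" => "low",
            "description" => { "$ref" => "#/files/description/22" },
            "fix" => { "guidance" => ["Set the `HttpOnly` attribute", "on the cookie."] } }
  File.write(File.join(dir, "22.json"), JSON.generate(entry))
  dir
end
```

When walking a real db directory, select entries with Dir.glob(File.join(vulndb_dir, "*.json")) rather than Dir.entries, so the description/ subdirectory is never handed to JSON.parse.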
@voidnecron

Hi,

Question, I keep getting ruby errors while running this script and I can't seem to find what's wrong.
root@box:/opt/Serpico/Serpico# ruby scripts/import_vulndb_serpico.rb
/usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require': cannot load such file -- data_mapper (LoadError)
	from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
	from /opt/Serpico/Serpico/model/master.rb:2:in `<top (required)>'
	from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
	from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
	from scripts/import_vulndb_serpico.rb:8:in `<main>'

Can you give me a pointer? I've tried Debian and Ubuntu, both fully updated and ruby-full installed.

Cheers,
/V

@Arfi2017

I am facing the same problem as you. I don't know if the problem is in the path; I have already tried the pre-built version, but still can't load any finding from the db.
Regards

@SchellerCyberSecurity

I fixed the data_mapper issue by running gem install data_mapper and running the script from the root Serpico directory; however, now I am getting a different error:

/usr/lib/ruby/vendor_ruby/data_objects/pooling.rb:149: warning: constant ::Fixnum is deprecated
|+| Importing Insecure SSL version enabled
Traceback (most recent call last):
	2: from scripts/import_vulndb.rb:22:in `<main>'
	1: from scripts/import_vulndb.rb:22:in `each'
scripts/import_vulndb.rb:35:in `block in <main>': undefined method `join' for {"$ref"=>"#/files/description/66"}:Hash (NoMethodError)

@BuffaloWill
Author

@voidnecron / @Arfi2017, you are missing the data_mapper gem. Please run bundle install or, as @SchellerCyberSecurity said, gem install data_mapper.

@noahlevinasdf

I have run bundle install and gem install data_mapper. It does not appear that the problem is in the path. The error I get is:

|+| Importing HttpOnly cookie
scripts/import_vulndb.rb:35:in `block in <main>': undefined method `join' for {"$ref"=>"#/files/description/22"}:Hash (NoMethodError)
Did you mean?  JSON
	from scripts/import_vulndb.rb:22:in `each'
	from scripts/import_vulndb.rb:22:in `<main>'

@TH3xACE

TH3xACE commented May 9, 2020

I am facing the same issue as @noahlevinasdf:

|+| Importing HttpOnly cookie
scripts/import_vulndb.rb:35:in `block in <main>': undefined method `join' for {"$ref"=>"#/files/description/22"}:Hash (NoMethodError)
Did you mean?  JSON
	from scripts/import_vulndb.rb:22:in `each'
	from scripts/import_vulndb.rb:22:in `<main>'

Can you please help with this issue?
