@sei-vsarvepalli
Last active August 12, 2022 17:22
Friendly display of CVE 5 Affected Products information

CVE QWG Affected Products Viewer

Description

The CVE Quality Working Group (QWG) has been working to support the CVE Website project in displaying the Affected Products section of a CVE5 JSON record.

The files here, display.html and pv.js, attempt to do so. You can see a live demo of how this will work at https://democert.org/vulnogram/pview/

Please contribute comments or help create a better user experience for the people who will visit CVE's new website, which is set to launch in Q4 2022.

References

https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/docs/versions.md#source-control-versions
https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json
https://www.cve.org/Resources/General/Key-Details-Phrasing.pdf
https://github.com/Vulnogram/seaview
CVEProject/cve-website#782

Some interesting CVEs to check out

https://democert.org/vulnogram/pview/#CVE-2020-1010
https://democert.org/vulnogram/pview/#CVE-2019-7590
https://democert.org/vulnogram/pview/#CVE-2019-15001
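Added example (not part of the gist): a status lookup that applies the same CVE 5 version fields pv.js renders (version, lessThan, lessThanOrEqual, changes and defaultStatus) to decide whether one given version of a product is affected, rather than only listing the ranges. It assumes dotted-numeric versions, reads a trailing `*` bound such as `2.*` as the whole 2.x series, and falls back to the entry's defaultStatus for git ranges because commits cannot be ordered without the repository; the sample record is a constructed copy of "Product 1" from pv.js.

```javascript
// Added example, not part of the gist: decide the status of one version
// against a CVE 5 "affected" entry using the fields pv.js renders
// (version, lessThan, lessThanOrEqual, changes, defaultStatus). Assumes
// dotted-numeric versions and that "2.*" covers the whole 2.x series;
// git ranges are skipped since commits cannot be ordered without the repo.
function cmp(a, b) {
  // Numeric compare of dotted versions; a "*" component in b matches any
  // continuation, so "2.5.2" compares equal to both "2.*" and "*".
  const pa = String(a).split('.'), pb = String(b).split('.');
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    if (pb[i] === '*') return 0;
    const x = parseInt(pa[i] || '0', 10), y = parseInt(pb[i] || '0', 10);
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function inRange(v, ver) {
  if (cmp(v, ver.version) < 0) return false;
  if (ver.lessThan !== undefined) {
    // A wildcard bound keeps the whole series inside the range; a concrete
    // lessThan bound is exclusive.
    const wild = String(ver.lessThan).endsWith('*');
    return wild ? cmp(v, ver.lessThan) <= 0 : cmp(v, ver.lessThan) < 0;
  }
  if (ver.lessThanOrEqual !== undefined) return cmp(v, ver.lessThanOrEqual) <= 0;
  return cmp(v, ver.version) === 0; // no bound: exactly one version
}

function statusOf(entry, v) {
  for (const ver of entry.versions || []) {
    if (ver.versionType === 'git' || !inRange(v, ver)) continue;
    // Inside a range the last "changes" entry at or below v wins; sort
    // first so an unordered changes list still evaluates correctly.
    let status = ver.status;
    const changes = [...(ver.changes || [])].sort((x, y) => cmp(x.at, y.at));
    for (const c of changes) if (cmp(c.at, v) <= 0) status = c.status;
    return status;
  }
  return String(entry.defaultStatus || 'unknown').toLowerCase();
}

// Constructed sample mirroring "Product 1" from the gist's init record.
const PRODUCT1 = {
  vendor: 'Vendor 1', product: 'Product 1', defaultStatus: 'Unknown',
  versions: [{ version: '2.0.0', versionType: 'semver', lessThan: '2.*',
    status: 'affected', changes: [{ at: '2.5.2', status: 'unaffected' },
      { at: '2.6.0', status: 'affected' }, { at: '2.6.3', status: 'unaffected' }] }]
};
for (const v of ['1.9.9', '2.0.0', '2.5.2', '2.6.2', '2.99.1', '3.0.0'])
  console.log(v + ': ' + statusOf(PRODUCT1, v));
```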

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8"/>
<meta content="width=device-width, initial-scale=1.0" name="viewport" />
<title> CVE Product viewer </title>
<link rel="stylesheet"
href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css"
integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T"
crossorigin="anonymous">
<script src="https://code.jquery.com/jquery-3.5.1.min.js"
integrity="sha384-ZvpUoO/+PpLXR1lu4jmpXWu80pZlYUAfxl5NsBMWOEPSjUn/6Z/hRTt8+pR6L4N2"
crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js"
integrity="sha384-UO2eT0CpHqdSJQ6hJty5KVphtPhzWj9WO1clHTMGa3JDZwrnQq4sF86dIHNDz0W1"
crossorigin="anonymous"></script>
<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js"
integrity="sha384-JjSmVgyd0p3pXB1rRibZUAYoIIy6OrQ6VrjIEaFf/nJGzIxFDsf4x0xIM+B07jRM"
crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/d3/3.5.17/d3.min.js" async defer
integrity="sha384-N8EP0Yml0jN7e0DcXlZ6rt+iqKU9Ck6f1ZQ+j2puxatnBq4k9E8Q6vqBcY34LNbn"
crossorigin="anonymous"></script>
</head>
<body class="text-center">
<div class="cover-container d-flex h-100 p-3 mx-auto flex-column">
<header class="top-container" style="margin-bottom: auto!important; visibility:hidden">
<div class="inner">
<h3 class="brand">
<a class="wordmark" href="https://www.cmu.edu">
<img src="/cmu-logo.png"/>
</a>
</h3>
<nav class="nav nav-head justify-content-center">
<span style="padding-left: 2rem"></span>
<a class="nav-link active" href="https://democert.org/">Home</a>
<span style="padding-left: 2rem"></span>
<a class="nav-link" href="https://kb.cert.org/">Vuls KB</a>
<span style="padding-left: 2rem"></span>
<a class="nav-link" href="https://github.com/CERTCC/PoC-Exploits">Software</a>
<span style="padding-left: 2rem"></span>
<a class="nav-link" href="https://www.sei.cmu.edu/contact-us/">Contact</a>
<span style="padding-left: 2rem"></span>
</nav>
</div>
<style>
strong.status {
background: #eee;
padding: 2px;
border: 1px solid white;
border-radius: 5px;
}
li.products {
list-style: none;
}
blockquote.vendorproductstatus {
padding-left: 4px;
border-left: 2px solid grey;
margin-left: 6px;
}
</style>
</header>
<div class="container">
<div class="row">
<h4> CVE Product viewer </h4>
<h6>
A simple product viewer that represents CVE5 JSON to prose simple text
for ease of reading impacted products from a CVE record.
</h6>
</div>
<div class="row">
<div class="col-sm">
<div class="input-group input-group-lg">
<input type="text" class="form-control" id="cve" placeholder="Load CVE#"/>
<button class="btn btn-primary" onclick="update()">Go</button>
</div>
<textarea class="form-control" placeholder="Add JSON" id="tjson">
</textarea>
</div>
<div class="col-sm">
<div id="pv">
</div>
</div>
</div>
</div>
<footer class="mastfoot mt-auto">
<div class="inner shift-top">
<div id="sponsorbar">
<div class="row bottom-space justify-content-between">
<div class="large-12 medium-12 columns" style="visibility:hidden">
<p>Sponsored by
<a href="https://www.cisa.gov/cybersecurity"
target="_blank" rel="noopener">CISA.</a> </p>
</div>
<div class="float-right" style="display:none">
Explore other &nbsp;
<a href="https://www.ntia.gov/SBOM" target="_blank"
class="float-right">
NTIA SBOM Efforts</a>
</div>
</div>
</div>
</div>
</footer>
</div>
<script>
$.getScript("pv.js").fail(function() {
console.log(arguments);
});
</script>
</body>
</html>
let init = {
"containers": {
"cna": {
"affected": [
{
"product": "Product 1",
"vendor": "Vendor 1",
"defaultStatus": "Unknown",
"versions": [
{
"version": "2.0.0",
"versionType": "semver",
"lessThan": "2.*",
"status": "affected",
"changes": [
{
"at": "2.5.2",
"status": "unaffected"
},
{
"at": "2.6.0",
"status": "affected"
},
{
"at": "2.6.3",
"status": "unaffected"
}
]
}
]
},
{
"product": "Product 2",
"vendor": "Vendor 1",
"defaultStatus": "Affected",
"versions": [
{
"version": "0",
"versionType": "git",
"lessThan": "*",
"repo": "https://github.com/example/test",
"status": "unaffected",
"changes": [
{
"at": "123abc...",
"status": "affected"
},
{
"at": "234bcd...",
"status": "unaffected"
},
{
"at": "567ef0...",
"status": "unaffected"
}
]
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Sample from CVE Project"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Elevation of Privilege",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2100-06-17T00:00:00",
"orgId": "f38d0000-7300-4000-92c1-6c4a2c647800",
"shortName": "cveproject"
},
"references": [
{
"tags": [
"related",
"x_refsource_MISC"
],
"url": "https://mitre.org"
}
],
"state": "PUBLISHED",
"cveId": "CVE-2100-1000",
"dateUpdated": "2100-06-17T00:00:00",
"shortName": "cveproject",
"cvssList": []
}
},
"cveMetadata": {
"assignerOrgId": "f38d0000-7300-4000-92c1-6c4a2c647800",
"assignerShortName": "cveproject",
"cveId": "CVE-2100-1000",
"dateUpdated": "2100-06-17T00:00:00",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.0"
}
function loadCVE(value) {
// A CVE id splits into its year and a thousands "bucket" (all digits but the
// last three), which is how the cvelistV5 repository lays out its folders.
var realId = value.toUpperCase().match(/(CVE-(\d{4})-(\d{1,12})(\d{3}))/);
if (realId) {
$('#cve').val(value.toUpperCase());
var id = realId[1];
var year = realId[2];
var bucket = realId[3];
var jsonURL = 'https://github.com/CVEProject/cvelistV5/tree/master/review_set/' + year + '/' + bucket + 'xxx/' + id + '.json'
fetch('https://raw.githubusercontent.com/CVEProject/cvelistV5/master/review_set/' + year + '/' + bucket + 'xxx/' + id + '.json', {
method: 'GET',
credentials: 'omit',
headers: {
'Accept': 'application/json, text/plain, */*'
},
redirect: 'error'
})
.then(function (response) {
if (!response.ok) {
throw Error(id + ' ' + response.statusText);
}
return response.json();
})
.then(function (res) {
if (res.containers) {
update(res);
} else {
alert("CVE does not have correct information");
}
})
.catch(function (error) {
alert("Error in collecting CVE record for " + error.message);
})
} else {
alert("CVE number is invalid "+value);
}
return false;
}
// Escape text taken from the record before it is placed into HTML, since the
// JSON may come from the pasted textarea or a fetched file.
function esc(s) {
return String(s).replace(/[&<>"']/g, function (ch) {
return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[ch];
});
}
function vparse(cve) {
var rstring = '<div><ul>';
for(var i=0; i<cve.containers.cna.affected.length; i++) {
var p = cve.containers.cna.affected[i];
rstring += '<li class="products text-left"> ';
rstring += '<strong class="vendor">' + esc(p.vendor) + '</strong> - ';
rstring += '&nbsp; ';
rstring += '<strong class="product">' + esc(p.product) + '</strong>';
rstring += '<blockquote class="vendorproductstatus">';
rstring += '<div class="defaultStatus">Default Status: ';
rstring += '<strong class="status"> ' +
esc('defaultStatus' in p ? p.defaultStatus : 'Unknown') +
'</strong> </div>';
if(p.versions) {
var rows = {
affected: [],
unaffected: [],
unknown: []
};
// Group each version range under its status; a status value the schema
// does not define lands under "unknown" instead of throwing.
var bucket = function(status) {
return rows[status in rows ? status : 'unknown'];
};
for(const v of p.versions) {
if(v.lessThan) {
bucket(v.status).push('<code class="versionnumber">' + esc(v.version) + '</code> before <code class="versionnumber">' + esc(v.lessThan) + '</code>');
} else if(v.lessThanOrEqual) {
bucket(v.status).push('<code class="versionnumber"> ' + esc(v.version) + '</code> through <code class="versionnumber">' + esc(v.lessThanOrEqual) + '</code>');
} else {
bucket(v.status).push('<code class="versionnumber">' + esc(v.version) + '</code>');
}
if(v.version && v.changes) {
// Each "changes" entry switches the status from the given version onward.
for(const c of v.changes) {
bucket(c.status).push('from <code class="versionnumber">' + esc(c.at) + '</code>');
}
}
}
for(const r of Object.keys(rows)) {
if(rows[r].length) {
rstring += '<strong class="status">' + r + '</strong> <ul>';
for(const l of rows[r]) {
rstring += '<li class="statusrow">' + l + '</li>';
}
rstring += '</ul>';
}
}
rstring += '</blockquote>';
} else {
console.log(p);
rstring += 'No versions listed';
}
rstring += '</li>';
}
return rstring + '</ul></div>';
}
$('#tjson').on("change",function() {
this.style.height = "";
this.style.height = this.scrollHeight + "px";
});
$('#tjson').val(JSON.stringify(init,null,3)).trigger('change');
function update(p) {
if(!p) {
if($('#cve').val())
return loadCVE($('#cve').val());
else
p = JSON.parse($('#tjson').val());
}
// Only render records that carry the CVE 5 "containers" object; a bare
// value pasted into the textarea would otherwise throw on the "in" test.
if(p && typeof p === 'object' && 'containers' in p)
$('#pv').html(vparse(p));
$('#tjson').val(JSON.stringify(p,null,3)).trigger('change');
}
if(location.hash)
loadCVE(location.hash.substr(1))
else
update(init);
{
"containers": {
"cna": {
"affected": [
{
"product": "Product 1",
"vendor": "Vendor 1",
"versions": [
{
"version": "2.0.0",
"versionType": "semver",
"lessThan": "2.*",
"status": "affected",
"changes": [
{
"at": "2.5.2",
"status": "unaffected"
},
{
"at": "2.6.0",
"status": "affected"
},
{
"at": "2.6.3",
"status": "unaffected"
}
]
}
]
},
{
"product": "Product 2",
"vendor": "Vendor 1",
"versions": [
{
"version": "0",
"versionType": "git",
"lessThan": "*",
"repo": "https://github.com/example/test",
"status": "unaffected",
"changes": [
{
"at": "123abc...",
"status": "affected"
},
{
"at": "234bcd...",
"status": "unaffected"
},
{
"at": "567ef0...",
"status": "unaffected"
}
]
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Sample from CVE Project"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Elevation of Privilege",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2100-06-17T00:00:00",
"orgId": "f38d0000-7300-4000-92c1-6c4a2c647800",
"shortName": "cveproject"
},
"references": [
{
"tags": [
"related",
"x_refsource_MISC"
],
"url": "https://mitre.org"
}
],
"state": "PUBLISHED",
"cveId": "CVE-2100-1000",
"dateUpdated": "2100-06-17T00:00:00",
"shortName": "cveproject",
"cvssList": []
}
},
"cveMetadata": {
"assignerOrgId": "f38d0000-7300-4000-92c1-6c4a2c647800",
"assignerShortName": "cveproject",
"cveId": "CVE-2100-1000",
"dateUpdated": "2100-06-17T00:00:00",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.0"
}