CVE Provider¶

This provider allows access to CVEs associated with a project. It relies on a hook to know what CVEs belong to that project and uses heuristics to determine which revision fixed a certain CVE.

Module for the CVEProvider.

class varats.provider.cve.cve_provider.CVEProviderHook(*args, **kwargs)[source]¶

Bases: Protocol

Gives the CVEProvider the necessary information how to find CVEs and CWEs for a project.

This class should be inherited by projects.

classmethod get_cve_product_info()[source]¶

Get information on how to find CVEs for a project.

Return type:: List[Tuple[str, str]]
Returns:: a tuple (vendor, product)

class varats.provider.cve.cve_provider.CVEProvider(project)[source]¶

Bases: Provider

Provides CVE and CWE information for a project.

classmethod create_provider_for_project(project)[source]¶

Creates a provider instance for the given project if possible.

Return type:: Optional[CVEProvider]
Returns:: a provider instance for the given project if possible, otherwise, None

classmethod create_default_provider(project)[source]¶

Creates a default provider instance that can be used with any project.

Return type:: CVEProvider
Returns:: a default provider instance

get_revision_cve_tuples()[source]¶

Get all CVEs associated with this provider’s project along with the fixing commits/versions.

Return type:: Set[Tuple[FullCommitHash, FrozenSet[CVE]]]
Returns:: a set of tuples of commit hash and cves

class varats.provider.cve.cve_provider.CVEDefaultProvider(project)[source]¶

Bases: CVEProvider

Default implementation of the CVE provider for projects that do not (yet) support CVEs.

get_revision_cve_tuples()[source]¶

Get all CVEs associated with this provider’s project along with the fixing commits/versions.

Return type:: Set[Tuple[FullCommitHash, FrozenSet[CVE]]]
Returns:: a set of tuples of commit hash and cves

Helper to search, retrieve and parse CVE’s and CWE’s.

Example

CVE.find_all_cve(‘vim’, ‘vim’) CVE.find_cve(‘CVE-2019-20079’) CWE.find_all_cwe()

class varats.provider.cve.cve.CVE(cve_id, score, published, vector, references, summary, vulnerable_versions)[source]¶

Bases: object

CVE representation with the major fields.

Mainly a data object to store everything. Uses the API at https://cve.circl.lu/api/search/ to find entries.

property cve_id: str¶: The CVE ID.

property score: float¶: The score of this CVE.

property published: datetime¶: The date when this CVE was published.

property vector: FrozenSet[str]¶: The CVE vector.

property references: FrozenSet[str]¶: A set of external references/urls.

property summary: str¶: The summary of the CVE.

property vulnerable_versions: FrozenSet[Version]¶: The set of vulnerable version numbers.

property url: str¶: The URL to the Mitre entry.

class varats.provider.cve.cve.CWE(cwe_id, name, description)[source]¶

Bases: object

CWE representation with the major fields.

Mainly a data object to store everything.

property cwe_id: str¶: The CWE ID.

property name: str¶: The name of this CWE.

property description: str¶: The CWE description.

property url: str¶: The URL to the Mitre entry.

varats.provider.cve.cve.find_all_cve(vendor, product)[source]¶

Find all CVE’s for a given vendor and product combination.

Parameters:

vendor (str) – vendor to search for
product (str) – product to search for

Return type:

FrozenSet[CVE]

Returns:

a set of CVE objects.

varats.provider.cve.cve.find_cve(cve_id)[source]¶

Find a CVE by its ID (CVE-YYYY-XXXXX).

Parameters:: cve_id (str) – CVE id to search for
Return type:: CVE
Returns:: a CVE object

varats.provider.cve.cve.find_all_cwe()[source]¶

Create a set of all CWE’s. The set with CWE numbers is downloaded from.

@https://cwe.mitre.org/data/downloads.html.

Return type:: FrozenSet[CWE]
Returns:: a set of CWE objects

varats.provider.cve.cve.find_cwe(cwe_id='', cwe_name='', cwe_description='')[source]¶

Find a CWE by its attributes (ID (CWE-XXX), name, description).

Parameters:

cwe_id (str) – the ID of the CWE to search for
cwe_name (str) – the name of the CWE to search for
cwe_description (str) – the description of the CWE to search for

Return type:

CWE

Returns:

a CWE if one is found, otherwise raise a ValueError

Map commits with resolved CVE’s and CWE’s based on multiple strategies.

Example Calls:

generate_security_commit_map(
    path=Path('/home/vara/repos/vim'),
    vendor='vim',
    product='vim'
)
generate_security_commit_map(
    path=Path('/home/vara/repos/tensorflow'),
    vendor='google',
    product='tensorflow'
)

Example Output:

{
    799: {
        'commit': '76b92b2830841fd4e05006cc3cad1d8f0bc8101b',
        'cve': [CVE-2008-3432],
        'cwe': []
    },
    [..]
}

class varats.provider.cve.cve_map.CVEDictEntry[source]¶

Bases: TypedDict

cve: Set[CVE]¶

cwe: Set[CWE]¶

varats.provider.cve.cve_map.generate_cve_map(repo, products, end='HEAD', start=None, only_precise=True)[source]¶

Generate a commit map for a repository including the commits ]start..end] if they contain a fix for a CVE or CWE.

Commands to grep commit messages for CVE’s/CWE’s:

git --no-pager log --all --pretty=format:'%H %d %s' --grep="CVE-"
git --no-pager log --all --pretty=format:'%H %d %s' --grep="CWE-"
git --no-pager log --all --tags --pretty="%H %d %s"

But since this does not work in all projects, also look in the CVE/CWE database for matching entries.

Parameters:

path – path to the git repo of the project to get the map for
products (List[Tuple[str, str]]) – a list of tuples used for querying the CVE database
end (str) – newest revision to consider
start (Optional[str]) – oldest revision to consider
only_precise (bool) – only include CVEs where an exact fixing commit can be identified

Return type:

Dict[FullCommitHash, CVEDictEntry]

Returns:

a map revision -> set of CVEs fixed by that revision