Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding the new NIST CVE Tracking feature for 3.x release. #365

Open
wants to merge 15 commits into
base: next3.0
Choose a base branch
from

Conversation

bminnix
Copy link

@bminnix bminnix commented Aug 8, 2024

Closes: #80

This issue was marked as closed, but then briefly discussed in #81 that is open regarding last_modified_date (or similar). See summary below.

What's Changed

Summary:

New "NIST - Software CVE Search" Job

image

Job Results

image

@bminnix bminnix force-pushed the app-nist-cve-sync3.0 branch 3 times, most recently from 9e9de39 to 7cf3d04 Compare August 10, 2024 06:31
@bminnix bminnix changed the title Adding the new NIST CVE Tracking feature to the next3.0 base. Adding the new NIST CVE Tracking feature for 3.x release. Aug 10, 2024
@bminnix bminnix force-pushed the app-nist-cve-sync3.0 branch 2 times, most recently from 3dfb613 to 1d7f8bd Compare August 12, 2024 17:40
nautobot_device_lifecycle_mgmt/jobs/cve_tracking.py Outdated Show resolved Hide resolved
nautobot_device_lifecycle_mgmt/jobs/cve_tracking.py Outdated Show resolved Hide resolved
nautobot_device_lifecycle_mgmt/jobs/cve_tracking.py Outdated Show resolved Hide resolved
nautobot_device_lifecycle_mgmt/jobs/cve_tracking.py Outdated Show resolved Hide resolved
nautobot_device_lifecycle_mgmt/jobs/cve_tracking.py Outdated Show resolved Hide resolved
nautobot_device_lifecycle_mgmt/jobs/cve_tracking.py Outdated Show resolved Hide resolved
"""Converts CVE info into DLC Model compatibility."""
cve = cve_json

# cve_base = cve["vulnerabilities"][0]['cve']
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this still needed?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe the last commit resolved this.

nautobot_device_lifecycle_mgmt/jobs/cve_tracking.py Outdated Show resolved Hide resolved
def __init__(self):
"""Initializing job with extra options."""
super().__init__()
self.nist_api_key = getenv("NAUTOBOT_DLM_NIST_API_KEY")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thinking about this again. We should move this to the plugin config and set the default in app init. Then we can do:

self.nist_api_key = PLUGIN_CFG["NAUTOBOT_DLM_NIST_API_KEY"]

Also, we should guard for this being empty and return early with error.

nautobot_device_lifecycle_mgmt/jobs/cve_tracking.py Outdated Show resolved Hide resolved
Comment on lines 176 to 177
@staticmethod
def create_cpe_software_search_urls(vendor: str, platform: str, version: str) -> list:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this method is needed. We are making call to the external code, we could move it to the caller method.

self.associate_software_to_cve(software.id, matching_dlc_cve.id)
if str(cve_info["modified_date"][0:10]) != str(matching_dlc_cve.last_modified_date):
self.update_cve(matching_dlc_cve, cve_info)
continue
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not needed.

Suggested change
continue

Comment on lines +161 to +164
def associate_software_to_cve(self, software_id, cve_id):
"""A function to associate software to a CVE."""
cve = CVELCM.objects.get(id=cve_id)
software = SoftwareVersion.objects.get(id=software_id)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We already have those objects in the method that's calling this one. Perhaps we could get rid of this method and do the association directly in the calling method.


self.logger.info("Created New CVEs.", extra={"grouping": "CVE Creation"})

def get_cve_info(self, cpe_software_search_urls: list, software_id=None) -> dict:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We already have SoftwareVersion object in the calling method so it's probably better to use that instead of passing software_id around.

extra={"object": SoftwareVersion.objects.get(id=software_id), "grouping": "CVE Creation"},
)
cve_list = [cve["cve"] for cve in result["vulnerabilities"]]
dlc_cves = [cve.name for cve in CVELCM.objects.all()]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
dlc_cves = [cve.name for cve in CVELCM.objects.all()]
dlc_cves = CVELCM.objects.values_list("name", flat=True)

Comment on lines +253 to +264
if cve_list:
for cve in cve_list:
cve_name = cve["id"]
if cve_name.startswith("CVE"):
if cve_name not in dlc_cves:
processed_cve_info["new"].update({cve_name: self.prep_cve_for_dlc(cve)})
else:
processed_cve_info["existing"].update({cve_name: self.prep_cve_for_dlc(cve)})
self.logger.info(
"Prepared %s CVE for creation." % len(processed_cve_info["new"]),
extra={"object": SoftwareVersion.objects.get(id=software_id), "grouping": "CVE Creation"},
)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if cve_list:
for cve in cve_list:
cve_name = cve["id"]
if cve_name.startswith("CVE"):
if cve_name not in dlc_cves:
processed_cve_info["new"].update({cve_name: self.prep_cve_for_dlc(cve)})
else:
processed_cve_info["existing"].update({cve_name: self.prep_cve_for_dlc(cve)})
self.logger.info(
"Prepared %s CVE for creation." % len(processed_cve_info["new"]),
extra={"object": SoftwareVersion.objects.get(id=software_id), "grouping": "CVE Creation"},
)
if not cve_list:
return processed_cve_info
for cve in cve_list:
cve_name = cve["id"]
if not cve_name.startswith("CVE"):
continue
if cve_name not in dlc_cves:
processed_cve_info["new"].update({cve_name: self.prep_cve_for_dlc(cve)})
else:
processed_cve_info["existing"].update({cve_name: self.prep_cve_for_dlc(cve)})
self.logger.info(
"Prepared %s CVE for creation." % len(processed_cve_info["new"]),
extra={"object": SoftwareVersion.objects.get(id=software_id), "grouping": "CVE Creation"},
)

dict: Dictionary of returned results if successful.
"""
try:
result = self.session.get(url, headers=self.headers)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We'll set headers when we init session.

Suggested change
result = self.session.get(url, headers=self.headers)
result = self.session.get(url)

"The NIST Service is currently unavailable. Status Code: %s. Try running the job again later.", code
)

return result.json()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need try..except in case JSON decoding fails?

bminnix and others added 8 commits November 14, 2024 12:23
Creating a batched commit with several of the syntax update recommendations.

Co-authored-by: Przemek Rogala <progala@progala.net>
Creating a batched commit with several of the syntax update recommendations.

Co-authored-by: Przemek Rogala <progala@progala.net>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants