feat: Add CSAF Generation (Fixes intel#2401)

anthonyharrison · anthonyharrison · commit ac1a7e81b46c · 2022-11-28T15:49:49.000Z
diff --git a/README.md b/README.md
@@ -218,6 +218,7 @@ Output:
                         Lists backported fixes if available from Linux distribution
   <a href="https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#--affected-versions">--affected-versions</a>   Lists versions of product affected by a given CVE (to facilitate upgrades)
   <a href="https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#--vex-vex_file">--vex VEX</a>             Provide vulnerability exchange (vex) filename
+  <a href="https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#--csaf-csaf_file">--csaf CSAF</a>           Provide Common Security Advisory Framework (CSAF) filename
 
 Merge Report:
   Arguments related to Intermediate and Merged Reports
diff --git a/cve_bin_tool/cli.py b/cve_bin_tool/cli.py
@@ -285,6 +285,13 @@ def main(argv=None):
         default="",
     )
 
+    output_group.add_argument(
+        "--csaf",
+        action="store",
+        help="Provide Common Security Advisory Framework (CSAF) filename",
+        default="",
+    )
+
     parser.add_argument(
         "-e",
         "--exclude",
@@ -828,6 +835,7 @@ def main(argv=None):
             exploits=args["exploits"],
             detailed=args["detailed"],
             vex_filename=args["vex"],
+            csaf_filename=args["csaf"],
         )
 
         if not args["quiet"]:
diff --git a/cve_bin_tool/output_engine/__init__.py b/cve_bin_tool/output_engine/__init__.py
@@ -531,6 +531,7 @@ def __init__(
         all_cve_version_info=None,
         detailed: bool = False,
         vex_filename: str = "",
+        csaf_filename: str = "",
         exploits: bool = False,
         all_product_data=None,
     ):
@@ -551,6 +552,7 @@ def __init__(
         self.all_cve_data = all_cve_data
         self.detailed = detailed
         self.vex_filename = vex_filename
+        self.csaf_filename = csaf_filename
         self.exploits = exploits
         self.all_product_data = all_product_data
 
@@ -627,6 +629,9 @@ def output_cves(self, outfile, output_type="console"):
         if self.vex_filename != "":
             self.generate_vex(self.all_cve_data, self.vex_filename)
 
+        if self.csaf_filename != "":
+            self.generate_csaf(self.all_cve_data, self.csaf_filename)
+
     def generate_vex(self, all_cve_data: Dict[ProductInfo, CVEData], filename: str):
         analysis_state = {
             Remarks.NewFound: "under_review",
@@ -710,6 +715,185 @@ def generate_vex(self, all_cve_data: Dict[ProductInfo, CVEData], filename: str):
         with open(filename, "w") as outfile:
             json.dump(vex_output, outfile, indent="   ")
 
+    def generate_csaf(self, all_cve_data: Dict[ProductInfo, CVEData], filename: str):
+        time_now = datetime.now().strftime("%Y-%m-%dT%H:%M:%SZ")
+        header = dict()
+        header["category"] = "csaf_vex"
+        header["csaf_version"] = "2.0"
+        note_info = dict()
+        note_info["category"] = "summary"
+        note_info["text"] = "Auto generated CSAF document"
+        note_info["title"] = "Summary of identified vulnerabilities."
+        header["notes"] = [note_info]
+        publisher_info = dict()
+        publisher_info["category"] = "other"
+        publisher_info["name"] = "CVE BIN TOOL"
+        publisher_info["namespace"] = "https://github.com/intel/cve-bin-tool"
+        header["publisher"] = publisher_info
+        header["title"] = "CSAF Document - Affected"
+        tracking_info = dict()
+        tracking_info["current_release_date"] = time_now
+        # Tracking id is based on filename, appended with time and date
+        tracking_info["id"] = Path(filename).stem.upper() + datetime.now().strftime(
+            "%Y%m%d%H%M%S"
+        )
+        tracking_info["initial_release_date"] = time_now
+        revision_info = dict()
+        revision_info["date"] = time_now
+        revision_info["number"] = "1"
+        revision_info["summary"] = "Initial version"
+        tracking_info["revision_history"] = [revision_info]
+        tracking_info["status"] = "final"
+        tracking_info["version"] = "1"
+        generator_info = dict()
+        generator_info["date"] = time_now
+        generator_engine = dict()
+        generator_engine["name"] = "cve_bin_tool"
+        generator_engine["version"] = VERSION
+        generator_info["engine"] = generator_engine
+        tracking_info["generator"] = generator_info
+        header["tracking"] = tracking_info
+        header["lang"] = "en-US"
+
+        # Build up a product tree
+
+        product_tree = dict()
+        vendor_info = dict()
+        product_info = dict()
+        vendor_info["branches"] = []
+        product_info["branches"] = []
+        product_tree["branches"] = []
+
+        product_id_list = dict()
+
+        product_id = 0
+
+        for product_info, cve_data in all_cve_data.items():
+            product = product_info.product
+            vendor = product_info.vendor
+            version = product_info.version
+            # Process releases - only a single release for the product
+            version_branch = []
+            version_info = dict()
+            version_info["category"] = "product_version"
+            version_info["name"] = str(version)
+            product_note = dict()
+            product_note["product_id"] = "CSAFPID_" + str(product_id).zfill(4)
+            product_note["name"] = vendor + " " + product + " " + version_info["name"]
+            product_id += 1
+            version_info["product"] = product_note
+            product_id_list[product + "_" + version_info["name"]] = {
+                "name": product_note["name"],
+                "release": version_info["name"],
+                "id": product_note["product_id"],
+            }
+            version_branch.append(version_info)
+            # Then product name
+            product_data = dict()
+            product_data["category"] = "product_name"
+            product_data["name"] = product
+            product_data["branches"] = version_branch
+            # And finally vendor
+            vendor_info = dict()
+            vendor_info["category"] = "vendor"
+            vendor_info["name"] = vendor
+            vendor_info["branches"] = [product_data]
+            product_tree["branches"].append(vendor_info)
+
+        # Vulnerabilities
+        vulnerabilities = []
+
+        for product_info, cve_data in all_cve_data.items():
+            product_name = product_info.product
+            version = product_info.version
+            for cve in cve_data["cves"]:
+                vulnerability = dict()
+                vulnerability["cve"] = cve.cve_number
+                note_info = dict()
+                note_info["category"] = "description"
+                note_info["text"] = cve.description
+                note_info["title"] = "CVE description"
+                vulnerability["notes"] = [note_info]
+                product_data = dict()
+                # At this stage don't know if product is affected
+                product_data["under_investigation"] = []
+                product_id = product_id_list[product_name + "_" + version]["id"]
+                product_data["under_investigation"].append(product_id)
+                vulnerability["product_status"] = product_data
+                remediation_info = dict()
+                # Default remediation. Following triage, the category should be
+                # updated to describe how vulnerability is being handled.
+                remediation_info["category"] = "vendor_fix"
+                remediation_info[
+                    "details"
+                ] = f"Customers should consider updating the version of {product_name} in order to address the identified issue."
+                product_id_info = []
+                product_id_info.append(product_id)
+                remediation_info["product_ids"] = product_id_info
+                vulnerability["remediations"] = [remediation_info]
+                # CSAF only supports CVSS 3 vectors
+                if cve.cvss_version == 3:
+                    score_info = dict()
+                    score_info["products"] = product_id_info
+                    # Ignore first part of the vector string which contains CVSS version
+                    cvss_parameters = cve.cvss_vector.split("/")[1:]
+                    cvss_score = {
+                        "version": cve.cvss_vector.split(":")[1].split("/")[0],
+                        "baseScore": cve.score,
+                        "baseSeverity": cve.severity,
+                        "vectorString": cve.cvss_vector,
+                    }
+                    cvss_vector_names = {
+                        "AV": "attackVector",
+                        "AC": "attackComplexity",
+                        "PR": "privilegesRequired",
+                        "UI": "userInteraction",
+                        "S": "scope",
+                        "C": "confidentialityImpact",
+                        "I": "integrityImpact",
+                        "A": "availabilityImpact",
+                    }
+                    cvss_vector_values = {
+                        "N": "NONE",
+                        "L": "LOW",
+                        "M": "MEDIUM",
+                        "H": "HIGH",
+                        "R": "REQUIRED",
+                        "C": "CHANGED",
+                        "U": "UNCHANGED",
+                    }
+                    cvss_attack_values = {
+                        "N": "NETWORK",
+                        "A": "ADJACENT_NETWORK",
+                        "L": "LOCAL",
+                        "P": "PHYSICAL",
+                    }
+                    # Decode vector string
+                    for params in cvss_parameters:
+                        name = params.split(":")[0]
+                        value = params.split(":")[1]
+                        # Attack Vector string needs specific processing
+                        if name != "AV":
+                            cvss_score[cvss_vector_names[name]] = cvss_vector_values[
+                                value
+                            ]
+                        else:
+                            cvss_score[cvss_vector_names[name]] = cvss_attack_values[
+                                value
+                            ]
+                    score_info["cvss_v3"] = cvss_score
+                    vulnerability["scores"] = [score_info]
+                vulnerabilities.append(vulnerability)
+
+        # Build up CSAF document
+        csaf_document = dict()
+        csaf_document["document"] = header
+        csaf_document["product_tree"] = product_tree
+        csaf_document["vulnerabilities"] = vulnerabilities
+
+        with open(filename, "w") as outfile:
+            json.dump(csaf_document, outfile, indent="   ")
+
     def output_file_wrapper(self, output_types=["console"]):
         for output_type in output_types:
             self.output_file(output_type)
diff --git a/doc/MANUAL.md b/doc/MANUAL.md
@@ -38,6 +38,7 @@
     - [-b [<distro_name>-<distro_version_name>], --backport-fix [<distro_name>-<distro_version_name>]](#-b-distro_name-distro_version_name---backport-fix-distro_name-distro_version_name)
     - [--affected-versions](#--affected-versions)
     - [--vex VEX_FILE](#--vex-vex_file)
+    - [--csaf CSAF_FILE](#--csaf-csaf_file)
     - [Output verbosity](#output-verbosity)
       - [Quiet Mode](#quiet-mode)
       - [Logging modes](#logging-modes)
@@ -126,6 +127,7 @@ which is useful if you're trying the latest code from
                             Lists backported fixes if available from Linux distribution
       --affected-versions   Lists versions of product affected by a given CVE (to facilitate upgrades)
       --vex VEX             Provide vulnerability exchange (vex) filename
+      --csaf CSAF           Provide Common Security Advisory Framework (CSAF) filename 
 
     Merge Report:
       Arguments related to Intermediate and Merged Reports
@@ -902,6 +904,12 @@ file which contains all the reported vulnerabilities detected by the scan. This
 updated (outside of the CVE Binary tool) to record the results of a triage activity
 and can be used as a file with `--input-file` parameter.
 
+### --csaf CSAF_FILE
+
+This option allows you to specify the filename for a [Common Security Advisory Framework (CSAF) v2.0](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=csaf)
+file which contains all the reported vulnerabilities detected by the scan.
+This file is typically updated (outside of the CVE Binary tool) to record the results of a triage activity.
+
 ### Output verbosity
 
 As well as the modes above, there are two other output options to decrease or increase the number of messages printed:
diff --git a/test/test_output_engine.py b/test/test_output_engine.py
