commit: c310e75682f40296035713d367b5d05c07af7d25
parent d8aae578e0468a0fbb1fbc13a707a2e6288072b7
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date: Tue, 14 May 2024 17:43:39 +0200
Support for CVE 5.1 record format
Diffstat:
5 files changed, 65 insertions(+), 8 deletions(-)
diff --git a/MANIFEST b/MANIFEST
@@ -9,3 +9,6 @@ README.md
t/cve_schema50.CVE-2022-24903.json
t/cve_schema50.CVE-2022-24903.txt
t/cve_schema50.t
+t/cve_schema51.CVE-2024-4761.json
+t/cve_schema51.CVE-2024-4761.txt
+t/cve_schema51.t
diff --git a/lib/App/CveClient.pm b/lib/App/CveClient.pm
@@ -20,10 +20,10 @@ sub print_cve {
die "Error ($object->{'error'}): $object->{'message'}\n";
}
- if ($object->{'dataVersion'} == "5.0") {
- print_cve50($object, $cve_id, $format);
+ if ($object->{'dataVersion'} =~ /5\./) {
+ print_cve5($object, $cve_id, $format);
} elsif ($object->{'data_version'} == "4.0") {
- print_cve40($object, $cve_id, $format);
+ print_cve4($object, $cve_id, $format);
} else {
print STDERR "Error: unknown CVE format:\n";
print STDERR "- data_version: ", $object->{'data_version'}, "\n"
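Review bot: The new dispatch test `$object->{'dataVersion'} =~ /5\./` is unanchored, so any version string that merely contains `5.` (constructed examples: `4.5.1`, `15.0`) is routed to print_cve5. The record is decoded from a remote response, so the match should be strict, for example `if (($object->{'dataVersion'} // '') =~ /\A5\.\d+\z/) {`. The `// ''` (Perl 5.10+) also avoids an uninitialized-value warning for records that presumably carry only `data_version`. The `elsif` context line still compares the string `"4.0"` with numeric `==`, where `eq` would state the intent. print_cve starts and ends outside this hunk, so the rest of the error branch is not visible here.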
@@ -34,7 +34,7 @@ sub print_cve {
}
# https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/
-sub print_cve50 {
+sub print_cve5 {
my ($object, $cve_id, $format) = @_;
if ($object->{'cveMetadata'}->{'cveId'} ne $cve_id) {
@@ -70,9 +70,6 @@ sub print_cve50 {
print "Notice: unhandled metrics (CVSS) data\n";
}
}
- } else {
- print STDERR
-"Warning: No CVE metrics (CVSS) could be found! (as required by the spec)\n";
}
print "\n";
@@ -104,7 +101,7 @@ sub print_cve50 {
}
# https://github.com/CVEProject/cve-schema/blob/master/schema/v4.0/
-sub print_cve40 {
+sub print_cve4 {
my ($object, $cve_id, $format) = @_;
if ($object->{'CVE_data_meta'}->{'ID'} ne $cve_id) {
diff --git a/t/cve_schema51.CVE-2024-4761.json b/t/cve_schema51.CVE-2024-4761.json
@@ -0,0 +1 @@
+{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-4761","assignerOrgId":"ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28","state":"PUBLISHED","assignerShortName":"Chrome","dateReserved":"2024-05-10T15:52:59.148Z","datePublished":"2024-05-14T02:09:53.698Z","dateUpdated":"2024-05-14T02:09:53.698Z"},"containers":{"cna":{"affected":[{"vendor":"Google","product":"Chrome","versions":[{"version":"124.0.6367.207","status":"affected","lessThan":"124.0.6367.207","versionType":"custom"}]}],"descriptions":[{"lang":"en","value":"Out of bounds write in V8 in Google Chrome prior to 124.0.6367.207 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)"}],"problemTypes":[{"descriptions":[{"lang":"en","description":"Out of bounds write"}]}],"providerMetadata":{"orgId":"ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28","shortName":"Chrome","dateUpdated":"2024-05-14T02:09:53.698Z"},"references":[{"url":"https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_13.html"},{"url":"https://issues.chromium.org/issues/339458194"}]}}}
+\ No newline at end of file
diff --git a/t/cve_schema51.CVE-2024-4761.txt b/t/cve_schema51.CVE-2024-4761.txt
@@ -0,0 +1,14 @@
+CVE ID: CVE-2024-4761
+Vendor Name: Google
+Product Name: Chrome
+- affected: 124.0.6367.207
+
+
+Description Language: en
+Description:
+Out of bounds write in V8 in Google Chrome prior to 124.0.6367.207 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
+
+
+References:
+=> https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_13.html
+=> https://issues.chromium.org/issues/339458194
diff --git a/t/cve_schema51.t b/t/cve_schema51.t
@@ -0,0 +1,41 @@
+#!/usr/bin/env perl
+# CVE-Client: CLI-based client / toolbox for CVE.org
+# Copyright © 2021-2023 CVE-Client Authors <https://hacktivis.me/git/cve-client/>
+# SPDX-License-Identifier: AGPL-3.0-only
+use strict;
+use utf8;
+
+use Test::More tests => 2;
+use Test::Output;
+
+use JSON::MaybeXS;
+
+use App::CveClient qw(print_cve);
+
+my $json = JSON::MaybeXS->new(utf8 => 1);
+
+open(CVE_IN, '<', 't/cve_schema51.CVE-2024-4761.json') or die "$!";
+open(CVE_OUT, '<', 't/cve_schema51.CVE-2024-4761.txt') or die "$!";
+
+my $object = $json->decode(<CVE_IN>) or die "$!";
+
+# Read whole files
+undef $/;
+
+output_is { print_cve($object, 'CVE-2024-4761') } <CVE_OUT>, '',
+ 'Test printing CVE-2024-4761';
+
+output_is { print_cve($object, 'CVE-224-4761') } <CVE_OUT>,
+ "Warning: Got <CVE-2024-4761> instead of <CVE-224-4761>\n",
+ 'XTest printing CVE-2024-4761 with cve_id being CVE-224-4761';
+
+close(CVE_IN);
+close(CVE_OUT);
+
+# TODO: Figure out how to test fails properly
+#
+#my $nx_object = $json->decode('{"error":"CVE_RECORD_DNE","message":"The cve record for the cve id does not exist."}');
+#
+#output_is { print_cve($nx_object, 'CVE-1995-24903') } '', 'Error (CVE_RECORD_DNE): The cve record for the cve id does not exist.', 'Test printing non-existant CVE-1995-24903';
+
+done_testing;
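Review bot: The second `output_is` call reads `<CVE_OUT>` again after the first call has already consumed the whole file (`$/` is undefined by then), so the handle is at EOF and the mismatched-ID case is never compared with the fixture text. As far as I can tell, Test::Output then checks only the stderr warning, so stdout for that case goes unverified. Read the fixture once with `my $expected = do { local $/; <CVE_OUT> };` and pass `$expected` to both calls, which also stops `undef $/;` from changing the record separator for the rest of the script. `$json->decode(<CVE_IN>)` runs before the separator is cleared, so it only works while the JSON fixture is a single line; slurping it the same way removes that dependency. The file also lacks `use warnings;` and uses bareword filehandles where lexical ones (`open(my $cve_out, '<', ...)`) are preferable.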