Comments (6)
Been thinking about this and the best solution I can think of is adding as many CPEs as possible.
Reading about the CPE 2.3 specification: https://cpe.mitre.org/specification/ all that matters is vendor and product name (so we could just save those tbh) and then, with whatever version webappanalyzer has detected, create the string cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:* (or even just without the version cpe:2.3:a:{vendor}:{product}:*:*:*:*:*:*:*:*) to find all the CVEs linked.
For example, let's say we have detected Drupal version 5.10; the final string would be cpe:2.3:a:drupal:drupal:5.10:*:*:*:*:*:*:* which we can search on the NIST API and find all linked CVEs: https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:a:drupal:drupal:5.10:*:*:*:*:*:*:* and leave that task to whatever implementation is working with this repo, because there is just no way to keep all the updated CVEs and CWEs in real time.
You said CWE but I think you meant CVE?
lol, yeah. Not enough coffee yet. ☕
I agree that it would make more sense as an integration alongside (and not in) this package. It is otherwise too different in the nature of how the data is collected and the cadence at which it needs to be collected.
Or just if the relevant version is no longer supported?
I've thought about this; it would require constantly checking all registered technologies, validating the latest versions and searching the NIST API for new vulnerabilities to append to the JSON, because I guess the idea is to only have vulnerabilities related to the latest tech version, and whenever a version gets released the CVEs will need to reset. Not easy to automate since you need to scrape every tech website.
We could report all CVEs found for a single technology name (ignoring the version), for example jquery, by using the NIST API https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=jquery; this way we would be reporting every single CVE the tech has ever had, which I don't think is a good idea since we would be reporting CVEs your tech version might not have and make the JSON files even bigger.
I think this would make way more sense in the Python, Go, JS, etc. implementations when they report findings, since you can use the version as well.
Let's say you find jquery version 1.1 on whatever website you are checking with your JS implementation: you could parse the tech + version, get https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=jquery+1.1 and give the user way more specific information about the target.
Another thing I can think of is storing the vendor information, so webappanalyzer implementations can query the NIST API based on CPE, or even use the versionStart & versionEnd query parameters.
I've worked with the NIST API before; version 2 seems better than version 1, it is less chaotic. This is how it would look with v1.0: https://services.nvd.nist.gov/rest/json/cves/1.0?keyword=jquery+1.1, not sure if it's deprecated.
NIST API documentation: https://nvd.nist.gov/developers/vulnerabilities
Best practices to avoid request limits: https://nvd.nist.gov/general/news/API-Key-Announcement
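The two lookup styles discussed in this thread (an exact cpeName query built from vendor/product/version, as in the Drupal example, and the versionStart/versionEnd range query mentioned in the comment above) as an added Python example. This is not webappanalyzer's code: the vendor/product mapping for a technology name is assumed to come from the caller, the NVD response below is a constructed sample with placeholder CVE ids, and the `virtualMatchString`, `versionStartType`, `versionEndType` parameters and the `apiKey` request header are taken from the NVD CVE API 2.0 documentation linked above.

```python
"""CPE 2.3 name building and NVD CVE API 2.0 query helpers.

Added example for this thread; not webappanalyzer's own code. The caller is
assumed to supply vendor/product names (e.g. drupal -> vendor "drupal",
product "drupal"); that mapping is hypothetical and not part of the project.
"""
import json
import urllib.parse
import urllib.request

NVD_CVES_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"


def cpe23_component(value):
    """Bind one attribute in CPE 2.3 formatted-string style: lowercase,
    spaces become '_', ASCII letters/digits and '.', '-', '_' are kept,
    anything else is backslash-escaped. None/empty means ANY ('*')."""
    if not value:
        return "*"
    out = []
    for ch in value.strip().lower():
        if (ch.isascii() and ch.isalnum()) or ch in "._-":
            out.append(ch)
        elif ch == " ":
            out.append("_")
        else:
            out.append("\\" + ch)
    return "".join(out)


def build_cpe(vendor, product, version=None, part="a"):
    """cpe:2.3:<part>:<vendor>:<product>:<version> plus the seven remaining
    attributes (update, edition, language, sw_edition, target_sw, target_hw,
    other) left as '*', which is the form the NVD cpeName filter expects."""
    fields = [part, cpe23_component(vendor), cpe23_component(product),
              cpe23_component(version)] + ["*"] * 7
    return "cpe:2.3:" + ":".join(fields)


def cpe_query_url(cpe):
    """Exact-name lookup: every CVE whose configurations match this CPE."""
    return NVD_CVES_URL + "?" + urllib.parse.urlencode({"cpeName": cpe}, safe=":*")


def version_range_url(vendor, product, version_start, version_end, end_inclusive=False):
    """Range lookup with versionStart/versionEnd: NVD requires them to be
    paired with virtualMatchString, a CPE whose version is the wildcard."""
    params = {
        "virtualMatchString": build_cpe(vendor, product),
        "versionStart": version_start,
        "versionStartType": "including",
        "versionEnd": version_end,
        "versionEndType": "including" if end_inclusive else "excluding",
    }
    return NVD_CVES_URL + "?" + urllib.parse.urlencode(params, safe=":*")


def extract_cve_ids(response_text):
    """CVE ids from an NVD 2.0 response body (vulnerabilities[].cve.id)."""
    data = json.loads(response_text)
    return [item["cve"]["id"] for item in data.get("vulnerabilities", [])]


def fetch_cves(url, api_key=None, timeout=30):
    """Live lookup. An NVD API key sent in the 'apiKey' header gets the
    higher rate limit referenced in the thread. Not called in this example."""
    headers = {"apiKey": api_key} if api_key else {}
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return extract_cve_ids(resp.read().decode("utf-8"))


# Constructed response in the NVD 2.0 shape; the ids are placeholders, not real CVEs.
SAMPLE_RESPONSE = json.dumps({
    "resultsPerPage": 2, "startIndex": 0, "totalResults": 2,
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-00001", "descriptions": [{"lang": "en", "value": "placeholder"}]}},
        {"cve": {"id": "CVE-0000-00002", "descriptions": [{"lang": "en", "value": "placeholder"}]}},
    ],
})

if __name__ == "__main__":
    print(cpe_query_url(build_cpe("drupal", "drupal", "5.10")))
    print(version_range_url("jquery", "jquery", "1.0", "1.12"))
    print(extract_cve_ids(SAMPLE_RESPONSE))
```

The escaping in `cpe23_component` matters for product names with punctuation (a `+` or parentheses in a detected name would otherwise produce a malformed CPE and an empty result), and the range form lets an implementation that knows only the version it found ask for everything affecting that version without pulling the full history of the product.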