Remove cveId

Normation · Jan 22, 2024 · 1c7c12b · 1c7c12b
1 parent 2be4a93
commit 1c7c12b
Show file tree

Hide file tree

Showing 6 changed files with 3 additions and 295 deletions.
diff --git a/detector/detector.go b/detector/detector.go
@@ -15,7 +15,6 @@ import (
 	"github.com/future-architect/vuls/config"
 	"github.com/future-architect/vuls/constant"
 	"github.com/future-architect/vuls/contrib/owasp-dependency-check/parser"
-	"github.com/future-architect/vuls/cwe"
 	"github.com/future-architect/vuls/gost"
 	"github.com/future-architect/vuls/logging"
 	"github.com/future-architect/vuls/models"
@@ -228,8 +227,6 @@ func Detect(rs []models.ScanResult, dir string) ([]models.ScanResult, error) {
 			return nil, xerrors.Errorf("Failed to fill with Cyber Threat Intelligences: %w", err)
 		}
 
-		FillCweDict(&r)
-
 		r.ReportedBy, _ = os.Hostname()
 		r.Lang = config.Conf.Lang
 		r.ReportedAt = reportedAt
@@ -700,68 +697,3 @@ func getMaxConfidence(detail cvemodels.CveDetail) (max models.Confidence) {
 
 	return max
 }
-
-// FillCweDict fills CWE
-func FillCweDict(r *models.ScanResult) {
-	uniqCweIDMap := map[string]bool{}
-	for _, vinfo := range r.ScannedCves {
-		for _, conts := range vinfo.CveContents {
-			for _, cont := range conts {
-				for _, id := range cont.CweIDs {
-					if strings.HasPrefix(id, "CWE-") {
-						id = strings.TrimPrefix(id, "CWE-")
-						uniqCweIDMap[id] = true
-					}
-				}
-			}
-		}
-	}
-
-	dict := map[string]models.CweDictEntry{}
-	for id := range uniqCweIDMap {
-		entry := models.CweDictEntry{
-			OwaspTopTens:       map[string]string{},
-			CweTopTwentyfives:  map[string]string{},
-			SansTopTwentyfives: map[string]string{},
-		}
-		if e, ok := cwe.CweDictEn[id]; ok {
-			fillCweRank(&entry, id)
-			entry.En = &e
-		} else {
-			logging.Log.Debugf("CWE-ID %s is not found in English CWE Dict", id)
-			entry.En = &cwe.Cwe{CweID: id}
-		}
-
-		if r.Lang == "ja" {
-			if e, ok := cwe.CweDictJa[id]; ok {
-				fillCweRank(&entry, id)
-				entry.Ja = &e
-			} else {
-				logging.Log.Debugf("CWE-ID %s is not found in Japanese CWE Dict", id)
-				entry.Ja = &cwe.Cwe{CweID: id}
-			}
-		}
-
-		dict[id] = entry
-	}
-	r.CweDict = dict
-	return
-}
-
-func fillCweRank(entry *models.CweDictEntry, id string) {
-	for year, ranks := range cwe.OwaspTopTens {
-		if rank, ok := ranks[id]; ok {
-			entry.OwaspTopTens[year] = rank
-		}
-	}
-	for year, ranks := range cwe.CweTopTwentyfives {
-		if rank, ok := ranks[id]; ok {
-			entry.CweTopTwentyfives[year] = rank
-		}
-	}
-	for year, ranks := range cwe.SansTopTwentyfives {
-		if rank, ok := ranks[id]; ok {
-			entry.SansTopTwentyfives[year] = rank
-		}
-	}
-}
diff --git a/models/scanresults.go b/models/scanresults.go
@@ -10,7 +10,6 @@ import (
 
 	"github.com/future-architect/vuls/config"
 	"github.com/future-architect/vuls/constant"
-	"github.com/future-architect/vuls/cwe"
 	"github.com/future-architect/vuls/logging"
 )
 
@@ -54,7 +53,6 @@ type ScanResult struct {
 	GitHubManifests   DependencyGraphManifests `json:"gitHubManifests,omitempty"`
 	LibraryScanners   LibraryScanners          `json:"libraries,omitempty"`
 	WindowsKB         *WindowsKB               `json:"windowsKB,omitempty"`
-	CweDict           CweDict                  `json:"cweDict,omitempty"`
 	Optional          map[string]interface{}   `json:",omitempty"`
 	Config            struct {
 		Scan   config.Config `json:"scan"`
@@ -441,85 +439,8 @@ func (r *ScanResult) SortForJSONOutput() {
 	}
 }
 
-// CweDict is a dictionary for CWE
-type CweDict map[string]CweDictEntry
-
 // AttentionCWE has OWASP TOP10, CWE TOP25, CWE/SANS TOP25 rank and url
 type AttentionCWE struct {
 	Rank string
 	URL  string
 }
-
-// Get the name, url, top10URL for the specified cweID, lang
-func (c CweDict) Get(cweID, lang string) (name, url string, owasp, cwe25, sans map[string]AttentionCWE) {
-	cweNum := strings.TrimPrefix(cweID, "CWE-")
-	dict, ok := c[cweNum]
-	if !ok {
-		return
-	}
-
-	owasp, cwe25, sans = fillAttentionCwe(dict, lang)
-	switch lang {
-	case "ja":
-		if dict, ok := cwe.CweDictJa[cweNum]; ok {
-			name = dict.Name
-			url = fmt.Sprintf("http://jvndb.jvn.jp/ja/cwe/%s.html", cweID)
-		} else {
-			if dict, ok := cwe.CweDictEn[cweNum]; ok {
-				name = dict.Name
-			}
-			url = fmt.Sprintf("https://cwe.mitre.org/data/definitions/%s.html", cweID)
-		}
-	default:
-		url = fmt.Sprintf("https://cwe.mitre.org/data/definitions/%s.html", cweID)
-		if dict, ok := cwe.CweDictEn[cweNum]; ok {
-			name = dict.Name
-		}
-	}
-	return
-}
-
-func fillAttentionCwe(dict CweDictEntry, lang string) (owasp, cwe25, sans map[string]AttentionCWE) {
-	owasp, cwe25, sans = map[string]AttentionCWE{}, map[string]AttentionCWE{}, map[string]AttentionCWE{}
-	switch lang {
-	case "ja":
-		for year, rank := range dict.OwaspTopTens {
-			owasp[year] = AttentionCWE{
-				Rank: rank,
-				URL:  cwe.OwaspTopTenURLsJa[year][rank],
-			}
-		}
-	default:
-		for year, rank := range dict.OwaspTopTens {
-			owasp[year] = AttentionCWE{
-				Rank: rank,
-				URL:  cwe.OwaspTopTenURLsEn[year][rank],
-			}
-		}
-	}
-
-	for year, rank := range dict.CweTopTwentyfives {
-		cwe25[year] = AttentionCWE{
-			Rank: rank,
-			URL:  cwe.CweTopTwentyfiveURLs[year],
-		}
-	}
-
-	for year, rank := range dict.SansTopTwentyfives {
-		sans[year] = AttentionCWE{
-			Rank: rank,
-			URL:  cwe.SansTopTwentyfiveURLs[year],
-		}
-	}
-
-	return
-}
-
-// CweDictEntry is a entry of CWE
-type CweDictEntry struct {
-	En                 *cwe.Cwe          `json:"en,omitempty"`
-	Ja                 *cwe.Cwe          `json:"ja,omitempty"`
-	OwaspTopTens       map[string]string `json:"owaspTopTens"`
-	CweTopTwentyfives  map[string]string `json:"cweTopTwentyfives"`
-	SansTopTwentyfives map[string]string `json:"sansTopTwentyfives"`
-}
diff --git a/reporter/slack.go b/reporter/slack.go
@@ -213,7 +213,7 @@ func (w SlackWriter) toSlackAttachments(r models.ScanResult) (attaches []slack.A
 		a := slack.Attachment{
 			Title:      vinfo.CveIDDiffFormat(),
 			TitleLink:  "https://nvd.nist.gov/vuln/detail/" + vinfo.CveID,
-			Text:       w.attachmentText(vinfo, r.CweDict, r.Packages),
+			Text:       w.attachmentText(vinfo, r.Packages),
 			MarkdownIn: []string{"text", "pretext"},
 			Fields: []slack.AttachmentField{
 				{
@@ -249,7 +249,7 @@ func cvssColor(cvssScore float64) string {
 	}
 }
 
-func (w SlackWriter) attachmentText(vinfo models.VulnInfo, cweDict map[string]models.CweDictEntry, packs models.Packages) string {
+func (w SlackWriter) attachmentText(vinfo models.VulnInfo, packs models.Packages) string {
 	maxCvss := vinfo.MaxCvssScore()
 	vectors := []string{}
 
@@ -312,39 +312,17 @@ func (w SlackWriter) attachmentText(vinfo models.VulnInfo, cweDict map[string]mo
 		mitigation = fmt.Sprintf("\nMitigation:\n<%s|%s>", m.URL, m.CveContentType)
 	}
 
-	return fmt.Sprintf("*%4.1f (%s)* %s %s\n%s\n```\n%s\n```%s\n%s\n",
+	return fmt.Sprintf("*%4.1f (%s)* %s %s\n%s\n```\n%s\n```%s\n",
 		maxCvss.Value.Score,
 		severity,
 		nwvec,
 		vinfo.PatchStatus(packs),
 		strings.Join(vectors, "\n"),
 		vinfo.Summaries(w.lang, w.osFamily)[0].Value,
 		mitigation,
-		w.cweIDs(vinfo, w.osFamily, cweDict),
 	)
 }
 
-func (w SlackWriter) cweIDs(vinfo models.VulnInfo, osFamily string, cweDict models.CweDict) string {
-	links := []string{}
-	for _, c := range vinfo.CveContents.UniqCweIDs(osFamily) {
-		name, url, owasp, cwe25, sans := cweDict.Get(c.Value, w.lang)
-		line := fmt.Sprintf("<%s|%s>: %s", url, c.Value, name)
-		for year, info := range owasp {
-			links = append(links, fmt.Sprintf("<%s|[OWASP(%s) Top %s]> %s", info.URL, year, info.Rank, line))
-		}
-		for year, info := range cwe25 {
-			links = append(links, fmt.Sprintf("<%s|[CWE(%s) Top %s]> %s", info.URL, year, info.Rank, line))
-		}
-		for year, info := range sans {
-			links = append(links, fmt.Sprintf("<%s|[CWE/SANS(%s) Top %s]> %s", info.URL, year, info.Rank, line))
-		}
-		if len(owasp) == 0 && len(cwe25) == 0 && len(sans) == 0 {
-			links = append(links, line)
-		}
-	}
-	return strings.Join(links, "\n")
-}
-
 // See testcase
 func (w SlackWriter) getNotifyUsers(notifyUsers []string) string {
 	slackStyleTexts := []string{}

diff --git a/reporter/util.go b/reporter/util.go
@@ -439,68 +439,6 @@ No CVE-IDs are found in updatable packages.
 			data = append(data, []string{"Confidence", confidence.String()})
 		}
 
-		cweURLs, top10URLs, cweTop25URLs, sansTop25URLs := []string{}, map[string][]string{}, map[string][]string{}, map[string][]string{}
-		for _, v := range vuln.CveContents.UniqCweIDs(r.Family) {
-			name, url, owasp, cwe25, sans := r.CweDict.Get(v.Value, r.Lang)
-
-			ds := [][]string{}
-			for year, info := range owasp {
-				ds = append(ds, []string{"CWE", fmt.Sprintf("[OWASP(%s) Top%s] %s: %s (%s)", year, info.Rank, v.Value, name, v.Type)})
-				top10URLs[year] = append(top10URLs[year], info.URL)
-			}
-			slices.SortFunc(ds, func(a, b []string) int {
-				if a[1] < b[1] {
-					return -1
-				}
-				if a[1] > b[1] {
-					return +1
-				}
-				return 0
-			})
-			data = append(data, ds...)
-
-			ds = [][]string{}
-			for year, info := range cwe25 {
-				ds = append(ds, []string{"CWE", fmt.Sprintf("[CWE(%s) Top%s] %s: %s (%s)", year, info.Rank, v.Value, name, v.Type)})
-				cweTop25URLs[year] = append(cweTop25URLs[year], info.URL)
-			}
-			slices.SortFunc(ds, func(a, b []string) int {
-				if a[1] < b[1] {
-					return -1
-				}
-				if a[1] > b[1] {
-					return +1
-				}
-				return 0
-			})
-			data = append(data, ds...)
-
-			ds = [][]string{}
-			for year, info := range sans {
-				ds = append(ds, []string{"CWE", fmt.Sprintf("[CWE/SANS(%s) Top%s]  %s: %s (%s)", year, info.Rank, v.Value, name, v.Type)})
-				sansTop25URLs[year] = append(sansTop25URLs[year], info.URL)
-			}
-			slices.SortFunc(ds, func(a, b []string) int {
-				if a[1] < b[1] {
-					return -1
-				}
-				if a[1] > b[1] {
-					return +1
-				}
-				return 0
-			})
-			data = append(data, ds...)
-
-			if len(owasp) == 0 && len(cwe25) == 0 && len(sans) == 0 {
-				data = append(data, []string{"CWE", fmt.Sprintf("%s: %s (%s)", v.Value, name, v.Type)})
-			}
-			cweURLs = append(cweURLs, url)
-		}
-
-		for _, url := range cweURLs {
-			data = append(data, []string{"CWE", url})
-		}
-
 		m := map[string]struct{}{}
 		for _, exploit := range vuln.Exploits {
 			if _, ok := m[exploit.URL]; ok {
@@ -510,53 +448,6 @@ No CVE-IDs are found in updatable packages.
 			m[exploit.URL] = struct{}{}
 		}
 
-		for year, urls := range top10URLs {
-			ds := [][]string{}
-			for _, url := range urls {
-				ds = append(ds, []string{fmt.Sprintf("OWASP(%s) Top10", year), url})
-			}
-			slices.SortFunc(ds, func(a, b []string) int {
-				if a[0] < b[0] {
-					return -1
-				}
-				if a[0] > b[0] {
-					return +1
-				}
-				return 0
-			})
-			data = append(data, ds...)
-		}
-
-		ds := [][]string{}
-		for year, urls := range cweTop25URLs {
-			ds = append(ds, []string{fmt.Sprintf("CWE(%s) Top25", year), urls[0]})
-		}
-		slices.SortFunc(ds, func(a, b []string) int {
-			if a[0] < b[0] {
-				return -1
-			}
-			if a[0] > b[0] {
-				return +1
-			}
-			return 0
-		})
-		data = append(data, ds...)
-
-		ds = [][]string{}
-		for year, urls := range sansTop25URLs {
-			ds = append(ds, []string{fmt.Sprintf("SANS/CWE(%s) Top25", year), urls[0]})
-		}
-		slices.SortFunc(ds, func(a, b []string) int {
-			if a[0] < b[0] {
-				return -1
-			}
-			if a[0] > b[0] {
-				return +1
-			}
-			return 0
-		})
-		data = append(data, ds...)
-
 		for _, alert := range vuln.AlertDict.CISA {
 			data = append(data, []string{"CISA Alert", alert.URL})
 		}

diff --git a/server/server.go b/server/server.go
@@ -105,8 +105,6 @@ func (h VulsHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 		http.Error(w, err.Error(), http.StatusServiceUnavailable)
 	}
 
-	detector.FillCweDict(&r)
-
 	// set ReportedAt to current time when it's set to the epoch, ensures that ReportedAt will be set
 	// properly for scans sent to vuls when running in server mode
 	if r.ReportedAt.IsZero() {