~sthagen/csaf#2: 
Fix the CVSS Keywords in Generated CSAF Documents

Reported by Jacco:

[...] I found that CSAF documents generated with your library did not validate in the "official" validator (https://github.com/csaf-poc/csaf_distribution)

The issue was that CVSS items did not have the correct keywords according to the spec (https://www.first.org/cvss/cvss-v3.1.json)

I made a small patch for csaf and now it works for me. [...]

Status
RESOLVED FIXED
Submitter
~sthagen
Assigned to
Submitted
1 year, 6 months ago
Updated
1 year, 6 months ago
Labels
Bug

~sthagen 1 year, 6 months ago

The use of alias to maintain internal app names (snake_case) while managing the external JSON keys (CamelCase) for in- and output has to be verified.

~sthagen referenced this from #2 1 year, 6 months ago

~sthagen REPORTED FIXED 1 year, 6 months ago*

Fixed the CVSS Keywords in Generated CSAF Documents https://todo.sr.ht/~sthagen/csaf/2 per commit 68acc56. The release 2023.5.6 provides the fixed behavior.

Thanks to jaccol for reporting.

~jaccol 1 year, 6 months ago

Hi sthagen,

I tested the fix, and I still see snake_case keywords in the resulting json. The internal app name has changed to CamelCase, though.

Jacco

~sthagen 1 year, 6 months ago*

Thanks for trying the new version, Jacco.

I cannot reproduce your observations on my side.

Using the basic test scenario in https://git.sr.ht/~sthagen/csaf/tree/default/item/test/test_cvss.py the following interactive session trace may help find the difference:

Python 3.11.2 (main, Mar 20 2023, 06:26:24) [GCC 7.5.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import json
>>> import csaf.cvss as cvss
>>> from csaf import __version__
>>> __version__
'2023.5.6+parent.75eb2ed8'
>>> DATA = {
...     'baseScore': 10.0,
...     'baseSeverity': 'CRITICAL',
...     'vectorString': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H',
...     'version': '3.1',
... }
>>> JSON = json.dumps(DATA)
>>> c31 = cvss.CVSS31.parse_raw(JSON)
>>> c31.vector_string    # internal names are snake case OK
'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'
>>> json_lines = c31.json(indent=2).split('\n')
>>> json_rep_of_vs = [line for line in json_lines if 'vectorString' in line][0]
>>> json_rep_of_vs  # the external keys are camelCase OK
'  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",'

Does the above code work similarly in your environment?

Can you maybe provide a minimal test (some lines of python) that reproduces the defect you observe?

Thanks a lot.

~sthagen referenced this from #2 1 year, 6 months ago

~sthagen 1 year, 6 months ago*

cf. 375939d - Added assertions from https://todo.sr.ht/~sthagen/csaf/2#event-237201 to CVSS test

~jaccol 1 year, 6 months ago

To continue on your example:

>>> vul = Vulnerability(
...     cve="CVE-2000-0001",
...     scores=[Score(cvss_v3=c31, products=["sample"])],
... )
>>> v_json=vul.json(exclude_unset=True, indent=4)
>>> v_json
'{
    "cve": "CVE-2000-0001",
    "scores": [
        {
            "cvss_v3": {
                "version": "3.1",
                "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "base_score": 10.0,
                "base_severity": "CRITICAL"
            },
            "products": [
                "sample"
            ]
        }
    ]
}'

As far as I understand, it is this JSON that will be part of a final CSAF document. Here the snake_case is back ...

~jaccol 1 year, 6 months ago

bummer, I missed the first line while cut-and-pasting:

>>> from csaf.vulnerability import Vulnerability, Score
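The mechanism behind the leak Jacco reproduces above, as an added example that is not the csaf library's code: a stdlib-only toy model that mimics how pydantic v1 serialises a nested tree (the root call's `by_alias` drives every nested object, so a `json()` override on the CVSS leaf alone never runs when the leaf is dumped as part of a Vulnerability). Per-field aliases are given only to the CVSS fields, because CSAF's own keys (`cve`, `scores`, `cvss_v3`, `products`) stay snake_case while the embedded CVSS object must use the camelCase keywords of https://www.first.org/cvss/cvss-v3.1.json. The checker at the end walks any CSAF document and reports underscore keys inside `cvss_v3` objects; class and function names here are illustrative.

```python
"""Alias propagation in a nested model tree, plus a CSAF cvss_v3 key check.

Added example (stdlib only, not the csaf library's code). The Model class is a
toy stand-in for a pydantic v1 BaseModel; CVSS31/Score/Vulnerability mirror the
object names used in the ticket but are defined here for illustration.
"""
import json
from dataclasses import dataclass, field, fields
from typing import Any


class Model:
    """Toy stand-in for pydantic v1 BaseModel.

    As in pydantic, the ROOT object's by_alias flag drives the whole tree:
    nested models are serialised via to_dict(), their own json() is not called.
    """

    def to_dict(self, *, by_alias: bool = False) -> dict[str, Any]:
        out: dict[str, Any] = {}
        for f in fields(self):  # instances are always dataclass subclasses
            key = f.metadata.get("alias", f.name) if by_alias else f.name
            out[key] = _walk(getattr(self, f.name), by_alias)
        return out

    def json(self, **kwargs: Any) -> str:
        by_alias = kwargs.pop("by_alias", False)
        return json.dumps(self.to_dict(by_alias=by_alias), **kwargs)


def _walk(value: Any, by_alias: bool) -> Any:
    if isinstance(value, Model):
        return value.to_dict(by_alias=by_alias)
    if isinstance(value, list):
        return [_walk(v, by_alias) for v in value]
    return value


@dataclass
class CVSS31(Model):
    # Only the CVSS fields carry camelCase aliases (the "borrowed camels").
    version: str
    vector_string: str = field(metadata={"alias": "vectorString"})
    base_score: float = field(metadata={"alias": "baseScore"})
    base_severity: str = field(metadata={"alias": "baseSeverity"})

    def json(self, **kwargs: Any) -> str:
        # Leaf-level fix: camelCase when the CVSS object is dumped on its own.
        kwargs.setdefault("by_alias", True)
        return super().json(**kwargs)


@dataclass
class Score(Model):
    cvss_v3: CVSS31  # CSAF key, stays snake_case: no alias
    products: list[str]


@dataclass
class Vulnerability(Model):
    cve: str
    scores: list[Score]


def cvss_v3_key_problems(doc: Any, path: str = "") -> list[str]:
    """Return paths of keys inside cvss_v3 objects that contain an underscore.

    No property name in the CVSS v3.1 JSON schema contains '_', so an
    underscore there means internal field names leaked into the document.
    """
    problems: list[str] = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            here = f"{path}/{key}"
            if key == "cvss_v3" and isinstance(value, dict):
                problems += [f"{here}/{k}" for k in value if "_" in k]
            problems += cvss_v3_key_problems(value, here)
    elif isinstance(doc, list):
        for i, item in enumerate(doc):
            problems += cvss_v3_key_problems(item, f"{path}/{i}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Leaf-only fix leaks snake_case via the parent; the root flag fixes it."""
    c31 = CVSS31("3.1", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", 10.0, "CRITICAL")
    vul = Vulnerability(cve="CVE-2000-0001", scores=[Score(cvss_v3=c31, products=["sample"])])
    assert "vectorString" in c31.json()  # leaf alone is fine
    leaked = cvss_v3_key_problems(json.loads(vul.json()))  # parent without by_alias
    fixed = cvss_v3_key_problems(json.loads(vul.json(by_alias=True)))  # root flag set
    return leaked, fixed
```

Running `demo()` reports the three leaked paths under `/scores/0/cvss_v3` for the plain `vul.json()` call and nothing once `by_alias=True` is passed at the root; making that the default on the root model (a `json()` override that calls `kwargs.setdefault('by_alias', True)`) is what closes the gap, and `cvss_v3_key_problems` is a cheap check to run over every generated document before handing it to the csaf_distribution validator.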

~sthagen FIXED REPORTED 1 year, 6 months ago

Thank you Jacco, the mix-ins still lose their json specialty with the previous change. Re-open (because I have a fix ;-) ...)

~sthagen referenced this from #2 1 year, 6 months ago

~sthagen REPORTED FIXED 1 year, 6 months ago*

Fixed CVSS camelCase keyword propagation as mix-ins of score and vulnerability objects https://todo.sr.ht/~sthagen/csaf/2#event-237257 per commit 15cbec18. The release 2023.5.8 provides the fixed behavior also for the top level objects.

I will take a look at further mix-in places of our borrowed camels on another day ...

~jaccol 1 year, 6 months ago

Reopening again, because I found another instance of this issue in the code. Please add this patch:

--- a/csaf/csaf.py
+++ b/csaf/csaf.py
@@ -70,6 +70,11 @@ class CSAF(BaseModel):
         ),
     ]
 
+    @no_type_check
+    def json(self, *args, **kwargs):
+        kwargs.setdefault('by_alias', True)
+        return super().json(*args, **kwargs)
+
     @no_type_check
     @validator('vulnerabilities')
     @classmethod
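Review bot: the override only covers `json()`, so `CSAF(...).dict()` and any exporter that serialises via `dict()` rather than `json()` will still emit snake_case CVSS keys; mirror the `kwargs.setdefault('by_alias', True)` in a `dict()` override on the same class, or state in a docstring on the new method that only `json()` is alias-aware by default. The method also changes the default of a public pydantic method silently; one comment line saying it exists because the CSAF schema embeds the camelCase CVSS keywords would spare the next reader a trip to this ticket, and the test added in 375939d should gain an assertion on a document rendered from the root object so this level is covered too.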

~sthagen FIXED REPORTED 1 year, 6 months ago

I will take a look at further mix-in places of our borrowed camels on another day ...

Preparing the next release ...

~sthagen REPORTED FIXED 1 year, 6 months ago

Fixed top level aggregator to consume and produce camelCase CVSS keys per commit 1b902885. The release 2023.5.9 provides the fixed behavior also for the top level CSAF object (root of the document).
