aquasecurity · rahul2393 · Apr 21, 2021 · Apr 21, 2021 · Apr 22, 2021 · Apr 22, 2021
@@ -95,6 +95,21 @@ type VulnerabilityDetail struct {
 	Description      string     `json:",omitempty"`
 	PublishedDate    *time.Time `json:",omitempty"`
 	LastModifiedDate *time.Time `json:",omitempty"`
+	CPEDetails       CPEDetails `json:",omitempty"`
+}
+
+type CPEDetails struct {
+	CveDataVersion string `json:"CVEDataVersion"`
+	Nodes          []Node `json:"Nodes,omitempty"`
+}
+
+type Node struct {
+	Children            []Node `json:"Children,omitempty"`
+	Operator            string `json:"Operator,omitempty"`
+	CPEMatch            []Node `json:"CpeMatch,omitempty"`
+	Cpe23Uri            string `json:"Cpe23Uri,omitempty"`
+	VersionEndExcluding string `json:"VersionEndExcluding,omitempty"`
+	Vulnerable          *bool  `json:"Vulnerable,omitempty"`
 }
 
 type AdvisoryDetail struct {
@@ -126,6 +141,7 @@ type Vulnerability struct {
 	References       []string       `json:",omitempty"`
 	PublishedDate    *time.Time     `json:",omitempty"`
 	LastModifiedDate *time.Time     `json:",omitempty"`
+	CPEDetails       CPEDetails     `json:",omitempty"`
 }
 
 type VulnSrc interface {

@@ -92,7 +92,6 @@ func (vs VulnSrc) commit(tx *bolt.Tx, items []Item) error {
 
 		publishedDate, _ := time.Parse("2006-01-02T15:04Z", item.PublishedDate)
 		lastModifiedDate, _ := time.Parse("2006-01-02T15:04Z", item.LastModifiedDate)
-
 		vuln := types.VulnerabilityDetail{
 			CvssScore:        item.Impact.BaseMetricV2.CvssV2.BaseScore,
 			CvssVector:       item.Impact.BaseMetricV2.CvssV2.VectorString,
@@ -107,7 +106,9 @@ func (vs VulnSrc) commit(tx *bolt.Tx, items []Item) error {
 			PublishedDate:    &publishedDate,
 			LastModifiedDate: &lastModifiedDate,
 		}
-
+		if item.Configurations.CveDataVersion != "" {
+			mapConfigurationsToCPEDetails(item.Configurations, &vuln.CPEDetails)
+		}
 		if err := vs.dbc.PutVulnerabilityDetail(tx, cveID, vulnerability.Nvd, vuln); err != nil {
 			return err
 		}

@@ -41,6 +41,78 @@ func TestVulnSrc_Update(t *testing.T) {
 				References:       []string{"https://source.android.com/security/bulletin/2020-01-01"},
 				LastModifiedDate: utils.MustTimeParse("2020-01-01T01:01:00Z"),
 				PublishedDate:    utils.MustTimeParse("2001-01-01T01:01:00Z"),
+				CPEDetails: types.CPEDetails{
+					CveDataVersion: "4.0",
+					Nodes: []types.Node{
+						types.Node{
+							Operator: "OR",
+							CPEMatch: []types.Node{
+								{
+									Cpe23Uri:   "cpe:2.3:o:google:android:8.0:*:*:*:*:*:*:*",
+									Vulnerable: boolptr(true),
+								},
+								{
+									Cpe23Uri:   "cpe:2.3:o:google:android:8.1:*:*:*:*:*:*:*",
+									Vulnerable: boolptr(true),
+								},
+								{
+									Cpe23Uri:   "cpe:2.3:o:google:android:9.0:*:*:*:*:*:*:*",
+									Vulnerable: boolptr(true),
+								},
+								{
+									Cpe23Uri:   "cpe:2.3:o:google:android:10.0:*:*:*:*:*:*:*",
+									Vulnerable: boolptr(true),
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:  "happy path with CPE detail having children",
+			dir:   "./testdata",
+			cveID: "CVE-2021-0109",
+			want: types.VulnerabilityDetail{
+				Description:      "Insecure inherited permissions for the Intel(R) SOC driver package for STK1A32SC before version 604 may allow an authenticated user to potentially enable escalation of privilege via local access.",
+				CvssScore:        4.6,
+				CvssVector:       "AV:L/AC:L/Au:N/C:P/I:P/A:P",
+				CvssScoreV3:      7.8,
+				CvssVectorV3:     "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+				Severity:         types.SeverityMedium,
+				SeverityV3:       types.SeverityHigh,
+				References:       []string{"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00471.html"},
+				LastModifiedDate: utils.MustTimeParse("2021-02-22T20:23:00Z"),
+				PublishedDate:    utils.MustTimeParse("2021-02-17T14:15:00Z"),
+				CPEDetails: types.CPEDetails{
+					CveDataVersion: "4.0",
+					Nodes: []types.Node{
+						{
+							Operator: "AND",
+							Children: []types.Node{
+								types.Node{
+									Operator: "OR",
+									CPEMatch: []types.Node{
+										types.Node{
+											Cpe23Uri:            "cpe:2.3:o:intel:compute_stick_stk1a32sc_firmware:*:*:*:*:*:*:*:*",
+											VersionEndExcluding: "604",
+											Vulnerable:          boolptr(true),
+										},
+									},
+								},
+								types.Node{
+									Operator: "OR",
+									CPEMatch: []types.Node{
+										types.Node{
+											Cpe23Uri:   "cpe:2.3:h:intel:compute_stick_stk1a32sc:-:*:*:*:*:*:*:*",
+											Vulnerable: boolptr(false),
+										},
+									},
+								},
+							},
+						},
+					},
+				},
 			},
 		},
 		{

@@ -0,0 +1,115 @@
+{
+  "configurations": {
+    "CVE_data_version": "4.0",
+    "nodes": [
+      {
+        "children": [
+          {
+            "cpe_match": [
+              {
+                "cpe23Uri": "cpe:2.3:o:intel:compute_stick_stk1a32sc_firmware:*:*:*:*:*:*:*:*",
+                "versionEndExcluding": "604",
+                "vulnerable": true
+              }
+            ],
+            "operator": "OR"
+          },
+          {
+            "cpe_match": [
+              {
+                "cpe23Uri": "cpe:2.3:h:intel:compute_stick_stk1a32sc:-:*:*:*:*:*:*:*",
+                "vulnerable": false
+              }
+            ],
+            "operator": "OR"
+          }
+        ],
+        "operator": "AND"
+      }
+    ]
+  },
+  "cve": {
+    "CVE_data_meta": {
+      "ASSIGNER": "[email protected]",
+      "ID": "CVE-2021-0109"
+    },
+    "data_format": "MITRE",
+    "data_type": "CVE",
+    "data_version": "4.0",
+    "description": {
+      "description_data": [
+        {
+          "lang": "en",
+          "value": "Insecure inherited permissions for the Intel(R) SOC driver package for STK1A32SC before version 604 may allow an authenticated user to potentially enable escalation of privilege via local access."
+        }
+      ]
+    },
+    "problemtype": {
+      "problemtype_data": [
+        {
+          "description": [
+            {
+              "lang": "en",
+              "value": "NVD-CWE-Other"
+            }
+          ]
+        }
+      ]
+    },
+    "references": {
+      "reference_data": [
+        {
+          "name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00471.html",
+          "refsource": "MISC",
+          "tags": [
+            "Vendor Advisory"
+          ],
+          "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00471.html"
+        }
+      ]
+    }
+  },
+  "impact": {
+    "baseMetricV2": {
+      "acInsufInfo": false,
+      "cvssV2": {
+        "accessComplexity": "LOW",
+        "accessVector": "LOCAL",
+        "authentication": "NONE",
+        "availabilityImpact": "PARTIAL",
+        "baseScore": 4.6,
+        "confidentialityImpact": "PARTIAL",
+        "integrityImpact": "PARTIAL",
+        "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
+        "version": "2.0"
+      },
+      "exploitabilityScore": 3.9,
+      "impactScore": 6.4,
+      "obtainAllPrivilege": false,
+      "obtainOtherPrivilege": false,
+      "obtainUserPrivilege": false,
+      "severity": "MEDIUM",
+      "userInteractionRequired": false
+    },
+    "baseMetricV3": {
+      "cvssV3": {
+        "attackComplexity": "LOW",
+        "attackVector": "LOCAL",
+        "availabilityImpact": "HIGH",
+        "baseScore": 7.8,
+        "baseSeverity": "HIGH",
+        "confidentialityImpact": "HIGH",
+        "integrityImpact": "HIGH",
+        "privilegesRequired": "LOW",
+        "scope": "UNCHANGED",
+        "userInteraction": "NONE",
+        "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+        "version": "3.1"
+      },
+      "exploitabilityScore": 1.8,
+      "impactScore": 5.9
+    }
+  },
+  "lastModifiedDate": "2021-02-22T20:23Z",
+  "publishedDate": "2021-02-17T14:15Z"
+}
@@ -1,10 +1,15 @@
 package nvd
 
+import (
+	"github.com/aquasecurity/trivy-db/pkg/types"
+)
+
 type NVD struct {
 	CVEItems []Item `json:"CVE_Items"`
 }
 
 type Item struct {
+	Configurations   Configurations
 	Cve              Cve
 	Impact           Impact
 	LastModifiedDate string `json:"lastModifiedDate"`
@@ -77,3 +82,61 @@ type ProblemTypeDataDescription struct {
 	Lang  string
 	Value string
 }
+
+type Configurations struct {
+	CveDataVersion string `json:"CVE_data_version"`
+	Nodes          []Node `json:"nodes,omitempty"`
+}
+
+type Node struct {
+	Children            []Node `json:"children,omitempty"`
+	Operator            string `json:"operator,omitempty"`
+	CPEMatch            []Node `json:"cpe_match,omitempty"`
+	Cpe23Uri            string `json:"cpe23Uri,omitempty"`
+	VersionEndExcluding string `json:"versionEndExcluding,omitempty"`
+	Vulnerable          *bool  `json:"vulnerable,omitempty"`
+}
+
+func mapConfigurationsToCPEDetails(configuration Configurations, cpeDetail *types.CPEDetails) {
+	cpeDetail.CveDataVersion = configuration.CveDataVersion
+	if configuration.Nodes != nil {
+		for _, n := range configuration.Nodes {
+			var cpeNode types.Node
+			mapConfigNodeToCPENode(n, &cpeNode)
+			cpeDetail.Nodes = append(cpeDetail.Nodes, cpeNode)
+		}
+	}
+}
+
+func mapConfigNodeToCPENode(configNode Node, cpeNode *types.Node) {
+	if configNode.Operator != "" {
+		cpeNode.Operator = configNode.Operator
+	}
+	if configNode.Cpe23Uri != "" {
+		cpeNode.Cpe23Uri = configNode.Cpe23Uri
+	}
+	if configNode.VersionEndExcluding != "" {
+		cpeNode.VersionEndExcluding = configNode.VersionEndExcluding
+	}
+	if configNode.Vulnerable != nil {
+		cpeNode.Vulnerable = configNode.Vulnerable
+	}
+	if configNode.Children != nil {
+		for _, n := range configNode.Children {
+			var cpeChildNode types.Node
+			mapConfigNodeToCPENode(n, &cpeChildNode)
+			cpeNode.Children = append(cpeNode.Children, cpeChildNode)
+		}
+	}
+	if configNode.CPEMatch != nil {
+		for _, n := range configNode.CPEMatch {
+			var cpeMatchNode types.Node
+			mapConfigNodeToCPENode(n, &cpeMatchNode)
+			cpeNode.CPEMatch = append(cpeNode.CPEMatch, cpeMatchNode)
+		}
+	}
+}
+
+func boolptr(val bool) *bool {
+	return &val
+}
@@ -46,7 +46,7 @@ func (Vulnerability) IsRejected(details map[string]types.VulnerabilityDetail) bo
 }
 
 func (Vulnerability) Normalize(details map[string]types.VulnerabilityDetail) types.Vulnerability {
-	return types.Vulnerability{
+	vuln := types.Vulnerability{
 		Title:            getTitle(details),
 		Description:      getDescription(details),
 		Severity:         getSeverity(details).String(), // TODO: We have to keep this key until we deprecate
@@ -57,6 +57,10 @@ func (Vulnerability) Normalize(details map[string]types.VulnerabilityDetail) typ
 		PublishedDate:    details[Nvd].PublishedDate,
 		LastModifiedDate: details[Nvd].LastModifiedDate,
 	}
+	if details[Nvd].CPEDetails.CveDataVersion != "" {
+		vuln.CPEDetails = details[Nvd].CPEDetails
+	}
+	return vuln
 }
 
 func (v Vulnerability) SaveAdvisoryDetails(tx *bolt.Tx, cveID string) error {