From 70840cb272e1d586723bad4846423333ac97337a Mon Sep 17 00:00:00 2001
From: bpmcdevitt
Date: Tue, 20 Sep 2022 09:55:47 -0500
Subject: [PATCH] added cmdline program to pull down exploited vulns from msft bulletins

---
 ...t_cves_and_threat_strings_from_bulletin.rb | 26 ---------------
 .../bin/get_exploited_vulns_msft_bulletin.rb | 20 +++++++++++
 tools/microsoft/microsoft_cvrf_client.rb | 33 ++++++++++++++++++-
 3 files changed, 52 insertions(+), 27 deletions(-)
 delete mode 100755 tools/microsoft/bin/get_cves_and_threat_strings_from_bulletin.rb
 create mode 100755 tools/microsoft/bin/get_exploited_vulns_msft_bulletin.rb

diff --git a/tools/microsoft/bin/get_cves_and_threat_strings_from_bulletin.rb b/tools/microsoft/bin/get_cves_and_threat_strings_from_bulletin.rb
deleted file mode 100755
index c828996..0000000
--- a/tools/microsoft/bin/get_cves_and_threat_strings_from_bulletin.rb
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/usr/bin/env ruby
-
-require '../microsoft_cvrf_client.rb'
-require 'optparse'
-
-@options = {}
-
-OptionParser.new do |opts|
- opts.on("-id", "--id", "Bulletin ID") do |id|
- @options[:id] = id
- end
-end.parse!
-
-bulletin_id = @options[:id]
-api_client = MicrosoftCvrfClient.new
-
-bulletin_response = api_client.get_id(bulletin_id)
-
-cves_and_threat_strings = api_client.cves_and_threat_strings(bulletin_response)
-
-cves_and_threat_strings.each do |cve, threat_strings|
- puts "CVE: #{cve}"
- puts "-------------------"
- puts "THREAT_STRINGS: #{threat_strings}"
- puts "-------------------"
-end
diff --git a/tools/microsoft/bin/get_exploited_vulns_msft_bulletin.rb b/tools/microsoft/bin/get_exploited_vulns_msft_bulletin.rb
new file mode 100755
index 0000000..3c66dd0
--- /dev/null
+++ b/tools/microsoft/bin/get_exploited_vulns_msft_bulletin.rb
@@ -0,0 +1,20 @@
+#!/usr/bin/env ruby
+
+require '../microsoft_cvrf_client.rb'
+require 'optparse'
+require 'json'
+
+@options = {}
+
+OptionParser.new do |opts|
+ opts.on("-id", "--id", "Bulletin ID") do |id|
+ @options[:id] = id
+ end
+end.parse!
+
+bulletin_id = @options[:id]
+api_client = MicrosoftCvrfClient.new
+
+#bulletin_response = api_client.get_id(bulletin_id)
+
+puts JSON.pretty_generate(api_client.exploited_vulns_only(bulletin_id))
diff --git a/tools/microsoft/microsoft_cvrf_client.rb b/tools/microsoft/microsoft_cvrf_client.rb
index 1aa89c6..3e1889a 100755
--- a/tools/microsoft/microsoft_cvrf_client.rb
+++ b/tools/microsoft/microsoft_cvrf_client.rb
@@ -45,7 +45,8 @@ class MicrosoftCvrfClient
 threat_str = get_threat_str_for_vuln(vuln)
 split_t_str_arr = split_threat_str(threat_str)
 hashed_t_str = threat_str_arr_to_hash(split_t_str_arr)
- { vuln.cve => hashed_t_str }
+ vuln_hash = { :cve_id => vuln.cve, :exploitability_info => hashed_t_str }
+ threat_str_hash_to_json(vuln_hash)
 end
 end
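Review bot: Nothing in the new script checks that `--id` was supplied, so `bulletin_id` is `nil` when the flag is omitted and is handed straight to `exploited_vulns_only` on the last line; an `abort "usage: #{$0} --id BULLETIN_ID" unless bulletin_id` right after the assignment would fail early with a clear message instead of inside the HTTP client. The spec `opts.on("-id", "--id", "Bulletin ID")` also declares `--id` without an argument placeholder, so OptionParser most likely passes the block `true` rather than the ID string (worth confirming by running it); the conventional form is `opts.on("-i", "--id ID", "Bulletin ID")`. `require '../microsoft_cvrf_client.rb'` resolves against the current working directory rather than the script's own location, so the tool only runs from `tools/microsoft/bin`; `require_relative '../microsoft_cvrf_client'` removes that restriction. The commented-out `#bulletin_response = api_client.get_id(bulletin_id)` line is dead code carried over from the deleted script and can be dropped.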
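Review bot: `threat_str_hash_to_json(vuln_hash)` serializes the hash built on the line above to JSON and parses it straight back, apparently only to turn the two symbol keys into strings; building the hash with string keys in the first place, `{ "cve_id" => vuln.cve, "exploitability_info" => hashed_t_str }`, avoids the round-trip and matches the string keys the filters later in this file look up — provided `vuln.cve` is already a String and `threat_str_arr_to_hash` yields string keys, which the hunk does not show. This hunk also changes the shape of each element the enclosing method returns from `{ cve => info }` to a `cve_id`/`exploitability_info` record, so any other caller that indexed by CVE will break; only `exploited_vulns_only` is visible as a consumer here, so that risk is inferred rather than confirmed. The method enclosing these lines begins before the hunk.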
@@ -67,5 +68,35 @@ class MicrosoftCvrfClient
 arr_of_hash.reduce Hash.new, :merge
 end
+ def threat_str_hash_to_json(threat_str_hash)
+ JSON.parse(threat_str_hash.to_json)
+ end
+
+ def exploited_yes_vulns(bulletin_vuln_json)
+ bulletin_vuln_json.select do |vuln_info|
+ vuln_info["exploitability_info"]["Exploited"] == "Yes"
+ end
+ end
+
+ def exploitation_detected_vulns(bulletin_vuln_json)
+ bulletin_vuln_json.select do |vuln_info|
+ exploit_info = vuln_info['exploitability_info']
+ check_latest = exploit_info["Latest Software Release"] == "Exploitation Detected"
+ check_oldest = exploit_info["Oldest Software Release"] == "Exploitation Detected"
+ check_latest || check_oldest
+ end
+ end
+
+ def exploited_vulns_only(bulletin_id)
+ r = get_id(bulletin_id)
+ vuln = cves_threat_strs(r)
+ exploited_yes = exploited_yes_vulns(vuln)
+ exploitation_detected = exploitation_detected_vulns(vuln)
+ {
+ :bulletin_id => bulletin_id,
+ :exploited_yes_cve => exploited_yes,
+ :exploitation_detected_cve => exploitation_detected
+ }
+ end
 end
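Review bot: `exploited_yes_vulns` and `exploitation_detected_vulns` are independent `select`s over the same list, so a vulnerability whose threat string carries both `Exploited: Yes` and an `Exploitation Detected` release is returned in both `:exploited_yes_cve` and `:exploitation_detected_cve`; if that overlap is intended, say so on `exploited_vulns_only`, e.g. `# NOTE: a CVE can appear in both lists; the two filters are applied independently`, and if not, a single pass that tags each CVE with its reason would be clearer. The three comparisons are exact, case-sensitive matches against MSRC wording, so a change in that wording silently yields empty lists rather than an error, which is worth a comment on the filter methods as a documented assumption. `exploited_vulns_only` also performs the network fetch via `get_id` as well as the filtering, which its name does not suggest, and `r`/`vuln` (the latter is the full array) would read better as `response`/`vulns`. Key quoting is mixed between `"exploitability_info"` and `'exploitability_info'` across the two filters; pick one. `JSON.parse` in `threat_str_hash_to_json` depends on `json` being loaded, and since this file's header is outside the diff it is worth confirming it has its own `require 'json'` rather than relying on the bin script having required it first.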