added cmdline program to pull down exploited vulns from msft bulletins

2022-09-20 09:55:47 -05:00 · 2022-09-20 09:55:47 -05:00 · 70840cb272
commit 70840cb272
parent dadf386eb5
3 changed files with 52 additions and 27 deletions
--- a/tools/microsoft/bin/get_cves_and_threat_strings_from_bulletin.rb
+++ b/tools/microsoft/bin/get_cves_and_threat_strings_from_bulletin.rb
@ -1,26 +0,0 @@
-#!/usr/bin/env ruby
-
-require '../microsoft_cvrf_client.rb'
-require 'optparse'
-
-@options = {}
-
-OptionParser.new do |opts|
-  opts.on("-id", "--id", "Bulletin ID") do |id|
-    @options[:id] = id
-  end
-end.parse!
-
-bulletin_id =  @options[:id]
-api_client = MicrosoftCvrfClient.new
-
-bulletin_response = api_client.get_id(bulletin_id)
-
-cves_and_threat_strings = api_client.cves_and_threat_strings(bulletin_response)
-
-cves_and_threat_strings.each do |cve, threat_strings|
-  puts "CVE: #{cve}"
-  puts "-------------------"
-  puts "THREAT_STRINGS: #{threat_strings}"
-  puts "-------------------"
-end
--- a/tools/microsoft/bin/get_exploited_vulns_msft_bulletin.rb
+++ b/tools/microsoft/bin/get_exploited_vulns_msft_bulletin.rb
@ -0,0 +1,20 @@
+#!/usr/bin/env ruby
+
+require '../microsoft_cvrf_client.rb'
+require 'optparse'
+require 'json'
+
+@options = {}
+
+OptionParser.new do |opts|
+  opts.on("-id", "--id", "Bulletin ID") do |id|
+    @options[:id] = id
+  end
+end.parse!
+
+bulletin_id =  @options[:id]
+api_client = MicrosoftCvrfClient.new
+
+#bulletin_response = api_client.get_id(bulletin_id)
+
+puts JSON.pretty_generate(api_client.exploited_vulns_only(bulletin_id))
--- a/tools/microsoft/microsoft_cvrf_client.rb
+++ b/tools/microsoft/microsoft_cvrf_client.rb
@ -45,7 +45,8 @@ class MicrosoftCvrfClient
      threat_str = get_threat_str_for_vuln(vuln)
      split_t_str_arr = split_threat_str(threat_str)
      hashed_t_str = threat_str_arr_to_hash(split_t_str_arr)
-      { vuln.cve => hashed_t_str }
+      vuln_hash = { :cve_id => vuln.cve, :exploitability_info => hashed_t_str }
+      threat_str_hash_to_json(vuln_hash)
    end
  end

@ -67,5 +68,35 @@ class MicrosoftCvrfClient
    arr_of_hash.reduce Hash.new, :merge
  end

+  def threat_str_hash_to_json(threat_str_hash)
+    JSON.parse(threat_str_hash.to_json)
+  end
+
+  def exploited_yes_vulns(bulletin_vuln_json)
+    bulletin_vuln_json.select do |vuln_info|
+      vuln_info["exploitability_info"]["Exploited"] == "Yes"
+    end
+  end
+
+  def exploitation_detected_vulns(bulletin_vuln_json)
+    bulletin_vuln_json.select do |vuln_info|
+      exploit_info = vuln_info['exploitability_info']
+      check_latest = exploit_info["Latest Software Release"] == "Exploitation Detected"
+      check_oldest = exploit_info["Oldest Software Release"] == "Exploitation Detected"
+      check_latest || check_oldest
+    end
+  end
+
+  def exploited_vulns_only(bulletin_id)
+    r = get_id(bulletin_id)
+    vuln = cves_threat_strs(r)
+    exploited_yes = exploited_yes_vulns(vuln)
+    exploitation_detected = exploitation_detected_vulns(vuln)
+    {
+      :bulletin_id => bulletin_id,
+      :exploited_yes_cve => exploited_yes,
+      :exploitation_detected_cve => exploitation_detected
+    }
+  end
 end