
Show more CVE data when performing searches without --extract-cves #17

Closed
ryran opened this issue Oct 31, 2016 · 3 comments
ryran commented Oct 31, 2016

So if I do a search like this:

$ rhsecapi --q-after 2016-06-01 --q-before 2016-09-01 --q-severity critical --count
CVEs found: 102

The above data was generated by a single HTTP request and altogether it took less than a second for rhsecapi to finish. As things stand now, if I want to print details about those CVEs, I need to use -s/--extract-search, which will then kick off 102 additional HTTP API requests. Thanks to multithreading, that doesn't need to take too long ... on my 4-core system with the default settings, I get:

$ time rhsecapi --q-after 2016-06-01 --q-before 2016-09-01 --q-severity critical --count --extract-search
CVEs found: 102
Valid Red Hat CVE results retrieved: 102 of 102

real	0m5.819s
user	0m1.775s
sys	0m0.099s

That said, it's still kind of wasteful when you realize that a lot of that data was already gathered (and discarded) in the very first HTTP request. For example, here's the raw JSON (--json) returned for one of the CVEs -- i.e., this was returned with the very first request and then discarded after extracting only the CVE number:

  {
    "CVE": "CVE-2016-2819", 
    "CWE": null, 
    "advisories": [
      "RHSA-2016:1217"
    ], 
    "affected_packages": [
      "firefox-45.2.0-1.el5_11", 
      "firefox-45.2.0-1.el6_8", 
      "firefox-45.2.0-1.el7_2"
    ], 
    "bugzilla": "1342891", 
    "cvss_score": 6.8, 
    "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", 
    "public_date": "2016-06-08T00:00:00+00:00", 
    "resource_url": "https://access.redhat.com/labs/securitydataapi/cve/CVE-2016-2819.json", 
    "severity": "critical"
  }, 

That's quite a lot of info we could use. Here's what we'd get if we did a full CVE lookup instead of a search:

$ rhsecapi CVE-2016-2819 --json
Valid Red Hat CVE results retrieved: 1 of 1

{
  "acknowledgement": "\nRed Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges firehack as the original reporter.\n    ", 
  "affected_release": [
    {
      "advisory": "RHSA-2016:1217", 
      "cpe": "cpe:/o:redhat:enterprise_linux:5", 
      "package": "firefox-45.2.0-1.el5_11", 
      "product_name": "Red Hat Enterprise Linux 5", 
      "release_date": "2016-06-08T00:00:00"
    }, 
    {
      "advisory": "RHSA-2016:1217", 
      "cpe": "cpe:/o:redhat:enterprise_linux:6", 
      "package": "firefox-45.2.0-1.el6_8", 
      "product_name": "Red Hat Enterprise Linux 6", 
      "release_date": "2016-06-08T00:00:00"
    }, 
    {
      "advisory": "RHSA-2016:1217", 
      "cpe": "cpe:/o:redhat:enterprise_linux:7", 
      "package": "firefox-45.2.0-1.el7_2", 
      "product_name": "Red Hat Enterprise Linux 7", 
      "release_date": "2016-06-08T00:00:00"
    }
  ], 
  "bugzilla": {
    "description": "\nCVE-2016-2819 Mozilla: Buffer overflow parsing HTML5 fragments (MFSA 2016-50)\n    ", 
    "id": "1342891", 
    "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1342891"
  }, 
  "cvss": {
    "cvss_base_score": "6.8", 
    "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", 
    "status": "verified"
  }, 
  "details": "\nHeap-based buffer overflow in Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 allows remote attackers to execute arbitrary code via foreign-context HTML5 fragments, as demonstrated by fragments within an SVG element.\n    ", 
  "document_distribution": "Copyright \u00a9 2016 Red Hat, Inc. All rights reserved.", 
  "name": "CVE-2016-2819", 
  "package_state": [
    {
      "cpe": "cpe:/o:redhat:enterprise_linux:5", 
      "fix_state": "Not affected", 
      "package_name": "thunderbird", 
      "product_name": "Red Hat Enterprise Linux 5"
    }, 
    {
      "cpe": "cpe:/o:redhat:enterprise_linux:6", 
      "fix_state": "Not affected", 
      "package_name": "thunderbird", 
      "product_name": "Red Hat Enterprise Linux 6"
    }, 
    {
      "cpe": "cpe:/o:redhat:enterprise_linux:7", 
      "fix_state": "Not affected", 
      "package_name": "thunderbird", 
      "product_name": "Red Hat Enterprise Linux 7"
    }
  ], 
  "public_date": "2016-06-08T00:00:00", 
  "references": "\nhttps://www.mozilla.org/security/announce/2016/mfsa2016-50.html\n    ", 
  "threat_severity": "Critical"
}

So the question is really ... whether it makes sense to do anything with the search-result output even though it's not the full picture. I mean the default IMHO should clearly be to ONLY print CVE numbers when doing searches, but we could give the option to print some extra minimal info ... but then from a usability standpoint, I'm not quite sure how to communicate that ... I feel like it could get confusing for users.

Hmmm. Have to ponder on this. And of course I welcome feedback.
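
The full-lookup record above carries what a search result cannot: per-product fix state. Here is an added example (not rhsecapi's or ryran's code) that reads a trimmed, constructed copy of that CVE-2016-2819 record offline and derives, for each product and package, whether a fix shipped (affected_release, with the advisory and fixed NVR) or what Red Hat states about it otherwise (package_state). The fix_state strings other than "Not affected" named in the comments are the ones Red Hat's data uses and are not present in the sample:

```python
"""Summarise per-product fix state from one full CVE record.

Added example, not rhsecapi's own code. Runs offline on a trimmed copy
of the CVE-2016-2819 full-lookup JSON shown in the issue (constructed
sample: the RHEL 6 entries are omitted so an unlisted product can be
demonstrated).
"""
import json

# Constructed sample: trimmed from the full-lookup JSON in the issue.
SAMPLE_CVE_JSON = """
{
  "name": "CVE-2016-2819",
  "threat_severity": "Critical",
  "cvss": {"cvss_base_score": "6.8",
           "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
           "status": "verified"},
  "affected_release": [
    {"advisory": "RHSA-2016:1217", "cpe": "cpe:/o:redhat:enterprise_linux:5",
     "package": "firefox-45.2.0-1.el5_11",
     "product_name": "Red Hat Enterprise Linux 5",
     "release_date": "2016-06-08T00:00:00"},
    {"advisory": "RHSA-2016:1217", "cpe": "cpe:/o:redhat:enterprise_linux:7",
     "package": "firefox-45.2.0-1.el7_2",
     "product_name": "Red Hat Enterprise Linux 7",
     "release_date": "2016-06-08T00:00:00"}
  ],
  "package_state": [
    {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected",
     "package_name": "thunderbird",
     "product_name": "Red Hat Enterprise Linux 7"}
  ]
}
"""


def load_sample():
    """Parse the constructed sample record."""
    return json.loads(SAMPLE_CVE_JSON)


def rpm_name(nvr):
    """Return the package name from an RPM NVR string.

    NVR is name-version-release; the name itself may contain dashes,
    so strip exactly the last two dash-separated fields.
    """
    return nvr.rsplit("-", 2)[0]


def fix_status(record):
    """Map (cpe, package name) -> status for one full CVE record.

    affected_release entries are products that shipped a fixed build
    (state "Fixed", with advisory and fixed NVR). package_state entries
    carry Red Hat's stated fix_state for everything else, e.g.
    "Not affected", "Affected", "Will not fix". If both list the same
    product/package, the shipped fix wins.
    """
    status = {}
    for ps in record.get("package_state") or []:
        status[(ps["cpe"], ps["package_name"])] = {
            "state": ps["fix_state"], "advisory": None,
            "fixed_nvr": None, "product": ps["product_name"]}
    for rel in record.get("affected_release") or []:
        status[(rel["cpe"], rpm_name(rel["package"]))] = {
            "state": "Fixed", "advisory": rel["advisory"],
            "fixed_nvr": rel["package"], "product": rel["product_name"]}
    return status


def unfixed_products(record):
    """Return (cpe, package) pairs the record lists as affected but unfixed."""
    return sorted(key for key, val in fix_status(record).items()
                  if val["state"] not in ("Fixed", "Not affected"))


def lookup(record, cpe, package_name):
    """Status for one product/package, or None when the record is silent.

    Unlisted is not the same as unaffected: the record simply says nothing,
    which is why the RHEL 6 firefox build trimmed from the sample is None.
    """
    return fix_status(record).get((cpe, package_name))


if __name__ == "__main__":
    rec = load_sample()
    for (cpe, pkg), s in sorted(fix_status(rec).items()):
        print(f"{s['product']:<28} {pkg:<12} {s['state']:<13} "
              f"{s['advisory'] or '-':<15} {s['fixed_nvr'] or '-'}")
```

The distinction lookup() draws matters in practice: a search result only tells you an advisory exists; only the full record tells you which CPE got it and which packages Red Hat has explicitly marked not affected.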

ryran commented Oct 31, 2016

I think maybe I'll add an option that does something like (mockup):

$ rhsecapi --q-after 2016-06-01 --q-before 2016-09-01 --q-severity critical --show-extra-search-results-data
CVEs found: 102
CVE-2016-2819 | 2016-06-08 | critical | bz#1342891 | RHSA-2016:1217
CVE-2016-2815 | 2016-06-07 | critical | bz#1342890 | none
CVE-2016-4142 | 2016-06-14 | critical | bz#1346665 | RHSA-2016:1238
CVE-2016-2818 | 2016-06-08 | critical | bz#1342887 | RHSA-2016:1217, RHSA-2016:1392
...

ryran changed the title from "When performing searches, should we give the option of printing CVE data without taking the separate step of full CVE retrieval?" to "Show more CVE data when performing searches without --extract-search" on Nov 29, 2016
ryran commented Nov 29, 2016

Here's what I came up with:

$ rhsecapi --q-empty --q-pagesize 20 --q-pagenum 20
[NOTICE ] rhsda: 20 CVEs found with search query

CVE ID         PUB DATE    BUGZILLA  SEVERITY   CVSS2  CVSS3  RHSAS  PKGS
CVE-2016-5278  2016-09-20  1377549   critical   6.8    7.3     1      3  
CVE-2016-5277  2016-09-20  1377559   important  5.1    5.6     1      3  
CVE-2016-5276  2016-09-20  1377557   important  5.1    5.6     1      3  
CVE-2016-5279  2016-09-20  1377673   moderate   5.1    5.6     0      0  
CVE-2016-5282  2016-09-20  1377675   moderate   5.1    5.6     0      0  
CVE-2016-5273  2016-09-20  1377669   important  5.1    5.6     0      0  
CVE-2016-5274  2016-09-20  1377558   important  5.1    5.6     1      3  
CVE-2016-5272  2016-09-20  1377554   important  5.1    5.6     1      3  
CVE-2016-5270  2016-09-20  1377552   important  5.1    5.6     1      3  
CVE-2016-5261  2016-09-20  1361986   important  5.1    5.6     1      3  
CVE-2016-5250  2016-09-20  1361998   moderate   4.3    5.3     1      3  
CVE-2016-5275  2016-09-20  1377667   critical   6.8    7.3     0      0  
CVE-2016-5271  2016-09-20  1377661   low        5.1    5.6     0      0  
CVE-2016-2827  2016-09-20  1377660   low        5.1    5.6     0      0  
CVE-2016-5284  2016-09-20  1377565   important  5.1    5.6     1      3  
CVE-2016-7994  2016-09-19  1382666   low        2.3    3.0     0      0  
CVE-2016-7798  2016-09-19  1381526   moderate   4.3    3.7     0      0  
CVE-2016-7511  2016-09-18  1379624   low        4.3    3.3     0      0  
CVE-2016-7510  2016-09-17  1378718   low        1.9    3.3     0      0  
CVE-2016-7543  2016-09-16  1379630   moderate   6.9    7.0     0      0  

And urls:

$ rhsecapi --q-empty --q-pagesize 20 --q-pagenum 20 --urls 
[NOTICE ] rhsda: 20 CVEs found with search query

CVE ID                                                PUB DATE    BUGZILLA                                             SEVERITY   CVSS2  CVSS3  RHSAS  PKGS
https://access.redhat.com/security/cve/CVE-2016-5278  2016-09-20  https://bugzilla.redhat.com/show_bug.cgi?id=1377549  critical   6.8    7.3     1      3  
https://access.redhat.com/security/cve/CVE-2016-5277  2016-09-20  https://bugzilla.redhat.com/show_bug.cgi?id=1377559  important  5.1    5.6     1      3  
https://access.redhat.com/security/cve/CVE-2016-5276  2016-09-20  https://bugzilla.redhat.com/show_bug.cgi?id=1377557  important  5.1    5.6     1      3  
https://access.redhat.com/security/cve/CVE-2016-5279  2016-09-20  https://bugzilla.redhat.com/show_bug.cgi?id=1377673  moderate   5.1    5.6     0      0  
https://access.redhat.com/security/cve/CVE-2016-5282  2016-09-20  https://bugzilla.redhat.com/show_bug.cgi?id=1377675  moderate   5.1    5.6     0      0  
https://access.redhat.com/security/cve/CVE-2016-5273  2016-09-20  https://bugzilla.redhat.com/show_bug.cgi?id=1377669  important  5.1    5.6     0      0  
https://access.redhat.com/security/cve/CVE-2016-5274  2016-09-20  https://bugzilla.redhat.com/show_bug.cgi?id=1377558  important  5.1    5.6     1      3  
https://access.redhat.com/security/cve/CVE-2016-5272  2016-09-20  https://bugzilla.redhat.com/show_bug.cgi?id=1377554  important  5.1    5.6     1      3  
https://access.redhat.com/security/cve/CVE-2016-5270  2016-09-20  https://bugzilla.redhat.com/show_bug.cgi?id=1377552  important  5.1    5.6     1      3  
https://access.redhat.com/security/cve/CVE-2016-5261  2016-09-20  https://bugzilla.redhat.com/show_bug.cgi?id=1361986  important  5.1    5.6     1      3  
https://access.redhat.com/security/cve/CVE-2016-5250  2016-09-20  https://bugzilla.redhat.com/show_bug.cgi?id=1361998  moderate   4.3    5.3     1      3  
https://access.redhat.com/security/cve/CVE-2016-5275  2016-09-20  https://bugzilla.redhat.com/show_bug.cgi?id=1377667  critical   6.8    7.3     0      0  
https://access.redhat.com/security/cve/CVE-2016-5271  2016-09-20  https://bugzilla.redhat.com/show_bug.cgi?id=1377661  low        5.1    5.6     0      0  
https://access.redhat.com/security/cve/CVE-2016-2827  2016-09-20  https://bugzilla.redhat.com/show_bug.cgi?id=1377660  low        5.1    5.6     0      0  
https://access.redhat.com/security/cve/CVE-2016-5284  2016-09-20  https://bugzilla.redhat.com/show_bug.cgi?id=1377565  important  5.1    5.6     1      3  
https://access.redhat.com/security/cve/CVE-2016-7994  2016-09-19  https://bugzilla.redhat.com/show_bug.cgi?id=1382666  low        2.3    3.0     0      0  
https://access.redhat.com/security/cve/CVE-2016-7798  2016-09-19  https://bugzilla.redhat.com/show_bug.cgi?id=1381526  moderate   4.3    3.7     0      0  
https://access.redhat.com/security/cve/CVE-2016-7511  2016-09-18  https://bugzilla.redhat.com/show_bug.cgi?id=1379624  low        4.3    3.3     0      0  
https://access.redhat.com/security/cve/CVE-2016-7510  2016-09-17  https://bugzilla.redhat.com/show_bug.cgi?id=1378718  low        1.9    3.3     0      0  
https://access.redhat.com/security/cve/CVE-2016-7543  2016-09-16  https://bugzilla.redhat.com/show_bug.cgi?id=1379630  moderate   6.9    7.0     0      0  
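
The table above is built entirely from the per-CVE objects the search endpoint already returns (the --json output in the first comment), so no per-CVE requests are needed. Here is an added example, not rhsecapi's own code, that renders those objects as that table, in both the plain and --urls forms. It runs offline on a constructed sample: the CVE-2016-2819 object copied from the first comment, plus a second object built from the CVE-2016-2815 row in the mockup with every field the mockup does not give left null or empty, to exercise the missing-data cases. The cvss3_score field name is an assumption; the search object shown above predates CVSS3 and does not include it, so the column stays blank for it.

```python
"""Render Security Data API search results as a summary table.

Added example, not rhsecapi's own code. Works on the search-result
objects (one small JSON object per CVE) without any further requests.
"""
import json

# Constructed sample: first object copied from the issue, second built
# from the mockup row for CVE-2016-2815 with unknown fields left null.
SAMPLE_SEARCH_JSON = """
[
  {
    "CVE": "CVE-2016-2819",
    "CWE": null,
    "advisories": ["RHSA-2016:1217"],
    "affected_packages": ["firefox-45.2.0-1.el5_11",
                          "firefox-45.2.0-1.el6_8",
                          "firefox-45.2.0-1.el7_2"],
    "bugzilla": "1342891",
    "cvss_score": 6.8,
    "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
    "public_date": "2016-06-08T00:00:00+00:00",
    "resource_url": "https://access.redhat.com/labs/securitydataapi/cve/CVE-2016-2819.json",
    "severity": "critical"
  },
  {
    "CVE": "CVE-2016-2815",
    "CWE": null,
    "advisories": [],
    "affected_packages": [],
    "bugzilla": "1342890",
    "cvss_score": null,
    "cvss_scoring_vector": null,
    "public_date": "2016-06-07T00:00:00+00:00",
    "severity": "critical"
  }
]
"""

CVE_URL = "https://access.redhat.com/security/cve/"
BZ_URL = "https://bugzilla.redhat.com/show_bug.cgi?id="
COLUMNS = ("CVE ID", "PUB DATE", "BUGZILLA", "SEVERITY",
           "CVSS2", "CVSS3", "RHSAS", "PKGS")


def load_sample():
    """Parse the constructed sample search results."""
    return json.loads(SAMPLE_SEARCH_JSON)


def fmt_score(value):
    """Format a CVSS score with one decimal; blank when the API gives null."""
    return "" if value is None else f"{float(value):.1f}"


def search_row(result, urls=False):
    """Turn one search-result object into the table's string cells.

    Every field except CVE is treated as optional: bugzilla may be
    absent, lists may be empty, scores may be null. cvss3_score is an
    assumed field name (see lead-in). With urls=True the CVE ID and
    bugzilla cells become links, as rhsecapi --urls does.
    """
    cve = result["CVE"]
    bz = result.get("bugzilla")
    return (
        CVE_URL + cve if urls else cve,
        (result.get("public_date") or "")[:10],      # keep YYYY-MM-DD only
        (BZ_URL + bz if urls else bz) if bz else "",
        result.get("severity") or "",
        fmt_score(result.get("cvss_score")),
        fmt_score(result.get("cvss3_score")),
        str(len(result.get("advisories") or [])),
        str(len(result.get("affected_packages") or [])),
    )


def render_table(results, urls=False):
    """Render a header plus one aligned row per search result."""
    rows = [search_row(r, urls) for r in results]
    widths = [max(len(c) for c in col) for col in zip(COLUMNS, *rows)]

    def line(cells):
        return "  ".join(c.ljust(w) for c, w in zip(cells, widths)).rstrip()

    return "\n".join([line(COLUMNS)] + [line(r) for r in rows])


if __name__ == "__main__":
    results = load_sample()
    print(render_table(results))
    print()
    print(render_table(results, urls=True))
```

Counting advisories and affected packages, rather than listing them, is what keeps the row to one line; a zero in the RHSAS column is the quick signal that a CVE in the search window has no shipped fix yet, which is worth checking against the full record before acting on it.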

ryran changed the title from "Show more CVE data when performing searches without --extract-search" to "Show more CVE data when performing searches without --extract-cves" on Dec 1, 2016
ryran commented Dec 1, 2016

Fixed in rc8

ryran closed this as completed Dec 1, 2016