From edf13540f512c0285a7506c8c449c5267c72a940 Mon Sep 17 00:00:00 2001 From: yangwei999 <348134071@qq.com> Date: Thu, 13 Nov 2025 14:39:15 +0800 Subject: [PATCH 1/5] upload cve --- cve-vulner-manager/common/common.go | 35 ++- cve-vulner-manager/models/cve.go | 17 +- cve-vulner-manager/models/modeldb.go | 12 +- cve-vulner-manager/models/uploadcve.go | 78 ++++--- cve-vulner-manager/taskhandler/common.go | 6 +- cve-vulner-manager/taskhandler/cve.go | 260 ++++++----------------- 6 files changed, 151 insertions(+), 257 deletions(-) diff --git a/cve-vulner-manager/common/common.go b/cve-vulner-manager/common/common.go index a9ac833..78f7e5d 100644 --- a/cve-vulner-manager/common/common.go +++ b/cve-vulner-manager/common/common.go 
@@ -272,33 +272,22 @@ type ImBaseMetricV3 struct { ExploitabilityScore float64 `json:"exploitabilityScore"` } -type BmCvssV2 struct { - VectorString string `json:"vectorString"` - AccessComplexity string `json:"accessComplexity"` - AvailabilityImpact string `json:"availabilityImpact"` - Authentication string `json:"authentication"` - Version string `json:"version"` - BaseScore float64 `json:"baseScore"` - IntegrityImpact string `json:"integrityImpact"` - ConfidentialityImpact string `json:"confidentialityImpact"` - AccessVector string `json:"accessVector"` -} - -type ImBaseMetricV2 struct { - AcInsufInfo string `json:"acInsufInfo"` - CvssV2 BmCvssV2 `json:"cvssV2"` - UserInteractionRequired string `json:"userInteractionRequired"` - Severity string `json:"severity"` - ObtainUserPrivilege string `json:"obtainUserPrivilege"` - ObtainAllPrivilege string `json:"obtainAllPrivilege"` - ImpactScore float64 `json:"impactScore"` - ExploitabilityScore float64 `json:"exploitabilityScore"` - ObtainOtherPrivilege string `json:"obtainOtherPrivilege"` +type MetricV4 struct { + Score float64 `json:"score"` + Vector string `json:"vector"` } type CveImpact struct { BaseMetricV3 ImBaseMetricV3 `json:"baseMetricV3"` - BaseMetricV2 ImBaseMetricV2 `json:"baseMetricV2"` + MetricV4 MetricV4 `json:"metricV4"` +} + +func (i CveImpact) ContainsV3() bool { + return i.BaseMetricV3.CvssV3.BaseScore > 0 +} + +func (i CveImpact) ContainsV4() bool { + return i.MetricV4.Score > 0 } type CvePoc struct { diff --git a/cve-vulner-manager/models/cve.go b/cve-vulner-manager/models/cve.go index 9a3630d..d99c61c 100644 --- a/cve-vulner-manager/models/cve.go +++ b/cve-vulner-manager/models/cve.go 
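Review bot: ContainsV3 and ContainsV4 use `BaseScore > 0` / `Score > 0` as the presence test, so an upload whose metric block carries a vector but a base score of 0.0 (possible in CVSS 3.x and 4.0 when every impact metric is None) is treated as absent, and saveNewImpact then writes neither the flag nor the child row. If that is the intended reading, say so in the doc comments these two exported methods lack; otherwise also accept a non-empty vector, `return i.BaseMetricV3.CvssV3.BaseScore > 0 || i.BaseMetricV3.CvssV3.VectorString != ""` and the equivalent with `i.MetricV4.Vector`. Suggested comments: `// ContainsV3 reports whether the upstream impact carries a CVSS 3.x base metric.` and `// ContainsV4 reports whether the upstream impact carries a CVSS 4.0 metric.`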
@@ -203,8 +203,8 @@ func QueryCveScore(impactId int64, typex string) (OriginUpstreamImpactScore, boo ).QueryRow(&cveScore) } else { err = o.Raw( - "select * from cve_origin_upstream_impact_score where impact_id = ? and base_met_v2=? and cvss_v2=?", - impactId, 1, 1, + "select * from cve_origin_upstream_impact_score where impact_id = ? and cvss_v4=?", + impactId, 1, ).QueryRow(&cveScore) } @@ -242,6 +242,19 @@ func QueryCveCvssV2(scoreId int64) (OriginUpstreamImpactScoreV2, bool) { return cveScoreV2, err == nil } +func QueryCveCvssV4(scoreId int64) (OriginUpstreamImpactScoreV4, bool) { + o := orm.NewOrm() + var cveScoreV4 OriginUpstreamImpactScoreV4 + err := o.Raw( + "select * from cve_origin_upstream_impact_score_v4 where score_id = ?", scoreId, + ).QueryRow(&cveScoreV4) + if err != nil { + logs.Error("QueryCveCvssV4, cve_origin_upstream_impact_score_v4, scoreId: ", scoreId, ", err: ", err) + } + + return cveScoreV4, err == nil +} + func QueryCveByPackName(cveNum, packName string, organizateId int8) (vc []VulnCenter) { o := orm.NewOrm() num, err := o.Raw("select * from cve_vuln_center where cve_num = ? and "+ diff --git a/cve-vulner-manager/models/modeldb.go b/cve-vulner-manager/models/modeldb.go index f61f0b0..737a94c 100644 --- a/cve-vulner-manager/models/modeldb.go +++ b/cve-vulner-manager/models/modeldb.go 
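Review bot: The `else` branch of QueryCveScore now queries `cvss_v4=?` for every `typex` other than the v3 case, so any remaining caller that passes "v2" silently receives v4 rows instead of nothing; the head of the function is outside this hunk, but a `switch typex` with an explicit `"v4"` case and an empty result for unknown values would make the retired v2 path fail visibly. QueryCveCvssV4 keeps the query parameterized, which is right; it only lacks a doc comment, e.g. `// QueryCveCvssV4 loads the CVSS 4.0 score row for scoreId; the bool is false when no row was found or the query failed.`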
@@ -454,9 +454,19 @@ type OriginUpstreamImpactScore struct { BaseMetricV2 int8 `orm:"column(base_met_v2);null" description:"v2评分存在为:1; 0:不存在"` CvssV3 int8 `orm:"column(cvss_v3);null" description:"v3评分存在为:1; 0:不存在"` CvssV2 int8 `orm:"column(cvss_v2);null" description:"v2评分存在为:1; 0:不存在"` + CvssV4 int8 `orm:"column(cvss_v4);null" description:"v4评分存在为:1; 0:不存在"` Status int8 `orm:"default(1);column(score_status);null" description:"1:未处理;2:已处理;3:已修改"` } +type OriginUpstreamImpactScoreV4 struct { + Id int64 `orm:"pk;auto;column(id)"` + ScoreId int64 `orm:"index;column(score_id)" description:"OriginUpstreamImpactScore 外键"` + Score float64 `orm:"digits(10);decimals(1);column(score);null" description:"评分"` + Vector string `orm:"size(256);column(vector);null" description:"向量值"` + CreateTime time.Time `orm:"auto_now_add;type(datetime);column(create_time)"` + UpdateTime time.Time `orm:"auto_now;type(datetime);column(update_time)"` +} + type OriginUpstreamImpactScoreV3 struct { V3Id int64 `orm:"pk;auto;column(v3_id)"` ScoreId int64 `orm:"index;column(score_id)" description:"OriginUpstreamImpactScore 外键"` @@ -1142,7 +1152,7 @@ func CreateDb() bool { new(IpWhite), new(OriginUpstream), new(OriginUpstreamDesc), new(OriginUpstreamConfig), new(OriginUpstreamConfigNode), new(OriginUpstreamConfigNodeCpe), new(OriginUpstreamImpact), new(OriginUpstreamImpactScore), - new(OriginUpstreamImpactScoreV3), new(OriginUpstreamImpactScoreV2), + new(OriginUpstreamImpactScoreV3), new(OriginUpstreamImpactScoreV2), new(OriginUpstreamImpactScoreV4), new(OriginUpstreamPoc), new(OriginUpstreamEvent), new(OriginUpstreamReference), new(OriginUpstreamVulType), new(OriginUpstreamFixSuggest), new(OriginUpstreamFixSuggestRefTag), diff --git a/cve-vulner-manager/models/uploadcve.go b/cve-vulner-manager/models/uploadcve.go index 0769e63..a933c56 100644 --- a/cve-vulner-manager/models/uploadcve.go +++ b/cve-vulner-manager/models/uploadcve.go 
@@ -773,9 +773,9 @@ func clearOldImpact(o orm.Ormer, cveId int64, oldImpact OriginUpstreamImpact) {
 lousisv3 := OriginUpstreamImpactScoreV3{ScoreId: sis.ScoreId}
 o.Delete(&lousisv3, "ScoreId")
 }
- if sis.CvssV2 == 1 && sis.BaseMetricV2 == 1 {
- lousisv2 := OriginUpstreamImpactScoreV2{ScoreId: sis.ScoreId}
- o.Delete(&lousisv2, "ScoreId")
+ if sis.CvssV4 == 1 {
+ lousisv4 := OriginUpstreamImpactScoreV4{ScoreId: sis.ScoreId}
+ o.Delete(&lousisv4, "ScoreId")
 }
 }
 losisx := OriginUpstreamImpactScore{ImpactId: oldImpact.ImpactId}
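Review bot: Replacing the v2 delete with the v4 delete means rows already stored in cve_origin_upstream_impact_score_v2 are no longer removed when their impact is re-uploaded, while the parent score row presumably still is (the `losisx` delete follows this hunk); since OriginUpstreamImpactScoreV2 stays registered in CreateDb, those rows become orphans. Keep the old branch next to the new one: `if sis.CvssV2 == 1 && sis.BaseMetricV2 == 1 { o.Delete(&OriginUpstreamImpactScoreV2{ScoreId: sis.ScoreId}, "ScoreId") }`. The results of the `o.Delete` calls are still discarded here (pre-existing), so a failed cleanup goes unnoticed. clearOldImpact starts and ends outside this hunk.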
@@ -797,37 +797,59 @@ func saveNewImpact(o orm.Ormer, cveId int64, source string, impact common.CveImp var lousist OriginUpstreamImpactScore lousist.ImpactId = osi.ImpactId - lousist.BaseMetricV3 = 1 - lousist.BaseMetricV2 = 0 - lousist.CvssV3 = 1 - lousist.CvssV2 = 0 lousist.Status = 1 + if impact.ContainsV3() { + lousist.BaseMetricV3 = 1 + lousist.CvssV3 = 1 + } + + if impact.ContainsV4() { + lousist.CvssV4 = 1 + } + if _, err := o.Insert(&lousist); err != nil { logs.Error("CreateOriginCve, insert cve_origin_upstream_impact_score failed ", err) o.Rollback() return err } - var lousisv3 OriginUpstreamImpactScoreV3 - lousisv3.ScoreId = lousist.ScoreId - lousisv3.BaseScore = impact.BaseMetricV3.CvssV3.BaseScore - lousisv3.VectorString = impact.BaseMetricV3.CvssV3.VectorString - lousisv3.AttackComplexity = impact.BaseMetricV3.CvssV3.AttackComplexity - lousisv3.AttackVector = impact.BaseMetricV3.CvssV3.AttackVector - lousisv3.AvailabilityImpact = impact.BaseMetricV3.CvssV3.AvailabilityImpact - lousisv3.BaseSeverity = impact.BaseMetricV3.CvssV3.BaseSeverity - lousisv3.UserInteraction = impact.BaseMetricV3.CvssV3.UserInteraction - lousisv3.PrivilegesRequired = impact.BaseMetricV3.CvssV3.PrivilegesRequired - lousisv3.Version = impact.BaseMetricV3.CvssV3.Version - lousisv3.ConfidentialityImpact = impact.BaseMetricV3.CvssV3.ConfidentialityImpact - lousisv3.IntegrityImpact = impact.BaseMetricV3.CvssV3.IntegrityImpact - lousisv3.Scope = impact.BaseMetricV3.CvssV3.Scope - lousisv3.ImpactScore = impact.BaseMetricV3.ImpactScore - lousisv3.ExploitabilityScore = impact.BaseMetricV3.ExploitabilityScore - lousisv3.CveLevel = OpenEulerScoreProc(impact.BaseMetricV3.CvssV3.BaseScore) - if _, err := o.Insert(&lousisv3); err != nil { - logs.Error("CreateOriginCve, insert cve_origin_upstream_impact_score_v3 failed", err) - o.Rollback() - return err + + if impact.ContainsV3() { + var lousisv3 OriginUpstreamImpactScoreV3 + lousisv3.ScoreId = lousist.ScoreId + lousisv3.BaseScore = 
impact.BaseMetricV3.CvssV3.BaseScore + lousisv3.VectorString = impact.BaseMetricV3.CvssV3.VectorString + lousisv3.AttackComplexity = impact.BaseMetricV3.CvssV3.AttackComplexity + lousisv3.AttackVector = impact.BaseMetricV3.CvssV3.AttackVector + lousisv3.AvailabilityImpact = impact.BaseMetricV3.CvssV3.AvailabilityImpact + lousisv3.BaseSeverity = impact.BaseMetricV3.CvssV3.BaseSeverity + lousisv3.UserInteraction = impact.BaseMetricV3.CvssV3.UserInteraction + lousisv3.PrivilegesRequired = impact.BaseMetricV3.CvssV3.PrivilegesRequired + lousisv3.Version = impact.BaseMetricV3.CvssV3.Version + lousisv3.ConfidentialityImpact = impact.BaseMetricV3.CvssV3.ConfidentialityImpact + lousisv3.IntegrityImpact = impact.BaseMetricV3.CvssV3.IntegrityImpact + lousisv3.Scope = impact.BaseMetricV3.CvssV3.Scope + lousisv3.ImpactScore = impact.BaseMetricV3.ImpactScore + lousisv3.ExploitabilityScore = impact.BaseMetricV3.ExploitabilityScore + lousisv3.CveLevel = OpenEulerScoreProc(impact.BaseMetricV3.CvssV3.BaseScore) + if _, err := o.Insert(&lousisv3); err != nil { + logs.Error("CreateOriginCve, insert cve_origin_upstream_impact_score_v3 failed", err) + o.Rollback() + return err + } + } + + if impact.ContainsV4() { + lousisv4 := OriginUpstreamImpactScoreV4{ + ScoreId: lousist.ScoreId, + Score: impact.MetricV4.Score, + Vector: impact.MetricV4.Vector, + } + + if _, err := o.Insert(&lousisv4); err != nil { + o.Rollback() + return err + } + } return nil diff --git a/cve-vulner-manager/taskhandler/common.go b/cve-vulner-manager/taskhandler/common.go index 9ff89c3..ef417fa 100644 --- a/cve-vulner-manager/taskhandler/common.go +++ b/cve-vulner-manager/taskhandler/common.go 
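Review bot: The v4 insert error path rolls back and returns without logging, unlike the score and v3 inserts above it; add `logs.Error("CreateOriginCve, insert cve_origin_upstream_impact_score_v4 failed", err)` before the `o.Rollback()` so a failed v4 write is diagnosable. An impact that carries neither v3 nor v4 now still inserts a cve_origin_upstream_impact_score row with every flag 0 and no child row, where the old code always wrote a v3 pair; if that is intended it deserves a comment on the first insert, otherwise return before it. The head of saveNewImpact is outside this hunk.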
@@ -893,9 +893,9 @@ func CreateIssueBody(accessToken, owner, path, assignee string, its models.IssueTemplate, flag int, issueType, pkgLink string, brandArray []string) string { var issueOption IssueOptions - scoreType := "3.0" - if sc.ScoreType == "v2" { - scoreType = "2.0" + scoreType := "4.0" + if sc.ScoreType == "v3" { + scoreType = "3.x" } nvdType := scoreType diff --git a/cve-vulner-manager/taskhandler/cve.go b/cve-vulner-manager/taskhandler/cve.go index daefeae..e414df9 100644 --- a/cve-vulner-manager/taskhandler/cve.go +++ b/cve-vulner-manager/taskhandler/cve.go @@ -364,7 +364,7 @@ func InsertCveExcelGroups(cveData models.OriginExcel, cveRef, repoName string, o func UpdateCveGroups(cveData models.OriginUpstream, cveRef string, openeulerNum int, CveRes models.VulnCenter, cveDesc models.OriginUpstreamDesc, cveScV3 models.OriginUpstreamImpactScoreV3, goe models.GitPackageInfo, - scopeType string, cveScV2 models.OriginUpstreamImpactScoreV2, pkList []string, organizationID int8) (bool, error) { + scopeType string, cveScV4 models.OriginUpstreamImpactScoreV4, pkList []string, organizationID int8) (bool, error) { var OpenEulId int64 if len(cveDesc.EnDescription) > 2 { CveRes.Description = cveDesc.EnDescription @@ -424,14 +424,7 @@ func UpdateCveGroups(cveData models.OriginUpstream, cveRef string, openeulerNum scoreRes.ScoreType = scopeType vectorString := "" if scopeType == "v3" { - if cveScV3.VectorString != "" && len(cveScV3.VectorString) > 0 { - index := strings.IndexAny(cveScV3.VectorString, "/") - if index > 0 && strings.ToLower(cveScV3.VectorString)[:4] == "cvss" { - vectorString = cveScV3.VectorString[index+1:] - } else { - vectorString = cveScV3.VectorString - } - } + vectorString = trimVector(cveScV3.VectorString) if scoreRes.NVDScore != cveScV3.BaseScore { var scorecode models.ScoreRecord scorecode.NVDScore = cveScV3.BaseScore 
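Review bot: The label now defaults to "4.0" for every ScoreType other than "v3", so score records that still carry "v2" from before this series (hook.go only stops writing that value, it does not rewrite existing rows) will be announced as CVSS V4.0 in the issue body. A `switch sc.ScoreType` with explicit cases keeps old records honest: `case "v2": scoreType = "2.0"`, `case "v3": scoreType = "3.x"`, `default: scoreType = "4.0"`. Where `sc` is declared is outside this hunk.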
@@ -458,17 +451,10 @@ func UpdateCveGroups(cveData models.OriginUpstream, cveRef string, openeulerNum scoreRes.Nintegrity = cveScV3.IntegrityImpact scoreRes.Navailability = cveScV3.AvailabilityImpact } else { - if cveScV2.VectorString != "" && len(cveScV2.VectorString) > 0 { - index := strings.IndexAny(cveScV2.VectorString, "/") - if index > 0 && strings.ToLower(cveScV2.VectorString)[:4] == "cvss" { - vectorString = cveScV2.VectorString[index+1:] - } else { - vectorString = cveScV2.VectorString - } - } - if scoreRes.NVDScore != cveScV2.BaseScore { + vectorString = trimVector(cveScV4.Vector) + if scoreRes.NVDScore != cveScV4.Score { var scorecode models.ScoreRecord - scorecode.NVDScore = cveScV2.BaseScore + scorecode.NVDScore = cveScV4.Score scorecode.NvectorVule = vectorString scorecode.Status = 0 scorecode.CveId = CveRes.CveId @@ -479,16 +465,10 @@ func UpdateCveGroups(cveData models.OriginUpstream, cveRef string, openeulerNum return false, errors.New("评分记录数据错误,暂时不处理") } } - scoreRes.NVDScore = cveScV2.BaseScore + scoreRes.NVDScore = cveScV4.Score scoreRes.NvectorVule = vectorString scoreRes.OpenId = OpenEulId scoreRes.Nstatus = 1 - scoreRes.NaccessVector = cveScV2.AccessVector - scoreRes.NaccessComplexity = cveScV2.AccessComplexity - scoreRes.Nconfidentiality = cveScV2.ConfidentialityImpact - scoreRes.Nintegrity = cveScV2.IntegrityImpact - scoreRes.Navailability = cveScV2.AvailabilityImpact - scoreRes.Nauthentication = cveScV2.Authentication } } else { var sc models.Score 
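Review bot: The v4 branch updates NVDScore and NvectorVule but, unlike the v3 branch above it, no longer touches any component field, so a record that previously held a v3 or v2 score keeps its old NattackVector/NaccessVector/Nauthentication values next to a v4 vector once scopeType flips to "v4"; whether scoreRes is written back with those stale fields depends on code after this hunk. Either reset them to "" in this branch or persist only the fields the branch sets. This branch also runs when neither score exists (GenCveVuler defaults scoreType to "v4" with a zero cveScV4), in which case `scoreRes.NVDScore != cveScV4.Score` records a 0 score over a valid one; see the note on the GenCveVuler hunk.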
@@ -501,15 +481,7 @@ func UpdateCveGroups(cveData models.OriginUpstream, cveRef string, openeulerNum if scopeType == "v3" { sc.NVDScore = cveScV3.BaseScore sc.OpenEulerScore = cveScV3.BaseScore - vectorString := "" - if cveScV3.VectorString != "" && len(cveScV3.VectorString) > 0 { - index := strings.IndexAny(cveScV3.VectorString, "/") - if index > 0 && strings.ToLower(cveScV3.VectorString)[:4] == "cvss" { - vectorString = cveScV3.VectorString[index+1:] - } else { - vectorString = cveScV3.VectorString - } - } + vectorString := trimVector(cveScV3.VectorString) sc.NvectorVule = vectorString sc.OvectorVule = vectorString sc.NattackVector = cveScV3.AttackVector 
@@ -529,31 +501,12 @@ func UpdateCveGroups(cveData models.OriginUpstream, cveRef string, openeulerNum sc.Navailability = cveScV3.AvailabilityImpact sc.Oavailability = cveScV3.AvailabilityImpact } else { - sc.NVDScore = cveScV2.BaseScore - sc.OpenEulerScore = cveScV2.BaseScore - vectorString := "" - if cveScV2.VectorString != "" && len(cveScV2.VectorString) > 0 { - index := strings.IndexAny(cveScV2.VectorString, "/") - if index > 0 && strings.ToLower(cveScV2.VectorString)[:4] == "cvss" { - vectorString = cveScV2.VectorString[index+1:] - } else { - vectorString = cveScV2.VectorString - } - } + sc.NVDScore = cveScV4.Score + sc.OpenEulerScore = cveScV4.Score + vectorString := trimVector(cveScV4.Vector) sc.NvectorVule = vectorString sc.OvectorVule = vectorString - sc.NaccessVector = cveScV2.AccessVector - sc.OaccessVector = cveScV2.AccessVector - sc.NaccessComplexity = cveScV2.AccessComplexity - sc.OaccessComplexity = cveScV2.AccessComplexity - sc.Nauthentication = cveScV2.Authentication - sc.Oauthentication = cveScV2.Authentication - sc.Nconfidentiality = cveScV2.ConfidentialityImpact - sc.Oconfidentiality = cveScV2.ConfidentialityImpact - sc.Nintegrity = cveScV2.IntegrityImpact - sc.Ointegrity = cveScV2.IntegrityImpact - sc.Navailability = cveScV2.AvailabilityImpact - sc.Oavailability = cveScV2.AvailabilityImpact + } scid, scerr := models.CreateScore(&sc) if scerr != nil { 
@@ -635,10 +588,23 @@ func genSecurityNoticeDescription(goe models.GitPackageInfo, cveDesc models.Orig return "Security Fix(es):" + "\n\n" + cveDesc.EnDescription + "(" + CveRes.CveNum + ")" } +func trimVector(v string) string { + if v == "" { + return v + } + + index := strings.IndexAny(v, "/") + if index > 0 && strings.ToLower(v)[:4] == "cvss" { + return v[index+1:] + } + + return v +} + func InsertCveGroups(cveData models.OriginUpstream, cveRef, repoNme string, openeulerNum int, cveDesc models.OriginUpstreamDesc, cveScV3 models.OriginUpstreamImpactScoreV3, goe models.GitPackageInfo, - scopeType string, cveScV2 models.OriginUpstreamImpactScoreV2, + scopeType string, cveScV4 models.OriginUpstreamImpactScoreV4, pkList []string, organizationID int8) (bool, error) { var vul models.VulnCenter vul.CveNum = cveData.CveNum @@ -691,15 +657,7 @@ func InsertCveGroups(cveData models.OriginUpstream, cveRef, repoNme string, if scopeType == "v3" { sc.NVDScore = cveScV3.BaseScore sc.OpenEulerScore = cveScV3.BaseScore - vectorString := "" - if cveScV3.VectorString != "" && len(cveScV3.VectorString) > 0 { - index := strings.IndexAny(cveScV3.VectorString, "/") - if index > 0 && strings.ToLower(cveScV3.VectorString)[:4] == "cvss" { - vectorString = cveScV3.VectorString[index+1:] - } else { - vectorString = cveScV3.VectorString - } - } + vectorString := trimVector(cveScV3.VectorString) sc.NvectorVule = vectorString sc.OvectorVule = vectorString sc.NattackVector = cveScV3.AttackVector 
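Review bot: `strings.ToLower(v)[:4]` in trimVector panics with a slice-bounds error for a vector shorter than four bytes that still has a "/" after its first byte (e.g. `ab/`), and the vector comes from upstream upload data; the bug was latent in the inlined copies and is now shared by six call sites. Use a prefix test instead: `if index > 0 && strings.HasPrefix(strings.ToLower(v), "cvss") {` — the `v == ""` guard then becomes redundant, and `strings.IndexByte(v, '/')` expresses the single-character search better than IndexAny. Add a doc comment: `// trimVector strips a leading "CVSS:x.y/" version prefix from a vector string; other inputs are returned unchanged.`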
@@ -719,31 +677,11 @@ func InsertCveGroups(cveData models.OriginUpstream, cveRef, repoNme string, sc.Navailability = cveScV3.AvailabilityImpact sc.Oavailability = cveScV3.AvailabilityImpact } else { - sc.NVDScore = cveScV2.BaseScore - sc.OpenEulerScore = cveScV2.BaseScore - vectorString := "" - if cveScV2.VectorString != "" && len(cveScV2.VectorString) > 0 { - index := strings.IndexAny(cveScV2.VectorString, "/") - if index > 0 && strings.ToLower(cveScV2.VectorString)[:4] == "cvss" { - vectorString = cveScV2.VectorString[index+1:] - } else { - vectorString = cveScV2.VectorString - } - } + sc.NVDScore = cveScV4.Score + sc.OpenEulerScore = cveScV4.Score + vectorString := trimVector(cveScV4.Vector) sc.NvectorVule = vectorString sc.OvectorVule = vectorString - sc.NaccessVector = cveScV2.AccessVector - sc.OaccessVector = cveScV2.AccessVector - sc.NaccessComplexity = cveScV2.AccessComplexity - sc.OaccessComplexity = cveScV2.AccessComplexity - sc.Nauthentication = cveScV2.Authentication - sc.Oauthentication = cveScV2.Authentication - sc.Nconfidentiality = cveScV2.ConfidentialityImpact - sc.Oconfidentiality = cveScV2.ConfidentialityImpact - sc.Nintegrity = cveScV2.IntegrityImpact - sc.Ointegrity = cveScV2.IntegrityImpact - sc.Navailability = cveScV2.AvailabilityImpact - sc.Oavailability = cveScV2.AvailabilityImpact } sc.ScoreType = scopeType var opensa models.OpenEulerSA 
@@ -777,16 +715,16 @@ func InsertCveGroups(cveData models.OriginUpstream, cveRef, repoNme string, return true, nil } -func getScoreV2(impactId int64) models.OriginUpstreamImpactScoreV2 { - cveScore, ok := models.QueryCveScore(impactId, "v2") +func getScoreV4(impactId int64) models.OriginUpstreamImpactScoreV4 { + cveScore, ok := models.QueryCveScore(impactId, "v4") if ok { - scoreV2, ok2 := models.QueryCveCvssV2(cveScore.ScoreId) + scoreV4, ok2 := models.QueryCveCvssV4(cveScore.ScoreId) if ok2 { - return scoreV2 + return scoreV4 } } - return models.OriginUpstreamImpactScoreV2{} + return models.OriginUpstreamImpactScoreV4{} } func getScoreV3(impactId int64) models.OriginUpstreamImpactScoreV3 { @@ -849,9 +787,12 @@ func GenCveVuler(cveData models.OriginUpstream, cveRef string, openeulernum int) } cveImpact, _ := models.QueryCveImpact(cveData.CveId, "nvd") - cveScV2 := getScoreV2(cveImpact.ImpactId) + cveScV4 := getScoreV4(cveImpact.ImpactId) cveScV3 := getScoreV3(cveImpact.ImpactId) - scopeType := "v3" + scoreType := "v4" + if cveScV4.Score == 0 && cveScV3.BaseScore > 0 { + scoreType = "v3" + } packNameMap := map[string]string{} packNameList := []string{} @@ -951,8 +892,8 @@ func GenCveVuler(cveData models.OriginUpstream, cveRef string, openeulernum int) pvList = append(pvList, pv) } failFlag := false - ok, addErr := AddOrSelectToCenter(key, cveRef, scopeType, value, cveData, - pvList, pkList, openeulernum, cveDesc, cveScV3, goe, cveScV2) + ok, addErr := AddOrSelectToCenter(key, cveRef, scoreType, value, cveData, + pvList, pkList, openeulernum, cveDesc, cveScV3, goe, cveScV4) if !ok || addErr != nil { logs.Error("AddOrSelectToCenter, addErr: ", addErr) failFlag = true 
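Review bot: When neither a v4 nor a v3 score exists, scoreType stays "v4" and the zero-valued cveScV4 flows into Insert/UpdateCveGroups, which store a 0 score with an empty vector and, on update, compare the existing NVDScore against 0 and create a ScoreRecord; the fixed "v3" before this change had the same weakness, but the new default makes a scoreless record look like a CVSS 4.0 one. Prefer v4 only when it is present, `scoreType := "v3"` followed by `if cveScV4.Score > 0 { scoreType = "v4" }`, and consider skipping the score update entirely when both are zero. getScoreV4 mirrors getScoreV2 and reads fine; the rest of GenCveVuler is outside these hunks.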
@@ -974,105 +915,24 @@ func GenCveVuler(cveData models.OriginUpstream, cveRef string, openeulernum int) func AddOrSelectToCenter(packageName, cveRef, scopeType, value string, cveData models.OriginUpstream, pvList []PackageVersion, pkList []string, openeulerNum int, cveDesc models.OriginUpstreamDesc, cveScV3 models.OriginUpstreamImpactScoreV3, goe models.GitPackageInfo, - cveScV2 models.OriginUpstreamImpactScoreV2) (bool, error) { + cveScV4 models.OriginUpstreamImpactScoreV4) (bool, error) { for _, pv := range pvList { organizationID := pv.OrganizationID - if organizationID == 4 { - looKengVersion := pv.VerionList - if len(looKengVersion) > 0 { - looKengMap := make(map[string]string) - for _, ver := range looKengVersion { - olky := models.OpenLookengYaml{PackageName: packageName, Version: ver} - msy, mErr := models.GetOpenLookengYamlAll(&olky) - if len(msy) > 0 { - for _, my := range msy { - if _, ok := looKengMap[my.Repo]; !ok { - looKengMap[my.Repo] = packageName - } - } - } else { - logs.Error("openLooKeng, mErr: ", mErr) - } - } - if len(looKengMap) > 0 { - for repo, _ := range looKengMap { - ok, dErr := AddOrDataToCenter(repo, packageName, cveRef, scopeType, value, cveData, - looKengVersion, pkList, openeulerNum, - cveDesc, cveScV3, goe, cveScV2, pv.OrganizationID) - if !ok { - logs.Error("MindSpore, dErr: ", dErr) - } - } - } - } - } else if organizationID == 3 { - mindSporeVersion := pv.VerionList - if len(pv.ids) > 0 && len(mindSporeVersion) > 0 { - list, err := models.GetMindSporeYamlForids(pv.ids) - mindMap := make(map[string]string) - if err == nil && len(list) > 0 { - for _, my := range list { - if _, ok := mindMap[my.Repo]; !ok { - mindMap[my.Repo] = packageName - } - } - } - if len(mindMap) > 0 { - for repo, _ := range mindMap { - ok, dErr := AddOrDataToCenter(repo, packageName, cveRef, scopeType, value, cveData, - mindSporeVersion, pkList, openeulerNum, - cveDesc, cveScV3, goe, cveScV2, organizationID) - if !ok { - logs.Error("MindSpore, dErr: ", 
dErr) - } - } - } - } - } else if organizationID == 2 { - openGausVersion := pv.VerionList - if len(openGausVersion) > 0 { - gaussMap := make(map[string]string) - for _, ver := range openGausVersion { - opy := models.OpenGussYaml{PackageName: packageName, Version: ver} - ogy, oErr := models.GetOpengaussYamlAll(&opy) - if len(ogy) > 0 { - for _, gy := range ogy { - if _, ok := gaussMap[gy.Repo]; !ok { - gaussMap[gy.Repo] = packageName - } - } - } else { - logs.Error("openGauss, dErr: ", oErr) - } - } - if len(gaussMap) > 0 { - for repo, _ := range gaussMap { - ok, dErr := AddOrDataToCenter(repo, packageName, cveRef, scopeType, value, cveData, - openGausVersion, pkList, openeulerNum, - cveDesc, cveScV3, goe, cveScV2, organizationID) - if !ok { - logs.Error("openGauss, dErr: ", dErr) - } - } - } - } - } else { - blacklist := beego.AppConfig.String("cve::package_blacklist") - split := strings.Split(blacklist, ",") - blackSets := sets.NewString(split...) - if blackSets.Has(packageName) { - logs.Error(packageName, " is in blacklist") - continue - } - - openEulerVersion := pv.VerionList - ok, dErr := AddOrDataToCenter(packageName, packageName, cveRef, scopeType, value, cveData, - openEulerVersion, pkList, openeulerNum, - cveDesc, cveScV3, goe, cveScV2, organizationID) - if !ok { - logs.Error("openEuler, dErr: ", dErr) - return false, dErr - } + blacklist := beego.AppConfig.String("cve::package_blacklist") + split := strings.Split(blacklist, ",") + blackSets := sets.NewString(split...) + if blackSets.Has(packageName) { + logs.Error(packageName, " is in blacklist") + continue + } + + openEulerVersion := pv.VerionList + ok, dErr := AddOrDataToCenter(packageName, packageName, cveRef, scopeType, value, cveData, + openEulerVersion, pkList, openeulerNum, + cveDesc, cveScV3, goe, cveScV4, organizationID) + if !ok { + logs.Error("openEuler, dErr: ", dErr) + return false, dErr } } return true, nil 
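Review bot: Dropping the organizationID 2/3/4 branches routes every organization through the openEuler path with `repoNme == packageName`, and the first failing AddOrDataToCenter now aborts the whole loop via `return false, dErr` where those branches used to log and continue; neither change is mentioned in the commit message and no comment explains why the yaml-based repo resolution is no longer needed. Please record the intent above the loop, e.g. `// Every organization is handled as an openEuler repository whose name is the package name.`, or keep the per-organization dispatch if those organizations are still fed through here. The blacklist is also re-read from config and re-split on every iteration; hoist `blackSets` above the `for`.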
@@ -1081,7 +941,7 @@ func AddOrSelectToCenter(packageName, cveRef, scopeType, value string, cveData m func AddOrDataToCenter(repoNme, packageName, cveRef, scopeType, value string, cveData models.OriginUpstream, versionList, pkList []string, openeulerNum int, cveDesc models.OriginUpstreamDesc, cveScV3 models.OriginUpstreamImpactScoreV3, goe models.GitPackageInfo, - cveScV2 models.OriginUpstreamImpactScoreV2, organizationID int8) (bool, error) { + cveScV4 models.OriginUpstreamImpactScoreV4, organizationID int8) (bool, error) { if repoNme == "OpenSSL" && organizationID == 1 { return true, nil } @@ -1100,7 +960,7 @@ func AddOrDataToCenter(repoNme, packageName, cveRef, scopeType, value string, cv } lockx.Lock() ok, err := UpdateCveGroups(cveData, cveRef, openeulerNum, CveRes, cveDesc, cveScV3, goe, - scopeType, cveScV2, pkList, organizationID) + scopeType, cveScV4, pkList, organizationID) lockx.Unlock() if !ok { logs.Error("GenCveVuler, UpdateCveGroups, cveData: ", cveData, ", err: ", err) @@ -1116,7 +976,7 @@ func AddOrDataToCenter(repoNme, packageName, cveRef, scopeType, value string, cv } lockx.Lock() ok, err := InsertCveGroups(cveData, cveRef, repoNme, openeulerNum, cveDesc, cveScV3, goe, - scopeType, cveScV2, pkList, organizationID) + scopeType, cveScV4, pkList, organizationID) lockx.Unlock() if !ok { logs.Error("GenCveVuler, InsertCveGroups, cveData: ", cveData, ", err: ", err) -- Gitee From 17eb97e819e347255cffdae23eb4f15d55b030b3 Mon Sep 17 00:00:00 2001 
From: yangwei999 <348134071@qq.com> Date: Fri, 14 Nov 2025 16:10:56 +0800 Subject: [PATCH 2/5] comment webhook --- cve-vulner-manager/common/common.go | 2 +- cve-vulner-manager/controllers/hook.go | 83 ------------------------- cve-vulner-manager/go.mod | 1 + cve-vulner-manager/go.sum | 2 + cve-vulner-manager/taskhandler/check.go | 10 ++- cve-vulner-manager/taskhandler/excel.go | 12 ++-- cve-vulner-manager/util/calculator.go | 39 ++++++++++++ cve-vulner-manager/util/parsepayload.go | 14 ++--- 8 files changed, 58 insertions(+), 105 deletions(-) diff --git a/cve-vulner-manager/common/common.go b/cve-vulner-manager/common/common.go index 78f7e5d..4b5984b 100644 --- a/cve-vulner-manager/common/common.go +++ b/cve-vulner-manager/common/common.go @@ -388,7 +388,7 @@ type SbomReq struct { } type UploadData struct { - Token string `json:"Token"` + Token string `json:"token"` Source int `json:"source"` CveData []CveOriginData } diff --git a/cve-vulner-manager/controllers/hook.go b/cve-vulner-manager/controllers/hook.go index f84f12a..3203d50 100644 --- a/cve-vulner-manager/controllers/hook.go +++ b/cve-vulner-manager/controllers/hook.go 
@@ -1957,89 +1957,6 @@ func saveVectorData(vct string, cveID int64) error { upFields := make([]string, 0) score.OvectorVule = vct upFields = append(upFields, "o_vector_value") - vMap, ok := util.VctToMap(vct) - if !ok { - return errors.New("vector value illegal") - } - if util.RegexpVectorV2.Match([]byte(vct)) { - //update v2 vector - avv := util.ReadVMValueV2(vMap["AV"]) - if avv != "" { - score.OaccessVector = avv - upFields = append(upFields, "o_access_vector") - } - acv := util.ReadVMValueV2(vMap["AC"]) - if acv != "" { - score.OaccessComplexity = acv - upFields = append(upFields, "o_access_complexity") - } - au := util.ReadVMValueV2(vMap["Au"]) - if au != "" { - score.Oauthentication = au - upFields = append(upFields, "o_authentication") - } - cv := util.ReadVMValueV2(vMap["C"]) - if cv != "" { - score.Oconfidentiality = cv - upFields = append(upFields, "o_confidentiality") - } - iv := util.ReadVMValueV2(vMap["I"]) - if iv != "" { - score.Ointegrity = iv - upFields = append(upFields, "o_integrity") - } - av := util.ReadVMValueV2(vMap["A"]) - if av != "" { - score.Oavailability = av - upFields = append(upFields, "o_availability") - } - score.ScoreType = "v2" - upFields = append(upFields, "score_type") - } else { - //update v3 vector - avv := util.ReadVMValue(vMap["AV"]) - if avv != "" { - score.OattackVector = avv - upFields = append(upFields, "o_attack_vector") - } - acv := util.ReadVMValue(vMap["AC"]) - if acv != "" { - score.OattackComplexity = acv - upFields = append(upFields, "o_attack_complexity") - } - prv := util.ReadVMValue(vMap["PR"]) - if prv != "" { - score.OprivilegeRequired = prv - upFields = append(upFields, "o_privilege_required") - } - uiv := util.ReadVMValue(vMap["UI"]) - if uiv != "" { - score.OuserInteraction = uiv - upFields = append(upFields, "o_user_interaction") - } - sv := util.ReadVMValue(vMap["S"]) - if sv != "" { - score.Oscope = sv - upFields = append(upFields, "o_scope") - } - cv := util.ReadVMValue(vMap["C"]) - if cv != "" { - 
score.Oconfidentiality = cv - upFields = append(upFields, "o_confidentiality") - } - iv := util.ReadVMValue(vMap["I"]) - if iv != "" { - score.Ointegrity = iv - upFields = append(upFields, "o_integrity") - } - av := util.ReadVMValue(vMap["A"]) - if av != "" { - score.Oavailability = av - upFields = append(upFields, "o_availability") - } - score.ScoreType = "v3" - upFields = append(upFields, "score_type") - } if len(upFields) > 0 { //Perform update err = models.UpdateScore(&score, upFields...) diff --git a/cve-vulner-manager/go.mod b/cve-vulner-manager/go.mod index 76cd375..cf90e4b 100644 --- a/cve-vulner-manager/go.mod +++ b/cve-vulner-manager/go.mod @@ -33,6 +33,7 @@ require ( github.com/lib/pq v1.8.0 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect + github.com/pandatix/go-cvss v0.6.2 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/prometheus/client_golang v1.11.1 // indirect github.com/prometheus/client_model v0.3.0 // indirect diff --git a/cve-vulner-manager/go.sum b/cve-vulner-manager/go.sum index db72914..72d6373 100644 --- a/cve-vulner-manager/go.sum +++ b/cve-vulner-manager/go.sum 
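Review bot: saveVectorData no longer validates `vct` — the `util.VctToMap` check that returned "vector value illegal" is gone together with the per-metric parsing — so whatever string the comment parser hands over is written to o_vector_value, and score_type is no longer updated when a vector of another version is submitted. If validation now happens earlier (ScoreAndVectorCheck in this commit), note that in a comment here; otherwise keep a parse guard before the update, `if _, ok := util.VctToMap(vct); !ok { return errors.New("vector value illegal") }`, assuming VctToMap is still present. With a single entry in upFields the `len(upFields) > 0` test is now always true. The head of the function is outside this hunk.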
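Review bot: github.com/pandatix/go-cvss v0.6.2 is marked `// indirect` although util/calculator.go imports it directly in this same commit; `go mod tidy` would move it to the direct block, and an accurate marker matters when reviewing what the service depends on. Drop the comment so the line reads `github.com/pandatix/go-cvss v0.6.2`. The go.sum hunk already carries both hashes for that version.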
@@ -957,6 +957,8 @@ github.com/opensourceways/robot-gitee-lib v1.0.0 h1:nv8qGg8Ns7yAvvbwwyGMoqJSV3R7 github.com/opensourceways/robot-gitee-lib v1.0.0/go.mod h1:Q4RDKbIhM+mOrXnDkeChGErGsPwhD4rUZkPOv4iX6pc= github.com/opensourceways/server-common-lib v0.0.0-20231027024402-f55c66e6699c h1:atmkPztYx7LFXhwnjrQ6IvgZXmzqFREYzpYA4qfsG9I= github.com/opensourceways/server-common-lib v0.0.0-20231027024402-f55c66e6699c/go.mod h1:1iVJ+C3L9e0GJMUhGfbegH4CecnALntzfTW29GzBGUk= +github.com/pandatix/go-cvss v0.6.2 h1:TFiHlzUkT67s6UkelHmK6s1INKVUG7nlKYiWWDTITGI= +github.com/pandatix/go-cvss v0.6.2/go.mod h1:jDXYlQBZrc8nvrMUVVvTG8PhmuShOnKrxP53nOFkt8Q= github.com/pelletier/go-toml v1.0.1/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/peterh/liner v1.0.1-0.20171122030339-3681c2a91233/go.mod h1:xIteQHvHuaLYG9IFj6mSxM0fCKrs34IrEQUhOYuGPHc= diff --git a/cve-vulner-manager/taskhandler/check.go b/cve-vulner-manager/taskhandler/check.go index 363cb62..e1e4924 100644 --- a/cve-vulner-manager/taskhandler/check.go +++ b/cve-vulner-manager/taskhandler/check.go @@ -164,15 +164,13 @@ func itemCheck(item string, branchSets sets.Set[string], resultCheck func(result } func scoreVectorCheck(issueTmp *models.IssueTemplate) string { - score, err := models.QueryIssueScore(issueTmp.CveId) + matched, err := util.ScoreAndVectorCheck(issueTmp.OpenEulerScore, issueTmp.OpenEulerVector) if err != nil { - return "获取cve评分失败" + return err.Error() } - if score.ScoreType == "v3" { - if util.CalculateCVSSV3BaseScore(issueTmp.OpenEulerVector) != issueTmp.OpenEulerScore { - return "CVSS评分和矢量值不一致,请修改至矢量值和CVSS评分一致!" - } + if !matched { + return "CVSS评分和矢量值不一致,请修改至矢量值和CVSS评分一致!" } return "" diff --git a/cve-vulner-manager/taskhandler/excel.go b/cve-vulner-manager/taskhandler/excel.go index 0cc675c..8a5af9b 100644 --- a/cve-vulner-manager/taskhandler/excel.go +++ b/cve-vulner-manager/taskhandler/excel.go 
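Review bot: scoreVectorCheck now returns `err.Error()` verbatim as the message, so a malformed vector surfaces the parser's English text or the bare "invalid vector" where every other string this function returns is a user-facing Chinese message; prefix it with a fixed message in the style of the existing ones, or map parse failures to one. The check also runs for every score type now instead of only v3, which is the point of the series but worth a line in the commit message. The `models.QueryIssueScore` call is gone, so that import may be unused in this file if nothing else uses it.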
@@ -595,14 +595,12 @@ func CheckOpenEulerScoreAndVector(issue *models.IssueTemplate, comment func(cont return false } - score, _ := models.QueryIssueScore(issue.CveId) - if score.ScoreType == "V3" { - if util.CalculateCVSSV3BaseScore(issue.OpenEulerVector) != issue.OpenEulerScore { - cc := fmt.Sprintf("@%v CVSS评分和矢量值不一致,请修改至矢量值和CVSS评分一致!", issue.Assignee) - comment(cc) + matched, _ := util.ScoreAndVectorCheck(issue.OpenEulerScore, issue.OpenEulerVector) + if !matched { + cc := fmt.Sprintf("@%v CVSS评分和矢量值不一致,请修改至矢量值和CVSS评分一致!", issue.Assignee) + comment(cc) - return false - } + return false } return true diff --git a/cve-vulner-manager/util/calculator.go b/cve-vulner-manager/util/calculator.go index d064729..0509bce 100644 --- a/cve-vulner-manager/util/calculator.go +++ b/cve-vulner-manager/util/calculator.go @@ -1,11 +1,15 @@ package util import ( + "errors" "fmt" "math" "strings" "github.com/astaxie/beego" + gocvss20 "github.com/pandatix/go-cvss/20" + gocvss31 "github.com/pandatix/go-cvss/31" + gocvss40 "github.com/pandatix/go-cvss/40" ) const ( 
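Review bot: `matched, _ := util.ScoreAndVectorCheck(...)` discards the error, so an unparseable vector is reported to the assignee as a score/vector mismatch rather than as a malformed vector, and a library failure is hidden the same way. Handle it separately: `matched, err := util.ScoreAndVectorCheck(issue.OpenEulerScore, issue.OpenEulerVector)` and post a distinct comment when `err != nil`. The head of CheckOpenEulerScoreAndVector is outside this hunk.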
@@ -25,8 +29,43 @@ const (
 exFactor = 8.22
 VectorNone = "None"
+
+ length20 = 26
+ length31 = 35
+ length40 = 54
+
+ header20 = "CVSS:2.0/"
+ header31 = "CVSS:3.1/"
+ header40 = "CVSS:4.0/"
 )
+func ScoreAndVectorCheck(score float64, vector string) (bool, error) {
+ if len(vector) == length20 {
+ cvss20, err := gocvss20.ParseVector(header20 + vector)
+ if err != nil {
+ return false, err
+ }
+
+ return cvss20.BaseScore() == score, nil
+ } else if len(vector) == length31 {
+ cvss31, err := gocvss31.ParseVector(header31 + vector)
+ if err != nil {
+ return false, err
+ }
+
+ return cvss31.BaseScore() == score, nil
+ } else if len(vector) >= length40 {
+ cvss40, err := gocvss40.ParseVector(header40 + vector)
+ if err != nil {
+ return false, err
+ }
+
+ return cvss40.Score() == score, nil
+ } else {
+ return false, errors.New("invalid vector")
+ }
+}
+
 // Calculate CVSS v3 basescore based on vector
 func CalculateCVSSV3BaseScore(vector string) float64 {
 if vector == "" {
diff --git a/cve-vulner-manager/util/parsepayload.go b/cve-vulner-manager/util/parsepayload.go
index 995c12c..8d45428 100644
--- a/cve-vulner-manager/util/parsepayload.go
+++ b/cve-vulner-manager/util/parsepayload.go
@@ -1,7 +1,6 @@
 package util
 import (
- "errors"
 "fmt"
 "regexp"
 "sort"
@@ -334,6 +333,11 @@ func ExtractVector(body, scoreType string) string {
 return ""
 }
+func ExtractAllKindVector(body string) string {
+ index := strings.Index(body, "AV:")
+ return body[index:]
+}
+
 // ReadVMValue get vector v3 value from the vector map by keyword
 func ReadVMValue(kStr string) (value string) {
 if kStr == "" {
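Review bot: `cvss20.BaseScore() == score` (and the v3.1/v4 branches) compare float64 values with `==`; `score` is parsed from free text elsewhere while BaseScore is computed by go-cvss, so a match depends on both sides producing the identical binary value for, say, 7.5, and a benign rounding difference yields a false mismatch. Compare to one decimal instead, e.g. `math.Abs(cvss31.BaseScore()-score) < 0.05` (`math` is already imported in this file). The length dispatch also assumes every 35-character vector is CVSS 3.1 and prefixes it with `CVSS:3.1/`, so a 3.0 vector is scored with 3.1 rules, and a 3.x vector carrying temporal or environmental metrics (36–53 characters) is rejected as `invalid vector`. The `if`/`else if`/`else` chain on a single discriminant reads more naturally as a `switch`.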
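Review bot: ExtractAllKindVector returns everything from the first `AV:` to the end of `body`, so any text that follows the vector in a comment becomes part of the returned vector and moves it into a different length class in ScoreAndVectorCheck; whether TrimString already strips such trailers is not visible here. Cutting at the first whitespace would make the result self-contained, e.g. `rest := body[index:]`, `if end := strings.IndexAny(rest, " \t\r\n"); end >= 0 { return rest[:end] }`, `return rest`. A negative `index` also panics on `body[index:]`; a later patch in this series adds that guard.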
@@ -627,15 +631,9 @@ func ExtractCommentValue(ca CaSlice, keyWord string) (string, bool) {
 // ExtractCommentOpenEulerScore Extract openEuler score from issue comment
 func ExtractCommentOpenEulerScore(str string) (score, vector string, err error) {
- // AT,VC are specific to CVSS4
- if strings.Contains(str, "AT") && strings.Contains(str, "VC") {
- err = errors.New("目前不支持CVSS4.0,请按照cvss3.x的评分格式填写")
- return
- }
-
 str = TrimString(str)
 score = ExtractDigital(str)
- vector = ExtractVector(str, CvsScoreV3)
+ vector = ExtractAllKindVector(str)
 return
 }
-- Gitee
From 7174547284bd86fab1e303b4c2a53d83bf795501 Mon Sep 17 00:00:00 2001
From: yangwei999 <348134071@qq.com>
Date: Thu, 27 Nov 2025 09:45:34 +0800
Subject: [PATCH 3/5] fix
---
 cve-vulner-manager/util/parsepayload.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/cve-vulner-manager/util/parsepayload.go b/cve-vulner-manager/util/parsepayload.go
index 8d45428..8b77bc9 100644
--- a/cve-vulner-manager/util/parsepayload.go
+++ b/cve-vulner-manager/util/parsepayload.go
@@ -335,6 +335,10 @@ func ExtractVector(body, scoreType string) string {
 func ExtractAllKindVector(body string) string {
 index := strings.Index(body, "AV:")
+ if index < 0 {
+ return ""
+ }
+
 return body[index:]
 }
-- Gitee
From 1a72fbf48284d6b97e79baa7f641b32d528567e9 Mon Sep 17 00:00:00 2001
From: yangwei999 <348134071@qq.com>
Date: Thu, 27 Nov 2025 11:30:24 +0800
Subject: [PATCH 4/5] build cvss header
---
 cve-vulner-manager/taskhandler/common.go | 24 ++++++++++++------------
 cve-vulner-manager/util/calculator.go | 20 ++++++++++++++++----
 2 files changed, 28 insertions(+), 16 deletions(-)
diff --git a/cve-vulner-manager/taskhandler/common.go b/cve-vulner-manager/taskhandler/common.go
index ef417fa..bf2921e 100644
--- a/cve-vulner-manager/taskhandler/common.go
+++ b/cve-vulner-manager/taskhandler/common.go
@@ -67,7 +67,7 @@ const bodyTpl = `一、漏洞信息
 漏洞归属的版本:%v CVSS V%v分值: BaseScore:%v
- Vector:CVSS:%v
+ Vector:%v
 漏洞简述: %v 漏洞公开时间:%v
@@ -100,7 +100,7 @@ const bodyUpTpl = `一、漏洞信息
 漏洞归属的版本:%v CVSS V%v分值: BaseScore:%v
- Vector:CVSS:%v
+ Vector:%v
 漏洞简述: %v 漏洞公开时间:%v
@@ -119,7 +119,7 @@ const bodyUpTpl = `一、漏洞信息
 %v openEuler评分: %v
- Vector:CVSS:%v
+ Vector:%v
 受影响版本排查(受影响/不受影响): %v 修复是否涉及abi变化(是/否):
@@ -133,7 +133,7 @@ const bodySecLinkTpl = `一、漏洞信息
 漏洞归属的版本:%v CVSS V%v分值: BaseScore:%v
- Vector:CVSS:%v
+ Vector:%v
 漏洞简述: %v 漏洞公开时间:%v
@@ -152,7 +152,7 @@ const bodySecLinkTpl = `一、漏洞信息
 %v openEuler评分: %v
- Vector:CVSS:%v
+ Vector:%v
 受影响版本排查(受影响/不受影响): %v 修复是否涉及abi变化(是/否):
@@ -1030,8 +1030,8 @@ func CreateIssueBody(accessToken, owner, path, assignee string,
 if flag == 1 {
 if floatOpenEulerScore > 0.0 || (its.OpenEulerVector != "" && len(its.OpenEulerVector) > 1) {
 nveScore := score + " " + cve.CveLevel
- nveVector := nvdType + "/" + sc.NvectorVule
- oVector := scoreType + "/" + its.OpenEulerVector
+ nveVector := util.BuildCVSSHeader(sc.NvectorVule)
+ oVector := util.BuildCVSSHeader(its.OpenEulerVector)
 body := ""
 if its.Status == 3 && len(its.SecLink) > 3 && cve.OrganizationID == 1 {
 body = fmt.Sprintf(bodySecLinkTpl, cveNumber, cvePkg, cve.CveVersion, nvdType, nveScore, nveVector,
@@ -1051,7 +1051,7 @@ func CreateIssueBody(accessToken, owner, path, assignee string,
 issueOption = IssueOptions{Token: accessToken, Repo: path, Title: cve.CveNum, State: StatusName, Body: body, Assignee: assignee, Labels: labels}
 } else {
 nveScore := score + " " + cve.CveLevel
- nveVector := nvdType + "/" + sc.NvectorVule
+ nveVector := util.BuildCVSSHeader(sc.NvectorVule)
 openEulerScore = " "
 body := ""
 if cve.OrganizationID == 1 {
@@ -1067,7 +1067,7 @@ func CreateIssueBody(accessToken, owner, path, assignee string,
 } else if flag == 2 {
 nveScore := score + " " + cve.CveLevel
- nveVector := nvdType + "/" + sc.NvectorVule
+ nveVector := util.BuildCVSSHeader(sc.NvectorVule)
 openEulerScore = " "
 body := ""
 if cve.OrganizationID == 1 {
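Review bot: In the `@@ -1030` hunk the vector prefix now comes from `util.BuildCVSSHeader`, which picks 3.1 or 4.0 from the vector's length, while `nvdType` is still formatted into the same template as the `CVSS V%v分值` label; the two are computed independently and can disagree (a v4 vector under a V3 label, or a 26-character v2 vector shown with a `CVSS:3.1/` prefix). The same applies to `@@ -1051`, `@@ -1067` and, on the next line, `@@ -1099` and `@@ -1121`. If `nvdType` identifies the scoring version at these call sites — its derivation is outside the hunk — passing it to the header builder, or deriving the label from the vector, would keep the issue body self-consistent. CreateIssueBody starts and ends outside these hunks.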
@@ -1099,8 +1099,8 @@ func CreateIssueBody(accessToken, owner, path, assignee string,
 } else {
 if floatOpenEulerScore > 0.0 || (its.OpenEulerVector != "" && len(its.OpenEulerVector) > 1) {
 nveScore := score + " " + cve.CveLevel
- nveVector := nvdType + "/" + its.NVDVector
- oVector := scoreType + "/" + its.OpenEulerVector
+ nveVector := util.BuildCVSSHeader(sc.NvectorVule)
+ oVector := util.BuildCVSSHeader(its.OpenEulerVector)
 body := ""
 if its.Status == 3 && len(its.SecLink) > 3 && cve.OrganizationID == 1 {
 body = fmt.Sprintf(bodySecLinkTpl, cveNumber, cvePkg, cve.CveVersion, nvdType, nveScore, nveVector,
@@ -1121,7 +1121,7 @@ func CreateIssueBody(accessToken, owner, path, assignee string,
 } else {
 openEulerScore = " "
 nveScore := score + " " + cve.CveLevel
- nveVector := nvdType + "/" + sc.NvectorVule
+ nveVector := util.BuildCVSSHeader(sc.NvectorVule)
 body := ""
 if cve.OrganizationID == 1 {
 body = fmt.Sprintf(bodyTplx, cveNumber, cvePkg, cve.CveVersion, nvdType, nveScore, nveVector,
diff --git a/cve-vulner-manager/util/calculator.go b/cve-vulner-manager/util/calculator.go
index 0509bce..e106613 100644
--- a/cve-vulner-manager/util/calculator.go
+++ b/cve-vulner-manager/util/calculator.go
@@ -30,15 +30,27 @@ const (
 VectorNone = "None"
- length20 = 26
- length31 = 35
- length40 = 54
+ length20 = 26
+ length31 = 35
+ length40Min = 54
 header20 = "CVSS:2.0/"
 header31 = "CVSS:3.1/"
 header40 = "CVSS:4.0/"
 )
+func BuildCVSSHeader(v string) string {
+ if v == "" {
+ return ""
+ }
+
+ if len(v) >= length40Min {
+ return header40 + v
+ }
+
+ return header31 + v
+}
+
 func ScoreAndVectorCheck(score float64, vector string) (bool, error) {
 if len(vector) == length20 {
 cvss20, err := gocvss20.ParseVector(header20 + vector)
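Review bot: The `@@ -1099` hunk changes the operand as well as the wrapper: the removed line read `its.NVDVector`, the new one reads `sc.NvectorVule`, whereas the sibling hunks only wrap the value they already used. If that switch of source is deliberate it deserves a mention in the commit message, since this branch now takes the NVD vector from the score record rather than the issue template; if it is accidental, `nveVector := util.BuildCVSSHeader(its.NVDVector)` preserves the previous behaviour. CreateIssueBody starts and ends outside the hunk.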
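Review bot: BuildCVSSHeader prefixes every non-empty vector shorter than `length40Min` with `CVSS:3.1/`, so the 26-character v2 vectors that ScoreAndVectorCheck accepts as `length20` are rendered as 3.1; add the v2 case, `if len(v) == length20 { return header20 + v }`, before the 3.1 default. The length heuristic also misfiles a 3.x vector carrying temporal or environmental metrics, which can reach 54 characters, as 4.0; checking for a v4-only metric such as `AT:` (one of the markers the removed code in ExtractCommentOpenEulerScore used) would be more robust than length alone.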
@@ -54,7 +66,7 @@ func ScoreAndVectorCheck(score float64, vector string) (bool, error) {
 }
 return cvss31.BaseScore() == score, nil
- } else if len(vector) >= length40 {
+ } else if len(vector) >= length40Min {
 cvss40, err := gocvss40.ParseVector(header40 + vector)
 if err != nil {
 return false, err
-- Gitee
From 565c66d0650dcda152d6a443ad7cfc023dce5fb0 Mon Sep 17 00:00:00 2001
From: yangwei999 <348134071@qq.com>
Date: Sat, 29 Nov 2025 09:09:37 +0800
Subject: [PATCH 5/5] fix ci
---
 cve-vulner-manager/common/common.go | 3 ++
 cve-vulner-manager/models/cve.go | 1 +
 cve-vulner-manager/models/modeldb.go | 1 +
 cve-vulner-manager/models/uploadcve.go | 71 +++++++++++++++----------
 cve-vulner-manager/taskhandler/cve.go | 4 +-
 cve-vulner-manager/util/calculator.go | 8 +--
 cve-vulner-manager/util/parsepayload.go | 1 +
 7 files changed, 57 insertions(+), 32 deletions(-)
diff --git a/cve-vulner-manager/common/common.go b/cve-vulner-manager/common/common.go
index 4b5984b..9f154aa 100644
--- a/cve-vulner-manager/common/common.go
+++ b/cve-vulner-manager/common/common.go
@@ -272,6 +272,7 @@ type ImBaseMetricV3 struct {
 ExploitabilityScore float64 `json:"exploitabilityScore"`
 }
+// MetricV4 cvss4.0
 type MetricV4 struct {
 Score float64 `json:"score"`
 Vector string `json:"vector"`
@@ -282,10 +283,12 @@ type CveImpact struct {
 MetricV4 MetricV4 `json:"metricV4"`
 }
+// ContainsV3 whether cvss3 is valid
 func (i CveImpact) ContainsV3() bool {
 return i.BaseMetricV3.CvssV3.BaseScore > 0
 }
+// ContainsV4 whether cvss4 is valid
 func (i CveImpact) ContainsV4() bool {
 return i.MetricV4.Score > 0
 }
diff --git a/cve-vulner-manager/models/cve.go b/cve-vulner-manager/models/cve.go
index d99c61c..21a393b 100644
--- a/cve-vulner-manager/models/cve.go
+++ b/cve-vulner-manager/models/cve.go
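Review bot: The new doc comments `// ContainsV3 whether cvss3 is valid` and `// ContainsV4 whether cvss4 is valid` overstate what the methods check: each only tests that a score is greater than zero, which says the metric is present, not that it is valid. Go's doc convention also asks for a sentence that starts with the name, e.g. `// ContainsV3 reports whether a CVSS v3 base score is present (BaseScore > 0).` and the analogous wording for ContainsV4. `// MetricV4 cvss4.0` would similarly read better as `// MetricV4 holds a CVSS 4.0 score and its vector string.`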
@@ -242,6 +242,7 @@ func QueryCveCvssV2(scoreId int64) (OriginUpstreamImpactScoreV2, bool) {
 return cveScoreV2, err == nil
 }
+// QueryCveCvssV4 find cvss4 data
 func QueryCveCvssV4(scoreId int64) (OriginUpstreamImpactScoreV4, bool) {
 o := orm.NewOrm()
 var cveScoreV4 OriginUpstreamImpactScoreV4
diff --git a/cve-vulner-manager/models/modeldb.go b/cve-vulner-manager/models/modeldb.go
index 737a94c..082879a 100644
--- a/cve-vulner-manager/models/modeldb.go
+++ b/cve-vulner-manager/models/modeldb.go
@@ -458,6 +458,7 @@ type OriginUpstreamImpactScore struct {
 Status int8 `orm:"default(1);column(score_status);null" description:"1:未处理;2:已处理;3:已修改"`
 }
+// OriginUpstreamImpactScoreV4 save cvss4
 type OriginUpstreamImpactScoreV4 struct {
 Id int64 `orm:"pk;auto;column(id)"`
 ScoreId int64 `orm:"index;column(score_id)" description:"OriginUpstreamImpactScore 外键"`
diff --git a/cve-vulner-manager/models/uploadcve.go b/cve-vulner-manager/models/uploadcve.go
index a933c56..495815d 100644
--- a/cve-vulner-manager/models/uploadcve.go
+++ b/cve-vulner-manager/models/uploadcve.go
@@ -814,42 +814,57 @@ func saveNewImpact(o orm.Ormer, cveId int64, source string, impact common.CveImp
 }
 if impact.ContainsV3() {
- var lousisv3 OriginUpstreamImpactScoreV3
- lousisv3.ScoreId = lousist.ScoreId
- lousisv3.BaseScore = impact.BaseMetricV3.CvssV3.BaseScore
- lousisv3.VectorString = impact.BaseMetricV3.CvssV3.VectorString
- lousisv3.AttackComplexity = impact.BaseMetricV3.CvssV3.AttackComplexity
- lousisv3.AttackVector = impact.BaseMetricV3.CvssV3.AttackVector
- lousisv3.AvailabilityImpact = impact.BaseMetricV3.CvssV3.AvailabilityImpact
- lousisv3.BaseSeverity = impact.BaseMetricV3.CvssV3.BaseSeverity
- lousisv3.UserInteraction = impact.BaseMetricV3.CvssV3.UserInteraction
- lousisv3.PrivilegesRequired = impact.BaseMetricV3.CvssV3.PrivilegesRequired
- lousisv3.Version = impact.BaseMetricV3.CvssV3.Version
- lousisv3.ConfidentialityImpact = impact.BaseMetricV3.CvssV3.ConfidentialityImpact
- lousisv3.IntegrityImpact = impact.BaseMetricV3.CvssV3.IntegrityImpact
- lousisv3.Scope = impact.BaseMetricV3.CvssV3.Scope
- lousisv3.ImpactScore = impact.BaseMetricV3.ImpactScore
- lousisv3.ExploitabilityScore = impact.BaseMetricV3.ExploitabilityScore
- lousisv3.CveLevel = OpenEulerScoreProc(impact.BaseMetricV3.CvssV3.BaseScore)
- if _, err := o.Insert(&lousisv3); err != nil {
- logs.Error("CreateOriginCve, insert cve_origin_upstream_impact_score_v3 failed", err)
- o.Rollback()
+ if err := saveCVSS3(o, lousist.ScoreId, impact); err != nil {
 return err
 }
 }
 if impact.ContainsV4() {
- lousisv4 := OriginUpstreamImpactScoreV4{
- ScoreId: lousist.ScoreId,
- Score: impact.MetricV4.Score,
- Vector: impact.MetricV4.Vector,
- }
-
- if _, err := o.Insert(&lousisv4); err != nil {
- o.Rollback()
+ if err := saveCVSS4(o, lousist.ScoreId, impact); err != nil {
 return err
 }
+ }
+ return nil
+}
+
+func saveCVSS3(o orm.Ormer, scoreId int64, impact common.CveImpact) error {
+ var lousisv3 OriginUpstreamImpactScoreV3
+ lousisv3.ScoreId = scoreId
+ lousisv3.BaseScore = 
impact.BaseMetricV3.CvssV3.BaseScore
+ lousisv3.VectorString = impact.BaseMetricV3.CvssV3.VectorString
+ lousisv3.AttackComplexity = impact.BaseMetricV3.CvssV3.AttackComplexity
+ lousisv3.AttackVector = impact.BaseMetricV3.CvssV3.AttackVector
+ lousisv3.AvailabilityImpact = impact.BaseMetricV3.CvssV3.AvailabilityImpact
+ lousisv3.BaseSeverity = impact.BaseMetricV3.CvssV3.BaseSeverity
+ lousisv3.UserInteraction = impact.BaseMetricV3.CvssV3.UserInteraction
+ lousisv3.PrivilegesRequired = impact.BaseMetricV3.CvssV3.PrivilegesRequired
+ lousisv3.Version = impact.BaseMetricV3.CvssV3.Version
+ lousisv3.ConfidentialityImpact = impact.BaseMetricV3.CvssV3.ConfidentialityImpact
+ lousisv3.IntegrityImpact = impact.BaseMetricV3.CvssV3.IntegrityImpact
+ lousisv3.Scope = impact.BaseMetricV3.CvssV3.Scope
+ lousisv3.ImpactScore = impact.BaseMetricV3.ImpactScore
+ lousisv3.ExploitabilityScore = impact.BaseMetricV3.ExploitabilityScore
+ lousisv3.CveLevel = OpenEulerScoreProc(impact.BaseMetricV3.CvssV3.BaseScore)
+ if _, err := o.Insert(&lousisv3); err != nil {
+ logs.Error("CreateOriginCve, insert cve_origin_upstream_impact_score_v3 failed", err)
+ o.Rollback()
+ return err
+ }
+
+ return nil
+}
+
+func saveCVSS4(o orm.Ormer, scoreId int64, impact common.CveImpact) error {
+ lousisv4 := OriginUpstreamImpactScoreV4{
+ ScoreId: scoreId,
+ Score: impact.MetricV4.Score,
+ Vector: impact.MetricV4.Vector,
+ }
+
+ if _, err := o.Insert(&lousisv4); err != nil {
+ o.Rollback()
+ return err
 }
 return nil
diff --git a/cve-vulner-manager/taskhandler/cve.go b/cve-vulner-manager/taskhandler/cve.go
index e414df9..bdfb81a 100644
--- a/cve-vulner-manager/taskhandler/cve.go
+++ b/cve-vulner-manager/taskhandler/cve.go
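Review bot: saveCVSS4 rolls back and returns on an insert failure without logging it, while saveCVSS3 logs first; mirror the `logs.Error(...)` call from saveCVSS3 with the v4 table named in the message so a failed v4 insert is visible in the logs. Both helpers also call `o.Rollback()` and discard its error, and they roll back a transaction they did not begin; since saveNewImpact already returns the error to its caller, leaving the rollback to whoever opened the transaction would keep the transaction lifecycle in one place (the caller's handling is outside the hunk, so the rollback may already be duplicated there). `lousisv3`/`lousisv4` are inherited names; `scoreV3`/`scoreV4` would read better in the new helpers. The hunk begins mid-function in saveNewImpact.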
@@ -589,12 +589,14 @@ func genSecurityNoticeDescription(goe models.GitPackageInfo, cveDesc models.Orig
 }
 func trimVector(v string) string {
+ const headerLength = 4
+
 if v == "" {
 return v
 }
 index := strings.IndexAny(v, "/")
- if index > 0 && strings.ToLower(v)[:4] == "cvss" {
+ if index > 0 && strings.ToLower(v)[:headerLength] == "cvss" {
 return v[index+1:]
 }
diff --git a/cve-vulner-manager/util/calculator.go b/cve-vulner-manager/util/calculator.go
index e106613..d80c8fc 100644
--- a/cve-vulner-manager/util/calculator.go
+++ b/cve-vulner-manager/util/calculator.go
@@ -7,9 +7,9 @@ import (
 "strings"
 "github.com/astaxie/beego"
- gocvss20 "github.com/pandatix/go-cvss/20"
- gocvss31 "github.com/pandatix/go-cvss/31"
- gocvss40 "github.com/pandatix/go-cvss/40"
+ "github.com/pandatix/go-cvss/20"
+ "github.com/pandatix/go-cvss/31"
+ "github.com/pandatix/go-cvss/40"
 )
 const (
@@ -39,6 +39,7 @@ const (
 header40 = "CVSS:4.0/"
 )
+// BuildCVSSHeader add header to vector
 func BuildCVSSHeader(v string) string {
 if v == "" {
 return ""
@@ -51,6 +52,7 @@ func BuildCVSSHeader(v string) string {
 return header31 + v
 }
+// ScoreAndVectorCheck check whether score and vector match
 func ScoreAndVectorCheck(score float64, vector string) (bool, error) {
 if len(vector) == length20 {
 cvss20, err := gocvss20.ParseVector(header20 + vector)
diff --git a/cve-vulner-manager/util/parsepayload.go b/cve-vulner-manager/util/parsepayload.go
index 8b77bc9..a412fc3 100644
--- a/cve-vulner-manager/util/parsepayload.go
+++ b/cve-vulner-manager/util/parsepayload.go
@@ -333,6 +333,7 @@ func ExtractVector(body, scoreType string) string {
 return ""
 }
+// ExtractAllKindVector extract v3 and v4 vector
 func ExtractAllKindVector(body string) string {
 index := strings.Index(body, "AV:")
 if index < 0 {
-- Gitee
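Review bot: `index > 0` does not bound the length of `v`, so `strings.ToLower(v)[:headerLength]` in trimVector panics for a short value such as `a/b` (index 1, length 3); the hunk only names the constant and keeps the unguarded slice. A prefix test avoids both the slice and the constant: `if index > 0 && strings.HasPrefix(strings.ToLower(v), "cvss") {`. `strings.IndexAny(v, "/")` with a one-character set is also just `strings.IndexByte(v, '/')`. The function's final return is outside the hunk.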