public void UpdateCVEs()
{
this.logWriter.WriteText("Beginning CVE updates");
List <KeyValuePair <string, Dictionary <string, object> > > updatesToBePerformed =
new List <KeyValuePair <string, Dictionary <string, object> > >();
foreach (CVEItem cveItem in cveItems)
{
CVE cve = cveItem.cve;
string sql = "insert into cves (cve_id, assigner, data_type, data_format, data_version) values "
+ "(@cveId, @assigner, @dataType, @dataFormat, @dataVersion) on duplicate key update "
+ "cve_id = @cveId, assigner = @assigner, data_type = @dataType, data_format = @dataFormat, "
+ "data_version = @dataVersion";
Dictionary <string, object> bindVars = new Dictionary <string, object>();
bindVars.Add("cveId", cve.cveMetaData.ID);
bindVars.Add("assigner", cve.cveMetaData.assigner);
bindVars.Add("dataType", cve.dataType);
bindVars.Add("dataFormat", cve.dataFormat);
bindVars.Add("dataVersion", cve.dataVersion);
updatesToBePerformed.Add(
new KeyValuePair <string, Dictionary <string, object> >(sql, bindVars)
);
}
int numUpdates = this.databaseUtil.performNonQueries(updatesToBePerformed);
this.logWriter.WriteText("CVE updates completed. Performed " + numUpdates + " updates");
}
public PersistentCVE(CVE cve)
{
if (cve == null)
{
return;
}
this.PersistentComments = new List <PersistentCVEComment>();
if (cve.Comments != null)
{
foreach (CVEComment comment in cve.Comments)
{
this.PersistentComments.Add(new PersistentCVEComment(comment));
}
}
this.Description = cve.Description;
this.Name = cve.Name;
this.PersistentReferences = new List <PersistentCVEReference>();
if (cve.References != null)
{
foreach (CVEReference reference in cve.References)
{
this.PersistentReferences.Add(new PersistentCVEReference(reference));
}
}
}
public async Task ExpiredThresholdCausesRecordUpdate()
{
// Arrange
await using var context = JosekiTestsDb.CreateUniqueContext();
var parser = new ConfigurationParser("config.sample.yaml");
var cveCache = new CveCache(parser, context, new MemoryCache(new MemoryCacheOptions()));
var id = this.GetCveId();
var now = DateTime.UtcNow;
var expirationDate = now.AddDays(-(parser.Get().Cache.CveTtl + 1));
var oldCve = new CveEntity
{
CveId = id,
Severity = joseki.db.entities.CveSeverity.Medium,
PackageName = Guid.NewGuid().ToString(),
Title = Guid.NewGuid().ToString(),
Description = Guid.NewGuid().ToString(),
Remediation = Guid.NewGuid().ToString(),
References = Guid.NewGuid().ToString(),
DateUpdated = expirationDate,
DateCreated = expirationDate,
};
// this is the hack -_-
// Use sync version, because it does not update DateUpdated & DateCreated
context.Cve.Add(oldCve);
context.SaveChanges();
var newCve = new CVE
{
Id = id,
Description = Guid.NewGuid().ToString(),
Remediation = Guid.NewGuid().ToString(),
Severity = CveSeverity.High,
PackageName = Guid.NewGuid().ToString(),
Title = Guid.NewGuid().ToString(),
References = Guid.NewGuid().ToString(),
};
// Act & Assert
context.Cve.Count().Should().Be(1, "context should have the only one record before GetOrAddItem");
await cveCache.GetOrAddItem(id, () => newCve);
var actualEntity = await context.Cve.FirstAsync(i => i.CveId == id);
actualEntity.Description.Should().Be(newCve.Description);
actualEntity.Remediation.Should().Be(newCve.Remediation);
actualEntity.PackageName.Should().Be(newCve.PackageName);
actualEntity.Title.Should().Be(newCve.Title);
actualEntity.References.Should().Be(newCve.References);
actualEntity.Severity.Should().Be(joseki.db.entities.CveSeverity.High);
actualEntity.DateUpdated.Should().BeOnOrAfter(now);
}
/// <summary>
/// Creates CVE entity from internal model.
/// </summary>
/// <param name="cve">Internal CVE model.</param>
/// <returns>Database compatible entity.</returns>
public static CveEntity ToEntity(this CVE cve)
{
return(new CveEntity
{
CveId = cve.Id,
PackageName = cve.PackageName,
Severity = cve.Severity.ToEntity(),
Title = cve.Title,
Description = cve.Description,
Remediation = cve.Remediation,
References = cve.References,
});
}
public async Task GetNotExistingItemAddOneRecordToDb()
{
// Arrange
await using var context = JosekiTestsDb.CreateUniqueContext();
var parser = new ConfigurationParser("config.sample.yaml");
var cveCache = new CveCache(parser, context, new MemoryCache(new MemoryCacheOptions()));
var id = this.GetCveId();
var cve = new CVE {
Id = id, Description = Guid.NewGuid().ToString(),
};
// Act & Assert
context.Cve.Count().Should().Be(0, "context should be empty before GetOrAddItem");
await cveCache.GetOrAddItem(id, () => cve);
context.Cve.Count().Should().Be(1, "context should have a single value after GetOrAddItem");
}
public async Task GetExistingItemDoesNotAddNewRecords()
{
// Arrange
await using var context = JosekiTestsDb.CreateUniqueContext();
var parser = new ConfigurationParser("config.sample.yaml");
var cveCache = new CveCache(parser, context, new MemoryCache(new MemoryCacheOptions()));
var id = this.GetCveId();
var cve = new CVE {
Id = id, Description = Guid.NewGuid().ToString(),
};
context.Cve.Add(cve.ToEntity());
await context.SaveChangesAsync();
// Act & Assert
context.Cve.Count().Should().Be(1, "context should have the only one record before GetOrAddItem");
await cveCache.GetOrAddItem(id, () => cve);
context.Cve.Count().Should().Be(1, "context should still have the only one record after GetOrAddItem");
}
public static List <DebianPackage> ParseDebianJsonFile(FileInfo f)
{
List <DebianPackage> packages = null;;
Stack <IJsonValue> stack = new Stack <IJsonValue>(50);
using (StreamReader sr = new StreamReader(f.FullName))
using (JsonTextReader jr = new JsonTextReader(sr))
{
while (jr.Read())
{
IJsonValue top;
switch (jr.TokenType)
{
case JsonToken.StartObject:
if (stack.Count == 0)
{
stack.Push(new JsonList <DebianPackage>());
break;
}
else
{
top = stack.Peek();
}
if (top.JsonType == "package")
{
JsonList <CVE> c = new JsonList <CVE>();
DebianPackage p = (DebianPackage)top;
p.CVEs = (List <CVE>)c;
stack.Push(c);
}
break;
case JsonToken.PropertyName:
top = stack.Peek();
if (top.JsonType == "package_list")
{
JsonList <DebianPackage> pl = (JsonList <DebianPackage>)top;
DebianPackage p = new DebianPackage()
{
Name = (string)jr.Value
};
pl.Add(p);
stack.Push(p);
}
else if (top.JsonType == "cve_list")
{
JsonList <CVE> cl = (JsonList <CVE>)top;
CVE c = new CVE()
{
Name = (string)jr.Value
};
cl.Add(c);
stack.Push(c);
}
else if (top.JsonType == "cve")
{
CVE cve = (CVE)top;
switch ((string)jr.Value)
{
case "scope":
cve.Scope = jr.ReadAsString();
break;
case "debianbug":
string s = jr.ReadAsString();
int db;
if (Int32.TryParse(s, out db))
{
cve.DebianBug = db;
}
else
{
logger.Warn("Could not parse debianbug property {0} for CVE {1} as int.", s, cve.Name);
}
break;
case "description":
cve.Description = jr.ReadAsString();
break;
case "releases":
JsonList <Release> rl = new JsonList <Release>();
cve.Releases = rl;
stack.Push(rl);
break;
}
}
else if (top.JsonType == "release_list")
{
JsonList <Release> rl = (JsonList <Release>)top;
Release r = new Release()
{
Name = (string)jr.Value
};
rl.Add(r);
stack.Push(r);
}
else if (top.JsonType == "release")
{
Release release = (Release)top;
switch ((string)jr.Value)
{
case "status":
release.Status = jr.ReadAsString();
break;
case "urgency":
release.Urgency = jr.ReadAsString();
break;
case "nodsa":
release.Nodsa = jr.ReadAsString();
break;
case "fixed_version":
release.FixedVersion = jr.ReadAsString();
break;
case "repositories":
JsonList <Repository> rl = new JsonList <Repository>();
release.Repositories = rl;
stack.Push(rl);
break;
}
}
else if (top.JsonType == "repository_list")
{
JsonList <Repository> rl = (JsonList <Repository>)top;
Repository repository = new Repository()
{
Name = (string)jr.Value,
Version = jr.ReadAsString()
};
rl.Add(repository);
}
break;
case JsonToken.EndObject:
top = stack.Peek();
if (top.JsonType == "cve" || top.JsonType == "release" || top.JsonType == "release_list" ||
top.JsonType == "repository" || top.JsonType == "repository_list")
{
stack.Pop();
//logger.Debug("Popped object {0} with name {1} from stack.", top.JsonType, top.Name);
}
if (top.JsonType == "cve_list")
{
stack.Pop();
DebianPackage package = (DebianPackage)stack.Pop(); //cve list end means package end too
logger.Info("Parsed {0} CVEs for package {1}.", package.CVEs.Count, package.Name);
}
break;
default:
Exception e = new Exception(string.Format
("Unexpected Json token in stream: {0} at path {1}, file position {2} with value {3}.", jr.TokenType.ToString(), jr.Path, jr.LinePosition, jr.Value));
logger.Error(e);
throw e;
}
}
}
packages = (List <DebianPackage>)stack.Pop();
logger.Info("Parsed {0} packages, {1} CVEs.", packages.Count, packages.Sum(p => p.CVEs.Count));
return((List <DebianPackage>)packages);
}
