File Coverage

blib/lib/NIST/NVD/Query.pm

Criterion	Covered	Total	%
statement	16	42	38.1
branch	1	10	10.0
condition	2	5	40.0
subroutine	5	11	45.4
pod	7	7	100.0
total	31	75	41.3

line	stmt	bran	cond	sub	pod	time	code
1							package NIST::NVD::Query;
2
3	3			3		36030	use warnings;
	3					7
	3					97
4	3			3		16	use strict;
	3					5
	3					92
5	3			3		15	use Carp;
	3					5
	3					1851
6
7							=head1 NAME
8
9							NIST::NVD::Query - Query the NVD database
10
11							=head1 VERSION
12
13							Version 1.00.00
14
15							=cut
16
17							our $VERSION = '1.00.00';
18
19							=head1 SYNOPSIS
20
21							Query vulnerability data in the NVD database
22
23							use NIST::NVD::Query;
24
25							# use convert_nvdcve to generate db files from the XML dumps at
26							# http://nvd.nist.gov/download.cfm
27
28							my( $path_to_db, $path_to_idx_cpe ) = @ARGV;
29
30							my $q = NIST::NVD::Query->new( store => $some_store,
31							%args
32							);
33
34							# Given a Common Platform Enumeration urn, returns a list of known
35							# CVE IDs
36
37							my $cve_id_list = $q->cve_for_cpe( cpe => 'cpe:/a:zaal:tgt:1.0.6' );
38
39							my @entry;
40
41							foreach my $cve_id ( @$cve_id_list ){
42
43							# Given a CVE ID, returns a CVE entry
44
45							my $entry = $q->cve( cve_id => $cve_id );
46							push( @entry, $entry );
47
48							print $entry->{'vuln:summary'};
49							}
50
51							=head1 SUBROUTINES/METHODS
52
53							=head2 new
54
55							=head3 Required arguments:
56
57							database: path to BDB database of NVD entries
58							idx_cpe: path to BDB database of mappings from CPE URNs to CVE IDs
59
60							=head3 Example
61
62							my $q = NIST::NVD::Query->new( database => $path_to_db,
63							idx_cpe => $path_to_idx_cpe,
64							);
65
66							=head3 Return Value
67
68							$q is an object reference of type NIST::NVD::Query
69
70							=cut
71
72							sub new {
73	1			1	1	52	my ( $class, %args ) = @_;
74	1		33			9	$class = ref $class \|\| $class;
75
76	1		50			10	my $store = $args{store} \|\| "DB_File";
77
78	1					3	my $db_class = "NIST::NVD::Store::$store";
79	1			1		93	eval "use $db_class";
	1					739
	0
	0
80
81	1	50				240	croak "unable to use $db_class: $@" if $@;
82
83	0					0	my $db = $db_class->new(
84							$db_class->_get_default_args(),
85							store => $args{store},
86							database => $args{database},
87							);
88	0	0				0	return unless $db;
89
90	0					0	bless { store => $db }, $class;
91							}
92
93							=head2 cve_for_cpe
94
95							Returns a list of CVE IDs for a given CPE URN.
96
97							=head3 Required argument
98
99							cpe: CPE URN Example:
100
101							'cpe:/a:zaal:tgt:1.0.6'
102
103							=head3 Return Value
104
105							Returns a reference to an array of CVE IDs. Example:
106
107							$cve_id_list = [
108							'CVE-1999-1587',
109							'CVE-1999-1588',
110							]
111
112							=head3 Example
113
114							my $cve_id_list = $q->cve_for_cpe( cpe => 'cpe:/a:zaal:tgt:1.0.6' );
115
116							=cut
117
118							sub cve_for_cpe {
119	0			0	1	0	my ( $self, %args ) = @_;
120
121	0	0				0	unless ( exists $args{cpe} ) {
122	0					0	confess qq{"cpe" is a required argument to __PACKAGE__::cve_for_cpe\n};
123							}
124
125	0					0	my $return = $self->{store}->get_cve_for_cpe(%args);
126
127	0					0	return $return;
128							}
129
130							=head2 get_websec_by_cpe
131
132							=head3 Required argument
133
134							cpe: CPE URN Example:
135
136							'cpe:/a:zaal:tgt:1.0.6'
137
138							=head3 Return Value
139
140							Returns a reference to a websec score object
141							$result =
142							{ websec_results => [
143							{ category => 'Other',
144							score => int(rand 10),
145							key => 'A0',
146							},
147							{ category => 'Injection',
148							score => 9.34,
149							key => 'A1',
150							},
151							{ category => 'Cross-Site Scripting (XSS)',
152							score => 8.11,
153							key => 'A2',
154							},
155							{ category =>
156							'Broken Authentication and Session Management',
157							score => 7,
158							key => 'A3',
159							},
160							{ category => 'Insecure Direct Object References',
161							score => 6,
162							key => 'A4',
163							},
164							{ category => 'Cross-Site Request Forgery (CSRF)',
165							score => 5,
166							key => 'A5',
167							},
168							{ category => 'Security Misconfiguration',
169							score => 4,
170							key => 'A6',
171							},
172							{ category => 'Insecure Cryptographic Storage',
173							score => 3,
174							key => 'A7',
175							},
176							{ category => 'Failure to Restrict URL Access',
177							score => 2,
178							key => 'A8',
179							},
180							{ category => 'Insufficient Transport Layer Protection',
181							score => 1,
182							key => 'A9',
183							},
184							{ category => 'Unvalidated Redirects and Forwards',
185							score => 0,
186							key => 'A10',
187							},
188							]
189							}
190
191							=head3 Example
192
193							my $result = $store->get_websec_by_cpe( 'cpe:/a:apache:tomcat:6.0.28' );
194							while( my $websec = shift( @{$result->{websec_results}} ) ){
195							print( "$websec->{key} - $websec->{category}: ".
196							"$websec->{score}\n" );
197							}
198
199							=cut
200
201							sub get_websec_by_cpe {
202	0			0	1	0	my ($self) = @_;
203
204	0					0	my %result = $self->{store}->get_websec_by_cpe(@_);
205
206	0	0				0	return %result if wantarray;
207	0					0	return \%result;
208							}
209
210							=head2 get_cwe_ids
211
212							$result = $self->get_cwe_ids();
213							while( my( $cwe_id, $cwe_pkey_id ) = each %$result ){
214							...
215							}
216
217							=cut
218
219							sub get_cwe_ids {
220	0			0	1	0	my ($self) = @_;
221
222	0					0	my $result = $self->{store}->get_cwe_ids(@_);
223
224	0					0	return $result;
225							}
226
227							=head2 cwe_for_cpe
228
229							Returns a list of CWE IDs for a given CPE URN.
230
231							=head3 Required argument
232
233							cpe: CPE URN Example:
234
235							'cpe:/a:zaal:tgt:1.0.6'
236
237							=head3 Return Value
238
239							Returns a reference to an array of CWE IDs. Example:
240
241							$cwe_id_list = [
242							'CWE-1999-1587',
243							'CWE-1999-1588',
244							]
245
246							=head3 Example
247
248							my $cwe_id_list = $q->cwe_for_cpe( cpe => 'cpe:/a:zaal:tgt:1.0.6' );
249
250							=cut
251
252							sub cwe_for_cpe {
253	0			0	1	0	my ( $self, %args ) = @_;
254
255	0	0				0	unless ( exists $args{cpe} ) {
256	0					0	carp qq{"cpe" is a required argument to __PACKAGE__::cwe_for_cpe\n};
257							}
258
259	0					0	my $return = $self->{store}->get_cwe_for_cpe(%args);
260
261	0					0	return $return;
262							}
263
264							=head2 cve
265
266							Returns a CVE for a given CPE URN.
267
268							=head3 Example
269
270							my $nvd_cve_entry = $q->cve( cve_id => 'CVE-1999-1587' );
271
272							=head3 Required argument
273
274							cve_id: CPE URN Example:
275
276							'CVE-1999-1587'
277
278							=head3 Return Value
279
280							Returns a reference to a hash representing a CVE entry:
281
282							my $nvd_cve_entry = {
283							'vuln:vulnerable-configuration' => [ ... ],
284							'vuln:vulnerable-software-list' => [ ... ],
285							'vuln:cve-id' => 'CVE-1999-1587',
286							'vuln:discovered-datetime' => '...',
287							'vuln:published-datetime' => '...',
288							'vuln:last-modified-datetime' => '...',
289							'vuln:cvss' => {...},
290							'vuln:cwe' => 'CWE-ID',
291							'vuln:references' => [
292							{
293							attr => {...},
294							'vuln:references' => [ {...}, ... ],
295							'vuln:source' => ...,
296							},
297							...
298							],
299							'vuln:summary' => ...,
300							'vuln:security-protection' => ...,
301							'vuln:assessment_check' => {
302							'check0 name' => 'check0 value',
303							...,
304							},
305							'vuln:scanner', => [ {
306							'vuln:definition' => {
307							'vuln attr0 name' => 'vuln attr0 value',
308							...,
309							}
310							}, ..., ],
311							};
312
313							=cut
314
315							sub cve {
316	0			0	1	0	my ( $self, %args ) = @_;
317
318	0					0	return $self->{store}->get_cve( (%args) );
319							}
320
321							=head2 cwe
322
323							Returns a CWE for a given CPE URN.
324
325							=cut
326
327							sub cwe {
328	0			0	1	0	my ( $self, %args ) = @_;
329
330	0					0	return $self->{store}->get_cwe( (%args) );
331							}
332
333							=head1 AUTHOR
334
335							C.J. Adams-Collier, C<< <cjac at f5.com> >>
336
337							=head1 LICENSE AND COPYRIGHT
338
339							Copyright 2011, 2012 F5 Networks, Inc.
340
341							CVE(r) and CWE(tm) are marks of The MITRE Corporation and used here with
342							permission. The information in CVE and CWE are copyright of The MITRE
343							Corporation and also used here with permission.
344
345							Please include links for CVE(r) <http://cve.mitre.org/> and CWE(tm)
346							<http://cwe.mitre.org/> in all reproductions of these materials.
347
348							This program is free software; you can redistribute it and/or modify it
349							under the terms of either: the GNU General Public License as published
350							by the Free Software Foundation; or the Artistic License.
351
352							See http://dev.perl.org/licenses/ for more information.
353
354							=cut
355
356							1; # End of NIST::NVD::Query