File Coverage

blib/lib/NIST/NVD/Store/SQLite3.pm

Criterion	Covered	Total	%
statement	7	9	77.7
branch			n/a
condition			n/a
subroutine	3	3	100.0
pod			n/a
total	10	12	83.3

line	stmt	sub	time	code
1				package NIST::NVD::Store::SQLite3;
2
3	1	1	35020	use strict;
	1		3
	1		42
4	1	1	7	use warnings;
	1		2
	1		32
5
6	1	1	645	use NIST::NVD::Store::Base;
	0
	0
7
8				use base qw{NIST::NVD::Store::Base};
9
10				our @ISA;
11				push @ISA, qw{NIST::NVD::Store::Base};
12
13				use Carp(qw(carp confess cluck));
14
15				use Storable qw(nfreeze thaw);
16				use DBI;
17				use Time::HiRes qw( gettimeofday );
18
19				=head1 NAME
20
21				NIST::NVD::Store::SQLite3 - SQLite3 store for NIST::NVD
22
23				=head1 VERSION
24
25				Version 1.00.00
26
27				=cut
28
29				our $VERSION = '1.00.00';
30
31				my %query = (
32				cpe_create => qq{
33				CREATE TABLE IF NOT EXISTS cpe (
34				id INTEGER PRIMARY KEY AUTOINCREMENT,
35				urn VARCHAR(64) CONSTRAINT uniq_urn UNIQUE ON CONFLICT FAIL,
36
37				part CHAR,
38				vendor VARCHAR(16),
39				product VARCHAR(16),
40				version VARCHAR(16),
41				updt VARCHAR(16),
42				edition VARCHAR(16),
43				language VARCHAR(4)
44				)},
45				cve_create => qq{
46				CREATE TABLE IF NOT EXISTS cve (
47				id INTEGER PRIMARY KEY AUTOINCREMENT,
48				score REAL,
49				cve_id VARCHAR(16) CONSTRAINT uniq_cve_id UNIQUE ON CONFLICT FAIL,
50				cve_dump BLOB
51				)},
52				cwe_create => qq{
53				CREATE TABLE IF NOT EXISTS cwe (
54				id INTEGER PRIMARY KEY AUTOINCREMENT,
55				cwe_id VARCHAR(16) CONSTRAINT uniq_cwe_id UNIQUE ON CONFLICT FAIL,
56				cwe_dump BLOB
57				)},
58				cpe_cve_map_create => qq{
59				CREATE TABLE IF NOT EXISTS cpe_cve_map (
60				id INTEGER PRIMARY KEY AUTOINCREMENT,
61
62				cpe_id INTEGER,
63				cve_id INTEGER,
64				CONSTRAINT uniq_cpe_cve UNIQUE ( cpe_id, cve_id ) ON CONFLICT FAIL
65				)},
66				cpe_cwe_map_create => qq{
67				CREATE TABLE IF NOT EXISTS cpe_cwe_map (
68				id INTEGER PRIMARY KEY AUTOINCREMENT,
69
70				cpe_id INTEGER,
71				cwe_id INTEGER,
72				CONSTRAINT uniq_cpe_cwe UNIQUE ( cpe_id, cwe_id ) ON CONFLICT IGNORE
73				)},
74				cve_cwe_map_create => qq{
75				CREATE TABLE IF NOT EXISTS cve_cwe_map (
76				id INTEGER PRIMARY KEY AUTOINCREMENT,
77
78				cve_id INTEGER,
79				cwe_id VARCHAR(64),
80				CONSTRAINT uniq_cve_cwe UNIQUE ( cve_id, cwe_id ) ON CONFLICT IGNORE
81				)},
82				websec_create => qq{
83				CREATE TABLE IF NOT EXISTS cpe_websec_score (
84				id INTEGER PRIMARY KEY AUTOINCREMENT,
85
86				cpe_urn VARCHAR(64) UNIQUE,
87				cat_a0 REAL,
88				cat_a1 REAL,
89				cat_a2 REAL,
90				cat_a3 REAL,
91				cat_a4 REAL,
92				cat_a5 REAL,
93				cat_a6 REAL,
94				cat_a7 REAL,
95				cat_a8 REAL,
96				cat_a9 REAL,
97				cat_a10 REAL
98
99				)},
100				verify_cwe_pkid => qq{
101				SELECT cwe_id,id FROM cwe WHERE id=?
102				},
103				cve_for_cpe_select => qq{
104				SELECT cve.cve_id
105				FROM cpe_cve_map,cve
106				WHERE cpe_cve_map.cpe_id=?
107				AND cpe_cve_map.cve_id=cve.id
108				ORDER BY cve.cve_id
109				},
110				cwe_for_cpe_select => qq{
111				SELECT cwe.cwe_id
112				FROM cpe_cwe_map,cwe
113				WHERE cpe_cwe_map.cpe_id=?
114				AND cpe_cwe_map.cwe_id=cwe.id
115				ORDER BY cwe.cwe_id
116				},
117				get_cpe_id_select => qq{
118				SELECT id FROM cpe WHERE cpe.urn=?
119				},
120				get_cve_id_select => qq{
121				SELECT id FROM cve WHERE cve.cve_id=?
122				},
123				get_cwe_id_select => qq{
124				SELECT id FROM cwe WHERE cwe.cwe_id=?
125				},
126				get_cve_select => qq{
127				SELECT cve_dump FROM cve WHERE cve.cve_id=?
128				},
129				get_websec_score_select_by_cpe => qq{
130				SELECT cat_a0, cat_a1, cat_a2, cat_a3, cat_a4, cat_a5, cat_a6, cat_a7,
131				cat_a8, cat_a9, cat_a10 FROM cpe_websec_score WHERE cpe_urn=?
132				},
133				get_cve_id_select_by_pkey => qq{
134				SELECT id,cve_id FROM cve WHERE id=?
135				},
136				get_cve_id_select_by_friendly => qq{
137				SELECT id,cve_id FROM cve WHERE cve_id=?
138				},
139				get_cwe_select => qq{
140				SELECT id,cwe_dump FROM cwe WHERE cwe.cwe_id=?
141				},
142				put_cve_idx_cpe_insert => qq{
143				INSERT INTO cpe_cve_map (cpe_id,cve_id)
144				VALUES ( ?, ? )
145				},
146				put_cwe_idx_cpe_insert => qq{
147				INSERT INTO cpe_cwe_map (cpe_id,cwe_id)
148				VALUES ( ?, ? )
149				},
150				put_cwe_idx_cve_insert => qq{
151				INSERT INTO cve_cwe_map (cve_id,cwe_id)
152				VALUES ( ?, ? )
153				},
154				put_cve_insert => qq{
155				INSERT INTO cve ( cve_dump, score, cve_id ) VALUES (?, ?, ?)
156				},
157				put_cve_update => qq{
158				UPDATE cve SET cve_dump=?, score=? WHERE cve.id=?
159				},
160				put_cwe_insert => qq{
161				INSERT INTO cwe ( cwe_dump, cwe_id ) VALUES (?, ?)
162				},
163				put_cwe_update => qq{
164				UPDATE cwe SET cwe_dump=? WHERE cwe.id=?
165				},
166				put_cpe_insert => qq{
167				INSERT INTO cpe ( urn,part,vendor,product,version,updt,edition,language )
168				VALUES( ?,?,?,?,?,?,?,? )
169				}
170
171				);
172
173				my %sth = ();
174
175				=head1 SYNOPSIS
176
177				$q =
178				eval { NIST::NVD::Query->new( store => 'SQLite3', database => $db_file, ); };
179
180
181				=head1 SUBROUTINES/METHODS
182
183				=head2 new
184
185				my $NVD_Storage_SQLite3 = NIST::NVD::Store::SQLite3->new(
186				store => 'SQLite3',
187				database => '/path/to/database.sqlite',
188				);
189
190				=cut
191
192				sub new {
193				my ( $class, %args ) = @_;
194				$class = ref $class \|\| $class;
195
196				# my $self = $class->SUPER::new(%args);
197
198				my $self = bless { store => $args{store} }, $class;
199
200				my $store = $args{store};
201
202				unless ( exists $args{database} && $args{database} ) {
203				confess('database argument is required, but was not passed');
204				return;
205				}
206
207				$self->{$store} = $self->_connect_db( database => $args{database} );
208
209				$self->{sqlite} = $self->{SQLite3};
210
211				$self->{vuln_software} = {};
212
213				foreach my $statement (
214				qw( put_cpe_insert
215				cve_for_cpe_select cwe_for_cpe_select
216				put_cve_idx_cpe_insert
217				put_cwe_idx_cpe_insert
218				put_cwe_idx_cve_insert
219				put_cve_insert put_cve_update
220				put_cwe_insert put_cwe_update
221				get_cpe_id_select
222				get_cve_id_select get_cve_select
223				get_cwe_id_select get_cwe_select
224				get_cve_id_select_by_pkey
225				get_cve_id_select_by_friendly
226				get_websec_score_select_by_cpe
227				)
228				)
229				{
230				$sth{$statement} = $self->{sqlite}->prepare( $query{$statement} )
231				or die "couldn't prepare statement '$statement'";
232				}
233				my $fail = 0;
234
235				return if $fail;
236
237				return $self;
238				}
239
240				sub _connect_db {
241				my ( $self, %args ) = @_;
242
243				my $dbh = DBI->connect( "dbi:SQLite:dbname=$args{database}", "", "" );
244
245				foreach my $statement (
246				qw(
247				cpe_create websec_create
248				cve_cwe_map_create
249				cve_create cpe_cve_map_create
250				cwe_create cpe_cwe_map_create
251				verify_cwe_pkid
252				)
253				)
254				{
255
256				my $query = $query{$statement};
257
258				$sth{$statement} //= $dbh->prepare($query);
259				$sth{$statement}->execute();
260				}
261
262				return $dbh;
263				}
264
265				=head2 get_cve_for_cpe
266
267				=cut
268
269				my $cpe_urn_re = qr{^(cpe:/(.)(:[^:]+){2,6})$};
270
271				sub get_cve_for_cpe {
272				my ( $self, %args ) = @_;
273
274				my $cpe = $args{cpe};
275
276				return unless $cpe;
277
278				my $cpe_pkey_id;
279				if ( $cpe =~ /^\d+$/ ) {
280				$cpe_pkey_id = $cpe;
281				}
282				else {
283				( my ( $cpe, @parts ) ) = ( $args{cpe} =~ $cpe_urn_re );
284				$cpe_pkey_id = $self->_get_cpe_id($cpe);
285				}
286
287				$sth{cve_for_cpe_select}->execute($cpe_pkey_id);
288
289				my $cve_id = [];
290
291				while ( my $row = $sth{cve_for_cpe_select}->fetchrow_hashref() ) {
292				push( @$cve_id, $row->{'cve_id'} );
293				}
294
295				return $cve_id;
296				}
297
298				=head2 get_cwe_for_cpe
299
300				=cut
301
302				sub get_cwe_for_cpe {
303				my ( $self, %args ) = @_;
304
305				my $cpe = $args{cpe};
306
307				return unless $cpe;
308
309				my $cpe_pkey_id;
310				if ( $cpe =~ /^\d+$/ ) {
311				$cpe_pkey_id = $cpe;
312				}
313				else {
314				( my ( $cpe, @parts ) ) = ( $args{cpe} =~ $cpe_urn_re );
315				$cpe_pkey_id = $self->_get_cpe_id($cpe);
316				}
317
318				$sth{cwe_for_cpe_select}->execute($cpe_pkey_id);
319
320				my $cwe_id = [];
321
322				while ( my $row = $sth{cwe_for_cpe_select}->fetchrow_hashref() ) {
323				push( @$cwe_id, $row->{'cwe_id'} );
324				}
325
326				return $cwe_id;
327				}
328
329				my %cve_id_cache;
330
331				sub _get_cve_id {
332				my ( $self, $cve_id ) = @_;
333
334				return @{ $cve_id_cache{$cve_id} } if exists $cve_id_cache{$cve_id};
335
336				my $sth;
337				my $query;
338
339				if ( $cve_id =~ /^\d+$/ ) {
340				$sth = $sth{get_cve_id_select_by_pkey};
341				}
342				elsif ( $cve_id =~ /^CVE-\d+-\d+/ ) {
343				$sth = $sth{get_cve_id_select_by_friendly};
344				}
345				else {
346				confess "cve id malformed\n";
347				die;
348				}
349
350				$sth->execute($cve_id);
351				my $row = $sth->fetchrow_hashref();
352				return unless $row;
353
354				$cve_id_cache{$cve_id} = [ $row->{id}, $row->{cve_id} ];
355
356				return ( $row->{id}, $row->{cve_id} );
357				}
358
359				my %cwe_id_cache;
360
361				sub _get_cwe_id {
362				my ( $self, $cwe_id ) = @_;
363
364				return @{ $cwe_id_cache{$cwe_id} } if exists $cwe_id_cache{$cwe_id};
365
366				my $sth;
367
368				if ( $cwe_id =~ /^\d+$/ ) {
369				$sth = $self->{sqlite}->prepare('SELECT id,cwe_id FROM cwe WHERE id=?');
370
371				}
372				elsif ( $cwe_id =~ /^CWE-\d+/ ) {
373
374				$sth =
375				$self->{sqlite}->prepare('SELECT id,cwe_id FROM cwe WHERE cwe_id=?');
376				}
377				else {
378				cluck "cwe id malformed\n";
379				return;
380				}
381
382				$sth->execute($cwe_id);
383				my $row = $sth->fetchrow_hashref();
384
385				unless ($row) {
386				return;
387				}
388
389				$cwe_id_cache{$cwe_id} = [ $row->{qw{id cwe_id}} ];
390				\
391
392				return ( $row->{qw{id cwe_id}} );
393				}
394
395				sub _get_cpe_id {
396				my ( $self, $cpe_urn ) = @_;
397
398				return $self->{cpe_map}->{$cpe_urn}
399				if ( exists $self->{cpe_map}->{$cpe_urn} );
400
401				$sth{get_cpe_id_select}->execute($cpe_urn);
402
403				# TODO: Assert that this query only returns one result
404				my $rows = 0;
405				while ( my $row = $sth{get_cpe_id_select}->fetchrow_hashref() ) {
406				carp
407				"multiple ($rows) results for value intended to be unique. cpe_urn: [$cpe_urn]\n"
408				if ( $rows != 0 );
409				$self->{cpe_map}->{$cpe_urn} = $row->{id};
410				}
411
412				return $self->{cpe_map}->{$cpe_urn};
413				}
414
415				sub _get_query {
416				my ( $self, $query_name ) = @_;
417
418				return $query{$query_name}
419				if ($query_name);
420
421				return %query if wantarray;
422
423				return \%query;
424				}
425
426				sub _get_sth {
427				my ( $self, $query_name ) = @_;
428
429				return unless exists $query{$query_name};
430
431				if ($query_name) {
432				$sth{$query_name} //= $self->{sqlite}->prepare( $query{$query_name} );
433				return $sth{$query_name};
434				}
435
436				return %sth if wantarray;
437
438				return \%sth;
439				}
440
441				sub _prepare {
442
443				}
444
445				=head2 get_cve
446
447
448				=cut
449
450				sub get_cve {
451				my ( $self, %args ) = @_;
452
453				$sth{get_cve_select}->execute( $args{cve_id} );
454
455				my $row = $sth{get_cve_select}->fetchrow_hashref();
456
457				my $frozen = $row->{cve_dump};
458
459				my $entry = eval { thaw $frozen };
460				if (@$) {
461				carp "Storable::thaw had a major malfunction.";
462				return;
463				}
464
465				return $entry;
466				}
467
468				my %injection = ( OWASP => 'A1', );
469				my %xss = ( OWASP => 'A2', );
470				my %authn_session = ( OWASP => 'A3', );
471
472				my %latest_OWASP_ten = (
473				'A1' => {
474				id => 'CWE-810',
475				members => [ 'CWE-78', 'CWE-88', 'CWE-89', 'CWE-90', 'CWE-91', ],
476				},
477				'A2' => {
478				id => 'CWE-811',
479				members => [ 'CWE-79', ],
480				},
481
482				'A3' => {
483				id => 'CWE-812',
484				members => [ 'CWE-287', 'CWE-306', 'CWE-307', 'CWE-798', 'CWE-798', ],
485				},
486				'A4' => {
487				id => 'CWE-813',
488				members =>
489				[ 'CWE-22', 'CWE-434', 'CWE-639', 'CWE-829', 'CWE-862', 'CWE-863' ]
490				},
491				'A5' => { id => 'CWE-814', members => ['CWE-352'] },
492				'A6' => {
493				id => 'CWE-815',
494				members =>
495				[ 'CWE-209', 'CWE-219', 'CWE-250', 'CWE-538', 'CWE-552', 'CWE-732', ]
496				},
497				'A7' => {
498				id => 'CWE-816',
499				members => [ 'CWE-311', 'CWE-312', 'CWE-326', 'CWE-327', 'CWE-759', ]
500				},
501				'A8' => {
502				id => 'CWE-817',
503				members => [ 'CWE-284', 'CWE-862', 'CWE-863', ]
504				},
505				'A9' => {
506				id => 'CWE-818',
507				members => [ 'CWE-311', 'CWE-319', ]
508				},
509				'A10' => {
510				id => 'CWE-819',
511				members => [ 'CWE-601', ]
512				},
513				);
514
515				my %owasp_idx;
516
517				foreach my $cat (qw( A1 A2 A3 A4 A5 A6 A7 A8 A9 A10 )) {
518				foreach my $cwe_id ( @{ $latest_OWASP_ten{$cat}->{members} } ) {
519				$owasp_idx{$cwe_id} = $cat;
520				}
521				}
522
523				=head2 get_cwe
524
525				my $cwe_dump = $self->get_cwe( id => $cwe_row->{id} );
526				or
527				my $cwe_dump = $self->get_cwe( cwe_id => $cwe_row->{cwe_id} );
528
529				=cut
530
531				sub get_cwe {
532				my ( $self, %args ) = @_;
533
534				my $sth;
535
536				my $arg;
537
538				if ( exists $args{id} ) {
539				die "id [$args{id}] is malformed" unless $args{id} =~ /^\d+$/;
540				$sth = $self->{sqlite}->prepare('SELECT cwe_dump FROM cwe WHERE id=?');
541				$arg = $args{id};
542				}
543				elsif ( exists $args{cwe_id} ) {
544				die "cwe_id [$args{cwe_id}] is malformed"
545				unless $args{cwe_id} =~ /^CWE-\d+/;
546				$sth =
547				$self->{sqlite}->prepare('SELECT cwe_dump FROM cwe WHERE cwe_id=?');
548				$arg = $args{cwe_id};
549				}
550
551				$sth->execute($arg);
552
553				my $frozen = $sth->fetchrow_hashref()->{cwe_dump};
554
555				my $data = eval { thaw $frozen };
556				if (@$) {
557				carp "Storable::thaw had a major malfunction.";
558				return;
559				}
560
561				return $data;
562				}
563
564				=head2 put_cve_idx_cpe
565
566				my %vuln_software = ( $cpe_urn0 => [ $cve_id0,$cve_id42,... ],
567				$cpe_urn1 => [ $cve_id1,$cve_id24,... ],
568				# ...,
569				$cpe_urnN => [ $cve_id2,$cve_id3,... ],
570				);
571				$Updater->put_cve_idx_cpe( \%vuln_software );
572
573				=cut
574
575				my %uniq_cve_idx_cpe;
576
577				sub put_cve_idx_cpe {
578				my ( $self, $vuln_software ) = @_;
579
580				my @params;
581				while ( my ( $cpe_urn, $cve_id ) = ( each %$vuln_software ) ) {
582				my $cpe_pkey_id = $self->_get_cpe_id($cpe_urn);
583
584				foreach my $id (@$cve_id) {
585				my ( $cve_pkey, $cve_friendly ) = $self->_get_cve_id($id);
586				next unless $cve_pkey;
587				next if $uniq_cve_idx_cpe{$cpe_pkey_id}->{$cve_pkey}++;
588				push( @params, [ $cpe_pkey_id, $cve_pkey ] );
589				}
590				}
591
592				$self->{sqlite}->do("BEGIN IMMEDIATE TRANSACTION");
593				$sth{put_cve_idx_cpe_insert}->execute(@$_) foreach (@params);
594				$self->{sqlite}->commit() or die $$self->{sqlite}->errstr;
595				return;
596				}
597
598				=head2 put_cwe_idx_cpe
599
600				my %vuln_software = ( $cpe_urn0 => [ $cwe_id0,$cwe_id42,... ],
601				$cpe_urn1 => [ $cwe_id1,$cwe_id24,... ],
602				# ...,
603				$cpe_urnN => [ $cwe_id2,$cwe_id3,... ],
604				);
605				$Updater->put_cwe_idx_cpe( \%weaknesses );
606
607				=cut
608
609				my %uniq_cwe_idx_cpe;
610
611				sub put_cwe_idx_cpe {
612				my ( $self, $weaknesses ) = @_;
613
614				my $initial_cwe_ids = $self->get_cwe_ids();
615
616				my (%cpe_pkey_id) = map { $_ => $self->_get_cpe_id($_) } keys %$weaknesses;
617
618				my @params;
619				while ( my ( $cpe_urn, $cwe_id ) = ( each %$weaknesses ) ) {
620				my $cpe_pkey_id = $cpe_pkey_id{$cpe_urn};
621
622				foreach my $id (@$cwe_id) {
623				my $cwe_pkey_id = $initial_cwe_ids->{$id};
624
625				unless ($cwe_pkey_id) {
626
627				# print STDERR "no data for [$id]\n";
628				print 'x';
629				next;
630				}
631
632				next if $uniq_cwe_idx_cpe{$cpe_pkey_id}->{$cwe_pkey_id}++;
633				push( @params, [ $cpe_pkey_id, $cwe_pkey_id ] );
634				}
635				}
636
637				$self->{sqlite}->do("BEGIN IMMEDIATE TRANSACTION");
638				$sth{put_cwe_idx_cpe_insert}->execute(@$_) foreach (@params);
639				$self->{sqlite}->commit();
640				return;
641				}
642
643				=head2 update_websec_idx_cpe
644
645				$Updater->update_websec_idx_cpe({ cpe_urn[$i] => [ $cwe_id[20], $cwe_id[7], $cwe_id[235], ... $cwe_id[$n], ],
646				cpe_urn[$j] => [ $cwe_id[42], $cwe_id[$k], $cwe_id[72], ... $cwe_id[$j], ],
647				... => });
648
649				=cut
650
651				sub update_websec_idx_cpe {
652				my ($self) = @_;
653
654				# walk through each cpe urn
655
656				my $dbh = $self->{sqlite};
657
658				my $q = "SELECT id, urn FROM cpe";
659				my $cpe_sth = $dbh->prepare($q);
660
661				$q = "SELECT cve_id FROM cpe_cve_map WHERE cpe_id=?";
662				my $cve_sth = $dbh->prepare($q);
663
664				$q = "SELECT score FROM cve WHERE id=?";
665				my $cve_score_sth = $dbh->prepare($q);
666
667				$q = "SELECT cwe_id FROM cve_cwe_map WHERE cve_id=?";
668				my $cwe_sth = $dbh->prepare($q);
669
670				my $cwe_idx_cpe_sth = $self->_get_sth('put_cwe_idx_cpe_insert');
671
672				$q =
673				( "INSERT INTO cpe_websec_score ("
674				. "cpe_urn,cat_a0,cat_a1,cat_a2,cat_a3,cat_a4,cat_a5,cat_a6,cat_a7,cat_a8,cat_a9,cat_a10"
675				. ") VALUES ("
676				. "?,?,?,?,?,?,?,?,?,?,?,?"
677				. ")" );
678				my $score_sth = $dbh->prepare($q);
679
680				$cpe_sth->execute();
681
682				my @idx_args = ();
683
684				my $websec_score = {};
685
686				while ( my $cpe_row = $cpe_sth->fetchrow_hashref() ) {
687
688				# for each cpe, find all CVEs
689				$cve_sth->execute( $cpe_row->{id} );
690				while ( my $cve_row = $cve_sth->fetchrow_hashref() ) {
691
692				$cve_score_sth->execute( $cve_row->{cve_id} );
693				my $cve_score_row = $cve_score_sth->fetchrow_hashref();
694
695				my $score = $cve_score_row->{score};
696
697				my ( $cve_pkey, $cve_friendly ) =
698				$self->_get_cve_id( $cve_row->{cve_id} );
699
700				# for each CVE, find all CWEs
701				$cwe_sth->execute($cve_friendly);
702
703				while ( my $cwe_row = $cwe_sth->fetchrow_hashref() ) {
704				my $cwe_id = $cwe_row->{cwe_id};
705				push( @idx_args, [ $cpe_row->{id}, $cwe_id ] );
706
707				my $owasp_cat = $owasp_idx{$cwe_id} // 'other';
708
709				push(
710				@{ $websec_score->{ $cpe_row->{urn} }->{$owasp_cat} },
711				{
712				cwe_id => $cwe_id,
713				cve_id => $cve_friendly,
714				score => $score,
715				},
716				);
717				}
718
719				}
720				}
721
722				my @websec_score;
723				foreach my $cpe_urn ( keys %$websec_score ) {
724				my $score = $websec_score->{$cpe_urn};
725				my @score;
726				foreach my $cat (qw( other A1 A2 A3 A4 A5 A6 A7 A8 A9 A10 )) {
727				if ( exists $score->{$cat} ) {
728				my $final = 0;
729				foreach my $s ( @{ $score->{$cat} } ) {
730				$final = $s->{score} if $s->{score} > $final;
731				}
732				push( @score, $final );
733				}
734				else {
735				push( @score, 0 );
736				}
737				}
738				push( @websec_score, [ $cpe_urn, @score ] );
739				}
740
741				$self->{sqlite}->do("BEGIN IMMEDIATE TRANSACTION");
742				$score_sth->execute(@$_) foreach @websec_score;
743				$cwe_idx_cpe_sth->execute(@$_) foreach @idx_args;
744				$self->{sqlite}->commit();
745
746				}
747
748				=head2 put_cpe
749
750
751				=cut
752
753				my %inserted_cpe;
754
755				sub put_cpe {
756				my ( $self, $cpe_urn ) = @_;
757
758				$cpe_urn = [$cpe_urn] unless ( ref $cpe_urn eq 'ARRAY' );
759
760				my %cpe_urn = map { $_ => 1 } @$cpe_urn;
761				my $query = 'SELECT id,urn FROM cpe';
762				my $sth = $self->{sqlite}->prepare($query);
763
764				while ( my $row = $sth->fetchrow_hashref() ) {
765				delete $cpe_urn{ $row->{cpe_urn} }
766				if exists $cpe_urn{ $row->{cpe_urn} };
767				}
768
769				my @params;
770				foreach my $urn ( keys %cpe_urn ) {
771				next if $inserted_cpe{$urn}++;
772
773				my (
774				$prefix, $nada, $part, $vendor, $product,
775				$version, $update, $edition, $language
776				) = split( m{[/:]}, $urn );
777
778				push(
779				@params,
780				[
781				$urn, $part, $vendor, $product,
782				$version, $update, $edition, $language
783				]
784				);
785				}
786
787				$self->{sqlite}->do('BEGIN IMMEDIATE TRANSACTION');
788				$sth{put_cpe_insert}->execute(@$_) foreach @params;
789				$self->{sqlite}->commit();
790				}
791
792				=head2 put_cve
793
794
795				=cut
796
797				sub put_cve {
798
799				}
800
801				=head2 put_nvd_entries
802
803
804				=cut
805
806				sub put_nvd_entries {
807				my ( $self, $entries ) = @_;
808
809				my @insert_args;
810				my @update_args;
811
812				while ( my ( $cve_id, $orig_entry ) = ( each %$entries ) ) {
813				my $entry = {};
814
815				foreach my $preserve ( $self->_important_fields() ) {
816				$entry->{$preserve} = $orig_entry->{$preserve}
817				if exists $orig_entry->{$preserve};
818				}
819
820				my $frozen = nfreeze($entry);
821
822				my $score =
823				$entry->{'vuln:cvss'}->{'cvss:base_metrics'}->{'cvss:score'};
824				my ( $pkey, $friendly ) = $self->_get_cve_id($cve_id);
825				my $sth;
826				my $cve_indexed = 0;
827
828				# If the CVE is already in the database, update the record
829				if ($pkey) {
830				push( @update_args, [ $frozen, $score, $cve_id ] );
831				}
832				else {
833				push( @insert_args, [ $frozen, $score, $cve_id ] );
834				}
835
836				}
837
838				$self->{sqlite}->do("BEGIN IMMEDIATE TRANSACTION");
839				$sth{put_cve_update}->execute(@$_) foreach @update_args;
840				$sth{put_cve_insert}->execute(@$_) foreach @insert_args;
841				$self->{sqlite}->commit();
842
843				}
844
845				=head2 put_cwe
846
847				$result = $self->put_cwe( cwe_id => 'CWE-42',
848				cwe_dump => $cwe_dump );
849
850				=cut
851
852				my $commit_buffer = {};
853
854				sub put_cwe {
855				my ( $self, %args ) = @_;
856
857				my $cwe_id = $args{cwe_id};
858				my $cwe_dump = $args{cwe_dump};
859
860				if ( exists $args{transactional} ) {
861				push( @{ $commit_buffer->{put_cwe_insert} }, [ $cwe_dump, $cwe_id ] );
862				}
863				else {
864				$sth{put_cwe_insert}->execute( $cwe_dump, $cwe_id );
865				}
866
867				return;
868				}
869
870				=head2 put_cwe_idx_cve
871
872				$result = $store->put_cwe_idx_cve({ $cve_id[0] => $entry[0],
873				$cve_id[1] => $entry[1],
874				# ...
875				$cve_id[$n] => $entry[$n],
876				});
877
878				=cut
879
880				sub put_cwe_idx_cve {
881				my ( $self, $entries ) = @_;
882
883				my @cwe_idx_args;
884				my $num_cwes = 0;
885				while ( my ( $cve_id, $entry ) = ( each %$entries ) ) {
886				my ( $pkey, $friendly ) = $self->_get_cve_id($cve_id);
887
888				$num_cwes += scalar @{ $entry->{'vuln:cwe'} }
889				if exists $entry->{'vuln:cwe'};
890
891				# index the cve->cwe relation
892				foreach my $cwe_id ( @{ $entry->{'vuln:cwe'} } ) {
893
894				my ( $cwe_friendly, $cwe_pkey );
895
896				if ( $cwe_id =~ /^CWE-\d+$/ ) {
897				$cwe_friendly = $cwe_id;
898				}
899				else {
900				( $cwe_pkey, $cwe_friendly ) = $self->_get_cwe_id($cwe_id);
901				}
902
903				next unless $cwe_friendly;
904
905				push( @cwe_idx_args, [ $cve_id, $cwe_friendly ] );
906				}
907				}
908
909				$self->{sqlite}->do("BEGIN IMMEDIATE TRANSACTION");
910				$sth{put_cwe_idx_cve_insert}->execute(@$_) foreach @cwe_idx_args;
911				$self->{sqlite}->commit();
912
913				}
914
915				sub _commit {
916				my ( $self, $buffer_name ) = @_;
917
918				$self->{sqlite}->do('BEGIN IMMEDIATE TRANSACTION');
919				foreach my $row ( @{ $commit_buffer->{$buffer_name} } ) {
920				my (@bound) = @$row;
921				$sth{$buffer_name}->execute(@bound);
922				}
923				$self->{sqlite}->commit();
924				delete $commit_buffer->{$buffer_name};
925				}
926
927				=head2 get_websec_by_cpe
928
929				my $result = $store->get_websec_by_cpe( 'cpe:/a:apache:tomcat:6.0.28' );
930				while( my $websec = shift( @{$result->{websec_results}} ) ){
931				print( "$websec->{key} - $websec->{category}: ".
932				"$websec->{score}\n" );
933				}
934
935				=cut
936
937				my %cat_name = (
938				cat_a0 => 'Other',
939				cat_a1 => 'Injection',
940				cat_a2 => 'Cross-Site Scripting (XSS)',
941				cat_a3 => 'Broken Authentication and Session Management',
942				cat_a4 => 'Insecure Direct Object References',
943				cat_a5 => 'Cross-Site Request Forgery (CSRF)',
944				cat_a6 => 'Security Misconfiguration',
945				cat_a7 => 'Insecure Cryptographic Storage',
946				cat_a8 => 'Failure to Restrict URL Access',
947				cat_a9 => 'Insufficient Transport Layer Protection',
948				cat_a10 => 'Unvalidated Redirects and Forwards',
949				);
950
951				sub get_websec_by_cpe {
952				my ( $s, $self, $cpe ) = @_;
953
954				my @websec_results;
955				my %results = ( websec_results => \@websec_results );
956
957				my $sth = $sth{get_websec_score_select_by_cpe};
958
959				$sth->execute($cpe);
960
961				my $row = $sth->fetchrow_hashref();
962
963				foreach my $key (
964				qw(cat_a0 cat_a1 cat_a2 cat_a3 cat_a4
965				cat_a5 cat_a6 cat_a7 cat_a8 cat_a9 cat_a10)
966				)
967				{
968				push(
969				@websec_results,
970				{
971				category => $cat_name{$key},
972				score => $row->{$key},
973				key => $key
974				}
975				);
976				}
977
978				return %results if wantarray;
979
980				return \%results;
981				}
982
983				=head2 get_cwe_ids
984
985				$result = $self->get_cwe_ids();
986				while( my( $cwe_id, $cwe_pkey_id ) = each %$result ){
987				...
988				}
989
990				=cut
991
992				sub get_cwe_ids {
993				my ($self) = @_;
994
995				my $result = {};
996
997				my $sth = $self->{sqlite}->prepare("SELECT cwe_id,id FROM cwe");
998
999				$sth->execute();
1000
1001				while ( my $row = $sth->fetchrow_hashref() ) {
1002				$result->{ $row->{cwe_id} } = $row->{id};
1003				}
1004
1005				return $result;
1006				}
1007
1008				=head2 put_cwe_data
1009
1010				$cwe_data = { View => $view_data,
1011				Category => $category_data,
1012				Weakness => $weakness_data,
1013				Compound_Element => $compound_data,
1014				};
1015
1016				$NVD_Updater->put_cwe_data($cwe_data);
1017
1018				=cut
1019
1020				sub put_cwe_data {
1021				my ( $self, $weakness_data ) = @_;
1022
1023				my @insert_entries;
1024				my @update_entries;
1025
1026				my $insert_sth = $sth{put_cwe_insert};
1027				my $update_sth = $sth{put_cwe_update};
1028
1029				my $initial_cwe_ids = $self->get_cwe_ids();
1030
1031				my $count = 0;
1032				foreach my $element (qw(View Category Weakness Compound_Element)) {
1033				my $data = $weakness_data->{$element};
1034				my %cwe_pkey_id;
1035
1036				while ( my ( $k, $entry ) = ( each %$data ) ) {
1037
1038				my ( $cwe_pkey_id, $cwe_id ) = $self->_get_cwe_id($k);
1039
1040				$self->{cwe_pkey_id}->{$cwe_id} = $cwe_pkey_id if $cwe_id;
1041
1042				my $frozen = nfreeze($entry);
1043
1044				if ($cwe_pkey_id) {
1045				push( @update_entries, [ $frozen, $cwe_pkey_id ] );
1046				}
1047				elsif ( $k =~ /^CWE-\d+$/ ) {
1048				push( @insert_entries, [ $frozen, $cwe_id ] );
1049				}
1050				else {
1051				carp "cwe id [$k] is unrecognized.\n";
1052				}
1053				print STDERR '.' if ( ++$count % 100 == 0 );
1054				}
1055				}
1056
1057				# $self->{sqlite}->do("BEGIN IMMEDIATE TRANSACTION");
1058				# $insert_sth->execute(@$_) foreach @insert_entries;
1059				# $update_sth->execute(@$_) foreach @update_entries;
1060				# $self->{sqlite}->commit();
1061
1062				}
1063
1064				sub _important_fields {
1065				return qw(
1066				vuln:cve-id
1067				vuln:cvss
1068				vuln:cwe
1069				vuln:discovered-datetime
1070				vuln:published-datetime
1071				vuln:discovered-datetime
1072				vuln:last-modified-datetime
1073				vuln:security-protection
1074				vuln:vulnerable-software-list
1075				);
1076
1077				}
1078
1079				=head1 AUTHOR
1080
1081				C.J. Adams-Collier, C<< <cjac at f5.com> >>
1082
1083				=head1 BUGS
1084
1085				Please report any bugs or feature requests to C<bug-nist-nvd-store-sqlite3 at rt.cpan.org>, or through
1086				the web interface at L<http://rt.cpan.org/NoAuth/ReportBug.html?Queue=NIST-NVD-Store-SQLite3>. I will be notified, and then you'll
1087				automatically be notified of progress on your bug as I make changes.
1088
1089
1090
1091
1092				=head1 SUPPORT
1093
1094				You can find documentation for this module with the perldoc command.
1095
1096				perldoc NIST::NVD::Store::SQLite3
1097
1098
1099				You can also look for information at:
1100
1101				=over 4
1102
1103				=item * RT: CPAN's request tracker
1104
1105				L<http://rt.cpan.org/NoAuth/Bugs.html?Dist=NIST-NVD-Store-SQLite3>
1106
1107				=item * AnnoCPAN: Annotated CPAN documentation
1108
1109				L<http://annocpan.org/dist/NIST-NVD-Store-SQLite3>
1110
1111				=item * CPAN Ratings
1112
1113				L<http://cpanratings.perl.org/d/NIST-NVD-Store-SQLite3>
1114
1115				=item * Search CPAN
1116
1117				L<http://search.cpan.org/dist/NIST-NVD-Store-SQLite3/>
1118
1119				=back
1120
1121
1122				=head1 ACKNOWLEDGEMENTS
1123
1124
1125				=head1 LICENSE AND COPYRIGHT
1126
1127				Copyright 2012 F5 Networks, Inc.
1128
1129				CVE(r) and CWE(tm) are marks of The MITRE Corporation and used here with
1130				permission. The information in CVE and CWE are copyright of The MITRE
1131				Corporation and also used here with permission.
1132
1133				Please include links for CVE(r) <http://cve.mitre.org/> and CWE(tm)
1134				<http://cwe.mitre.org/> in all reproductions of these materials.
1135
1136				This program is free software; you can redistribute it and/or modify it
1137				under the terms of either: the GNU General Public License as published
1138				by the Free Software Foundation; or the Artistic License.
1139
1140				See http://dev.perl.org/licenses/ for more information.
1141
1142
1143				=cut
1144
1145				1; # End of NIST::NVD::Store::SQLite3