Add: EPSS scores from referenced CVEs to VTs

The VTs can now contain the maximum EPSS scores of the referenced CVE(s) with the highest severity and of any referenced EPSS score. This will provide an estimation of how likely a vulnerability detected by a VT is to be exploited.
greenbone · May 31, 2024 · d748db4 · d748db4
1 parent 9308240
commit d748db4
Show file tree

Hide file tree

Showing 10 changed files with 650 additions and 3 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -101,7 +101,7 @@ include (CPack)
 
 ## Variables
 
-set (GVMD_DATABASE_VERSION 255)
+set (GVMD_DATABASE_VERSION 256)
 
 set (GVMD_SCAP_DATABASE_VERSION 21)
 

diff --git a/src/manage.c b/src/manage.c
@@ -5085,6 +5085,8 @@ manage_sync (sigset_t *sigmask_current,
           wait_for_pid (scap_pid, "SCAP sync");
           wait_for_pid (cert_pid, "CERT sync");
 
+          update_scap_extra ();
+
           lockfile_unlock (&lockfile);
         }
     }
@@ -5977,6 +5979,54 @@ get_nvt_xml (iterator_t *nvts, int details, int pref_count,
           free (default_timeout);
         }
 
+      if (nvt_iterator_epss_cve (nvts))
+        {
+          buffer_xml_append_printf 
+             (buffer,
+              "<epss>"
+              "<max_severity>"
+              "<score>%0.5f</score>"
+              "<percentile>%0.5f</percentile>"
+              "<cve id=\"%s\">",
+              nvt_iterator_epss_score (nvts),
+              nvt_iterator_epss_percentile (nvts),
+              nvt_iterator_epss_cve (nvts));
+
+          if (nvt_iterator_has_epss_severity (nvts))
+            {
+              buffer_xml_append_printf 
+                 (buffer,
+                  "<severity>%0.1f</severity>",
+                  nvt_iterator_epss_severity (nvts));
+            }
+
+          buffer_xml_append_printf
+             (buffer,
+              "</cve>"
+              "</max_severity>"
+              "<max_epss>"
+              "<score>%0.5f</score>"
+              "<percentile>%0.5f</percentile>"
+              "<cve id=\"%s\">",
+              nvt_iterator_max_epss_score (nvts),
+              nvt_iterator_max_epss_percentile (nvts),
+              nvt_iterator_max_epss_cve (nvts));
+
+          if (nvt_iterator_has_max_epss_severity (nvts))
+            {
+              buffer_xml_append_printf 
+                 (buffer,
+                  "<severity>%0.1f</severity>",
+                  nvt_iterator_max_epss_severity (nvts));
+            }
+
+          buffer_xml_append_printf
+             (buffer,
+              "</cve>"
+              "</max_epss>"
+              "</epss>");
+        }
+
       xml_string_append (buffer, close_tag ? "</nvt>" : "");
       msg = g_string_free (buffer, FALSE);
     }

diff --git a/src/manage.h b/src/manage.h
@@ -1982,6 +1982,36 @@ nvt_iterator_solution_type (iterator_t*);
 const char*
 nvt_iterator_solution_method (iterator_t*);
 
+double
+nvt_iterator_epss_score (iterator_t*);
+
+double
+nvt_iterator_epss_percentile (iterator_t*);
+
+const char*
+nvt_iterator_epss_cve (iterator_t*);
+
+double
+nvt_iterator_epss_severity (iterator_t*);
+
+gboolean
+nvt_iterator_has_epss_severity (iterator_t*);
+
+double
+nvt_iterator_max_epss_score (iterator_t*);
+
+double
+nvt_iterator_max_epss_percentile (iterator_t*);
+
+const char*
+nvt_iterator_max_epss_cve (iterator_t*);
+
+double
+nvt_iterator_max_epss_severity (iterator_t*);
+
+gboolean
+nvt_iterator_has_max_epss_severity (iterator_t*);
+
 char*
 nvt_default_timeout (const char *);
 

diff --git a/src/manage_migrators.c b/src/manage_migrators.c
@@ -3176,6 +3176,46 @@ migrate_254_to_255 ()
   return 0;
 }
 
+/**
+ * @brief Migrate the database from version 255 to version 256.
+ *
+ * @return 0 success, -1 error.
+ */
+int
+migrate_255_to_256 ()
+{
+  sql_begin_immediate ();
+
+  /* Ensure that the database is currently version 255. */
+
+  if (manage_db_version () != 255)
+    {
+      sql_rollback ();
+      return -1;
+    }
+
+  /* Update the database. */
+
+  // Add new columns
+
+  sql ("ALTER TABLE nvts ADD COLUMN epss_cve TEXT;");
+  sql ("ALTER TABLE nvts ADD COLUMN epss_score DOUBLE PRECISION;");
+  sql ("ALTER TABLE nvts ADD COLUMN epss_percentile DOUBLE PRECISION;");
+  sql ("ALTER TABLE nvts ADD COLUMN epss_severity DOUBLE PRECISION;");
+  sql ("ALTER TABLE nvts ADD COLUMN max_epss_cve TEXT;");
+  sql ("ALTER TABLE nvts ADD COLUMN max_epss_score DOUBLE PRECISION;");
+  sql ("ALTER TABLE nvts ADD COLUMN max_epss_percentile DOUBLE PRECISION;");
+  sql ("ALTER TABLE nvts ADD COLUMN max_epss_severity DOUBLE PRECISION;");
+
+  /* Set the database version to 256. */
+
+  set_db_version (256);
+
+  sql_commit ();
+
+  return 0;
+}
+
 #undef UPDATE_DASHBOARD_SETTINGS
 
 /**
@@ -3237,6 +3277,7 @@ static migrator_t database_migrators[] = {
   {253, migrate_252_to_253},
   {254, migrate_253_to_254},
   {255, migrate_254_to_255},
+  {256, migrate_255_to_256},
   /* End marker. */
   {-1, NULL}};
 

diff --git a/src/manage_pg.c b/src/manage_pg.c
@@ -1868,7 +1868,16 @@ create_tables_nvt (const gchar *suffix)
        "  solution_method text,"
        "  detection text,"
        "  qod integer,"
-       "  qod_type text);",
+       "  qod_type text,"
+       "  epss_cve TEXT,"
+       "  epss_score DOUBLE PRECISION,"
+       "  epss_percentile DOUBLE PRECISION,"
+       "  epss_severity DOUBLE PRECISION,"
+       "  max_epss_cve TEXT,"
+       "  max_epss_score DOUBLE PRECISION,"
+       "  max_epss_percentile DOUBLE PRECISION,"
+       "  max_epss_severity DOUBLE PRECISION"
+       ");",
        suffix);
 }
 

diff --git a/src/manage_sql_nvts.c b/src/manage_sql_nvts.c
@@ -41,6 +41,7 @@
 #include "manage_preferences.h"
 #include "manage_sql.h"
 #include "manage_sql_configs.h"
+#include "manage_sql_secinfo.h"
 #include "sql.h"
 #include "utils.h"
 
@@ -1214,6 +1215,153 @@ DEF_ACCESS (nvt_iterator_detection, GET_ITERATOR_COLUMN_COUNT + 19);
  */
 DEF_ACCESS (nvt_iterator_solution_method, GET_ITERATOR_COLUMN_COUNT + 20);
 
+/**
+ * @brief Get the EPSS score selected by severity from an NVT iterator.
+ *
+ * @param[in]  iterator  Iterator.
+ *
+ * @return The EPSS score.
+ */
+double
+nvt_iterator_epss_score (iterator_t* iterator)
+{
+  double ret;
+  if (iterator->done) return -1;
+  ret = iterator_double (iterator, GET_ITERATOR_COLUMN_COUNT + 21);
+  return ret;
+}
+
+/**
+ * @brief Get the EPSS percentile selected by severity from an NVT iterator.
+ *
+ * @param[in]  iterator  Iterator.
+ *
+ * @return The EPSS percentile.
+ */
+double
+nvt_iterator_epss_percentile (iterator_t* iterator)
+{
+  double ret;
+  if (iterator->done) return -1;
+  ret = iterator_double (iterator, GET_ITERATOR_COLUMN_COUNT + 22);
+  return ret;
+}
+
+/**
+ * @brief Get the CVE of the EPSS score by severity from an NVT iterator.
+ *
+ * @param[in]  iterator  Iterator.
+ *
+ * @return CVE-ID of the EPSS score, or NULL if iteration is complete.
+ *         Freed by cleanup_iterator.
+ */
+DEF_ACCESS (nvt_iterator_epss_cve, GET_ITERATOR_COLUMN_COUNT + 23);
+
+/**
+ * @brief Get the maximum severity of CVEs with EPSS info from an NVT iterator.
+ *
+ * @param[in]  iterator  Iterator.
+ *
+ * @return The severity score.
+ */
+double
+nvt_iterator_epss_severity (iterator_t* iterator)
+{
+  double ret;
+  if (iterator->done) return -1;
+  ret = iterator_double (iterator, GET_ITERATOR_COLUMN_COUNT + 24);
+  return ret;
+}
+
+/**
+ * @brief Get whether the NVT has a severity for the max severity EPSS score.
+ *
+ * @param[in]  iterator  Iterator.
+ *
+ * @return Whether the severity exists.
+ */
+gboolean
+nvt_iterator_has_epss_severity (iterator_t* iterator)
+{
+  gboolean ret;
+  if (iterator->done) return -1;
+  ret = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 24) != NULL;
+  return ret;
+}
+
+/**
+ * @brief Get the maximum EPSS score from an NVT iterator.
+ *
+ * @param[in]  iterator  Iterator.
+ *
+ * @return The maximum EPSS score.
+ */
+double
+nvt_iterator_max_epss_score (iterator_t* iterator)
+{
+  double ret;
+  if (iterator->done) return -1;
+  ret = iterator_double (iterator, GET_ITERATOR_COLUMN_COUNT + 25);
+  return ret;
+}
+
+/**
+ * @brief Get the maximum EPSS percentile from an NVT iterator.
+ *
+ * @param[in]  iterator  Iterator.
+ *
+ * @return The maximum EPSS percentile.
+ */
+double
+nvt_iterator_max_epss_percentile (iterator_t* iterator)
+{
+  double ret;
+  if (iterator->done) return -1;
+  ret = iterator_double (iterator, GET_ITERATOR_COLUMN_COUNT + 26);
+  return ret;
+}
+
+/**
+ * @brief Get the CVE of the maximum EPSS score from an NVT iterator.
+ *
+ * @param[in]  iterator  Iterator.
+ *
+ * @return CVE-ID of the maximum EPSS score, or NULL if iteration is complete.
+ *         Freed by cleanup_iterator.
+ */
+DEF_ACCESS (nvt_iterator_max_epss_cve, GET_ITERATOR_COLUMN_COUNT + 27);
+
+/**
+ * @brief Get the severity of the maximum EPSS score from an NVT iterator.
+ * @param[in]  iterator  Iterator.
+ *
+ * @return The severity score.
+ */
+double
+nvt_iterator_max_epss_severity (iterator_t* iterator)
+{
+  double ret;
+  if (iterator->done) return -1;
+  ret = iterator_double (iterator, GET_ITERATOR_COLUMN_COUNT + 28);
+  return ret;
+}
+
+/**
+ * @brief Get whether the NVT has a severity for the max EPSS score.
+ *
+ * @param[in]  iterator  Iterator.
+ *
+ * @return Whether the severity exists.
+ */
+gboolean
+nvt_iterator_has_max_epss_severity (iterator_t* iterator)
+{
+  gboolean ret;
+  if (iterator->done) return -1;
+  ret = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 28) != NULL;
+  return ret;
+}
+
 /**
  * @brief Get the default timeout of an NVT.
  *
@@ -2532,6 +2680,9 @@ manage_rebuild (GSList *log_config, const db_conn_info_t *database)
         break;
     }
 
+  if (ret == 0)
+    ret = update_scap_extra ();
+
   feed_lockfile_unlock (&lockfile);
   manage_option_cleanup ();