#!/usr/bin/perl -w
# dumps all CVSS scores for all released updates into CSV.
use strict;

use Data::Dumper;

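# Work out the directory that holds this script and append it to @INC, so
# that the project-local modules required further down can be found there.
#
# dirname() and getcwd() run in-process. The script path in $0 is never
# handed to a shell, so a path containing spaces or shell metacharacters is
# taken literally instead of being re-parsed as a command line.
use Cwd qw(getcwd);
use File::Basename qw(dirname);

my $dn = dirname($0);
my $pwd = getcwd();
if ($dn !~ /^\//) {
	# A relative script path is anchored at the current working directory.
	die "$0: cannot determine the current directory: $!\n" unless defined($pwd);
	$dn = $pwd . "/" . $dn;
}
# push, not unshift: the script directory is searched last, after every
# entry already present in @INC.
push @INC,$dn;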

# Project-local readers, loaded at run time (after @INC was extended above).
# The load order is kept exactly as it was; nothing is imported into main::,
# so everything below is reached through fully qualified names.
require CanDBReader;
require CVEListReader;
require SMASHData;
# NOTE(review): presumably fills the %SMASHData::* tables read further down
# (cvssv3, codestreampkgstate) -- confirm in SMASHData.
SMASHData::read_all_cached_issues();

require UpdateInfoReader;
# NOTE(review): presumably fills %UpdateInfoReader::codestream2product2src2binary
# -- confirm in UpdateInfoReader.
UpdateInfoReader->import_product_updates();

# Product name used as the second-level key when checking whether a source
# package is listed in %UpdateInfoReader::codestream2product2src2binary.
my $sles11 = 'SUSE Linux Enterprise Server 11 SP4-LTSS';

#print Dumper($UpdateInfoReader::codestream2product2src2binary{"SUSE:SLE-11-SP4:Update"});

# SLE 11 update codestreams that the report walks, in this order.
my @all11cs = qw(
	SUSE:SLE-11:Update
	SUSE:SLE-11-SP1:Update
	SUSE:SLE-11-SP2:Update
	SUSE:SLE-11-SP3:Update
	SUSE:SLE-11-SP4:Update
);


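# Look up the SUSE-assigned CVSS v3 base score of a CVE.
#
# Reads %SMASHData::cvssv3, which is keyed by CVE id; each value is a hash
# reference keyed by rating source, and the 'SUSE' entry holds 'base_score'.
#
# Argument:
#   $cve - CVE id used as the key into %SMASHData::cvssv3.
#
# Returns:
#   -1                     when %SMASHData::cvssv3 has no entry for the CVE,
#   '' (empty string)      when there is an entry but no 'SUSE' rating,
#   the stored base_score  otherwise.
sub
get_suse_score($) {
	my ($cve) = @_;

	my $entry = $SMASHData::cvssv3{$cve};
	return -1 unless defined($entry);

	my $rating = $entry->{'SUSE'};
	# Explicit return for "entry present, no SUSE rating". Without it the sub
	# falls off the end and the caller receives whatever the last evaluated
	# expression happened to be.
	# NOTE(review): '' keeps the CSV field empty, as before; confirm whether
	# consumers would rather see -1 here as well.
	return '' unless defined($rating);

	return $rating->{'base_score'};
}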

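# Look up the NVD-assigned CVSS v3 base score of a CVE.
#
# Reads %SMASHData::cvssv3, which is keyed by CVE id; each value is a hash
# reference keyed by rating source, and the 'National Vulnerability Database'
# entry holds 'base_score'.
#
# Argument:
#   $cve - CVE id used as the key into %SMASHData::cvssv3.
#
# Returns:
#   -1                     when %SMASHData::cvssv3 has no entry for the CVE,
#   '' (empty string)      when there is an entry but no NVD rating,
#   the stored base_score  otherwise.
sub
get_nvd_score($) {
	my ($cve) = @_;

	my $entry = $SMASHData::cvssv3{$cve};
	return -1 unless defined($entry);

	my $rating = $entry->{'National Vulnerability Database'};
	# Explicit return for "entry present, no NVD rating". Without it the sub
	# falls off the end and the caller receives whatever the last evaluated
	# expression happened to be.
	# NOTE(review): '' keeps the CSV field empty, as before; confirm whether
	# consumers would rather see -1 here as well.
	return '' unless defined($rating);

	return $rating->{'base_score'};
}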

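# Write the report to stdout: one '#'-prefixed header line, then one CSV row
# for every (CVE, SLE 11 codestream, source package) combination whose state
# is not "Not affected" and whose package is listed for the $sles11 product
# in that codestream.
#
# The header names all nine fields of a row; the ninth is the package state.
print "# first-bug-seen-date,CVE,SUSE-CVSS3-base-score,NVD-CVSS3-base-score,first-bug-with-this-CVE,sourcepackage,URL,Description,State\n";

foreach my $cve (sort keys %SMASHData::codestreampkgstate) {
#foreach my $cve ("CVE-2023-38289") {
	my $cs2pkg = $SMASHData::codestreampkgstate{$cve};
	next unless (defined($cs2pkg));

	# Comma-separated Bugzilla ids recorded for this CVE; may be missing.
	my $buglist = $CanDBReader::bugzillas{$cve};
	my @bugs = defined($buglist) ? split(/,/, $buglist) : ();

	# The "first" bug is the lowest id. Ids are compared as numbers: a plain
	# string sort would put a seven-digit id before a six-digit one.
	# assumes ids are decimal integers, as in the sample row below; if none
	# is, the old string order is used -- TODO confirm
	my @numbugs = sort { $a <=> $b } grep { /^\d+$/ } @bugs;
	my $firstbug = @numbugs ? $numbugs[0] : (sort @bugs)[0];
	$firstbug = "" unless defined($firstbug);

	my $firstdate = $CanDBReader::firstdate{$cve};
	$firstdate = "" unless defined($firstdate);

	foreach my $cssp (@all11cs) {
		my $pkg2state = $cs2pkg->{$cssp};
		next unless (defined($pkg2state));

		# print STDERR Dumper($SMASHData::codestreampkgstate{$cve}->{$cssp});

		# Sorted so that two runs over the same data give the same row order.
		foreach my $pkg (sort keys %{$pkg2state}) {
			my $state = $pkg2state->{$pkg};

			next if ($state eq "Not affected");

			if (defined($UpdateInfoReader::codestream2product2src2binary{$cssp}->{$sles11}->{$pkg})) {
# 20210715,CVE-2021-32066,7.4,7.4,1188160,ruby,https://www.suse.com/security/cve/CVE-2021-32066,"An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\""

				# get_description() is not defined in this file.
				# NOTE(review): presumably provided by one of the required modules -- confirm.
				my $desc = get_description($cve);
				$desc = "" unless defined($desc);

				# Only the description is quoted. A '"' is escaped as \" (the
				# form shown in the sample row above) rather than doubled as
				# RFC 4180 readers expect, and a backslash or carriage return
				# already in the text is passed through unchanged.
				# NOTE(review): the description is free text from the CVE
				# data -- confirm that the consumer parses \" and reads every
				# cell as plain text.
				$desc =~ s/"/\\"/g;
				$desc =~ s/\n/ /g;

				# The scores are joined with '.', which calls both subs in
				# scalar context and so always yields exactly one field each.
				print "$firstdate,$cve," . get_suse_score($cve) . "," . get_nvd_score($cve) . ",$firstbug,$pkg,https://www.suse.com/security/cve/$cve,\"$desc\",$state\n";
			}
		}
	}
}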
