add key provider

Signed-off-by: Alex Goodman <[email protected]>

schema/vulnerability/known-exploited/README.md

@@ -0,0 +1,16 @@
+# `KnownExploitedVulnerability` JSON Schema
+
+This schema governs the data shape for a single [CISA Known Exploited Vulnerability dataset](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) record.
+
+
+## Updating the schema
+
+Please use the [official schema](https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities_schema.json) as a basis for updating this schema. The main difference between the official schema and this one is that this schema represents a single record instead of the entire catalog.
+
+This schema is being versioned based off of the "SchemaVer" guidelines, which slightly diverges from Semantic Versioning to tailor for the purposes of data models.
+
+Given a version number format `MODEL.REVISION.ADDITION`:
+
+- `MODEL`: increment when you make a breaking schema change which will prevent interaction with any historical data
+- `REVISION`: increment when you make a schema change which may prevent interaction with some historical data
+- `ADDITION`: increment when you make a schema change that is compatible with all historical data

schema/vulnerability/known-exploited/schema-1.0.0.json

@@ -0,0 +1,70 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "type": "object",
+  "title": "CISA Known Exploited Vulnerability entry",
+  "description": "A single entry from the CISA catalog of known exploited vulnerabilities",
+  "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+  "properties": {
+    "cveID": {
+      "description": "The CVE ID of the vulnerability in the format CVE-YYYY-NNNN, note that the number portion can have more than 4 digits",
+      "type": "string",
+      "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$"
+    },
+    "vendorProject": {
+      "description": "The vendor or project name for the vulnerability",
+      "type": "string"
+    },
+    "product": {
+      "description": "The vulnerability product",
+      "type": "string"
+    },
+    "vulnerabilityName": {
+      "description": "The name of the vulnerability",
+      "type": "string"
+    },
+    "dateAdded": {
+      "description": "The date the vulnerability was added to the catalog in the format YYYY-MM-DD",
+      "type": "string",
+      "format": "date"
+    },
+    "shortDescription": {
+      "description": "A short description of the vulnerability",
+      "type": "string"
+    },
+    "requiredAction": {
+      "description": "The required action to address the vulnerability",
+      "type": "string"
+    },
+    "dueDate": {
+      "description": "The date the required action is due in the format YYYY-MM-DD",
+      "type": "string",
+      "format": "date"
+    },
+    "knownRansomwareCampaignUse": {
+      "description": "'Known' if this vulnerability is known to have been leveraged as part of a ransomware campaign; 'Unknown' if CISA lacks confirmation that the vulnerability has been utilized for ransomware",
+      "type": "string"
+    },
+    "notes": {
+      "description": "Any additional notes about the vulnerability",
+      "type": "string"
+    },
+    "cwes": {
+      "description": "Common Weakness Enumeration (CWE) codes associated with this vulnerability. CWEs are in the format CWE-NNNN; note that the number portion can have any number of digits",
+      "type": "array",
+      "items": {
+        "type": "string",
+        "pattern": "^CWE-([0-9])+$"
+      }
+    }
+  },
+  "required": [
+    "cveID",
+    "vendorProject",
+    "product",
+    "vulnerabilityName",
+    "dateAdded",
+    "shortDescription",
+    "requiredAction",
+    "dueDate"
+  ]
+}

src/vunnel/providers/__init__.py

@@ -10,6 +10,7 @@
     chainguard,
     debian,
     github,
+    kev,
     mariner,
     nvd,
     oracle,
@@ -23,6 +24,7 @@
     from vunnel import provider
 
 _providers: dict[str, type[provider.Provider]] = {
+    # vulnerability providers
     alpine.Provider.name(): alpine.Provider,
     amazon.Provider.name(): amazon.Provider,
     debian.Provider.name(): debian.Provider,
@@ -35,6 +37,8 @@
     ubuntu.Provider.name(): ubuntu.Provider,
     wolfi.Provider.name(): wolfi.Provider,
     chainguard.Provider.name(): chainguard.Provider,
+    # auxiliary vulnerability data (decorates vulnerability entries from providers)
+    kev.Provider.name(): kev.Provider,
 }
 
 

src/vunnel/providers/kev/__init__.py

@@ -0,0 +1,59 @@
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+from typing import TYPE_CHECKING
+
+from vunnel import provider, result, schema
+
+from .manager import Manager
+
+if TYPE_CHECKING:
+    import datetime
+
+
+@dataclass
+class Config:
+    url: str = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
+    runtime: provider.RuntimeConfig = field(
+        default_factory=lambda: provider.RuntimeConfig(
+            result_store=result.StoreStrategy.SQLITE,
+            existing_input=provider.InputStatePolicy.DELETE,  # delete the kev.json before running
+            existing_results=result.ResultStatePolicy.DELETE_BEFORE_WRITE,
+        ),
+    )
+    request_timeout: int = 125
+
+
+class Provider(provider.Provider):
+    __schema__ = schema.KnownExploitedVulnerabilitySchema()
+    __distribution_version__ = int(__schema__.major_version)
+
+    def __init__(self, root: str, config: Config | None = None):
+        if not config:
+            config = Config()
+        super().__init__(root, runtime_cfg=config.runtime)
+        self.config = config
+
+        self.logger.debug(f"config: {config}")
+
+        self.manager = Manager(
+            url=self.config.url,
+            workspace=self.workspace,
+            download_timeout=self.config.request_timeout,
+            logger=self.logger,
+        )
+
+    @classmethod
+    def name(cls) -> str:
+        return "kev"
+
+    def update(self, last_updated: datetime.datetime | None) -> tuple[list[str], int]:
+        with self.results_writer() as writer:
+            for vuln_id, record in self.manager.get():
+                writer.write(
+                    identifier=f"kev:{vuln_id.lower()}",
+                    schema=self.__schema__,
+                    payload=record,
+                )
+
+        return self.manager.urls, len(writer)

src/vunnel/providers/kev/manager.py

@@ -0,0 +1,40 @@
+import logging
+import os
+from collections.abc import Generator
+from typing import Any
+
+from vunnel import workspace
+from vunnel.utils import http
+
+
+class Manager:
+    def __init__(self, url: str, workspace: workspace.Workspace, download_timeout: int = 125, logger: logging.Logger | None = None):
+        self.workspace = workspace
+        self.download_timeout = download_timeout
+
+        if not logger:
+            logger = logging.getLogger(self.__class__.__name__)
+        self.logger = logger
+
+        if url:
+            self._kev_url_ = url
+
+    @property
+    def urls(self) -> list[str]:
+        return [self._kev_url_]
+
+    def get(self) -> Generator[tuple[str, dict[str, Any]], Any, None]:
+        data = self._download()
+        yield from self._parse(data)
+
+    def _download(self) -> dict[str, Any]:
+        dest = os.path.join(self.workspace.input_path, "kev.json")
+
+        response = http.get(self._kev_url_, self.logger, timeout=self.download_timeout)
+        with open(dest, "w") as f:
+            f.write(response.text)
+        return response.json()
+
+    def _parse(self, catalog: dict[str, Any]) -> Generator[tuple[str, dict[str, Any]], Any, None]:
+        for record in catalog["vulnerabilities"]:
+            yield record["cveID"], record

src/vunnel/schema.py

@@ -13,6 +13,7 @@
 OS_SCHEMA_VERSION = "1.0.2"
 NVD_SCHEMA_VERSION = "1.0.0"
 OSV_SCHEMA_VERSION = "1.6.1"
+KNOWN_EXPLOITED_VULNERABILITY_SCHEMA_VERSION = "1.0.0"
 
 
 @dataclass(frozen=True)
@@ -84,3 +85,10 @@ def OSVSchema(version: str = OSV_SCHEMA_VERSION) -> Schema:
         version=version,
         url=f"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/osv/schema-{version}.json",
     )
+
+
+def KnownExploitedVulnerabilitySchema(version: str = KNOWN_EXPLOITED_VULNERABILITY_SCHEMA_VERSION) -> Schema:
+    return Schema(
+        version=version,
+        url=f"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/known-exploited/schema-{version}.json",
+    )

tests/unit/providers/kev/test-fixtures/single-entry/example1.json

@@ -0,0 +1,15 @@
+{
+  "cveID": "CVE-2025-0108",
+  "vendorProject": "Palo Alto Networks",
+  "product": "PAN-OS",
+  "vulnerabilityName": "Palo Alto Networks PAN-OS Authentication Bypass Vulnerability",
+  "dateAdded": "2025-02-18",
+  "shortDescription": "Palo Alto Networks PAN-OS contains an authentication bypass vulnerability in its management web interface. This vulnerability allows an unauthenticated attacker with network access to the management web interface to bypass the authentication normally required and invoke certain PHP scripts.",
+  "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
+  "dueDate": "2025-03-11",
+  "knownRansomwareCampaignUse": "Unknown",
+  "notes": "https:\/\/security.paloaltonetworks.com\/CVE-2025-0108 ; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-0108",
+  "cwes": [
+    "CWE-306"
+  ]
+}

tests/unit/providers/kev/test-fixtures/snapshots/valid-catalog-1/kev:cve-2024-53704.json

@@ -0,0 +1,19 @@
+{
+  "identifier": "kev:cve-2024-53704",
+  "item": {
+    "cveID": "CVE-2024-53704",
+    "cwes": [
+      "CWE-287"
+    ],
+    "dateAdded": "2025-02-18",
+    "dueDate": "2025-03-11",
+    "knownRansomwareCampaignUse": "Unknown",
+    "notes": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0003 ; https://nvd.nist.gov/vuln/detail/CVE-2024-53704",
+    "product": "SonicOS",
+    "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
+    "shortDescription": "SonicWall SonicOS contains an improper authentication vulnerability in the SSLVPN authentication mechanism that allows a remote attacker to bypass authentication.",
+    "vendorProject": "SonicWall",
+    "vulnerabilityName": "SonicWall SonicOS SSLVPN Improper Authentication Vulnerability"
+  },
+  "schema": "https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/known-exploited/schema-1.0.0.json"
+}

tests/unit/providers/kev/test-fixtures/snapshots/valid-catalog-1/kev:cve-2024-57727.json

@@ -0,0 +1,19 @@
+{
+  "identifier": "kev:cve-2024-57727",
+  "item": {
+    "cveID": "CVE-2024-57727",
+    "cwes": [
+      "CWE-22"
+    ],
+    "dateAdded": "2025-02-13",
+    "dueDate": "2025-03-06",
+    "knownRansomwareCampaignUse": "Unknown",
+    "notes": "https://simple-help.com/kb---security-vulnerabilities-01-2025 ; https://nvd.nist.gov/vuln/detail/CVE-2024-57727",
+    "product": "SimpleHelp",
+    "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
+    "shortDescription": "SimpleHelp remote support software contains multiple path traversal vulnerabilities that allow unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP requests. These files may include server configuration files and hashed user passwords.",
+    "vendorProject": "SimpleHelp ",
+    "vulnerabilityName": "SimpleHelp Path Traversal Vulnerability"
+  },
+  "schema": "https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/known-exploited/schema-1.0.0.json"
+}

tests/unit/providers/kev/test-fixtures/snapshots/valid-catalog-1/kev:cve-2025-0108.json

@@ -0,0 +1,19 @@
+{
+  "identifier": "kev:cve-2025-0108",
+  "item": {
+    "cveID": "CVE-2025-0108",
+    "cwes": [
+      "CWE-306"
+    ],
+    "dateAdded": "2025-02-18",
+    "dueDate": "2025-03-11",
+    "knownRansomwareCampaignUse": "Unknown",
+    "notes": "https://security.paloaltonetworks.com/CVE-2025-0108 ; https://nvd.nist.gov/vuln/detail/CVE-2025-0108",
+    "product": "PAN-OS",
+    "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
+    "shortDescription": "Palo Alto Networks PAN-OS contains an authentication bypass vulnerability in its management web interface. This vulnerability allows an unauthenticated attacker with network access to the management web interface to bypass the authentication normally required and invoke certain PHP scripts.",
+    "vendorProject": "Palo Alto Networks",
+    "vulnerabilityName": "Palo Alto Networks PAN-OS Authentication Bypass Vulnerability"
+  },
+  "schema": "https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/known-exploited/schema-1.0.0.json"
+}

tests/unit/providers/kev/test-fixtures/valid-catalog-1.json

@@ -0,0 +1,53 @@
+{
+  "title": "CISA Catalog of Known Exploited Vulnerabilities",
+  "catalogVersion": "2025.02.19",
+  "dateReleased": "2025-02-19T14:08:44.5021Z",
+  "count": 1273,
+  "vulnerabilities": [
+    {
+      "cveID": "CVE-2025-0108",
+      "vendorProject": "Palo Alto Networks",
+      "product": "PAN-OS",
+      "vulnerabilityName": "Palo Alto Networks PAN-OS Authentication Bypass Vulnerability",
+      "dateAdded": "2025-02-18",
+      "shortDescription": "Palo Alto Networks PAN-OS contains an authentication bypass vulnerability in its management web interface. This vulnerability allows an unauthenticated attacker with network access to the management web interface to bypass the authentication normally required and invoke certain PHP scripts.",
+      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
+      "dueDate": "2025-03-11",
+      "knownRansomwareCampaignUse": "Unknown",
+      "notes": "https:\/\/security.paloaltonetworks.com\/CVE-2025-0108 ; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-0108",
+      "cwes": [
+        "CWE-306"
+      ]
+    },
+    {
+      "cveID": "CVE-2024-53704",
+      "vendorProject": "SonicWall",
+      "product": "SonicOS",
+      "vulnerabilityName": "SonicWall SonicOS SSLVPN Improper Authentication Vulnerability",
+      "dateAdded": "2025-02-18",
+      "shortDescription": "SonicWall SonicOS contains an improper authentication vulnerability in the SSLVPN authentication mechanism that allows a remote attacker to bypass authentication.",
+      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
+      "dueDate": "2025-03-11",
+      "knownRansomwareCampaignUse": "Unknown",
+      "notes": "https:\/\/psirt.global.sonicwall.com\/vuln-detail\/SNWLID-2025-0003 ; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-53704",
+      "cwes": [
+        "CWE-287"
+      ]
+    },
+    {
+      "cveID": "CVE-2024-57727",
+      "vendorProject": "SimpleHelp ",
+      "product": "SimpleHelp",
+      "vulnerabilityName": "SimpleHelp Path Traversal Vulnerability",
+      "dateAdded": "2025-02-13",
+      "shortDescription": "SimpleHelp remote support software contains multiple path traversal vulnerabilities that allow unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP requests. These files may include server configuration files and hashed user passwords.",
+      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
+      "dueDate": "2025-03-06",
+      "knownRansomwareCampaignUse": "Unknown",
+      "notes": "https:\/\/simple-help.com\/kb---security-vulnerabilities-01-2025 ; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-57727",
+      "cwes": [
+        "CWE-22"
+      ]
+    }
+  ]
+}