feat(cwe): update CWE dictionary (#1443)

2022-06-08 21:36:54 +00:00
parent 2477f9a8f8
commit 38b1d622f6
9 changed files with 3379 additions and 1213 deletions
--- a/reporter/slack.go
+++ b/reporter/slack.go
@@ -326,23 +326,19 @@ func (w SlackWriter) attachmentText(vinfo models.VulnInfo, cweDict map[string]mo
 func (w SlackWriter) cweIDs(vinfo models.VulnInfo, osFamily string, cweDict models.CweDict) string {
 	links := []string{}
 	for _, c := range vinfo.CveContents.UniqCweIDs(osFamily) {
-		name, url, top10Rank, top10URL, cweTop25Rank, cweTop25URL, sansTop25Rank, sansTop25URL := cweDict.Get(c.Value, w.lang)
-		line := ""
-		if top10Rank != "" {
-			line = fmt.Sprintf("<%s|[OWASP Top %s]>",
-				top10URL, top10Rank)
+		name, url, owasp, cwe25, sans := cweDict.Get(c.Value, w.lang)
+		line := fmt.Sprintf("<%s|%s>: %s", url, c.Value, name)
+		for year, info := range owasp {
+			links = append(links, fmt.Sprintf("<%s|[OWASP(%s) Top %s]> %s", info.URL, year, info.Rank, line))
 		}
-		if cweTop25Rank != "" {
-			line = fmt.Sprintf("<%s|[CWE Top %s]>",
-				cweTop25URL, cweTop25Rank)
+		for year, info := range cwe25 {
+			links = append(links, fmt.Sprintf("<%s|[CWE(%s) Top %s]> %s", info.URL, year, info.Rank, line))
 		}
-		if sansTop25Rank != "" {
-			line = fmt.Sprintf("<%s|[CWE/SANS Top %s]>",
-				sansTop25URL, sansTop25Rank)
+		for year, info := range sans {
+			links = append(links, fmt.Sprintf("<%s|[CWE/SANS(%s) Top %s]> %s", info.URL, year, info.Rank, line))
 		}
-		if top10Rank == "" && cweTop25Rank == "" && sansTop25Rank == "" {
-			links = append(links, fmt.Sprintf("%s <%s|%s>: %s",
-				line, url, c.Value, name))
+		if len(owasp) == 0 && len(cwe25) == 0 && len(sans) == 0 {
+			links = append(links, line)
 		}
 	}
 	return strings.Join(links, "\n")
--- a/reporter/util.go
+++ b/reporter/util.go
@@ -19,6 +19,7 @@ import (
 	"github.com/future-architect/vuls/models"
 	"github.com/gosuri/uitable"
 	"github.com/olekukonko/tablewriter"
+	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"
 )

@@ -432,31 +433,42 @@ No CVE-IDs are found in updatable packages.
 			data = append(data, []string{"Confidence", confidence.String()})
 		}

-		cweURLs, top10URLs := []string{}, []string{}
-		cweTop25URLs, sansTop25URLs := []string{}, []string{}
+		cweURLs, top10URLs, cweTop25URLs, sansTop25URLs := []string{}, map[string][]string{}, map[string][]string{}, map[string][]string{}
 		for _, v := range vuln.CveContents.UniqCweIDs(r.Family) {
-			name, url, top10Rank, top10URL, cweTop25Rank, cweTop25URL, sansTop25Rank, sansTop25URL := r.CweDict.Get(v.Value, r.Lang)
-			if top10Rank != "" {
-				data = append(data, []string{"CWE",
-					fmt.Sprintf("[OWASP Top%s] %s: %s (%s)",
-						top10Rank, v.Value, name, v.Type)})
-				top10URLs = append(top10URLs, top10URL)
+			name, url, owasp, cwe25, sans := r.CweDict.Get(v.Value, r.Lang)
+
+			ds := [][]string{}
+			for year, info := range owasp {
+				ds = append(ds, []string{"CWE", fmt.Sprintf("[OWASP(%s) Top%s] %s: %s (%s)", year, info.Rank, v.Value, name, v.Type)})
+				top10URLs[year] = append(top10URLs[year], info.URL)
 			}
-			if cweTop25Rank != "" {
-				data = append(data, []string{"CWE",
-					fmt.Sprintf("[CWE Top%s] %s: %s (%s)",
-						cweTop25Rank, v.Value, name, v.Type)})
-				cweTop25URLs = append(cweTop25URLs, cweTop25URL)
+			slices.SortFunc(ds, func(a, b []string) bool {
+				return a[1] < b[1]
+			})
+			data = append(data, ds...)
+
+			ds = [][]string{}
+			for year, info := range cwe25 {
+				ds = append(ds, []string{"CWE", fmt.Sprintf("[CWE(%s) Top%s] %s: %s (%s)", year, info.Rank, v.Value, name, v.Type)})
+				cweTop25URLs[year] = append(cweTop25URLs[year], info.URL)
 			}
-			if sansTop25Rank != "" {
-				data = append(data, []string{"CWE",
-					fmt.Sprintf("[CWE/SANS Top%s]  %s: %s (%s)",
-						sansTop25Rank, v.Value, name, v.Type)})
-				sansTop25URLs = append(sansTop25URLs, sansTop25URL)
+			slices.SortFunc(ds, func(a, b []string) bool {
+				return a[1] < b[1]
+			})
+			data = append(data, ds...)
+
+			ds = [][]string{}
+			for year, info := range sans {
+				ds = append(ds, []string{"CWE", fmt.Sprintf("[CWE/SANS(%s) Top%s]  %s: %s (%s)", year, info.Rank, v.Value, name, v.Type)})
+				sansTop25URLs[year] = append(sansTop25URLs[year], info.URL)
 			}
-			if top10Rank == "" && cweTop25Rank == "" && sansTop25Rank == "" {
-				data = append(data, []string{"CWE", fmt.Sprintf("%s: %s (%s)",
-					v.Value, name, v.Type)})
+			slices.SortFunc(ds, func(a, b []string) bool {
+				return a[1] < b[1]
+			})
+			data = append(data, ds...)
+
+			if len(owasp) == 0 && len(cwe25) == 0 && len(sans) == 0 {
+				data = append(data, []string{"CWE", fmt.Sprintf("%s: %s (%s)", v.Value, name, v.Type)})
 			}
 			cweURLs = append(cweURLs, url)
 		}
@@ -474,15 +486,34 @@ No CVE-IDs are found in updatable packages.
 			m[exploit.URL] = struct{}{}
 		}

-		for _, url := range top10URLs {
-			data = append(data, []string{"OWASP Top10", url})
+		for year, urls := range top10URLs {
+			ds := [][]string{}
+			for _, url := range urls {
+				ds = append(ds, []string{fmt.Sprintf("OWASP(%s) Top10", year), url})
+			}
+			slices.SortFunc(ds, func(a, b []string) bool {
+				return a[0] < b[0]
+			})
+			data = append(data, ds...)
 		}
-		if len(cweTop25URLs) != 0 {
-			data = append(data, []string{"CWE Top25", cweTop25URLs[0]})
+
+		ds := [][]string{}
+		for year, urls := range cweTop25URLs {
+			ds = append(ds, []string{fmt.Sprintf("CWE(%s) Top25", year), urls[0]})
 		}
-		if len(sansTop25URLs) != 0 {
-			data = append(data, []string{"SANS/CWE Top25", sansTop25URLs[0]})
+		slices.SortFunc(ds, func(a, b []string) bool {
+			return a[0] < b[0]
+		})
+		data = append(data, ds...)
+
+		ds = [][]string{}
+		for year, urls := range sansTop25URLs {
+			ds = append(ds, []string{fmt.Sprintf("SANS/CWE(%s) Top25", year), urls[0]})
 		}
+		slices.SortFunc(ds, func(a, b []string) bool {
+			return a[0] < b[0]
+		})
+		data = append(data, ds...)

 		for _, alert := range vuln.AlertDict.CISA {
 			data = append(data, []string{"CISA Alert", alert.URL})