Use the cvss library in hsec-tools

Author: TristanCacqueray

code/cvss/src/Security/CVSS.hs

@@ -42,6 +42,7 @@ data CVSSVersion
       CVSS30
     | -- | Version 2.0: https://www.first.org/cvss/v2/
       CVSS20
+    deriving (Eq)
 
 -- | Parsed CVSS string obtained with 'parseCVSS'.
 data CVSS = CVSS

code/hsec-tools/cabal.project

@@ -1,3 +1,3 @@
-packages: *.cabal
+packages: *.cabal ../cvss/cvss.cabal
 
 package hsec-tools

code/hsec-tools/hsec-tools.cabal

@@ -49,6 +49,7 @@ library
     , commonmark            ^>=0.2.2
     , commonmark-pandoc     >=0.2     && <0.3
     , containers            >=0.6     && <0.7
+    , cvss
     , directory             <2
     , extra                 ^>=1.7.5
     , filepath              >=1.4     && <1.5
@@ -104,6 +105,7 @@ test-suite spec
   build-depends:
     , base           <5
     , Cabal-syntax
+    , cvss
     , directory
     , hsec-tools
     , pretty-simple  <5

code/hsec-tools/src/Security/Advisories/Convert/OSV.hs

@@ -33,7 +33,7 @@ mkAffected aff =
   OSV.Affected
     { OSV.affectedPackage = mkPackage (affectedPackage aff)
     , OSV.affectedRanges = pure $ mkRange (affectedVersions aff)
-    , OSV.affectedSeverity = mkSeverity (affectedCVSS aff)
+    , OSV.affectedSeverity = [OSV.Severity (affectedCVSS aff)]
     , OSV.affectedEcosystemSpecific = Nothing
     , OSV.affectedDatabaseSpecific = Nothing
     }
@@ -45,15 +45,6 @@ mkPackage name = OSV.Package
   , OSV.packagePurl = Nothing
   }
 
--- NOTE: This is unpleasant.  But we will eventually switch to a
--- proper CVSS type and the unpleasantness will go away.
---
-mkSeverity :: T.Text -> [OSV.Severity]
-mkSeverity s = case T.take 6 s of
-  "CVSS:2" -> [OSV.SeverityCvss2 s]
-  "CVSS:3" -> [OSV.SeverityCvss3 s]
-  _        -> []  -- unexpected; don't include severity
-
 mkRange :: [AffectedVersionRange] -> OSV.Range Void
 mkRange ranges =
     OSV.RangeEcosystem (foldMap mkEvs ranges) Nothing

code/hsec-tools/src/Security/Advisories/Definition.hs

@@ -20,6 +20,7 @@ import Distribution.Types.VersionRange (VersionRange)
 import Text.Pandoc.Definition (Pandoc)
 
 import Security.Advisories.HsecId
+import qualified Security.CVSS as CVSS
 import Security.OSV (Reference)
 
 data Advisory = Advisory
@@ -45,7 +46,7 @@ data Advisory = Advisory
 -- mention one or more packages.
 data Affected = Affected
   { affectedPackage :: Text
-  , affectedCVSS :: Text -- TODO refine type
+  , affectedCVSS :: CVSS.CVSS
   , affectedVersions :: [AffectedVersionRange]
   , affectedArchitectures :: Maybe [Architecture]
   , affectedOS :: Maybe [OS]

code/hsec-tools/src/Security/Advisories/Parse.hs

@@ -48,6 +48,7 @@ import Text.Parsec.Pos (sourceLine)
 import Security.Advisories.HsecId
 import Security.Advisories.Definition
 import Security.OSV (Reference(..), referenceTypes)
+import qualified Security.CVSS as CVSS
 
 -- | A source of attributes supplied out of band from the advisory
 -- content.  Values provided out of band are treated according to
@@ -499,6 +500,16 @@ instance Toml.FromValue VersionRange where
 instance Toml.ToValue VersionRange where
   toValue = Toml.toValue . show
 
+instance Toml.FromValue CVSS.CVSS where
+  fromValue v =
+    do s <- Toml.fromValue v
+       case CVSS.parseCVSS s of
+         Left err -> fail ("parse error in cvss: " ++ show err)
+         Right cvss -> pure cvss
+
+instance Toml.ToValue CVSS.CVSS where
+  toValue = Toml.toValue . CVSS.cvssVectorString
+
 mergeOob
   :: MonadFail m
   => AttributeOverridePolicy

code/hsec-tools/src/Security/OSV.hs

@@ -44,6 +44,8 @@ import Data.Time (UTCTime)
 import Data.Time.Format.ISO8601 (iso8601ParseM)
 import Data.Tuple (swap)
 
+import qualified Security.CVSS as CVSS
+
 data Affected dbSpecific ecosystemSpecific rangeDbSpecific = Affected
   { affectedRanges :: [Range rangeDbSpecific]
   , affectedPackage :: Package
@@ -146,27 +148,36 @@ newModel' = newModel defaultSchemaVersion
 -- calculated and compared in a more nuanced way than 'Ord' can provide
 -- for.
 --
-data Severity
-  = SeverityCvss2 Text {- TODO refine -}
-  | SeverityCvss3 Text {- TODO refine -}
-  deriving (Show, Eq)
+newtype Severity = Severity CVSS.CVSS
+  deriving (Show)
+
+instance Eq Severity where
+  Severity s1 == Severity s2 = CVSS.cvssVectorString s1 == CVSS.cvssVectorString s2
 
 instance FromJSON Severity where
   parseJSON = withObject "severity" $ \o -> do
     typ <- o .: "type" :: Parser Text
+    score <- o .: "score" :: Parser Text
+    cvss <- case CVSS.parseCVSS score of
+      Right cvss -> pure cvss
+      Left err ->
+        prependFailure ("unregognised severity score: " <> show err)
+          $ typeMismatch "severity" (Object o)
     case typ of
-      "CVSS_V2" -> SeverityCvss2 <$> o .: "score"
-      "CVSS_V3" -> SeverityCvss3 <$> o .: "score"
+      "CVSS_V2" | CVSS.cvssVersion cvss == CVSS.CVSS20 -> pure $ Severity cvss
+      "CVSS_V3" | CVSS.cvssVersion cvss `elem` [CVSS.CVSS30, CVSS.CVSS31] -> pure $ Severity cvss
       s ->
         prependFailure ("unregognised severity type: " <> show s)
           $ typeMismatch "severity" (Object o)
 
 instance ToJSON Severity where
-  toJSON sev = object $ case sev of
-    SeverityCvss2 score -> [typ "CVSS_V2", "score" .= score]
-    SeverityCvss3 score -> [typ "CVSS_V3", "score" .= score]
+  toJSON (Severity cvss) = object ["type" .= CVSS.cvssVectorString cvss, "score" .= score]
     where
-      typ s = "type" .= (s :: Text)
+      score :: Text
+      score = case CVSS.cvssVersion cvss of
+        CVSS.CVSS31 -> "CVSS_V3"
+        CVSS.CVSS30 -> "CVSS_V3"
+        CVSS.CVSS20 -> "CVSS_V2"
 
 data Package = Package
   { packageName :: Text

code/hsec-tools/test/Spec/QueriesSpec.hs

@@ -4,6 +4,7 @@
 module Spec.QueriesSpec (spec) where
 
 import Data.Bifunctor (first)
+import Data.Either (fromRight)
 import Data.Maybe (fromMaybe)
 import Data.Text (Text)
 import qualified Data.Text as T
@@ -13,6 +14,7 @@ import Distribution.Types.VersionRange (VersionRange, VersionRangeF(..), anyVers
 import Test.Tasty
 import Test.Tasty.HUnit
 
+import Security.CVSS (parseCVSS)
 import Security.Advisories.Definition
 import Security.Advisories.HsecId
 import Security.Advisories.Queries
@@ -113,7 +115,7 @@ mkAdvisory versionRange =
      , advisoryAffected =
          [ Affected
              { affectedPackage = packageName
-             , affectedCVSS = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+             , affectedCVSS = cvss
              , affectedVersions = mkAffectedVersions versionRange
              , affectedArchitectures = Nothing
              , affectedOS = Nothing
@@ -126,6 +128,8 @@ mkAdvisory versionRange =
      , advisorySummary = ""
      , advisoryDetails = ""
      }
+  where
+    cvss = fromRight (error "Cannot parseCVSS") (parseCVSS "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")
 
 mkAffectedVersions :: VersionRange -> [AffectedVersionRange]
 mkAffectedVersions vr =

code/hsec-tools/test/golden/EXAMPLE_ADVISORY.md.golden

@@ -17,7 +17,7 @@ Right
         , advisoryAffected =
             [ Affected
                 { affectedPackage = "package-name"
-                , affectedCVSS = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+                , affectedCVSS = CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                 , affectedVersions =
                     [ AffectedVersionRange
                         { affectedVersionRangeIntroduced = mkVersion