Giters

yesmar / cve

Parse and use CVE identifiers

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

cvegogolang

cve

Package cve provides a consistent mechanism for parsing, storing, and using CVE identifiers as specified by the MITRE Corporation.

This code hit the cutting room floor from one of my private projects, so I thought I'd share.

SPDX short identifier: BSD-3-Clause

Installation

Assuming you have Go installed…

go get github.com/yesmar/cve

Usage

import "github.com/yesmar/cve"

There are two APIs for creating new CVE types:

// New
cve, err := cve.New(2020, 6629)

// Parse
cve, err := cve.Parse("CVE-2020-6629")

Once created, there are several methods you can call on a CVE type:

  • String returns the string reprentation of the receiver.
  • URL returns the NVD URL representation of the receiver.
  • MarkdownLink returns the Markdown link representation of the receiver.

The included sample program illustrates how these APIs can be used:

go run cmd/cve/main.go CVE-2020-6629

There will be no output from the program, but it should open your preferred web browser and point it to the URL for CVE-2020-6629 at NVD.

Implementation details and caveats

Internally, CVE identifiers are stored as a pair of uint types, one for the year part and one for the sequence number. This may seem wasteful, but consider:

  • This code will continue to work in, say, AD 4324534534.
  • This code will survive the initial onslaught of mass CVE filings perpetrated by our (forthcoming) AI overlords. (:

Unfortunately, storing the sequence number as a uint causes the implementation to fail three of MITRE's valid test cases:

  • CVE-2014-1111111111111111111111
  • CVE-2014-11111111111111111111111
  • CVE-2014-111111111111111111111111

These sequence numbers are too large to store in a uint. One solution would be to store the sequence number as a big.Int, but that seems excessive. Alternately, the CVE sequence number could be stored as a string, but that would require more code to achieve the same level of error checking present for the uint sequence number. I'm fine with sequence numbers having Uint.max as an upper bound.

Legal

Copyright © 2020 Ramsey Dow. All rights reserved.

Use of this source code is governed by a BSD-style license that can be found in the LICENSE file.

About

Parse and use CVE identifiers

cvegogolang

License:BSD 3-Clause "New" or "Revised" License

Languages

Language:Go 100.0%