agh42 / attacksrfc Goto Github PK

The summary search is slow for some CPEs and hangs when a high page number is queried from pagination. Likely cause are characters interpreted as wildcards during search which skip the index and cause a full collection scan.
Example: cpe:2.3:a:adobe:acrobat_reader

Add information from a news and exploit database search for CVEs where applicable

Add tutorial steps on initial page load:

https://www.npmjs.com/package/intro.js-react

Check the following fields which may differ from the old XML feed and may not yet be correctly parsed by cve-search:

• cvssv2, access vector
• cvssv3
• CWE reference, may be free text:

"problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "Difficult to exploit vulnerability allows low privileged attacker having Create Session privilege with network access via multiple protocols to compromise Java VM.  Successful attacks of this vulnerability can result in takeover of Java VM."
                    }
                ]
            }
        ]
    },

• read reference source type (especially exploit):

"references": {
        "reference_data": [
            {
                "url": "https://www.oracle.com/security-alerts/cpujan2020.html",
                "refsource": "MISC",
                "name": "https://www.oracle.com/security-alerts/cpujan2020.html"
            }
        ]
    }

When searching for canonical:ubuntu, the matching CVE's vulnerable configuration link to Intel products which together amount to thousands of variants (see https://nvd.nist.gov/vuln/detail/CVE-2019-0123 for one such CVE).

This cannot be rendered properly. There must be a maximum number of affected CPEs that are displayed for the one CPE under investigation.

A further improvement could be to render collapsed groups that can be expanded for remaining items (i.e. "1023 other products...").

On narrow screen sizes the pagination menu will overflow the parent container.

On narrow screen sizes, the CPEs in the CVE description will overflow the component.

Possibly for other fields as well.

(In CVE details view)

Add slider to specify time range for CVEs.

When a large number of CPE box nodes have to be displayed, they overlap too much. This causes graph rendering to take far too long.
Switch to another node type or change rendering of CPEs, i.e. grouping them by vendor.

When changing the time range slider, the graph will be redrawn but the count of the CVE criticality summary nodes is not updated.

Since they are missing both in the graph view and the list view the root cause may be in the REST client.

Link to twitter feed for site news

Add CVSSv2 metrics from te JSON feed:

impact" : {
"baseMetricV3" : {
"cvssV3" : {
"version" : "3.1",
"vectorString" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"attackVector" : "LOCAL",
"attackComplexity" : "LOW",
"privilegesRequired" : "LOW",
"userInteraction" : "NONE",
"scope" : "UNCHANGED",
"confidentialityImpact" : "HIGH",
"integrityImpact" : "HIGH",
"availabilityImpact" : "HIGH",
"baseScore" : 7.8,
"baseSeverity" : "HIGH"
},
"exploitabilityScore" : 1.8,
"impactScore" : 5.9
},
"baseMetricV2" : {
"cvssV2" : {
"version" : "2.0",
"vectorString" : "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"accessVector" : "LOCAL",
"accessComplexity" : "LOW",
"authentication" : "NONE",
"confidentialityImpact" : "COMPLETE",
"integrityImpact" : "COMPLETE",
"availabilityImpact" : "COMPLETE",
"baseScore" : 7.2
},
"severity" : "HIGH",
"exploitabilityScore" : 3.9,
"impactScore" : 10.0,
"acInsufInfo" : false,
"obtainAllPrivilege" : false,
"obtainUserPrivilege" : false,
"obtainOtherPrivilege" : false,
"userInteractionRequired" : false
}

Use lscache and lz-string to save the selected inventory in local storage. Could also be used for caching the last inventory summary for given timeframes and graph datasets,. Also some user settings, such as hiding the tutorial.
Permanent and cross-browser storage of an inventory will require an account.

Allow searching for a vendor-product combination, i.e. by parsing space in different ways (as part of a single vendor or product, or as a combination of vendor and product). Alternatively allow searching for colon-separated combinations, i.e. "microsoft:windows".

"https://attacksrfc.cstool.io/attacksrfc" is no longer a mapped route.

Show a lock icon on buttons that only work when logged in for improved transparency.

Based on via4cve and/or feed information. Mark exploits, newsworthy and hot topics.

When selecting CPEs like 'Windows RT 8.1' in the graph view, the CPE is not added to the inventory like it should.

Mark CVEs with exploits in the graph display as well.

When clicking on the 'copy to clipboard' button, the user should get visual feedback that the items were indeed copied to the clipboard. (To make clear that it is not necessary to type Ctrl-C.)

Show info, warning and error messages.

Link v2 scores to v2 calculator:
https://github.com/bitsentinel/CVSS2-Calculator

...to make the CPE search box more recognizeable.

Only CPE nodes should change their color - currently also the CVE summary count nodes are colored in teal when selected.

From vulnogram - use Mouseover or display them next to the CWE id.

Add rel="noopener noreferrer" to all links to prevent access to opener by external page.

It should be easier to set a more precise range for say the last two years while all previous dates are less important to differentiate by a couple of days.

For CVE details view, i.e.:

http://cvssjs.github.io/cvssjs/#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Add routes to be able to access specific CPEs and CVEs using shared URLs directly.

On state changes, set a placeholder item into the mentioned views to give clear and immediate user feedback.
Replace the placeholders with the loaded content when it is ready.

Currently a wrong clock on the client's side can mean that the server receives timestamps for 'validUntil' that are in the future. These will fail validation and lead to an error message.
Instead be more lenient and let future values mean 'current time' when filtering by time range.

Ensure index exists for ‚Published‘ field.

For all affected products, render them as selected (teal) color when they are currently present in the inventory.
Changes to inventory should update the color of CPE nodes in the graph immediately.

Localhost should not be amongst the hard-coded valid sources.

Make CVEs and CPEs selectable. Show details for CVEs. Add to active inventory for CPEs. Double-click on a CPE should add it to the inventory, then switch the views to that product.
This makes the graph navigable.

The page counter should be reset to '1' when a different CPE is being displayed.

Disable settings button when user is not logged in.

i.e. by modification date (recent activity), publication date, score.

Allow the user to highlight ('star') individual CVEs for further investigation. Allow filtering starred CVEs. Prepare starred CVEs to be used in task generation.

It's still the react default icon.

Get additional fields from github/cvelist. As supported by https://vulnogram.github.io/#editor

Add a cookie consent banner.

There are requests to /%PUBLIC_URL%/... after visiting /homepage.html.

Currently high and critical CVEs both are red in the CVE summary and graph views.

cve-search writes UTC time but it is converted into local time when displayed. So the "UTC" timezone stated is wrong.
Either state correcttimezone or do not convert time and display as UTC.

CVEs from 2020 are missing the detailed CVSS v2 attack vector ratings in the CVE details view.

When using the 'copy to clipboard' button, the summary counts are not visible after pasting them into MS Excel (for example) because the white font is not visible on white background there.