Add support for Calculating Risk in VulnerableCode

Signed-off-by: ziadhany <[email protected]>

Author: ziadhany

vulnerabilities/improvers/valid_versions.py

@@ -31,6 +31,7 @@
 from vulnerabilities.importers.debian import DebianImporter
 from vulnerabilities.importers.debian_oval import DebianOvalImporter
 from vulnerabilities.importers.elixir_security import ElixirSecurityImporter
+from vulnerabilities.importers.epss import EPSSImporter
 from vulnerabilities.importers.github import GitHubAPIImporter
 from vulnerabilities.importers.github_osv import GithubOSVImporter
 from vulnerabilities.importers.gitlab import GitLabAPIImporter
@@ -472,3 +473,8 @@ class RubyImprover(ValidVersionImprover):
 class GithubOSVImprover(ValidVersionImprover):
     importer = GithubOSVImporter
     ignorable_versions = []
+
+
+class EPSSImprover(ValidVersionImprover):
+    importer = EPSSImporter
+    ignorable_versions = []

vulnerabilities/risk.py

@@ -0,0 +1,102 @@
+import os
+from typing import List
+
+from vulnerabilities.models import Exploit
+from vulnerabilities.models import Package
+from vulnerabilities.models import PackageRelatedVulnerability
+from vulnerabilities.models import Vulnerability
+from vulnerabilities.models import VulnerabilityReference
+from vulnerabilities.models import VulnerabilityRelatedReference
+from vulnerabilities.models import VulnerabilitySeverity
+from vulnerabilities.utils import load_json
+
+BASE_DIR = os.path.dirname(os.path.abspath(__file__))
+
+
+def get_weighted_severity(references: List[VulnerabilityReference]):
+    """
+    Weighted Severity is the maximum value obtained when each Severity is multiplied
+    by its associated Weight/10.
+    Example of Weighted Severity: max(7*(10/10), 8*(3/10), 6*(8/10)) = 7
+    """
+    weight_config_path = os.path.join(BASE_DIR, "..", "weight_config.json")
+    weight_config = load_json(weight_config_path)
+
+    score_map = {
+        "low": 3,
+        "moderate": 6.9,
+        "medium": 6.9,
+        "high": 8.9,
+        "important": 8.9,
+        "critical": 10.0,
+        "urgent": 10.0,
+    }
+
+    score_list = []
+    for reference in references:
+        weight = weight_config.get(reference.url)  # TODO use regular expression
+        vul_severities = VulnerabilitySeverity.objects.filter(reference=reference)
+        for vul_severity in vul_severities:
+            vul_score = vul_severity.value
+
+            try:
+                vul_score = float(vul_score)
+                vul_score_value = vul_score * weight
+            except ValueError:
+                vul_score = vul_score.lower()
+                vul_score_value = score_map.get(vul_score, 0) * weight
+
+            score_list.append(vul_score_value)
+    return max(score_list)
+
+
+def get_exploitability_level(vulnerability: Vulnerability):
+    """
+    Exploitability refers to the potential or
+    probability of a software package vulnerability being exploited by
+    malicious actors to compromise systems, applications, or networks.
+    It is determined automatically by discovery of exploits.
+    """
+    # no exploit known ( default )
+    exploit_level = 0.5
+
+    exploits = Exploit.objects.filter(vulnerability=vulnerability)
+
+    ref = VulnerabilityRelatedReference.objects.filter(
+        reference__reference_type=VulnerabilityReference.EXPLOIT, vulnerability=vulnerability
+    )
+
+    if exploits:
+        # Automatable Exploit with PoC script published OR known exploits (KEV) in the wild OR known ransomware OR high EPSS.
+
+        # TODO: Fix EPSS
+        exploit_level = 2
+
+    elif ref:
+        # PoC/Exploit script published
+        exploit_level = 1
+
+    return exploit_level
+
+
+def calculate_vulnerability_risk(vulnerability: Vulnerability):
+    """
+    Risk may be expressed as a number ranging from 0 to 10.
+    Risk is calculated from weighted severity and exploitability values.
+    It is the maximum value of (the weighted severity multiplied by its exploitability) or 10
+
+    Risk = min(weighted severity * exploitability, 10)
+    """
+    refs = vulnerability.references.all()
+    weighted_severity = get_weighted_severity(refs)
+    exploitability = get_exploitability_level(vulnerability)
+    return min(weighted_severity * exploitability, 10)
+
+
+def calculate_pkg_risk(package: Package):
+    """ """
+    result = []
+    for pkg_related_vul in PackageRelatedVulnerability.objects.filter(package=package, fix=False):
+        risk = calculate_vulnerability_risk(pkg_related_vul.val)
+        result.append(risk)
+    return result

vulnerabilities/tests/test_risk.py

@@ -0,0 +1,108 @@
+import pytest
+
+from vulnerabilities.models import Exploit
+from vulnerabilities.models import Vulnerability
+from vulnerabilities.models import VulnerabilityReference
+from vulnerabilities.models import VulnerabilityRelatedReference
+from vulnerabilities.models import VulnerabilitySeverity
+from vulnerabilities.models import Weakness
+from vulnerabilities.risk import calculate_vulnerability_risk
+from vulnerabilities.risk import get_exploitability_level
+from vulnerabilities.risk import get_weighted_severity
+from vulnerabilities.severity_systems import CVSSV3
+from vulnerabilities.severity_systems import GENERIC
+
+
+@pytest.fixture
+@pytest.mark.django_db
+def vulnerability():
+    vul = Vulnerability(vulnerability_id="VCID-Existing")
+    vul.save()
+
+    reference1 = VulnerabilityReference.objects.create(
+        reference_id="",
+        url="https://nvd.nist.gov/*",
+    )
+
+    VulnerabilitySeverity.objects.create(
+        reference=reference1,
+        scoring_system=CVSSV3.identifier,
+        scoring_elements="CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N/E:H/RL:O/RC:R/CR:H/MAC:H/MC:L",
+        value="6.5",
+    )
+
+    VulnerabilitySeverity.objects.create(
+        reference=reference1,
+        scoring_system=GENERIC.identifier,
+        value="MODERATE",  # 6.9
+    )
+
+    VulnerabilityRelatedReference.objects.create(reference=reference1, vulnerability=vul)
+
+    weaknesses = Weakness.objects.create(cwe_id=119)
+    vul.weaknesses.add(weaknesses)
+    return vul
+
+
+@pytest.mark.django_db
+def test_get_weighted_severity(vulnerability):
+    refs = vulnerability.references.all()
+    assert get_weighted_severity(refs) == 4.83  # max([6.5*.7, 6.9*.7])
+
+    reference2 = VulnerabilityReference.objects.create(
+        reference_id="",
+        url="https://www.debian.org/security/*",
+    )
+
+    VulnerabilitySeverity.objects.create(
+        reference=reference2,
+        scoring_system=GENERIC.identifier,
+        value="CRITICAL",
+    )
+
+    VulnerabilityRelatedReference.objects.create(reference=reference2, vulnerability=vulnerability)
+
+    refs = vulnerability.references.all()
+    assert get_weighted_severity(refs) == 8.0
+
+
+@pytest.fixture
+@pytest.mark.django_db
+def vulnerability_with_exploit():
+    vul = Vulnerability(vulnerability_id="VCID-Exploit")
+    vul.save()
+
+    Exploit.objects.create(vulnerability=vul, description="exploit description")
+    return vul
+
+
+@pytest.fixture
+@pytest.mark.django_db
+def vulnerability_with_exploit_ref():
+    vul = Vulnerability(vulnerability_id="VCID-Exploit-Ref")
+    vul.save()
+
+    reference_exploit = VulnerabilityReference.objects.create(
+        reference_id="",
+        reference_type=VulnerabilityReference.EXPLOIT,
+        url="https://...",
+    )
+
+    VulnerabilityRelatedReference.objects.create(reference=reference_exploit, vulnerability=vul)
+    return vul
+
+
+@pytest.mark.django_db
+def test_exploitability_level(
+    vulnerability_with_exploit, vulnerability_with_exploit_ref, vulnerability
+):
+    assert get_exploitability_level(vulnerability_with_exploit) == 2
+
+    assert get_exploitability_level(vulnerability_with_exploit_ref) == 1
+
+    assert get_exploitability_level(vulnerability) == 0.5
+
+
+@pytest.mark.django_db
+def test_calculate_vulnerability_risk(vulnerability):
+    assert calculate_vulnerability_risk(vulnerability) == 2.415

weight_config.json

@@ -0,0 +1,5 @@
+{
+  "https://nvd.nist.gov/*": 0.7,
+  "https://www.debian.org/security/*": 0.8,
+  "https://github.com/nexB/vulnerablecode/*": 1
+}