oss/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft.git synced 2025-11-17 08:23:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: index known CPEs for wordpress plugins and themes (#2963)

Browse Source 
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
This commit is contained in:
Weston Steimel 2024-06-14 14:39:43 +01:00 committed by GitHub
parent 749ccc59c1
commit d5cd5f6091
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 11860 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11605
syft/pkg/cataloger/internal/cpegenerate/dictionary/data/cpe-index.json
View File

File diff suppressed because it is too large Load Diff

46
syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/generate.go
View File

@ -116,6 +116,15 @@ const (
prefixForPHPPeclHTTP = "http://pecl.php.net/" prefixForPHPPeclHTTP = "http://pecl.php.net/"
prefixForPHPComposer = "https://packagist.org/packages/" prefixForPHPComposer = "https://packagist.org/packages/"
prefixForGoModules = "https://pkg.go.dev/" prefixForGoModules = "https://pkg.go.dev/"
prefixForWordpressPlugins = "https://wordpress.org/plugins/"
prefixForWordpressPluginsTracBrowser = "https://plugins.trac.wordpress.org/browser/"
prefixForWordpressPluginsTracLog = "https://plugins.trac.wordpress.org/log/"
prefixForWordpressPluginsGitHubArchive = "https://github.com/wp-plugins/"
prefixForWordpressPluginsWordfence = "https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/"
prefixForWordpressThemes = "https://wordpress.org/themes/"
prefixForWordpressThemesTracBrowser = "https://themes.trac.wordpress.org/browser/"
prefixForWordpressThemesTracLog = "https://themes.trac.wordpress.org/log/"
prefixForWordpressThemesWordfence = "https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/"
) )
// indexCPEList creates an index of CPEs by ecosystem. // indexCPEList creates an index of CPEs by ecosystem.
@ -164,6 +173,12 @@ func indexCPEList(list CpeList) *dictionary.Indexed {
case strings.HasPrefix(ref, prefixForGoModules): case strings.HasPrefix(ref, prefixForGoModules):
addEntryForGoModulePackage(indexed, ref, cpeItemName) addEntryForGoModulePackage(indexed, ref, cpeItemName)
case strings.HasPrefix(ref, prefixForWordpressPlugins), strings.HasPrefix(ref, prefixForWordpressPluginsTracBrowser), strings.HasPrefix(ref, prefixForWordpressPluginsTracLog), strings.HasPrefix(ref, prefixForWordpressPluginsGitHubArchive), strings.HasPrefix(ref, prefixForWordpressPluginsWordfence):
addEntryForWordpressPlugin(indexed, ref, cpeItemName)
case strings.HasPrefix(ref, prefixForWordpressThemes), strings.HasPrefix(ref, prefixForWordpressThemesTracBrowser), strings.HasPrefix(ref, prefixForWordpressThemesTracLog), strings.HasPrefix(ref, prefixForWordpressThemesWordfence):
addEntryForWordpressTheme(indexed, ref, cpeItemName)
} }
} }
} }
@ -183,6 +198,37 @@ func updateIndex(indexed *dictionary.Indexed, ecosystem string, pkgName string,
indexed.EcosystemPackages[ecosystem][pkgName].Add(cpe) indexed.EcosystemPackages[ecosystem][pkgName].Add(cpe)
} }
func addEntryForWordpressPlugin(indexed *dictionary.Indexed, ref string, cpeItemName string) {
// Prune off the non-package-name parts of the URL
ref = strings.TrimPrefix(ref, prefixForWordpressPlugins)
ref = strings.TrimPrefix(ref, prefixForWordpressPluginsTracBrowser)
ref = strings.TrimPrefix(ref, prefixForWordpressPluginsTracLog)
ref = strings.TrimPrefix(ref, prefixForWordpressPluginsGitHubArchive)
ref = strings.TrimPrefix(ref, prefixForWordpressPluginsWordfence)
ref = strings.Split(ref, "?")[0]
ref = strings.Split(ref, "/")[0]
if ref == "" {
return
}
updateIndex(indexed, dictionary.EcosystemWordpressPlugins, ref, cpeItemName)
}
func addEntryForWordpressTheme(indexed *dictionary.Indexed, ref string, cpeItemName string) {
// Prune off the non-package-name parts of the URL
ref = strings.TrimPrefix(ref, prefixForWordpressThemes)
ref = strings.TrimPrefix(ref, prefixForWordpressThemesTracBrowser)
ref = strings.TrimPrefix(ref, prefixForWordpressThemesTracLog)
ref = strings.TrimPrefix(ref, prefixForWordpressThemesWordfence)
ref = strings.Split(ref, "?")[0]
ref = strings.Split(ref, "/")[0]
if ref == "" {
return
}
updateIndex(indexed, dictionary.EcosystemWordpressThemes, ref, cpeItemName)
}
func addEntryForRustCrate(indexed *dictionary.Indexed, ref string, cpeItemName string) { func addEntryForRustCrate(indexed *dictionary.Indexed, ref string, cpeItemName string) {
// Prune off the non-package-name parts of the URL // Prune off the non-package-name parts of the URL
ref = strings.TrimPrefix(ref, prefixForRustCrates) ref = strings.TrimPrefix(ref, prefixForRustCrates)

117
syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/generate_test.go
View File

@ -243,6 +243,123 @@ func Test_addEntryFuncs(t *testing.T) {
}, },
}, },
}, },
{
name: "addEntryForWordpressPlugin",
addEntryFunc: addEntryForWordpressPlugin,
inputRef: "https://wordpress.org/plugins/armadillo/releases",
inputCpeItemName: "cpe:2.3:a:armadillo:armadillo:1.23:*:*:*:*:wordpress:*:*",
expectedIndexed: dictionary.Indexed{
EcosystemPackages: map[string]dictionary.Packages{
dictionary.EcosystemWordpressPlugins: {
"armadillo": dictionary.NewSet("cpe:2.3:a:armadillo:armadillo:1.23:*:*:*:*:wordpress:*:*"),
},
},
},
},
{
name: "addEntryForWordpressPlugin from Trac Browser",
addEntryFunc: addEntryForWordpressPlugin,
inputRef: "https://plugins.trac.wordpress.org/browser/armadillo/something",
inputCpeItemName: "cpe:2.3:a:armadillo:armadillo:1.23:*:*:*:*:wordpress:*:*",
expectedIndexed: dictionary.Indexed{
EcosystemPackages: map[string]dictionary.Packages{
dictionary.EcosystemWordpressPlugins: {
"armadillo": dictionary.NewSet("cpe:2.3:a:armadillo:armadillo:1.23:*:*:*:*:wordpress:*:*"),
},
},
},
},
{
name: "addEntryForWordpressPlugin from Trac Log",
addEntryFunc: addEntryForWordpressPlugin,
inputRef: "https://plugins.trac.wordpress.org/log/armadillo/log",
inputCpeItemName: "cpe:2.3:a:armadillo:armadillo:1.23:*:*:*:*:wordpress:*:*",
expectedIndexed: dictionary.Indexed{
EcosystemPackages: map[string]dictionary.Packages{
dictionary.EcosystemWordpressPlugins: {
"armadillo": dictionary.NewSet("cpe:2.3:a:armadillo:armadillo:1.23:*:*:*:*:wordpress:*:*"),
},
},
},
},
{
name: "addEntryForWordpressPlugin from GitHub wp-plugins archive",
addEntryFunc: addEntryForWordpressPlugin,
inputRef: "https://github.com/wp-plugins/armadillo/something",
inputCpeItemName: "cpe:2.3:a:armadillo:armadillo:1.23:*:*:*:*:wordpress:*:*",
expectedIndexed: dictionary.Indexed{
EcosystemPackages: map[string]dictionary.Packages{
dictionary.EcosystemWordpressPlugins: {
"armadillo": dictionary.NewSet("cpe:2.3:a:armadillo:armadillo:1.23:*:*:*:*:wordpress:*:*"),
},
},
},
},
{
name: "addEntryForWordpressPlugin wordfence",
addEntryFunc: addEntryForWordpressPlugin,
inputRef: "https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/armadillo/skjfhskdjhf/12344",
inputCpeItemName: "cpe:2.3:a:armadillo:armadillo:1.23:*:*:*:*:wordpress:*:*",
expectedIndexed: dictionary.Indexed{
EcosystemPackages: map[string]dictionary.Packages{
dictionary.EcosystemWordpressPlugins: {
"armadillo": dictionary.NewSet("cpe:2.3:a:armadillo:armadillo:1.23:*:*:*:*:wordpress:*:*"),
},
},
},
},
{
name: "addEntryForWordpressTheme",
addEntryFunc: addEntryForWordpressTheme,
inputRef: "https://wordpress.org/themes/basic/releases",
inputCpeItemName: "cpe:2.3:a:basic:basic:1.23:*:*:*:*:wordpress:*:*",
expectedIndexed: dictionary.Indexed{
EcosystemPackages: map[string]dictionary.Packages{
dictionary.EcosystemWordpressThemes: {
"basic": dictionary.NewSet("cpe:2.3:a:basic:basic:1.23:*:*:*:*:wordpress:*:*"),
},
},
},
},
{
name: "addEntryForWordpressTheme from Trac Browser",
addEntryFunc: addEntryForWordpressTheme,
inputRef: "https://themes.trac.wordpress.org/browser/basic/something",
inputCpeItemName: "cpe:2.3:a:basic:basic:1.23:*:*:*:*:wordpress:*:*",
expectedIndexed: dictionary.Indexed{
EcosystemPackages: map[string]dictionary.Packages{
dictionary.EcosystemWordpressThemes: {
"basic": dictionary.NewSet("cpe:2.3:a:basic:basic:1.23:*:*:*:*:wordpress:*:*"),
},
},
},
},
{
name: "addEntryForWordpressTheme from Trac Log",
addEntryFunc: addEntryForWordpressTheme,
inputRef: "https://themes.trac.wordpress.org/log/basic/log",
inputCpeItemName: "cpe:2.3:a:basic:basic:1.23:*:*:*:*:wordpress:*:*",
expectedIndexed: dictionary.Indexed{
EcosystemPackages: map[string]dictionary.Packages{
dictionary.EcosystemWordpressThemes: {
"basic": dictionary.NewSet("cpe:2.3:a:basic:basic:1.23:*:*:*:*:wordpress:*:*"),
},
},
},
},
{
name: "addEntryForWordpressTheme wordfence",
addEntryFunc: addEntryForWordpressTheme,
inputRef: "https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/basic/skjfhskdjhf/12344",
inputCpeItemName: "cpe:2.3:a:basic:basic:1.23:*:*:*:*:wordpress:*:*",
expectedIndexed: dictionary.Indexed{
EcosystemPackages: map[string]dictionary.Packages{
dictionary.EcosystemWordpressThemes: {
"basic": dictionary.NewSet("cpe:2.3:a:basic:basic:1.23:*:*:*:*:wordpress:*:*"),
},
},
},
},
} }
for _, tt := range tests { for _, tt := range tests {

52
syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/testdata/expected-cpe-index.json vendored
View File

@ -106,6 +106,58 @@
"unicycle": [ "unicycle": [
"cpe:2.3:a:unicycle_project:unicycle:*:*:*:*:*:rust:*:*" "cpe:2.3:a:unicycle_project:unicycle:*:*:*:*:*:rust:*:*"
] ]
},
"wordpress_plugins": {
"0mk-shortener": [
"cpe:2.3:a:0mk_shortener_project:0mk_shortener:*:*:*:*:*:wordpress:*:*"
],
"jobboardwp": [
"cpe:2.3:a:ultimatemember:jobboardwp:*:*:*:*:*:wordpress:*:*"
],
"nofollow": [
"cpe:2.3:a:ultimate_nofollow_project:ultimate_nofollow:*:*:*:*:*:wordpress:*:*"
],
"petfinder-listings": [
"cpe:2.3:a:unboxinteractive:petfinder-listings:*:*:*:*:*:wordpress:*:*"
],
"ultimate-instagram-feed": [
"cpe:2.3:a:ultimate_instagram_feed_project:ultimate_instagram_feed:*:*:*:*:*:wordpress:*:*"
],
"ultimate-member": [
"cpe:2.3:a:ultimatemember:ultimate_member:*:*:*:*:*:wordpress:*:*",
"cpe:2.3:a:ultimatemember:user_profile_\\\u0026_membership:*:*:*:*:*:wordpress:*:*"
],
"ultimate-noindex-nofollow-tool-ii": [
"cpe:2.3:a:ultimate_noindex_nofollow_tool_ii_project:ultimate_noindex_nofollow_tool_ii:*:*:*:*:*:wordpress:*:*"
],
"ultimate-sms-notifications": [
"cpe:2.3:a:ultimatesmsnotifications:ultimate_sms_notifications_for_woocommerce:*:*:*:*:*:wordpress:*:*"
],
"ultimate-weather-plugin": [
"cpe:2.3:a:ultimate-weather_project:ultimate-weather:*:*:*:*:*:wordpress:*:*"
],
"ultimate-wp-query-search-filter": [
"cpe:2.3:a:ultimate_wp_query_search_filter_project:ultimate_wp_query_search_filter:*:*:*:*:*:wordpress:*:*"
],
"uncanny-automator": [
"cpe:2.3:a:uncannyowl:uncanny_automator:*:*:*:*:*:wordpress:*:*"
],
"uncanny-learndash-toolkit": [
"cpe:2.3:a:uncannyowl:uncanny_toolkit_for_learndash:*:*:*:*:*:*:*:*",
"cpe:2.3:a:uncannyowl:uncanny_toolkit_for_learndash:*:*:*:*:*:wordpress:*:*"
],
"unconfirmed": [
"cpe:2.3:a:unconfirmed_project:unconfirmed:*:*:*:*:*:wordpress:*:*"
],
"underconstruction": [
"cpe:2.3:a:underconstruction_project:underconstruction:*:*:*:*:*:wordpress:*:*"
],
"wp-cleanfix": [
"cpe:2.3:a:undolog:wp_cleanfix:*:*:*:*:*:wordpress:*:*"
],
"wp-ultra-simple-paypal-shopping-cart": [
"cpe:2.3:a:ultra-prod:wordpress_ultra_simple_paypal_shopping_cart:*:*:*:*:*:wordpress:*:*"
]
} }
} }
} }

8
syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/testdata/official-cpe-dictionary_v2.3.xml vendored
View File

@ -25093,6 +25093,14 @@
</references> </references>
<cpe-23:cpe23-item name="cpe:2.3:a:yaml_project:yaml:2.3.0:*:*:*:*:go:*:*"/> <cpe-23:cpe23-item name="cpe:2.3:a:yaml_project:yaml:2.3.0:*:*:*:*:go:*:*"/>
</cpe-item> </cpe-item>
<cpe-item name="cpe:/a:0mk_shortener_project:0mk_shortener:0.2::~~~wordpress~~">
<title xml:lang="en-US">0mk Shortener Project 0mk Shortener 0.2 for WordPress</title>
<references>
<reference href="https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/0mk-shortener/0mk-shortener-02-cross-site-request-forgery-to-stored-cross-site-scripting">Advisory</reference>
<reference href="https://wordpress.org/plugins/0mk-shortener/">Project</reference>
</references>
<cpe-23:cpe23-item name="cpe:2.3:a:0mk_shortener_project:0mk_shortener:0.2:*:*:*:*:wordpress:*:*"/>
</cpe-item>
</cpe-list> </cpe-list>
</cpe-list> </cpe-list>
</cpe-list> </cpe-list>

2
syft/pkg/cataloger/internal/cpegenerate/dictionary/types.go
View File

@ -17,6 +17,8 @@ const (
EcosystemJenkinsPlugins = "jenkins_plugins" EcosystemJenkinsPlugins = "jenkins_plugins"
EcosystemRustCrates = "rust_crates" EcosystemRustCrates = "rust_crates"
EcosystemGoModules = "go_modules" EcosystemGoModules = "go_modules"
EcosystemWordpressPlugins = "wordpress_plugins"
EcosystemWordpressThemes = "wordpress_themes"
) )
type Indexed struct { type Indexed struct {

7
syft/pkg/cataloger/internal/cpegenerate/generate.go
View File

@ -96,6 +96,13 @@ func FromDictionaryFind(p pkg.Package) ([]cpe.CPE, bool) {
case pkg.GoModulePkg: case pkg.GoModulePkg:
cpes, ok = dict.EcosystemPackages[dictionary.EcosystemGoModules][p.Name] cpes, ok = dict.EcosystemPackages[dictionary.EcosystemGoModules][p.Name]
case pkg.WordpressPluginPkg:
metadata, valid := p.Metadata.(pkg.WordpressPluginEntry)
if !valid {
return parsedCPEs, false
}
cpes, ok = dict.EcosystemPackages[dictionary.EcosystemWordpressPlugins][metadata.PluginInstallDirectory]
default: default:
// The dictionary doesn't support this package type yet. // The dictionary doesn't support this package type yet.
return parsedCPEs, false return parsedCPEs, false