I imported cve2stix data into ArangoDB using stix2arango
python3 utilities/arango_cti_processor/insert_archive_cve.py \
--database forum_demo
I want to filter CVEs to only those that contain a certain maker of product name.
For example, only show CVEs that impact Cisco devices.
Yep it’s possible using the Indicator objects created by cve2stix.
e.g.
{
"created": "2024-07-24T14:15:04.867Z",
"created_by_ref": "identity--562918ee-d5da-5579-b6a1-fae50cc6bad3",
"description": "Remote command execution due to use of default passwords. The following products are affected: Acronis Cyber Infrastructure (ACI) before build 5.0.1-61, Acronis Cyber Infrastructure (ACI) before build 5.1.1-71, Acronis Cyber Infrastructure (ACI) before build 5.2.1-69, Acronis Cyber Infrastructure (ACI) before build 5.3.1-53, Acronis Cyber Infrastructure (ACI) before build 5.4.4-132.",
"extensions": {
"extension-definition--ad995824-2901-5f6e-890b-561130a239d4": {
"extension_type": "toplevel-property-extension"
}
},
"external_references": [
{
"source_name": "cve",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45249",
"external_id": "CVE-2023-45249"
}
],
"id": "indicator--9e789ed4-1bba-54a2-8b50-72f7abbee92c",
"indicator_types": [
"compromised"
],
"modified": "2024-07-30T14:34:18.393Z",
"name": "CVE-2023-45249",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--562918ee-d5da-5579-b6a1-fae50cc6bad3"
],
"pattern": "([software:cpe='cpe:2.3:a:acronis:cyber_infrastructure:*:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:acronis:cyber_infrastructure:*:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:acronis:cyber_infrastructure:*:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:acronis:cyber_infrastructure:*:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:acronis:cyber_infrastructure:*:*:*:*:*:*:*:*'])",
"pattern_type": "stix",
"pattern_version": "2.1",
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2024-07-24T14:15:04.867Z",
"x_cpes": {
"not_vulnerable": [],
"vulnerable": [
{
"criteria": "cpe:2.3:a:acronis:cyber_infrastructure:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1A50BD85-127D-48B6-BEDE-00CA3BAFCBAD"
},
{
"criteria": "cpe:2.3:a:acronis:cyber_infrastructure:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E5337751-14F1-4E10-80F3-EF7ED6D4B2B1"
},
{
"criteria": "cpe:2.3:a:acronis:cyber_infrastructure:*:*:*:*:*:*:*:*",
"matchCriteriaId": "29CDCE6A-0B62-4FE6-8033-0C790B81BF6A"
},
{
"criteria": "cpe:2.3:a:acronis:cyber_infrastructure:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6125F2EC-7736-4088-AA1F-3017713AB03E"
},
{
"criteria": "cpe:2.3:a:acronis:cyber_infrastructure:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EC427A5A-F1D5-4DEA-A005-BC4676668571"
}
]
}
}
Here we can see all the CPE Match Strings found in the pattern that are vulnerable (x_cpes.vulnerable) (all of them in this case) and not vulnerable (x_cpes.not_vulnerable)
So to get CVEs affecting specific vendors we can write a search to look for :cisco: in the vulnerable.criteria property
FOR doc in nvd_cve_vertex_collection
FILTER doc.type == "indicator"
FILTER LENGTH(
FOR item IN doc.x_cpes.vulnerable
FILTER CONTAINS(item.criteria, ":cisco:")
RETURN 1
) > 0
RETURN [{ name: doc.name, id: doc.id, pattern: doc.pattern }]
Which returns results like
[
[
{
"name": "CVE-1999-0161",
"id": "indicator--0d50ac18-250d-59bb-b11f-8ace08834b4f",
"pattern": "([software:cpe='cpe:2.3:o:cisco:ios:10.3(3.4):*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:o:cisco:ios:10.3(4.2):*:*:*:*:*:*:*'])"
}
],
[
{
"name": "CVE-2002-0241",
"id": "indicator--652abd0a-3567-5fe3-abce-2da0b89a2eef",
"pattern": "([software:cpe='cpe:2.3:a:cisco:secure_access_control_server:3.0.1:*:windows_nt:*:*:*:*:*'])"
}
],
The vulnerability objects for the CVE have the same UUID part so CVE-1999-0161 has indicator--0d50ac18-250d-59bb-b11f-8ace08834b4f and vulnerability--0d50ac18-250d-59bb-b11f-8ace08834b4f
So we can search for the full CVE information as follows;
FOR doc in nvd_cve_vertex_collection
FILTER doc.id == "vulnerability--0d50ac18-250d-59bb-b11f-8ace08834b4f"
RETURN [doc]
[
[
{
"_key": "vulnerability--0d50ac18-250d-59bb-b11f-8ace08834b4f+2024-09-04T14:04:23.065238Z",
"_id": "nvd_cve_vertex_collection/vulnerability--0d50ac18-250d-59bb-b11f-8ace08834b4f+2024-09-04T14:04:23.065238Z",
"_rev": "_iZzX0zy--L",
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--0d50ac18-250d-59bb-b11f-8ace08834b4f",
"created_by_ref": "identity--562918ee-d5da-5579-b6a1-fae50cc6bad3",
"created": "1995-07-31T04:00:00.000Z",
"modified": "2008-09-09T12:33:53.290Z",
"name": "CVE-1999-0161",
"description": "In Cisco IOS 10.3, with the tacacs-ds or tacacs keyword, an extended IP access control list could bypass filtering.",
"external_references": [
{
"source_name": "cve",
"url": "https://nvd.nist.gov/vuln/detail/CVE-1999-0161",
"external_id": "CVE-1999-0161"
},
{
"source_name": "cve@mitre.org",
"description": "",
"url": "http://www.osvdb.org/797"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--562918ee-d5da-5579-b6a1-fae50cc6bad3"
],
"extensions": {
"extension-definition--2c5c13af-ee92-5246-9ba7-0b958f8cd34a": {
"extension_type": "toplevel-property-extension"
}
},
"x_cvss": {
"v2_0": {
"base_score": 7.5,
"base_severity": "HIGH",
"exploitability_score": 10,
"impact_score": 6.4,
"vector_string": "AV:N/AC:L/Au:N/C:P/I:P/A:P"
}
},
"x_epss": {
"date": "2024-08-27",
"percentile": "0.791790000",
"score": "0.006180000"
},
"_bundle_id": "bundle--743ff2a1-157a-5379-9c80-14c9b850e5a7",
"_file_name": "cve-bundle-2008_09_01-00_00_00-2008_09_30-23_59_59.json",
"_stix2arango_note": "",
"_record_md5_hash": "7982ec8d9c4e8f4149c3c59d37aab268",
"_is_latest": true,
"_record_created": "2024-09-04T14:04:23.065238Z",
"_record_modified": "2024-09-04T14:04:23.065238Z"
}
]
]