Searching for cve2stix data using date ranges?

I have cve2stix data in Arango, imported using stix2arango like so:

python3 utilities/arango_cti_processor/insert_archive_cve.py \
  --database forum_demo

I want to filter created CVEs by date, e.g. show me all CVEs published in June.

How can I filter the results based on time?

cve2stix Vulnerability objects look like this:

[
  [
    {
      "created": "2024-07-31T11:15:11.010Z",
      "created_by_ref": "identity--562918ee-d5da-5579-b6a1-fae50cc6bad3",
      "description": "The Tainacan plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_file' function in all versions up to, and including, 0.21.7. The function is also vulnerable to directory traversal. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.",
      "extensions": {
        "extension-definition--2c5c13af-ee92-5246-9ba7-0b958f8cd34a": {
          "extension_type": "toplevel-property-extension"
        }
      },
      "external_references": [
        {
          "source_name": "cve",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7135",
          "external_id": "CVE-2024-7135"
        },
        {
          "source_name": "cwe",
          "url": "https://cwe.mitre.org/data/definitions/CWE-862.html",
          "external_id": "CWE-862"
        },
        {
          "source_name": "[email protected]",
          "description": "",
          "url": "https://plugins.trac.wordpress.org/browser/tainacan/trunk/classes/api/endpoints/class-tainacan-rest-background-processes-controller.php#L370"
        },
        {
          "source_name": "[email protected]",
          "description": "",
          "url": "https://plugins.trac.wordpress.org/browser/tainacan/trunk/classes/api/endpoints/class-tainacan-rest-background-processes-controller.php#L378"
        },
        {
          "source_name": "[email protected]",
          "description": "",
          "url": "https://plugins.trac.wordpress.org/changeset/3127693/"
        },
        {
          "source_name": "[email protected]",
          "description": "",
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e4dd0c6a-75af-4b53-ac13-fc4ef0e9001d?source=cve"
        }
      ],
      "id": "vulnerability--c51f60bc-ed38-5fce-b5cb-e17773b8b02d",
      "modified": "2024-07-31T12:57:02.300Z",
      "name": "CVE-2024-7135",
      "object_marking_refs": [
        "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
        "marking-definition--562918ee-d5da-5579-b6a1-fae50cc6bad3"
      ],
      "spec_version": "2.1",
      "type": "vulnerability",
      "x_cvss": {
        "v3_1": {
          "base_score": 6.5,
          "base_severity": "MEDIUM",
          "exploitability_score": 2.8,
          "impact_score": 3.6,
          "vector_string": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
        }
      },
      "x_epss": {
        "date": "2024-08-30",
        "percentile": "0.306560000",
        "score": "0.000680000"
      }
    }
  ]
]

The created date shows the date the NVD published it. The modified date shows when the record was last updated (most CVEs are usually updated quite a few times b/c they are usually published with minimal info).

Thus in your scenario we want to filter on created time.

This search will return CVEs published in June:

FOR doc IN nvd_cve_vertex_collection
  FILTER DATE_MONTH(doc.created) == 6
    AND doc.type == "vulnerability"
  // Return only the STIX properties: drop attributes whose names start with "_"
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)

If you need to search for specific dates…

FOR doc IN nvd_cve_vertex_collection
  FILTER DATE_TIMESTAMP(doc.created) >= DATE_TIMESTAMP("2024-06-04T00:00:00Z")
    AND DATE_TIMESTAMP(doc.created) <= DATE_TIMESTAMP("2024-06-09T23:59:59Z")
    AND doc.type == "vulnerability"
  // Return only the STIX properties: drop attributes whose names start with "_"
  LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)

You can get an overview of how many CVEs are reported each month as follows:

FOR doc IN nvd_cve_vertex_collection
  FILTER doc.type == "vulnerability"
  COLLECT yearMonth = CONCAT(DATE_YEAR(doc.created), "-", RIGHT("0" + DATE_MONTH(doc.created), 2)) WITH COUNT INTO count
  RETURN { yearMonth, count }

Results look like this:

[
  {
    "yearMonth": "1988-10",
    "count": 1
  },
  {
    "yearMonth": "1988-11",
    "count": 1
  },
  {
    "yearMonth": "1989-1",
    "count": 1
  },
  {
    "yearMonth": "1989-10",
    "count": 1
  },
  {
    "yearMonth": "1989-7",
    "count": 1
  },
  {
    "yearMonth": "1990-1",
    "count": 1
  },
  {
    "yearMonth": "1990-10",
    "count": 5
  },
  {
    "yearMonth": "1990-12",
    "count": 2
  },
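
A variation on the queries above, added as an example and not part of the original post: it restricts the match to June 2024 only (`DATE_MONTH(doc.created) == 6` matches June of every year in the collection) and counts the CVEs published on each day. The bind parameter names `@from` and `@to`, their values, and the index mentioned in the comments are assumptions.

```aql
// Added example, not from the original post.
// Bind parameters (constructed sample values):
//   @from = "2024-06-01T00:00:00.000Z"   inclusive lower bound
//   @to   = "2024-07-01T00:00:00.000Z"   exclusive upper bound
// Assumption: every `created` value is a UTC ISO 8601 string with
// millisecond precision, as in the sample Vulnerability object, so
// comparing the strings orders them by time.
FOR doc IN nvd_cve_vertex_collection
  FILTER doc.type == "vulnerability"
  // No function wraps doc.created, so a persistent index on
  // ["type", "created"] (assumed, create it if missing) can serve the range.
  // The half-open range keeps a record created at 23:59:59.500Z on the
  // last day, which an upper bound of "<= ...T23:59:59Z" would drop.
  FILTER doc.created >= @from AND doc.created < @to
  // DATE_FORMAT zero-pads month and day, so the keys sort chronologically.
  // (AQL's "+" is numeric: "0" + 6 evaluates to 6, not "06".)
  COLLECT day = DATE_FORMAT(doc.created, "%yyyy-%mm-%dd") INTO names = doc.name
  SORT day ASC
  RETURN {
    day,
    count: LENGTH(names),
    cves: names
  }
```

Passing the bounds as bind parameters keeps user-supplied dates out of the query string when this runs behind an API or dashboard.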