Searching for cve2stix data using date ranges?

0101001001001 · 4 September 2024 14:33

I have cve2stix data in Arango, imported using stix2arango like so;

python3 utilities/arango_cti_processor/insert_archive_cve.py \
  --database forum_demo

I want to filter created CVEs by date. e.g. show me all CVEs published in June.

How can I filter the results based on time?

dgreenwood-dogesec · 4 September 2024 14:34

cve2stix Vulnerability objects look like this:

[
  [
    {
      "created": "2024-07-31T11:15:11.010Z",
      "created_by_ref": "identity--562918ee-d5da-5579-b6a1-fae50cc6bad3",
      "description": "The Tainacan plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_file' function in all versions up to, and including, 0.21.7. The function is also vulnerable to directory traversal. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.",
      "extensions": {
        "extension-definition--2c5c13af-ee92-5246-9ba7-0b958f8cd34a": {
          "extension_type": "toplevel-property-extension"
        }
      },
      "external_references": [
        {
          "source_name": "cve",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7135",
          "external_id": "CVE-2024-7135"
        },
        {
          "source_name": "cwe",
          "url": "https://cwe.mitre.org/data/definitions/CWE-862.html",
          "external_id": "CWE-862"
        },
        {
          "source_name": "security@wordfence.com",
          "description": "",
          "url": "https://plugins.trac.wordpress.org/browser/tainacan/trunk/classes/api/endpoints/class-tainacan-rest-background-processes-controller.php#L370"
        },
        {
          "source_name": "security@wordfence.com",
          "description": "",
          "url": "https://plugins.trac.wordpress.org/browser/tainacan/trunk/classes/api/endpoints/class-tainacan-rest-background-processes-controller.php#L378"
        },
        {
          "source_name": "security@wordfence.com",
          "description": "",
          "url": "https://plugins.trac.wordpress.org/changeset/3127693/"
        },
        {
          "source_name": "security@wordfence.com",
          "description": "",
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e4dd0c6a-75af-4b53-ac13-fc4ef0e9001d?source=cve"
        }
      ],
      "id": "vulnerability--c51f60bc-ed38-5fce-b5cb-e17773b8b02d",
      "modified": "2024-07-31T12:57:02.300Z",
      "name": "CVE-2024-7135",
      "object_marking_refs": [
        "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
        "marking-definition--562918ee-d5da-5579-b6a1-fae50cc6bad3"
      ],
      "spec_version": "2.1",
      "type": "vulnerability",
      "x_cvss": {
        "v3_1": {
          "base_score": 6.5,
          "base_severity": "MEDIUM",
          "exploitability_score": 2.8,
          "impact_score": 3.6,
          "vector_string": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
        }
      },
      "x_epss": {
        "date": "2024-08-30",
        "percentile": "0.306560000",
        "score": "0.000680000"
      }
    }
  ]
]

The created date shows the date the NVD published it. The modified date shows when the record was last updated (most CVEs are usually update quite a few times b/c they are usually published with minimal info).

Thus in your scenario we want to filter on created time.

This search will return CVEs published in June

FOR doc IN nvd_cve_vertex_collection
FILTER DATE_MONTH(doc.created) == 6
AND doc.type == "vulnerability"
LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)

If you need to search for specific dates…

FOR doc IN nvd_cve_vertex_collection
FILTER DATE_TIMESTAMP(doc.created) >= DATE_TIMESTAMP("2024-06-04T00:00:00Z")
AND DATE_TIMESTAMP(doc.created) <= DATE_TIMESTAMP("2024-06-09T23:59:59Z")
AND doc.type == "vulnerability"
LET keys = ATTRIBUTES(doc)
  LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
  RETURN KEEP(doc, filteredKeys)

You can get a overview of how many CVEs are reported each month as follows;

FOR doc IN nvd_cve_vertex_collection
FILTER doc.type == "vulnerability"
COLLECT yearMonth = CONCAT(DATE_YEAR(doc.created), "-", RIGHT("0" + DATE_MONTH(doc.created), 2)) WITH COUNT INTO count
RETURN { yearMonth, count }

Results look like this:

[
  {
    "yearMonth": "1988-10",
    "count": 1
  },
  {
    "yearMonth": "1988-11",
    "count": 1
  },
  {
    "yearMonth": "1989-1",
    "count": 1
  },
  {
    "yearMonth": "1989-10",
    "count": 1
  },
  {
    "yearMonth": "1989-7",
    "count": 1
  },
  {
    "yearMonth": "1990-1",
    "count": 1
  },
  {
    "yearMonth": "1990-10",
    "count": 5
  },
  {
    "yearMonth": "1990-12",
    "count": 2
  },