From 233a92bb67a18a7f77dc9f3bdfad57a506de7640 Mon Sep 17 00:00:00 2001
From: Timo Pollmeier
Date: Thu, 23 Jan 2025 14:46:18 +0100
Subject: [PATCH] Add: Setting to enable new CVE scan CPE matching
The setting "CVE-CPE Matching Version" has been added that allows switching between the old "affected products" based matching for CVE scans and the new one based on the extended matching rules. For now the old version will be used by default.
---
 src/manage.c | 17 ++++++++++++++---
 src/manage_sql.c | 27 +++++++++++++++++++++++++--
 src/manage_sql.h | 5 +++++
 3 files changed, 44 insertions(+), 5 deletions(-)
diff --git a/src/manage.c b/src/manage.c
index a9a402045..06034a5da 100644
--- a/src/manage.c
+++ b/src/manage.c
@@ -3483,11 +3483,18 @@ cve_scan_report_host_json (task_t task,
 * @param[in] task Task.
 * @param[in] report The report to add the host, results and details to.
 * @param[in] gvm_host Host.
+ * @param[in] matching_version The CPE-CVE matching version (0 or 1) to use.
+ *
+ * With version 0 matching, CPEs are only compared to the affected products
+ * lists of CVEs.
+ * With version 1 matching, CPEs are matched by evaluating the match criteria
+ * for the CVEs.
 *
 * @return 0 success, 1 failed to get nthlast report for a host.
 */
 static int
-cve_scan_host (task_t task, report_t report, gvm_host_t *gvm_host)
+cve_scan_host (task_t task, report_t report, gvm_host_t *gvm_host,
+ int matching_version)
 {
 report_host_t report_host;
 gchar *ip, *host;
@@ -3533,7 +3540,8 @@ cve_scan_host (task_t task, report_t report, gvm_host_t *gvm_host)
 start_time = time (NULL);
 prognosis_report_host = 0;
- if (sql_int64_0 ("SELECT count(1) FROM information_schema.tables"
+ if (matching_version == 1 &&
+ sql_int64_0 ("SELECT count(1) FROM information_schema.tables"
 " WHERE table_schema = 'scap'"
 " AND table_name = 'cpe_match_nodes';") > 0)
 {
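Review bot: The new `@param[in] matching_version` line in the cve_scan_host doc comment says "(0 or 1)" but does not say what happens for any other value, or when version 1 is requested and cannot be used. Judging by the condition added in the next hunk, anything other than 1 appears to take the old affected-products path, and version 1 is also skipped when `scap.cpe_match_nodes` does not exist. I would add a sentence such as `* Any value other than 1, or a missing scap.cpe_match_nodes table, selects version 0 matching.` so the fallback is part of the documented contract. The function body continues outside this hunk.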
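Review bot: In cve_scan_host the combined test `matching_version == 1 && sql_int64_0 (...) > 0` leaves no trace when version 1 is configured but the `cpe_match_nodes` table is missing, so neither the log nor the report shows which matching produced the findings. Because the two modes can report different CVEs for the same host, the downgrade should be visible, for example by testing the setting first and emitting `g_warning ("%s: matching version 1 requested but scap.cpe_match_nodes is missing, using version 0", __func__);` on that path. The literal `1` would also read better as a named constant shared with the check in setting_verify. The else branch is outside the hunk, so the fallback behaviour is inferred rather than shown.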
@@ -3780,8 +3788,11 @@ fork_cve_scan_handler (task_t task, target_t target)
 }
 free (exclude_hosts);
+ int matching_version;
+ setting_value_int(SETTING_UUID_CVE_CPE_MATCHING_VERSION, &matching_version);
+
 while ((gvm_host = gvm_hosts_next (gvm_hosts)))
- if (cve_scan_host (task, global_current_report, gvm_host))
+ if (cve_scan_host (task, global_current_report, gvm_host, matching_version))
 {
 set_task_interrupted (task,
 "Failed to get nthlast report."
diff --git a/src/manage_sql.c b/src/manage_sql.c
index c0f2833bd..99635d030 100644
--- a/src/manage_sql.c
+++ b/src/manage_sql.c
@@ -16310,6 +16310,17 @@ check_db_settings ()
 " 'User Interface Date Format',"
 " 'Preferred date format to be used in client user interfaces.',"
 " 'system_default' );");
+
+ if (sql_int ("SELECT count(*) FROM settings"
+ " WHERE uuid = '" SETTING_UUID_CVE_CPE_MATCHING_VERSION "'"
+ " AND " ACL_IS_GLOBAL () ";")
+ == 0)
+ sql ("INSERT into settings (uuid, owner, name, comment, value)"
+ " VALUES"
+ " ('" SETTING_UUID_CVE_CPE_MATCHING_VERSION "', NULL,"
+ " 'CVE-CPE Matching Version',"
+ " 'Version of the CVE-CPE matching used in CVE scans.',"
+ " '0' );");
 }
 /**
@@ -53565,6 +53576,8 @@ setting_name (const gchar *uuid)
 return "Feed Import Roles";
 if (strcmp (uuid, SETTING_UUID_SECINFO_SQL_BUFFER_THRESHOLD) == 0)
 return "SecInfo SQL Buffer Threshold";
+ if (strcmp (uuid, SETTING_UUID_CVE_CPE_MATCHING_VERSION) == 0)
+ return "CVE-CPE Matching Version";
 return NULL;
 }
@@ -53605,6 +53618,8 @@ setting_description (const gchar *uuid)
 if (strcmp (uuid, SETTING_UUID_SECINFO_SQL_BUFFER_THRESHOLD) == 0)
 return "Buffer size threshold in MiB for running buffered SQL statements"
 " in SecInfo updates before the end of the file being processed.";
+ if (strcmp (uuid, SETTING_UUID_CVE_CPE_MATCHING_VERSION) == 0)
+ return "Version of the CVE-CPE matching used in CVE scans.";
 return NULL;
 }
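Review bot: In fork_cve_scan_handler, `matching_version` is declared without an initializer and the return value of `setting_value_int` is ignored. If the lookup fails without writing to the out-parameter, an indeterminate value reaches every cve_scan_host call. Whether setting_value_int always stores a value is not visible on this page, so I would remove the dependency with `int matching_version = 0;` followed by `if (setting_value_int (SETTING_UUID_CVE_CPE_MATCHING_VERSION, &matching_version)) matching_version = 0;`, ideally with a warning logged on that path. The call is also missing the space before the opening parenthesis that the surrounding code uses. The function starts and ends outside this hunk.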
@@ -53700,6 +53715,12 @@ setting_verify (const gchar *uuid, const gchar *value, const gchar *user)
 return 1;
 }
+ if (strcmp (uuid, SETTING_UUID_CVE_CPE_MATCHING_VERSION) == 0)
+ {
+ if (strcmp (value, "0") && strcmp (value, "1"))
+ return 1;
+ }
+
 return 0;
 }
@@ -53794,7 +53815,8 @@ manage_modify_setting (GSList *log_config, const db_conn_info_t *database,
 && strcmp (uuid, SETTING_UUID_LSC_DEB_MAINTAINER)
 && strcmp (uuid, SETTING_UUID_FEED_IMPORT_OWNER)
 && strcmp (uuid, SETTING_UUID_FEED_IMPORT_ROLES)
- && strcmp (uuid, SETTING_UUID_SECINFO_SQL_BUFFER_THRESHOLD))
+ && strcmp (uuid, SETTING_UUID_SECINFO_SQL_BUFFER_THRESHOLD)
+ && strcmp (uuid, SETTING_UUID_CVE_CPE_MATCHING_VERSION))
 {
 fprintf (stderr, "Error in setting UUID.\n");
 return 3;
@@ -53822,7 +53844,8 @@ manage_modify_setting (GSList *log_config, const db_conn_info_t *database,
 if ((strcmp (uuid, SETTING_UUID_DEFAULT_CA_CERT) == 0)
 || (strcmp (uuid, SETTING_UUID_FEED_IMPORT_OWNER) == 0)
 || (strcmp (uuid, SETTING_UUID_FEED_IMPORT_ROLES) == 0)
- || (strcmp (uuid, SETTING_UUID_SECINFO_SQL_BUFFER_THRESHOLD) == 0))
+ || (strcmp (uuid, SETTING_UUID_SECINFO_SQL_BUFFER_THRESHOLD) == 0)
+ || (strcmp (uuid, SETTING_UUID_CVE_CPE_MATCHING_VERSION) == 0))
 {
 sql_rollback ();
 fprintf (stderr,
diff --git a/src/manage_sql.h b/src/manage_sql.h
index c7181ac4a..03a4dfe62 100644
--- a/src/manage_sql.h
+++ b/src/manage_sql.h
@@ -152,6 +152,11 @@
 */
 #define SETTING_UUID_USER_INTERFACE_DATE_FORMAT "d9857b7c-1159-4193-9bc0-18fae5473a69"
+/**
+ * @brief UUID of 'CVE-CPE Matching Version' setting.
+ */
+#define SETTING_UUID_CVE_CPE_MATCHING_VERSION "2e8a8ccc-219f-4a82-824a-3ad88b6d4029"
+
 /**
 * @brief Trust constant for error.
 */