From 30beda2ad28ec5cbfd954b8b02cdcedd145dc405 Mon Sep 17 00:00:00 2001
From: kota kanbe
Date: Wed, 25 May 2016 10:43:18 +0900
Subject: [PATCH] Don't output Gorm's columns(ID, date) in JSON

https://github.com/future-architect/vuls/pull/77
---
 README.md | 53 ----------------------------------
 models/models.go | 72 +++++++++++-----------------------------------
 nvd/nvd.go | 2 +-
 version/version.go | 2 +-
 4 files changed, 19 insertions(+), 110 deletions(-)

diff --git a/README.md b/README.md
index 3a0acecd..be24863d 100644
--- a/README.md
+++ b/README.md
@@ -77,18 +77,8 @@ $ go-cve-dictionary server
 ```
 $ curl http://127.0.0.1:1323/cves/CVE-2014-0160 | jq "."
 {
- "ID": 63949,
- "CreatedAt": "2016-03-23T20:50:52.712279635+09:00",
- "UpdatedAt": "2016-03-23T20:50:52.712279635+09:00",
- "DeletedAt": null,
- "CveInfoID": 0,
 "CveID": "CVE-2014-0160",
 "Nvd": {
- "ID": 63949,
- "CreatedAt": "2016-03-23T20:50:52.712384527+09:00",
- "UpdatedAt": "2016-03-23T20:50:52.712384527+09:00",
- "DeletedAt": null,
- "CveDetailID": 63949,
 "Summary": "The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.",
 "Score": 5,
 "AccessVector": "NETWORK",
@@ -100,12 +90,6 @@ $ curl http://127.0.0.1:1323/cves/CVE-2014-0160 | jq "."
 "Cpes": null,
 "References": [
 {
- "ID": 316262,
- "CreatedAt": "2016-03-23T20:50:52.715120529+09:00",
- "UpdatedAt": "2016-03-23T20:50:52.715120529+09:00",
- "DeletedAt": null,
- "JvnID": 0,
- "NvdID": 63949,
 "Source": "CERT",
 "Link": "http://www.us-cert.gov/ncas/alerts/TA14-098A"
 },
@@ -115,11 +99,6 @@ $ curl http://127.0.0.1:1323/cves/CVE-2014-0160 | jq "."
 "LastModifiedDate": "2015-10-22T10:19:38.453-04:00"
 },
 "Jvn": {
- "ID": 651,
- "CreatedAt": "2016-03-23T20:53:47.711776398+09:00",
- "UpdatedAt": "2016-03-23T20:53:47.711776398+09:00",
- "DeletedAt": null,
- "CveDetailID": 63949,
 "Title": "OpenSSL の heartbeat 拡張に情報漏えいの脆弱性",
 "Summary": "OpenSSL の heartbeat 拡張の実装には、情報漏えいの脆弱性が存在します。TLS や DTLS 通信において OpenSSL のコードを実行しているプロセスのメモリ内容が通信相手に漏えいする可能性があります。",
 "JvnLink": "http://jvndb.jvn.jp/ja/contents/2014/JVNDB-2014-001920.html",
@@ -129,12 +108,6 @@ $ curl http://127.0.0.1:1323/cves/CVE-2014-0160 | jq "."
 "Vector": "(AV:N/AC:L/Au:N/C:P/I:N/A:N)",
 "References": [
 {
- "ID": 369475,
- "CreatedAt": "2016-03-23T20:53:47.711885901+09:00",
- "UpdatedAt": "2016-03-23T20:53:47.711885901+09:00",
- "DeletedAt": null,
- "JvnID": 651,
- "NvdID": 0,
 "Source": "AT-POLICE",
 "Link": "http://www.npa.go.jp/cyberpolice/detect/pdf/20140410.pdf"
 },
@@ -154,17 +127,8 @@ $ curl http://127.0.0.1:1323/cves/CVE-2014-0160 | jq "."
 $ curl -v -H "Accept: application/json" -H "Content-type: application/json" -X POST -d '{"name": "cpe:/a:rubyonrails:ruby_on_rails:4.0.2:-"}' http://localhost:1323/cpes | jq "."
 [
 {
- "ID": 345,
- "CreatedAt": "2016-04-10T10:52:26.196610454+09:00",
- "UpdatedAt": "2016-04-10T10:52:26.196610454+09:00",
- "DeletedAt": null,
- "CveInfoID": 0,
 "CveID": "CVE-2016-0751",
 "Nvd": {
- "ID": 345,
- "CreatedAt": "2016-04-10T10:52:26.196853826+09:00",
- "UpdatedAt": "2016-04-10T10:52:26.196853826+09:00",
- "DeletedAt": null,
 "CveDetailID": 345,
 "Summary": "actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header.",
 "Score": 5,
@@ -177,22 +141,10 @@ $ curl -v -H "Accept: application/json" -H "Content-type: application/json" -X P
 "Cpes": null,
 "References": [
 {
- "ID": 486,
- "CreatedAt": "2016-04-10T10:52:26.217958168+09:00",
- "UpdatedAt": "2016-04-10T10:52:26.217958168+09:00",
- "DeletedAt": null,
- "JvnID": 0,
- "NvdID": 345,
 "Source": "MLIST",
 "Link": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9oLY_FCzvoc/5CDXbvpYEgAJ"
 },
 {
- "ID": 487,
- "CreatedAt": "2016-04-10T10:52:26.218175571+09:00",
- "UpdatedAt": "2016-04-10T10:52:26.218175571+09:00",
- "DeletedAt": null,
- "JvnID": 0,
- "NvdID": 345,
 "Source": "MLIST",
 "Link": "http://www.openwall.com/lists/oss-security/2016/01/25/9"
 }
@@ -201,11 +153,6 @@ $ curl -v -H "Accept: application/json" -H "Content-type: application/json" -X P
 "LastModifiedDate": "2016-03-18T21:02:43.817-04:00"
 },
 "Jvn": {
- "ID": 0,
- "CreatedAt": "0001-01-01T00:00:00Z",
- "UpdatedAt": "0001-01-01T00:00:00Z",
- "DeletedAt": null,
- "CveDetailID": 0,
 "Title": "",
 "Summary": "",
 "JvnLink": "",
diff --git a/models/models.go b/models/models.go
index f2d37ef1..e5c19e9b 100644
--- a/models/models.go
+++ b/models/models.go
@@ -5,7 +5,6 @@ import (
 "time"
 
 "github.com/jinzhu/gorm"
- log "github.com/kotakanbe/go-cve-dictionary/log"
 )
 
 // CveDetails is for sorting
@@ -25,8 +24,8 @@ func (c CveDetails) Less(i, j int) bool {
 
 // CveDetail is a parent of Jnv/Nvd model
 type CveDetail struct {
- gorm.Model
- CveInfoID uint // Foreign key
+ gorm.Model `json:"-"`
+ CveInfoID uint `json:"-"`
 
 CveID string
 Nvd Nvd
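Review bot: The rewritten CveInfoID line in the CveDetail hunk drops the `// Foreign key` comment that the removed line carried, so the struct now has two DB-only fields with no hint of what CveInfoID refers to. I would restore it as a trailing comment on the new line: `// Foreign key (DB-only); json:"-" keeps it out of both encoding and decoding`. Tagging the embedded gorm.Model with json:"-" does what the subject says: encoding/json skips an anonymous field whose tag name is "-", so ID, CreatedAt, UpdatedAt and DeletedAt no longer appear, and a client cannot supply them either should any handler decode into this type. The rest of the CveDetail struct, including its closing brace, lies outside the hunk.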
@@ -37,55 +36,21 @@ type CveDetail struct {
 func (c CveDetail) CvssScore(lang string) float64 {
 switch lang {
 case "en":
- if c.Nvd.GetID() != 0 && c.Nvd.CvssScore() != 0 {
- log.Debugf("%s, Score :%f, Nvd.ID: %d, Lang: %s",
- c.CveID,
- c.Nvd.CvssScore(),
- c.Nvd.ID,
- lang)
+ if 0 < c.Nvd.CvssScore() {
 return c.Nvd.CvssScore()
- } else if c.Jvn.GetID() != 0 && c.Jvn.CvssScore() != 0 {
- log.Debugf("%s, Score :%f, Jvn.ID: %d, Lang: %s",
- c.CveID,
- c.Jvn.CvssScore(),
- c.Jvn.ID,
- lang)
+ } else if 0 < c.Jvn.CvssScore() {
 return c.Jvn.CvssScore()
- } else {
- log.Debugf("Cvss Score is unknown. CveID: %v",
- c.Jvn.JvnID,
- c.Jvn.Link(),
- c.CveID,
- )
 }
 return -1
 case "ja":
- if c.Jvn.GetID() != 0 && c.Jvn.CvssScore() != 0 {
- log.Debugf("%s, Score :%f, Jvn.ID: %d, Lang: %s",
- c.CveID,
- c.Jvn.CvssScore(),
- c.Jvn.GetID(),
- lang)
+ if 0 < c.Jvn.CvssScore() {
 return c.Jvn.CvssScore()
- } else if c.Nvd.GetID() != 0 && c.Nvd.CvssScore() != 0 {
- log.Debugf("%s, Score :%f, Nvd.ID: %d, Lang: %s",
- c.CveID,
- c.Nvd.CvssScore(),
- c.Nvd.ID,
- lang)
+ } else if 0 < c.Nvd.CvssScore() {
 return c.Nvd.CvssScore()
- } else {
- log.Debugf("Cvss Score is unknown. CveID: %v",
- c.Jvn.JvnID,
- c.Jvn.Link(),
- c.CveID,
- )
 }
 return -1
 default:
- log.Errorf("Not implement yet. lang: %s", lang)
 return c.CvssScore("en")
- // reutrn -1
 }
 }
 
@@ -125,8 +90,8 @@ type CveDictionary interface {
 
 // Nvd is a model of NVD
 type Nvd struct {
- gorm.Model
- CveDetailID uint
+ gorm.Model `json:"-"`
+ CveDetailID uint `json:"-"`
 
 Summary string
 
@@ -212,15 +177,13 @@ func firstChar(str string) string {
 return string(str[0])
 }
 
-// Link return summary
+// Link return empty string
 func (c Nvd) Link() string {
- //TODO return NVD Link
 return ""
 }
 
 // VulnSiteReferences return References
 func (c Nvd) VulnSiteReferences() []Reference {
- //TODO return NVD Link
 return c.References
 }
 
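Review bot: The new `if 0 < c.Nvd.CvssScore()` and `if 0 < c.Jvn.CvssScore()` tests in CvssScore cannot distinguish a record whose base score is genuinely 0.0 from a record that is absent, and both cases fall through to `return -1`; the removed `!= 0` checks had the same gap, but the debug log that made it observable leaves with this commit, so an unscored CVE now vanishes silently. A consumer that filters with `score >= threshold` will drop the -1 entries as if they were harmless, which is the wrong failure mode for a vulnerability dictionary, so the sentinel has to be stated at the signature (no doc comment is visible inside the hunk; one may sit on the line above it). I would put directly above the func line: `// CvssScore returns the CVSS base score, preferring NVD for "en" and JVN for "ja" (any other lang falls back to "en"); it returns -1 when neither source has a positive score, and callers must treat -1 as "unknown", never as a low score.` The `default` arm now recurses into "en" without any trace, which is acceptable only if that comment says so.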
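Review bot: The Nvd struct hunk hides CveDetailID from JSON, yet the README sample updated in the same commit keeps `"CveDetailID": 345,` as an unchanged line inside the Nvd object of the POST /cpes example, so the documented response no longer matches what the encoder will produce; that README line should go with the other Gorm columns. It is also worth recording on the field that the tag cuts both directions, because encoding/json will neither emit nor accept it, so a client posting JSON cannot set the foreign key should any handler ever decode into Nvd — e.g. `// DB foreign key to CveDetail; json:"-" hides it from responses and from client input`. The Nvd struct continues past the end of the hunk.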
@@ -241,8 +204,8 @@ func (c Nvd) LastModified() time.Time {
 
 // Jvn is a model of JVN
 type Jvn struct {
- gorm.Model
- CveDetailID uint
+ gorm.Model `json:"-"`
+ CveDetailID uint `json:"-"`
 
 Title string
 Summary string
@@ -308,7 +271,6 @@ func (c Jvn) CvssSeverity() string {
 
 // VulnSiteReferences return summary
 func (c Jvn) VulnSiteReferences() []Reference {
- //TODO return NVD Link
 return c.References
 }
 
@@ -330,9 +292,9 @@ func (c Jvn) LastModified() time.Time {
 // Cpe is Child model of Jvn/Nvd.
 // see https://www.ipa.go.jp/security/vuln/CPE.html
 type Cpe struct {
- gorm.Model
- JvnID uint
- NvdID uint
+ gorm.Model `json:"-"`
+ JvnID uint `json:"-"`
+ NvdID uint `json:"-"`
 
 // CPE Name (URL sytle)
 // JVN ... cpe:/a:oracle:mysql
@@ -352,9 +314,9 @@ type Cpe struct {
 // Reference is Child model of Jvn/Nvd.
 // It holds reference information about the CVE.
 type Reference struct {
- gorm.Model
- JvnID uint
- NvdID uint
+ gorm.Model `json:"-"`
+ JvnID uint `json:"-"`
+ NvdID uint `json:"-"`
 
 Source string
 Link string
diff --git a/nvd/nvd.go b/nvd/nvd.go
index 175bf5c4..11a98eda 100644
--- a/nvd/nvd.go
+++ b/nvd/nvd.go
@@ -153,7 +153,7 @@ func fetchFeedFile(url string, httpProxy string) (nvd Nvd, err error) {
 resp, body, errs = gorequest.New().Proxy(httpProxy).Get(url).End()
 // defer resp.Body.Close()
- if len(errs) > 0 || resp.StatusCode != 200 {
+ if len(errs) > 0 || resp == nil || resp.StatusCode != 200 {
 return nvd, fmt.Errorf(
 "HTTP error. errs: %v, url: %s", errs, url)
 }
diff --git a/version/version.go b/version/version.go
index 0073ec8f..a7b4ee3b 100644
--- a/version/version.go
+++ b/version/version.go
@@ -4,4 +4,4 @@ package version
 const Name string = "go-cve-dictionary"
 
 // Version ... Version
-const Version string = "0.1.0"
+const Version string = "0.1.1"
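Review bot: The `resp == nil` guard added to the condition in fetchFeedFile closes the nil dereference, but the error built two lines below still formats only `errs` and `url`, so when `errs` is empty and the failure is a non-200 reply the message carries no status code and an operator cannot tell a moved feed (404) from an outage (503) or a proxy rejection. The status should be part of the returned error whenever a response exists, and since `resp` may be nil it has to be read after the guard rather than inside the compound condition; splitting the two failure classes also reads more clearly than one three-way `||`. The rest of fetchFeedFile, including how `body` is consumed, lies outside the hunk, so only the error path is judged here.
```go
	resp, body, errs = gorequest.New().Proxy(httpProxy).Get(url).End()
	// … unchanged: commented-out defer …
	if len(errs) > 0 || resp == nil {
		return nvd, fmt.Errorf("HTTP error. errs: %v, url: %s", errs, url)
	}
	if resp.StatusCode != 200 {
		return nvd, fmt.Errorf("HTTP error. status: %d, url: %s", resp.StatusCode, url)
	}
```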