Add VRT 1.4 and handling for CWE and Remediation Advice mappings (#20)

* Add VRT 1.4

* Add remediation advice mapping

* Add CWE mapping

* Update Changelog

* Update mapping handlings to handle multiple keys and to merge arrays

* Add mapping specs and mapping fixture data

Author: Devin Riley

.gitmodules

@@ -13,3 +13,6 @@
 [submodule "lib/data/1.3.1"]
 	path = lib/data/1.3.1
 	url = git@github.com:bugcrowd/vulnerability-rating-taxonomy.git
+[submodule "lib/data/1.4"]
+	path = lib/data/1.4
+	url = git@github.com:bugcrowd/vulnerability-rating-taxonomy.git

CHANGELOG.md

@@ -5,10 +5,15 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
 
 ## [Unreleased]
 ### Added
-
-### Removed
+- VRT 1.4 data
+- Support for mappings with `keys` metadata
+- CWE mapping
+- Bugcrowd Remediation Advice mapping
 
 ### Changed
+- Mappings with array values now caolesce downwards.
+  Child VRT nodes will include values from parent nodes if a mapping
+  provides node data as an array.
 
 ## [v0.4.6](https://github.com/bugcrowd/vrt-ruby/compare/v0.4.5...v0.4.6) - 2018-02-05
 ### Changed

lib/data/1.4

@@ -17,7 +17,7 @@ module VRT
                    'name' => 'Other',
                    'priority' => nil,
                    'type' => 'category' }.freeze
-  MAPPINGS = %i[cvss_v3].freeze
+  MAPPINGS = %i[cvss_v3 remediation_advice cwe].freeze
 
   @version_json = {}
   @last_update = {}

lib/vrt.rb

@@ -14,19 +14,25 @@ def get(id_list, version)
         id_list = VRT.find_node(vrt_id: id_list.join('.'), preferred_version: @min_version).id_list
         version = @min_version
       end
-
-      # iterate through the id components, keeping track of where we are in the mapping file
-      # and the most specific mapped value found so far
       mapping = @mappings[version]['content']
-      best_guess = @mappings[version]['metadata']['default']
-      id_list.each do |id|
-        entry = mapping[id]
-        break unless entry # mapping file doesn't go this deep, return previous value
-        best_guess = entry[@scheme] if entry[@scheme]
-        # use the children mapping for the next iteration
-        mapping = entry['children'] || {}
+      default = @mappings[version]['metadata']['default']
+      keys = @mappings[version]['metadata']['keys']
+      if keys
+        # Convert mappings with multiple keys to be nested under a single
+        # top-level key. Remediation advice has keys 'remediation_advice'
+        # and 'references' so we convert it to look like
+        # { remediation_advice: { remediation_advice: '...', references: [...] } }
+        keys.each_with_object({}) do |key, acc|
+          acc[key.to_sym] = get_key(
+            id_list: id_list,
+            mapping: mapping,
+            key: key,
+            default: default&.try(:[], key)
+          )
+        end
+      else
+        get_key(id_list: id_list, mapping: mapping, key: @scheme, default: default)
       end
-      best_guess
     end
 
     private
@@ -50,14 +56,35 @@ def load_mappings
     # becomes
     #     {one: {'id': 'one', 'foo': 'bar'}, two: {'id': 'two', 'foo': 'baz'}}
     def key_by_id(mapping)
-      case mapping
-      when Array
+      if mapping.is_a?(Array) && mapping.first.is_a?(Hash) && mapping.first.key?('id')
         mapping.each_with_object({}) { |entry, acc| acc[entry['id'].to_sym] = key_by_id(entry) }
-      when Hash
+      elsif mapping.is_a?(Hash)
         mapping.each_with_object({}) { |(key, value), acc| acc[key] = key_by_id(value) }
       else
         mapping
       end
     end
+
+    def get_key(id_list:, mapping:, key:, default:)
+      # iterate through the id components, keeping track of where we are in the mapping file
+      # and the most specific mapped value found so far
+      best_guess = default
+      id_list.each do |id|
+        entry = mapping[id]
+        break unless entry # mapping file doesn't go this deep, return previous value
+        best_guess = merge_arrays(best_guess, entry[key]) if entry[key]
+        # use the children mapping for the next iteration
+        mapping = entry['children'] || {}
+      end
+      best_guess
+    end
+
+    def merge_arrays(previous_value, new_value)
+      if previous_value.is_a?(Array) && new_value.is_a?(Array)
+        new_value | previous_value
+      else
+        new_value
+      end
+    end
   end
 end

lib/vrt/mapping.rb

@@ -0,0 +1,60 @@
+{
+  "metadata": {
+    "default": ["CWE-2000"]
+  },
+  "content": [
+    {
+      "id": "server_security_misconfiguration",
+      "cwe": ["CWE-933"],
+      "children": [
+        {
+          "id": "unsafe_cross_origin_resource_sharing",
+          "cwe": ["CWE-942"]
+        },
+        {
+          "id": "path_traversal",
+          "cwe": ["CWE-22", "CWE-73"]
+        },
+        {
+          "id": "directory_listing_enabled",
+          "cwe": ["CWE-548"]
+        },
+        {
+          "id": "ssl_attack_breach_poodle_etc",
+          "cwe": ["CWE-310"]
+        },
+        {
+          "id": "using_default_credentials",
+          "cwe": ["CWE-255", "CWE-521"]
+        },
+        {
+          "id": "misconfigured_dns",
+          "children": [
+            {
+              "id": "zone_transfer",
+              "cwe": ["CWE-669"]
+            }
+          ]
+        },
+        {
+          "id": "dbms_misconfiguration",
+          "children": [
+            {
+              "id": "excessively_privileged_user_dba",
+              "cwe": ["CWE-250"]
+            }
+          ]
+        },
+        {
+          "id": "lack_of_password_confirmation",
+          "children": [
+            {
+              "id": "change_password",
+              "cwe": ["CWE-620"]
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}

spec/sample_vrt/2.0/mappings/cwe.json

@@ -0,0 +1,59 @@
+{
+  "metadata": {
+    "default": null,
+    "keys": ["remediation_advice", "references"]
+  },
+  "content": [
+    {
+      "id": "server_security_misconfiguration",
+      "references": [
+        "https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration",
+        "http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration"
+      ],
+      "children": [
+        {
+          "id": "unsafe_cross_origin_resource_sharing",
+          "remediation_advice": "This is advice",
+          "references": [
+            "https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#Cross_Origin_Resource_Sharing",
+            "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS"
+          ]
+        },
+        {
+          "id": "directory_listing_enabled",
+          "remediation_advice": "Restrict directory listings being displayed from the server configuration.  \n\nExample for Apache:\n\n1. Edit the server configuration file or edit/create directory .htaccess\n2. Add the following line:\nOptions -Indexes\n3. If it is the last line, make sure you have a new line after it.",
+          "references": [
+            "http://projects.webappsec.org/w/page/13246922/Directory%20Indexing"
+          ]
+        },
+        {
+          "id": "misconfigured_dns",
+          "children": [
+            {
+              "id": "subdomain_takeover",
+              "remediation_advice": "1. Set up your external service so it fully listens to your wildcard DNS.\n2. Keep your DNS-entries constantly vetted and restricted.",
+              "references": [
+                "https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/"
+              ]
+            },
+            {
+              "id": "zone_transfer",
+              "remediation_advice": "Do not allow DNS zone transfers.",
+              "references": [
+                "https://www.sans.org/reading-room/whitepapers/dns/securing-dns-zone-transfer-868",
+                "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-1999-0532"
+              ]
+            },
+            {
+              "id": "missing_caa_record",
+              "remediation_advice": "As the domain name holder you can modify the DNS zone file to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain.",
+              "references": [
+                "https://tools.ietf.org/html/rfc6844"
+              ]
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}

spec/sample_vrt/2.0/mappings/remediation_advice.json

@@ -0,0 +1,60 @@
+{
+  "metadata": {
+    "default": ["CWE-2000"]
+  },
+  "content": [
+    {
+      "id": "server_security_misconfiguration",
+      "cwe": ["CWE-933"],
+      "children": [
+        {
+          "id": "unsafe_cross_origin_resource_sharing",
+          "cwe": ["CWE-942"]
+        },
+        {
+          "id": "path_traversal",
+          "cwe": ["CWE-22", "CWE-73"]
+        },
+        {
+          "id": "directory_listing_enabled",
+          "cwe": ["CWE-548"]
+        },
+        {
+          "id": "ssl_attack_breach_poodle_etc",
+          "cwe": ["CWE-310"]
+        },
+        {
+          "id": "using_default_credentials",
+          "cwe": ["CWE-255", "CWE-521"]
+        },
+        {
+          "id": "misconfigured_dns",
+          "children": [
+            {
+              "id": "zone_transfer",
+              "cwe": ["CWE-669"]
+            }
+          ]
+        },
+        {
+          "id": "dbms_misconfiguration",
+          "children": [
+            {
+              "id": "excessively_privileged_user_dba",
+              "cwe": ["CWE-250"]
+            }
+          ]
+        },
+        {
+          "id": "lack_of_password_confirmation",
+          "children": [
+            {
+              "id": "change_password",
+              "cwe": ["CWE-620"]
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}

spec/sample_vrt/999.999/mappings/cwe.json

@@ -0,0 +1,59 @@
+{
+  "metadata": {
+    "default": null,
+    "keys": ["remediation_advice", "references"]
+  },
+  "content": [
+    {
+      "id": "server_security_misconfiguration",
+      "references": [
+        "https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration",
+        "http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration"
+      ],
+      "children": [
+        {
+          "id": "unsafe_cross_origin_resource_sharing",
+          "remediation_advice": "This is advice",
+          "references": [
+            "https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#Cross_Origin_Resource_Sharing",
+            "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS"
+          ]
+        },
+        {
+          "id": "directory_listing_enabled",
+          "remediation_advice": "Restrict directory listings being displayed from the server configuration.  \n\nExample for Apache:\n\n1. Edit the server configuration file or edit/create directory .htaccess\n2. Add the following line:\nOptions -Indexes\n3. If it is the last line, make sure you have a new line after it.",
+          "references": [
+            "http://projects.webappsec.org/w/page/13246922/Directory%20Indexing"
+          ]
+        },
+        {
+          "id": "misconfigured_dns",
+          "children": [
+            {
+              "id": "subdomain_takeover",
+              "remediation_advice": "1. Set up your external service so it fully listens to your wildcard DNS.\n2. Keep your DNS-entries constantly vetted and restricted.",
+              "references": [
+                "https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/"
+              ]
+            },
+            {
+              "id": "zone_transfer",
+              "remediation_advice": "Do not allow DNS zone transfers.",
+              "references": [
+                "https://www.sans.org/reading-room/whitepapers/dns/securing-dns-zone-transfer-868",
+                "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-1999-0532"
+              ]
+            },
+            {
+              "id": "missing_caa_record",
+              "remediation_advice": "As the domain name holder you can modify the DNS zone file to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain.",
+              "references": [
+                "https://tools.ietf.org/html/rfc6844"
+              ]
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}