revised; enabling openssl advisors with different versions

.gitignore

@@ -16,3 +16,6 @@
 /test/ae-vulnerability-mirror/
 
 /.mvn/
+
+# FIXME: how to deal with correlation data? Split?
+/advisors/correlation/shared

README.md

@@ -26,9 +26,9 @@
 
 ## Build Instructions
 
-Mirror the vulnerability databases once using the `mirror-database` profile:
+Mirror the vulnerability databases once using the `mirror-download` profile:
 
-    mvn clean install -Pmirror-database,index-database
+    mvn clean install -Pmirror-download,mirror-index
 
 To successfully mirror the database an API-Key might be necessary if not provided already.
 Either create a new top-level directory `.maven` containing a `maven.config` file which should contain the following:
@@ -37,7 +37,7 @@ Either create a new top-level directory `.maven` containing a `maven.config` fil
 
 Or append the flag directly via CLI:
 
-    mvn clean install -Pmirror-database,index-database -Dnvd.apikey=<api-key>
+    mvn clean install -Pmirror-download,mirror-index -Dnvd.apikey=<api-key>
 
 This process may take around 40 minutes. The process will create a local mirror of public vulnerability data in the `.database`
 folder. Rerun the process to update the data regularly.

advisors/example-advisor/assessment/baseline.yaml

@@ -14,5 +14,7 @@ history:
 
 scope: inventory
 
-cvssV3: MAV:A/MAC:H
-cvssV2: AV:A
+cvssV3:
+  lower: MAV:A/MAC:H
+cvssV2:
+  lower: AV:A

advisors/openssl-1.1-advisor/assessment/baseline.yaml_

@@ -0,0 +1,20 @@
+history:
+  - rationale:
+      "<p>
+          The application services are operated in an isolated network. No direct access from the external adversaries
+          shall be possible.
+      </p>
+      <p>
+          The CVSS vectors have been adjusted to expect that an adversary must have access to the network the 
+          application service are deployed (MAV:A; AV:A). Additional privileges are required (MAC:H) as the adversary 
+          must have already passed the gateway-level security perimeter or the physical protection of the data center.
+      </p>"
+    date: 2024-08-24
+    author: KKL
+
+scope: inventory
+
+cvssV3:
+  lower: MAV:A/MAC:H
+cvssV2:
+  lower: AV:A

advisors/openssl-1.1-advisor/context/CTX_external-attackers.yaml

@@ -0,0 +1,21 @@
+sets:
+  - name: external attacker
+    category: external threat
+    score: 3.0
+    min:
+      - amount: 1
+        keywords:
+          - external attacker
+          - external attackers
+          - external adversary
+          - external adversaries
+          - external user
+          - remote attacker
+          - remote attackers
+          - remote adversary
+          - remote adversaries
+          - remote code execution
+          - remote code executions
+          - RCE
+          - execute arbitrary code
+          - initiate the attack remotely

advisors/openssl-1.1-advisor/context/CTX_information-disclosure.yaml

@@ -0,0 +1,19 @@
+sets:
+  - name: information disclosure
+    category: confidentiality threat
+    score: 3.0
+    min:
+      - amount: 1
+        keywords:
+          - information disclosure
+          - making private services on the VM accessible to the network
+          - leaking credential
+          - leaked credential
+          - leaked credentials
+          - credential leak
+          - credentials leak
+          - exposed credantial
+          - credential exposed
+          - credentials exposed
+          - readable by unauthorized
+          - readable by unauthorised

advisors/openssl-1.1-advisor/context/CTX_malicious-content.yaml

@@ -0,0 +1,17 @@
+sets:
+  - name: malicious content
+    category: integrity threat
+    score: 3.0
+    min:
+      - amount: 1
+        keywords:
+          - request smuggling
+          - missing input validation
+          - SQL injection
+          - sql injection
+          - sql-injection
+          - XML External Entity Injection
+          - XML Entity Expansion
+          - XXE
+          - specifically crafted request
+          - specifically crafted conent

advisors/openssl-1.1-advisor/context/CTX_privilege-escalation.yaml

@@ -0,0 +1,14 @@
+sets:
+  - name: privilege escalation
+    category: general threat
+    score: 3.0
+    min:
+      - amount: 1
+        keywords:
+          - privilege escalation
+          - jailbreak
+          - container escape
+          - to access any other file
+          - arbitrary code execution
+          - allows unauthorized acccess
+          - allows unauthorised acccess

advisors/openssl-1.1-advisor/context/CTX_request-forgery.yaml

@@ -0,0 +1,10 @@
+sets:
+  - name: request forgery
+    category: external threat
+    score: 2.0
+    min:
+      - amount: 1
+        keywords:
+          - cross-site request forgery
+          - CSFR
+          - forge requests

advisors/openssl-1.1-advisor/context/CTX_resource-exemption.yaml

@@ -0,0 +1,14 @@
+sets:
+  - name: resource exemption
+    category: external threat
+    score: 1.0
+    min:
+      - amount: 1
+        keywords:
+          - resource consumption
+          - resource exemption
+          - denial of service
+          - denial of service attacks
+          - connection pool exhaustion
+          - memory leak
+          - resource leak

advisors/openssl-advisor/context/README.md → advisors/openssl-1.1-advisor/context/README.md

@@ -1,5 +1,3 @@
 # Vulnerability Context Definition
 
 Within the folder `context` configurations can be places that help to prioritize vulnerabilities on a general level.
-
-Currently, no context information is provided.

advisors/openssl-1.1-advisor/pom.xml

@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.metaeffekt.example.documentation</groupId>
+        <artifactId>ae-advisors</artifactId>
+        <version>1.0.0-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>ae-openssl-1.1-advisor</artifactId>
+    <packaging>jar</packaging>
+
+    <properties>
+        <input.inventory>${project.basedir}/inventory/openssl-inventory.xls</input.inventory>
+
+        <dashboard.title>OpenSSL-1.1.1o</dashboard.title>
+        <dashboard.subtitle>Vulnerability Assessment Dashboard</dashboard.subtitle>
+        <dashboard.footer>Demo Dashboard for OpenSSL-1.1.1o</dashboard.footer>
+    </properties>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-dependency-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <groupId>org.metaeffekt.core</groupId>
+                <artifactId>ae-inventory-maven-plugin</artifactId>
+            </plugin>
+            <!-- FIXME: fix plugins; remove configuration on project level -->
+            <plugin>
+                <groupId>com.metaeffekt.artifact.analysis</groupId>
+                <artifactId>ae-inventory-enrichment-plugin</artifactId>
+            </plugin>
+        </plugins>
+    </build>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.metaeffekt.example.documentation</groupId>
+            <artifactId>ae-inventory-extractor</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+        </dependency>
+    </dependencies>
+
+</project>

advisors/openssl-3.0-advisor/assessment/README.md

@@ -0,0 +1,8 @@
+# Vulnerability Assessment
+
+The `assessment` folder container yaml files that contain context-specific assessment information.
+
+The example uses an assessment of CVE-2021-44228 (here as an applicable vulnerability) and CVE-2021-45046 as 
+vulnerability that is not applicable, because the affected MDC feature is not used in this context.
+
+The example is artifical and meant to illustrate the different options for vulnerability assessment.

advisors/openssl-3.0-advisor/assessment/baseline.yaml_

@@ -0,0 +1,20 @@
+history:
+  - rationale:
+      "<p>
+          The application services are operated in an isolated network. No direct access from the external adversaries
+          shall be possible.
+      </p>
+      <p>
+          The CVSS vectors have been adjusted to expect that an adversary must have access to the network the 
+          application service are deployed (MAV:A; AV:A). Additional privileges are required (MAC:H) as the adversary 
+          must have already passed the gateway-level security perimeter or the physical protection of the data center.
+      </p>"
+    date: 2024-08-24
+    author: KKL
+
+scope: inventory
+
+cvssV3:
+  lower: MAV:A/MAC:H
+cvssV2:
+  lower: AV:A

advisors/openssl-3.0-advisor/context/CTX_external-attackers.yaml

@@ -0,0 +1,21 @@
+sets:
+  - name: external attacker
+    category: external threat
+    score: 3.0
+    min:
+      - amount: 1
+        keywords:
+          - external attacker
+          - external attackers
+          - external adversary
+          - external adversaries
+          - external user
+          - remote attacker
+          - remote attackers
+          - remote adversary
+          - remote adversaries
+          - remote code execution
+          - remote code executions
+          - RCE
+          - execute arbitrary code
+          - initiate the attack remotely

advisors/openssl-3.0-advisor/context/CTX_information-disclosure.yaml

@@ -0,0 +1,19 @@
+sets:
+  - name: information disclosure
+    category: confidentiality threat
+    score: 3.0
+    min:
+      - amount: 1
+        keywords:
+          - information disclosure
+          - making private services on the VM accessible to the network
+          - leaking credential
+          - leaked credential
+          - leaked credentials
+          - credential leak
+          - credentials leak
+          - exposed credantial
+          - credential exposed
+          - credentials exposed
+          - readable by unauthorized
+          - readable by unauthorised

advisors/openssl-3.0-advisor/context/CTX_malicious-content.yaml

@@ -0,0 +1,17 @@
+sets:
+  - name: malicious content
+    category: integrity threat
+    score: 3.0
+    min:
+      - amount: 1
+        keywords:
+          - request smuggling
+          - missing input validation
+          - SQL injection
+          - sql injection
+          - sql-injection
+          - XML External Entity Injection
+          - XML Entity Expansion
+          - XXE
+          - specifically crafted request
+          - specifically crafted conent

advisors/openssl-3.0-advisor/context/CTX_privilege-escalation.yaml

@@ -0,0 +1,14 @@
+sets:
+  - name: privilege escalation
+    category: general threat
+    score: 3.0
+    min:
+      - amount: 1
+        keywords:
+          - privilege escalation
+          - jailbreak
+          - container escape
+          - to access any other file
+          - arbitrary code execution
+          - allows unauthorized acccess
+          - allows unauthorised acccess

advisors/openssl-3.0-advisor/context/CTX_request-forgery.yaml

@@ -0,0 +1,10 @@
+sets:
+  - name: request forgery
+    category: external threat
+    score: 2.0
+    min:
+      - amount: 1
+        keywords:
+          - cross-site request forgery
+          - CSFR
+          - forge requests

advisors/openssl-3.0-advisor/context/CTX_resource-exemption.yaml

@@ -0,0 +1,14 @@
+sets:
+  - name: resource exemption
+    category: external threat
+    score: 1.0
+    min:
+      - amount: 1
+        keywords:
+          - resource consumption
+          - resource exemption
+          - denial of service
+          - denial of service attacks
+          - connection pool exhaustion
+          - memory leak
+          - resource leak

advisors/openssl-3.0-advisor/context/README.md

@@ -0,0 +1,3 @@
+# Vulnerability Context Definition
+
+Within the folder `context` configurations can be places that help to prioritize vulnerabilities on a general level.

advisors/openssl-advisor/pom.xml → advisors/openssl-3.0-advisor/pom.xml

@@ -9,12 +9,15 @@
         <version>1.0.0-SNAPSHOT</version>
     </parent>
 
-    <artifactId>ae-openssl-advisor</artifactId>
+    <artifactId>ae-openssl-3.0-advisor</artifactId>
     <packaging>jar</packaging>
 
     <properties>
-        <input.inventory>${project.build.directory}/input/inventory/ae-inventory-extractor-inventory.xls</input.inventory>
-        <correlation.dir>correlation</correlation.dir>
+        <input.inventory>${project.basedir}/inventory/openssl-inventory.xls</input.inventory>
+
+        <dashboard.title>OpenSSL-3.0.6</dashboard.title>
+        <dashboard.subtitle>Vulnerability Assessment Dashboard</dashboard.subtitle>
+        <dashboard.footer>Demo Dashboard for OpenSSL-3.0.6</dashboard.footer>
     </properties>
 
     <build>