lib/ronin/db/advisory.rb
# frozen_string_literal: true
#
# ronin-db-activerecord - ActiveRecord backend for the Ronin Database.
#
# Copyright (c) 2022-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
#
# ronin-db-activerecord is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published
# by the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ronin-db-activerecord is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with ronin-db-activerecord. If not, see <https://www.gnu.org/licenses/>.
#
require 'ronin/db/model'
require 'ronin/db/model/importable'
require 'active_record'
module Ronin
module DB
#
# Represents a vulnerability Advisory, with a Publisher, Number and
# URL.
#
class Advisory < ActiveRecord::Base
include Model
include Model::Importable
self.primary_key = :id
# @!attribute [rw] id
# Primary key of the advisory.
#
# @return [String]
attribute :id, :string
# @!attribute [rw] prefix
# The ID prefix (ex: `CVE` or `GHSA`).
#
# @return [String]
attribute :prefix, :string
validates :prefix, presence: true
# @!attribute [rw] year
# The year the advisory was published in.
#
# @return [Integer]
attribute :year, :integer
validates :year, allow_nil: true,
comparison: {
greater_than: 1990,
less_than_or_equal_to: Date.today.year
}
# @!attribute [rw] identifier
# The advisory identifier
#
# @return [String]
attribute :identifier, :string
validates :identifier, presence: true
#
# @api private
#
module ID
#
# Parses a security advisory ID.
#
# @param [String] string
# The security advisory ID String to split.
#
# @return [Hash{Symbol => Object}]
# The parsed security advisory ID.
#
# @raise [ArgumentError]
# The ID does not appear to be a valid security ID.
#
def self.parse(string)
if (match = string.match(/\A([A-Z]+)-(\d{4})[:-]([0-9][0-9-]+)\z/))
{
id: match[0],
prefix: match[1],
year: match[2].to_i,
identifier: match[3]
}
elsif (match = string.match(/\AMS(\d{2})-(\d{3,})\z/))
{
id: match[0],
prefix: 'MS',
year: 2000 + match[1].to_i,
identifier: match[2]
}
elsif (match = string.match(/\A([A-Z]+)-(.+)\z/))
{
id: match[0],
prefix: match[1],
identifier: match[2]
}
else
raise(ArgumentError,"id does not appear to be a valid security advisory ID: #{string.inspect}")
end
end
end
#
# Looks up the advisory.
#
# @param [String] id
#
# @return [Advisory, nil]
#
def self.lookup(id)
find_by(id: id)
end
#
# Parses an Advisory ID String.
#
# @param [String] id
# The ID String for the advisory.
#
# @return [Advisory]
# The new advisory.
#
# @api public
#
def self.import(id)
create(**ID.parse(id))
end
#
# Generates a URL for the advisory.
#
# @return [String, nil]
# The URL for the advisory.
#
# @api public
#
def url
case prefix
when 'CVE' then "https://nvd.nist.gov/vuln/detail/#{id}"
when 'RHSA' then "https://access.redhat.com/errata/#{id}"
when 'GHSA' then "https://github.com/advisories/#{id}"
end
end
#
# Converts the advisory to a String.
#
# @return [String]
# The advisory ID string.
#
# @api public
#
def to_s
self.id
end
end
end
end