Agree — feel free to open an enhancement request against the documentation, and perhaps provide some sample use cases...
I am seeing more of these questions involving CVE databases; perhaps a feature request around CVE matching against the Elasticsearch repository, tagged Security, would be appropriate.
I am not familiar in detail with the OVAL database, so a few things are unclear to me, but here is an example. I do see that the new JSON format looks like this, so perhaps this is where a version range would make sense?
"version": "1.0.0",
"status": "affected",
"lessThan": "1.0.6",
The example is based on the OP's (@maggo) question; ranges were not specified there, so I am not sure whether that applies or not.
Here is some simple code; I am sure it will not solve the entire issue, but perhaps it will provide some other ideas.
It does some processing when loading the CVE data, and then applies the same processing to the log document before calling the enrich processor, so that both sides share the same exact-match key.
DELETE discuss-cve-data
PUT /discuss-cve-data
{
"mappings": {
"properties": {
"CVEID": {
"type": "keyword"
},
"affected_product": {
"type": "keyword"
},
"affected_version": {
"type": "keyword"
},
"notes": {
"type": "keyword"
},
"cve_product_version_unique_id": {
"type": "keyword"
}
}
}
}
PUT _ingest/pipeline/discuss-cve-prep
{
"processors": [
{
"set": {
"field": "cve_product_version_unique_id",
"value": "{{affected_product}} - {{affected_version}}"
}
}
]
}
POST discuss-cve-data/_doc?pipeline=discuss-cve-prep
{
"affected_product": "chrome",
"affected_version": "1.5",
"CVEID": "CVE-1234-5678",
"notes" : "Bad Chrome Bug"
}
POST discuss-cve-data/_doc?pipeline=discuss-cve-prep
{
"affected_product": "chrome",
"affected_version": "1.5",
"CVEID": "CVE-1234-3333",
"notes" : "Another Bad Chrome Bug"
}
POST discuss-cve-data/_doc?pipeline=discuss-cve-prep
{
"affected_product": "chrome",
"affected_version": "1.6",
"CVEID": "CVE-1234-9999",
"notes" : "Worse Chrome Bug"
}
POST discuss-cve-data/_doc?pipeline=discuss-cve-prep
{
"affected_product": "safari",
"affected_version": "3.2",
"CVEID": "CVE-1234-8888",
"notes" : "Bad Safari Bug"
}
GET discuss-cve-data/_search
{
"fields": ["*"]
}
DELETE /_enrich/policy/discuss-cve-data-policy
# Create enrichment policy
PUT /_enrich/policy/discuss-cve-data-policy
{
"match": {
"indices": "discuss-cve-data",
"match_field": "cve_product_version_unique_id",
"enrich_fields": ["cveid","notes"]
}
}
POST /_enrich/policy/discuss-cve-data-policy/_execute
DELETE _ingest/pipeline/discuss-cve-lookup
PUT _ingest/pipeline/discuss-cve-lookup
{
"processors": [
{
"set": {
"field": "cve_product_version_unique_id",
"value": "{{product}} - {{version}}"
}
},
{
"enrich": {
"policy_name": "discuss-cve-data-policy",
"field": "cve_product_version_unique_id",
"target_field": "cve_data",
"max_matches": 128
}
}
]
}
DELETE discuss-product-logs
PUT /discuss-product-logs
{
"mappings": {
"properties": {
"product": {
"type": "keyword"
},
"version": {
"type": "keyword"
},
"message": {
"type": "keyword"
},
"cve_product_version_unique_id": {
"type": "keyword"
}
}
}
}
POST discuss-product-logs/_doc?pipeline=discuss-cve-lookup
{
"product": "chrome",
"version": "1.5",
"message": "this is a log line"
}
POST discuss-product-logs/_doc?pipeline=discuss-cve-lookup
{
"product": "chrome",
"version": "1.6",
"message": "this is another log line"
}
POST discuss-product-logs/_doc?pipeline=discuss-cve-lookup
{
"product": "chrome",
"version": "1.7",
"message": "this is another log line"
}
POST discuss-product-logs/_doc?pipeline=discuss-cve-lookup
{
"product": "safari",
"version": "3.2",
"message": "this is another log line"
}
POST discuss-product-logs/_doc?pipeline=discuss-cve-lookup
{
"product": "safari",
"version": "3.3",
"message": "this is another log line"
}
GET discuss-product-logs/_search
Results (note that the enriched `cve_data` entries carry `notes` but no CVE ID: the enrich policy lists `cveid` in `enrich_fields`, while the mapped field in the source index is `CVEID`, and field names are case-sensitive)
{
"took": 0,
"timed_out": false,
"_shards": {
"total": 1,
"successful": 1,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 5,
"relation": "eq"
},
"max_score": 1,
"hits": [
{
"_index": "discuss-product-logs",
"_id": "nDcaioYBQV01Dpx0-vsY",
"_score": 1,
"_source": {
"cve_data": [
{
"cve_product_version_unique_id": "chrome - 1.5",
"notes": "Bad Chrome Bug"
},
{
"cve_product_version_unique_id": "chrome - 1.5",
"notes": "Another Bad Chrome Bug"
}
],
"product": "chrome",
"message": "this is a log line",
"version": "1.5",
"cve_product_version_unique_id": "chrome - 1.5"
}
},
{
"_index": "discuss-product-logs",
"_id": "nTcaioYBQV01Dpx0-vs_",
"_score": 1,
"_source": {
"cve_data": [
{
"cve_product_version_unique_id": "chrome - 1.6",
"notes": "Worse Chrome Bug"
}
],
"product": "chrome",
"message": "this is another log line",
"version": "1.6",
"cve_product_version_unique_id": "chrome - 1.6"
}
},
{
"_index": "discuss-product-logs",
"_id": "njcaioYBQV01Dpx0-vtL",
"_score": 1,
"_source": {
"product": "chrome",
"message": "this is another log line",
"version": "1.7",
"cve_product_version_unique_id": "chrome - 1.7"
}
},
{
"_index": "discuss-product-logs",
"_id": "nzcaioYBQV01Dpx0-vtX",
"_score": 1,
"_source": {
"cve_data": [
{
"cve_product_version_unique_id": "safari - 3.2",
"notes": "Bad Safari Bug"
}
],
"product": "safari",
"message": "this is another log line",
"version": "3.2",
"cve_product_version_unique_id": "safari - 3.2"
}
},
{
"_index": "discuss-product-logs",
"_id": "oDcaioYBQV01Dpx0-vtj",
"_score": 1,
"_source": {
"product": "safari",
"message": "this is another log line",
"version": "3.3",
"cve_product_version_unique_id": "safari - 3.3"
}
}
]
}
}