1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
use super::state::ConstValue;
use super::*;
use crate::common::{Description, ProblemType, Product, ProviderMetadata, Reference, Tag};
use serde::{Deserialize, Deserializer, Serialize, Serializer};
use serde_json::Value;
use std::ops::{Deref, DerefMut};
use uuid::Uuid;
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct State;
const STATE_VALUE: &str = "PUBLISHED";
impl Serialize for State {
fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
where
S: Serializer,
{
serializer.serialize_str(STATE_VALUE)
}
}
impl<'de> Deserialize<'de> for State {
fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
where
D: Deserializer<'de>,
{
deserializer
.deserialize_str(ConstValue(STATE_VALUE))
.map(|()| State)
}
}
#[derive(Clone, Debug, PartialEq, Eq, serde::Deserialize, serde::Serialize)]
#[serde(rename_all = "camelCase")]
pub struct Metadata {
pub state: State,
#[serde(flatten)]
pub common: common::Metadata,
}
impl Deref for Metadata {
type Target = common::Metadata;
fn deref(&self) -> &Self::Target {
&self.common
}
}
impl DerefMut for Metadata {
fn deref_mut(&mut self) -> &mut Self::Target {
&mut self.common
}
}
#[derive(Clone, Debug, PartialEq, Eq, serde::Deserialize, serde::Serialize)]
#[serde(rename_all = "camelCase")]
pub struct Containers {
pub cna: CnaContainer,
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub adp: Vec<AdpContainer>,
}
#[derive(Clone, Debug, PartialEq, Eq, serde::Deserialize, serde::Serialize)]
#[serde(rename_all = "camelCase")]
pub struct CnaContainer {
#[serde(flatten)]
pub common: common::CnaContainer,
/// The date/time this CVE ID was associated with a vulnerability by a CNA.
#[serde(default, skip_serializing_if = "Option::is_none")]
pub date_assigned: Option<Timestamp>,
/// If known, the date/time the vulnerability was disclosed publicly.
#[serde(default, skip_serializing_if = "Option::is_none")]
pub date_public: Option<Timestamp>,
/// A title, headline, or a brief phrase summarizing the CVE record. Eg., Buffer overflow in Example Soft.
#[serde(default, skip_serializing_if = "Option::is_none")]
pub title: Option<String>,
/// A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].
pub descriptions: Vec<Description>,
/// List of affected products.
pub affected: Vec<Product>,
/// This is problem type information (e.g. CWE identifier). Must contain: At least one entry, can be text, OWASP, CWE, please note that while only one is required you can use more than one (or indeed all three) as long as they are correct). (CNA requirement: [PROBLEMTYPE]).
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub problem_types: Vec<ProblemType>,
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub references: Vec<Reference>,
/// Collection of impacts of this vulnerability.
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub impacts: Vec<Impact>,
/// Collection of impact scores with attribution.
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub metrics: Vec<Metric>,
/// Configurations required for exploiting this vulnerability.
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub configurations: Vec<Description>,
/// Workarounds and mitigations for this vulnerability.
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub workarounds: Vec<Description>,
/// Information about solutions or remediations available for this vulnerability.
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub solutions: Vec<Description>,
/// Information about exploits of the vulnerability.
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub exploits: Vec<Description>,
/// This is timeline information for significant events about this vulnerability or changes to the CVE Record.
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub timeline: Vec<Timeline>,
/// Statements acknowledging specific people, organizations, or tools recognizing the work done in researching, discovering, remediating or helping with activities related to this CVE.
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub credits: Vec<Credit>,
/// This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).\n Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. it is part of a vendor statement) then it must contain at least one type of data entry.
#[serde(default, skip_serializing_if = "Option::is_none")]
pub source: Option<Value>,
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub tags: Vec<Tag>,
/// List of taxonomy items related to the vulnerability.
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub taxonomy_mappings: Vec<TaxonomyMapping>,
}
#[derive(Clone, Debug, PartialEq, Eq, serde::Deserialize, serde::Serialize)]
#[serde(rename_all = "camelCase")]
pub struct Impact {
/// CAPEC ID that best relates to this impact.
#[serde(default, skip_serializing_if = "Option::is_none")]
pub capec_id: Option<String>,
/// Prose description of the impact scenario. At a minimum provide the description given by CAPEC.
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub descriptions: Vec<Description>,
}
/// This is impact type information (e.g. a text description, CVSSv2, CVSSv3, CVSSv4, etc.). Must contain: At least one entry, can be text, CVSSv2, CVSSv3, others may be added.
#[derive(Clone, Debug, PartialEq, Eq, serde::Deserialize, serde::Serialize)]
#[serde(rename_all = "camelCase")]
pub struct Metric {
/// Name of the scoring format. This provides a bit of future proofing. Additional properties are not prohibited, so this will support the inclusion of proprietary formats. It also provides an easy future conversion mechanism when future score formats become part of the schema. example: cvssV44, format = 'cvssV44', other = cvssV4_4 JSON object. In the future, the other properties can be converted to score properties when they become part of the schema.
#[serde(default, skip_serializing_if = "Option::is_none")]
pub format: Option<String>,
/// Description of the scenarios this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub scenarios: Vec<Scenario>,
#[serde(default, skip_serializing_if = "Option::is_none")]
#[serde(rename = "cvssV4_0")]
pub cvss_v4_0: Option<Value>,
#[serde(default, skip_serializing_if = "Option::is_none")]
#[serde(rename = "cvssV3_1")]
pub cvss_v3_1: Option<Value>,
#[serde(default, skip_serializing_if = "Option::is_none")]
#[serde(rename = "cvssV3_0")]
pub cvss_v3_0: Option<Value>,
#[serde(default, skip_serializing_if = "Option::is_none")]
#[serde(rename = "cvssV2_0")]
pub cvss_v2_0: Option<Value>,
#[serde(default, skip_serializing_if = "Option::is_none")]
pub other: Option<OtherMetric>,
}
/// A non-standard impact description, may be prose or JSON block.
#[derive(Clone, Debug, PartialEq, Eq, serde::Deserialize, serde::Serialize)]
#[serde(rename_all = "camelCase")]
pub struct OtherMetric {
/// Name of the non-standard impact metrics format used.
pub r#type: String,
/// JSON object not covered by another metrics format.
pub content: Value,
}
#[derive(Clone, Debug, PartialEq, Eq, serde::Deserialize, serde::Serialize)]
#[serde(rename_all = "camelCase")]
pub struct Scenario {
#[serde(rename = "lang")]
pub language: String,
/// Description of the scenario this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.
#[serde(default = "Scenario::default_value")]
pub value: String,
}
impl Scenario {
pub fn default_value() -> String {
"GENERAL".to_string()
}
}
#[derive(Clone, Debug, PartialEq, Eq, serde::Deserialize, serde::Serialize)]
#[serde(rename_all = "camelCase")]
pub struct Timeline {
/// Timestamp representing when the event in the timeline occurred. The timestamp format is based on RFC3339 and ISO ISO8601, with an optional timezone. yyyy-MM-ddTHH:mm:ssZZZZ - if the timezone offset is not given, GMT (0000) is assumed.
pub time: Timestamp,
/// The language used in the description of the event. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code.
#[serde(rename = "lang")]
pub language: String,
/// A summary of the event.
pub value: String,
}
#[derive(Clone, Debug, PartialEq, Eq, serde::Deserialize, serde::Serialize)]
#[serde(rename_all = "camelCase")]
pub struct Credit {
/// The language used when describing the credits. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code.
#[serde(rename = "lang")]
pub language: String,
pub value: String,
/// UUID of the user being credited if present in the CVE User Registry (optional). This UUID can be used to lookup the user record in the user registry service.
#[serde(default, skip_serializing_if = "Option::is_none")]
pub user: Option<Uuid>,
/// Type or role of the entity being credited (optional).
#[serde(default, skip_serializing_if = "is_default_credit_type")]
pub r#type: CreditType,
}
fn is_default_credit_type(value: &CreditType) -> bool {
*value == CreditType::Finder
}
/// Type or role of the entity being credited.
#[derive(Copy, Clone, Debug, Default, PartialEq, Eq, serde::Deserialize, serde::Serialize)]
#[serde(rename_all = "lowercase")]
#[non_exhaustive]
pub enum CreditType {
/// identifies the vulnerability.
#[default]
Finder,
/// notifies the vendor of the vulnerability to a CNA.
Reporter,
/// validates the vulnerability to ensure accuracy or severity.
Analyst,
/// facilitates the coordinated response process.
Coordinator,
/// prepares a code change or other remediation plans.
#[serde(rename = "remediation developer")]
RemediationDeveloper,
/// reviews vulnerability remediation plans or code changes for effectiveness and completeness.
#[serde(rename = "remediation reviewer")]
RemediationReviewer,
/// tests and verifies the vulnerability or its remediation.
#[serde(rename = "remediation verifier")]
RemediationVerifier,
/// names of tools used in vulnerability discovery or identification.
Tool,
/// supports the vulnerability identification or remediation activities.
Sponsor,
Other,
}
#[derive(Clone, Debug, PartialEq, Eq, serde::Deserialize, serde::Serialize)]
#[serde(rename_all = "camelCase")]
pub struct TaxonomyMapping {
/// The name of the taxonomy.
#[serde(rename = "taxonomyName")]
pub name: String,
/// The version of taxonomy the identifiers come from.
#[serde(default, skip_serializing_if = "Option::is_none")]
#[serde(rename = "taxonomyVersion")]
pub version: Option<String>,
/// List of relationships to the taxonomy for the vulnerability. Relationships can be between the taxonomy and the CVE or two taxonomy items.
#[serde(rename = "taxonomyRelations")]
pub relations: Vec<TaxonomyRelation>,
}
#[derive(Clone, Debug, PartialEq, Eq, serde::Deserialize, serde::Serialize)]
#[serde(rename_all = "camelCase")]
pub struct TaxonomyRelation {
/// Identifier of the item in the taxonomy. Used as the subject of the relationship.
#[serde(rename = "taxonomyId")]
pub id: String,
/// A description of the relationship.
#[serde(rename = "relationshipName")]
pub name: String,
/// The target of the relationship. Can be the CVE ID or another taxonomy identifier.
#[serde(rename = "relationshipValue")]
pub value: String,
}
#[derive(Clone, Debug, PartialEq, Eq, serde::Deserialize, serde::Serialize)]
#[serde(rename_all = "camelCase")]
pub struct AdpContainer {
pub provider_metadata: ProviderMetadata,
/// If known, the date/time the vulnerability was disclosed publicly.
#[serde(default, skip_serializing_if = "Option::is_none")]
pub date_public: Option<Timestamp>,
/// A title, headline, or a brief phrase summarizing the information in an ADP container.
#[serde(default, skip_serializing_if = "Option::is_none")]
pub title: Option<String>,
/// A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub descriptions: Vec<Description>,
/// List of affected products.
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub affected: Vec<Product>,
/// This is problem type information (e.g. CWE identifier). Must contain: At least one entry, can be text, OWASP, CWE, please note that while only one is required you can use more than one (or indeed all three) as long as they are correct). (CNA requirement: [PROBLEMTYPE]).
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub problem_types: Vec<ProblemType>,
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub references: Vec<Reference>,
/// Collection of impacts of this vulnerability.
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub impacts: Vec<Impact>,
/// Collection of impact scores with attribution.
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub metrics: Vec<Metric>,
/// Configurations required for exploiting this vulnerability.
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub configurations: Vec<Description>,
/// Workarounds and mitigations for this vulnerability.
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub workarounds: Vec<Description>,
/// Information about solutions or remediations available for this vulnerability.
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub solutions: Vec<Description>,
/// Information about exploits of the vulnerability.
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub exploits: Vec<Description>,
/// This is timeline information for significant events about this vulnerability or changes to the CVE Record.
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub timeline: Vec<Timeline>,
/// Statements acknowledging specific people, organizations, or tools recognizing the work done in researching, discovering, remediating or helping with activities related to this CVE.
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub credits: Vec<Credit>,
/// This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root).\n Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. it is part of a vendor statement) then it must contain at least one type of data entry.
#[serde(default, skip_serializing_if = "Option::is_none")]
pub source: Option<Value>,
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub tags: Vec<Tag>,
/// List of taxonomy items related to the vulnerability.
#[serde(default, skip_serializing_if = "Vec::is_empty")]
pub taxonomy_mappings: Vec<TaxonomyMapping>,
}
#[cfg(test)]
mod test {
use super::*;
#[test]
fn parse_metadata() {
let input = r#"
{
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-7088",
"datePublished": "2019-11-15T14:19:48",
"dateReserved": "2013-12-12T00:00:00",
"dateUpdated": "2019-11-15T14:19:48",
"state": "PUBLISHED"
}
"#;
let _metadata: Metadata = serde_json::from_str(input).unwrap();
}
#[test]
fn default_value_returns_general() {
let value = Scenario::default_value();
assert_eq!(value, "GENERAL");
}
}