Fixed Version compare for issue #179

2013-05-06 22:33:18 +02:00
parent ebe35cb7b2
commit 77ebd9d4fd
5 changed files with 32 additions and 5 deletions
--- a/data/plugin_vulns.xml
+++ b/data/plugin_vulns.xml
@@ -3144,6 +3144,7 @@
      <reference>http://blog.sucuri.net/2013/04/update-wp-super-cache-and-w3tc-immediately-remote-code-execution-vulnerability-disclosed.html</reference>
      <metasploit>exploits/unix/webapp/php_wordpress_total_cache</metasploit>
      <type>RCE</type>
+      <fixed_in>0.9.2.9</fixed_in>
    </vulnerability>
  </plugin>

--- a/data/vuln.xsd
+++ b/data/vuln.xsd
@@ -51,6 +51,7 @@
      <xs:element name="reference" type="uritype" maxOccurs="unbounded" minOccurs="1"/>
      <xs:element name="metasploit" type="stringtype" maxOccurs="unbounded" minOccurs="0"/>
      <xs:element name="type" type="typetype"/>
+      <xs:element name="fixed_in" type="stringtype" minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>

--- a/lib/common/models/vulnerability.rb
+++ b/lib/common/models/vulnerability.rb
@@ -5,20 +5,22 @@ require 'vulnerability/output'
 class Vulnerability
  include Vulnerability::Output

-  attr_accessor :title, :references, :type, :metasploit_modules
+  attr_accessor :title, :references, :type, :fixed_in, :metasploit_modules

  #
  # @param [ String ] title The title of the vulnerability
  # @param [ String ] type  The type of the vulnerability
  # @param [ Array ] references References urls
  # @param [ Array ] metasploit_modules Metasploit modules for the vulnerability
+	# @param [ String ] fixed_in  Vuln fixed in Version X
  #
  # @return [ Vulnerability ]
-  def initialize(title, type, references, metasploit_modules = [])
+  def initialize(title, type, references, metasploit_modules = [], fixed_in)
    @title              = title
    @type               = type
    @references         = references
    @metasploit_modules = metasploit_modules
+    @fixed_in						= fixed_in
  end

  # @param [ Vulnerability ] other
@@ -26,7 +28,11 @@ class Vulnerability
  # @return [ Boolean ]
  # :nocov:
  def ==(other)
-    title == other.title && type == other.type && references == other.references
+    title == other.title &&
+        type == other.type &&
+        references == other.references &&
+        fixed_in == other.fixed_in &&
+        metasploit_modules == other.metasploit_modules
  end
  # :nocov:

@@ -40,7 +46,8 @@ class Vulnerability
      xml_node.search('title').text,
      xml_node.search('type').text,
      xml_node.search('reference').map(&:text),
-      xml_node.search('metasploit').map(&:text)
+      xml_node.search('metasploit').map(&:text),
+      xml_node.search('fixed_in').text
    )
  end

--- a/lib/common/models/wp_item/vulnerable.rb
+++ b/lib/common/models/wp_item/vulnerable.rb
@@ -12,7 +12,18 @@ class WpItem
      vulnerabilities = Vulnerabilities.new

      xml.xpath(vulns_xpath).each do |node|
-        vulnerabilities << Vulnerability.load_from_xml_node(node)
+        vuln = Vulnerability.load_from_xml_node(node)
+        if vuln
+          if version && vuln.fixed_in && !vuln.fixed_in.empty?
+            if VersionCompare::is_newer_or_same?(vuln.fixed_in, version)
+              # "Hooray, fixed"
+            else
+              vulnerabilities << vuln
+            end
+          else
+            vulnerabilities << vuln
+          end
+        end
      end
      vulnerabilities
    end
--- a/lib/common/version_compare.rb
+++ b/lib/common/version_compare.rb
@@ -0,0 +1,7 @@
+# encoding: UTF-8
+
+class VersionCompare
+	def self.is_newer_or_same?(version1, version2)
+		(version1 == version2) || (Gem::Version.new(version1) < Gem::Version.new(version2))
+	end
+end