fix: Single quotes can trip Hugo YAML unmarshaler. (#62)

Signed-off-by: Simar <[email protected]> Signed-off-by: Simar <[email protected]>
aquasecurity · Sep 5, 2022 · ffa86e8 · ffa86e8
1 parent eeed611
commit ffa86e8
Show file tree

Hide file tree

Showing 4 changed files with 169 additions and 2 deletions.
diff --git a/docGen/main_test.go b/docGen/main_test.go
@@ -16,5 +16,5 @@ func (fakeClock) Now(format ...string) string {
 func TestGetAllFiles(t *testing.T) {
 	actual, err := getAllFiles("../goldens/json/nvd")
 	require.NoError(t, err)
-	assert.Equal(t, []string{"../goldens/json/nvd/CVE-2020-0001.json", "../goldens/json/nvd/CVE-2020-0002.json", "../goldens/json/nvd/CVE-2020-11932.json"}, actual)
+	assert.Equal(t, []string{"../goldens/json/nvd/CVE-2020-0001.json", "../goldens/json/nvd/CVE-2020-0002.json", "../goldens/json/nvd/CVE-2020-11932.json", "../goldens/json/nvd/CVE-2022-2788.json"}, actual)
 }
diff --git a/docGen/nvd.go b/docGen/nvd.go
@@ -404,7 +404,7 @@ func parseVulnerabilityJSONFile(fileName string) (VulnerabilityPost, error) {
 	if err != nil {
 		return VulnerabilityPost{}, err
 	}
-	vuln.Description = strings.NewReplacer(`"`, ``, `\`, ``).Replace(string(v.GetStringBytes("cve", "description", "description_data", "0", "value")))
+	vuln.Description = strings.NewReplacer(`"`, ``, `\`, ``, `'`, ``).Replace(string(v.GetStringBytes("cve", "description", "description_data", "0", "value")))
 	vuln.ID = string(v.GetStringBytes("cve", "CVE_data_meta", "ID"))
 	vuln.CWEID = string(v.GetStringBytes("cve", "problemtype", "problemtype_data", "0", "description", "0", "value"))
 	vuln.CVSS = CVSS{

diff --git a/docGen/nvd_test.go b/docGen/nvd_test.go
@@ -108,6 +108,61 @@ func TestParseVulnerabilityJSONFile(t *testing.T) {
 				},
 			},
 		},
+		{
+			fileName: "../goldens/json/nvd/CVE-2022-2788.json",
+			expectedBlogPost: VulnerabilityPost{
+				Layout: "vulnerability",
+				Title:  "CVE-2022-2788",
+				By:     "NVD",
+				Date:   "2020-01-08 12:19:15 +0000",
+				Vulnerability: Vulnerability{
+					ID:          "CVE-2022-2788",
+					CWEID:       "CWE-269",
+					Description: "Emerson Electrics Proficy Machine Edition Version 9.80 and prior is vulnerable to CWE-29 Path Traversal: ..Filename, also known as a ZipSlip attack, through an upload procedure which enables attackers to implant a malicious .BLZ file on the PLC. The file can transfer through the engineering station onto Windows in a way that executes the malicious code.",
+					References: []string{
+						"https://source.android.com/security/bulletin/2020-01-01",
+					},
+					CVSS: CVSS{
+						V2Vector: "AV:L/AC:L/Au:N/C:C/I:C/A:C",
+						V2Score:  7.2,
+						V3Vector: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+						V3Score:  7.8,
+					},
+					Dates: Dates{
+						Published: "2020-01-08 12:19:15 +0000",
+						Modified:  "2020-01-14 12:21:52 +0000",
+					},
+					NVDSeverityV2: "HIGH",
+					NVDSeverityV3: "HIGH",
+					AffectedSoftware: []AffectedSoftware{
+						{
+							Name:         "android",
+							Vendor:       "google",
+							StartVersion: "8.0",
+							EndVersion:   "8.0",
+						},
+						{
+							Name:         "android",
+							Vendor:       "google",
+							StartVersion: "8.1",
+							EndVersion:   "8.1",
+						},
+						{
+							Name:         "android",
+							Vendor:       "google",
+							StartVersion: "9.0",
+							EndVersion:   "9.0",
+						},
+						{
+							Name:         "android",
+							Vendor:       "google",
+							StartVersion: "10.0",
+							EndVersion:   "10.0",
+						},
+					},
+				},
+			},
+		},
 	}
 	for _, tc := range testCases {
 		actual, err := parseVulnerabilityJSONFile(tc.fileName)

diff --git a/goldens/json/nvd/CVE-2022-2788.json b/goldens/json/nvd/CVE-2022-2788.json
@@ -0,0 +1,112 @@
+{
+  "configurations": {
+    "CVE_data_version": "4.0",
+    "nodes": [
+      {
+        "cpe_match": [
+          {
+            "cpe23Uri": "cpe:2.3:o:google:android:8.0:*:*:*:*:*:*:*",
+            "vulnerable": true
+          },
+          {
+            "cpe23Uri": "cpe:2.3:o:google:android:8.1:*:*:*:*:*:*:*",
+            "vulnerable": true
+          },
+          {
+            "cpe23Uri": "cpe:2.3:o:google:android:9.0:*:*:*:*:*:*:*",
+            "vulnerable": true
+          },
+          {
+            "cpe23Uri": "cpe:2.3:o:google:android:10.0:*:*:*:*:*:*:*",
+            "vulnerable": true
+          }
+        ],
+        "operator": "OR"
+      }
+    ]
+  },
+  "cve": {
+    "CVE_data_meta": {
+      "ASSIGNER": "[email protected]",
+      "ID": "CVE-2022-2788"
+    },
+    "data_format": "MITRE",
+    "data_type": "CVE",
+    "data_version": "4.0",
+    "description": {
+      "description_data": [
+        {
+          "lang": "en",
+          "value": "Emerson Electric's Proficy Machine Edition Version 9.80 and prior is vulnerable to CWE-29 Path Traversal: '\\..\\Filename', also known as a ZipSlip attack, through an upload procedure which enables attackers to implant a malicious .BLZ file on the PLC. The file can transfer through the engineering station onto Windows in a way that executes the malicious code."
+        }
+      ]
+    },
+    "problemtype": {
+      "problemtype_data": [
+        {
+          "description": [
+            {
+              "lang": "en",
+              "value": "CWE-269"
+            }
+          ]
+        }
+      ]
+    },
+    "references": {
+      "reference_data": [
+        {
+          "name": "https://source.android.com/security/bulletin/2020-01-01",
+          "refsource": "CONFIRM",
+          "tags": [
+            "Vendor Advisory"
+          ],
+          "url": "https://source.android.com/security/bulletin/2020-01-01"
+        }
+      ]
+    }
+  },
+  "impact": {
+    "baseMetricV2": {
+      "acInsufInfo": false,
+      "cvssV2": {
+        "accessComplexity": "LOW",
+        "accessVector": "LOCAL",
+        "authentication": "NONE",
+        "availabilityImpact": "COMPLETE",
+        "baseScore": 7.2,
+        "confidentialityImpact": "COMPLETE",
+        "integrityImpact": "COMPLETE",
+        "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
+        "version": "2.0"
+      },
+      "exploitabilityScore": 3.9,
+      "impactScore": 10,
+      "obtainAllPrivilege": false,
+      "obtainOtherPrivilege": false,
+      "obtainUserPrivilege": false,
+      "severity": "HIGH",
+      "userInteractionRequired": false
+    },
+    "baseMetricV3": {
+      "cvssV3": {
+        "attackComplexity": "LOW",
+        "attackVector": "LOCAL",
+        "availabilityImpact": "HIGH",
+        "baseScore": 7.8,
+        "baseSeverity": "HIGH",
+        "confidentialityImpact": "HIGH",
+        "integrityImpact": "HIGH",
+        "privilegesRequired": "LOW",
+        "scope": "UNCHANGED",
+        "userInteraction": "NONE",
+        "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+        "version": "3.1"
+      },
+      "exploitabilityScore": 1.8,
+      "impactScore": 5.9
+    }
+  },
+  "lastModifiedDate": "2020-01-14T21:52Z",
+  "publishedDate": "2020-01-08T19:15Z"
+}