Merged
@@ -13,7 +13,11 @@
"links": [
"https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4493470",
"https://support.microsoft.com/help/4493470"
]
],
"available": {
"date": "2019-11-12",
"kind": "advisory"
}
},
{
"id": "4494440",
@@ -22,7 +26,11 @@
"links": [
"https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4494440",
"https://support.microsoft.com/help/4494440"
]
],
"available": {
"date": "2019-11-12",
"kind": "advisory"
}
},
{
"id": "4503267",
@@ -31,7 +39,11 @@
"links": [
"https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4503267",
"https://support.microsoft.com/en-us/help/4503267"
]
],
"available": {
"date": "2019-11-12",
"kind": "advisory"
}
},
{
"id": "4507460",
@@ -40,7 +52,11 @@
"links": [
"https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4507460",
"https://support.microsoft.com/help/4507460"
]
],
"available": {
"date": "2019-11-12",
"kind": "advisory"
}
},
{
"id": "4512517",
@@ -49,7 +65,11 @@
"links": [
"https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4512517",
"https://support.microsoft.com/help/4512517"
]
],
"available": {
"date": "2019-11-12",
"kind": "advisory"
}
},
{
"id": "4516044",
@@ -58,7 +78,11 @@
"links": [
"https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4516044",
"https://support.microsoft.com/help/4516044"
]
],
"available": {
"date": "2019-11-12",
"kind": "advisory"
}
}
],
"id": "CVE-2019-0671",
@@ -90,79 +114,119 @@
"is_latest": false,
"links": [
"https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4093119"
]
],
"available": {
"date": "2019-11-12",
"kind": "advisory"
}
},
{
"id": "4103723",
"is_first": false,
"is_latest": false,
"links": [
"https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4103723"
]
],
"available": {
"date": "2019-11-12",
"kind": "advisory"
}
},
{
"id": "4284880",
"is_first": false,
"is_latest": false,
"links": [
"https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4284880"
]
],
"available": {
"date": "2019-11-12",
"kind": "advisory"
}
},
{
"id": "4338814",
"is_first": false,
"is_latest": false,
"links": [
"https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4338814"
]
],
"available": {
"date": "2019-11-12",
"kind": "advisory"
}
},
{
"id": "4343887",
"is_first": false,
"is_latest": false,
"links": [
"https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4343887"
]
],
"available": {
"date": "2019-11-12",
"kind": "advisory"
}
},
{
"id": "4345418",
"is_first": false,
"is_latest": true,
"links": [
"https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4345418"
]
],
"available": {
"date": "2019-11-12",
"kind": "advisory"
}
},
{
"id": "4457131",
"is_first": false,
"is_latest": false,
"links": [
"https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4457131"
]
],
"available": {
"date": "2019-11-12",
"kind": "advisory"
}
},
{
"id": "4462917",
"is_first": false,
"is_latest": false,
"links": [
"https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4462917"
]
],
"available": {
"date": "2019-11-12",
"kind": "advisory"
}
},
{
"id": "4467691",
"is_first": false,
"is_latest": false,
"links": [
"https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4467691"
]
],
"available": {
"date": "2019-11-12",
"kind": "advisory"
}
},
{
"id": "4471321",
"is_first": false,
"is_latest": true,
"links": [
"https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4471321"
]
],
"available": {
"date": "2019-11-12",
"kind": "advisory"
}
}
],
"id": "CVE-2018-8116",
18 changes: 14 additions & 4 deletions pkg/process/v6/transformers/msrc/transform.go
@@ -73,7 +73,7 @@ func getRanges(vuln unmarshal.MSRCVulnerability) []grypeDB.AffectedRange {
}

func getFix(vuln unmarshal.MSRCVulnerability) *grypeDB.Fix {
fixedInVersion := fixedInKB(vuln)
fixedInVersion, fixDetail := fixedInKB(vuln)

fixState := grypeDB.FixedStatus
if fixedInVersion == "" {
@@ -83,18 +83,28 @@ func getFix(vuln unmarshal.MSRCVulnerability) *grypeDB.Fix {
return &grypeDB.Fix{
Version: fixedInVersion,
State: fixState,
Detail: fixDetail,
}
}

// fixedInKB finds the "latest" patch (KB id) amongst the available microsoft patches and returns it
// if the "latest" patch cannot be found, an empty string is returned
func fixedInKB(vulnerability unmarshal.MSRCVulnerability) string {
func fixedInKB(vulnerability unmarshal.MSRCVulnerability) (string, *grypeDB.FixDetail) {
for _, fixedIn := range vulnerability.FixedIn {
if fixedIn.IsLatest {
return fixedIn.ID
var detail *grypeDB.FixDetail
if fixedIn.Available.Date != "" {
detail = &grypeDB.FixDetail{
Available: &grypeDB.FixAvailability{
Date: internal.ParseTime(fixedIn.Available.Date),
Kind: fixedIn.Available.Kind,
Contributor

Does this need to have a non-empty kind to be processed correctly downstream?

Contributor Author

I thought about it but decided that the date information was the primary / most important information here (a missing kind probably shouldn't block a date being conveyed).

},
}
}
return fixedIn.ID, detail
}
}
return ""
return "", nil
}

func getReferences(vuln unmarshal.MSRCVulnerability) []grypeDB.Reference {
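Review bot: The guard in `fixedInKB` only skips an empty `Available.Date`, so a non-empty but malformed date would still produce a `FixDetail` whose `Available.Date` is whatever `internal.ParseTime` returns on failure (presumably nil, but that helper is outside this diff). The database record would then carry an availability kind with no date, which is hard to tell apart from a real entry downstream. I would parse first and build the detail only on success: `if date := internal.ParseTime(fixedIn.Available.Date); date != nil { ... Date: date ... }`. The doc comment above `fixedInKB` also still describes a single string result; it should state that the second result is nil when there is no latest KB or no availability date.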
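--- a/pkg/process/v6/transformers/msrc/transform_test.go
+++ b/pkg/process/v6/transformers/msrc/transform_test.go
@@ -96,6 +96,12 @@ func TestParseMSRCEntry(t *testing.T) {
 Fix: &grypeDB.Fix{
 Version: "4516044",
 State: grypeDB.FixedStatus,
+Detail: &grypeDB.FixDetail{
+Available: &grypeDB.FixAvailability{
+Date: timePtr(time.Date(2019, 11, 12, 0, 0, 0, 0, time.UTC)),
+Kind: "advisory",
+},
+},
 },
 },
 },
@@ -155,6 +161,12 @@ func TestParseMSRCEntry(t *testing.T) {
 Fix: &grypeDB.Fix{
 Version: "4345418",
 State: grypeDB.FixedStatus,
+Detail: &grypeDB.FixDetail{
+Available: &grypeDB.FixAvailability{
+Date: timePtr(time.Date(2019, 11, 12, 0, 0, 0, 0, time.UTC)),
+Kind: "advisory",
+},
+},
 },
 },
 },
@@ -183,3 +195,7 @@ func TestParseMSRCEntry(t *testing.T) {
 }
 }
 }
+
+func timePtr(t time.Time) *time.Time {
+return &t
+}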
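Review bot: Both updated expectations in `TestParseMSRCEntry` cover only a latest KB that carries an `available` block with a valid date; nothing in the visible hunks exercises the `fixedIn.Available.Date == ""` path that leaves `Detail` nil. A fixture entry whose latest `fixed_in` item has no `available` key, with the expected `Fix` asserting `Detail: nil`, would pin that behaviour. A case with an unparsable date string would show what `internal.ParseTime` hands back in that situation. The body of `TestParseMSRCEntry` extends beyond these hunks, so such cases may already exist outside the shown lines.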
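--- a/pkg/provider/unmarshal/msrc_vulnerability.go
+++ b/pkg/provider/unmarshal/msrc_vulnerability.go
@@ -12,10 +12,14 @@ type MSRCVulnerability struct {
 Vector string `json:"vector"`
 } `json:"cvss"`
 FixedIn []struct {
-ID string `json:"id"`
-IsFirst bool `json:"is_first"`
-IsLatest bool `json:"is_latest"`
-Links []string `json:"links"`
+ID string `json:"id"`
+IsFirst bool `json:"is_first"`
+IsLatest bool `json:"is_latest"`
+Links []string `json:"links"`
+Available struct {
+Date string `json:"date,omitempty"`
+Kind string `json:"kind,omitempty"`
+} `json:"available,omitempty"`
 } `json:"fixed_in"`
 ID string `json:"id"`
 Link string `json:"link"`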
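Review bot: The `omitempty` option on the `Available` field has no effect, because encoding/json never treats a struct value as empty; if `MSRCVulnerability` is ever marshalled, every `fixed_in` entry will be written with an `"available":{}` object. If the type is only decoded, the option is harmless but misleading. Either drop `,omitempty` from the `available` tag, or make the field a pointer to the struct so that absence is representable. The pointer form would need a nil check where `fixedIn.Available.Date` is read in transform.go.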