11 files changed, 127 insertions, 22 deletions

diff --git a/bin/mitre/datasource_2010.json b/bin/mitre/datasource_2010.json
new file mode 100755
index 00000000..547de7a8
--- /dev/null
+++ b/bin/mitre/datasource_2010.json
@@ -0,0 +1,18 @@
+{
+  "datasource" : [
+    {
+      "key" : "0020-mitre-2010",
+      "data" : "cve",
+      "source" : "mitre",
+      "name" : "MITRE",
+      "description" : "MITRE 2010",
+      "cve_filter" : "CVE-2010",
+      "init" : "bin/mitre/srtool_mitre.py --download-only --source='Mitre 2010' --file=data/allitems-cvrf-year-2010.xml --url-file=allitems-cvrf-year-2010.xml",
+      "update" : "bin/mitre/srtool_mitre.py --download-only --source='Mitre 2010' --file=data/allitems-cvrf-year-2010.xml --url-file=allitems-cvrf-year-2010.xml",
+      "lookup" : "bin/mitre/srtool_mitre.py --file=data/allitems-cvrf-year-2010.xml %command%",
+      "update_frequency" : "3",
+      "_comment_" : "Update on Saturdays at 2:00 am",
+      "update_time" : "{\"weekday\":\"5\",\"hour\":\"2\"}"
+    }
+  ]
+}
diff --git a/bin/mitre/datasource_2011.json b/bin/mitre/datasource_2011.json
new file mode 100755
index 00000000..2138154a
--- /dev/null
+++ b/bin/mitre/datasource_2011.json
@@ -0,0 +1,18 @@
+{
+  "datasource" : [
+    {
+      "key" : "0020-mitre-2011",
+      "data" : "cve",
+      "source" : "mitre",
+      "name" : "MITRE",
+      "description" : "MITRE 2011",
+      "cve_filter" : "CVE-2011",
+      "init" : "bin/mitre/srtool_mitre.py --download-only --source='Mitre 2011' --file=data/allitems-cvrf-year-2011.xml --url-file=allitems-cvrf-year-2011.xml",
+      "update" : "bin/mitre/srtool_mitre.py --download-only --source='Mitre 2011' --file=data/allitems-cvrf-year-2011.xml --url-file=allitems-cvrf-year-2011.xml",
+      "lookup" : "bin/mitre/srtool_mitre.py --file=data/allitems-cvrf-year-2011.xml %command%",
+      "update_frequency" : "3",
+      "_comment_" : "Update on Saturdays at 2:00 am",
+      "update_time" : "{\"weekday\":\"5\",\"hour\":\"2\"}"
+    }
+  ]
+}
diff --git a/bin/mitre/datasource_2012.json b/bin/mitre/datasource_2012.json
new file mode 100755
index 00000000..49f32562
--- /dev/null
+++ b/bin/mitre/datasource_2012.json
@@ -0,0 +1,18 @@
+{
+  "datasource" : [
+    {
+      "key" : "0020-mitre-2012",
+      "data" : "cve",
+      "source" : "mitre",
+      "name" : "MITRE",
+      "description" : "MITRE 2012",
+      "cve_filter" : "CVE-2012",
+      "init" : "bin/mitre/srtool_mitre.py --download-only --source='Mitre 2012' --file=data/allitems-cvrf-year-2012.xml --url-file=allitems-cvrf-year-2012.xml",
+      "update" : "bin/mitre/srtool_mitre.py --download-only --source='Mitre 2012' --file=data/allitems-cvrf-year-2012.xml --url-file=allitems-cvrf-year-2012.xml",
+      "lookup" : "bin/mitre/srtool_mitre.py --file=data/allitems-cvrf-year-2012.xml %command%",
+      "update_frequency" : "3",
+      "_comment_" : "Update on Saturdays at 2:00 am",
+      "update_time" : "{\"weekday\":\"5\",\"hour\":\"2\"}"
+    }
+  ]
+}
diff --git a/bin/mitre/datasource_2013.json b/bin/mitre/datasource_2013.json
new file mode 100755
index 00000000..d18fe739
--- /dev/null
+++ b/bin/mitre/datasource_2013.json
@@ -0,0 +1,18 @@
+{
+  "datasource" : [
+    {
+      "key" : "0020-mitre-2013",
+      "data" : "cve",
+      "source" : "mitre",
+      "name" : "MITRE",
+      "description" : "MITRE 2013",
+      "cve_filter" : "CVE-2013",
+      "init" : "bin/mitre/srtool_mitre.py --download-only --source='Mitre 2013' --file=data/allitems-cvrf-year-2013.xml --url-file=allitems-cvrf-year-2013.xml",
+      "update" : "bin/mitre/srtool_mitre.py --download-only --source='Mitre 2013' --file=data/allitems-cvrf-year-2013.xml --url-file=allitems-cvrf-year-2013.xml",
+      "lookup" : "bin/mitre/srtool_mitre.py --file=data/allitems-cvrf-year-2013.xml %command%",
+      "update_frequency" : "3",
+      "_comment_" : "Update on Saturdays at 2:00 am",
+      "update_time" : "{\"weekday\":\"5\",\"hour\":\"2\"}"
+    }
+  ]
+}
diff --git a/bin/mitre/datasource_2014.json b/bin/mitre/datasource_2014.json
new file mode 100755
index 00000000..fc469f99
--- /dev/null
+++ b/bin/mitre/datasource_2014.json
@@ -0,0 +1,18 @@
+{
+  "datasource" : [
+    {
+      "key" : "0020-mitre-2014",
+      "data" : "cve",
+      "source" : "mitre",
+      "name" : "MITRE",
+      "description" : "MITRE 2014",
+      "cve_filter" : "CVE-2014",
+      "init" : "bin/mitre/srtool_mitre.py --download-only --source='Mitre 2014' --file=data/allitems-cvrf-year-2014.xml --url-file=allitems-cvrf-year-2014.xml",
+      "update" : "bin/mitre/srtool_mitre.py --download-only --source='Mitre 2014' --file=data/allitems-cvrf-year-2014.xml --url-file=allitems-cvrf-year-2014.xml",
+      "lookup" : "bin/mitre/srtool_mitre.py --file=data/allitems-cvrf-year-2014.xml %command%",
+      "update_frequency" : "3",
+      "_comment_" : "Update on Saturdays at 2:00 am",
+      "update_time" : "{\"weekday\":\"5\",\"hour\":\"2\"}"
+    }
+  ]
+}
diff --git a/bin/mitre/datasource_2015.json b/bin/mitre/datasource_2015.json
index 0ce89f12..e91f7bd0 100755
--- a/bin/mitre/datasource_2015.json
+++ b/bin/mitre/datasource_2015.json
@@ -7,8 +7,8 @@
       "name" : "MITRE",
       "description" : "MITRE 2015",
       "cve_filter" : "CVE-2015",
-      "init" : "bin/mitre/srtool_mitre.py -I --source='Mitre 2015' --file=data/allitems-cvrf-year-2015.xml --url-file=allitems-cvrf-year-2015.xml",
-      "update" : "bin/mitre/srtool_mitre.py -u --source='Mitre 2015' --file=data/allitems-cvrf-year-2015.xml --url-file=allitems-cvrf-year-2015.xml",
+      "init" : "bin/mitre/srtool_mitre.py --initialize --source='Mitre 2015' --file=data/allitems-cvrf-year-2015.xml --url-file=allitems-cvrf-year-2015.xml",
+      "update" : "bin/mitre/srtool_mitre.py --update --source='Mitre 2015' --file=data/allitems-cvrf-year-2015.xml --url-file=allitems-cvrf-year-2015.xml",
       "lookup" : "bin/mitre/srtool_mitre.py --file=data/allitems-cvrf-year-2015.xml %command%",
       "update_frequency" : "3",
       "_comment_" : "Update on Saturdays at 2:00 am",
diff --git a/bin/mitre/datasource_2016.json b/bin/mitre/datasource_2016.json
index 36ca814f..5fba94b6 100755
--- a/bin/mitre/datasource_2016.json
+++ b/bin/mitre/datasource_2016.json
@@ -7,8 +7,8 @@
       "name" : "MITRE",
       "description" : "MITRE 2016",
       "cve_filter" : "CVE-2016",
-      "init" : "bin/mitre/srtool_mitre.py -I --source='Mitre 2016' --file=data/allitems-cvrf-year-2016.xml --url-file=allitems-cvrf-year-2016.xml",
-      "update" : "bin/mitre/srtool_mitre.py -u --source='Mitre 2016' --file=data/allitems-cvrf-year-2016.xml --url-file=allitems-cvrf-year-2016.xml",
+      "init" : "bin/mitre/srtool_mitre.py --initialize --source='Mitre 2016' --file=data/allitems-cvrf-year-2016.xml --url-file=allitems-cvrf-year-2016.xml",
+      "update" : "bin/mitre/srtool_mitre.py --update --source='Mitre 2016' --file=data/allitems-cvrf-year-2016.xml --url-file=allitems-cvrf-year-2016.xml",
       "lookup" : "bin/mitre/srtool_mitre.py --file=data/allitems-cvrf-year-2016.xml %command%",
       "update_frequency" : "3",
       "_comment_" : "Update on Saturdays at 2:00 am",
diff --git a/bin/mitre/datasource_2017.json b/bin/mitre/datasource_2017.json
index 2b326bf4..9047fd5e 100755
--- a/bin/mitre/datasource_2017.json
+++ b/bin/mitre/datasource_2017.json
@@ -7,8 +7,8 @@
       "name" : "MITRE",
       "description" : "MITRE 2017",
       "cve_filter" : "CVE-2017",
-      "init" : "bin/mitre/srtool_mitre.py -I --source='Mitre 2017' --file=data/allitems-cvrf-year-2017.xml --url-file=allitems-cvrf-year-2017.xml",
-      "update" : "bin/mitre/srtool_mitre.py -u --source='Mitre 2017' --file=data/allitems-cvrf-year-2017.xml --url-file=allitems-cvrf-year-2017.xml",
+      "init" : "bin/mitre/srtool_mitre.py --initialize --source='Mitre 2017' --file=data/allitems-cvrf-year-2017.xml --url-file=allitems-cvrf-year-2017.xml",
+      "update" : "bin/mitre/srtool_mitre.py --update --source='Mitre 2017' --file=data/allitems-cvrf-year-2017.xml --url-file=allitems-cvrf-year-2017.xml",
       "lookup" : "bin/mitre/srtool_mitre.py --file=data/allitems-cvrf-year-2017.xml %command%",
       "update_frequency" : "3",
       "_comment_" : "Update on Saturdays at 2:00 am",
diff --git a/bin/mitre/datasource_2018.json b/bin/mitre/datasource_2018.json
index ebb6eff2..567c46bd 100755
--- a/bin/mitre/datasource_2018.json
+++ b/bin/mitre/datasource_2018.json
@@ -7,8 +7,8 @@
       "name" : "MITRE",
       "description" : "MITRE 2018",
       "cve_filter" : "CVE-2018",
-      "init" : "bin/mitre/srtool_mitre.py -I --source='Mitre 2018' --file=data/allitems-cvrf-year-2018.xml --url-file=allitems-cvrf-year-2018.xml",
-      "update" : "bin/mitre/srtool_mitre.py -u --source='Mitre 2018' --file=data/allitems-cvrf-year-2018.xml --url-file=allitems-cvrf-year-2018.xml",
+      "init" : "bin/mitre/srtool_mitre.py --initialize --source='Mitre 2018' --file=data/allitems-cvrf-year-2018.xml --url-file=allitems-cvrf-year-2018.xml",
+      "update" : "bin/mitre/srtool_mitre.py --update --source='Mitre 2018' --file=data/allitems-cvrf-year-2018.xml --url-file=allitems-cvrf-year-2018.xml",
       "lookup" : "bin/mitre/srtool_mitre.py --file=data/allitems-cvrf-year-2018.xml %command%",
       "update_frequency" : "3",
       "_comment_" : "Update on Saturdays at 2:00 am",
diff --git a/bin/mitre/datasource_2019.json b/bin/mitre/datasource_2019.json
index 7113aa95..f106f88f 100755
--- a/bin/mitre/datasource_2019.json
+++ b/bin/mitre/datasource_2019.json
@@ -7,8 +7,8 @@
       "name" : "MITRE",
       "description" : "MITRE 2019",
       "cve_filter" : "CVE-2019",
-      "init" : "bin/mitre/srtool_mitre.py -I --source='Mitre 2019' --file=data/allitems-cvrf-year-2019.xml --url-file=allitems-cvrf-year-2019.xml",
-      "update" : "bin/mitre/srtool_mitre.py -u --source='Mitre 2019' --file=data/allitems-cvrf-year-2019.xml --url-file=allitems-cvrf-year-2019.xml",
+      "init" : "bin/mitre/srtool_mitre.py --initialize --source='Mitre 2019' --file=data/allitems-cvrf-year-2019.xml --url-file=allitems-cvrf-year-2019.xml",
+      "update" : "bin/mitre/srtool_mitre.py --update --source='Mitre 2019' --file=data/allitems-cvrf-year-2019.xml --url-file=allitems-cvrf-year-2019.xml",
       "lookup" : "bin/mitre/srtool_mitre.py --file=data/allitems-cvrf-year-2019.xml %command%",
       "update_frequency" : "3",
       "_comment_" : "Update on Saturdays at 2:00 am",
diff --git a/bin/mitre/srtool_mitre.py b/bin/mitre/srtool_mitre.py
index 3c6af89d..3928e51e 100755
--- a/bin/mitre/srtool_mitre.py
+++ b/bin/mitre/srtool_mitre.py
@@ -113,15 +113,16 @@ def get_cve_default_status(is_init,publishedDate,description):
     if is_init:
         # Note: the NIST 'published date' is in the format "2017-05-11", so do a simple string compare
         #print("INIT status: %s versus %s" % (init_new_date,publishedDate))
-        if not publishedDate or (publishedDate > init_new_date):
-            # Is this reserved by Mitre? Is '** RESERVED **' within the first 20 char positions?
-            reserved_pos = description.find('** RESERVED **')
-            if (0 <= reserved_pos) and (20 > reserved_pos):
-                return ORM.STATUS_NEW_RESERVED
-            else:
+#        if not publishedDate or (publishedDate > init_new_date):
+#            # Is this reserved by Mitre? Is '** RESERVED **' within the first 20 char positions?
+#            reserved_pos = description.find('** RESERVED **')
+#            if (0 <= reserved_pos) and (20 > reserved_pos):
+#                return ORM.STATUS_NEW_RESERVED
+#            else:
+        if True:
                 return ORM.STATUS_NEW
-        else:
-            return ORM.STATUS_HISTORICAL
+#        else:
+#            return ORM.STATUS_HISTORICAL
     else:
         return ORM.STATUS_NEW
 
@@ -276,6 +277,7 @@ def append_cve_database(is_init,file_xml):
     cur_write = conn.cursor()
     cur_ds = conn.cursor()
     datasource_id = 0
+    srtool_today = datetime.today()
 
     i = 0
     for child in root:
@@ -317,12 +319,19 @@ def append_cve_database(is_init,file_xml):
             # Get the default CVE status
             status = get_cve_default_status(is_init,summary['Published'],summary['Description'])
 
-            sql = ''' INSERT into orm_cve (name, name_sort, priority, status, comments, comments_private, cve_data_type, cve_data_format, cve_data_version, public, publish_state, publish_date, description, publishedDate, lastModifiedDate, recommend, recommend_list, cvssV3_baseScore, cvssV3_baseSeverity, cvssV2_baseScore, cvssV2_severity, srt_updated, packages)
-            VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)'''
-            cur.execute(sql, (cve_name, get_name_sort(cve_name), ORM.PRIORITY_UNDEFINED, status, '', '', 'CVE', 'MITRE', '', 1, ORM.PUBLISH_UNPUBLISHED, '', summary['Description'], summary['Published'], summary['Modified'],0, '', '', '', '', '', datetime.now(),''))
+            #                                0       1         2         3       4              5           6      7              8                9                10           11             12                13          14           15            16               17               18           19                20                   21                22            23           24           25
+            sql = ''' INSERT into orm_cve (name, name_sort, priority, status, comments, comments_private, tags, cve_data_type, cve_data_format, cve_data_version, public, publish_state, publish_date, acknowledge_date, description, publishedDate, lastModifiedDate, recommend, recommend_list, cvssV3_baseScore, cvssV3_baseSeverity, cvssV2_baseScore, cvssV2_severity, srt_updated, srt_created, packages)
+            VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)'''
+            cur.execute(sql, (cve_name, get_name_sort(cve_name), ORM.PRIORITY_UNDEFINED, status, '', '', '', 'CVE', 'MITRE', '', 1, ORM.PUBLISH_UNPUBLISHED, '', summary['Description'], summary['Published'], summary['Modified'],0, '', '', '', '', '', '', datetime.now(), datetime.now(),''))
+            #                    0         1                        2                      3     4   5    6    7       8      9 10     11                    12           13                      14                    15        16  17  18  19  20  21  22     23          24              25
             cve_id = cur.lastrowid
             print("MITRE:ADDED %20s\r" % cve_name)
 
+            # Also create CVE history entry
+            update_comment = "%s {%s}" % (ORM.UPDATE_CREATE_STR % ORM.UPDATE_SOURCE_CVE,'Created from MITRE')
+            sql = '''INSERT INTO orm_cvehistory (cve_id, comment, date, author) VALUES (?,?,?,?)'''
+            cur.execute(sql, (cve_id,update_comment,srtool_today,ORM.USER_SRTOOL_NAME,) )
+
         # Add this data source to the CVE
         sql = '''SELECT * FROM orm_cvesource WHERE cve_id=? AND datasource_id=? '''
         if not cur_ds.execute(sql, (cve_id,datasource_id)).fetchone():
@@ -405,13 +414,16 @@ def main(argv):
     # setup
 
     parser = argparse.ArgumentParser(description='srtool_mitre.py: manage Mitre CVE data')
-    parser.add_argument('--initialize', '-I', action='store_const', const='init_mitre', dest='command', help='Download the Mitre source CVE file')
+    parser.add_argument('--initialize', '-I', action='store_const', const='init_mitre', dest='command', help='Download the Mitre source CVE file, add CVEs')
     parser.add_argument('--update', '-u', action='store_const', const='update_mitre', dest='command', help='Update the Mitre source CVE file')
     parser.add_argument('--source', dest='source', help='Local CVE source file')
     parser.add_argument('--url-file', dest='url_file', help='CVE URL extension')
+    parser.add_argument('--download-only', action='store_const', const='download_mitre', dest='command', help='Download the Mitre source CVE file only')
     parser.add_argument('--cve-detail', '-d', dest='cve_detail', help='Fetch CVE detail')
     parser.add_argument('--file', dest='cve_file', help='Local CVE source file')
+
     parser.add_argument('--force', '-f', action='store_true', dest='force_update', help='Force update')
+    parser.add_argument('--update-skip-history', '-H', action='store_true', dest='update_skip_history', help='Skip history updates')
     parser.add_argument('--verbose', '-v', action='store_true', dest='is_verbose', help='Enable verbose debugging output')
     parser.add_argument('--dump', '-D', action='store_const', const='dump', dest='command', help='test dump data')
     parser.add_argument('--dump2', '-2', action='store_const', const='dump2', dest='command', help='test dump data')
@@ -449,12 +461,15 @@ def main(argv):
         print("ERROR: missing --url_file parameter")
         exit(1)
 
+    # Currently no different between initialize and update actions
     if 'init_mitre' == args.command:
         init_mitre_file(args.source,args.url_file,args.cve_file,args.force_update)
         append_cve_database(True,args.cve_file)
     elif 'update_mitre' == args.command:
         init_mitre_file(args.source,args.url_file,args.cve_file,args.force_update)
         append_cve_database(False,args.cve_file)
+    elif 'download_mitre' == args.command:
+        init_mitre_file(args.source,args.url_file,args.cve_file,args.force_update)
     else:
         print("Command not found")