Querying CVE XML elements at specific depth in PowerShell



This is probably really easy but I've been stuck for days. Obviously I'm inexperienced. I'm trying to strip data out of the National Vulnerability Database feeds which are stored in XML. The full file is available here: (https)://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2002.xml


I'm trying to iterate through all the elements so I can call their attributes inside the for loop and get the data I need.


Here is a sample. There are several hundred entries but they all share very similar structure.



<?xml version='1.0' encoding='UTF-8'?>
<nvd xmlns:scap-core="http://ift.tt/NzHmNH" xmlns:xsi="http://ift.tt/ra1lAU" xmlns:patch="http://ift.tt/NKMPjX" xmlns:vuln="http://ift.tt/NKMP3F" xmlns:cvss="http://ift.tt/1iVa5bi" xmlns:cpe-lang="http://ift.tt/10J2fMj" xmlns="http://ift.tt/NKMPjZ" pub_date="2014-11-05T04:44:52" xsi:schemaLocation="http://ift.tt/NKMPjX http://ift.tt/10J2gQi http://ift.tt/NzHmNH http://ift.tt/1otmQti http://ift.tt/NKMPjZ http://ift.tt/119xeSN" nvd_xml_version="2.0">
<entry id="CVE-1999-0004">
<vuln:vulnerable-configuration id="http://nvd.nist.gov/">
<cpe-lang:logical-test operator="OR" negate="false">
<cpe-lang:fact-ref name="cpe:/a:hp:dtmail"/>
<cpe-lang:fact-ref name="cpe:/a:university_of_washington:pine:4.02"/>
</cpe-lang:logical-test>
</vuln:vulnerable-configuration>
<vuln:vulnerable-configuration id="http://nvd.nist.gov/">
<cpe-lang:logical-test operator="OR" negate="false">
<cpe-lang:fact-ref name="cpe:/o:sco:unixware:7.0"/>
</cpe-lang:logical-test>
</vuln:vulnerable-configuration>
<vuln:vulnerable-software-list>
<vuln:product>cpe:/a:university_of_washington:pine:4.02</vuln:product>
<vuln:product>cpe:/o:sco:unixware:7.0</vuln:product>
<vuln:product>cpe:/a:hp:dtmail</vuln:product>
</vuln:vulnerable-software-list>
<vuln:cve-id>CVE-1999-0004</vuln:cve-id>
<vuln:published-datetime>1997-12-16T00:00:00.000-05:00</vuln:published-datetime>
<vuln:last-modified-datetime>2008-09-09T08:33:31.007-04:00</vuln:last-modified-datetime>
<vuln:cvss>
<cvss:base_metrics upgraded-from-version="1.0">
<cvss:score>5.0</cvss:score>
<cvss:access-vector approximated="true">NETWORK</cvss:access-vector>
<cvss:access-complexity>LOW</cvss:access-complexity>
<cvss:authentication>NONE</cvss:authentication>
<cvss:confidentiality-impact>NONE</cvss:confidentiality-impact>
<cvss:integrity-impact>NONE</cvss:integrity-impact>
<cvss:availability-impact>PARTIAL</cvss:availability-impact>
<cvss:source>http://ift.tt/10J2gQq</cvss:source>
<cvss:generated-on-datetime>2004-01-01T00:00:00.000-05:00</cvss:generated-on-datetime>
</cvss:base_metrics>
</vuln:cvss>
<vuln:references reference_type="UNKNOWN" xml:lang="en">
<vuln:source>MS</vuln:source>
<vuln:reference href="http://ift.tt/119xgtK" xml:lang="en">MS98-008</vuln:reference>
</vuln:references>
<vuln:summary>MIME buffer overflow in email clients, e.g. Solaris mailtool and Outlook.</vuln:summary>
</entry>
<entry id="CVE-1999-0005">
<vuln:vulnerable-configuration id="http://nvd.nist.gov/">
<cpe-lang:logical-test operator="OR" negate="false">
<cpe-lang:fact-ref name="cpe:/a:netscape:messaging_server:3.55"/>
<cpe-lang:fact-ref name="cpe:/a:university_of_washington:imap:10.234"/>
</cpe-lang:logical-test>
</vuln:vulnerable-configuration>
<vuln:vulnerable-software-list>
<vuln:product>cpe:/a:university_of_washington:imap:10.234</vuln:product>
<vuln:product>cpe:/a:netscape:messaging_server:3.55</vuln:product>
</vuln:vulnerable-software-list>
<vuln:cve-id>CVE-1999-0005</vuln:cve-id>
<vuln:published-datetime>1998-07-20T00:00:00.000-04:00</vuln:published-datetime>
<vuln:last-modified-datetime>2008-09-09T08:33:31.117-04:00</vuln:last-modified-datetime>
<vuln:cvss>
<cvss:base_metrics upgraded-from-version="1.0">
<cvss:score>10.0</cvss:score>
<cvss:access-vector approximated="true">NETWORK</cvss:access-vector>
<cvss:access-complexity>LOW</cvss:access-complexity>
<cvss:authentication>NONE</cvss:authentication>
<cvss:confidentiality-impact>COMPLETE</cvss:confidentiality-impact>
<cvss:integrity-impact>COMPLETE</cvss:integrity-impact>
<cvss:availability-impact>COMPLETE</cvss:availability-impact>
<cvss:source>http://ift.tt/10J2gQq</cvss:source>
<cvss:generated-on-datetime>2004-01-01T00:00:00.000-05:00</cvss:generated-on-datetime>
</cvss:base_metrics>
</vuln:cvss>
<vuln:security-protection>ALLOWS_ADMIN_ACCESS</vuln:security-protection>
<vuln:references reference_type="UNKNOWN" xml:lang="en">
<vuln:source>BID</vuln:source>
<vuln:reference href="http://ift.tt/1udvqD2" xml:lang="en">130</vuln:reference>
</vuln:references>
<vuln:references reference_type="UNKNOWN" xml:lang="en">
<vuln:source>SUN</vuln:source>
<vuln:reference href="http://ift.tt/1udvqD4" xml:lang="en">00177</vuln:reference>
</vuln:references>
<vuln:summary>Arbitrary command execution via IMAP buffer overflow in authenticate command.
</vuln:summary>
</entry>
</nvd>


Code:



#load Document
$xdoc = new-object System.Xml.XmlDocument
$file = resolve-path("D:\vt\nvdcve-2.0-2002.xml")
$xdoc.load($file)
#this is the only query I've written that actually returns anything
$nodes = $xdoc.SelectNodes("//*[@id]")
#but it will match the <vuln:vulnerable-configuration id="http://nvd.nist.gov/"> elements
#so when I try to start pulling values
foreach ($node in $nodes) {
    $id = $node.attributes['id'].value
    Write-Output $id
    #to-do get relevant childnode data and store it in an array
}


The output looks like this



CVE-1999-0004
http://nvd.nist.gov/
http://nvd.nist.gov/
CVE-1999-0005
http://nvd.nist.gov/


Thank you for taking the time to read my message. Respectfully, MM
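
One way to select only the top-level entry elements, as an added example that is not part of the original post: the feed declares a default namespace, so an unprefixed XPath such as /nvd/entry matches nothing, and the path has to be namespace-qualified. The prefix 'n' and the inline sample (trimmed from the entries above) are assumptions made for illustration.

```powershell
# Constructed sample, trimmed from the entries shown above (namespace URIs as they appear on the page).
$xml = @'
<?xml version='1.0' encoding='UTF-8'?>
<nvd xmlns:vuln="http://ift.tt/NKMP3F" xmlns:cvss="http://ift.tt/1iVa5bi" xmlns="http://ift.tt/NKMPjZ" nvd_xml_version="2.0">
  <entry id="CVE-1999-0004">
    <vuln:vulnerable-configuration id="http://nvd.nist.gov/"/>
    <vuln:cve-id>CVE-1999-0004</vuln:cve-id>
    <vuln:cvss><cvss:base_metrics><cvss:score>5.0</cvss:score></cvss:base_metrics></vuln:cvss>
    <vuln:summary>MIME buffer overflow in email clients, e.g. Solaris mailtool and Outlook.</vuln:summary>
  </entry>
  <entry id="CVE-1999-0005">
    <vuln:vulnerable-configuration id="http://nvd.nist.gov/"/>
    <vuln:cve-id>CVE-1999-0005</vuln:cve-id>
    <vuln:cvss><cvss:base_metrics><cvss:score>10.0</cvss:score></cvss:base_metrics></vuln:cvss>
    <vuln:summary>Arbitrary command execution via IMAP buffer overflow in authenticate command.</vuln:summary>
  </entry>
</nvd>
'@

$xdoc = New-Object System.Xml.XmlDocument
$xdoc.XmlResolver = $null   # do not resolve external DTDs/entities when parsing a downloaded feed
$xdoc.LoadXml($xml)         # for the real file: $xdoc.Load((Resolve-Path 'D:\vt\nvdcve-2.0-2002.xml').Path)

# <entry> lives in the document's default namespace, so XPath needs a prefix bound to it.
# The URIs are read from the root element instead of being hard-coded.
$root = $xdoc.DocumentElement
$ns = New-Object System.Xml.XmlNamespaceManager($xdoc.NameTable)
$ns.AddNamespace('n', $root.NamespaceURI)                      # 'n' is an arbitrary local prefix
$ns.AddNamespace('vuln', $root.GetNamespaceOfPrefix('vuln'))
$ns.AddNamespace('cvss', $root.GetNamespaceOfPrefix('cvss'))

# /n:nvd/n:entry matches only direct children of the root, not nested elements that carry an id.
$entries = foreach ($entry in $xdoc.SelectNodes('/n:nvd/n:entry', $ns)) {
    $score   = $entry.SelectSingleNode('vuln:cvss/cvss:base_metrics/cvss:score', $ns)
    $summary = $entry.SelectSingleNode('vuln:summary', $ns)
    [pscustomobject]@{
        Id      = $entry.GetAttribute('id')
        Score   = if ($score)   { [double]$score.InnerText }   else { $null }  # CVSS block may be absent
        Summary = if ($summary) { $summary.InnerText.Trim() } else { $null }
    }
}
$entries | Format-Table -AutoSize
```

Child lookups are relative to each entry node, so the same pattern extends to vuln:product or vuln:references by adding further relative paths.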

