leviathan
e4a600fef2
Adds per-CVE triage annotations that turn SKELETONKEY's JSON output
into something a SIEM/CTI/threat-intel pipeline can route on, and a
KEV badge in --list so operators see at-a-glance which modules
cover actively-exploited bugs.
New tool — tools/refresh-cve-metadata.py:
- Discovers CVEs by scanning modules/<dir>/ (no hardcoded list).
- Fetches CISA's Known Exploited Vulnerabilities catalog
(https://www.cisa.gov/.../known_exploited_vulnerabilities.csv).
- Fetches CWE classifications from NVD's CVE API 2.0
(services.nvd.nist.gov), throttled to the anonymous
5-req/30s limit (~3 minutes for 26 CVEs).
- Hand-curated ATT&CK technique mapping (T1068 default; T1611 for
container escapes, T1082 for kernel info leaks — MITRE doesn't
publish a clean CVE→technique feed).
- Generates three outputs:
docs/CVE_METADATA.json machine-readable, drift-checkable
docs/KEV_CROSSREF.md human-readable table
core/cve_metadata.c auto-generated lookup table
- --check mode diffs the committed JSON against a fresh fetch for
CI drift detection.
New core API — core/cve_metadata.{h,c}:
struct cve_metadata { cve, cwe, attack_technique, attack_subtechnique,
in_kev, kev_date_added };
const struct cve_metadata *cve_metadata_lookup(const char *cve);
Lookup keyed by CVE id, not module name — the metadata is properties
of the CVE (two modules covering the same bug see the same metadata).
The opsec_notes field stays on the module struct because exploit
technique varies per-module (different footprints).
Output surfacing:
- --list: new KEV column shows ★ for KEV-listed CVEs.
- --module-info (text): prints cwe / att&ck / 'in CISA KEV: YES (added
YYYY-MM-DD)' between summary and operations.
- --module-info / --scan (JSON): emits a 'triage' subobject with the
full record, plus an 'opsec_notes' field at top level when set.
Initial snapshot:
- 10 of 26 modules cover KEV-listed CVEs (dirty_cow, dirty_pipe,
pwnkit, sudo_samedit, ptrace_traceme, fuse_legacy, nf_tables,
overlayfs, overlayfs_setuid, netfilter_xtcompat).
- 24 of 26 have NVD CWE mappings; 2 unmapped (NVD has no weakness
record for CVE-2019-13272 and CVE-2026-46300 yet).
- All 26 mapped to an ATT&CK technique.
Verification:
- macOS local: 33 kernel_range + clean build, --module-info shows
'in CISA KEV: YES (added 2024-05-30)' for nf_tables, --list KEV
column renders.
- Linux (docker gcc:latest): 33 + 54 = 87 passes, 0 fails.
Follow-up commits will add per-module OPSEC notes and --explain mode.
237 lines
7.2 KiB
C
237 lines
7.2 KiB
C
/*
|
|
* SKELETONKEY — CVE metadata table
|
|
*
|
|
* AUTO-GENERATED by tools/refresh-cve-metadata.py from
|
|
* docs/CVE_METADATA.json. Do not hand-edit; rerun the script.
|
|
* Sources: CISA KEV catalog + NVD CVE API 2.0.
|
|
*/
|
|
|
|
#include "cve_metadata.h"
|
|
|
|
#include <stddef.h>
|
|
#include <string.h>
|
|
|
|
const struct cve_metadata cve_metadata_table[] = {
|
|
{
|
|
.cve = "CVE-2016-5195",
|
|
.cwe = "CWE-362",
|
|
.attack_technique = "T1068",
|
|
.attack_subtechnique = NULL,
|
|
.in_kev = true,
|
|
.kev_date_added = "2022-03-03",
|
|
},
|
|
{
|
|
.cve = "CVE-2017-7308",
|
|
.cwe = "CWE-681",
|
|
.attack_technique = "T1068",
|
|
.attack_subtechnique = NULL,
|
|
.in_kev = false,
|
|
.kev_date_added = "",
|
|
},
|
|
{
|
|
.cve = "CVE-2019-13272",
|
|
.cwe = NULL,
|
|
.attack_technique = "T1068",
|
|
.attack_subtechnique = NULL,
|
|
.in_kev = true,
|
|
.kev_date_added = "2021-12-10",
|
|
},
|
|
{
|
|
.cve = "CVE-2020-14386",
|
|
.cwe = "CWE-250",
|
|
.attack_technique = "T1068",
|
|
.attack_subtechnique = NULL,
|
|
.in_kev = false,
|
|
.kev_date_added = "",
|
|
},
|
|
{
|
|
.cve = "CVE-2021-22555",
|
|
.cwe = "CWE-787",
|
|
.attack_technique = "T1068",
|
|
.attack_subtechnique = NULL,
|
|
.in_kev = true,
|
|
.kev_date_added = "2025-10-06",
|
|
},
|
|
{
|
|
.cve = "CVE-2021-3156",
|
|
.cwe = "CWE-193",
|
|
.attack_technique = "T1068",
|
|
.attack_subtechnique = NULL,
|
|
.in_kev = true,
|
|
.kev_date_added = "2022-04-06",
|
|
},
|
|
{
|
|
.cve = "CVE-2021-33909",
|
|
.cwe = "CWE-190",
|
|
.attack_technique = "T1068",
|
|
.attack_subtechnique = NULL,
|
|
.in_kev = false,
|
|
.kev_date_added = "",
|
|
},
|
|
{
|
|
.cve = "CVE-2021-3493",
|
|
.cwe = "CWE-270",
|
|
.attack_technique = "T1068",
|
|
.attack_subtechnique = NULL,
|
|
.in_kev = true,
|
|
.kev_date_added = "2022-10-20",
|
|
},
|
|
{
|
|
.cve = "CVE-2021-4034",
|
|
.cwe = "CWE-787",
|
|
.attack_technique = "T1068",
|
|
.attack_subtechnique = NULL,
|
|
.in_kev = true,
|
|
.kev_date_added = "2022-06-27",
|
|
},
|
|
{
|
|
.cve = "CVE-2022-0185",
|
|
.cwe = "CWE-190",
|
|
.attack_technique = "T1068",
|
|
.attack_subtechnique = NULL,
|
|
.in_kev = true,
|
|
.kev_date_added = "2024-08-21",
|
|
},
|
|
{
|
|
.cve = "CVE-2022-0492",
|
|
.cwe = "CWE-287",
|
|
.attack_technique = "T1611",
|
|
.attack_subtechnique = NULL,
|
|
.in_kev = false,
|
|
.kev_date_added = "",
|
|
},
|
|
{
|
|
.cve = "CVE-2022-0847",
|
|
.cwe = "CWE-665",
|
|
.attack_technique = "T1068",
|
|
.attack_subtechnique = NULL,
|
|
.in_kev = true,
|
|
.kev_date_added = "2022-04-25",
|
|
},
|
|
{
|
|
.cve = "CVE-2022-25636",
|
|
.cwe = "CWE-269",
|
|
.attack_technique = "T1068",
|
|
.attack_subtechnique = NULL,
|
|
.in_kev = false,
|
|
.kev_date_added = "",
|
|
},
|
|
{
|
|
.cve = "CVE-2022-2588",
|
|
.cwe = "CWE-416",
|
|
.attack_technique = "T1068",
|
|
.attack_subtechnique = NULL,
|
|
.in_kev = false,
|
|
.kev_date_added = "",
|
|
},
|
|
{
|
|
.cve = "CVE-2023-0179",
|
|
.cwe = "CWE-190",
|
|
.attack_technique = "T1068",
|
|
.attack_subtechnique = NULL,
|
|
.in_kev = false,
|
|
.kev_date_added = "",
|
|
},
|
|
{
|
|
.cve = "CVE-2023-0386",
|
|
.cwe = "CWE-282",
|
|
.attack_technique = "T1068",
|
|
.attack_subtechnique = NULL,
|
|
.in_kev = true,
|
|
.kev_date_added = "2025-06-17",
|
|
},
|
|
{
|
|
.cve = "CVE-2023-0458",
|
|
.cwe = "CWE-476",
|
|
.attack_technique = "T1082",
|
|
.attack_subtechnique = NULL,
|
|
.in_kev = false,
|
|
.kev_date_added = "",
|
|
},
|
|
{
|
|
.cve = "CVE-2023-2008",
|
|
.cwe = "CWE-129",
|
|
.attack_technique = "T1068",
|
|
.attack_subtechnique = NULL,
|
|
.in_kev = false,
|
|
.kev_date_added = "",
|
|
},
|
|
{
|
|
.cve = "CVE-2023-22809",
|
|
.cwe = "CWE-269",
|
|
.attack_technique = "T1068",
|
|
.attack_subtechnique = NULL,
|
|
.in_kev = false,
|
|
.kev_date_added = "",
|
|
},
|
|
{
|
|
.cve = "CVE-2023-32233",
|
|
.cwe = "CWE-416",
|
|
.attack_technique = "T1068",
|
|
.attack_subtechnique = NULL,
|
|
.in_kev = false,
|
|
.kev_date_added = "",
|
|
},
|
|
{
|
|
.cve = "CVE-2023-3269",
|
|
.cwe = "CWE-416",
|
|
.attack_technique = "T1068",
|
|
.attack_subtechnique = NULL,
|
|
.in_kev = false,
|
|
.kev_date_added = "",
|
|
},
|
|
{
|
|
.cve = "CVE-2023-4622",
|
|
.cwe = "CWE-416",
|
|
.attack_technique = "T1068",
|
|
.attack_subtechnique = NULL,
|
|
.in_kev = false,
|
|
.kev_date_added = "",
|
|
},
|
|
{
|
|
.cve = "CVE-2024-1086",
|
|
.cwe = "CWE-416",
|
|
.attack_technique = "T1068",
|
|
.attack_subtechnique = NULL,
|
|
.in_kev = true,
|
|
.kev_date_added = "2024-05-30",
|
|
},
|
|
{
|
|
.cve = "CVE-2026-31635",
|
|
.cwe = "CWE-130",
|
|
.attack_technique = "T1068",
|
|
.attack_subtechnique = NULL,
|
|
.in_kev = false,
|
|
.kev_date_added = "",
|
|
},
|
|
{
|
|
.cve = "CVE-2026-41651",
|
|
.cwe = "CWE-367",
|
|
.attack_technique = "T1068",
|
|
.attack_subtechnique = NULL,
|
|
.in_kev = false,
|
|
.kev_date_added = "",
|
|
},
|
|
{
|
|
.cve = "CVE-2026-46300",
|
|
.cwe = NULL,
|
|
.attack_technique = "T1068",
|
|
.attack_subtechnique = NULL,
|
|
.in_kev = false,
|
|
.kev_date_added = "",
|
|
},
|
|
};
|
|
|
|
const size_t cve_metadata_table_len =
|
|
sizeof(cve_metadata_table) / sizeof(cve_metadata_table[0]);
|
|
|
|
const struct cve_metadata *cve_metadata_lookup(const char *cve)
|
|
{
|
|
if (!cve) return NULL;
|
|
for (size_t i = 0; i < cve_metadata_table_len; i++) {
|
|
if (strcmp(cve_metadata_table[i].cve, cve) == 0)
|
|
return &cve_metadata_table[i];
|
|
}
|
|
return NULL;
|
|
}
|