XML help please

nicksberger · April 27, 2016, 5:08pm

Does anyone have ideas on best ways to parse specific data from this xml - https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2016.xml.gz
In fixlet debugger how would I pull back the following (obviously there are multiple entries in the xml, i would want a line for each unique one) -

vuln:cve-id
vuln:published-datetime
cvss:score

an example would be …

CVE-2016-0008||2016-01-13T00:59:06.420-05:00||4.3

My initial thought was something like this -

preceding texts of firsts "</vuln:cve-id>" of following texts of firsts "<vuln:cve-id>" of lines of file "nvdcve-2.0-2016.xml" of folder "c:\users\username\downloads"

AlanM · April 27, 2016, 10:39pm

Depending on the OS and the version of your deployment I would think you would want to use the XML inspectors more than a file line inspector

https://developer.bigfix.com/relevance/reference/file.html#xml-document-of-file-xml-dom-document

JasonWalker · April 27, 2016, 11:49pm

There are not a lot of good examples of XML parsing, and both the Inspector List and Inspector Guide are a little light in this area. Here are a couple of queries I was able to put together, see if the help:

q: (node values of attributes "id" of it, node values of child node of selects "vuln:published-datetime" of it, node values of child node of selects "vuln:cvss/cvss:base_metrics/cvss:score" of it )of child nodes whose (node value of attribute "id" of it starts with "CVE") of selects "nvd" of xml document of file "c:\temp\full.xml"
A: CVE-2016-0002, 2016-01-13T00:59:01.433-05:00, 7.6
A: CVE-2016-0003, 2016-01-13T00:59:02.683-05:00, 9.3
A: CVE-2016-0005, 2016-01-13T00:59:03.653-05:00, 4.3
A: CVE-2016-0006, 2016-01-13T00:59:04.590-05:00, 6.9
A: CVE-2016-0007, 2016-01-13T00:59:05.513-05:00, 6.9
A: CVE-2016-0008, 2016-01-13T00:59:06.420-05:00, 4.3

If you want to generate an output file via an Action, you might be able to do something like

appendfile{ concatenation "%0d%0a" of (node value of attribute "id" of it & "%0d%0a" &  node value of child node of select "vuln:published-datetime" of it & "%0d%0a" &  node value of child node of select "vuln:cvss/cvss:base_metrics/cvss:score" of it )of child nodes whose (node value of attribute "id" of it starts with "CVE") of selects "nvd" of xml document of file "c:\temp\full.xml"}

nicksberger · April 28, 2016, 8:37am

Jason thanks for your help, much appreciated.

When I appendfile using the pluralized relevance i’m missing the line/carriage returns (As expected) -

appendfile {concatenation "%0d%0a" of (node values of attributes "id" of it; node values of child nodes of selects "vuln:published-datetime" of it; node values of child nodes of selects "vuln:cvss/cvss:base_metrics/cvss:score" of it )of child nodes whose (node value of attribute "id" of it starts with "CVE") of selects "nvd" of xml document of file "C:\Temp\CVE_Test\nvdcve-2.0-2016.xml"}

move __appendfile "C:\Temp\CVE_Test\nvdcve.txt"

HOWEVER

When adding & “%0d%0a” &, the relevance bombs out with singular expression refers to non existent object.

My requirement is to return a single txt file with multiple lines listing the 3 attributes (either comma or double pipe delimited)

does that make sense ?

JasonWalker · April 28, 2016, 2:07pm

You need one line listing something like
CVE_ID|ReleaseDate|Severity,
or
CVE_ID
ReleaseDate
Severity

The “singular expression refers to non existent object” implies that at least one node in the XML is missing one of these fields. Try this in the debugger - the “|” operator returns an alternate value in case of an error, so you can look for these error messages in the result to see if there’s a bad formatting in the XML (unlikely, I downloaded the same XML from the URL you provided), or whether we are selecting the wrong parent nodes, or something else-

q: (node values of attributes "id" of it | "missing id"; node values of child nodes of selects "vuln:published-datetime" of it | "missing published-datetime"; node values of child nodes of selects "vuln:cvss/cvss:base_metrics/cvss:score" of it  | "missing score") of child nodes whose (node value of attribute "id" of it starts with "CVE") of selects "nvd" of xml document of file "C:\Temp\CVE_Test\nvdcve-2.0-2016.xml"

nicksberger · April 28, 2016, 2:13pm

I need to write the results to file using appendfile, don’t really care what the delimiters are but preferably double pipe if possible.
so…

ID1||Date||Score
ID2||Date||Score
ID3||Date||Score
ID4||Date||Score

the relevance is returning - A singular expression is required

Can you help pls ?

nicksberger · April 29, 2016, 8:50am

RESOLVED all working, thanks for pointing me in the right direction.

 {concatenation "%0d%0a" of (node value of attribute "id" of it | "NULL ID" & "||" & (node value of child node of selects "vuln:published-datetime" of it | "NULL PUBLISHDATE") & "||" & (node value of child node of selects "vuln:cvss/cvss:base_metrics/cvss:score" of it  | "NULL SCORE")) of child nodes whose (node value of attribute "id" of it starts with "CVE") of selects "nvd" of xml document of file "E:\BES Tools\CVE\Automation\nvdcve-2.0-2012.xml"}