
Regex-like search in MongoDB nested query


I'm currently working on a project where I'm using MongoDB to store my data. The two collections have the following format:

CVE

{
  "Modified" : "2014-09-27T06:55:04.867-04:00",
  "Published" : "2014-09-27T06:55:04.867-04:00",
  "_id" : ObjectId("542923711bb35a10e3053986"),
  "cvss" : "9.3",
  "cwe" : "Unknown",
  "id" : "CVE-2014-3062",
  "last-modified" : "2014-09-29T09:00:35.803-04:00",
  "references" : [
    "http://xforce.iss.net/xforce/xfdb/93540",
    "http://www-01.ibm.com/support/docview.wss?uid=swg21683609"
  ],
  "summary" : "Unspecified vulnerability in IBM Security QRadar SIEM 7.1 MR2 and 7.2 MR2 allows remote attackers to execute arbitrary code via unknown vectors.",
  "vulnerable_configuration" : [ 
    "cpe:/a:ibm:qradar_security_information_and_event_manager:7.1.0",
    "cpe:/a:ibm:qradar_security_information_and_event_manager:7.2.0" 
  ]
}

mgmt_whitelist

{
 "_id" : ObjectId("548855641bb35a2dc5675244"),
 "id" : "cpe:/a:ibm:qradar_security_information_and_event_manager:7.2.0"
}

I'd like to find all the items in CVE with a vulnerable configuration in mgmt_whitelist, which I can easily achieve by using:

db.cves.find(
    {'vulnerable_configuration':
        {'$in': db.mgmt_whitelist.distinct('id')}
    }
).sort({Modified: -1}).limit(10)

However, the whitelist also contains records like

{
  "_id" : ObjectId("54885ff41bb35a2f57a7c567"),
  "id" : "cpe:/a:7-zip:7-zip" 
}

which is a CPE format without version. I would like to be able to do a regex-like search, so that these kinds of whitelisted items are also found in the search.

I tried

db.cves.find(
    {'vulnerable_configuration':
        {'$in':
            {'$regex': db.mgmt_whitelist.distinct('id')}
        }
    }
).sort({Modified: -1}).limit(10)

but that didn't work... What should I do instead?

Thanks in advance,

Pidgey


Solution

  • I found the problem. To add a regex that contains : and /, I needed to use new RegExp(). So in the end, I use something like this:

    db.cves.find(
      {'vulnerable_configuration':
        {'$in': 
          [new RegExp("cpe:/a:gnu:bash"),new RegExp("cpe:/a:adobe:acrobat_reader")]
        }
      }
    ).sort({Modified: -1}).limit(10)
    

    It's a shame I can't do everything in one statement (please correct me if I'm wrong), but I can solve that with my code. Thanks for your advice, BatScream
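The approach in the answer, worked through as an added example (this is not code from the question or the answer): whitelist ids are turned into `RegExp` objects for `$in`, with two points a practitioner would want handled. First, CPE ids contain regex metacharacters (`.` in `7.2.0`), so an unescaped pattern would also match unrelated strings; the example escapes them. Second, an unanchored `cpe:/a:7-zip:7-zip` would match `cpe:/a:7-zip:7-zip_plugin:1.0`, so the pattern is anchored to the start and must be followed by `:` or the end of the value. The `escapeRegex`, `cpeToRegex`, `buildFilter`, `matchesFilter` and `selectWhitelisted` names, and all sample documents except the `CVE-2014-3062` record from the question, are constructed for this example; `matchesFilter` emulates MongoDB's `$in`-with-regex semantics on an array field locally so the behaviour can be checked without a database.

```javascript
// Added example (not code from the original question or answer): build the
// $in list of regexes from whitelist ids with escaping and prefix anchoring,
// and emulate the query locally so the behaviour can be checked without a
// MongoDB instance. Sample documents below are constructed for this example.

// Escape regex metacharacters so a whitelist id such as "...:7.2.0" is
// matched literally ("." would otherwise match any character).
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Anchor the pattern: the id must be the entire value, or a prefix that is
// followed by ":" (the next CPE component, typically the version). This keeps
// "cpe:/a:7-zip:7-zip" from matching "cpe:/a:7-zip:7-zip_plugin:1.0".
function cpeToRegex(id) {
  return new RegExp('^' + escapeRegex(id) + '(?::|$)');
}

// The filter document for db.cves.find(): one RegExp per whitelist id.
function buildFilter(whitelistIds) {
  return { vulnerable_configuration: { $in: whitelistIds.map(cpeToRegex) } };
}

// Local emulation of $in with regexes on an array field: a document matches
// when any array element matches any of the regexes.
function matchesFilter(doc, filter) {
  const regexes = filter.vulnerable_configuration.$in;
  const field = doc.vulnerable_configuration;
  const values = Array.isArray(field) ? field : [field];
  return values.some(v => typeof v === 'string' && regexes.some(r => r.test(v)));
}

// Emulates find(filter).sort({Modified: -1}).limit(limit) and returns CVE ids.
// Assumes Modified strings share one format and UTC offset, so lexicographic
// comparison orders them correctly (true for the documents in the question).
function selectWhitelisted(cves, whitelistIds, limit = 10) {
  const filter = buildFilter(whitelistIds);
  return cves
    .filter(doc => matchesFilter(doc, filter))
    .sort((a, b) => (a.Modified < b.Modified ? 1 : a.Modified > b.Modified ? -1 : 0))
    .slice(0, limit)
    .map(doc => doc.id);
}

// Constructed sample data (ids other than CVE-2014-3062 are placeholders).
const SAMPLE_WHITELIST = [
  'cpe:/a:ibm:qradar_security_information_and_event_manager:7.2.0',
  'cpe:/a:7-zip:7-zip',
];

const SAMPLE_CVES = [
  { id: 'CVE-2014-3062', Modified: '2014-09-27T06:55:04.867-04:00',
    vulnerable_configuration: [
      'cpe:/a:ibm:qradar_security_information_and_event_manager:7.1.0',
      'cpe:/a:ibm:qradar_security_information_and_event_manager:7.2.0'] },
  { id: 'CVE-EXAMPLE-A', Modified: '2014-12-01T10:00:00.000-04:00',
    vulnerable_configuration: ['cpe:/a:7-zip:7-zip:9.20'] },        // versioned: prefix match
  { id: 'CVE-EXAMPLE-B', Modified: '2014-11-01T10:00:00.000-04:00',
    vulnerable_configuration: ['cpe:/a:7-zip:7-zip_plugin:1.0'] },  // must not match
  { id: 'CVE-EXAMPLE-C', Modified: '2014-10-01T10:00:00.000-04:00',
    vulnerable_configuration: ['cpe:/a:ibm:qradar_security_information_and_event_manager:7x2x0'] }, // matches only if "." is left unescaped
];

// In the mongo shell the same filter can be built in one statement, since
// distinct() returns a JavaScript array:
//   db.cves.find(buildFilter(db.mgmt_whitelist.distinct('id'))).sort({Modified: -1}).limit(10)
console.log(selectWhitelisted(SAMPLE_CVES, SAMPLE_WHITELIST));
// → [ 'CVE-EXAMPLE-A', 'CVE-2014-3062' ]
```

Because `db.mgmt_whitelist.distinct('id')` returns a plain JavaScript array in the mongo shell, `buildFilter` can be applied to it inline, which gives the single-statement form the answer was looking for while keeping the whitelist strings from being interpreted as regex syntax.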