From 0aa53b4dffbc288d525e3042af42ee6e07167a1c Mon Sep 17 00:00:00 2001
From: Thomas Hungenberg
Date: Mon, 5 Feb 2024 09:48:21 +0100
Subject: [PATCH 1/3] Add extract_cve_from_tag to Shadowserver parser _config.py
---
 intelmq/bots/parsers/shadowserver/_config.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/intelmq/bots/parsers/shadowserver/_config.py b/intelmq/bots/parsers/shadowserver/_config.py
index 6931e5410..f0ae52f37 100644
--- a/intelmq/bots/parsers/shadowserver/_config.py
+++ b/intelmq/bots/parsers/shadowserver/_config.py
@@ -290,6 +290,20 @@ def category_or_detail(value: str, row: Dict[str, str]) -> str:
 return row.get('detail', '')
 
 
+def extract_cve_from_tag(tag: str) -> Optional[str]:
+ """ Returns a string with a sorted comma-separated list of CVEs or None if no CVE found in tag. """
+ cveset = set()
+ tags = tag.split(";")
+
+ for t in tags:
+ if re.match('^cve-[0-9]+-[0-9]+$', t):
+ cveset.add(t)
+
+ if not (len(cveset)):
+ return None;
+ return (','.join(str(c) for c in sorted(cveset)))
+
+
 functions = {
 'add_UTC_to_timestamp': add_UTC_to_timestamp,
 'convert_bool': convert_bool,
From 64a3702f2f964b32c9ae5a54c4b0d546112fca0c Mon Sep 17 00:00:00 2001
From: Thomas Hungenberg
Date: Mon, 5 Feb 2024 17:27:31 +0100
Subject: [PATCH 2/3] Update functions map in Shadowserver parser _config.py
---
 intelmq/bots/parsers/shadowserver/_config.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/intelmq/bots/parsers/shadowserver/_config.py b/intelmq/bots/parsers/shadowserver/_config.py
index f0ae52f37..00122ea26 100644
--- a/intelmq/bots/parsers/shadowserver/_config.py
+++ b/intelmq/bots/parsers/shadowserver/_config.py
@@ -322,6 +322,7 @@ def extract_cve_from_tag(tag: str) -> Optional[str]:
 'scan_exchange_type': scan_exchange_type,
 'scan_exchange_identifier': scan_exchange_identifier,
 'category_or_detail': category_or_detail,
+ 'extract_cve_from_tag': extract_cve_from_tag,
 }
 
 
From 3c32675831ecacf3a350466dc6eed79779a6f2a8 Mon Sep 17 00:00:00 2001
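Review bot: In `extract_cve_from_tag` ([PATCH 1/3]) the check `re.match('^cve-[0-9]+-[0-9]+$', t)` relies on `$`, which in Python also matches just before a trailing newline, so a tag element consisting of a CVE id followed by `\n` passes and is copied into the returned string with the newline attached. Because the tag value originates from the feed's CSV data, I would validate with `re.fullmatch(r'cve-[0-9]+-[0-9]+', t)` so that only exact ids reach the event. The pattern is also case-sensitive and the elements are not stripped, so an upper-case or space-padded id is silently dropped; if that is intended, a comment such as `# only lowercase, unpadded ids are accepted; everything else is ignored` would make it explicit. The same line appears as unchanged context in [PATCH 3/3], so the point applies to the final state of the function as well.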
From: Thomas Hungenberg
Date: Tue, 6 Feb 2024 10:49:00 +0100
Subject: [PATCH 3/3] Change separator from comma to semicolon to prevent problems with parsing csv data
---
 intelmq/bots/parsers/shadowserver/_config.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/intelmq/bots/parsers/shadowserver/_config.py b/intelmq/bots/parsers/shadowserver/_config.py
index 00122ea26..f52d01c42 100644
--- a/intelmq/bots/parsers/shadowserver/_config.py
+++ b/intelmq/bots/parsers/shadowserver/_config.py
@@ -291,7 +291,7 @@ def category_or_detail(value: str, row: Dict[str, str]) -> str:
 
 
 def extract_cve_from_tag(tag: str) -> Optional[str]:
- """ Returns a string with a sorted comma-separated list of CVEs or None if no CVE found in tag. """
+ """ Returns a string with a sorted semicolon-separated list of CVEs or None if no CVE found in tag. """
 cveset = set()
 tags = tag.split(";")
 
@@ -300,8 +300,8 @@ def extract_cve_from_tag(tag: str) -> Optional[str]:
 cveset.add(t)
 
 if not (len(cveset)):
- return None;
- return (','.join(str(c) for c in sorted(cveset)))
+ return None
+ return (';'.join(str(c) for c in sorted(cveset)))
 
 
 functions = {
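Review bot: The rewritten return lines in the second hunk of [PATCH 3/3] still carry redundant wrapping: `cveset` only ever holds `str` elements, so the generator with `str(c)` and the outer parentheses add nothing, and `if not (len(cveset)):` can test the set directly. I would write `if not cveset:` followed by `return ';'.join(sorted(cveset))`. Separately, `sorted` compares the ids as strings, so an id with a five-digit sequence number (constructed example: `cve-YYYY-10000`) sorts before `cve-YYYY-9999`; if consumers expect numeric order a key function is needed, otherwise the docstring could say "lexicographically sorted". The function's `def` line and the matching loop lie outside this hunk.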