
Comments (4)

andrewpollock avatar andrewpollock commented on June 18, 2024 1

Perhaps retain the raw CPE information for NVD under database_specific and ensure both NVD and GHSA information are presented for all CVEs?

That would not help in this situation, as the original data source is the GitHub Advisory Database. The NVD was not involved in this record at all.

I have gone ahead and suggested the GitHub Advisory Database record add the missing Java and Python packages so we can close out this issue.

from osv.dev.

andrewpollock avatar andrewpollock commented on June 18, 2024

Hey @prabhu

Thanks for taking a look at our data, I'd love to more broadly explore any gaps you've identified using this CPE to Purl technique you mention.

In the case of this particular CVE, I'm not seeing how there's a discrepancy?

Looking at https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2022-30187, I can see the following CPEs:

        "configurations": [
          {
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:microsoft:azure_storage_blobs:*:*:*:*:*:.net:*:*",
                    "versionEndExcluding": "12.13.0",
                    "matchCriteriaId": "76C885A0-06D7-4573-97BA-FBCA7653F008"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:microsoft:azure_storage_blobs:*:*:*:*:*:python:*:*",
                    "versionEndExcluding": "12.13.0",
                    "matchCriteriaId": "2E1A488F-D561-4005-AFF8-468860F40816"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:microsoft:azure_storage_blobs:*:*:*:*:*:java:*:*",
                    "versionEndExcluding": "12.18.0",
                    "matchCriteriaId": "153D4518-8E6D-48D0-9BC5-EB482EDBF07B"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:microsoft:azure_storage_queue:*:*:*:*:*:python:*:*",
                    "versionEndExcluding": "12.4.0",
                    "matchCriteriaId": "F765F0A9-3756-4C1E-85B0-1438474B4590"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:microsoft:azure_storage_queue:*:*:*:*:*:.net:*:*",
                    "versionEndExcluding": "12.11.0",
                    "matchCriteriaId": "5444CD1F-54C8-4918-8842-5320DE43FDBC"
                  }
                ]
              }
            ]
          }
        ],

which seems to me to correlate with what is currently available for https://api.osv.dev/v1/vulns/GHSA-64x4-9hc6-r2h6:

  "affected": [
    {
      "package": {
        "name": "Azure.Storage.Queues",
        "ecosystem": "NuGet",
        "purl": "pkg:nuget/Azure.Storage.Queues"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "12.11.0"
            }
          ]
        }
      ],
      "versions": [
        "12.0.0",
        "12.1.0",
        "12.1.1",
        "12.10.0",
        "12.2.0",
        "12.3.0",
        "12.3.1",
        "12.3.2",
        "12.4.0",
        "12.4.1",
        "12.4.2",
        "12.5.0",
        "12.6.0",
        "12.6.1",
        "12.6.2",
        "12.7.0",
        "12.8.0",
        "12.9.0"
      ],
      "database_specific": {
        "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-64x4-9hc6-r2h6/GHSA-64x4-9hc6-r2h6.json"
      }
    },
    {
      "package": {
        "name": "Azure.Storage.Blobs",
        "ecosystem": "NuGet",
        "purl": "pkg:nuget/Azure.Storage.Blobs"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "12.13.0"
            }
          ]
        }
      ],
      "versions": [
        "12.0.0",
        "12.1.0",
        "12.10.0",
        "12.11.0",
        "12.12.0",
        "12.2.0",
        "12.3.0",
        "12.4.0",
        "12.4.1",
        "12.4.2",
        "12.4.3",
        "12.4.4",
        "12.5.0",
        "12.5.1",
        "12.6.0",
        "12.7.0",
        "12.8.0",
        "12.8.1",
        "12.8.2",
        "12.8.3",
        "12.8.4",
        "12.9.0",
        "12.9.1"
      ],
      "database_specific": {
        "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-64x4-9hc6-r2h6/GHSA-64x4-9hc6-r2h6.json"
      }
    }
  ],

i.e., I'm seeing:

  • Azure.Storage.Queues
  • Azure.Storage.Blobs

The CVE itself isn't converting to a first class OSV record (it's just an alias of GHSA-64x4-9hc6-r2h6 as you note), because our conversion process hasn't been able to derive a Git repository from the CPEs, and looking at https://github.com/scanoss/purl2cpe/tree/main/data/microsoft, which I've been using as an independent cross-reference, I'm not seeing anything particularly useful there, either.

Could you please elaborate on how the current behaviour is not aligning with what you're expecting?


prabhu avatar prabhu commented on June 18, 2024

Thanks @andrewpollock. I will share the script once it's in good shape. It is currently buggy and unreliable.

Regarding the CPE, you can find java and python under target_sw, which is how the package ecosystem is represented. Depscan, for example, can now report these vulnerabilities for the equivalent maven and pypi packages in addition to nuget as well.

Perhaps retain the raw CPE information for NVD under database_specific and ensure both NVD and GHSA information are presented for all CVEs?

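One way to check the point about target_sw in code, as an added example (not osv.dev's or depscan's own code): parse CPE 2.3 strings, map target_sw to an OSV ecosystem, and report ecosystems that NVD's CPEs imply but the OSV record's affected[] lacks. The target_sw mapping table and the trimmed sample JSON are constructed here from the records quoted above.

```python
import json

# CPE 2.3 target_sw -> OSV ecosystem. Assumed mapping; values come from the CPEs above.
TARGET_SW_TO_ECOSYSTEM = {".net": "NuGet", "python": "PyPI", "java": "Maven"}

def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 named attributes,
    honouring backslash-escaped colons inside an attribute value."""
    parts, cur, i = [], [], 0
    while i < len(cpe):
        if cpe[i] == "\\" and i + 1 < len(cpe):   # escaped char: keep both bytes
            cur.append(cpe[i:i + 2]); i += 2; continue
        if cpe[i] == ":":
            parts.append("".join(cur)); cur = []
        else:
            cur.append(cpe[i])
        i += 1
    parts.append("".join(cur))
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    names = ["part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other"]
    return dict(zip(names, parts[2:]))

def nvd_affected(configurations: list) -> dict:
    """{(product, ecosystem): versionEndExcluding} for each vulnerable cpeMatch
    whose target_sw names a package ecosystem; other target_sw values are skipped."""
    found = {}
    for cfg in configurations:
        for node in cfg["nodes"]:
            for m in node["cpeMatch"]:
                c = parse_cpe23(m["criteria"])
                eco = TARGET_SW_TO_ECOSYSTEM.get(c["target_sw"])
                if m.get("vulnerable") and eco:
                    found[(c["product"], eco)] = m.get("versionEndExcluding")
    return found

def missing_ecosystems(configurations: list, osv_affected: list) -> list:
    """Ecosystems NVD's CPEs imply but the OSV record's affected[] does not cover."""
    have = {a["package"]["ecosystem"] for a in osv_affected}
    return sorted({eco for (_, eco) in nvd_affected(configurations)} - have)

# Constructed sample: trimmed from the NVD and OSV JSON quoted in this thread.
NVD_CONFIGURATIONS = json.loads("""[{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [
 {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_storage_blobs:*:*:*:*:*:.net:*:*", "versionEndExcluding": "12.13.0"},
 {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_storage_blobs:*:*:*:*:*:python:*:*", "versionEndExcluding": "12.13.0"},
 {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_storage_blobs:*:*:*:*:*:java:*:*", "versionEndExcluding": "12.18.0"},
 {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_storage_queue:*:*:*:*:*:python:*:*", "versionEndExcluding": "12.4.0"}]}]}]""")
OSV_AFFECTED = [{"package": {"name": "Azure.Storage.Queues", "ecosystem": "NuGet"}},
                {"package": {"name": "Azure.Storage.Blobs", "ecosystem": "NuGet"}}]

if __name__ == "__main__":
    print(missing_ecosystems(NVD_CONFIGURATIONS, OSV_AFFECTED))  # ['Maven', 'PyPI']
```

Resolving a (product, ecosystem) pair to the actual PyPI or Maven package name still needs a registry lookup; the code above only reports the gap.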

andrewpollock avatar andrewpollock commented on June 18, 2024

Regarding the CPE, you can find java and python under target_sw, which is how the package ecosystem is represented.

Ah, I see. Thanks for highlighting that.

In the case of GHSA-64x4-9hc6-r2h6 specifically, any deficiencies in comprehensiveness need to be taken up with the GitHub Advisory Database, via https://github.com/advisories/GHSA-64x4-9hc6-r2h6/improve

