Fix the display of outdated dependencies #63

Merged
merged 2 commits into from
Aug 26, 2024
Merged
24 changes: 15 additions & 9 deletions agent/osv_output_handler.py
Expand Up @@ -374,19 +374,10 @@ def construct_vuln(
f" has a security issue."
)
title = f"Use of Outdated Vulnerable Component: {vuln.package_name}@{vuln.package_version}"
technical_detail = ""
if path is not None:
technical_detail = f"Dependency `{vuln.package_name}` Found in {path} has a security issue: \n"
technical_detail += f"```\n{vuln.description}\n```"
else:
vuln.cves.sort(reverse=True)
title = f"Use of Outdated Vulnerable Component: {vuln.package_name}@{vuln.package_version}: {', '.join(vuln.cves[:MAX_SHOWN_CVES])}"

technical_detail = ""
if path is not None:
technical_detail = f"Dependency `{vuln.package_name}` Found in {path} has a security issue: \n"
technical_detail += f"{vuln.description}"

if vuln.file_type is not None and vuln.file_name is not None:
description = (
f"Dependency `{vuln.package_name}` with version `{vuln.package_version}`"
Expand All @@ -398,6 +389,21 @@ def construct_vuln(
f"Dependency `{vuln.package_name}` with version `{vuln.package_version}`"
f" has a security issue.\nThe issue is identified by CVEs: `{', '.join(vuln.cves)}`."
)

technical_detail = (
f"#### Dependency `{vuln.package_name}`:\n"
f"- **Version**: `{vuln.package_version}`\n"
)
if path is not None:
technical_detail += f"- **Location**: {path}\n"
osv_description = vuln.description.replace(
"## Recommendation\n\n", "Recommendation: "
)
if len(vuln.cves) == 0:
technical_detail += f"- **Description**:\n```{osv_description}\n```"
else:
technical_detail += f"- **Description**:\n{osv_description}\n"

yield Vulnerability(
entry=kb.Entry(
title=title,
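Review bot: The fenced branch `technical_detail += f"- **Description**:\n```{osv_description}\n```"` puts the first line of the OSV description on the same line as the opening fence, where Markdown treats it as the fence's info string rather than content, so that line is silently dropped when rendered; the line this replaces, `technical_detail += f"```\n{vuln.description}\n```"`, had the newline. Change it to `` technical_detail += f"- **Description**:\n```\n{osv_description}\n```" ``. The OSV descriptions can themselves contain ``` fences (the OSS-Fuzz crash-state reports in the test fixtures do), which closes the outer fence early, so a longer fence such as ```` or four-space indentation is the safer wrapper. In the CVE branch the description is now emitted as raw Markdown with no fencing; it is third-party advisory text, so confirm that whatever renders technical_detail sanitizes links and HTML. construct_vuln begins before this hunk and continues after it.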
20 changes: 12 additions & 8 deletions tests/osv_agent_test.py
Expand Up @@ -335,9 +335,7 @@ def testAgentOSV_whenRiskLowerCase_doesNotCrash(
) in agent_mock[0].data["technical_detail"]

assert (
"""## Recommendation

Update to version 4.17.5 or later.
"""Recommendation: Update to version 4.17.5 or later.
- [CVE-2018-16487](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487) : Versions of `lodash` before 4.17.11 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects."""
Expand Down Expand Up @@ -428,7 +426,7 @@ def testAgentOSV_always_emitVulnWithValidTechnicalDetail(
in agent_mock[0].data["technical_detail"]
)
assert (
"""- GHSA-f698-m2v9-5fh3 : Versions of `opencv`prior to 6.1.0 are vulnerable to Command Injection. The utils/ script find-opencv.js does not validate user input allowing attackers to execute arbitrary commands.\n\n\n## Recommendation\n\nUpgrade to version 6.1.0.\n\n"""
"""- GHSA-f698-m2v9-5fh3 : Versions of `opencv`prior to 6.1.0 are vulnerable to Command Injection. The utils/ script find-opencv.js does not validate user input allowing attackers to execute arbitrary commands.\n\n\nRecommendation: Upgrade to version 6.1.0.\n\n"""
in agent_mock[0].data["technical_detail"]
)
assert (
Expand Down Expand Up @@ -520,9 +518,15 @@ def testAgentOSV_whenPathInMessage_technicalDetailShouldIncludeIt(
)
assert agent_mock[0].data["risk_rating"] == "CRITICAL"
assert agent_mock[0].data["technical_detail"] == (
"""Dependency `opencv` Found in `lib/arm64-v8a/libBlinkID.so` has a security issue:
- GHSA-f698-m2v9-5fh3 : Versions of `opencv`prior to 6.1.0 are vulnerable to Command Injection. The utils/ script find-opencv.js does not validate user input allowing attackers to execute arbitrary commands.\n\n\n## Recommendation\n\nUpgrade to version 6.1.0.\n
- [CVE-2019-10061](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10061) : utils/find-opencv.js in node-opencv (aka OpenCV bindings for Node.js) prior to 6.1.0 is vulnerable to Command Injection. It does not validate user input allowing attackers to execute arbitrary commands.
"""#### Dependency `opencv`:
- **Version**: `3.4.0`
- **Location**: `lib/arm64-v8a/libBlinkID.so`
- **Description**:
- GHSA-f698-m2v9-5fh3 : Versions of `opencv`prior to 6.1.0 are vulnerable to Command Injection. The utils/ script find-opencv.js does not validate user input allowing attackers to execute arbitrary commands.\n

Recommendation: Upgrade to version 6.1.0.

- [CVE-2019-10061](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10061) : utils/find-opencv.js in node-opencv (aka OpenCV bindings for Node.js) prior to 6.1.0 is vulnerable to Command Injection. It does not validate user input allowing attackers to execute arbitrary commands.\n
"""
)

Expand Down Expand Up @@ -561,7 +565,7 @@ def testAgentOSV_whenElfLibraryFingerprintMessage_shouldExcludeNpmEcosystemVulnz
)
assert agent_mock[0].data["risk_rating"] == "POTENTIALLY"
assert agent_mock[0].data["technical_detail"] == (
"""```\n- OSV-2022-394 : OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47190\n\n```\nCrash type: Incorrect-function-pointer-type\nCrash state:\ncv::split\ncv::split\nTestSplitAndMerge\n```\n\n- OSV-2023-444 : OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=59450\n\n```\nCrash type: Heap-buffer-overflow READ 4\nCrash state:\nopj_jp2_apply_pclr\nopj_jp2_decode\ncv::detail::Jpeg2KOpjDecoderBase::readData\n```\n\n\n```"""
"""#### Dependency `opencv`:\n- **Version**: `4.9.0`\n- **Description**:\n```- OSV-2022-394 : OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47190\n\n```\nCrash type: Incorrect-function-pointer-type\nCrash state:\ncv::split\ncv::split\nTestSplitAndMerge\n```\n\n- OSV-2023-444 : OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=59450\n\n```\nCrash type: Heap-buffer-overflow READ 4\nCrash state:\nopj_jp2_apply_pclr\nopj_jp2_decode\ncv::detail::Jpeg2KOpjDecoderBase::readData\n```\n\n\n```"""
)
assert agent_mock[0].data["description"] == (
"""Dependency `opencv` with version `4.9.0` has a security issue."""
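Review bot: The new expected string in testAgentOSV_whenElfLibraryFingerprintMessage_shouldExcludeNpmEcosystemVulnz, `"""#### Dependency `opencv`:\n- **Version**: `4.9.0`\n- **Description**:\n```- OSV-2022-394 ...`, pins a broken fence: the description text follows the opening ``` on the same line, so Markdown reads `- OSV-2022-394 : OSS-Fuzz report: ...` as the fence's info string and drops it from the rendered output. The assertion should expect `\n- **Description**:\n```\n- OSV-2022-394` with the handler fixed to emit the newline. The same fixture shows the description embedding its own ``` blocks (Crash type / Crash state), so this expected output also locks in an outer fence that the inner one closes early; if the handler moves to a four-backtick fence, this assertion and the path test above it are the ones to update. Each test function starts before its hunk.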