Apparent conflict re whether a PURL has a vulnerability #1653

Closed
johnmhoran opened this issue Nov 14, 2024 · 4 comments

@johnmhoran
Member

Here's an example from a vcio_report output -- VCIO says the PURL has no vuln, just fixes one, while this data seems to report one affected_by vuln while at the same time reporting 'is_vulnerable': False:

    }, {
        'input_purl': 'pkg:npm/micromatch@4.0.8',
        'vuln_details': {
            'url': 'http://public.vulnerablecode.io/api/packages/874737',
            'purl': 'pkg:npm/micromatch@4.0.8',
            'type': 'npm',
            'namespace': '',
            'name': 'micromatch',
            'version': '4.0.8',
            'qualifiers': {},
            'subpath': '',
            'is_vulnerable': False,
            'next_non_vulnerable_version': None,
            'latest_non_vulnerable_version': None,
            'affected_by_vulnerabilities': [{
                    'url': 'http://public.vulnerablecode.io/api/vulnerabilities/529754',
                    'vulnerability_id': 'VCID-4yky-bgk9-aaak',
                    'summary': "The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.",
                    'references': [{
@johnmhoran johnmhoran added the bug label Nov 14, 2024
@johnmhoran
Member Author

The above data comes from API V1; just checked V2, which reports:

. . .
        "packages": [
            {
                "purl": "pkg:npm/micromatch@4.0.8",
                "affected_by_vulnerabilities": [],
                "fixing_vulnerabilities": [
                    "VCID-4yky-bgk9-aaak"
                ],
                "next_non_vulnerable_version": null,
                "latest_non_vulnerable_version": null,
                "risk_score": null
            }
        ]

@sschuberth

sschuberth commented Nov 14, 2024

I'm seeing similar inconsistencies for pkg:golang/github.com/quic-go/[email protected]. Some time around Friday last week API v1 stopped reporting affected_by_vulnerabilities for it (they seem to have erroneously shifted to fixing_vulnerabilities).

But API v2 reports vulnerabilities, compare:

https://public.vulnerablecode.io/api/packages?purl=pkg:golang/github.com/quic-go/[email protected]
https://public.vulnerablecode.io/api/v2/packages?purl=pkg:golang/github.com/quic-go/[email protected]
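A consistency check over the two kinds of record quoted in this thread (the v1 record with is_vulnerable False but a non-empty affected_by list, and the v1-versus-v2 comparison sschuberth draws for quic-go), written as an added example for this issue; it is not code from VulnerableCode or ORT. The sample records are constructed from the JSON quoted above, trimmed to the fields the checks use, with the purl string rebuilt from the name and version fields; fetch_json is an optional helper that assumes the two endpoints return JSON and is not called by the checks, so the block runs offline.

```python
"""Consistency checks for VulnerableCode package records (added example).

The checks flag two things seen in this issue:
  1. a single v1 record whose is_vulnerable flag contradicts its
     affected_by_vulnerabilities list (or lists a VCID as both affected
     and fixed), and
  2. a VCID that the v1 and v2 APIs classify differently for the same PURL.
Disagreements are reported for manual review rather than resolved, since
which side is right is exactly what the maintainers had to determine here.
"""
import json
import urllib.request

# Constructed sample: the v1 record quoted in the first comment, trimmed.
V1_SAMPLE = {
    "purl": "pkg:npm/micromatch@4.0.8",
    "is_vulnerable": False,
    "affected_by_vulnerabilities": [
        {
            "vulnerability_id": "VCID-4yky-bgk9-aaak",
            "url": "http://public.vulnerablecode.io/api/vulnerabilities/529754",
        }
    ],
    "fixing_vulnerabilities": [],
}

# Constructed sample: the v2 record quoted in the second comment.
V2_SAMPLE = {
    "purl": "pkg:npm/micromatch@4.0.8",
    "affected_by_vulnerabilities": [],
    "fixing_vulnerabilities": ["VCID-4yky-bgk9-aaak"],
}

# Endpoint templates taken from the links in this thread (assumed to return JSON).
V1_URL = "https://public.vulnerablecode.io/api/packages?purl={purl}"
V2_URL = "https://public.vulnerablecode.io/api/v2/packages?purl={purl}"


def vcids(entries):
    """Normalise a vulnerability list to a set of VCID strings.

    v1 lists dicts carrying a 'vulnerability_id'; v2 lists bare ID strings.
    """
    return {e["vulnerability_id"] if isinstance(e, dict) else e for e in entries}


def check_v1_record(pkg):
    """Return a list of internal inconsistencies found in one v1 record."""
    purl = pkg.get("purl", "<unknown purl>")
    affected = vcids(pkg.get("affected_by_vulnerabilities", []))
    fixing = vcids(pkg.get("fixing_vulnerabilities", []))
    problems = []
    if pkg.get("is_vulnerable") is False and affected:
        problems.append(
            f"{purl}: is_vulnerable is False but affected_by lists {sorted(affected)}"
        )
    if pkg.get("is_vulnerable") is True and not affected:
        problems.append(f"{purl}: is_vulnerable is True but affected_by is empty")
    both = affected & fixing
    if both:
        problems.append(f"{purl}: {sorted(both)} listed as both affected and fixed")
    return problems


def compare_records(v1_pkg, v2_pkg):
    """Return, per list field, the VCIDs that only one API version reports.

    An empty dict means both versions agree on every VCID in both lists.
    """
    diffs = {}
    for field in ("affected_by_vulnerabilities", "fixing_vulnerabilities"):
        a = vcids(v1_pkg.get(field, []))
        b = vcids(v2_pkg.get(field, []))
        if a != b:
            diffs[field] = {"only_v1": sorted(a - b), "only_v2": sorted(b - a)}
    return diffs


def fetch_json(url):
    """Fetch and parse a JSON document (network helper, not used offline)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for line in check_v1_record(V1_SAMPLE):
        print("v1 self-inconsistency:", line)
    print("v1/v2 disagreement:", json.dumps(compare_records(V1_SAMPLE, V2_SAMPLE), indent=2))
```

Running the block on the samples reports one self-inconsistency in the v1 record and shows VCID-4yky-bgk9-aaak moving from affected_by in v1 to fixing in v2, which is the shift both reporters describe. When fetching live data, unpack each API's response envelope before passing a package object to the checks; the v2 envelope is the "packages" list shown above, and the v1 list envelope is not quoted in this thread.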

@TG1999 TG1999 mentioned this issue Nov 15, 2024
@TG1999
Contributor

TG1999 commented Nov 15, 2024

Fixed by #1654

@TG1999 TG1999 closed this as completed Nov 15, 2024
sschuberth added a commit to oss-review-toolkit/ort that referenced this issue Nov 15, 2024
…ix exists"

This reverts commit a00353f as this turned out to be an API bug in
VulnerableCode, not a bug in ORT. See [1] and the fix at [2].

[1]: aboutcode-org/vulnerablecode#1653
[2]: https://github.com/aboutcode-org/vulnerablecode/pull/1654/files#diff-aa1f810efa851d29f01bf17059cfb96c028302d3a8f60d647b9e521ba1872193R326

Signed-off-by: Sebastian Schuberth <[email protected]>