-
Notifications
You must be signed in to change notification settings - Fork 15
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Previously, if the platform CPE was more complicated than a single "running on/with" entry, grype-db would leave it blank. Now, when several "running on/with" entries are present, emit a row for each of them, in order to reduce false positives caused by more permissive platform constraint. Note that "running on/with" could be an application or platform CPE. For example, Redis or OpenShift might be coded as a type "a" CPE (for "application"), but might be a platform (displayed in the "running on or with" section of the NVD UI). For these, consider them platforms and emit a platform CPE. Signed-off-by: Will Murphy <[email protected]>
- Loading branch information
1 parent
9e71b2f
commit af631d9
Showing
7 changed files
with
1,140 additions
and
13 deletions.
There are no files selected for viewing
166 changes: 166 additions & 0 deletions
166
pkg/process/v5/transformers/nvd/test-fixtures/cve-2020-10729.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,166 @@ | ||
| { | ||
| "cve": { | ||
| "id": "CVE-2020-10729", | ||
| "sourceIdentifier": "[email protected]", | ||
| "published": "2021-05-27T19:15:07.880", | ||
| "lastModified": "2021-12-10T19:57:06.357", | ||
| "vulnStatus": "Analyzed", | ||
| "descriptions": [ | ||
| { | ||
| "lang": "en", | ||
| "value": "A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file. This flaw affects Ansible Engine versions before 2.9.6." | ||
| }, | ||
| { | ||
| "lang": "es", | ||
| "value": "Se encontró un fallo en el uso de valores insuficientemente aleatorios en Ansible. Dos búsquedas de contraseñas aleatorias de la misma longitud generan el mismo valor que la acción de almacenamiento en caché de la plantilla para el mismo archivo, ya que no se realiza una reevaluación. La mayor amenaza de esta vulnerabilidad sería que todas las contraseñas estén expuestas a la vez para el archivo. Este fallo afecta a Ansible Engine versiones anteriores a 2.9.6" | ||
| } | ||
| ], | ||
| "metrics": { | ||
| "cvssMetricV31": [ | ||
| { | ||
| "source": "[email protected]", | ||
| "type": "Primary", | ||
| "cvssData": { | ||
| "version": "3.1", | ||
| "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", | ||
| "attackVector": "LOCAL", | ||
| "attackComplexity": "LOW", | ||
| "privilegesRequired": "LOW", | ||
| "userInteraction": "NONE", | ||
| "scope": "UNCHANGED", | ||
| "confidentialityImpact": "HIGH", | ||
| "integrityImpact": "NONE", | ||
| "availabilityImpact": "NONE", | ||
| "baseScore": 5.5, | ||
| "baseSeverity": "MEDIUM" | ||
| }, | ||
| "exploitabilityScore": 1.8, | ||
| "impactScore": 3.6 | ||
| } | ||
| ], | ||
| "cvssMetricV2": [ | ||
| { | ||
| "source": "[email protected]", | ||
| "type": "Primary", | ||
| "cvssData": { | ||
| "version": "2.0", | ||
| "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", | ||
| "accessVector": "LOCAL", | ||
| "accessComplexity": "LOW", | ||
| "authentication": "NONE", | ||
| "confidentialityImpact": "PARTIAL", | ||
| "integrityImpact": "NONE", | ||
| "availabilityImpact": "NONE", | ||
| "baseScore": 2.1 | ||
| }, | ||
| "baseSeverity": "LOW", | ||
| "exploitabilityScore": 3.9, | ||
| "impactScore": 2.9, | ||
| "acInsufInfo": false, | ||
| "obtainAllPrivilege": false, | ||
| "obtainUserPrivilege": false, | ||
| "obtainOtherPrivilege": false, | ||
| "userInteractionRequired": false | ||
| } | ||
| ] | ||
| }, | ||
| "weaknesses": [ | ||
| { | ||
| "source": "[email protected]", | ||
| "type": "Primary", | ||
| "description": [ | ||
| { | ||
| "lang": "en", | ||
| "value": "CWE-330" | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "source": "[email protected]", | ||
| "type": "Secondary", | ||
| "description": [ | ||
| { | ||
| "lang": "en", | ||
| "value": "CWE-330" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "configurations": [ | ||
| { | ||
| "operator": "AND", | ||
| "nodes": [ | ||
| { | ||
| "operator": "OR", | ||
| "negate": false, | ||
| "cpeMatch": [ | ||
| { | ||
| "vulnerable": true, | ||
| "criteria": "cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*", | ||
| "versionEndExcluding": "2.9.6", | ||
| "matchCriteriaId": "EDFA8005-6FBE-4032-A499-608B7FA34F56" | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "operator": "OR", | ||
| "negate": false, | ||
| "cpeMatch": [ | ||
| { | ||
| "vulnerable": false, | ||
| "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", | ||
| "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A" | ||
| }, | ||
| { | ||
| "vulnerable": false, | ||
| "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", | ||
| "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "nodes": [ | ||
| { | ||
| "operator": "OR", | ||
| "negate": false, | ||
| "cpeMatch": [ | ||
| { | ||
| "vulnerable": true, | ||
| "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", | ||
| "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831089", | ||
| "source": "[email protected]", | ||
| "tags": [ | ||
| "Issue Tracking", | ||
| "Vendor Advisory" | ||
| ] | ||
| }, | ||
| { | ||
| "url": "https://github.com/ansible/ansible/issues/34144", | ||
| "source": "[email protected]", | ||
| "tags": [ | ||
| "Exploit", | ||
| "Issue Tracking", | ||
| "Third Party Advisory" | ||
| ] | ||
| }, | ||
| { | ||
| "url": "https://www.debian.org/security/2021/dsa-4950", | ||
| "source": "[email protected]", | ||
| "tags": [ | ||
| "Third Party Advisory" | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| } |
183 changes: 183 additions & 0 deletions
183
pkg/process/v5/transformers/nvd/test-fixtures/cve-2022-0543.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,183 @@ | ||
| { | ||
| "cve": { | ||
| "id": "CVE-2022-0543", | ||
| "sourceIdentifier": "[email protected]", | ||
| "published": "2022-02-18T20:15:17.583", | ||
| "lastModified": "2023-09-29T15:55:24.533", | ||
| "vulnStatus": "Analyzed", | ||
| "cisaExploitAdd": "2022-03-28", | ||
| "cisaActionDue": "2022-04-18", | ||
| "cisaRequiredAction": "Apply updates per vendor instructions.", | ||
| "cisaVulnerabilityName": "Debian-specific Redis Server Lua Sandbox Escape Vulnerability", | ||
| "descriptions": [ | ||
| { | ||
| "lang": "en", | ||
| "value": "It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution." | ||
| }, | ||
| { | ||
| "lang": "es", | ||
| "value": "Se ha detectado que redis, una base de datos persistente de valores clave, debido a un problema de empaquetado, es propenso a un escape del sandbox de Lua (específico de Debian), que podría resultar en una ejecución de código remota" | ||
| } | ||
| ], | ||
| "metrics": { | ||
| "cvssMetricV31": [ | ||
| { | ||
| "source": "[email protected]", | ||
| "type": "Primary", | ||
| "cvssData": { | ||
| "version": "3.1", | ||
| "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", | ||
| "attackVector": "NETWORK", | ||
| "attackComplexity": "LOW", | ||
| "privilegesRequired": "NONE", | ||
| "userInteraction": "NONE", | ||
| "scope": "CHANGED", | ||
| "confidentialityImpact": "HIGH", | ||
| "integrityImpact": "HIGH", | ||
| "availabilityImpact": "HIGH", | ||
| "baseScore": 10, | ||
| "baseSeverity": "CRITICAL" | ||
| }, | ||
| "exploitabilityScore": 3.9, | ||
| "impactScore": 6 | ||
| } | ||
| ], | ||
| "cvssMetricV2": [ | ||
| { | ||
| "source": "[email protected]", | ||
| "type": "Primary", | ||
| "cvssData": { | ||
| "version": "2.0", | ||
| "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", | ||
| "accessVector": "NETWORK", | ||
| "accessComplexity": "LOW", | ||
| "authentication": "NONE", | ||
| "confidentialityImpact": "COMPLETE", | ||
| "integrityImpact": "COMPLETE", | ||
| "availabilityImpact": "COMPLETE", | ||
| "baseScore": 10 | ||
| }, | ||
| "baseSeverity": "HIGH", | ||
| "exploitabilityScore": 10, | ||
| "impactScore": 10, | ||
| "acInsufInfo": false, | ||
| "obtainAllPrivilege": false, | ||
| "obtainUserPrivilege": false, | ||
| "obtainOtherPrivilege": false, | ||
| "userInteractionRequired": false | ||
| } | ||
| ] | ||
| }, | ||
| "weaknesses": [ | ||
| { | ||
| "source": "[email protected]", | ||
| "type": "Primary", | ||
| "description": [ | ||
| { | ||
| "lang": "en", | ||
| "value": "CWE-862" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "configurations": [ | ||
| { | ||
| "operator": "AND", | ||
| "nodes": [ | ||
| { | ||
| "operator": "OR", | ||
| "negate": false, | ||
| "cpeMatch": [ | ||
| { | ||
| "vulnerable": true, | ||
| "criteria": "cpe:2.3:a:redis:redis:-:*:*:*:*:*:*:*", | ||
| "matchCriteriaId": "5EBE5E1C-C881-4A76-9E36-4FB7C48427E6" | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "operator": "OR", | ||
| "negate": false, | ||
| "cpeMatch": [ | ||
| { | ||
| "vulnerable": false, | ||
| "criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", | ||
| "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB" | ||
| }, | ||
| { | ||
| "vulnerable": false, | ||
| "criteria": "cpe:2.3:o:canonical:ubuntu_linux:21.10:*:*:*:-:*:*:*", | ||
| "matchCriteriaId": "3D94DA3B-FA74-4526-A0A0-A872684598C6" | ||
| }, | ||
| { | ||
| "vulnerable": false, | ||
| "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", | ||
| "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252" | ||
| }, | ||
| { | ||
| "vulnerable": false, | ||
| "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", | ||
| "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73" | ||
| }, | ||
| { | ||
| "vulnerable": false, | ||
| "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", | ||
| "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "url": "http://packetstormsecurity.com/files/166885/Redis-Lua-Sandbox-Escape.html", | ||
| "source": "[email protected]", | ||
| "tags": [ | ||
| "Exploit", | ||
| "Third Party Advisory", | ||
| "VDB Entry" | ||
| ] | ||
| }, | ||
| { | ||
| "url": "https://bugs.debian.org/1005787", | ||
| "source": "[email protected]", | ||
| "tags": [ | ||
| "Issue Tracking", | ||
| "Patch", | ||
| "Third Party Advisory" | ||
| ] | ||
| }, | ||
| { | ||
| "url": "https://lists.debian.org/debian-security-announce/2022/msg00048.html", | ||
| "source": "[email protected]", | ||
| "tags": [ | ||
| "Mailing List", | ||
| "Third Party Advisory" | ||
| ] | ||
| }, | ||
| { | ||
| "url": "https://security.netapp.com/advisory/ntap-20220331-0004/", | ||
| "source": "[email protected]", | ||
| "tags": [ | ||
| "Third Party Advisory" | ||
| ] | ||
| }, | ||
| { | ||
| "url": "https://www.debian.org/security/2022/dsa-5081", | ||
| "source": "[email protected]", | ||
| "tags": [ | ||
| "Mailing List", | ||
| "Third Party Advisory" | ||
| ] | ||
| }, | ||
| { | ||
| "url": "https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce", | ||
| "source": "[email protected]", | ||
| "tags": [ | ||
| "Third Party Advisory" | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| } |
Oops, something went wrong.