add gitlab CVE-2024-5655 (#140)

* add gitlab CVE-2024-5655 Signed-off-by: becojo <[email protected]> * fix rego, inventory test --------- Signed-off-by: becojo <[email protected]> Co-authored-by: Becojo <[email protected]>
boostsecurityio · Jul 1, 2024 · e9d983d · e9d983d
1 parent c992e86
commit e9d983d
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 25 deletions.
diff --git a/opa/rego/external/build_platform.rego b/opa/rego/external/build_platform.rego
@@ -1,20 +1,40 @@
 package external.build_platform
 
 advisories = {
-	"gitlab": {"CVE-2024-2651": {
-		"osv_id": "CVE-2024-2651",
-		"published": "2024-05-14T00:00:00Z",
-		"aliases": [],
-		"summary": "It was possible for an attacker to cause a denial of service using maliciously crafted markdown content.",
-		"severity": [{
-			"type": "CVSS_V3",
-			"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
-		}],
-		"cwe_ids": ["CWE-400"],
-		"vulnerable_versions": [],
-		"vulnerable_version_ranges": [">=0,<16.9.7"],
-		"vulnerable_commit_shas": [],
-	}},
+	"gitlab": {
+		"CVE-2024-5655": {
+			"osv_id": "CVE-2024-5655",
+			"published": "2024-06-26T00:00:00Z",
+			"aliases": [],
+			"summary": "It was possible for an attacker to trigger a pipeline as another user under certain circumstances.",
+			"severity": [{
+				"type": "CVSS_V3",
+				"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
+			}],
+			"cwe_ids": ["CWE-284"],
+			"vulnerable_versions": [],
+			"vulnerable_version_ranges": [
+				">=15.8.0,<16.11.5",
+				">=17.0.0,<17.0.3",
+				">=17.1.0,<17.1.1",
+			],
+			"vulnerable_commit_shas": [],
+		},
+		"CVE-2024-2651": {
+			"osv_id": "CVE-2024-2651",
+			"published": "2024-05-14T00:00:00Z",
+			"aliases": [],
+			"summary": "It was possible for an attacker to cause a denial of service using maliciously crafted markdown content.",
+			"severity": [{
+				"type": "CVSS_V3",
+				"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
+			}],
+			"cwe_ids": ["CWE-400"],
+			"vulnerable_versions": [],
+			"vulnerable_version_ranges": [">=0,<16.9.7"],
+			"vulnerable_commit_shas": [],
+		},
+	},
 	"github": {"CVE-2024-4985": {
 		"osv_id": "CVE-2024-4985",
 		"published": "2024-05-20T00:00:00Z",

diff --git a/opa/rego/rules/known_vulnerability_in_build_platform.rego b/opa/rego/rules/known_vulnerability_in_build_platform.rego
@@ -15,18 +15,11 @@ import rego.v1
 
 rule := poutine.rule(rego.metadata.chain())
 
-provider_advisory(provider, provider_version) = advisory if {
-	version := provider_version
-	advisory := advisories[provider][osv_id]
-
-	regex.match("^[0-9]+(\\.[0-9]+)*?$", version)
-
-	semver.constraint_check(advisory.vulnerable_version_ranges[_], version)
-}
-
 results contains poutine.finding(rule, input.provider, {
 	"osv_id": advisory.osv_id,
 	"details": sprintf("Provider: %s", [input.provider]),
 }) if {
-	advisory := provider_advisory(input.provider, input.version)
-}
+	advisory := advisories[input.provider][osv_id]
+	regex.match("^[0-9]+(\\.[0-9]+)*?$", input.version)
+	semver.constraint_check(advisory.vulnerable_version_ranges[_], input.version)
+}
diff --git a/scanner/inventory_test.go b/scanner/inventory_test.go
@@ -253,6 +253,14 @@ func TestFindings(t *testing.T) {
 				Details: "Provider: gitlab",
 			},
 		},
+		{
+			RuleId: "known_vulnerability_in_build_platform",
+			Purl:   "gitlab",
+			Meta: opa.FindingMeta{
+				OsvId:   "CVE-2024-5655",
+				Details: "Provider: gitlab",
+			},
+		},
 		{
 			RuleId: "injection",
 			Purl:   purl,