From 6a37cefcb1357f0e68333baddf41a3027bb613cd Mon Sep 17 00:00:00 2001
From: becojo <172889+becojo@users.noreply.github.com>
Date: Thu, 27 Jun 2024 15:34:09 -0400
Subject: [PATCH 1/2] add gitlab CVE-2024-5655

Signed-off-by: becojo <172889+becojo@users.noreply.github.com>
---
 opa/rego/external/build_platform.rego | 48 +++++++++++++++++++--------
 1 file changed, 34 insertions(+), 14 deletions(-)

diff --git a/opa/rego/external/build_platform.rego b/opa/rego/external/build_platform.rego
index f8b839b..cc660a9 100644
--- a/opa/rego/external/build_platform.rego
+++ b/opa/rego/external/build_platform.rego
@@ -1,20 +1,40 @@
 package external.build_platform
 advisories = {
- "gitlab": {"CVE-2024-2651": {
- "osv_id": "CVE-2024-2651",
- "published": "2024-05-14T00:00:00Z",
- "aliases": [],
- "summary": "It was possible for an attacker to cause a denial of service using maliciously crafted markdown content.",
- "severity": [{
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
- }],
- "cwe_ids": ["CWE-400"],
- "vulnerable_versions": [],
- "vulnerable_version_ranges": [">=0,<16.9.7"],
- "vulnerable_commit_shas": [],
- }},
+ "gitlab": {
+ "CVE-2024-5655": {
+ "osv_id": "CVE-2024-5655",
+ "published": "2024-06-26T00:00:00Z",
+ "aliases": [],
+ "summary": "It was possible for an attacker to trigger a pipeline as another user under certain circumstances.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
+ }],
+ "cwe_ids": ["CWE-284"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [
+ ">=15.8.0,<16.11.5",
+ ">=17.0.0,<17.0.3",
+ ">=17.1.0,<17.1.1",
+ ],
+ "vulnerable_commit_shas": [],
+ },
+ "CVE-2024-2651": {
+ "osv_id": "CVE-2024-2651",
+ "published": "2024-05-14T00:00:00Z",
+ "aliases": [],
+ "summary": "It was possible for an attacker to cause a denial of service using maliciously crafted markdown content.",
+ "severity": [{
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
+ }],
+ "cwe_ids": ["CWE-400"],
+ "vulnerable_versions": [],
+ "vulnerable_version_ranges": [">=0,<16.9.7"],
+ "vulnerable_commit_shas": [],
+ },
+ },
 "github": {"CVE-2024-4985": {
 "osv_id": "CVE-2024-4985",
 "published": "2024-05-20T00:00:00Z",

From 10e71fc4a52ae55f28261858f970ebfbc659a756 Mon Sep 17 00:00:00 2001
From: Becojo
Date: Thu, 27 Jun 2024 15:42:29 -0400
Subject: [PATCH 2/2] fix rego, inventory test

---
 .../known_vulnerability_in_build_platform.rego | 15 ++++-----------
 scanner/inventory_test.go | 8 ++++++++
 2 files changed, 12 insertions(+), 11 deletions(-)
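Review bot: The new CVE-2024-5655 entry repeats the identifier twice, as the map key and as the `osv_id` field, and nothing ties the two together; the rule that consumes this table reports `advisory.osv_id` while it iterates over the key, so a copy-paste mismatch between them would surface the wrong identifier in findings without any failure. A short comment above the advisories map, e.g. `# each key must equal its entry's osv_id: the rule iterates keys but reports the field`, would make that invariant visible, and a check in the inventory test that the two agree for every provider would enforce it. The same applies to the CVE-2024-2651 entry the hunk re-nests and to the github entry that follows.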
diff --git a/opa/rego/rules/known_vulnerability_in_build_platform.rego b/opa/rego/rules/known_vulnerability_in_build_platform.rego
index 9a732e6..5edbe33 100644
--- a/opa/rego/rules/known_vulnerability_in_build_platform.rego
+++ b/opa/rego/rules/known_vulnerability_in_build_platform.rego
@@ -15,18 +15,11 @@ import rego.v1
 rule := poutine.rule(rego.metadata.chain())
-provider_advisory(provider, provider_version) = advisory if {
- version := provider_version
- advisory := advisories[provider][osv_id]
-
- regex.match("^[0-9]+(\\.[0-9]+)*?$", version)
-
- semver.constraint_check(advisory.vulnerable_version_ranges[_], version)
-}
-
 results contains poutine.finding(rule, input.provider, {
 "osv_id": advisory.osv_id,
 "details": sprintf("Provider: %s", [input.provider]),
 }) if {
- advisory := provider_advisory(input.provider, input.version)
-}
\ No newline at end of file
+ advisory := advisories[input.provider][osv_id]
+ regex.match("^[0-9]+(\\.[0-9]+)*?$", input.version)
+ semver.constraint_check(advisory.vulnerable_version_ranges[_], input.version)
+}
diff --git a/scanner/inventory_test.go b/scanner/inventory_test.go
index bb7d8f6..5d5da9f 100644
--- a/scanner/inventory_test.go
+++ b/scanner/inventory_test.go
@@ -253,6 +253,14 @@ func TestFindings(t *testing.T) {
 Details: "Provider: gitlab",
 },
 },
+ {
+ RuleId: "known_vulnerability_in_build_platform",
+ Purl: "gitlab",
+ Meta: opa.FindingMeta{
+ OsvId: "CVE-2024-5655",
+ Details: "Provider: gitlab",
+ },
+ },
 {
 RuleId: "injection",
 Purl: purl,
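Review bot: The inlined body keeps the guard `regex.match("^[0-9]+(\\.[0-9]+)*?$", input.version)`, so any version string with a leading `v`, a pre-release or a build suffix fails the match and the rule simply yields nothing: a vulnerable instance reporting such a version produces no finding and no error, which is a silent false negative for exactly the CVE this series adds. If provider versions can carry such decorations (not visible from here), normalise them before the match or at least state the contract above the rule, e.g. `# input.version must be a bare dotted numeric string; anything else is skipped without a finding`. Inside an anchored pattern the lazy `*?` behaves like `*`, so `^[0-9]+(\\.[0-9]+)*$` reads more clearly; whether `semver.constraint_check` accepts a two-component string such as `16.11` is also not established by this hunk and deserves a test case. The `results` rule is contained entirely in the hunk.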
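Review bot: The new expected finding is placed directly after the existing CVE-2024-2651 entry for the same purl, and nothing in the hunk shows how the expected slice is compared, so if that comparison is order-sensitive the entry's position is an undocumented dependency on the order in which the scanner emits findings. Either compare order-insensitively or add a comment on the literal, e.g. `// two gitlab advisories match the fixture version; keep them in the order the scanner emits them`, so the next advisory added here does not break the test for a non-obvious reason. TestFindings starts before the hunk and continues after it.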