New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE-2022-30187 is not reported for java and Python SDKs #2024
Comments
Hey @prabhu Thanks for taking a look at our data, I'd love to more broadly explore any gaps you've identified using this CPE to Purl technique you mention. In the case of this particular CVE, I'm not seeing how there's a discrepancy? Looking at https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2022-30187, I can see the following CPEs: "configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:microsoft:azure_storage_blobs:*:*:*:*:*:.net:*:*",
"versionEndExcluding": "12.13.0",
"matchCriteriaId": "76C885A0-06D7-4573-97BA-FBCA7653F008"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:microsoft:azure_storage_blobs:*:*:*:*:*:python:*:*",
"versionEndExcluding": "12.13.0",
"matchCriteriaId": "2E1A488F-D561-4005-AFF8-468860F40816"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:microsoft:azure_storage_blobs:*:*:*:*:*:java:*:*",
"versionEndExcluding": "12.18.0",
"matchCriteriaId": "153D4518-8E6D-48D0-9BC5-EB482EDBF07B"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:microsoft:azure_storage_queue:*:*:*:*:*:python:*:*",
"versionEndExcluding": "12.4.0",
"matchCriteriaId": "F765F0A9-3756-4C1E-85B0-1438474B4590"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:microsoft:azure_storage_queue:*:*:*:*:*:.net:*:*",
"versionEndExcluding": "12.11.0",
"matchCriteriaId": "5444CD1F-54C8-4918-8842-5320DE43FDBC"
}
]
}
]
}
], which seems to me to correlate with what is currently available for https://api.osv.dev/v1/vulns/GHSA-64x4-9hc6-r2h6: "affected": [
{
"package": {
"name": "Azure.Storage.Queues",
"ecosystem": "NuGet",
"purl": "pkg:nuget/Azure.Storage.Queues"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "12.11.0"
}
]
}
],
"versions": [
"12.0.0",
"12.1.0",
"12.1.1",
"12.10.0",
"12.2.0",
"12.3.0",
"12.3.1",
"12.3.2",
"12.4.0",
"12.4.1",
"12.4.2",
"12.5.0",
"12.6.0",
"12.6.1",
"12.6.2",
"12.7.0",
"12.8.0",
"12.9.0"
],
"database_specific": {
"source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-64x4-9hc6-r2h6/GHSA-64x4-9hc6-r2h6.json"
}
},
{
"package": {
"name": "Azure.Storage.Blobs",
"ecosystem": "NuGet",
"purl": "pkg:nuget/Azure.Storage.Blobs"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "12.13.0"
}
]
}
],
"versions": [
"12.0.0",
"12.1.0",
"12.10.0",
"12.11.0",
"12.12.0",
"12.2.0",
"12.3.0",
"12.4.0",
"12.4.1",
"12.4.2",
"12.4.3",
"12.4.4",
"12.5.0",
"12.5.1",
"12.6.0",
"12.7.0",
"12.8.0",
"12.8.1",
"12.8.2",
"12.8.3",
"12.8.4",
"12.9.0",
"12.9.1"
],
"database_specific": {
"source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-64x4-9hc6-r2h6/GHSA-64x4-9hc6-r2h6.json"
}
}
], i.e., I'm seeing:
The CVE itself isn't converting to a first class OSV record (it's just an alias of GHSA-64x4-9hc6-r2h6 as you note), because our conversion process hasn't been able to derive a Git repository CPEs, and looking at https://github.com/scanoss/purl2cpe/tree/main/data/microsoft, which I've been using as an independent cross-reference, I'm not seeing anything particularly useful there, either. Could you please elaborate on how the current behaviour is not aligning with what you're expecting? |
Thanks @andrewpollock. I will share the script once it's in good shape. It is currently buggy and unreliable. Regarding the CPE, you can find Perhaps retain the raw CPE information for NVD under |
Ah, I see. Thanks for highlighting that. In the case of GHSA-64x4-9hc6-r2h6 specifically, any deficiencies in comprehensiveness need to be taken up with the GitHub Advisory Database, via https://github.com/advisories/GHSA-64x4-9hc6-r2h6/improve |
Describe the bug
When searching for CVE-2022-30187, there is only a single result belonging to GHSA being presented.
https://osv.dev/vulnerability/GHSA-64x4-9hc6-r2h6
The GHSA entry doesn't include Java and Python SDKs. NVD (!) and MSRC feeds are correct here.
https://nvd.nist.gov/vuln/detail/CVE-2022-30187
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-30187
NOTE: While this is a single example, a quick and dirty script that compares NVD data with equivalent OSV shows huge discrepancies (CPE converted to purl and matched against OSV) where it is not clear which database is even correct. Will create a separate ticket for this.
To Reproduce
Steps to reproduce the behaviour:
Expected behaviour
Package information must match NVD (CPEs belonging to application packages)
Screenshots
If applicable, add screenshots to help explain your problem.
Additional context
Add any other context about the problem here.
The text was updated successfully, but these errors were encountered: