
CVE-2022-30187 is not reported for java and Python SDKs #2024

Open
prabhu opened this issue Feb 29, 2024 · 3 comments
Labels
data quality Issues with data quality

Comments

@prabhu

prabhu commented Feb 29, 2024

Describe the bug
When searching for CVE-2022-30187, there is only a single result belonging to GHSA being presented.

https://osv.dev/vulnerability/GHSA-64x4-9hc6-r2h6

The GHSA entry doesn't include Java and Python SDKs. NVD (!) and MSRC feeds are correct here.

https://nvd.nist.gov/vuln/detail/CVE-2022-30187
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-30187

NOTE: While this is a single example, a quick and dirty script that compares NVD data with equivalent OSV shows huge discrepancies (CPE converted to purl and matched against OSV) where it is not clear which database is even correct. Will create a separate ticket for this.

To Reproduce
Steps to reproduce the behaviour:

  1. search for CVE-2022-30187

Expected behaviour
Package information must match NVD (CPEs belonging to application packages)


@cuixq cuixq added the data quality Issues with data quality label Mar 4, 2024
@andrewpollock
Contributor

Hey @prabhu

Thanks for taking a look at our data, I'd love to more broadly explore any gaps you've identified using this CPE to Purl technique you mention.

In the case of this particular CVE, I'm not seeing how there's a discrepancy?

Looking at https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2022-30187, I can see the following CPEs:

        "configurations": [
          {
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:microsoft:azure_storage_blobs:*:*:*:*:*:.net:*:*",
                    "versionEndExcluding": "12.13.0",
                    "matchCriteriaId": "76C885A0-06D7-4573-97BA-FBCA7653F008"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:microsoft:azure_storage_blobs:*:*:*:*:*:python:*:*",
                    "versionEndExcluding": "12.13.0",
                    "matchCriteriaId": "2E1A488F-D561-4005-AFF8-468860F40816"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:microsoft:azure_storage_blobs:*:*:*:*:*:java:*:*",
                    "versionEndExcluding": "12.18.0",
                    "matchCriteriaId": "153D4518-8E6D-48D0-9BC5-EB482EDBF07B"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:microsoft:azure_storage_queue:*:*:*:*:*:python:*:*",
                    "versionEndExcluding": "12.4.0",
                    "matchCriteriaId": "F765F0A9-3756-4C1E-85B0-1438474B4590"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:microsoft:azure_storage_queue:*:*:*:*:*:.net:*:*",
                    "versionEndExcluding": "12.11.0",
                    "matchCriteriaId": "5444CD1F-54C8-4918-8842-5320DE43FDBC"
                  }
                ]
              }
            ]
          }
        ],

which seems to me to correlate with what is currently available for https://api.osv.dev/v1/vulns/GHSA-64x4-9hc6-r2h6:

  "affected": [
    {
      "package": {
        "name": "Azure.Storage.Queues",
        "ecosystem": "NuGet",
        "purl": "pkg:nuget/Azure.Storage.Queues"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "12.11.0"
            }
          ]
        }
      ],
      "versions": [
        "12.0.0",
        "12.1.0",
        "12.1.1",
        "12.10.0",
        "12.2.0",
        "12.3.0",
        "12.3.1",
        "12.3.2",
        "12.4.0",
        "12.4.1",
        "12.4.2",
        "12.5.0",
        "12.6.0",
        "12.6.1",
        "12.6.2",
        "12.7.0",
        "12.8.0",
        "12.9.0"
      ],
      "database_specific": {
        "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-64x4-9hc6-r2h6/GHSA-64x4-9hc6-r2h6.json"
      }
    },
    {
      "package": {
        "name": "Azure.Storage.Blobs",
        "ecosystem": "NuGet",
        "purl": "pkg:nuget/Azure.Storage.Blobs"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "12.13.0"
            }
          ]
        }
      ],
      "versions": [
        "12.0.0",
        "12.1.0",
        "12.10.0",
        "12.11.0",
        "12.12.0",
        "12.2.0",
        "12.3.0",
        "12.4.0",
        "12.4.1",
        "12.4.2",
        "12.4.3",
        "12.4.4",
        "12.5.0",
        "12.5.1",
        "12.6.0",
        "12.7.0",
        "12.8.0",
        "12.8.1",
        "12.8.2",
        "12.8.3",
        "12.8.4",
        "12.9.0",
        "12.9.1"
      ],
      "database_specific": {
        "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-64x4-9hc6-r2h6/GHSA-64x4-9hc6-r2h6.json"
      }
    }
  ],

i.e., I'm seeing:

  • Azure.Storage.Queues
  • Azure.Storage.Blobs

The CVE itself isn't converting to a first class OSV record (it's just an alias of GHSA-64x4-9hc6-r2h6 as you note), because our conversion process hasn't been able to derive a Git repository from the CPEs, and looking at https://github.com/scanoss/purl2cpe/tree/main/data/microsoft, which I've been using as an independent cross-reference, I'm not seeing anything particularly useful there, either.

Could you please elaborate on how the current behaviour is not aligning with what you're expecting?

@prabhu
Author

prabhu commented Mar 4, 2024

Thanks @andrewpollock. I will share the script once it's in good shape. It is currently buggy and unreliable.

Regarding the CPE, you can find java and python under target_sw, which is how the package ecosystem is represented. Depscan, for example, can now report these vulnerabilities for the equivalent maven and pypi packages in addition to nuget as well.

Perhaps retain the raw CPE information for NVD under database_specific and ensure both NVD and GHSA information are presented for all CVEs?
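As an added example (not code from this thread, from OSV or from depscan), here is a small Python check that does what the CPE to purl comparison mentioned above amounts to at the ecosystem level: it parses each NVD CPE 2.3 string, reads the ecosystem from the target_sw field, and reports ecosystems that the OSV record never mentions. The target_sw to ecosystem table is my own assumption, and the sample data is constructed from the NVD and OSV JSON quoted earlier in the thread; mapping a CPE product to a concrete PyPI or Maven package name is deliberately left out.

```python
import re

# Field order of a CPE 2.3 formatted string (NIST IR 7695); 11 fields after "cpe:2.3".
CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]

# target_sw -> OSV ecosystem. Assumption: this table is mine, not NVD's or OSV's.
TARGET_SW_TO_ECOSYSTEM = {".net": "NuGet", "python": "PyPI", "java": "Maven",
                          "node.js": "npm", "go": "Go", "rust": "crates.io"}

def parse_cpe23(cpe):
    """Split on unescaped ':' so an escaped colon inside a field survives."""
    parts = re.split(r"(?<!\\):", cpe)
    if parts[:2] != ["cpe", "2.3"] or len(parts) != 13:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(CPE_FIELDS, parts[2:]))

def nvd_affected(configurations):
    """(ecosystem, product, versionEndExcluding) for every vulnerable cpeMatch entry."""
    found = set()
    for cfg in configurations:
        for node in cfg["nodes"]:
            for m in node["cpeMatch"]:
                if not m.get("vulnerable"):
                    continue
                c = parse_cpe23(m["criteria"])
                eco = TARGET_SW_TO_ECOSYSTEM.get(c["target_sw"], c["target_sw"])
                found.add((eco, c["product"], m.get("versionEndExcluding")))
    return found

def missing_ecosystems(configurations, affected):
    """Ecosystems that NVD's target_sw implies but the OSV 'affected' list lacks."""
    nvd = {eco for eco, _, _ in nvd_affected(configurations)}
    return nvd - {a["package"]["ecosystem"] for a in affected}

# Constructed sample: the cpeMatch entries and OSV affected packages quoted in this thread.
NVD_CONFIGURATIONS = [{"nodes": [{"operator": "OR", "cpeMatch": [
    {"vulnerable": True, "versionEndExcluding": v, "criteria": c} for c, v in [
        ("cpe:2.3:a:microsoft:azure_storage_blobs:*:*:*:*:*:.net:*:*", "12.13.0"),
        ("cpe:2.3:a:microsoft:azure_storage_blobs:*:*:*:*:*:python:*:*", "12.13.0"),
        ("cpe:2.3:a:microsoft:azure_storage_blobs:*:*:*:*:*:java:*:*", "12.18.0"),
        ("cpe:2.3:a:microsoft:azure_storage_queue:*:*:*:*:*:python:*:*", "12.4.0"),
        ("cpe:2.3:a:microsoft:azure_storage_queue:*:*:*:*:*:.net:*:*", "12.11.0"),
    ]]}]}]
OSV_AFFECTED = [{"package": {"name": "Azure.Storage.Queues", "ecosystem": "NuGet"}},
                {"package": {"name": "Azure.Storage.Blobs", "ecosystem": "NuGet"}}]

if __name__ == "__main__":
    print(sorted(missing_ecosystems(NVD_CONFIGURATIONS, OSV_AFFECTED)))  # ['Maven', 'PyPI']
```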

@andrewpollock
Contributor

> Regarding the CPE, you can find java and python under target_sw, which is how the package ecosystem is represented.

Ah, I see. Thanks for highlighting that.

In the case of GHSA-64x4-9hc6-r2h6 specifically, any deficiencies in comprehensiveness need to be taken up with the GitHub Advisory Database, via https://github.com/advisories/GHSA-64x4-9hc6-r2h6/improve
