From a985730d913bb588c6106a97d6a3aa3e24b38547 Mon Sep 17 00:00:00 2001 
From: Fabrice Fontaine Date: Thu, 13 Jun 2024 19:53:37 +0200 Subject: [PATCH] fix: remove alias mechanism from osv MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OSV database sometimes as entries such as https://osv.dev/vulnerability/PYSEC-2020-209 with no severity field but an alias to an other OSV entry which has one: https://osv.dev/vulnerability/CVE-2020-14365 Since its addition in commit 09417a2632a2d17b8ad6d93e71aa785648f914f1, cve-bin-tool will create an entry for CVE-2020-14635 but this entry will not contain any score which is obviously wrong so drop this alias mechanism. Moreover, this alias mechanism combined with the fact that OSV updated many "old" entries (such as https://osv.dev/vulnerability/CVE-2017-1000099 updated in May 2024) raises the following issue with libcurl 7.54.1 with 19 UKNOWN CVEs: ╭─────────────╮ │ CPE SUMMARY │ ╰─────────────╯ ┏━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━┓ ┃ Vendor ┃ Product ┃ Version ┃ Latest Upstream Stable Version ┃ CRITICAL CVEs Count ┃ HIGH CVEs Count ┃ MEDIUM CVEs Count ┃ LOW CVEs Count ┃ UNKNOWN CVEs Count ┃ TOTAL CVEs Count ┃ ┡━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━┩ │ haxx │ libcurl │ 7.54.1 │ 8.8.0 │ 0 │ 0 │ 2 │ 0 │ 19 │ 21 │ └────────┴─────────┴─────────┴────────────────────────────────┴─────────────────────┴─────────────────┴───────────────────┴────────────────┴────────────────────┴──────────────────┘ ╭─────────────────╮ │ NewFound CVEs │ ╰─────────────────╯ ┏━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━┓ ┃ Vendor ┃ Product ┃ Version ┃ CVE Number ┃ Source ┃ Severity ┃ Score (CVSS Version) ┃ 
┡━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━┩ │ haxx │ libcurl │ 7.54.1 │ CVE-2017-1000099 │ OSV │ UNKNOWN │ unknown │ │ haxx │ libcurl │ 7.54.1 │ CVE-2017-1000100 │ OSV │ UNKNOWN │ unknown │ │ haxx │ libcurl │ 7.54.1 │ CVE-2017-1000254 │ OSV │ UNKNOWN │ unknown │ │ haxx │ libcurl │ 7.54.1 │ CVE-2017-1000257 │ OSV │ UNKNOWN │ unknown │ │ haxx │ libcurl │ 7.54.1 │ CVE-2017-8816 │ OSV │ UNKNOWN │ unknown │ │ haxx │ libcurl │ 7.54.1 │ CVE-2017-8817 │ OSV │ UNKNOWN │ unknown │ │ haxx │ libcurl │ 7.54.1 │ CVE-2018-1000005 │ OSV │ UNKNOWN │ unknown │ │ haxx │ libcurl │ 7.54.1 │ CVE-2018-14618 │ OSV │ UNKNOWN │ unknown │ │ haxx │ libcurl │ 7.54.1 │ CVE-2018-16890 │ OSV │ UNKNOWN │ unknown │ │ haxx │ libcurl │ 7.54.1 │ CVE-2019-3822 │ OSV │ UNKNOWN │ unknown │ │ haxx │ libcurl │ 7.54.1 │ CVE-2019-3823 │ OSV │ UNKNOWN │ unknown │ │ haxx │ libcurl │ 7.54.1 │ CVE-2019-5436 │ OSV │ UNKNOWN │ unknown │ │ haxx │ libcurl │ 7.54.1 │ CVE-2020-8231 │ OSV │ UNKNOWN │ unknown │ │ haxx │ libcurl │ 7.54.1 │ CVE-2020-8285 │ OSV │ UNKNOWN │ unknown │ │ haxx │ libcurl │ 7.54.1 │ CVE-2020-8286 │ OSV │ UNKNOWN │ unknown │ │ haxx │ libcurl │ 7.54.1 │ CVE-2021-22876 │ OSV │ UNKNOWN │ unknown │ │ haxx │ libcurl │ 7.54.1 │ CVE-2021-22924 │ OSV │ UNKNOWN │ unknown │ │ haxx │ libcurl │ 7.54.1 │ CVE-2023-27535 │ NVD │ MEDIUM │ 5.9 (v3) │ │ haxx │ libcurl │ 7.54.1 │ CVE-2023-27536 │ NVD │ MEDIUM │ 5.9 (v3) │ │ haxx │ libcurl │ 7.54.1 │ CVE-2023-27538 │ OSV │ UNKNOWN │ unknown │ │ haxx │ libcurl │ 7.54.1 │ CVE-2023-38546 │ OSV │ UNKNOWN │ unknown │ └────────┴─────────┴─────────┴──────────────────┴────────┴──────────┴──────────────────────┘ After this change, the correct result is retrieved from NVD: ╭─────────────╮ │ CPE SUMMARY │ ╰─────────────╯ ┏━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━┓ ┃ Vendor ┃ Product ┃ Version ┃ 
Latest Upstream Stable Version ┃ CRITICAL CVEs Count ┃ HIGH CVEs Count ┃ MEDIUM CVEs Count ┃ LOW CVEs Count ┃ UNKNOWN CVEs Count ┃ TOTAL CVEs Count ┃ ┡━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━┩ │ haxx │ libcurl │ 7.54.1 │ 8.8.0 │ 6 │ 7 │ 6 │ 2 │ 0 │ 21 │ └────────┴─────────┴─────────┴────────────────────────────────┴─────────────────────┴─────────────────┴───────────────────┴────────────────┴────────────────────┴──────────────────┘ ╭─────────────────╮ │ NewFound CVEs │ ╰─────────────────╯ ┏━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━┓ ┃ Vendor ┃ Product ┃ Version ┃ CVE Number ┃ Source ┃ Severity ┃ Score (CVSS Version) ┃ ┡━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━┩ │ haxx │ libcurl │ 7.54.1 │ CVE-2017-1000099 │ NVD │ MEDIUM │ 6.5 (v3) │ │ haxx │ libcurl │ 7.54.1 │ CVE-2017-1000100 │ NVD │ MEDIUM │ 6.5 (v3) │ │ haxx │ libcurl │ 7.54.1 │ CVE-2017-1000254 │ NVD │ HIGH │ 7.5 (v3) │ │ haxx │ libcurl │ 7.54.1 │ CVE-2017-1000257 │ NVD │ CRITICAL │ 9.1 (v3) │ │ haxx │ libcurl │ 7.54.1 │ CVE-2017-8816 │ NVD │ CRITICAL │ 9.8 (v3) │ │ haxx │ libcurl │ 7.54.1 │ CVE-2017-8817 │ NVD │ CRITICAL │ 9.8 (v3) │ │ haxx │ libcurl │ 7.54.1 │ CVE-2018-1000005 │ NVD │ CRITICAL │ 9.1 (v3) │ │ haxx │ libcurl │ 7.54.1 │ CVE-2018-14618 │ NVD │ CRITICAL │ 9.8 (v3) │ │ haxx │ libcurl │ 7.54.1 │ CVE-2018-16890 │ NVD │ HIGH │ 7.5 (v3) │ │ haxx │ libcurl │ 7.54.1 │ CVE-2019-3822 │ NVD │ CRITICAL │ 9.8 (v3) │ │ haxx │ libcurl │ 7.54.1 │ CVE-2019-3823 │ NVD │ HIGH │ 7.5 (v3) │ │ haxx │ libcurl │ 7.54.1 │ CVE-2019-5436 │ NVD │ HIGH │ 7.8 (v3) │ │ haxx │ libcurl │ 7.54.1 │ CVE-2020-8231 │ NVD │ HIGH │ 7.5 (v3) │ │ haxx │ libcurl │ 7.54.1 │ CVE-2020-8285 │ NVD │ HIGH │ 7.5 (v3) │ │ haxx │ libcurl │ 7.54.1 │ CVE-2020-8286 │ NVD │ HIGH │ 7.5 (v3) │ │ haxx │ libcurl │ 7.54.1 │ 
CVE-2021-22876 │ NVD │ MEDIUM │ 5.3 (v3) │ │ haxx │ libcurl │ 7.54.1 │ CVE-2021-22924 │ NVD │ LOW │ 3.7 (v3) │ │ haxx │ libcurl │ 7.54.1 │ CVE-2023-27535 │ NVD │ MEDIUM │ 5.9 (v3) │ │ haxx │ libcurl │ 7.54.1 │ CVE-2023-27536 │ NVD │ MEDIUM │ 5.9 (v3) │ │ haxx │ libcurl │ 7.54.1 │ CVE-2023-27538 │ NVD │ MEDIUM │ 5.5 (v3) │ │ haxx │ libcurl │ 7.54.1 │ CVE-2023-38546 │ NVD │ LOW │ 3.7 (v3) │ └────────┴─────────┴─────────┴──────────────────┴────────┴──────────┴──────────────────────┘ This alias mechanism is probably the root cause of #3721 Signed-off-by: Fabrice Fontaine
---
 cve_bin_tool/data_sources/osv_source.py | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/cve_bin_tool/data_sources/osv_source.py b/cve_bin_tool/data_sources/osv_source.py
index bb9bb4ac91..6cfed5ef75 100644
--- a/cve_bin_tool/data_sources/osv_source.py
+++ b/cve_bin_tool/data_sources/osv_source.py
@@ -251,15 +251,7 @@ def format_data(self, all_cve_entries):
 affected_data = []
 for cve_item in all_cve_entries:
- cve_in_alias = None
-
- for cve in cve_item.get("aliases", []):
- if "CVE" in cve:
- cve_in_alias = cve
- break
-
- # if CVE has alias of the form "CVE-year-xxxx" keep that as CVE ID, will help in checking for duplicates
- cve_id = cve_in_alias if cve_in_alias is not None else cve_item["id"]
+ cve_id = cve_item["id"]
 severity = cve_item.get("severity", None)
 vector = None