
Do not reply that a package has an unfixed vulnerability when in fact it is malicious #4530

Merged
merged 1 commit into from
Sep 18, 2024

Conversation

jhrozek
Contributor

@jhrozek jhrozek commented Sep 18, 2024

Summary

Malicious packages that have a vulnerability entry `MAL-` are in fact
malicious. Our OSV evaluator handled the `MAL-` vulnerabilities the same
as all the others which meant that it would just reply with "A
vulnerability was found, but no fixed version exists yet".

A malicious package is unlikely to not be malicious again, so let's put
a sterner warning including a link to the vulnerability into the reply.

Fixes: #4528

Change Type

  • Bug fix (resolves an issue without affecting existing features)
  • Feature (adds new functionality without breaking changes)
  • Breaking change (may impact existing functionalities or require documentation updates)
  • Documentation (updates or additions to documentation)
  • Refactoring or test improvements (no bug fixes or new functionality)

Testing

manually, see e.g. jakubtestorg/bad-python#266

Review Checklist:

  • Reviewed my own code for quality and clarity.
  • Added comments to complex or tricky code sections.
  • Updated any affected documentation.
  • Included tests that validate the fix or feature.
  • Checked that related changes are merged.
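The behaviour the PR describes, as an added illustration that is not minder's own code: an OSV query response is parsed, advisories whose ID carries the `MAL-` prefix (the OSV malicious-packages feed) are reported with a stern warning and a link to the OSV entry, and everything else falls back to the usual "fixed version / no fixed version yet" wording. The struct fields are a subset of the real OSV schema; the function names, message wording and the sample JSON (with placeholder advisory IDs) are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of the OSV schema (https://ossf.github.io/osv-schema/) needed here:
// the advisory ID, a summary, and the "fixed" events in each affected range.
type osvEvent struct {
	Introduced string `json:"introduced,omitempty"`
	Fixed      string `json:"fixed,omitempty"`
}

type osvRange struct {
	Type   string     `json:"type"`
	Events []osvEvent `json:"events"`
}

type osvAffected struct {
	Ranges []osvRange `json:"ranges"`
}

type osvVuln struct {
	ID       string        `json:"id"`
	Summary  string        `json:"summary"`
	Affected []osvAffected `json:"affected"`
}

// queryResponse mirrors the shape of an OSV /v1/query reply: {"vulns": [...]}.
type queryResponse struct {
	Vulns []osvVuln `json:"vulns"`
}

// isMalicious reports whether an OSV entry comes from the malicious-packages
// feed. OSV prefixes those entries with MAL-; ordinary advisories use
// CVE-, GHSA-, PYSEC-, GO- and similar prefixes.
func isMalicious(v osvVuln) bool {
	return strings.HasPrefix(v.ID, "MAL-")
}

// fixedVersions returns every "fixed" event across all affected ranges.
func fixedVersions(v osvVuln) []string {
	var fixed []string
	for _, a := range v.Affected {
		for _, r := range a.Ranges {
			for _, e := range r.Events {
				if e.Fixed != "" {
					fixed = append(fixed, e.Fixed)
				}
			}
		}
	}
	return fixed
}

// describe builds the comment text for one advisory against package pkg.
// Malicious entries get a stern warning with a link instead of the generic
// "no fixed version" wording: there is no version to upgrade to.
func describe(pkg string, v osvVuln) string {
	link := "https://osv.dev/vulnerability/" + v.ID
	if isMalicious(v) {
		return fmt.Sprintf("WARNING: %s is reported as a MALICIOUS package (%s). "+
			"Do not install any version of it; remove it from the dependencies. See %s",
			pkg, v.ID, link)
	}
	if fixed := fixedVersions(v); len(fixed) > 0 {
		return fmt.Sprintf("%s is affected by %s; upgrade to %s or later. See %s",
			pkg, v.ID, strings.Join(fixed, ", "), link)
	}
	return fmt.Sprintf("%s is affected by %s, but no fixed version exists yet. See %s",
		pkg, v.ID, link)
}

// evaluate parses an OSV query response and returns one message per advisory.
func evaluate(pkg string, raw []byte) ([]string, error) {
	var resp queryResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return nil, fmt.Errorf("parsing OSV response: %w", err)
	}
	msgs := make([]string, 0, len(resp.Vulns))
	for _, v := range resp.Vulns {
		msgs = append(msgs, describe(pkg, v))
	}
	return msgs, nil
}

// sampleResponse is a constructed OSV-style reply; the IDs are placeholders,
// not real advisories.
const sampleResponse = `{"vulns": [
  {"id": "MAL-0000-00001", "summary": "Malicious code in example-pkg (PyPI)",
   "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}]}]},
  {"id": "PYSEC-0000-00001", "summary": "Example vulnerability",
   "affected": [{"ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.2.3"}]}]}]}
]}`

func main() {
	msgs, err := evaluate("example-pkg", []byte(sampleResponse))
	if err != nil {
		panic(err)
	}
	for _, m := range msgs {
		fmt.Println(m)
	}
}
```

The prefix check is the whole fix: once an advisory is known to be a `MAL-` entry, the "no fixed version exists yet" branch is wrong by construction, because the remediation is removal, not an upgrade.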

… it is malicious

Malicious packages that have a vulnerability entry `MAL-` are in fact
malicious. Our OSV evaluator handled the `MAL-` vulnerabilities the same
as all the others which meant that it would just reply with "A
vulnerability was found, but no fixed version exists yet".

A malicious package is unlikely to not be malicious again, so let's put
a sterner warning including a link to the vulnerability into the reply.

Fixes: mindersec#4528
@coveralls

Coverage Status

coverage: 52.83% (-0.009%) from 52.839%
when pulling c1362c9 on jhrozek:mal_is_not_cve
into fabeea9 on stacklok:main.

@JAORMX JAORMX requested a review from blkt September 18, 2024 14:15
@jhrozek jhrozek merged commit 31a94e0 into mindersec:main Sep 18, 2024
22 checks passed

Successfully merging this pull request may close these issues.

Minder's OSV evaluator treats malicious vulnerabilities like regular CVEs