Closed naixea closed 1 year ago
@naixea This is an interesting bug!
OSV database uses this particular file - https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-9339-86wc-4qgf/GHSA-9339-86wc-4qgf.json which is missing a score.
So vdb is making up a default of 9.0 https://github.com/AppThreat/vulnerability-db/blob/master/vdb/lib/utils.py#L567
To search vdb, include the group name as well.
vdb --search "xalan:xalan:2.7.2"
Thank you for reporting this bug. This is resolved in 2.1.0. Kindly try the latest vdb and let me know how it goes.
Hello @prabhu,
Thank you for solving this issue so quickly, this is much, much better. Almost all vulnerabilities reported by vulnerability-db 2.1.0 match NIST/NVD Severity/Scoring 3.X, but I found 2 mismatches left:
STILL MISMATCH WITH NIST/NVD but seems to MATCH WITH GITHUB ADVISORIES (is it a bug?). Including but not limited to, I did not check every vulnerability reported:
xalan:2.7.2 CVE-2022-34169 is now reported by vulnerability-db 2.1.0 as CRITICAL/9.8 (previously CRITICAL/9.0) and by NIST/NVD as HIGH/7.5 and by GITHUB/advisories as CRITICAL/9.8 https://github.com/advisories/GHSA-9339-86wc-4qgf
junit:4.12 CVE-2020-15250 is reported by vulnerability-db 2.1.0 as MEDIUM/4.4 (previously CRITICAL/5.0) and by NIST/NVD as MEDIUM/5.5 and by GITHUB/advisories as MEDIUM/4.4 https://github.com/advisories/GHSA-269g-pwp5-87pp
Context:
rm /vdb/*
vdb --cache
vdb --search xalan:xalan:2.7.2
vdb --search junit:junit:4.12
depscan -t java --suggest --bom /app/bom-java.json -o /app/depscan-2.3.0-webgoat.json
Regards
@naixea vdb uses an append-only file, so the hits from the top would show up as a vulnerability. OSV is the first source it downloads and refers to with default settings.
https://github.com/AppThreat/vulnerability-db/blob/master/vdb/cli.py#L161
Are you asking for a feature to prioritize NVD over OSV?
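As an added illustration of the append-order behaviour described above (this is constructed simulation code, not vdb's own), the three sources' values quoted in this thread for CVE-2022-34169 are appended in vdb's caching order, and a naive first-hit lookup is compared with a score-aware lookup; the 9.0 default for a missing score and the severity bands are assumptions modelled on the thread:

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Simulated append-only store: records are appended source by source in the
# order vdb caches them (OSV, then GitHub advisories, then NVD), and a naive
# search returns the first hit in file order. Constructed for illustration.
DEFAULT_SCORE = 9.0  # the made-up score the thread attributes to a missing CVSS value


@dataclass
class Record:
    source: str
    cve: str
    package: str
    score: Optional[float]  # None when the advisory JSON carries no score


def severity(score: float) -> str:
    """Qualitative CVSS v3 rating bands."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    if score > 0.0:
        return "LOW"
    return "NONE"


def first_hit(store: List[Record], cve: str) -> Record:
    """Naive append-order lookup: whichever source was cached first wins."""
    return next(r for r in store if r.cve == cve)


def best_scored(store: List[Record], cve: str, priority: Tuple[str, ...]) -> Record:
    """Prefer records that actually carry a score, in the caller's source order."""
    hits = [r for r in store if r.cve == cve and r.score is not None]
    return min(hits, key=lambda r: priority.index(r.source))


def effective(rec: Record) -> Tuple[str, float]:
    """Severity/score a consumer would see, including the default fill-in."""
    score = rec.score if rec.score is not None else DEFAULT_SCORE
    return severity(score), score


# Constructed records using the values quoted in this thread for xalan 2.7.2.
STORE = [
    Record("OSV", "CVE-2022-34169", "xalan:xalan:2.7.2", None),  # no score in the JSON
    Record("GHSA", "CVE-2022-34169", "xalan:xalan:2.7.2", 9.8),
    Record("NVD", "CVE-2022-34169", "xalan:xalan:2.7.2", 7.5),
]
```

With the first-hit lookup the unscored OSV record wins and is reported as CRITICAL/9.0; preferring scored records yields GHSA's 9.8 or, with NVD first, NVD's 7.5.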
Sorry, I thought that the sources priority was "1 OSV, 2 NVD, 3 GHA", but I understand now that it is "1 OSV, 2 GHA, 3 NVD" (corresponding to the order these sources are cached by vdb).
Are you asking for a feature to prioritize NVD over OSV? No, it's perfectly fine. Thanks again for solving the issue!
Regards
Thank you, @naixea, for the confirmation!
Context:
depscan --cache -t java --suggest --bom /app/bom-java.json -o /app/depscan-webgoat.json
Some of the mismatches:
xalan:2.7.2 CVE-2022-34169 is reported by Depscan as CRITICAL/9.0 and by NIST/NVD as HIGH/7.5 https://nvd.nist.gov/vuln/detail/CVE-2022-34169
commons-collections:3.2.1 CVE-2015-7501 is reported by Depscan as CRITICAL/9.0 and by NIST/NVD as CRITICAL/9.8 https://nvd.nist.gov/vuln/detail/CVE-2015-7501
jackson-databind:2.6.3 CVE-2018-7489 is reported by Depscan as CRITICAL/9.0 and by NIST/NVD as CRITICAL/9.8 https://nvd.nist.gov/vuln/detail/CVE-2018-7489
I tried to look directly in the database, which reports the same mismatches:
vdb --search xalan:2.7.2
vdb --search commons-collections:3.2.1
vdb --search jackson-databind:2.6.3
depscan-webgoat-7.1.zip
Regards