AppThreat / vulnerability-db

Vulnerability database and package search for sources such as Linux, OSV, NVD, GitHub and npm. Powered by sqlite, CVE 5.0, purl, and vers.
MIT License

Some vulnerabilities reported by Depscan for the Java app Webgoat (7.1) do not match NIST/NVD Severity and/or CVSS 3.X Score #23

Closed naixea closed 1 year ago

naixea commented 1 year ago

Context:

depscan --cache -t java --suggest --bom /app/bom-java.json -o /app/depscan-webgoat.json

Some of the mismatches:

xalan:2.7.2 CVE-2022-34169 is reported by Depscan as CRITICAL/9.0 and by NIST/NVD as HIGH/7.5 https://nvd.nist.gov/vuln/detail/CVE-2022-34169

commons-collections:3.2.1 CVE-2015-7501 is reported by Depscan as CRITICAL/9.0 and by NIST/NVD as CRITICAL/9.8 https://nvd.nist.gov/vuln/detail/CVE-2015-7501

jackson-databind:2.6.3 CVE-2018-7489 is reported by Depscan as CRITICAL/9.0 and by NIST/NVD as CRITICAL/9.8 https://nvd.nist.gov/vuln/detail/CVE-2018-7489

I tried to look directly in the database, which reports the same mismatches:

vdb --search xalan:2.7.2
vdb --search commons-collections:3.2.1
vdb --search jackson-databind:2.6.3

depscan-webgoat-7.1.zip

Regards

prabhu commented 1 year ago

@naixea This is an interesting bug!

OSV database uses this particular file - https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-9339-86wc-4qgf/GHSA-9339-86wc-4qgf.json which is missing a score.

So vdb is making up a default of 9.0 https://github.com/AppThreat/vulnerability-db/blob/master/vdb/lib/utils.py#L567

To search vdb, include the group name as well.

vdb --search "xalan:xalan:2.7.2"

prabhu commented 1 year ago

Thank you for reporting this bug. This is resolved in 2.1.0. Kindly try the latest vdb and let me know how it goes.

naixea commented 1 year ago

Hello @prabhu,

Thank you for solving this issue so quickly, this is much, much better: almost all vulnerabilities reported by vulnerability-db 2.1.0 match NIST/NVD Severity/Scoring 3.X, but I found 2 remaining mismatches:

STILL MISMATCH WITH NIST/NVD but seems to MATCH WITH GITHUB ADVISORIES (is it a bug?). Including but not limited to, as I did not check every vulnerability reported:

xalan:2.7.2 CVE-2022-34169 is now reported by vulnerability-db 2.1.0 as CRITICAL/9.8 (previously CRITICAL/9.0) and by NIST/NVD as HIGH/7.5 and by GITHUB/advisories as CRITICAL/9.8 https://github.com/advisories/GHSA-9339-86wc-4qgf

junit:4.12 CVE-2020-15250 is reported by vulnerability-db 2.1.0 as MEDIUM/4.4 (previously CRITICAL/5.0) and by NIST/NVD as MEDIUM/5.5 and by GITHUB/advisories as MEDIUM/4.4 https://github.com/advisories/GHSA-269g-pwp5-87pp

Context:

rm /vdb/*
vdb --cache
vdb --search xalan:xalan:2.7.2
vdb --search junit:junit:4.12
depscan -t java --suggest --bom /app/bom-java.json -o /app/depscan-2.3.0-webgoat.json

depscan-2.3.0-webgoat-7.1.zip

Regards

prabhu commented 1 year ago

@naixea vdb uses an append-only file, so the hits from the top would show up as a vulnerability. OSV is the first source it downloads and refers to with default settings.

https://github.com/AppThreat/vulnerability-db/blob/master/vdb/cli.py#L161

Are you asking for a feature to prioritize NVD over OSV?

naixea commented 1 year ago

Sorry, I thought that the source priority was "1 OSV, 2 NVD, 3 GHA", but I understand now that it is "1 OSV, 2 GHA, 3 NVD" (corresponding to the order in which these sources are cached by vdb).

Are you asking for a feature to prioritize NVD over OSV? No, it's perfectly fine. Thanks again for solving the issue!

Regards
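To make the behaviour discussed in this thread concrete (a source record without a CVSS score being filled with a fixed default, an append-only store where the first source to report a CVE wins, and the OSV, GHA, NVD ordering), here is an added Python example. It is not vdb's own code: the record layout, the function names and the sample advisories are this example's assumptions, with the scores taken from the numbers quoted in the thread. It goes one step beyond the issue by also showing a configurable source preference, the feature prabhu asked about.

```python
"""
Illustrative merge of advisory records from several feeds for one CVE.
Three policies are compared:
  first_hit        - append-only semantics: earliest record wins, missing
                     score replaced by a fixed default (the CRITICAL/9.0 case)
  first_scored_hit - same ordering, but skip records that carry no score
  prefer_source    - explicit source preference (e.g. NVD before GHA before OSV)
All records below are constructed sample data modelled on this issue, not
real feed content, and nothing here is vdb's actual API.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

DEFAULT_SCORE = 9.0  # hypothetical fallback used when a feed carries no score

# Qualitative rating bands from the CVSS v3.x specification.
def severity_from_score(score: float) -> str:
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


@dataclass(frozen=True)
class Advisory:
    source: str             # "osv", "gha" or "nvd"
    cve_id: str
    score: Optional[float]  # None when the feed record has no CVSS score


# Constructed sample store, appended in the order the thread describes:
# OSV first, then GitHub advisories, then NVD. The OSV records mirror the
# GHSA file mentioned above, which is missing a score.
SAMPLE_RECORDS: List[Advisory] = [
    Advisory("osv", "CVE-2022-34169", None),
    Advisory("osv", "CVE-2020-15250", None),
    Advisory("gha", "CVE-2022-34169", 9.8),
    Advisory("gha", "CVE-2020-15250", 4.4),
    Advisory("nvd", "CVE-2022-34169", 7.5),
    Advisory("nvd", "CVE-2020-15250", 5.5),
]

Result = Tuple[str, float, str]  # (source, score, severity)


def _as_result(rec: Advisory, score: float) -> Result:
    return rec.source, score, severity_from_score(score)


def first_hit(records: Sequence[Advisory], cve_id: str) -> Optional[Result]:
    """Append-only lookup: the earliest matching record is returned, and a
    missing score is silently replaced by DEFAULT_SCORE."""
    for rec in records:
        if rec.cve_id == cve_id:
            return _as_result(rec, rec.score if rec.score is not None else DEFAULT_SCORE)
    return None


def first_scored_hit(records: Sequence[Advisory], cve_id: str) -> Optional[Result]:
    """Same ordering, but a record without a score does not shadow a later
    record that has one; the default is used only if no source has a score."""
    matches = [r for r in records if r.cve_id == cve_id]
    if not matches:
        return None
    for rec in matches:
        if rec.score is not None:
            return _as_result(rec, rec.score)
    return _as_result(matches[0], DEFAULT_SCORE)


def prefer_source(records: Sequence[Advisory], cve_id: str,
                  order: Sequence[str] = ("nvd", "gha", "osv")) -> Optional[Result]:
    """Pick the scored record from the most preferred source; fall back to
    first_scored_hit when none of the preferred sources has a score."""
    for source in order:
        for rec in records:
            if rec.cve_id == cve_id and rec.source == source and rec.score is not None:
                return _as_result(rec, rec.score)
    return first_scored_hit(records, cve_id)


if __name__ == "__main__":
    for cve in ("CVE-2022-34169", "CVE-2020-15250"):
        print(cve, "first_hit:", first_hit(SAMPLE_RECORDS, cve))
        print(cve, "first_scored_hit:", first_scored_hit(SAMPLE_RECORDS, cve))
        print(cve, "prefer nvd:", prefer_source(SAMPLE_RECORDS, cve))
```

Run against the sample store, `first_hit` reproduces the CRITICAL/9.0 report from the first comment, `first_scored_hit` reproduces the 2.1.0 result that matches GitHub advisories (9.8 and 4.4), and `prefer_source` with NVD first yields the NIST figures (HIGH/7.5 and MEDIUM/5.5). Whichever policy a tool adopts, recording which source supplied the score alongside the number makes mismatches like the ones in this issue easy to explain.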

prabhu commented 1 year ago

Thank you, @naixea, for the confirmation!