CVEProject / cve-services

This repo contains the source for the CVE Services API.
Creative Commons Zero v1.0 Universal

CVSS 3 score mismatch errors shown later than other errors #1209

Open ElectricNroff opened 8 months ago

ElectricNroff commented 8 months ago

If POST /cve/:id/cna is used to submit a CNA container in which there is a CVSS 3 baseScore/baseSeverity mismatch and also a second problem (e.g., no references), then the initial submission shows only the latter error. The former error is only shown after the CNA fixes the second problem and re-submits. In some cases, this makes it slower for a CNA to converge on a correct CNA container. (Only CVSS 3 is affected by this issue, not CVSS 4.) For example (here 10.0 is not supposed to be low, and there are no references),

{"cnaContainer":{"affected": [{"vendor": "v","product": "p",
"defaultStatus": "affected"}],
"descriptions": [{"lang": "en","value": "abc def ghi"}],
"metrics": [{"format": "CVSS","scenarios": [{"lang": "en","value": "GENERAL"}],
"cvssV3_1": {
    "baseScore": 10.0,
    "baseSeverity": "LOW",
    "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
    "version": "3.1"
}}]}}

outcome is:

{"error":"INVALID_JSON_SCHEMA","message":"CVE cnaContainer JSON schema validation FAILED.","details":
{"errors":[{"instancePath":"/cnaContainer","schemaPath":
"#/properties/cnaContainer/required","keyword":"required","params":
{"missingProperty":"references"},"message":"must have required property 'references'"}]}}

If the CNA partially corrects this to:

{"cnaContainer":{"affected": [{"vendor": "v","product": "p",
"defaultStatus": "affected"}],
"descriptions": [{"lang": "en","value": "abc def ghi"}],
"metrics": [{"format": "CVSS","scenarios": [{"lang": "en","value": "GENERAL"}],
"cvssV3_1": {
    "baseScore": 10.0,
    "baseSeverity": "LOW",
    "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
    "version": "3.1"
}}],
"references": [{"url": "https://example.com/r"}]}}

then the outcome is a long (but fully acceptable) error message about the various score mappings that were not satisfied:

{"error":"INVALID_JSON_SCHEMA","message":"CVE cnaContainer JSON schema validation FAILED.","details":
{"errors":[{"instancePath":"/containers/cna/metrics/0/cvssV3_1/baseScore",
"schemaPath":
"#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType/maximum",
[etc.]

This two-step situation occurs because score checks only occur during schema validation in src/controller/cve.controller/cve.controller.js whereas other checks (e.g., missing references) occur during the earlier schema validation in src/controller/cve.controller/index.js.

This could perhaps be addressed by copying a few lines from src/middleware/schemas/CVE_JSON_5.1_bundled.json to src/middleware/schemas/5.1_published_cna_container.json.
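The single-pass behaviour the issue asks for, as an added example that is not part of the original comment and is not cve-services code: one function collects the missing-property error and the CVSS 3.x baseScore/baseSeverity mismatch together. The function names, the `severityMismatch` keyword and the reduced required-property list are assumptions made for illustration; the severity bands are the CVSS v3.x qualitative rating scale.

```javascript
// Added example; helper names and the 'severityMismatch' keyword are hypothetical.
// CVSS v3.x qualitative severity rating scale.
const CVSS3_BANDS = [
  { severity: 'NONE', min: 0.0, max: 0.0 },
  { severity: 'LOW', min: 0.1, max: 3.9 },
  { severity: 'MEDIUM', min: 4.0, max: 6.9 },
  { severity: 'HIGH', min: 7.0, max: 8.9 },
  { severity: 'CRITICAL', min: 9.0, max: 10.0 },
];
// Subset of required cnaContainer properties, enough for the issue's example.
const REQUIRED = ['affected', 'descriptions', 'references'];

function expectedSeverity(score) {
  if (typeof score !== 'number' || Number.isNaN(score)) return null;
  const band = CVSS3_BANDS.find((b) => score >= b.min && score <= b.max);
  return band ? band.severity : null; // null: out of range or between bands
}

// Collects structural and CVSS 3.x consistency errors in a single pass.
function checkCnaContainer(body) {
  const errors = [];
  const cna = (body && body.cnaContainer) || {};
  for (const prop of REQUIRED) {
    if (!(prop in cna)) {
      errors.push({ instancePath: '/cnaContainer', keyword: 'required',
        message: `must have required property '${prop}'` });
    }
  }
  const metrics = Array.isArray(cna.metrics) ? cna.metrics : [];
  metrics.forEach((metric, i) => {
    for (const key of ['cvssV3_0', 'cvssV3_1']) {
      const cvss = metric && metric[key];
      if (!cvss) continue;
      const want = expectedSeverity(cvss.baseScore);
      if (want === cvss.baseSeverity) continue;
      errors.push({ instancePath: `/cnaContainer/metrics/${i}/${key}`,
        keyword: 'severityMismatch',
        message: want
          ? `baseScore ${cvss.baseScore} maps to ${want}, not ${cvss.baseSeverity}`
          : `baseScore ${cvss.baseScore} is not a valid CVSS 3.x score` });
    }
  });
  return errors;
}

// The first payload from the issue (no references, 10.0 labelled LOW).
const SAMPLE = { cnaContainer: {
  affected: [{ vendor: 'v', product: 'p', defaultStatus: 'affected' }],
  descriptions: [{ lang: 'en', value: 'abc def ghi' }],
  metrics: [{ format: 'CVSS', cvssV3_1: { baseScore: 10.0, baseSeverity: 'LOW',
    vectorString: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H', version: '3.1' } }] } };
console.log(checkCnaContainer(SAMPLE).map((e) => e.message));
```
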

jdaigneau5 commented 1 week ago

Dev Note: Need to confirm that this is fixed as a result of https://github.com/CVEProject/cve-services/commit/defd2b94a0ca1d7c0bc731039edfe2104db053e5