OSSIndex / vulns

Report missing advisories and corrections on OSS Index

Incorrect vulnerability details for CVE-2016-3720 #29

Open msymons opened 5 years ago

msymons commented 5 years ago

Vulnerability URL

https://ossindex.sonatype.org/vuln/87e6a268-2456-4f78-815e-69c84d6b7a6c

Description

  1. This is the OSS Index listing for CVE-2016-3720 but does not provide this in the CVE field. (only provided as part of the description),
  2. The description has formatting oddities. ie, starts with an extra ">"
  3. Missing CVSS Score
  4. Missing CVSS Vector
  5. Missing CWE

Some of this can be illustrated in the REST response:

```json
{
  "coordinates": "pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-xml@2.4.5?type=jar",
  "description": "Data format extension for Jackson (http://jackson.codehaus.org) to offer\nalternative support for serializing POJOs as XML and deserializing XML as pojos.\nSupport implemented on top of Stax API (javax.xml.stream), by implementing core Jackson Streaming API types like JsonGenerator, JsonParser and JsonFactory.\nSome data-binding types overridden as well (ObjectMapper sub-classed as XmlMapper).",
  "reference": "https://ossindex.sonatype.org/component/pkg%3Amaven%2Fcom.fasterxml.jackson.dataformat%2Fjackson-dataformat-xml%402.4.5%3Ftype%3Djar",
  "vulnerabilities": [
    {
      "id": "87e6a268-2456-4f78-815e-69c84d6b7a6c",
      "title": "[CVE-2016-3720] Possible XML External Entity (XXE) vulnerability",
      "description": "> XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.\n> \n> -- [NIST](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3720)",
      "cvssScore": 0,
      "reference": "https://ossindex.sonatype.org/vuln/87e6a268-2456-4f78-815e-69c84d6b7a6c"
    }
  ]
}
```

(Aside: CWE missing from REST, but is it ever included?)
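A consumer-side data-quality check for the five gaps listed in this report, added here as an example and not OSS Index's own code: it walks a response shaped like the one quoted above and flags each vulnerability record that lacks the expected fields. The field names `cve`, `cvssVector` and `cwe` are assumed from the newer OSS Index REST schema (only `cvssScore` appears in the quoted response); the sample record is constructed from the values in the report.

```python
import re

# Constructed sample modelled on the REST response quoted in the report above.
SAMPLE_RESPONSE = {
    "coordinates": "pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-xml@2.4.5?type=jar",
    "vulnerabilities": [
        {
            "id": "87e6a268-2456-4f78-815e-69c84d6b7a6c",
            "title": "[CVE-2016-3720] Possible XML External Entity (XXE) vulnerability",
            "description": "> XML external entity (XXE) vulnerability in XmlMapper ...\n> \n> -- [NIST](...)",
            "cvssScore": 0,
            "reference": "https://ossindex.sonatype.org/vuln/87e6a268-2456-4f78-815e-69c84d6b7a6c",
        }
    ],
}

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def audit_vulnerability(vuln):
    """Return the list of data-quality problems found in one vulnerability record.

    The keys ``cve``, ``cvssVector`` and ``cwe`` are assumed field names; they are
    absent from the quoted response, which is exactly what this check surfaces.
    """
    problems = []
    cve_in_title = CVE_RE.search(vuln.get("title", ""))
    if not vuln.get("cve") and cve_in_title:
        # The CVE id is only recoverable from the title, not from a dedicated field.
        problems.append(f"cve field missing (title mentions {cve_in_title.group()})")
    if not vuln.get("cvssScore"):
        problems.append("cvssScore is 0 or missing")
    if not vuln.get("cvssVector"):
        problems.append("cvssVector missing")
    if not vuln.get("cwe"):
        problems.append("cwe missing")
    if vuln.get("description", "").lstrip().startswith(">"):
        # Leftover blockquote marker from the imported NVD text.
        problems.append("description starts with a stray '>' quote marker")
    return problems


def audit_response(resp):
    """Map each vulnerability id in a component response to its list of problems."""
    findings = {}
    for vuln in resp.get("vulnerabilities", []):
        problems = audit_vulnerability(vuln)
        if problems:
            findings[vuln["id"]] = problems
    return findings
```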

msymons commented 5 years ago

One other thing: the CVE-2016-3720 listing includes an additional CPE for Fedora.

ken-duck commented 5 years ago

Thanks for the info. Will be looking into this today.

On first glance, this appears to be an older vulnerability that was added in an older way. It should not happen with newer data. I will see about making this report cleaner in the meanwhile.

ken-duck commented 5 years ago

I believe this has been resolved by redoing the issue in a "newer" way and removing the old advisory. I need to verify that it updated appropriately once the data finds its way to the public instance.

msymons commented 5 years ago

I see the new advisory...

https://ossindex.sonatype.org/vuln/86bfb41b-53e0-4e9f-bda9-73723fb765f1

I see that it lists CWE as "not recorded".

However, in the CVE it's listed as: "Insufficient Information (NVD-CWE-noinfo)"

I do not think that this is quite the same thing. Should not the advisory in OSS Index report "NVD-CWE-noinfo" and provide this in the REST response?

Separately, I note that CVEs that have two CWEs have problems in OSS Index.

https://ossindex.sonatype.org/vuln/5b39de39-3274-4851-bcc4-035c9759bd9f

Reports none.

ken-duck commented 5 years ago

Interesting. I will open a couple of internal bug reports.

  1. Unify the UI and JSON responses when there is no CWE
  2. Track down and resolve what is going on when there are multiple CWEs

msymons commented 5 years ago

@ken-duck, any update on handling of NVD-CWE-noinfo and multiple CWE?

ken-duck commented 5 years ago

Nothing yet, I'm afraid. I have been stretched rather thin lately, and the other team members are focussed on some major infrastructure changes. I will endeavour to find some time shortly (and thanks for the reminder, since that helps keep this issue top of mind).

Incidentally, we are also in the process of expanding the team which will allow us to respond to user suggestions/requests/bugs more quickly. No explicit timeline yet, but "coming soon!"

ken-duck commented 5 years ago

Still not forgotten, and the new team is closer to reality. I think I am finally catching up on things as well, so I should be able to get to doing "discovery" on the feature and start planning the effort.

ken-duck commented 5 years ago

Note, we have an issue on our internal bug tracking which is being used to follow development on this feature. I will try and update here when anything interesting happens.