aboutcode-org / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/
https://public.vulnerablecode.io
Apache License 2.0

Support conan #1022

Open pombredanne opened 1 year ago

pombredanne commented 1 year ago

We have some data but we do not support handling them yet per https://github.com/nexB/vulnerablecode/issues/769

DennisClark commented 1 year ago

See https://gitlab.com/gitlab-org/advisories-community/-/tree/main/conan

DennisClark commented 1 year ago

needs to be supported in univers as well

DennisClark commented 1 year ago

See https://docs.conan.io/en/latest/versioning/version_ranges.html

also https://github.com/conan-io

DennisClark commented 1 year ago

and, of course, https://github.com/conan-io/conan-center-index/tree/master/recipes

johnmhoran commented 1 year ago

I've been using the version of https://gitlab.com/gitlab-org/advisories-community I cloned on 2023-02-16 to extract Conan-related data while working on adding Conan support to vulnerablecode and univers. There are 428 Conan advisories in that data, and I've found 3 small groups of advisories with odd values for the affected_range field. Summary info for these is listed below; and for the time being I plan to exclude these advisories from the vulnerablecode support we're adding to the gitlab.py importer.

  1. 'affected_range': '<0'

There are two advisories in this group. Given the description, it appears these are false positives, e.g., "'description': 'This advisory has been marked as a False Positive and has been removed.'"

{'identifier': 'CVE-2020-14150', 'package_slug': 'conan/boost', 'title': 'False positive', 'description': 'This advisory has been marked as a False Positive and has been removed.', 'date': '2023-02-16', 'pubdate': '2020-06-30', 'affected_range': '<0', 'fixed_versions': [], 'affected_versions': 'All versions before 0', 'not_impacted': '', 'solution': 'Unfortunately, there is no solution available yet.', 'urls': ['https://nvd.nist.gov/vuln/detail/CVE-2020-14150'], 'cvss_v2': 'AV:L/AC:L/Au:N/C:N/I:N/A:P', 'cvss_v3': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H', 'uuid': '7a149e90-5771-4905-8d4e-a64d311113bd', 'cwe_ids': ['CWE-1035', 'CWE-937'], 'identifiers': ['CVE-2020-14150']}

{'identifier': 'CVE-2021-3149', 'identifiers': ['CVE-2021-3149'], 'package_slug': 'conan/openssl', 'title': "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", 'description': 'This advisory has been marked as a false positive.', 'date': '2022-07-23', 'pubdate': '2021-02-22', 'affected_range': '<0', 'fixed_versions': [], 'affected_versions': 'None', 'not_impacted': 'None', 'solution': 'Nothing to be done.', 'urls': ['https://nvd.nist.gov/vuln/detail/CVE-2021-3149', 'https://www.digitaldefense.com/resources/vulnerability-research/netshield-corporation-nano-25/', 'https://www.netshieldcorp.com/netshield-appliances/', 'https://kc.mcafee.com/corporate/index?page=content&id=SB10356'], 'cvss_v2': 'AV:N/AC:L/Au:S/C:C/I:C/A:C', 'cvss_v3': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H', 'uuid': '62a7c5d4-4d0d-4850-a6a2-4542bc2e661a', 'cwe_ids': ['CWE-1035', 'CWE-78', 'CWE-937']}

  2. 'affected_range': ''

This group also includes two advisories. The empty value appears to mean "all versions", e.g., "'affected_range': '', 'fixed_versions': [], 'affected_versions': 'All versions',".

{'identifier': 'CVE-2021-41959', 'identifiers': ['CVE-2021-41959'], 'package_slug': 'conan/jerryscript', 'title': 'Missing Release of Memory after Effective Lifetime', 'description': 'JerryScript Git version 14ff5bf does not sufficiently track and release allocated memory via `jerry-core/ecma/operations/ecma-regexp-object.c` after `RegExp`, which causes a memory leak.', 'date': '2022-05-11', 'pubdate': '2022-05-03', 'affected_range': '', 'fixed_versions': [], 'affected_versions': 'All versions', 'not_impacted': '', 'solution': 'Unfortunately, there is no solution available yet.', 'urls': ['https://nvd.nist.gov/vuln/detail/CVE-2021-41959', 'https://github.com/jerryscript-project/jerryscript/issues/4781', 'https://github.com/jerryscript-project/jerryscript/pull/4787'], 'cvss_v2': 'AV:N/AC:L/Au:N/C:N/I:N/A:P', 'cvss_v3': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H', 'uuid': 'dc613a1d-10c5-401e-99de-b2415303faa5', 'cwe_ids': ['CWE-1035', 'CWE-401', 'CWE-937']}

{'identifier': 'CVE-2022-22901', 'identifiers': ['CVE-2022-22901'], 'package_slug': 'conan/jerryscript', 'title': 'Reachable Assertion', 'description': "There is an Assertion in 'context_p->next_scanner_info_p->type == SCANNER_TYPE_FUNCTION' failed at parser_parse_function_arguments in /js/js-parser.c of JerryScript commit a6ab5e9.", 'date': '2022-02-25', 'pubdate': '2022-02-17', 'affected_range': '', 'fixed_versions': [], 'affected_versions': 'All versions', 'not_impacted': '', 'solution': 'Unfortunately, there is no solution available yet.', 'urls': ['https://nvd.nist.gov/vuln/detail/CVE-2022-22901', 'http://jerryscript.com', 'https://github.com/jerryscript-project/jerryscript', 'https://github.com/jerryscript-project/jerryscript/issues/4916'], 'cvss_v2': 'AV:N/AC:M/Au:N/C:N/I:N/A:P', 'cvss_v3': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H', 'uuid': 'ab59f096-784e-4ffb-8dcb-1cc3e093d56b', 'cwe_ids': ['CWE-1035', 'CWE-617', 'CWE-937']}

Note that for the first of these two, CVE-2021-41959, both the advisory and the NVD page (https://nvd.nist.gov/vuln/detail/CVE-2021-41959) have a link to a jerryscript PR (https://github.com/jerryscript-project/jerryscript/pull/4787) that asserts that the relevant issue was fixed on 2021-10-01, seven months before the NVD publication date. Notwithstanding the availability of this information, the advisory includes this field/value: "'solution': 'Unfortunately, there is no solution available yet.'"

  3. 'affected_range': '=cci.20200203'

There's just one advisory with this version/version range syntax that, to my untutored eye, does not seem to comply with either Conan 1.x (https://docs.conan.io/1/versioning/version_ranges.html) or Conan 2.x (https://docs.conan.io/2/tutorial/versioning/version_ranges.html) syntax. Perhaps the prefix cci refers to the Conan Center Index (https://github.com/conan-io/conan-center-index), though I've seen nothing yet to support that suspicion.

{'identifier': 'CVE-2021-28021', 'identifiers': ['CVE-2021-28021'], 'package_slug': 'conan/stb', 'title': 'Out-of-bounds Write', 'description': 'Buffer overflow vulnerability in function `stbi__extend_receive` in `stb_image.h` in stb via a crafted JPEG file.', 'date': '2023-02-01', 'pubdate': '2021-10-15', 'affected_range': '=cci.20200203', 'fixed_versions': ['cci.20210713'], 'affected_versions': 'Version cci.20200203', 'not_impacted': 'All versions before cci.20200203, all versions after cci.20210713', 'solution': 'Upgrade to version cci.20210713 or above.', 'urls': ['https://nvd.nist.gov/vuln/detail/CVE-2021-28021'], 'cvss_v2': 'AV:N/AC:M/Au:N/C:P/I:P/A:P', 'cvss_v3': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H', 'uuid': '755a7f87-0cba-4df2-af7e-6be29787c524', 'cwe_ids': ['CWE-1035', 'CWE-787', 'CWE-937']}

See also, e.g., https://conan.io/center/tiny-bignum-c .

There are no other cci examples from the advisories, but here's an example of a different Conan package that uses cci in its version value:

https://conan.io/center/imgui .
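As an added illustration (not code from the vulnerablecode project, its gitlab.py importer, or univers), here is a small Python triage routine that sorts GitLab conan advisories into the three odd groups described in the comment above plus a "standard" group, and parses only the standard ranges into (operator, version) pairs. The sample records are abbreviated copies of three advisories quoted in this issue plus one hypothetical placeholder record (CVE-0000-00000, not a real advisory) for contrast; the group names, function names and the constraint regex are assumptions, and the regex accepts only the comma-separated comparison-operator form of ranges, not Conan's bracketed recipe syntax.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records: three abbreviated from the advisories quoted in
# this issue, plus one hypothetical well-formed record for contrast.
SAMPLE_ADVISORIES = [
    {
        "identifier": "CVE-2020-14150",
        "package_slug": "conan/boost",
        "affected_range": "<0",
        "description": "This advisory has been marked as a False Positive and has been removed.",
    },
    {
        "identifier": "CVE-2021-41959",
        "package_slug": "conan/jerryscript",
        "affected_range": "",
        "affected_versions": "All versions",
        "description": "JerryScript ... memory leak.",
    },
    {
        "identifier": "CVE-2021-28021",
        "package_slug": "conan/stb",
        "affected_range": "=cci.20200203",
        "fixed_versions": ["cci.20210713"],
        "description": "Buffer overflow vulnerability in function stbi__extend_receive ...",
    },
    {
        # Hypothetical placeholder record, not a real advisory.
        "identifier": "CVE-0000-00000",
        "package_slug": "conan/example",
        "affected_range": ">=1.0.0,<1.2.3",
        "fixed_versions": ["1.2.3"],
        "description": "Placeholder description.",
    },
]

# One comparison constraint: optional operator followed by a dotted numeric version.
# (Assumed shape of the GitLab advisory ranges; Conan's bracketed recipe syntax is not handled.)
CONSTRAINT_RE = re.compile(r"^(<=|>=|<|>|=|!=)?\s*(\d+(?:\.\d+)*)$")
# Conan Center Index style date versions such as cci.20200203.
CCI_VERSION_RE = re.compile(r"cci\.\d{8}")


def classify_affected_range(affected_range: str, description: str = "") -> str:
    """Map an advisory's affected_range (and description) to one of the groups from this issue."""
    rng = affected_range.strip()
    # '<0' is the marker GitLab uses for withdrawn/false-positive advisories; the
    # description is checked too so a retracted advisory with a leftover range is still caught.
    if rng == "<0" or "false positive" in description.lower():
        return "false_positive"
    if rng == "":
        return "all_versions"
    if CCI_VERSION_RE.search(rng):
        return "cci_date_version"
    return "standard"


def parse_constraints(affected_range: str) -> List[Tuple[str, str]]:
    """Split a standard range such as '>=1.0.0,<1.2.3' into (operator, version) pairs.

    A bare version with no operator is treated as '='. Raises ValueError on any
    constraint that is not a comparison against a dotted numeric version, so that
    unexpected syntax fails loudly instead of being silently imported.
    """
    constraints: List[Tuple[str, str]] = []
    for part in affected_range.split(","):
        part = part.strip()
        if not part:
            continue
        m = CONSTRAINT_RE.match(part)
        if not m:
            raise ValueError(f"unsupported constraint: {part!r}")
        constraints.append((m.group(1) or "=", m.group(2)))
    return constraints


def triage(advisories) -> Dict[str, List[str]]:
    """Group advisory identifiers by range class; only the 'standard' group is importable as-is."""
    groups: Dict[str, List[str]] = {
        "false_positive": [], "all_versions": [], "cci_date_version": [], "standard": [],
    }
    for adv in advisories:
        cls = classify_affected_range(adv.get("affected_range", ""), adv.get("description", ""))
        groups[cls].append(adv["identifier"])
    return groups


def importable_constraints(advisories) -> Dict[str, List[Tuple[str, str]]]:
    """Parsed constraints for the advisories that need no special handling."""
    result: Dict[str, List[Tuple[str, str]]] = {}
    for adv in advisories:
        cls = classify_affected_range(adv.get("affected_range", ""), adv.get("description", ""))
        if cls == "standard":
            result[adv["identifier"]] = parse_constraints(adv["affected_range"])
    return result


if __name__ == "__main__":
    for group, ids in triage(SAMPLE_ADVISORIES).items():
        print(f"{group}: {ids}")
    print(importable_constraints(SAMPLE_ADVISORIES))
```

Skipped groups are kept by identifier rather than dropped, so an importer can log which advisories were excluded and why, which makes it easy to revisit the "all versions" and cci-dated records once univers grows conan range support.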