aboutcode-org / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/
https://public.vulnerablecode.io
Apache License 2.0

Suse scores importer should support version 4 #1592

Open nnobelis opened 1 month ago

nnobelis commented 1 month ago

Given a sample Suse score https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml:

CVE-2024-35255:
  cvss:
    - version: 3.1
      score: 5.5
      vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    - version: 4
      score: 6.8
      vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

The version 4 cvss is not imported because the importer does not support version 4: https://github.com/aboutcode-org/vulnerablecode/blob/ed17dbd5a7537b95faf9ef8d30a95333ffdcb3ca/vulnerabilities/importers/suse_scores.py#L34-L38

Additional questions:

Our VulnerableCode instance contains some weird values for this source:


  1. Can the cvssv2 and cvssv3 be old values from previous imports?
  2. Why does the cvssv3.1 have a score of 0?
  3. We noticed the public instance does not list suse.com as a source. Should we disable this importer? https://public.vulnerablecode.io/vulnerabilities/VCID-p3vk-v2au-aaaa?search=CVE-2024-35255

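
As an added example (not code from the VulnerableCode repository or from anyone in this thread), the following shows how an importer's version-to-scoring-system mapping can accept the CVSS 4.0 entries from the YAML above, including the YAML typing quirk that `version: 4` loads as an int while `version: 3.1` loads as a float. The scoring-system identifiers, the extra `CVE-0000-0001` edge-case entry and the function names are assumptions.

```python
"""Map SUSE CVSS entries to scoring systems, including CVSS 4.0.

Added example: this is not the VulnerableCode suse_scores importer; the
scoring-system identifiers and the sample data are constructed.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Constructed sample: what yaml.safe_load() returns for the snippet in the
# issue. YAML parses `version: 3.1` as a float and `version: 4` as an int,
# so versions must be normalized before they are looked up.
SAMPLE_SCORES: Dict[str, Any] = {
    "CVE-2024-35255": {
        "cvss": [
            {"version": 3.1, "score": 5.5,
             "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},
            {"version": 4, "score": 6.8,
             "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},
        ]
    },
    # Constructed edge cases: a version the importer does not know, and a
    # version/vector mismatch that must not be stored as a CVSS 4.0 score.
    "CVE-0000-0001": {
        "cvss": [
            {"version": 2, "score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"},
            {"version": 5, "score": 1.0, "vector": "CVSS:5.0/placeholder"},
            {"version": 4, "score": 6.8,
             "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},
        ]
    },
}

# Hypothetical scoring-system identifiers (assumed, not VulnerableCode's own).
SCORING_SYSTEMS = {"2": "cvssv2", "3": "cvssv3", "3.1": "cvssv3.1", "4": "cvssv4"}
# Expected vector prefix per version; CVSS v2 vectors carry no "CVSS:" prefix.
VECTOR_PREFIX = {"3": "CVSS:3.0/", "3.1": "CVSS:3.1/", "4": "CVSS:4.0/"}


@dataclass(frozen=True)
class Severity:
    scoring_system: str
    value: str
    vector: str


def normalize_version(version: Any) -> str:
    """Turn 3.1 / 4 / 3.0 / "4" into the lookup keys "3.1" / "4" / "3" / "4"."""
    text = str(version)
    return text[:-2] if text.endswith(".0") else text


def parse_cvss_entries(entries: List[Dict[str, Any]],
                       problems: Optional[List[str]] = None) -> List[Severity]:
    """Return one Severity per usable entry; unusable entries are skipped, not fatal."""
    result: List[Severity] = []
    for entry in entries:
        version = normalize_version(entry.get("version"))
        system = SCORING_SYSTEMS.get(version)
        vector = str(entry.get("vector", ""))
        if system is None:
            if problems is not None:
                problems.append(f"unsupported CVSS version {version!r}")
            continue
        # Reject entries whose vector belongs to a different CVSS version.
        if not vector.startswith(VECTOR_PREFIX.get(version, "")):
            if problems is not None:
                problems.append(f"vector {vector!r} does not match version {version}")
            continue
        result.append(Severity(system, str(entry["score"]), vector))
    return result


def severities_by_cve(scores: Dict[str, Any],
                      problems: Optional[List[str]] = None) -> Dict[str, List[Severity]]:
    """Apply parse_cvss_entries to every CVE in a loaded suse-cvss-scores document."""
    return {cve: parse_cvss_entries(data.get("cvss", []), problems)
            for cve, data in scores.items()}
```

Skipping an entry instead of raising keeps one unexpected version from discarding the whole CVE, and the collected `problems` list gives the operator something to inspect rather than a silently missing score, which is the failure mode this issue describes.
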
keshav-space commented 1 month ago

The version 4 cvss is not imported because the importer does not support version 4:

@ziadhany has recently added support for CVSSv4 #1473, and we need to make sure we collect them in each importer.

1. Can the cvssv2 and cvssv3 be old values from previous imports?

Suse doesn't have CVSSv2 and CVSSv3 scores for CVE-2024-35255. This could be coming from other importer(s). Can you confirm this in the History tab in your local VCIO instance?

2. Why does the cvssv3.1 have a score of 0?

This looks like a bug, either in the data or in the importer itself. We would need the history to confirm it.

3. We noticed the public instance does not list suse.com as a source. Should we disable this importer? https://public.vulnerablecode.io/vulnerabilities/VCID-p3vk-v2au-aaaa?search=CVE-2024-35255

We do run the suse_scores importer in our public.vulnerablecode.io instance, but we haven't run our importers in the last few weeks since we were fixing some data quality bugs. That's why we don't see the Suse scores for CVE-2024-35255 which is fairly recent (we're running the importers now, so we should get the Suse scores in the coming days).

nnobelis commented 1 month ago

Suse doesn't have CVSSv2 and CVSSv3 scores for CVE-2024-35255. This could be coming from other importer(s). Can you confirm this in the History tab in your local VCIO instance?

This looks like a bug, either in the data or in the importer itself. We would need the history to confirm it.

Unfortunately, the history tab of the CVE-2024-35255 is empty in our VulnerableCode instance 😞

keshav-space commented 1 month ago

Unfortunately, the history tab of the CVE-2024-35255 is empty in our VulnerableCode instance 😞

This doesn't feel right. Can you share which version/commit of VulnerableCode you're running locally?

nnobelis commented 1 month ago


Hmm I checked again today and the "0" is gone, but the cvssv2 and cvssv3 scores are still here.

We are using version v34.0.0rc4.

keshav-space commented 1 month ago

We started our importers yesterday, and today we do have a suse score for CVE-2024-35255 in our public VCIO instance. The CVSSv3.1 corresponds to what is provided in https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml.

Screenshot from 2024-09-18 21-17-20

nnobelis commented 1 month ago

You get the entries for cvssv2 and cvssv3 too! Any idea why?

keshav-space commented 1 month ago

You get the entries for cvssv2 and cvssv3 too! Any idea why?

@nnobelis Thanks for reporting this. It took some time to reproduce the issue, and after much digging it turns out this is a bug.

The bug is in how we handle the VulnerabilityReference. Each VulnerabilityReference has a URL that is set to be unique. The hierarchical relationship is Vulnerability → VulnerabilityReference → VulnerabilitySeverity. To store a severity for a vulnerability, we create a VulnerabilityReference (using the source URL of the score) and then create a VulnerabilitySeverity (with severity details and a ForeignKey relationship to the VulnerabilityReference created earlier). Since the URL field is set to unique, things get complicated in the case of SUSE, as all the scores come from the same URL, i.e. "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml". This results in a single SUSE VulnerabilityReference linked to all vulnerabilities, which leads to the same set of SUSE severity scores for all vulnerabilities.

See the SUSE scores for CVE-2023-33204 and CVE-2024-35255: they are identical.

Screenshot from 2024-09-23 14-01-15
Screenshot from 2024-09-23 14-01-02
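
To make the reference sharing described above concrete, here is an added example (not VulnerableCode's own models, importer or fix) that rebuilds the Vulnerability → VulnerabilityReference → VulnerabilitySeverity layout in sqlite3 with a unique reference URL, imports constructed scores for the two CVEs named in the comment, and shows that reading severities through the shared reference returns both CVEs' scores for each of them. Scoping each severity row to its vulnerability (`scoped=True`) is one assumed way to keep them apart; the table names, the `run` helper and the score values are constructed and do not come from suse.com.

```python
"""Reproduce the shared-reference severity mix-up and a scoped alternative.

Added example, not VulnerableCode's own models: a minimal sqlite3 schema that
mirrors the described hierarchy Vulnerability -> VulnerabilityReference ->
VulnerabilitySeverity with a unique reference URL. Scoping severities with a
vulnerability column is an assumed alternative, not the project's fix.
"""
import sqlite3
from typing import Dict, List, Tuple

SUSE_URL = "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"

# Constructed sample: two CVEs with distinct SUSE scores (values are made up).
SAMPLE: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2023-33204": [("cvssv3.1", "7.5"), ("cvssv4", "8.2")],
    "CVE-2024-35255": [("cvssv3.1", "5.5"), ("cvssv4", "6.8")],
}

SCHEMA = """
CREATE TABLE vuln (id INTEGER PRIMARY KEY, vulnerability_id TEXT UNIQUE);
CREATE TABLE ref (id INTEGER PRIMARY KEY, url TEXT UNIQUE);
CREATE TABLE vuln_ref (
    vuln_id INTEGER REFERENCES vuln(id),
    ref_id INTEGER REFERENCES ref(id),
    PRIMARY KEY (vuln_id, ref_id));
CREATE TABLE severity (
    id INTEGER PRIMARY KEY,
    ref_id INTEGER REFERENCES ref(id),
    vuln_id INTEGER REFERENCES vuln(id),  -- left NULL in the unscoped layout
    scoring_system TEXT NOT NULL,
    value TEXT NOT NULL);
"""


def import_scores(conn: sqlite3.Connection, scoped: bool) -> None:
    """Mimic an importer: get-or-create the reference by URL, then attach severities."""
    for cve, scores in SAMPLE.items():
        vuln_id = conn.execute(
            "INSERT INTO vuln(vulnerability_id) VALUES (?)", (cve,)).lastrowid
        # The unique URL means every SUSE score reuses the single existing row.
        conn.execute("INSERT OR IGNORE INTO ref(url) VALUES (?)", (SUSE_URL,))
        ref_id = conn.execute("SELECT id FROM ref WHERE url = ?", (SUSE_URL,)).fetchone()[0]
        conn.execute("INSERT OR IGNORE INTO vuln_ref VALUES (?, ?)", (vuln_id, ref_id))
        for system, value in scores:
            conn.execute(
                "INSERT INTO severity(ref_id, vuln_id, scoring_system, value) VALUES (?, ?, ?, ?)",
                (ref_id, vuln_id if scoped else None, system, value))
    conn.commit()


def severities_for(conn: sqlite3.Connection, cve: str, scoped: bool) -> List[Tuple[str, str]]:
    """Unscoped: walk vulnerability -> references -> severities, as the thread describes."""
    if scoped:
        query = ("SELECT s.scoring_system, s.value FROM severity s "
                 "JOIN vuln v ON v.id = s.vuln_id "
                 "WHERE v.vulnerability_id = ? ORDER BY s.id")
    else:
        query = ("SELECT s.scoring_system, s.value FROM severity s "
                 "JOIN vuln_ref vr ON vr.ref_id = s.ref_id "
                 "JOIN vuln v ON v.id = vr.vuln_id "
                 "WHERE v.vulnerability_id = ? ORDER BY s.id")
    return conn.execute(query, (cve,)).fetchall()


def run(scoped: bool) -> Dict[str, List[Tuple[str, str]]]:
    """Build an in-memory database, import the sample and read back each CVE's severities."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    import_scores(conn, scoped)
    return {cve: severities_for(conn, cve, scoped) for cve in SAMPLE}


if __name__ == "__main__":
    for cve, rows in run(scoped=False).items():
        print("unscoped", cve, rows)   # both CVEs list all four scores
    for cve, rows in run(scoped=True).items():
        print("scoped  ", cve, rows)   # each CVE lists only its own two
```

With `scoped=False` both CVEs come back with all four rows, which is the identical-scores symptom in the screenshots; the reference table still holds a single suse.com row in both layouts, so the separation has to live on the severity side rather than on the URL.
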

nnobelis commented 1 month ago

Great find, thanks for looking into this!