search

aboutcode-org / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/
https://public.vulnerablecode.io
Apache License 2.0
543 stars 201 forks source link

Apparent conflict re whether a PURL has a vulnerability #1653

Closed johnmhoran closed 1 week ago

johnmhoran commented 1 week ago

Here's an example from a vcio_report output -- VCIO says the PURL has no vuln, just fixes one, while this data seems to report one affected_by vuln while at the same time reports 'is_vulnerable': False,:

    }, {
        'input_purl': 'pkg:npm/micromatch@4.0.8',
        'vuln_details': {
            'url': 'http://public.vulnerablecode.io/api/packages/874737',
            'purl': 'pkg:npm/micromatch@4.0.8',
            'type': 'npm',
            'namespace': '',
            'name': 'micromatch',
            'version': '4.0.8',
            'qualifiers': {},
            'subpath': '',
            'is_vulnerable': False,
            'next_non_vulnerable_version': None,
            'latest_non_vulnerable_version': None,
            'affected_by_vulnerabilities': [{
                    'url': 'http://public.vulnerablecode.io/api/vulnerabilities/529754',
                    'vulnerability_id': 'VCID-4yky-bgk9-aaak',
                    'summary': "The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.",
                    'references': [{
johnmhoran commented 1 week ago

The above data comes from API V1; just checked V2, which reports:

. . .
        "packages": [
            {
                "purl": "pkg:npm/micromatch@4.0.8",
                "affected_by_vulnerabilities": [],
                "fixing_vulnerabilities": [
                    "VCID-4yky-bgk9-aaak"
                ],
                "next_non_vulnerable_version": null,
                "latest_non_vulnerable_version": null,
                "risk_score": null
            }
        ]
johnmhoran commented 1 week ago

For reference, compare:

https://public.vulnerablecode.io/api/packages?purl=pkg:npm/micromatch@4.0.8 with https://public.vulnerablecode.io/api/v2/packages?purl=pkg:npm/micromatch@4.0.8

sschuberth commented 1 week ago

I'm seeing similar inconsistencies for pkg:golang/github.com/quic-go/quic-go@0.40.0. Some time around Friday last week API v1 stopped to report affected_by_vulnerabilities for it (they seem to have erroneously shifted to fixing_vulnerabilities).

But API v2 reports vulnerabilities, compare:

https://public.vulnerablecode.io/api/packages?purl=pkg:golang/github.com/quic-go/quic-go@0.40.0 https://public.vulnerablecode.io/api/v2/packages?purl=pkg:golang/github.com/quic-go/quic-go@0.40.0

TG1999 commented 1 week ago

Fixed by https://github.com/aboutcode-org/vulnerablecode/pull/1654