Open pombredanne opened 3 years ago
See also for related details https://github.com/CycloneDX/cyclonedx-python/pull/157
The only source for python vulnerabilities is github, and they don't have this vulnerability.
Inferring the purl solely from cpe is dangerous. But it did point us to the changelog.
This is a good example of why we need to parse changelogs.
https://github.com/pyupio/changelogs may help as discussed in the past and this
https://github.com/pyupio/safety-db/blob/master/data/insecure_full.json#L20724
was likely derived from this changelog
https://github.com/marshmallow-code/webargs/blob/dev/CHANGELOG.rst#553-2020-01-28
Yet! I wonder if we should instead focus on curation by hand rather than automation in these cases?
And what if we start our curated mapping of CPEs to purls? We can make a best effort to deal with changelogs separately, alright.
https://nvd.nist.gov/vuln/detail/CVE-2020-7965 is imported and has a CPE, but we do not relate that CPE to any package and therefore miss that pkg:pypi/webargs@5.5.2 is vulnerable.
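The hand-curated CPE-to-purl mapping proposed above, as an added example that is not code from this issue, VulnerableCode, or any linked project. It assumes a constructed vendor field (`webargs_project`) and a caller-supplied fixed version; neither is taken from the real NVD record for CVE-2020-7965.

```python
import re

# Hand-maintained (vendor, product) -> base purl table, as the thread suggests,
# instead of inferring the purl from the CPE. The vendor value is constructed.
CPE_TO_PURL = {
    ("webargs_project", "webargs"): "pkg:pypi/webargs",
}

_KEYS = ("part", "vendor", "product", "version", "update", "edition", "language",
         "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its 11 named components.

    Colons escaped as '\\:' inside a component are not treated as separators.
    """
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return {k: v.replace("\\:", ":") for k, v in zip(_KEYS, parts[2:])}


def purl_for_cpe(cpe):
    """Return the curated base purl for an application CPE, or None if uncurated."""
    fields = parse_cpe23(cpe)
    if fields["part"] != "a":          # only applications map to package purls
        return None
    return CPE_TO_PURL.get((fields["vendor"], fields["product"]))


def _vkey(version):
    # Plain dotted release versions only; use packaging.version for real PEP 440 data.
    return tuple(int(x) for x in version.split("."))


def affected_purl(cpe, version, fixed_in):
    """Return 'base@version' when version precedes the fix (e.g. from a changelog)."""
    base = purl_for_cpe(cpe)
    if base is None or _vkey(version) >= _vkey(fixed_in):
        return None
    return f"{base}@{version}"


if __name__ == "__main__":
    cpe = "cpe:2.3:a:webargs_project:webargs:*:*:*:*:*:*:*:*"   # constructed
    print(affected_purl(cpe, "5.5.2", "5.5.3"))                  # pkg:pypi/webargs@5.5.2
```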