search

aboutcode-org / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/
https://public.vulnerablecode.io
Apache License 2.0
528 stars 198 forks source link

Question: problem with npm importer or something else? #488

Open kipz opened 3 years ago

kipz commented 3 years ago

We're running a vulnerablecode instance here https://vulnerablecode.atomist.com/, and have been doing some spot-checks on the data, and often see confusing results.

Take for example: https://nvd.nist.gov/vuln/detail/CVE-2021-32640

This was reported by Github, and is present on npmjs.org too.

However, a search for this on our vulnerablecode instance (on which we've run all the importers), doesn't show the npmjs package, just the debian ones (no purl with name ws, just node-ws)

https://vulnerablecode.atomist.com/vulnerabilities/20110

I'm curious about whether this is expected or are there bugs somewhere in the importers? Perhaps one importer is overwriting data from another? Or perhaps the npm importer isn't storing any data?

FWIW: running npm audit on a project with an old version of ws does suggest an upgrade, and this uses the same APIs as the npm importer AFAIK.

Any insights would be much appreciated.

pombredanne commented 3 years ago

@kipz Thanks for the detailed report. It looks like a bug for sure. Let me try to reproduce on a fresh instance

Hritik14 commented 3 years ago

I've looked into it and this is because currently our npm importer fetches the data from https://github.com/nodejs/security-wg which doesn't contain the required advisory. The said repository is not handling ecosystem vulnerabilities. There appears to be an ongoing discussion regarding this.

In short, the advisory data from nodejs is different from that of npm. Ironically, we had https://github.com/nexB/vulnerablecode/issues/101 for collecting npm advisories which was closed in favor of the nodejs advisories.

We could either:

Further, there might be a problem with debian importer as the reported purl mentions pkg:deb/debian/node-ws@1.1.0 which should be unrelated to the affected versions mentioned in the github advisory. This could be a result of https://github.com/nexB/vulnerablecode/issues/140

sbs2001 commented 3 years ago

@Hritik14 I get the feeling that nodejs-wg is abandoned last updated -> 3 months ago. Let's keep it as it is for awhile, meanwhile your (1) approach makes sense.

The won't be much work since the schemas both sources are indentical. See https://github.com/nexB/vulnerablecode/pull/228

pombredanne commented 3 years ago

I guess that there may be some slow down per https://github.com/nodejs/security-wg/issues/662 and we likely want to use both sources of https://registry.npmjs.org/-/npm/v1/security/advisories and https://github.com/nodejs/security-wg rather than just one in this case.

pombredanne commented 3 years ago

Actually the problem may be deeper than this: https://nodejs.medium.com/node-js-ecosystem-vulnerability-reporting-program-winding-down-591d9a8cd2c7 ... this is basically close sourcing this source of npm issues at Snyk from the face of it. So IMHO:

  1. keep what we have and ensure we collect all
  2. possibly archive some of the raw upstream data
  3. we need more and more to ensure that we can cross ref these vulnerabilities to multi-source them IMHO