anchore / anchore-engine

A service that analyzes docker images and scans for vulnerabilities
Apache License 2.0

API response for /query/vulnerabilities is missing NVD CVSS scores in some cases #1329

Open nightfurys opened 2 years ago

nightfurys commented 2 years ago

Environment

Problem

The /query/vulnerabilities API response contains an nvd_data attribute for each vulnerability in the result. The value of the attribute represents the NVD-assigned CVSS scores. This field is not correctly populated for a small subset of vulnerabilities in the system. Instead of a list of results, the value is a null reference, as noted below. The issue affects only those vulnerabilities that exclusively belong in the nvd namespace with grype as the vulnerabilities provider (v2 scanner). It does not affect the legacy vulnerability provider (v1 scanner).

% curl -u user:password "http://localhost:8228/v1/query/vulnerabilities?id=CVE-2019-15780"
{
  "page": "1",
  "returned_count": 1,
  "total_count": 1,
  "vulnerabilities": [
    {
      "affected_packages": [
        {
          "name": "formidable_form_builder",
          "type": "unknown",
          "version": "< 4.02.01",
          "will_not_fix": false
        }
      ],
      "description": "The formidable plugin before 4.02.01 for WordPress has unsafe deserialization.",
      "id": "CVE-2019-15780",
      "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15780",
      "namespace": "nvd",
      "nvd_data": null,
      "references": [
        {
          "source": "N/A",
          "url": "https://wordpress.org/plugins/formidable/#developers"
        },
        {
          "source": "N/A",
          "url": "https://raw.githubusercontent.com/Strategy11/formidable-forms/master/changelog.txt"
        },
        {
          "source": "N/A",
          "url": "https://pentest.co.uk/labs/advisory/cve-2019-15780/"
        },
        {
          "source": "N/A",
          "url": "https://wpvulndb.com/vulnerabilities/9935"
        }
      ],
      "severity": "Critical",
      "vendor_data": []
    }
  ]
}

Workaround

The API also supports a namespace query parameter to filter results based on the namespace. Supply it with the nvd value to view the NVD CVSS scores.

% curl -u user:password "http://localhost:8228/v1/query/vulnerabilities?id=CVE-2019-15780&namespace=nvd"
{
  "page": "1",
  "returned_count": 1,
  "total_count": 1,
  "vulnerabilities": [
    {
      "affected_packages": [
        {
          "name": "formidable_form_builder",
          "type": "unknown",
          "version": "< 4.02.01",
          "will_not_fix": false
        }
      ],
      "description": "The formidable plugin before 4.02.01 for WordPress has unsafe deserialization.",
      "id": "CVE-2019-15780",
      "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15780",
      "namespace": "nvd",
      "nvd_data": [
        {
          "cvss_v2": {
            "base_metrics": {
              "base_score": 7.5,
              "expolitability_score": 10,
              "impact_score": 6.4
            },
            "severity": "High",
            "vector_string": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "cvss_v3": null,
          "id": "CVE-2019-15780"
        },
        {
          "cvss_v2": null,
          "cvss_v3": {
            "base_metrics": {
              "base_score": 9.8,
              "expolitability_score": 3.9,
              "impact_score": 5.9
            },
            "severity": "Critical",
            "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "id": "CVE-2019-15780"
        }
      ],
      "references": [
        {
          "source": "N/A",
          "url": "https://wordpress.org/plugins/formidable/#developers"
        },
        {
          "source": "N/A",
          "url": "https://raw.githubusercontent.com/Strategy11/formidable-forms/master/changelog.txt"
        },
        {
          "source": "N/A",
          "url": "https://pentest.co.uk/labs/advisory/cve-2019-15780/"
        },
        {
          "source": "N/A",
          "url": "https://wpvulndb.com/vulnerabilities/9935"
        }
      ],
      "severity": "Critical",
      "vendor_data": []
    }
  ]
}
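A client-side form of the workaround described above, as an added example that is not part of the issue or of the anchore-engine code base: it queries /v1/query/vulnerabilities, and for any record in the nvd namespace whose nvd_data came back null it re-queries with namespace=nvd and fills the scores in. The `fetch` callable, `make_http_fetch` helper and the `fake_fetch` responses are assumptions constructed here to mirror the shapes shown in the issue.

```python
import base64, json, urllib.parse, urllib.request
from typing import Callable, Optional

Fetch = Callable[[str, dict], dict]  # (API path, query params) -> decoded JSON body

def make_http_fetch(base_url: str, user: str, password: str) -> Fetch:
    """Fetcher for a live anchore-engine API using HTTP basic auth, like the issue's curl call."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    def fetch(path: str, params: dict) -> dict:
        url = f"{base_url}{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def query_vulnerabilities(fetch: Fetch, vuln_id: str, namespace: Optional[str] = None) -> list:
    params = {"id": vuln_id}
    if namespace:
        params["namespace"] = namespace
    return fetch("/v1/query/vulnerabilities", params).get("vulnerabilities", [])

def vulnerabilities_with_nvd_data(fetch: Fetch, vuln_id: str) -> list:
    """Workaround: nvd-namespace records whose nvd_data is null are re-fetched with
    namespace=nvd (which the issue shows does return the scores) and patched in place."""
    vulns = query_vulnerabilities(fetch, vuln_id)
    missing = [v for v in vulns if v.get("namespace") == "nvd" and v.get("nvd_data") is None]
    if missing:
        refetched = {v["id"]: v.get("nvd_data") for v in query_vulnerabilities(fetch, vuln_id, "nvd")}
        for v in missing:
            v["nvd_data"] = refetched.get(v["id"])
    return vulns

def highest_base_score(vuln: dict) -> Optional[float]:
    """Highest NVD CVSS base score across nvd_data entries (v3 and v2), None when absent."""
    scores = []
    for entry in vuln.get("nvd_data") or []:
        for key in ("cvss_v3", "cvss_v2"):
            block = entry.get(key)
            if block and "base_metrics" in block:
                scores.append(float(block["base_metrics"]["base_score"]))
    return max(scores) if scores else None

# Constructed offline fetcher reproducing the behaviour reported in the issue (not real API data).
def fake_fetch(path: str, params: dict) -> dict:
    record = {"id": "CVE-2019-15780", "namespace": "nvd", "severity": "Critical", "nvd_data": None}
    if params.get("namespace") == "nvd":
        record["nvd_data"] = [
            {"cvss_v2": {"base_metrics": {"base_score": 7.5}}, "cvss_v3": None},
            {"cvss_v2": None, "cvss_v3": {"base_metrics": {"base_score": 9.8}}},
        ]
    return {"vulnerabilities": [record]}
```

Against a live engine, replace `fake_fetch` with `make_http_fetch("http://localhost:8228", user, password)`.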