canonical / ubuntu-com-security-api

The API for CVEs and USNs data.

The "cves.json" endpoint doesn't provide all the vulnerabilities #116

Closed pereyra-m closed 1 year ago

pereyra-m commented 2 years ago

Summary

There are certain vulnerabilities that can be obtained individually but aren't returned by the general API using a filter. See example below.

Process

This CVE can be obtained individually

{"bugs":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954302"],"cvss3":5.5,"description":"\nA carefully crafted or corrupt PSD file can cause an infinite loop in\nApache Tika's PSDParser in versions 1.0-1.23.","id":"CVE-2020-1951","mitigation":"","notes":[],"notices":[{"cves_ids":["CVE-2020-1951","CVE-2020-1950"],"description":"It was discovered that Apache Tika can have an excessive memory usage by\nusing a crafted or corrupt PSD file. An attacker could use it to cause a\ndenial of service (crash). (CVE-2020-1950, CVE-2020-1951)\n","id":"USN-4564-1","instructions":"In general, a standard system update will make all the necessary changes.\n","is_hidden":false,"published":"2020-10-05T17:29:37.430543","references":[],"release_packages":{"xenial":[{"description":"A content analysis toolkit","is_source":true,"name":"tika","version":"1.5-4ubuntu0.1"},{"is_source":false,"is_visible":true,"name":"libtika-java","pocket":"security","source_link":"https://launchpad.net/ubuntu/+source/tika","version":"1.5-4ubuntu0.1","version_link":"https://launchpad.net/ubuntu/+source/tika/1.5-4ubuntu0.1"}]},"summary":"Apache Tika could be made to crash if it opened a specially crafted\nfile.\n","title":"Apache Tika vulnerabilities","type":"USN"}],"notices_ids":["USN-4564-1"],"packages":[{"debian":"https://tracker.debian.org/pkg/tika","name":"tika","source":"https://ubuntu.com/security/cve?package=tika","statuses":[{"component":null,"description":"","pocket":null,"release_codename":"bionic","status":"needs-triage"},{"component":null,"description":"reached end-of-life","pocket":null,"release_codename":"eoan","status":"ignored"},{"component":null,"description":"","pocket":null,"release_codename":"focal","status":"needs-triage"},{"component":null,"description":"reached end-of-life","pocket":null,"release_codename":"groovy","status":"ignored"},{"component":null,"description":"reached end-of-life","pocket":null,"release_codename":"hirsute","status":"ignored"},{"component":null,"description":"reached end-of-life","pocket":null,"release_codename":"impish","status":"ignored"},{"component":null,"description":"","pocket":null,"release_codename":"jammy","status":"needs-triage"},{"component":null,"description":"","pocket":null,"release_codename":"precise","status":"DNE"},{"component":null,"description":"","pocket":null,"release_codename":"trusty","status":"DNE"},{"component":null,"description":"","pocket":null,"release_codename":"upstream","status":"needs-triage"},{"component":null,"description":"1.5-4ubuntu0.1","pocket":null,"release_codename":"xenial","status":"released"}],"ubuntu":"https://packages.ubuntu.com/search?suite=all&section=all&arch=any&searchon=sourcenames&keywords=tika"}],"patches":{"tika":[]},"priority":"low","published":"2020-03-23T14:15:00","references":["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1951","https://www.openwall.com/lists/oss-security/2020/03/18/4","https://lists.apache.org/thread.html/rd8c1b42bd0e31870d804890b3f00b13d837c528f7ebaf77031323172%40%3Cdev.tika.apache.org%3E","https://lists.debian.org/debian-lts-announce/2020/03/msg00035.html","https://ubuntu.com/security/notices/USN-4564-1","https://ubuntu.com/security/notices/USN-4564-1"],"status":"active","tags":{"tika":[]},"ubuntu_description":""}

And also in the cves.json endpoint using a filter

{"cves":[{"bugs":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954302"],"cvss3":5.5,"description":"\nA carefully crafted or corrupt PSD file can cause an infinite loop in\nApache Tika's PSDParser in versions 1.0-1.23.","id":"CVE-2020-1951","mitigation":"","notes":[],"notices":[{"cves_ids":["CVE-2020-1951","CVE-2020-1950"],"description":"It was discovered that Apache Tika can have an excessive memory usage by\nusing a crafted or corrupt PSD file. An attacker could use it to cause a\ndenial of service (crash). (CVE-2020-1950, CVE-2020-1951)\n","id":"USN-4564-1","instructions":"In general, a standard system update will make all the necessary changes.\n","is_hidden":false,"published":"2020-10-05T17:29:37.430543","references":[],"release_packages":{"xenial":[{"description":"A content analysis toolkit","is_source":true,"name":"tika","version":"1.5-4ubuntu0.1"},{"is_source":false,"is_visible":true,"name":"libtika-java","pocket":"security","source_link":"https://launchpad.net/ubuntu/+source/tika","version":"1.5-4ubuntu0.1","version_link":"https://launchpad.net/ubuntu/+source/tika/1.5-4ubuntu0.1"}]},"summary":"Apache Tika could be made to crash if it opened a specially crafted\nfile.\n","title":"Apache Tika vulnerabilities","type":"USN"}],"notices_ids":["USN-4564-1"],"packages":[{"debian":"https://tracker.debian.org/pkg/tika","name":"tika","source":"https://ubuntu.com/security/cve?package=tika","statuses":[{"component":null,"description":"","pocket":null,"release_codename":"bionic","status":"needs-triage"},{"component":null,"description":"reached end-of-life","pocket":null,"release_codename":"eoan","status":"ignored"},{"component":null,"description":"","pocket":null,"release_codename":"focal","status":"needs-triage"},{"component":null,"description":"reached end-of-life","pocket":null,"release_codename":"groovy","status":"ignored"},{"component":null,"description":"reached end-of-life","pocket":null,"release_codename":"hirsute","status":"ignored"},{"component":null,"description":"reached end-of-life","pocket":null,"release_codename":"impish","status":"ignored"},{"component":null,"description":"","pocket":null,"release_codename":"jammy","status":"needs-triage"},{"component":null,"description":"","pocket":null,"release_codename":"precise","status":"DNE"},{"component":null,"description":"","pocket":null,"release_codename":"trusty","status":"DNE"},{"component":null,"description":"","pocket":null,"release_codename":"upstream","status":"needs-triage"},{"component":null,"description":"1.5-4ubuntu0.1","pocket":null,"release_codename":"xenial","status":"released"}],"ubuntu":"https://packages.ubuntu.com/search?suite=all&section=all&arch=any&searchon=sourcenames&keywords=tika"}],"patches":{"tika":[]},"priority":"low","published":"2020-03-23T14:15:00","references":["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1951","https://www.openwall.com/lists/oss-security/2020/03/18/4","https://lists.apache.org/thread.html/rd8c1b42bd0e31870d804890b3f00b13d837c528f7ebaf77031323172%40%3Cdev.tika.apache.org%3E","https://lists.debian.org/debian-lts-announce/2020/03/msg00035.html","https://ubuntu.com/security/notices/USN-4564-1","https://ubuntu.com/security/notices/USN-4564-1"],"status":"active","tags":{"tika":[]},"ubuntu_description":""}],"limit":1,"offset":0,"total_results":1}

But with another CVE we have a different behavior. This CVE can be obtained individually

{"bugs":null,"cvss3":null,"description":null,"id":"CVE-2021-1345","mitigation":null,"notes":[{"author":"ubuntu-security","note":"Does not apply to software found in Ubuntu."}],"notices":[],"notices_ids":[],"packages":[],"patches":null,"priority":null,"published":null,"references":["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1345"],"status":"not-in-ubuntu","tags":null,"ubuntu_description":null}

But not using a filter

{"cves":[],"limit":1,"offset":0,"total_results":0}

Current and expected result

It seems that the cves.json endpoint doesn't contain all the available vulnerabilities.

This endpoint should have the same content as the cves/{cve_id}.json one.

Browser details

Brave browser: [Version 1.43.89 Chromium: 105.0.5195.102 (Official Build) (64-bit)]

mtruj013 commented 1 year ago

Thanks again for raising this @pereyra-m

To explain, this is actually related to https://github.com/canonical/ubuntu-com-security-api/issues/115. A status, as far as a CVE is concerned, can mean two separate things: the actual CVE status ("not-in-ubuntu", "active", "rejected") and the status of a package in relation to a specific Ubuntu release ("released", "DNE", "needed", "not-affected", "deferred", "needs-triage", "ignored", "pending"). The status parameter refers to package status. I added the ability to query by cve_status in this PR; however, the default functionality of returning only active CVEs unless otherwise specified remains unchanged.

As this CVE has a status of "not-in-ubuntu" adding that as a param to your query would fix this issue: https://ubuntu.com/security/cves.json?limit=1&q=CVE-2021-1345&cve_status=not-in-ubuntu

Obtaining the CVE individually as you mentioned above was unaffected because that calls a separate endpoint which does not filter by active CVEs by default.

I'm closing this as it is now behaving as expected, but please feel free to reopen this issue if you continue to have problems.
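An added example (not the project's code) of a client-side lookup that takes the default described above into account: cves.json is searched first without cve_status, then with each CVE-level status named in this thread, so a "not-in-ubuntu" CVE is found rather than silently reported as absent. It assumes the q, limit and cve_status query parameters behave as the thread describes; the fetch function is injected and the responses below are constructed to mirror the two CVEs in this issue, so it runs offline.

```python
# Added example, not the ubuntu-com-security-api project's own code.
# Assumption: cves.json accepts q, limit and cve_status as described in this issue.
from urllib.parse import urlencode

BASE = "https://ubuntu.com/security"
# CVE-level statuses named in the thread (distinct from per-release package statuses).
CVE_STATUSES = ("active", "not-in-ubuntu", "rejected")


def cves_query_url(cve_id, cve_status=None, limit=1):
    """Build the cves.json URL; omitting cve_status leaves the server default (active only)."""
    params = {"limit": limit, "q": cve_id}
    if cve_status is not None:
        params["cve_status"] = cve_status
    return f"{BASE}/cves.json?{urlencode(params)}"


def find_cve(cve_id, fetch):
    """Search cves.json, widening cve_status until the CVE appears.

    Returns (record, cve_status_used); cve_status_used is None when the default
    query already matched, and (None, None) when no status matches.
    fetch(url) must return the parsed JSON body.
    """
    for status in (None,) + CVE_STATUSES:
        body = fetch(cves_query_url(cve_id, status))
        for rec in body.get("cves", []):
            if rec["id"] == cve_id:
                return rec, status
    return None, None


# Constructed responses mirroring the two cases reported in this issue:
# the active CVE matches the default query, the not-in-ubuntu CVE only with cve_status.
_FAKE = {
    cves_query_url("CVE-2020-1951"): {"cves": [{"id": "CVE-2020-1951", "status": "active"}], "total_results": 1},
    cves_query_url("CVE-2021-1345", "not-in-ubuntu"): {"cves": [{"id": "CVE-2021-1345", "status": "not-in-ubuntu"}], "total_results": 1},
}


def fake_fetch(url):
    # Any other URL behaves like the empty result shown in the issue.
    return _FAKE.get(url, {"cves": [], "limit": 1, "offset": 0, "total_results": 0})


if __name__ == "__main__":
    for cid in ("CVE-2020-1951", "CVE-2021-1345", "CVE-9999-0001"):
        rec, used = find_cve(cid, fake_fetch)
        print(cid, "->", rec and rec["status"], "(cve_status needed:", used, ")")
```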

pereyra-m commented 1 year ago

Great! Thank you!