cve-search / vulnerability-lookup

Vulnerability Lookup facilitates quick correlation of vulnerabilities from various sources, independent of vulnerability IDs, and streamlines the management of Coordinated Vulnerability Disclosure (CVD).
https://cve-search.github.io/vulnerability-lookup/
GNU Affero General Public License v3.0

Open question: vendor / tool name mapping across sources #5

Open Rafiot opened 1 year ago

Rafiot commented 1 year ago

We have a few ways to represent what is affected by a vulnerability.

Let's go through them with a random CVE (CVE-2023-21825).

{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2023-06-01T16:03:47.303",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2023-21825",
        "sourceIdentifier": "secalert_us@oracle.com",
        "published": "2023-01-18T00:15:12.517",
        "lastModified": "2023-01-24T19:41:12.840",
        "vulnStatus": "Analyzed",
        "descriptions": [
          {
            "lang": "en",
            "value": "Vulnerability in the Oracle iSupplier Portal product of Oracle E-Business Suite (component: Supplier Management).  Supported versions that are affected are 12.2.6-12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iSupplier Portal.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle iSupplier Portal accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)."
          }
        ],
        "metrics": {
          "cvssMetricV31": [
            {
              "source": "secalert_us@oracle.com",
              "type": "Primary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "NONE",
                "userInteraction": "NONE",
                "scope": "UNCHANGED",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 1.4
            }
          ]
        },
        "weaknesses": [
          {
            "source": "nvd@nist.gov",
            "type": "Primary",
            "description": [
              {
                "lang": "en",
                "value": "NVD-CWE-noinfo"
              }
            ]
          }
        ],
        "configurations": [
          {
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:oracle:isupplier_portal:*:*:*:*:*:*:*:*",
                    "versionStartIncluding": "12.2.6",
                    "versionEndIncluding": "12.2.8",
                    "matchCriteriaId": "7B6D4280-C1CC-4361-9A7C-B9C55F8CFF8C"
                  }
                ]
              }
            ]
          }
        ],
        "references": [
          {
            "url": "https://www.oracle.com/security-alerts/cpujan2023.html",
            "source": "secalert_us@oracle.com",
            "tags": [
              "Patch",
              "Vendor Advisory"
            ]
          }
        ]
      }
    }
  ]
}
{
    "GSD": {
        "alias": "CVE-2023-21825",
        "id": "GSD-2023-21825"
    },
    "namespaces": {
        "cve.org": {
            "CVE_data_meta": {
                "ASSIGNER": "secalert_us@oracle.com",
                "ID": "CVE-2023-21825",
                "STATE": "PUBLIC"
            },
            "affects": {
                "vendor": {
                    "vendor_data": [
                        {
                            "product": {
                                "product_data": [
                                    {
                                        "product_name": "iSupplier Portal",
                                        "version": {
                                            "version_data": [
                                                {
                                                    "version_affected": "=",
                                                    "version_value": "12.2.6-12.2.8"
                                                }
                                            ]
                                        }
                                    }
                                ]
                            },
                            "vendor_name": "Oracle Corporation"
                        }
                    ]
                }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
                "description_data": [
                    {
                        "lang": "eng",
                        "value": "Vulnerability in the Oracle iSupplier Portal product of Oracle E-Business Suite (component: Supplier Management).  Supported versions that are affected are 12.2.6-12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iSupplier Portal.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle iSupplier Portal accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)."
                    },
                    {
                        "lang": "eng",
                        "value": "Vulnerability in the Oracle iSupplier Portal product of Oracle E-Business Suite (component: Supplier Management). Supported versions that are affected are 12.2.6-12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iSupplier Portal. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle iSupplier Portal accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)."
                    }
                ]
            },
            "impact": {
                "cvss": [
                    {
                        "attackComplexity": "LOW",
                        "attackVector": "NETWORK",
                        "availabilityImpact": "NONE",
                        "baseScore": 5.3,
                        "baseSeverity": "MEDIUM",
                        "confidentialityImpact": "LOW",
                        "integrityImpact": "NONE",
                        "privilegesRequired": "NONE",
                        "scope": "UNCHANGED",
                        "userInteraction": "NONE",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                        "version": "3.1"
                    }
                ]
            },
            "problemtype": {
                "problemtype_data": [
                    {
                        "description": [
                            {
                                "lang": "eng",
                                "value": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iSupplier Portal.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle iSupplier Portal accessible data."
                            }
                        ]
                    }
                ]
            },
            "references": {
                "reference_data": [
                    {
                        "name": "https://www.oracle.com/security-alerts/cpujan2023.html",
                        "refsource": "MISC",
                        "url": "https://www.oracle.com/security-alerts/cpujan2023.html"
                    }
                ]
            }
        },
        "nvd.nist.gov": {
            "configurations": {
                "CVE_data_version": "4.0",
                "nodes": [
                    {
                        "children": [],
                        "cpe_match": [
                            {
                                "cpe23Uri": "cpe:2.3:a:oracle:isupplier_portal:*:*:*:*:*:*:*:*",
                                "cpe_name": [],
                                "versionEndIncluding": "12.2.8",
                                "versionStartIncluding": "12.2.6",
                                "vulnerable": true
                            }
                        ],
                        "operator": "OR"
                    }
                ]
            },
            "cve": {
                "CVE_data_meta": {
                    "ASSIGNER": "secalert_us@oracle.com",
                    "ID": "CVE-2023-21825"
                },
                "data_format": "MITRE",
                "data_type": "CVE",
                "data_version": "4.0",
                "description": {
                    "description_data": [
                        {
                            "lang": "en",
                            "value": "Vulnerability in the Oracle iSupplier Portal product of Oracle E-Business Suite (component: Supplier Management).  Supported versions that are affected are 12.2.6-12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iSupplier Portal.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle iSupplier Portal accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)."
                        }
                    ]
                },
                "problemtype": {
                    "problemtype_data": [
                        {
                            "description": [
                                {
                                    "lang": "en",
                                    "value": "NVD-CWE-noinfo"
                                }
                            ]
                        }
                    ]
                },
                "references": {
                    "reference_data": [
                        {
                            "name": "https://www.oracle.com/security-alerts/cpujan2023.html",
                            "refsource": "MISC",
                            "tags": [
                                "Patch",
                                "Vendor Advisory"
                            ],
                            "url": "https://www.oracle.com/security-alerts/cpujan2023.html"
                        }
                    ]
                }
            },
            "impact": {
                "baseMetricV3": {
                    "cvssV3": {
                        "attackComplexity": "LOW",
                        "attackVector": "NETWORK",
                        "availabilityImpact": "NONE",
                        "baseScore": 5.3,
                        "baseSeverity": "MEDIUM",
                        "confidentialityImpact": "LOW",
                        "integrityImpact": "NONE",
                        "privilegesRequired": "NONE",
                        "scope": "UNCHANGED",
                        "userInteraction": "NONE",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                        "version": "3.1"
                    },
                    "exploitabilityScore": 3.9,
                    "impactScore": 1.4
                }
            },
            "lastModifiedDate": "2023-01-24T19:41Z",
            "publishedDate": "2023-01-18T00:15Z"
        }
    }
}
{
  "schema_version": "1.4.0",
  "id": "GHSA-pf47-j984-4hxc",
  "modified": "2023-01-18T00:30:18Z",
  "published": "2023-01-18T00:30:18Z",
  "aliases": [
    "CVE-2023-21825"
  ],
  "details": "Vulnerability in the Oracle iSupplier Portal product of Oracle E-Business Suite (component: Supplier Management).  Supported versions that are affected are 12.2.6-12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iSupplier Portal.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle iSupplier Portal accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
    }
  ],
  "affected": [

  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21825"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2023.html"
    }
  ],
  "database_specific": {
    "cwe_ids": [

    ],
    "severity": "MODERATE",
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-18T00:15:00Z"
  }
}

Other example: CVE-2023-32999

{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2023-06-01T16:16:23.483",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2023-32999",
        "sourceIdentifier": "jenkinsci-cert@googlegroups.com",
        "published": "2023-05-16T17:15:12.160",
        "lastModified": "2023-05-31T18:46:35.313",
        "vulnStatus": "Analyzed",
        "descriptions": [
          {
            "lang": "en",
            "value": "A missing permission check in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials."
          }
        ],
        "metrics": {
          "cvssMetricV31": [
            {
              "source": "nvd@nist.gov",
              "type": "Primary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "LOW",
                "userInteraction": "NONE",
                "scope": "UNCHANGED",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 1.4
            }
          ]
        },
        "weaknesses": [
          {
            "source": "nvd@nist.gov",
            "type": "Primary",
            "description": [
              {
                "lang": "en",
                "value": "CWE-276"
              }
            ]
          }
        ],
        "configurations": [
          {
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:jenkins:appspider:*:*:*:*:*:jenkins:*:*",
                    "versionEndIncluding": "1.0.15",
                    "matchCriteriaId": "AC299A2B-F122-46A1-B408-E3F97C9C494E"
                  }
                ]
              }
            ]
          }
        ],
        "references": [
          {
            "url": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3121",
            "source": "jenkinsci-cert@googlegroups.com",
            "tags": [
              "Vendor Advisory"
            ]
          }
        ]
      }
    }
  ]
}
{
    "GSD": {
        "alias": "CVE-2023-32999",
        "id": "GSD-2023-32999"
    },
    "namespaces": {
        "cve.org": {
            "CVE_data_meta": {
                "ASSIGNER": "jenkinsci-cert@googlegroups.com",
                "ID": "CVE-2023-32999",
                "STATE": "PUBLIC"
            },
            "affects": {
                "vendor": {
                    "vendor_data": [
                        {
                            "product": {
                                "product_data": [
                                    {
                                        "product_name": "Jenkins AppSpider Plugin",
                                        "version": {
                                            "version_data": [
                                                {
                                                    "version_affected": "<=",
                                                    "version_name": "0",
                                                    "version_value": "1.0.15"
                                                }
                                            ]
                                        }
                                    }
                                ]
                            },
                            "vendor_name": "Jenkins Project"
                        }
                    ]
                }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
                "description_data": [
                    {
                        "lang": "eng",
                        "value": "A missing permission check in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials."
                    }
                ]
            },
            "problemtype": {
                "problemtype_data": [
                    {
                        "description": [
                            {
                                "lang": "eng",
                                "value": "n/a"
                            }
                        ]
                    }
                ]
            },
            "references": {
                "reference_data": [
                    {
                        "name": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3121",
                        "refsource": "MISC",
                        "url": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3121"
                    }
                ]
            }
        },
        "nvd.nist.gov": {
            "configurations": {
                "CVE_data_version": "4.0",
                "nodes": [
                    {
                        "children": [],
                        "cpe_match": [
                            {
                                "cpe23Uri": "cpe:2.3:a:jenkins:appspider:*:*:*:*:*:jenkins:*:*",
                                "cpe_name": [],
                                "versionEndIncluding": "1.0.15",
                                "vulnerable": true
                            }
                        ],
                        "operator": "OR"
                    }
                ]
            },
            "cve": {
                "CVE_data_meta": {
                    "ASSIGNER": "jenkinsci-cert@googlegroups.com",
                    "ID": "CVE-2023-32999"
                },
                "data_format": "MITRE",
                "data_type": "CVE",
                "data_version": "4.0",
                "description": {
                    "description_data": [
                        {
                            "lang": "en",
                            "value": "A missing permission check in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials."
                        }
                    ]
                },
                "problemtype": {
                    "problemtype_data": [
                        {
                            "description": [
                                {
                                    "lang": "en",
                                    "value": "CWE-276"
                                }
                            ]
                        }
                    ]
                },
                "references": {
                    "reference_data": [
                        {
                            "name": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3121",
                            "refsource": "MISC",
                            "tags": [
                                "Vendor Advisory"
                            ],
                            "url": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3121"
                        }
                    ]
                }
            },
            "impact": {
                "baseMetricV3": {
                    "cvssV3": {
                        "attackComplexity": "LOW",
                        "attackVector": "NETWORK",
                        "availabilityImpact": "NONE",
                        "baseScore": 4.3,
                        "baseSeverity": "MEDIUM",
                        "confidentialityImpact": "NONE",
                        "integrityImpact": "LOW",
                        "privilegesRequired": "LOW",
                        "scope": "UNCHANGED",
                        "userInteraction": "NONE",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                        "version": "3.1"
                    },
                    "exploitabilityScore": 2.8,
                    "impactScore": 1.4
                }
            },
            "lastModifiedDate": "2023-05-31T18:46Z",
            "publishedDate": "2023-05-16T17:15Z"
        }
    }
}
{
  "schema_version": "1.4.0",
  "id": "GHSA-2c5c-fhr8-pwh9",
  "modified": "2023-05-17T03:37:09Z",
  "published": "2023-05-16T18:30:16Z",
  "aliases": [
    "CVE-2023-32999"
  ],
  "summary": "Jenkins AppSpider Plugin missing permission check",
  "details": "Jenkins AppSpider Plugin 1.0.15 and earlier does not perform a permission check in a method implementing form validation.\n\nThis allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials.\n\nAdditionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.\n\nAppSpider Plugin 1.0.16 requires POST requests and Overall/Administer permission for the affected form validation method.",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.rapid7:jenkinsci-appspider-plugin"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.16"
            }
          ]
        }
      ],
      "database_specific": {
        "last_known_affected_version_range": "<= 1.0.15"
      }
    }
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32999"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3121"
    }
  ],
  "database_specific": {
    "cwe_ids": [

    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-17T03:37:09Z",
    "nvd_published_at": null
  }
}
Rafiot commented 1 year ago

Follow-up question on that: how do we handle vulnerabilities that only apply if multiple products are involved?

Example: CVE-2008-0732

{
  "cve": {
    "id": "CVE-2008-0732",
    "sourceIdentifier": "cve@mitre.org",
    "published": "2008-02-12T21:00:00.000",
    "lastModified": "2008-09-05T21:35:50.617",
    "vulnStatus": "Analyzed",
    "descriptions": [
      {
        "lang": "en",
        "value": "The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories."
      },
      {
        "lang": "es",
        "value": "La secuencia de comandos init de Apache Geronimo sobre SUSE Linux sigue enlaces simbólicos cuando realiza una operación de cambio en la propiedad de ficheros o directorios, que permite a usuarios locales obtener acceso a ficheros y directorios no especificados."
      }
    ],
    "metrics": {
      "cvssMetricV2": [
        {
          "source": "nvd@nist.gov",
          "type": "Primary",
          "cvssData": {
            "version": "2.0",
            "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
            "accessVector": "LOCAL",
            "accessComplexity": "LOW",
            "authentication": "NONE",
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 2.1
          },
          "baseSeverity": "LOW",
          "exploitabilityScore": 3.9,
          "impactScore": 2.9,
          "acInsufInfo": false,
          "obtainAllPrivilege": false,
          "obtainUserPrivilege": false,
          "obtainOtherPrivilege": false,
          "userInteractionRequired": false
        }
      ]
    },
    "weaknesses": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-59"
          }
        ]
      }
    ],
    "configurations": [
      {
        "operator": "AND",
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": false,
                "criteria": "cpe:2.3:o:suse:suse_linux:*:*:*:*:*:*:*:*",
                "matchCriteriaId": "67527281-81FA-4068-9E0A-7B19FB6A208A"
              }
            ]
          },
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:apache:geronimo:*:*:*:*:*:*:*:*",
                "matchCriteriaId": "67517877-5475-4CDA-A634-4CDE447D41D1"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00003.html",
        "source": "cve@mitre.org",
        "tags": [
          "Patch"
        ]
      }
    ]
  }
}

If we use the same approach as defined in the existing CVE Search API, we'll have this vulnerability in suse:suse_linux when it is not the case all the time.
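
One way to index the AND configuration quoted above so that the CVE is not filed under suse:suse_linux on its own, as an added example that is not part of the original comment or the project's code. The function names are hypothetical, the two records are trimmed copies of the `configurations` blocks on this page, and matching is on vendor:product only (version ranges are ignored).

```python
# Trimmed copies of the `configurations` blocks quoted in this thread.
CVE_2008_0732 = {"configurations": [{"operator": "AND", "nodes": [
    {"operator": "OR", "negate": False, "cpeMatch": [
        {"vulnerable": False, "criteria": "cpe:2.3:o:suse:suse_linux:*:*:*:*:*:*:*:*"}]},
    {"operator": "OR", "negate": False, "cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:a:apache:geronimo:*:*:*:*:*:*:*:*"}]},
]}]}
CVE_2023_21825 = {"configurations": [{"nodes": [
    {"operator": "OR", "negate": False, "cpeMatch": [
        {"vulnerable": True,
         "criteria": "cpe:2.3:a:oracle:isupplier_portal:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "12.2.6", "versionEndIncluding": "12.2.8"}]},
]}]}


def vendor_product(criteria):
    """'cpe:2.3:a:apache:geronimo:...' -> 'apache:geronimo'."""
    fields = criteria.split(":")
    return f"{fields[3]}:{fields[4]}"


def flat_index(cve):
    """Every CPE in the record, ignoring operators and the `vulnerable` flag.

    This is the outcome the comment above warns about: the platform shows up
    as if it were affected by itself.
    """
    return sorted({vendor_product(m["criteria"])
                   for c in cve["configurations"]
                   for n in c["nodes"] for m in n["cpeMatch"]})


def conditional_index(cve):
    """Map each vulnerable vendor:product to the conditions under which it applies.

    Each condition is a list of groups; one product from every group must
    also be present. An empty condition means the product is affected alone.
    """
    index = {}
    for config in cve["configurations"]:
        nodes = config["nodes"]
        if any(n.get("negate") for n in nodes):
            raise ValueError("negated nodes are not handled by this example")
        names = [sorted({vendor_product(m["criteria"]) for m in n["cpeMatch"]})
                 for n in nodes]
        # A configuration without an operator is treated as OR.
        is_and = config.get("operator", "OR") == "AND"
        for i, node in enumerate(nodes):
            # Under AND, every sibling node is a precondition for this node.
            siblings = [names[j] for j in range(len(nodes)) if j != i] if is_and else []
            for match in node["cpeMatch"]:
                if match["vulnerable"]:
                    index.setdefault(vendor_product(match["criteria"]), []).append(siblings)
    return index


def affected(cve, installed):
    """Vulnerable products in the `installed` set whose conditions are met."""
    hits = []
    for product, conditions in conditional_index(cve).items():
        if product in installed and any(
                all(installed & set(group) for group in cond) for cond in conditions):
            hits.append(product)
    return sorted(hits)


if __name__ == "__main__":
    print(flat_index(CVE_2008_0732))
    print(conditional_index(CVE_2008_0732))
    print(affected(CVE_2008_0732, {"suse:suse_linux"}))
    print(affected(CVE_2008_0732, {"suse:suse_linux", "apache:geronimo"}))
```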

adulau commented 1 year ago

Could we imagine a fuzzy strategy for the different sources, where approximate results are calculated in another set, like we did for cpe-guesser (https://github.com/cve-search/cpe-guesser)?

Rafiot commented 1 year ago

We can do something like that, but I really fear there will be a lot of improper guesses (the CPE refs are super weak).

As long as we have a reference to a CVE in whichever vulnerability entry, we automatically get the CPE:

"GSD": {
    "alias": "CVE-2023-21825",
    "id": "GSD-2023-21825"
}

It doesn't really solve the issue with the CPE requiring operators, but it's better than nothing.
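
The alias join described in the last comment, run over the three record shapes from the opening comment, as an added example that is not part of the thread or the project's code. The function names are hypothetical and the records are trimmed copies of the ones quoted on this page; the output shows how differently each source names the same product and how few tokens a fuzzy match would have to work with.

```python
import re
from collections import defaultdict

# Trimmed copies of the records quoted in this thread (only the fields read below).
NVD = {"cve": {"id": "CVE-2023-32999", "configurations": [{"nodes": [{"cpeMatch": [
    {"vulnerable": True, "versionEndIncluding": "1.0.15",
     "criteria": "cpe:2.3:a:jenkins:appspider:*:*:*:*:*:jenkins:*:*"}]}]}]}}
GSD = {"GSD": {"alias": "CVE-2023-32999", "id": "GSD-2023-32999"},
       "namespaces": {"cve.org": {"affects": {"vendor": {"vendor_data": [
           {"vendor_name": "Jenkins Project", "product": {"product_data": [
               {"product_name": "Jenkins AppSpider Plugin"}]}}]}}}}}
GHSA = {"id": "GHSA-2c5c-fhr8-pwh9", "aliases": ["CVE-2023-32999"], "affected": [
    {"package": {"ecosystem": "Maven", "name": "com.rapid7:jenkinsci-appspider-plugin"}}]}
# The GHSA entry for CVE-2023-21825 names no affected package at all.
GHSA_EMPTY = {"id": "GHSA-pf47-j984-4hxc", "aliases": ["CVE-2023-21825"], "affected": []}


def cpe_names(record):
    """NVD 2.0: vendor and product are fields 3 and 4 of each CPE 2.3 string."""
    cve = record["cve"]
    names = []
    for config in cve.get("configurations", []):
        for node in config["nodes"]:
            for match in node["cpeMatch"]:
                fields = match["criteria"].split(":")
                names.append(("nvd", fields[3], fields[4]))
    return cve["id"], names


def gsd_names(record):
    """GSD: free-text vendor_name / product_name under namespaces['cve.org']."""
    vendors = record["namespaces"]["cve.org"]["affects"]["vendor"]["vendor_data"]
    names = [("gsd", v["vendor_name"], p["product_name"])
             for v in vendors for p in v["product"]["product_data"]]
    return record["GSD"]["alias"], names


def ghsa_names(record):
    """GHSA: ecosystem and package name; `affected` may be empty."""
    names = [("ghsa", a["package"]["ecosystem"], a["package"]["name"])
             for a in record.get("affected", [])]
    cve = next((a for a in record.get("aliases", []) if a.startswith("CVE-")), None)
    return cve, names


def correlate(nvd=(), gsd=(), ghsa=()):
    """Group each source's naming of the affected product under the shared CVE id."""
    by_cve = defaultdict(list)
    for extract, records in ((cpe_names, nvd), (gsd_names, gsd), (ghsa_names, ghsa)):
        for record in records:
            cve, names = extract(record)
            if cve:  # entries without a CVE alias cannot be joined this way
                by_cve[cve].extend(names)
    return dict(by_cve)


def shared_tokens(names):
    """Lower-cased word tokens common to every source's vendor + product naming."""
    token_sets = [set(re.findall(r"[a-z0-9]+", f"{vendor} {product}".lower()))
                  for _, vendor, product in names]
    return set.intersection(*token_sets) if token_sets else set()


if __name__ == "__main__":
    joined = correlate(nvd=[NVD], gsd=[GSD], ghsa=[GHSA, GHSA_EMPTY])
    for cve, names in joined.items():
        print(cve, names, shared_tokens(names))
```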