New approach for CVE checking

[hohwille]

With story #103 we want to have security checking to warn users before a tool installation as well as after that if a tool with critical CVEs is used/installed and if detected before installation the user shall be asked for confirmation.

We already implemented a lot of this with PR #119 and then created story #190 with some concerns and improvements. In the end we came to discussions that questioned the entire approach.

With this story we want to do a PoC/MVP on an alternative approach:

• We implement a direct check of a tool with «tool» + «edition» + «version». That most probably needs additional information that PR #119 added to URLUpdaters but would then be needed directly in ToolCommandlet. Example from maven:

  @Override
  public String getCpeVendor() {
  
  return "apache";
  }
  
  @Override
  public String getCpeProduct() {
  
  return "maven";
  }

• Before installation we call that check and see if that combination has (critical) CVEs.
• On the long run the user/project can configure a threshold for the severity, also blacklist CVEs, etc. but for PoC we can ignore this.
• Also ideally the check will give us a structured result that also includes the closest (stable) newer version that could be installed instead without critical CVEs if available. Then the installation process could ask the user if he instead wants to install that newer version instead to be safe of the CVEs. However, again for the PoC we do not need this.
• PR #119 already contains the code and dependency (org.owasp:dependency-check-core) that we need to implement this CVE check. If that happens inside IDEasy we must ensure that the CVE-DB is reused across multiple projects. Either the tool already creates this in a hidden folder of the users home directory or we can specify a directory so the data would be written somewhere in IDE_ROOT.

Things to analyze:

• How long does it take on the very first run with CVE-DB being downloaded, etc.?
• Would we get all the required information from this (e.g. next version fixing the CVEs) and could we configure threshold, etc. accordingly?
• If that library downloads stuff, can this somehow work together with our progress-bar, online/offline capability, proxy-support? Surely an advanced question that must not be answered with the very first PoC.

[hohwille]

I was doing some more research and came to the impression that the official CVE-DB is designed like a "blockchain": Some large monolithic monster designed to only grow and grow. There seems to be no existing (free) service to get only the CVEs for a dedicated tool (by CPE). Since the CVE-DB is very big and we only need less than 1% of that data, it seems waste to make every of our users to download that DB and keep it up-to-date. I would still like someone to take this story and do an analysis. But if that confirms my concerns, we should stay with the initial approach: We should add ALL CVEs of a tool to its security.json file then. The user/project could configure some priority threshold for the warnings of these CVEs he gets at runtime when using IDEasy.

[hohwille]

https://github.com/cve-search/cve-search

[hohwille]

https://www.pentestfactory.de/en/cve-quick-search-implementing-our-own-vulnerability-database/