fasten-project / vulnerability-producer

Gathers, enriches and publishes vulnerability information to a Kafka topic.
https://www.fasten-project.eu/
Apache License 2.0

Fix bug that generates purls for versions that did not have the vulnerability #92

Closed MagielBruntink closed 3 years ago

MagielBruntink commented 3 years ago

In seemingly quite a few cases, purls are erroneously generated for versions that come after the "first patched version". This leads to false positives down the line, as patched versions still get the vulnerabilities injected.

One example is CVE-2019-14893, for which the package is correctly identified as jackson-databind by the producer. The first_patched_purls field also correctly shows pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10. However, the list of purls affected by the vulnerability contains many patched versions, which are shown below. Both the full producer and consumer vulnerability JSON files are attached for that CVE.

CVE-2019-14893-consumer.json.gz CVE-2019-14893-producer.json.gz

"purls": [
    ....
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0.pr2",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0.pr3",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.7.3",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.1",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.1",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.2",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.2",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11.5",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.3",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.3",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9.7",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11.6",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.11.0.rc1",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.4",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.11.0",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.4",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.5",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.11.1",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.5",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.11.2",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.6",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.11.3",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.0-rc1",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.7.4",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.0-rc2",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.0",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.5.1",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.7",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.11.4",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.8",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.1",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.2",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.3",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.7.5",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.4",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0-rc1",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.5",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0-rc2",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"
]
MagielBruntink commented 3 years ago

Would you perhaps be able to assist @elanzini ?

cg122 commented 3 years ago

Another example observed is CVE-2019-3802, which is correctly matched to org.springframework.data:spring-data-jpa. Per the applied patch, the vulnerability is "in versions up to and including 2.1.6, 2.0.14 and 1.11.20".

"first_patched_purls": [
        "pkg:maven/org.springframework.data/spring-data-jpa@1.11.22",
        "pkg:maven/org.springframework.data/spring-data-jpa@2.1.8"
]

However, the following versions are also identified as vulnerable:

"vulnerable_purls": [
         ...,
    "pkg:maven/org.springframework.data/spring-data-jpa@2.1.8.RELEASE",
    "pkg:maven/org.springframework.data/spring-data-jpa@2.2.6.RELEASE",
    "pkg:maven/org.springframework.data/spring-data-jpa@2.3.6.RELEASE",
    "pkg:maven/org.springframework.data/spring-data-jpa@2.3.7.RELEASE",
    "pkg:maven/org.springframework.data/spring-data-jpa@2.4.8",
    "pkg:maven/org.springframework.data/spring-data-jpa@2.4.10",
    "pkg:maven/org.springframework.data/spring-data-jpa@2.5.2",
    "pkg:maven/org.springframework.data/spring-data-jpa@2.5.3",
    "pkg:maven/org.springframework.data/spring-data-jpa@1.9.4.RELEASE",
    "pkg:maven/org.springframework.data/spring-data-jpa@1.11.7.RELEASE",
    "pkg:maven/org.springframework.data/spring-data-jpa@2.1.8.RELEASE",
    "pkg:maven/org.springframework.data/spring-data-jpa@2.2.6.RELEASE",
    "pkg:maven/org.springframework.data/spring-data-jpa@2.3.6.RELEASE",
    "pkg:maven/org.springframework.data/spring-data-jpa@2.3.7.RELEASE",
    "pkg:maven/org.springframework.data/spring-data-jpa@2.4.8",
    "pkg:maven/org.springframework.data/spring-data-jpa@2.4.10",
    "pkg:maven/org.springframework.data/spring-data-jpa@2.5.2",
    "pkg:maven/org.springframework.data/spring-data-jpa@2.5.3"
]
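Both reports above describe the same failure mode: a version is marked vulnerable even though it sorts at or after the first patched version on its release line. The example below is added here and is not code from the vulnerability-producer repository; it shows one way to derive vulnerable purls from per-line [introduced, fixed) ranges so that 2.1.8.RELEASE, 2.2.6.RELEASE, 2.10.0.pr2 and 2.13.0 are excluded while 1.11.7.RELEASE and 2.9.9 are kept. Assumptions: the version lists are constructed samples; the "introduced" bounds (1.0, 2.0) and the folding of the 2.0.x line into the range that closes at 2.1.8 are assumed, since the issue only gives the upper bounds; the jackson-databind backport lines (2.6.7.x, 2.7.9.x, 2.8.11.x) are left out because the issue gives no fix versions for them; and the qualifier ordering (pr/rc/alpha/beta/milestone/snapshot before the bare release, RELEASE/GA/Final equal to it) is a simplified ordering, not Maven's ComparableVersion.

```python
"""Range-based selection of vulnerable Maven versions.

Added example, not vulnerability-producer code. Versions inside any
[introduced, fixed) range are vulnerable; everything at or after `fixed`
on that line is not. Unknown qualifiers raise rather than silently sort.
"""
import re
from functools import total_ordering

# Qualifier ranks, lower sorts earlier. Assumption: Jackson's "pr"
# (pre-release) sorts like "rc". Simplified, not Maven's ComparableVersion.
_PRE_RELEASE = {"alpha": 1, "a": 1, "beta": 2, "b": 2, "milestone": 3, "m": 3,
                "pr": 4, "rc": 4, "cr": 4, "snapshot": 5}
_RELEASE_ALIASES = {"", "release", "ga", "final"}
_RELEASE_RANK = 6
_POST_RELEASE = {"sp": 7}
_TOKEN = re.compile(r"\d+|[a-z]+")


@total_ordering
class MavenVersion:
    """Orders version strings: numeric parts first, then qualifier rank."""

    def __init__(self, text: str):
        self.text = text
        tokens = _TOKEN.findall(text.lower())
        nums = []
        while tokens and tokens[0].isdigit():
            nums.append(int(tokens.pop(0)))
        qualifier = tokens.pop(0) if tokens else ""
        # Trailing number after the qualifier, e.g. the 2 in "2.10.0.pr2".
        qual_num = int(tokens.pop(0)) if tokens and tokens[0].isdigit() else 0
        if qualifier in _RELEASE_ALIASES:
            rank = _RELEASE_RANK
        elif qualifier in _PRE_RELEASE:
            rank = _PRE_RELEASE[qualifier]
        elif qualifier in _POST_RELEASE:
            rank = _POST_RELEASE[qualifier]
        else:
            raise ValueError(f"unknown qualifier {qualifier!r} in {text!r}")
        self.nums = tuple(nums)
        self.tail = (rank, qual_num)

    def _padded(self, other):
        # Pad with zeros so 2.9.10 == 2.9.10.0 < 2.9.10.1.
        n = max(len(self.nums), len(other.nums))
        return (self.nums + (0,) * (n - len(self.nums)),
                other.nums + (0,) * (n - len(other.nums)))

    def __eq__(self, other):
        a, b = self._padded(other)
        return a == b and self.tail == other.tail

    def __lt__(self, other):
        a, b = self._padded(other)
        return (a, self.tail) < (b, other.tail)


def is_vulnerable(version: str, ranges) -> bool:
    """True if `version` lies in any [introduced, fixed) range.

    `fixed=None` means no fix is known on that release line.
    """
    v = MavenVersion(version)
    for introduced, fixed in ranges:
        if v < MavenVersion(introduced):
            continue
        if fixed is None or v < MavenVersion(fixed):
            return True
    return False


def vulnerable_purls(group: str, artifact: str, versions, ranges):
    """Build pkg:maven purls only for versions inside an affected range."""
    return [f"pkg:maven/{group}/{artifact}@{v}" for v in versions
            if is_vulnerable(v, ranges)]


# Constructed sample input (not a full release list): versions the issue shows
# being mislabelled, plus a few pre-fix versions.
SPRING_DATA_JPA_VERSIONS = [
    "1.9.4.RELEASE", "1.11.7.RELEASE", "1.11.20.RELEASE", "1.11.22.RELEASE",
    "2.1.6.RELEASE", "2.1.8.RELEASE", "2.2.6.RELEASE", "2.4.8", "2.5.3",
]
# From the issue: affected through 1.11.20 / 2.1.6, first patched 1.11.22 / 2.1.8.
# Assumption: introduced bounds, and the 2.0.x line folded into the 2.1.8 range.
SPRING_DATA_JPA_RANGES = [("1.0", "1.11.22"), ("2.0", "2.1.8")]

JACKSON_VERSIONS = [
    "2.9.9", "2.9.10", "2.9.10.1", "2.10.0.pr2", "2.10.0", "2.12.0-rc1", "2.13.0",
]
# From the issue: first_patched_purls is 2.9.10. Assumption: affected from the
# start of the 2.x line; backport lines (2.6.7.x, 2.8.11.x) are omitted.
JACKSON_RANGES = [("2.0", "2.9.10")]

if __name__ == "__main__":
    for p in vulnerable_purls("org.springframework.data", "spring-data-jpa",
                              SPRING_DATA_JPA_VERSIONS, SPRING_DATA_JPA_RANGES):
        print(p)
    for p in vulnerable_purls("com.fasterxml.jackson.core", "jackson-databind",
                              JACKSON_VERSIONS, JACKSON_RANGES):
        print(p)
```

The comparison pads shorter numeric tuples with zeros, so a patch release such as 2.9.10.1 sorts after 2.9.10 and is correctly excluded when 2.9.10 is the fix, and a qualifier like .RELEASE compares equal to the bare version so 2.1.8.RELEASE is excluded when the fix is recorded as 2.1.8. Any qualifier the table does not know raises instead of guessing, which is the safer failure for a feed that downstream consumers treat as ground truth.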
MagielBruntink commented 3 years ago

After a local run of vulnerability producer, this issue seems fixed. CVE-2019-14893 gets a correct list of purls, as do CVE-2020-8840, CVE-2017-12615 (some of the CVEs that we checked).