Reporting Inaccurate Affected Components in GitHub Advisory Database

[catch22out]

Dear maintainers of github advisory-database:

We thank GitHub Advisory for providing valuable data to the public. We are utilizing this database for security purposes, and we greatly appreciate the contribution.

During our analysis of the CVE entries, we have identified an issue with the accuracy of the "package" field where the listed affected components does not align with the actual affected components. It can either be incomplete or incorrect.

For instance, in the first entry, CVE-2019-15477 https://github.com/github/advisory-database/blob/6ea0ea8bbfd74f67b7b60b86aac2d0cfe8a6152d/advisories/github-reviewed/2019/08/GHSA-f5f4-m7qp-w6gc/GHSA-f5f4-m7qp-w6gc.json, the database states that the affected component is io.jooby:jooby. However, upon further investigation, we have found that the correct affected component should be org.jooby:jooby, as evidenced by the patch available at https://github.com/jooby-project/jooby/pull/1368/commits/34856a738829d8fedca4ed27bd6ff413af87186f.

Another example is CVE-2018-20094 https://github.com/github/advisory-database/blob/6ea0ea8bbfd74f67b7b60b86aac2d0cfe8a6152d/advisories/github-reviewed/2018/12/GHSA-8j39-fgfp-vxh8/GHSA-8j39-fgfp-vxh8.json, where the same discrepancy occurs. As mentioned in the poc (https://github.com/xuxueli/xxl-conf/issues/61), the ConfController.java line 150 is affected, and this method is located in https://github.com/xuxueli/xxl-conf/blob/6726dfe7979ea6d8fb983771471cde69789de632/xxl-conf-admin/src/main/java/com/xxl/conf/admin/controller/ConfController.java, the affected scope can be more specific: com.xuxueli:xxl-conf-admin.

After thorough examination, we have discovered a total of 64 CVE that contain incorrect or incomplete affected component information. In order to prevent misleading information to end users or false alarms from tools built upon this database, we chose to report these issues to you.

Attached csv document contains 64 records of the erroneous components in the vulnerability database. The fields in the csv file are explained as follows:

• Vulnerability ID: Unique CVE identifier/GHSA identifier for each vulnerability entry.
• Erroneous Affected Component: The list affected ecosystem and component names in vulnerability database which is either incomplete or incorrect. The format is: “ecosystemsplitcomponent”.
• Suggested Component: The correct affected ecosystem and component names according to our inspection where it is corrected either by adding component names or rectifying the existing component names. The format is: “ecosystemsplitcomponent”.
• Evidence: Justification for the change.

For further details, please refer to the attached csv file. We hope our findings are beneficial to the community security.

Attached CSV File: Github.Inaccurate.Affected.Components.csv

If you have any questions or require additional information, please do not hesitate to reach out to us. We kindly request your feedback on the accuracy of our analysis and look forward to receiving your input.

[catch22out]

@taladrane @KateCatlin @shelbyc We thank GitHub Advisory for the valuable data provided. While analyzing CVE entries, we found inaccuracies in the "package" field, with affected components not aligning with the actual ones, possibly being incomplete or incorrect.

The timely and accurate vulnerability information can significantly enhance open-source security. We raised this concern several weeks ago, and now we are considering whether using pull requests instead of issues would be more effective(maybe 64 PRs?)

[shelbyc]

Hi @catch22out, Thank you for bringing these advisories to our attention. At the moment, we're working with reduced staff but can still review each advisory individually. If you're interested in being credited if we find the proposed changes to be accurate, you can make one community contribution pull request for each GHSA. Otherwise, we can go through the CSV when we can and let you know in this issue what we find with respect to each affected product.

[catch22out]

Hi @shelbyc, We've submitted several pull requests, but unfortunately, they haven't been merged into the main branch and the problem of inaccurate components still persists within those GHSA. Consequently, we've shifted our approach to open this issue.

We've also identified inaccuracies in affected components within GitLab. Most of the components we reported were accepted. Recently, we manually pickup the overlap of our reporting between GitHub and GitLab, and we've provided a list of 29 GHSA that have been confirmed by GitLab. The fields "GitLab Feedback" and "GitLab Reference" are introduced to indicate GitLab's acceptance status and acceptance evidence.

We believe this can reduce your workload. If you have any questions or run into any issues, please don't hesitate to contact us. We kindly request your feedback on the accuracy of our analysis and look forward to receiving your input~

[taladrane]

hi @catch22out 👋 thank you so much for your patience on this as we work through it. I want to share an update about this work and ask for some additional information on a few advisories. We've updated the following advisories to match your suggestions:

• GHSA-f5f4-m7qp-w6gc
• GHSA-8j39-fgfp-vxh8
• GHSA-6g3c-2mh5-7q6x
• GHSA-fmqw-vqh5-cwq9
• GHSA-9x5v-8352-244g
• GHSA-43fp-vwwg-qgv6
• GHSA-mm57-9j6q-rxm2
• GHSA-qcgx-crrx-38v5
• GHSA-2m8h-fgr8-2q9w
• GHSA-h7mf-qrm9-2848
• GHSA-q7fr-vqhq-v5xr
• GHSA-r6fx-55x3-f9x6
• GHSA-h8jc-jmrf-9h8f
• GHSA-jh5g-9m4v-9vv9
• GHSA-26vr-8j45-3r4w
• GHSA-2mp8-qvqm-3xwq
• GHSA-92wj-x78c-m4fx
• GHSA-pmqq-7wfv-jfff
• GHSA-f6f2-pwrj-64h3
• GHSA-v6wr-fch2-vm5w
• GHSA-9jq9-c2cv-pcrj
• GHSA-g644-pr5v-vppf
• GHSA-jc7p-5r39-9477
• GHSA-6v7w-535j-rq5m
• GHSA-ccjp-w723-2jf2
• GHSA-793h-6f7r-6qvm + GHSA-9p5g-vg43-mj5r
• GHSA-fh32-35w2-rxcc
• GHSA-xjrr-xv9m-4pw5
• GHSA-344f-f5vg-2jfj
• GHSA-pr38-qpxm-g88x
• GHSA-jqx5-h2hw-5q4f
• GHSA-gfwj-fwqj-fp3v
• GHSA-4fv4-cq5v-x45m
• GHSA-p63h-7hw8-5cw4
• GHSA-vvw4-rfwf-p6hx
• GHSA-xhw6-hjc9-679m
• GHSA-729f-wvj3-c4pj
• GHSA-w69w-jvc7-wjgv
• GHSA-5993-wwpg-m92c
• GHSA-qhm4-jxv7-j9pq
• GHSA-m6mm-q862-j366
• GHSA-74qp-233x-p5j8
• GHSA-f268-65qc-98vg
• GHSA-cqqj-4p63-rrmm
• GHSA-3357-829x-m9pr
• GHSA-w4fj-ccr6-7pcp
• GHSA-c4r5-xvgw-2942
• GHSA-p699-3wgc-7h72
• GHSA-q2xp-75m7-gv52
• GHSA-rpvr-mw7r-25xx
• GHSA-grg4-wf29-r9vv
• GHSA-wc4x-4gm2-74j8
• GHSA-9xrj-439h-62hg
• GHSA-42wx-65g4-5cxv
• GHSA-484q-784p-8m5h
• GHSA-7q8g-gpfp-v8gx
• GHSA-pr5m-4w22-8483

The following advisories are ones that we either have additional questions about or currently disagree with your feedback:

• GHSA-ffm7-7r8g-77xm: Partially agree - we agree with addingorg.apache.cxf:cxf-rt-management as Snyk included the commit reference: https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHECXF-564238
• GHSA-pc4w-8v5j-29w9: We're unable to find anything related to neo4j-shell on GitHub, including older versions on the neo4j repo. Do you have any additional information about this?
• GHSA-mc8v-mgrf-8f4m: while we agree in theory, we can only support modules in Go since users have to update the module to update an associated package.
• GHSA-3pp3-77j6-8ph6: Almost agree - changes are made to a file in this pom.xml tree, which corresponds with org.apache.nifi:nifi-web (https://central.sonatype.com/artifact/org.apache.nifi/nifi-web), not org.apache.nifi:nifi-web-security
• GHSA-9gcm-f4x3-8jpw: Partially agree - the correct package is only org.springframework:spring-web based on the commit (https://github.com/spring-projects/spring-framework/commit/f64fa3dea10af125d612d3a997aece93d21bc875)
• GHSA-3448-vfvv-xp9g: Disagree. The tika-parser-sqlite3-module was introduced in 2021. The vulnerability is more likely affecting tika-parsers as the file SQLite3Parser in versions before 1.20 can be found here.
• GHSA-grc3-8q8m-4j7c: Disagree - the only file changed in the fix commit corresponds to org.apache.accumulo:accumulo-master

[KateCatlin]

Hi @catch22out, thank you again for your assistance in finding these errors!

Did this resolve this for you or are there any errors persisting? If it's all resolve, I'll go ahead and close this issue!

[catch22out]

Thank you for all your efforts! You have collectively complete disagree with https://github.com/advisories/GHSA-3448-vfvv-xp9g and https://github.com/advisories/GHSA-grc3-8q8m-4j7c. For the first one, we agree with your decision, SQLite3Parser also appear in tika-parser-sqlite3-module but not vulnerable. For the second one, there are still some questions. The repository is changed and the artifact of accumulo-manager is deleted currently. When roll back to the patched version, the modified vulnerable file is server/manager/src/main/java/org/apache/accumulo/master/MasterClientServiceHandler.java and the pom.xml file in https://github.com/apache/accumulo/blob/64c176eaa29703031e6a4fce9e8d883c6b41424e/server/manager/pom.xml pointed to accumulo-manager. In all, we would like to express our sincere gratitude to GitHub for your recognition and support of our work. We are also very appreciative of your willingness to take the time to address these issues and look forward to making further contributions to the open-source ecosystem in the future🙂.

[catch22out]

Currently, we have discovered some additional inaccuracies in affected components for Ten GHSAs. We also kindly request your attention to these inaccuracies.

[taladrane]

hi @catch22out 👋 thank you for the feedback! We've reviewed and agree with your suggestions for those 10 GHSAs and have made the appropriate updates. Following up on CVE-2020-17533 / GHSA-grc3-8q8m-4j7c, where we still disagree, here is our reasoning:

• The PR which corresponds to the main branch and the 2.1.0 branch, has MasterClientServiceHandler.java in server/manager. If a user builds the code from the main branch or uses 2.1.0, that's where the file will be.
  • However, when the fix was backported to 2.0.1 and 1.10.1, the fix was applied to the server/master folder because that is where MasterClientServiceHandler.java is in those versions. The fix commit for 1.10.1 has MasterClientServiceHandler.java in service/master too.
  • If you look at the vulnerable versions 2.0.0 and 1.10.0, there is no manager subfolder under the server folder, only master. manager doesn't appear until 2.1.0 . So while the fix appears the manager folder, manager is never actually vulnerable.
    • https://github.com/apache/accumulo/tree/rel/2.0.0/server
    • https://github.com/apache/accumulo/tree/rel/1.10.0/server
    • https://github.com/apache/accumulo/tree/rel/2.1.0/server
  • Here's the PR that renames master to manager in 2.1.0:
• Additionally, MvnRepository says that the name of org.apache.accumulo:accumulo-master is changed to org.apache.accumulo:accumulo-manager in 2.1.0. So manager has no vulnerable versions associated with it.

[KateCatlin]

@catch22out any other questions here or shall we close this issue out?

[catch22out]

Thank you for the discussion. I agree with the conclusion of @taladrane. I believe all aspects of the issue have been addressed. I don't have any further questions at the moment. Let's go ahead and close this issue. Thanks again for your review!