Closed prabhu closed 3 months ago
Hey @prabhu
Thanks for taking a look at our data, I'd love to more broadly explore any gaps you've identified using this CPE to Purl technique you mention.
In the case of this particular CVE, I'm not seeing how there's a discrepancy?
Looking at https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2022-30187, I can see the following CPEs:
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:microsoft:azure_storage_blobs:*:*:*:*:*:.net:*:*",
"versionEndExcluding": "12.13.0",
"matchCriteriaId": "76C885A0-06D7-4573-97BA-FBCA7653F008"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:microsoft:azure_storage_blobs:*:*:*:*:*:python:*:*",
"versionEndExcluding": "12.13.0",
"matchCriteriaId": "2E1A488F-D561-4005-AFF8-468860F40816"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:microsoft:azure_storage_blobs:*:*:*:*:*:java:*:*",
"versionEndExcluding": "12.18.0",
"matchCriteriaId": "153D4518-8E6D-48D0-9BC5-EB482EDBF07B"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:microsoft:azure_storage_queue:*:*:*:*:*:python:*:*",
"versionEndExcluding": "12.4.0",
"matchCriteriaId": "F765F0A9-3756-4C1E-85B0-1438474B4590"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:microsoft:azure_storage_queue:*:*:*:*:*:.net:*:*",
"versionEndExcluding": "12.11.0",
"matchCriteriaId": "5444CD1F-54C8-4918-8842-5320DE43FDBC"
}
]
}
]
}
],
which seems to me to correlate with what is currently available for https://api.osv.dev/v1/vulns/GHSA-64x4-9hc6-r2h6:
"affected": [
{
"package": {
"name": "Azure.Storage.Queues",
"ecosystem": "NuGet",
"purl": "pkg:nuget/Azure.Storage.Queues"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "12.11.0"
}
]
}
],
"versions": [
"12.0.0",
"12.1.0",
"12.1.1",
"12.10.0",
"12.2.0",
"12.3.0",
"12.3.1",
"12.3.2",
"12.4.0",
"12.4.1",
"12.4.2",
"12.5.0",
"12.6.0",
"12.6.1",
"12.6.2",
"12.7.0",
"12.8.0",
"12.9.0"
],
"database_specific": {
"source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-64x4-9hc6-r2h6/GHSA-64x4-9hc6-r2h6.json"
}
},
{
"package": {
"name": "Azure.Storage.Blobs",
"ecosystem": "NuGet",
"purl": "pkg:nuget/Azure.Storage.Blobs"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "12.13.0"
}
]
}
],
"versions": [
"12.0.0",
"12.1.0",
"12.10.0",
"12.11.0",
"12.12.0",
"12.2.0",
"12.3.0",
"12.4.0",
"12.4.1",
"12.4.2",
"12.4.3",
"12.4.4",
"12.5.0",
"12.5.1",
"12.6.0",
"12.7.0",
"12.8.0",
"12.8.1",
"12.8.2",
"12.8.3",
"12.8.4",
"12.9.0",
"12.9.1"
],
"database_specific": {
"source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-64x4-9hc6-r2h6/GHSA-64x4-9hc6-r2h6.json"
}
}
],
i.e., I'm seeing:
The CVE itself isn't converting to a first class OSV record (it's just an alias of GHSA-64x4-9hc6-r2h6 as you note), because our conversion process hasn't been able to derive a Git repository CPEs, and looking at https://github.com/scanoss/purl2cpe/tree/main/data/microsoft, which I've been using as an independent cross-reference, I'm not seeing anything particularly useful there, either.
Could you please elaborate on how the current behaviour is not aligning with what you're expecting?
Thanks @andrewpollock. I will share the script once it's in good shape. It is currently buggy and unreliable.
Regarding the CPE, you can find java
and python
under target_sw,
which is how the package ecosystem is represented. Depscan, for example, can now report these vulnerabilities for the equivalent maven and pypi packages in addition to nuget as well.
Perhaps retain the raw CPE information for NVD under database_specific
and ensure both NVD and GHSA information are presented for all CVEs?
Regarding the CPE, you can find
java
andpython
undertarget_sw,
which is how the package ecosystem is represented.
Ah, I see. Thanks for highlighting that.
In the case of GHSA-64x4-9hc6-r2h6 specifically, any deficiencies in comprehensiveness need to be taken up with the GitHub Advisory Database, via https://github.com/advisories/GHSA-64x4-9hc6-r2h6/improve
Perhaps retain the raw CPE information for NVD under
database_specific
and ensure both NVD and GHSA information are presented for all CVEs?
That would not help in this situation, as the original data source is the GitHub Advisory Database. The NVD was not involved in this record at all.
I have gone ahead and suggested the GitHub Advisory Database record add the missing Java and Python packages so we can close out this issue.
Describe the bug When searching for CVE-2022-30187, there is only a single result belonging to GHSA being presented.
https://osv.dev/vulnerability/GHSA-64x4-9hc6-r2h6
The GHSA entry doesn't include Java and Python SDKs. NVD (!) and MSRC feeds are correct here.
https://nvd.nist.gov/vuln/detail/CVE-2022-30187 https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-30187
NOTE: While this is a single example, a quick and dirty script that compares NVD data with equivalent OSV shows huge discrepancies (CPE converted to purl and matched against OSV) where it is not clear which database is even correct. Will create a separate ticket for this.
To Reproduce Steps to reproduce the behaviour:
Expected behaviour Package information must match NVD (CPEs belonging to application packages)
Screenshots If applicable, add screenshots to help explain your problem.
Additional context Add any other context about the problem here.