search

google / osv.dev

Open source vulnerability DB and triage service.
https://osv.dev
Apache License 2.0
1.49k stars 182 forks source link

CVE-2022-30187 is not reported for java and Python SDKs #2024

Closed prabhu closed 3 months ago

prabhu commented 6 months ago

Describe the bug When searching for CVE-2022-30187, there is only a single result belonging to GHSA being presented.

https://osv.dev/vulnerability/GHSA-64x4-9hc6-r2h6

The GHSA entry doesn't include Java and Python SDKs. NVD (!) and MSRC feeds are correct here.

https://nvd.nist.gov/vuln/detail/CVE-2022-30187 https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-30187

NOTE: While this is a single example, a quick and dirty script that compares NVD data with equivalent OSV shows huge discrepancies (CPE converted to purl and matched against OSV) where it is not clear which database is even correct. Will create a separate ticket for this.

To Reproduce Steps to reproduce the behaviour:

  1. search for CVE-2022-30187

Expected behaviour Package information must match NVD (CPEs belonging to application packages)

Screenshots If applicable, add screenshots to help explain your problem.

Additional context Add any other context about the problem here.

andrewpollock commented 6 months ago

Hey @prabhu

Thanks for taking a look at our data, I'd love to more broadly explore any gaps you've identified using this CPE to Purl technique you mention.

In the case of this particular CVE, I'm not seeing how there's a discrepancy?

Looking at https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2022-30187, I can see the following CPEs:

        "configurations": [
          {
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:microsoft:azure_storage_blobs:*:*:*:*:*:.net:*:*",
                    "versionEndExcluding": "12.13.0",
                    "matchCriteriaId": "76C885A0-06D7-4573-97BA-FBCA7653F008"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:microsoft:azure_storage_blobs:*:*:*:*:*:python:*:*",
                    "versionEndExcluding": "12.13.0",
                    "matchCriteriaId": "2E1A488F-D561-4005-AFF8-468860F40816"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:microsoft:azure_storage_blobs:*:*:*:*:*:java:*:*",
                    "versionEndExcluding": "12.18.0",
                    "matchCriteriaId": "153D4518-8E6D-48D0-9BC5-EB482EDBF07B"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:microsoft:azure_storage_queue:*:*:*:*:*:python:*:*",
                    "versionEndExcluding": "12.4.0",
                    "matchCriteriaId": "F765F0A9-3756-4C1E-85B0-1438474B4590"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:microsoft:azure_storage_queue:*:*:*:*:*:.net:*:*",
                    "versionEndExcluding": "12.11.0",
                    "matchCriteriaId": "5444CD1F-54C8-4918-8842-5320DE43FDBC"
                  }
                ]
              }
            ]
          }
        ],

which seems to me to correlate with what is currently available for https://api.osv.dev/v1/vulns/GHSA-64x4-9hc6-r2h6:

  "affected": [
    {
      "package": {
        "name": "Azure.Storage.Queues",
        "ecosystem": "NuGet",
        "purl": "pkg:nuget/Azure.Storage.Queues"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "12.11.0"
            }
          ]
        }
      ],
      "versions": [
        "12.0.0",
        "12.1.0",
        "12.1.1",
        "12.10.0",
        "12.2.0",
        "12.3.0",
        "12.3.1",
        "12.3.2",
        "12.4.0",
        "12.4.1",
        "12.4.2",
        "12.5.0",
        "12.6.0",
        "12.6.1",
        "12.6.2",
        "12.7.0",
        "12.8.0",
        "12.9.0"
      ],
      "database_specific": {
        "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-64x4-9hc6-r2h6/GHSA-64x4-9hc6-r2h6.json"
      }
    },
    {
      "package": {
        "name": "Azure.Storage.Blobs",
        "ecosystem": "NuGet",
        "purl": "pkg:nuget/Azure.Storage.Blobs"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "12.13.0"
            }
          ]
        }
      ],
      "versions": [
        "12.0.0",
        "12.1.0",
        "12.10.0",
        "12.11.0",
        "12.12.0",
        "12.2.0",
        "12.3.0",
        "12.4.0",
        "12.4.1",
        "12.4.2",
        "12.4.3",
        "12.4.4",
        "12.5.0",
        "12.5.1",
        "12.6.0",
        "12.7.0",
        "12.8.0",
        "12.8.1",
        "12.8.2",
        "12.8.3",
        "12.8.4",
        "12.9.0",
        "12.9.1"
      ],
      "database_specific": {
        "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-64x4-9hc6-r2h6/GHSA-64x4-9hc6-r2h6.json"
      }
    }
  ],

i.e., I'm seeing:

The CVE itself isn't converting to a first class OSV record (it's just an alias of GHSA-64x4-9hc6-r2h6 as you note), because our conversion process hasn't been able to derive a Git repository CPEs, and looking at https://github.com/scanoss/purl2cpe/tree/main/data/microsoft, which I've been using as an independent cross-reference, I'm not seeing anything particularly useful there, either.

Could you please elaborate on how the current behaviour is not aligning with what you're expecting?

prabhu commented 6 months ago

Thanks @andrewpollock. I will share the script once it's in good shape. It is currently buggy and unreliable.

Regarding the CPE, you can find java and python under target_sw, which is how the package ecosystem is represented. Depscan, for example, can now report these vulnerabilities for the equivalent maven and pypi packages in addition to nuget as well.

Perhaps retain the raw CPE information for NVD under database_specific and ensure both NVD and GHSA information are presented for all CVEs?

andrewpollock commented 6 months ago

Regarding the CPE, you can find java and python under target_sw, which is how the package ecosystem is represented.

Ah, I see. Thanks for highlighting that.

In the case of GHSA-64x4-9hc6-r2h6 specifically, any deficiencies in comprehensiveness need to be taken up with the GitHub Advisory Database, via https://github.com/advisories/GHSA-64x4-9hc6-r2h6/improve

andrewpollock commented 4 months ago

Perhaps retain the raw CPE information for NVD under database_specific and ensure both NVD and GHSA information are presented for all CVEs?

That would not help in this situation, as the original data source is the GitHub Advisory Database. The NVD was not involved in this record at all.

I have gone ahead and suggested the GitHub Advisory Database record add the missing Java and Python packages so we can close out this issue.