intel / cve-bin-tool

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
https://cve-bin-tool.readthedocs.io/en/latest/
GNU General Public License v3.0

fix: missing entries in triage file are not added again from SBOM file #4158

Open r-vdp opened 1 month ago

r-vdp commented 1 month ago

Description

I have a CycloneDX SBOM file like this one, with only one component to keep it short:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "serialNumber": "urn:uuid:ca34e20e-90c2-4e59-1496-1918d361b92e",
  "metadata": {
    "tools": [
      {
        "vendor": "nikstur",
        "name": "bombon",
        "version": "0.2.0"
      }
    ],
    "component": {
      "type": "application",
      "bom-ref": "glmbkr6i7n6flk6sy3xcinnnqpk8c5lw-nixos-system-devNet-reserve-controller-23.11pre-git",
      "name": "nixos-system-devNet-reserve-controller-23.11pre-git",
      "version": "",
      "scope": "required",
      "purl": "pkg:nix/nixos-system-devNet-reserve-controller-23.11pre-git@"
    }
  },
  "components": [
    {
      "type": "application",
      "bom-ref": "1zy01hjzwvvia6h9dq5xar88v77fgh9x-glibc-2.38-44",
      "name": "glibc",
      "version": "2.38",
      "description": "The GNU C Library",
      "scope": "required",
      "licenses": [
        {
          "license": {
            "id": "LGPL-2.0-or-later"
          }
        }
      ],
      "purl": "pkg:nix/glibc@2.38",
      "externalReferences": [
        {
          "type": "vcs",
          "url": "https://ftpmirror.gnu.org/glibc/glibc-2.38.tar.xz",
          "hashes": [
            {
              "alg": "SHA-256",
              "content": "fb82998998b2b29965467bc1b69d152e9c307d2cf301c9eafb4555b770ef3fd2"
            }
          ]
        },
        {
          "type": "website",
          "url": "https://www.gnu.org/software/libc/"
        }
      ]
    }
  ]
}

I then run cve-bin-tool and generate a triage file with:

cve-bin-tool --sbom cyclonedx --sbom-file sbom.json --severity high --vex triage.vex

and I get the following triage file with 4 vulnerabilities listed:

{
   "bomFormat": "CycloneDX",
   "specVersion": "1.4",
   "version": 1,
   "vulnerabilities": [
      {
         "id": "CVE-2023-4911",
         "source": {
            "name": "NVD",
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4911"
         },
         "ratings": [
            {
               "source": {
                  "name": "NVD",
                  "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2023-4911&vector=CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H&version=3.1"
               },
               "score": 7.8,
               "severity": "high",
               "method": "CVSSv3",
               "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
            }
         ],
         "description": "A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.",
         "recommendation": "",
         "advisories": [],
         "created": "NOT_KNOWN",
         "published": "NOT_KNOWN",
         "updated": "",
         "analysis": {
            "state": "in_triage",
            "response": [],
            "detail": "NewFound"
         },
         "affects": [
            {
               "ref": "urn:cbt:1/gnu#glibc:2.38"
            }
         ]
      },
      {
         "id": "CVE-2023-5156",
         "source": {
            "name": "NVD",
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5156"
         },
         "ratings": [
            {
               "source": {
                  "name": "NVD",
                  "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2023-5156&vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1"
               },
               "score": 7.5,
               "severity": "high",
               "method": "CVSSv3",
               "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            }
         ],
         "description": "A flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash.",
         "recommendation": "",
         "advisories": [],
         "created": "NOT_KNOWN",
         "published": "NOT_KNOWN",
         "updated": "",
         "analysis": {
            "state": "in_triage",
            "response": [],
            "detail": "NewFound"
         },
         "affects": [
            {
               "ref": "urn:cbt:1/gnu#glibc:2.38"
            }
         ]
      },
      {
         "id": "CVE-2023-6246",
         "source": {
            "name": "NVD",
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6246"
         },
         "ratings": [
            {
               "source": {
                  "name": "NVD",
                  "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2023-6246&vector=CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H&version=3.1"
               },
               "score": 7.8,
               "severity": "high",
               "method": "CVSSv3",
               "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
            }
         ],
         "description": "A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.",
         "recommendation": "",
         "advisories": [],
         "created": "NOT_KNOWN",
         "published": "NOT_KNOWN",
         "updated": "",
         "analysis": {
            "state": "in_triage",
            "response": [],
            "detail": "NewFound"
         },
         "affects": [
            {
               "ref": "urn:cbt:1/gnu#glibc:2.38"
            }
         ]
      },
      {
         "id": "CVE-2023-6779",
         "source": {
            "name": "NVD",
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6779"
         },
         "ratings": [
            {
               "source": {
                  "name": "NVD",
                  "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2023-6779&vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1"
               },
               "score": 7.5,
               "severity": "high",
               "method": "CVSSv3",
               "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            }
         ],
         "description": "An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. This issue affects glibc 2.37 and newer.",
         "recommendation": "",
         "advisories": [],
         "created": "NOT_KNOWN",
         "published": "NOT_KNOWN",
         "updated": "",
         "analysis": {
            "state": "in_triage",
            "response": [],
            "detail": "NewFound"
         },
         "affects": [
            {
               "ref": "urn:cbt:1/gnu#glibc:2.38"
            }
         ]
      }
   ]
}

If I then remove one of the vulnerabilities manually and run the same command with the triage file,

cve-bin-tool --sbom cyclonedx --sbom-file sbom.json --severity high --triage-file triage.vex --vex triage.vex

the removed vulnerability is not added again to the triage file.

To reproduce

See above.

Expected behaviour: missing entries are added again
Actual behaviour: missing entries are not added again

Version/platform info

Version of CVE-bin-tool (e.g. output of cve-bin-tool --version): 3.3
Installed from pypi or github? from nixpkgs
Operating system: Linux framework 6.9.3 #1-NixOS SMP PREEMPT_DYNAMIC Thu May 30 07:45:04 UTC 2024 x86_64 GNU/Linux
Python version: Python 3.11.9

Anything else?
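The expected behaviour described in the report, as an added example that is not part of the issue or of cve-bin-tool's own code: a fresh scan's findings are merged into an existing CycloneDX VEX triage file, entries that are still present keep whatever analysis the reviewer recorded, and entries that were deleted by hand are appended again as in_triage/NewFound. The scan results, the product ref and the hand-edit steps are constructed in memory to mirror the glibc 2.38 case above; the function names are this example's own, not cve-bin-tool's API.

```python
"""Added example (not cve-bin-tool's code): re-add triage entries that a
fresh scan still reports but that were removed from the VEX file by hand.

The sample data is constructed to mirror the issue: four glibc 2.38 CVEs
reported by the scan, one of them deleted from the triage file manually.
"""
import copy
import json

# Constructed: product ref in the form the issue's triage file uses.
PRODUCT_REF = "urn:cbt:1/gnu#glibc:2.38"

# Constructed: the four findings a scan of the SBOM reports for glibc 2.38,
# with the scores and vectors that appear in the issue's triage output.
SCAN_RESULTS = [
    {"id": "CVE-2023-4911", "score": 7.8, "severity": "high",
     "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},
    {"id": "CVE-2023-5156", "score": 7.5, "severity": "high",
     "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
    {"id": "CVE-2023-6246", "score": 7.8, "severity": "high",
     "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},
    {"id": "CVE-2023-6779", "score": 7.5, "severity": "high",
     "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
]


def vex_entry(finding, product_ref):
    """Build a CycloneDX 1.4 vulnerability entry shaped like the issue's
    triage file, marked as newly found and still in triage."""
    cve = finding["id"]
    return {
        "id": cve,
        "source": {"name": "NVD", "url": f"https://nvd.nist.gov/vuln/detail/{cve}"},
        "ratings": [{
            "source": {"name": "NVD"},
            "score": finding["score"],
            "severity": finding["severity"],
            "method": "CVSSv3",
            "vector": finding["vector"],
        }],
        "analysis": {"state": "in_triage", "response": [], "detail": "NewFound"},
        "affects": [{"ref": product_ref}],
    }


def new_triage(findings, product_ref):
    """The triage file a first run (no --triage-file) would produce."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "vulnerabilities": [vex_entry(f, product_ref) for f in findings],
    }


def missing_ids(triage, findings):
    """CVE ids the scan reports that the triage file no longer contains."""
    present = {v["id"] for v in triage.get("vulnerabilities", [])}
    return sorted(f["id"] for f in findings if f["id"] not in present)


def merge_triage(triage, findings, product_ref):
    """Return (merged triage, ids that were re-added).

    Entries already in the file keep their analysis untouched; findings the
    file lacks (e.g. deleted by hand) are appended again as in_triage/NewFound,
    which is the behaviour the issue expects from a run with --triage-file.
    """
    merged = copy.deepcopy(triage)
    vulns = merged.setdefault("vulnerabilities", [])
    present = {v["id"] for v in vulns}
    readded = []
    for f in findings:
        if f["id"] in present:
            continue
        vulns.append(vex_entry(f, product_ref))
        present.add(f["id"])
        readded.append(f["id"])
    # A stable order keeps diffs of the triage file reviewable.
    vulns.sort(key=lambda v: v["id"])
    return merged, readded


def roundtrip(triage):
    """Serialise and parse again, as writing and re-reading triage.vex would."""
    return json.loads(json.dumps(triage, indent=3))


def reproduce_issue():
    """Walk the issue's steps in memory: scan, hand-edit, re-scan with merge.
    Returns (hand-edited triage, merged triage, re-added ids)."""
    triage = new_triage(SCAN_RESULTS, PRODUCT_REF)
    # Hand edit: delete CVE-2023-4911 and record a decision on CVE-2023-5156.
    triage["vulnerabilities"] = [v for v in triage["vulnerabilities"]
                                 if v["id"] != "CVE-2023-4911"]
    for v in triage["vulnerabilities"]:
        if v["id"] == "CVE-2023-5156":
            v["analysis"]["state"] = "not_affected"
    merged, readded = merge_triage(roundtrip(triage), SCAN_RESULTS, PRODUCT_REF)
    return triage, merged, readded


if __name__ == "__main__":
    edited, merged, readded = reproduce_issue()
    print("missing before merge:", missing_ids(edited, SCAN_RESULTS))
    print("re-added:", readded)
    print("missing after merge:", missing_ids(merged, SCAN_RESULTS))
```

The merge keys on the CVE id only; a real triage file may list the same CVE against several product refs, in which case the key should be the (id, affects ref) pair. Keeping the reviewer's recorded analysis state while still re-adding deleted entries is the property worth checking, since silently dropping a finding from the VEX file is how an unreviewed CVE disappears from the report.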

terriko commented 1 month ago

Definitely sounds like a bug. Not sure off the top of my head why this might happen.

@mastersans while you've been poking around in triage stuff for the refactoring, did you see anything that might have caused this?

mastersans commented 1 month ago

@terriko I am not sure what is causing this issue for now; I'll look into it while handling the improvements to the triaging process. For now I have only looked into parsing and generation in detail.

r-vdp commented 1 month ago

I've been working on this today and I may have a solution, I need to clean up the code a bit and then I'll make a PR.

r-vdp commented 1 month ago

I put up #4160 for this.