jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Get Version of artifact which is not vulnerable #1469

Closed hemanthacharya closed 5 years ago

hemanthacharya commented 5 years ago

Hi @jeremylong ,

Thanks for the great tool.

The report the tool generates lists all the vulnerable software/artifacts. But how do I find the version which is not vulnerable, so that I can update to it?

The information is critical in order to provide a patch to the vulnerable software. Please let me know.

Thanks

jeremylong commented 5 years ago

At the moment - the only way to know what to upgrade to is to use a combination of reading the NVD advisory which generally states a version or version range that is vulnerable. Then use something like the Maven Versions report or gradle-versions-plugin and determine which versions are available for upgrade.

The option I like best is, if your code is on github.com, use dependabot. Just keep everything as up to date as possible as not all vulnerabilities have a CVE (See the Snyk report on The State of Open Source Software). Dependabot will send in a PR when you are using a known vulnerable component (if the vulnerability is in one of the vulnerability repositories that they use).

hemanthacharya commented 5 years ago

Thanks for your suggestion. I have to go with the first option, where I need to read from the NVD and get the range of vulnerable software. Given that, is it possible from the tool to get all vulnerable versions of the vulnerable software, or do I have to parse the report and then query the NVD for the range?

Thanks

jeremylong commented 5 years ago

The list of vulnerable versions is in the HTML report - at the bottom of every CVE entry there is a section:

Vulnerable Software & Versions: (show all)

The show all is a button that will expand the list of vulnerable software & versions.

hemanthacharya commented 5 years ago

I am generating the report in JSON format and I do not see all the versions like in the html report. I need to be able to parse the report so I am generating in JSON format.

hemanthacharya commented 5 years ago

Hi Jeremy,

I followed your first suggestion and extended the dependency checker to get all the vulnerable versions. I did this:

For a dependency, I read the identifier to get the CPE, and then get all the CPEs for that vendor and product. E.g. for this jar: org.springframework:spring-aop:4.3.4.RELEASE, CPEs: cpe:/a:pivotal_software:spring_framework:4.3.4 and cpe:/a:pivotal:spring_framework:4.3.4. I fetched all the vulnerable versions by database.getCPEs("pivotal","spring_framework"), but I do not see version 4.3.4 in it.

Is there a reason for 2 cpes for that Jar?

could you please guide?

Thanks

jeremylong commented 5 years ago

The apparent duplicate CPEs listed are because the matching is primarily on the vendor and product (not the version number). There have been, historically, CPEs with many variations for products like Spring Framework that have had ownership changes (springsource->vmware->pivotal). The report includes all possible CPEs for the given version (not all will link to an actual CVE).

hemanthacharya commented 5 years ago

Your first statement : "The apparent duplicate CPEs listed are because the matching is primarily on the vendor and product (not the version number)"

and the last : "The report includes all possible CPEs for the given version"

are confusing. Did you mean "The report includes all possible CPEs for the given VENDOR"

jeremylong commented 5 years ago

No - I meant for the given version. See spring_framework 3.0.0 as an example:

See how the version number stays the same but the CPE vendor and product change? These all refer to the same framework.

hemanthacharya commented 5 years ago

ok got it. So if I have to get all the vulnerable versions of the spring_framework from the DB, then I have to query for all the above 3 vendor/product combinations from the DB?

hemanthacharya commented 5 years ago

Hi @jeremylong ,

Can you please confirm if this is the right thing to do to fetch all the vulnerabilities of a product?

Thanks

jeremylong commented 5 years ago

All that complexity is taken care of in ODC. In the report, when a CPE is identified, each vulnerability (i.e. CVE) has a list of affected products (it is in the report).

hemanthacharya commented 5 years ago

I want to know all the Vulnerable versions of a Product, which is not shown in the JSON report. Then I believe I should be querying the DB with the Vendor/Product combination for all cpes correct?

jeremylong commented 5 years ago

You keep saying the vulnerable versions of a product is not in the JSON report - yet it absolutely is. See the example below (look for the vulnerableSoftware section):

{
  "source": "NVD",
  "name": "CVE-2015-7940",
  "cvssScore": "5.0",
  "cvssAccessVector": "NETWORK",
  "cvssAccessComplexity": "LOW",
  "cvssAuthenticationr": "NONE",
  "cvssConfidentialImpact": "PARTIAL",
  "cvssIntegrityImpact": "NONE",
  "cvssAvailabilityImpact": "NONE",
  "severity": "Medium",
  "cwe": "CWE-200 Information Exposure",
  "description": "The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an \"invalid curve attack.\"",
  "notes": "",
  "references": [
    {
      "source": "FEDORA",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174915.html",
      "name": "FEDORA-2015-7d95466eda"
    },
    {
      "source": "SUSE",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00012.html",
      "name": "openSUSE-SU-2015:1911"
    },
    {
      "source": "MLIST",
      "url": "http://www.openwall.com/lists/oss-security/2015/10/22/9",
      "name": "[oss-security] 20151022 Re: CVE Request: invalid curve attack on bouncycastle"
    },
    {
      "source": "REDHAT",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-2036.html",
      "name": "RHSA-2016:2036"
    },
    {
      "source": "CONFIRM",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html",
      "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
    },
    {
      "source": "CONFIRM",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html",
      "name": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
    },
    {
      "source": "SECTRACK",
      "url": "http://www.securitytracker.com/id/1037053",
      "name": "1037053"
    },
    {
      "source": "BID",
      "url": "http://www.securityfocus.com/bid/79091",
      "name": "79091"
    },
    {
      "source": "CONFIRM",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html",
      "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"
    },
    {
      "source": "CONFIRM",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html",
      "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
    },
    {
      "source": "CONFIRM",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html",
      "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
    },
    {
      "source": "MISC",
      "url": "http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html",
      "name": "http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html"
    },
    {
      "source": "REDHAT",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-2035.html",
      "name": "RHSA-2016:2035"
    },
    {
      "source": "CONFIRM",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html",
      "name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
    },
    {
      "source": "UBUNTU",
      "url": "https://usn.ubuntu.com/3727-1/",
      "name": "USN-3727-1"
    },
    {
      "source": "MLIST",
      "url": "http://www.openwall.com/lists/oss-security/2015/10/22/7",
      "name": "[oss-security] 20151022 CVE Request: invalid curve attack on bouncycastle"
    },
    {
      "source": "DEBIAN",
      "url": "http://www.debian.org/security/2015/dsa-3417",
      "name": "DSA-3417"
    },
    {
      "source": "SECTRACK",
      "url": "http://www.securitytracker.com/id/1037046",
      "name": "1037046"
    },
    {
      "source": "SECTRACK",
      "url": "http://www.securitytracker.com/id/1037036",
      "name": "1037036"
    }
  ],
  "vulnerableSoftware": [
    {
      "software": "cpe:/a:bouncycastle:bouncy_castle_crypto_package:1.50",
      "allPreviousVersion": "true"
    },
    {
      "software": "cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.54"
    },
    {
      "software": "cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.55"
    },
    {
      "software": "cpe:/a:oracle:enterprise_manager_ops_center:12.1.4"
    },
    {
      "software": "cpe:/a:oracle:virtual_desktop_infrastructure:3.5.2"
    },
    {
      "software": "cpe:/a:oracle:application_testing_suite:12.5.0.3"
    },
    {
      "software": "cpe:/a:oracle:enterprise_manager_ops_center:12.2.2"
    },
    {
      "software": "cpe:/a:oracle:application_testing_suite:12.5.0.2"
    },
    {
      "software": "cpe:/a:oracle:application_testing_suite:12.5.0.1"
    }
  ]
},
hemanthacharya commented 5 years ago

Ok. Thanks for the explanation. Could you please confirm if my understanding is correct for the below example? -

For the JAR spring-core-4.3.1.RELEASE.jar, CPEs:

1. "name": "cpe:/a:pivotal:spring_framework:4.3.1", "confidence": "LOW" - I can suppress this
2. "name": "cpe:/a:pivotal_software:spring_framework:4.3.1", "confidence": "HIGHEST"

If I have to get all the vulnerable versions for pivotal_software/spring_framework, I need to collect all the vulnerableSoftware section for each item in the vulnerabilities array?

jeremylong commented 5 years ago

Why would you want to suppress CPE 1? It is a low confidence match - that ends up resulting in zero vulnerabilities. However, the NVD has previously used pivotal:spring_framework for other CVEs and it may get used again - suppressing this finding does nothing to the current report and risks introducing false negatives in the future.

hemanthacharya commented 5 years ago

ok got it.

One last clarification though. In the example you have given, and for the example I have for spring_framework, in the vulnerableSoftware I was expecting only software with spring_framework CPEs, but I also see

"vulnerableSoftware": [
  { "software": "cpe:/a:pivotal_software:spring_framework:5.0.3" },
  { "software": "cpe:/a:pivotal_software:spring_framework:5.0.4" },
  { "software": "cpe:/a:pivotal_software:spring_framework:5.0.1" },
  { "software": "cpe:/a:redhat:openshift:-" },
  ...

"software": "cpe:/a:redhat:openshift:-", is it a false negative that I should be suppressing?

Even in your example, I suppose the vulnerabilities are for the Bouncy Castle jar, but I see entries in the vulnerableSoftware for other software as well. So if I have to get all the versions for just Bouncy Castle, I should ignore the other entries?

jeremylong commented 5 years ago

The vulnerable software comes from the NVD. If you read the description of the vulnerability it likely references Redhat's Openshift. You can't suppress openshift as it is not one of the matches to the JAR in the ODC report. Openshift shows up as another affected platform.
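The workflow the thread converges on (read the matched CPEs from the JSON report, collect the vulnerableSoftware entries for those vendor/product pairs, ignore other affected platforms such as openshift, and then pick a version that none of the listed CVEs covers) as an added Python example. This is not code from dependency-check itself; the report layout it assumes (dependencies[].identifiers[] with type/name/confidence and dependencies[].vulnerabilities[].vulnerableSoftware[]) mirrors the fragments quoted above, and the sample report embedded below is constructed for the example, not real tool output. The reading of "allPreviousVersion": "true" as "the listed version and everything below it" is an assumption taken from the CVE text ("before 1.51") rather than from the project's documentation.

```python
"""Extract vulnerable versions of a matched product from an ODC JSON report.

Added example, not part of dependency-check. Report layout is assumed from the
fragments quoted in the issue thread; verify it against your ODC version.
"""
import json
from typing import Iterable, List, Optional, Set, Tuple

# Constructed report fragment for this example (not real dependency-check output).
SAMPLE_REPORT = json.loads(r'''
{
  "dependencies": [
    {
      "fileName": "bcprov-jdk15on-1.50.jar",
      "identifiers": [
        {"type": "cpe", "confidence": "HIGHEST",
         "name": "cpe:/a:bouncycastle:bouncy_castle_crypto_package:1.50"}
      ],
      "vulnerabilities": [
        {
          "name": "CVE-2015-7940",
          "vulnerableSoftware": [
            {"software": "cpe:/a:bouncycastle:bouncy_castle_crypto_package:1.50",
             "allPreviousVersion": "true"},
            {"software": "cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.54"},
            {"software": "cpe:/a:redhat:openshift:-"}
          ]
        }
      ]
    }
  ]
}
''')


def parse_cpe(cpe: str) -> Tuple[str, str, Optional[str]]:
    """Split a CPE 2.2 URI into (vendor, product, version); '-' or '*' means unspecified."""
    parts = cpe.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "/a":
        raise ValueError(f"not an application CPE: {cpe}")
    vendor, product, version = parts[2], parts[3], parts[4]
    return vendor, product, (None if version in ("-", "*", "") else version)


def version_key(version: str):
    """Sortable key: numeric segments compare as ints, everything else as strings."""
    return tuple((0, int(s)) if s.isdigit() else (1, s) for s in version.split("."))


def matched_products(dependency: dict) -> Set[Tuple[str, str]]:
    """All (vendor, product) pairs ODC matched for one dependency.

    One framework can carry several CPEs (e.g. pivotal and pivotal_software for
    Spring); all of them are collected so no vendor variant is missed.
    """
    pairs = set()
    for ident in dependency.get("identifiers", []):
        if ident.get("type") == "cpe":
            vendor, product, _ = parse_cpe(ident["name"])
            pairs.add((vendor, product))
    return pairs


def affected_versions(report: dict, products: Iterable[Tuple[str, str]]):
    """Yield (cve, version, all_previous) for vulnerableSoftware entries whose
    vendor/product is in `products`; other affected platforms are skipped."""
    wanted = set(products)
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            for entry in vuln.get("vulnerableSoftware", []):
                vendor, product, version = parse_cpe(entry["software"])
                if (vendor, product) not in wanted or version is None:
                    continue
                # ODC emits the flag as the string "true"; accept a bool as well.
                all_prev = str(entry.get("allPreviousVersion", "false")).lower() == "true"
                yield vuln["name"], version, all_prev


def cves_for_version(report: dict, products, candidate: str) -> List[str]:
    """CVEs in the report covering `candidate`: an exact version match, or a
    version at or below one flagged allPreviousVersion (assumed semantics)."""
    hits: List[str] = []
    for cve, version, all_prev in affected_versions(report, products):
        covered = candidate == version or (
            all_prev and version_key(candidate) <= version_key(version))
        if covered and cve not in hits:
            hits.append(cve)
    return hits


def first_clean_version(report: dict, products, available: Iterable[str]) -> Optional[str]:
    """Lowest available version that none of the report's CVEs covers."""
    for v in sorted(available, key=version_key):
        if not cves_for_version(report, products, v):
            return v
    return None


if __name__ == "__main__":
    dep = SAMPLE_REPORT["dependencies"][0]
    prods = matched_products(dep)
    print(dep["fileName"], "matched", sorted(prods))
    for cve, version, all_prev in affected_versions(SAMPLE_REPORT, prods):
        print(cve, version, "and all previous" if all_prev else "")
    print("upgrade target:", first_clean_version(SAMPLE_REPORT, prods, ["1.49", "1.50", "1.51", "1.52"]))
```

Two caveats when using this. The product filter is what drops entries like cpe:/a:redhat:openshift:- from the result; as noted above, those are other affected platforms from the NVD record and are not something to suppress. And a "clean" version here only means none of the CVEs matched against the scanned artifact covers it; the report does not list CVEs that affect only later versions, so the upgraded artifact still needs to be rescanned.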

hemanthacharya commented 5 years ago

Thanks for the clarification Jeremy. Appreciate your time.
