kunalnagarco / action-cve

A GitHub action that sends Dependabot Vulnerability Alerts to multiple sources.
https://github.com/marketplace/actions/check-cve
MIT License

Severity filter not working? #186

Closed mauritz-lovgren closed 2 months ago

mauritz-lovgren commented 3 months ago

Hi,

I am getting vulnerabilities with MEDIUM severity even though I have specified the following:

```yaml
jobs:
  notify-vulnerabilites:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Notify Vulnerabilities
        uses: kunalnagarco/action-cve@v1.13.2
        with:
          token: ${{ secrets.WF_READ_PKG }}
          slack_webhook: ${{ inputs.slack-webhook }}
          severity: high,critical
```

Received in my target Slack channel:

Package name: org.apache.commons:commons-compress
Vulnerability Version Range: >= 1.3, < 1.26.0
Patched Version: 1.26.0
Severity: HIGH
Summary: Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file

Package name: org.apache.james:apache-mime4j-core
Vulnerability Version Range: < 0.8.10
Patched Version: 0.8.10
Severity: MEDIUM
Summary: Apache James MIME4J improper input validation vulnerability

Package name: org.apache.commons:commons-compress
Vulnerability Version Range: >= 1.21, < 1.26.0
Patched Version: 1.26.0
Severity: HIGH
Summary: Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file

Package name: org.apache.james:apache-mime4j-storage
Vulnerability Version Range: < 0.8.9
Patched Version: 0.8.9
Severity: MEDIUM
Summary: Apache James MIME4J vulnerable to information disclosure to local users

Package name: io.netty:netty-handler
Vulnerability Version Range: < 4.1.94.Final
Patched Version: 4.1.94.Final
Severity: MEDIUM
Summary: netty-handler SniHandler 16MB allocation

Is this to be expected, or have I specified the severity attribute wrong?

jarkkotuovinen commented 3 months ago

Same here. I guess the severity is not read at all in the const severity = getInput('severity') or smth 🤔 (These might be related: https://github.com/actions/toolkit/issues/1624 https://github.com/actions/toolkit/issues/1576)

kunalnagar commented 2 months ago

@mauritz-lovgren @jarkkotuovinen - would it be possible for you folks to create a public repo to test this with?

Also, do you see the severity in the action run? Like so with another key?

jarkkotuovinen commented 2 months ago

@kunalnagar Possibly could create a public repo at some point, but I'm a bit busy atm with other stuff.

Yes, the severity is in there:

```
Run kunalnagarco/action-cve@v1.13.2
  with:
    token: 
    slack_webhook: 
    severity: critical
    email_transport_smtp_host: smtp.gmail.com
    email_transport_smtp_port: 587
    count: 20
```

kunalnagar commented 2 months ago

From my debugging, the severity is being passed through fine. However, the SDK does not seem to respect the severity. I've opened up an issue in the SDK: https://github.com/octokit/rest.js/issues/458

Hope to learn more about the issue soon. It's possible I may be missing something.

kunalnagar commented 2 months ago

@jarkkotuovinen @mauritz-lovgren Update on this thread: It seems like the culprit is an invalid value passed to the ecosystem key. I have opened up another issue in the actual GitHub API discussion section: https://github.com/orgs/community/discussions/134561

Meanwhile, I will add a null/undefined/empty check in the action - if an ecosystem value does not exist, it will not be passed along. It should resolve this issue 🙂

Edit: Feel free to review - I'll keep it open for the next few days: https://github.com/kunalnagarco/action-cve/pull/188

github-actions[bot] commented 2 months ago

:tada: This issue has been resolved in version 1.13.3 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket: