mrl5 / vulner

Discover CVEs for packages installed by the portage
Mozilla Public License 2.0

errors when package version "0" or "9999" is passed #54

Closed mrl5 closed 2 years ago

mrl5 commented 2 years ago

affected commands

vulner scan and vulner cpe

precondition

$ vulner sync

steps to reproduce

$ vulner cpe '[{"name":"ethertypes","version":"0"}]'

or

$ vulner cpe '[{"name":"ethertypes","version":"9999"}]'

expected result

{} is returned

actual result

stdout flooded with feed contents (the feed that was downloaded in the precondition step)

additional info

with vulner scan it causes a flood of HTTP 400 errors:

[2022-07-23T13:08:39Z WARN  vulner::command::scan] found CVEs for net-misc/ethertypes-0 ...
[2022-07-23T13:09:28Z ERROR vulner::command::scan] net-misc/ethertypes-0: HTTP status client error (400 Bad Request) for url (https://services.nvd.nist.gov/rest/json/cves/1.0?cpeMatchString=cpe:2.3:a:gdprinfo:cookie_notice_\\&_consent_banner_for_gdpr_\\&_ccpa_compliance:1.2.0:*:*:*:*:wordpress:*:*&apiKey=REDACTED)
[2022-07-23T13:10:12Z ERROR vulner::command::scan] net-misc/ethertypes-0: HTTP status client error (400 Bad Request) for url (https://services.nvd.nist.gov/rest/json/cves/1.0?cpeMatchString=cpe:2.3:a:smartypantsplugins:sp_project_\\&_document_manager:2.6.4.5:*:*:*:*:wordpress:*:*&apiKey=REDACTED)
[2022-07-23T13:10:36Z ERROR vulner::command::scan] net-misc/ethertypes-0: HTTP status client error (400 Bad Request) for url (https://services.nvd.nist.gov/rest/json/cves/1.0?cpeMatchString=cpe:2.3:a:joomla:joomla\\!:3.9.4:rc1:*:*:*:*:*:*&apiKey=REDACTED)
[2022-07-23T13:11:15Z ERROR vulner::command::scan] net-misc/ethertypes-0: HTTP status client error (400 Bad Request) for url (https://services.nvd.nist.gov/rest/json/cves/1.0?cpeMatchString=cpe:2.3:a:acyba:acymailing:4.2.0:*:*:*:*:joomla\\!:*:*&apiKey=REDACTED)
[2022-07-23T13:11:20Z ERROR vulner::command::scan] net-misc/ethertypes-0: HTTP status client error (400 Bad Request) for url (https://services.nvd.nist.gov/rest/json/cves/1.0?cpeMatchString=cpe:2.3:o:cisco:aironet_access_point_firmware:8.5\\(131.0\\):*:*:*:*:*:*:*&apiKey=REDACTED)
mrl5 commented 2 years ago

unfortunately this bug has additional impact, which is the subject of #55

mrl5 commented 2 years ago

root cause

in https://github.com/mrl5/vulner/blob/c1386904a7d6002d223e0b7ee1c6980f5e1bf01e/crates/cpe-tag/python/integrator.py#L5

assert run([{"name":"ethertypes","version":"0"}]) == ''

this empty string then propagates here: https://github.com/mrl5/vulner/blob/c1386904a7d6002d223e0b7ee1c6980f5e1bf01e/crates/cpe-tag/src/searchers.rs#L19-L20

so that later every line in the feed is matched ...

the best part is that it's expected behavior of ripgrep (according to this discussion: https://github.com/BurntSushi/ripgrep/discussions/2091)

and the same applies here: https://github.com/mrl5/vulner/blob/c1386904a7d6002d223e0b7ee1c6980f5e1bf01e/crates/cpe-tag/src/searchers.rs#L44

for https://docs.rs/regex/latest/regex/struct.Regex.html - I wonder if it's expected behavior: https://github.com/rust-lang/regex/discussions/896
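The failure mode described in this thread, reproduced as an added Python example (this is not vulner's code; `build_pattern`, `search_feed`, `cpe_matches` and the sample feed are constructed here, and the pattern generator only stands in for the behaviour the issue attributes to integrator.py). It shows that an empty pattern is found in every line by a regex search, that a dangling alternation such as `foo|` has the same effect, and one guard that returns an empty result instead of flooding the output.

```python
import re

# Constructed sample "feed": one CPE string per line, loosely modelled on
# the cpe:2.3 format. Not real NVD data.
FEED = [
    "cpe:2.3:a:openssl:openssl:1.1.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:openssl:openssl:3.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:joomla:joomla\\!:3.9.4:rc1:*:*:*:*:*:*",
    "cpe:2.3:o:cisco:aironet_access_point_firmware:8.5\\(131.0\\):*:*:*:*:*:*:*",
]

# Portage uses "0" for packages without a meaningful version and "9999"
# for live ebuilds; neither corresponds to an upstream release.
UNVERSIONED = {"0", "9999"}


def build_pattern(packages):
    """Stand-in pattern generator (an assumption, not vulner's integrator.py).

    Builds one alternation of ':<name>:<version>:' fragments. Packages whose
    version is an unversioned marker contribute nothing, so a list holding
    only such packages yields '' -- the situation the issue describes.
    """
    parts = [
        f":{re.escape(p['name'])}:{re.escape(p['version'])}:"
        for p in packages
        if p["version"] not in UNVERSIONED
    ]
    return "|".join(parts)


def matches_everything(pattern):
    """True if the pattern matches the empty string.

    Any pattern that matches '' is found in every line by search(): not only
    '' itself but also 'foo|' (dangling alternation) or 'x*'.
    """
    return re.search(pattern, "") is not None


def search_feed_unguarded(pattern, feed):
    """The buggy behaviour: the pattern is used as-is, so '' hits every line."""
    rx = re.compile(pattern)
    return [line for line in feed if rx.search(line)]


def search_feed(pattern, feed):
    """Guarded search: refuse any pattern that would match every line."""
    if not pattern or matches_everything(pattern):
        return []
    return search_feed_unguarded(pattern, feed)


def cpe_matches(packages, feed=FEED):
    """Map 'name-version' to matching feed lines; {} when nothing matches,
    which is the result the issue expects for version "0" or "9999"."""
    result = {}
    for p in packages:
        hits = search_feed(build_pattern([p]), feed)
        if hits:
            result[f"{p['name']}-{p['version']}"] = hits
    return result


if __name__ == "__main__":
    # Unguarded: the empty pattern returns the whole feed (the reported flood).
    print(len(search_feed_unguarded("", FEED)), "lines matched by ''")
    # Guarded: the same input yields {}.
    print(cpe_matches([{"name": "ethertypes", "version": "0"}]))
    print(cpe_matches([{"name": "openssl", "version": "1.1.1"}]))
```

Checking `re.search(pattern, "")` before running the search is a cheap way to catch the whole class of always-matching patterns rather than only the literal empty string; a caller could equally raise an error there instead of returning an empty result, depending on whether a silently skipped package or a loud failure is preferable.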