Open almaz045 opened 5 months ago
It's matching gitlab:gitlab. We recently added an exclusion to match numpy:numpy for python. Since gitlab itself is developed in ruby, this list is acceptable for pkg:gem. Let me see what could be done to sharpen the alias logic.
This commit trims some false positives using sw_edition attributes but not a lot since many NVD entries lack a value for this attribute.
https://github.com/owasp-dep-scan/dep-scan/pull/289/commits/81c980cebcb95ff74d12c0cb3c44adba42c34b4c
On vdb6, it works fine since no aliases are involved.
python vdb/cli.py --search "pkg:pypi/gitlab@1.0.2"
I can't run it this way :)
vulnerability-db-6.0.1/vdb$ python cli.py --search "pkg:pypi/gitlab@1.0.2"
Traceback (most recent call last):
  File "/home/user/Desktop/Programs/vulnerability-db-6.0.1/vdb/cli.py", line 15, in <module>
    from vdb.lib import config, db6 as db_lib, search
ImportError: cannot import name 'db6' from 'vdb.lib' (/home/user/.local/lib/python3.10/site-packages/vdb/lib/__init__.py)
When trying to install dependencies:
$ poetry install
[tool.poetry] section not found in /home/user/Desktop/Programs/vulnerability-db-6.0.1/pyproject.toml
@almaz045, use the pypi version
pip install appthreat-vulnerability-db[all]
vdb --download-image
vdb --bom bomfile
$ vdb --search "pkg:pypi/gitlab@1.0.2"
___ /\ ._ ._ | |_ ._ _ _. _|_ /--\ |_) |_) | | | | (/_ (_| |_ | |
VDB Results
┏━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━┓
┃ CVE ┃ Locator ┃ Description ┃
┡━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━┩
└─────┴─────────┴─────────────┘
Now it works well. Now I need to update vdb to 5.6.7 to avoid the previously noted FPs, or does this only work for 6.0.1?
@almaz045, 5.6.7 trims down a bit but not a lot. 6.0.1 will be used by depscan v6 which might reduce the false positives a bit more.
The fundamental issue we are dealing with is the need for aliases to match the NVD data which surprisingly has correct information for a few CVEs that are missed by both OSV and GHSA. These aliases are also resulting in false positives.
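The alias problem described in this reply and the sw_edition trimming mentioned earlier can be shown with a small ecosystem-aware matcher. This is an added example, not dep-scan's or vdb's own code: the purl parser is a minimal subset of the spec, TARGET_SW_TO_PURL_TYPE and ALIAS_ALLOWED_TYPES are assumed tables (their two alias entries, gitlab:gitlab for pkg:gem and numpy:numpy for pkg:pypi, follow the thread), and the CVE identifiers in the sample data are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# purl grammar subset handled here: pkg:type/[namespace/]name[@version]
PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<ns>[^/@]+)/)?(?P<name>[^/@]+)(?:@(?P<version>[^?#]+))?"
)


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]


def parse_purl(text: str) -> Purl:
    m = PURL_RE.match(text)
    if not m:
        raise ValueError(f"not a purl: {text}")
    return Purl(m["type"].lower(), m["ns"], m["name"].lower(), m["version"])


@dataclass(frozen=True)
class CpeMatch:
    """One CVE configuration node reduced to the fields this example consults.
    target_sw is '*' when NVD left the attribute blank, which is the common case."""
    cve: str
    vendor: str
    product: str
    version_end_excluding: Optional[str]
    target_sw: str = "*"


# Assumed mapping from a CPE target_sw value to the purl type it implies.
TARGET_SW_TO_PURL_TYPE = {"python": "pypi", "ruby": "gem", "node.js": "npm"}

# Vendor:product pairs whose name collides with a package in only some ecosystems.
# gitlab:gitlab is acceptable for pkg:gem, numpy:numpy for pkg:pypi; any other
# purl type hitting these aliases is treated as a false positive.
ALIAS_ALLOWED_TYPES = {
    ("gitlab", "gitlab"): {"gem"},
    ("numpy", "numpy"): {"pypi"},
}


def _vtuple(version: str) -> tuple:
    # Numeric dotted versions only; non-numeric parts sort as 0.
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def ecosystem_compatible(purl: Purl, entry: CpeMatch) -> bool:
    implied = TARGET_SW_TO_PURL_TYPE.get(entry.target_sw.lower())
    if implied is not None:
        return implied == purl.type      # NVD stated the ecosystem
    allowed = ALIAS_ALLOWED_TYPES.get((entry.vendor, entry.product))
    if allowed is not None:
        return purl.type in allowed      # curated exclusion list
    return True                          # unknown: keep it, at the risk of a FP


def matches(purl: Purl, entry: CpeMatch) -> bool:
    if purl.name != entry.product.lower():
        return False
    if not ecosystem_compatible(purl, entry):
        return False
    if purl.version and entry.version_end_excluding:
        return _vtuple(purl.version) < _vtuple(entry.version_end_excluding)
    return True


def find_cves(purl_text: str, entries) -> list:
    purl = parse_purl(purl_text)
    return [e.cve for e in entries if matches(purl, e)]


# Constructed sample data; the CVE identifiers are placeholders, not real records.
SAMPLE_ENTRIES = [
    CpeMatch("CVE-EXAMPLE-0001", "gitlab", "gitlab", "16.0.0"),          # target_sw blank
    CpeMatch("CVE-EXAMPLE-0002", "gitlab", "gitlab", "4.0.0", "ruby"),
    CpeMatch("CVE-EXAMPLE-0003", "numpy", "numpy", "1.22.0", "python"),
]

if __name__ == "__main__":
    for p in ("pkg:pypi/gitlab@1.0.2", "pkg:gem/gitlab@1.0.2", "pkg:pypi/numpy@1.21.0"):
        print(p, "->", find_cves(p, SAMPLE_ENTRIES))
```

With these tables pkg:pypi/gitlab@1.0.2 matches nothing, while the same name under pkg:gem still picks up both gitlab:gitlab entries; the last branch of ecosystem_compatible is where the remaining false positives come from, because an NVD node with a blank target_sw and no curated alias entry cannot be told apart from a genuine hit.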
PURL of wrongly matched component
pkg:pypi/gitlab@1.0.2
Depscan findings
P.S. The latest version of pypi/gitlab is 1.0.2 (https://pypi.org/project/gitlab/1.0.2/#history). But depscan thinks that this pypi package version == the gitlab version, when it is just a pypi package version, which we can't directly map to the gitlab version.