Closed: HenrikBach1 closed this issue 3 years ago
Hi Henrik
From the output, I notice that cvechecker detects that you have bzip2 version 1.0.8, and coreutils 8.30.
The CVEs for bzip2 and coreutils seem to only focus on lower versions: coreutils up to 8.23 and bzip2 up to 1.0.6. Hence, cvechecker assumes that these vulnerabilities are not applicable to your system (as your system has higher versions installed).
If your system is vulnerable to these CVEs, then cvechecker might have incorrectly identified the installed versions (for either bzip2 or coreutils). But before we look into that, let's first confirm if the detected versions are indeed OK and which CVEs specifically you would expect to still be listed as vulnerabilities on your system.
Hi Sven
First of all, I'm trying to learn all this security stuff and the behavior of the cvechecker. So I apologize for my misunderstandings.
Can you please give me some hints to understand the fields of a CVE:
| # | Product Type | Vendor | Product | Version | Update | Edition | Language |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | Application | GNU | Coreutils | * | * | * | * |
and
| # | Product Type | Vendor | Product | Version | Update | Edition | Language |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | Application | Bzip | Bzip2 | * | * | * | * |
| 2 | Application | Bzip | Bzip2 | 0.9 A | * | * | * |
| ... | | | | | | | |

Especially, how to interpret the rows of the Version field.
Hi Henrik
No apologies needed, I should've documented it when I was working on it.
The rows themselves are not representing CVEs but CPEs. A CPE is a "Common Platform Enumeration" and is an identifier for an asset (software title, operating system, appliance or something else). These CPEs are used by CVEs to structurally identify for which software a vulnerability is applicable.
For instance, if we take a look at CVE-2017-18018 (https://www.cvedetails.com/cve/CVE-2017-18018/), you will notice "Products affected by CVE-2017-18018" which has the exact structure as you find in the database.
The version field in such a CPE is the version as it is published by the vendor or project. As each project can decide for themselves how to approach versioning, CVE/CPE does not try to standardize here, it just asks for a version.
With the CVE definitions, we then refer to these CPEs to state if something is vulnerable or not. While in the past, CVEs had to explicitly iterate over all the CPEs affected, recent CVE standards allow for expressions (such as "any version less than 0.9 A").
Finally, if you see an asterisk (*) in a field, then it means "any". So a CPE identifier with "*" in the version means "any version of this product".
If you want to go through the nitty gritty details of CPE, you can check out https://nvd.nist.gov/products/cpe.
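As an added illustration of the matching Sven describes above (this is not cvechecker's own code, and the CVE ids and affected-version rules are constructed placeholders): a small matcher over rows like the tables above, where "*" means any version and a range rule covers every version up to the stated one. It also shows why versions have to be compared token by token rather than as plain strings.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added, hypothetical mini-matcher (not cvechecker's own code) for the CPE rows in
# the tables above: "*" means "any", a plain value means that exact version, and a
# range expression means every version up to (and including) the stated one.

def version_key(version: str):
    """Tokenize a version so digits compare numerically: '8.30' > '8.9', and the
    bzip2 row '0.9 A' sorts just after '0.9'. Tags keep int and str apart."""
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower()) for t in tokens)

@dataclass
class AffectedRule:
    vendor: str
    product: str
    version: str = "*"                          # exact version, or "*" for "any"
    version_end_including: Optional[str] = None # range form: affected if <= this

def rule_matches(rule: AffectedRule, vendor: str, product: str, version: str) -> bool:
    """Does an installed (vendor, product, version) fall under this CPE rule?"""
    if (rule.vendor, rule.product) != (vendor.lower(), product.lower()):
        return False
    if rule.version_end_including is not None:
        return version_key(version) <= version_key(rule.version_end_including)
    return rule.version == "*" or version_key(rule.version) == version_key(version)

def affected_cves(rules_by_cve: Dict[str, List[AffectedRule]],
                  vendor: str, product: str, version: str) -> List[str]:
    """CVE ids whose affected-product rules match the installed package."""
    return sorted(cve for cve, rules in rules_by_cve.items()
                  if any(rule_matches(r, vendor, product, version) for r in rules))

# Constructed sample rules (placeholder ids, not real CVE data): coreutils affected up
# to 8.23, bzip2 affected up to 1.0.6, plus the "*" bzip2 row that matches any version.
SAMPLE_RULES = {
    "CVE-CONSTRUCTED-0001": [AffectedRule("gnu", "coreutils", version_end_including="8.23")],
    "CVE-CONSTRUCTED-0002": [AffectedRule("bzip", "bzip2")],
    "CVE-CONSTRUCTED-0003": [AffectedRule("bzip", "bzip2", version_end_including="1.0.6")],
}

if __name__ == "__main__":
    print(affected_cves(SAMPLE_RULES, "GNU", "Coreutils", "8.30"))   # []
    print(affected_cves(SAMPLE_RULES, "Bzip", "Bzip2", "1.0.8"))     # ['CVE-CONSTRUCTED-0002']
```

With these rules coreutils 8.30 sits above the 8.23 cut-off and bzip2 1.0.8 above 1.0.6, so only the "*" row fires, which is the behaviour described for the real output above.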
Hi
I need help to understand why the `cvechecker -rC` command isn't reporting any vulnerabilities. I know that the bzip/bzip2 or, better yet, coreutils 8.30 application has reported CVEs (https://www.cvedetails.com/version/390343/Bzip-Bzip2--.html and https://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-5075/year-2020/opdos-1/GNU-Coreutils.html). What am I doing wrong?