smartdevicelink / bson_c_lib

Library for converting a map to and from BSON format
BSD 3-Clause "New" or "Revised" License

iOS Aegis vulnerability scan mixing this library with GNU Bison lib #60

Closed answerquest closed 1 year ago

answerquest commented 1 year ago

This lib on cocoapods: https://cocoapods.org/pods/BiSON

Aegis scan on our IPA that contains the SmartDeviceLink lib (and I guess this one too as a dependency) has flagged a high vulnerability as follows:

| Field | Value |
| --- | --- |
| COMPONENT | BiSON |
| COMPONENT_VERSION | 1.2.5 |
| CVE_CODE | CVE-2020-14150 |
| CVSS_2_SCORE | 2.1 |
| CVSS_3_SCORE | 5.5 |
| CVE_DESCRIPTON | GNU Bison before 3.5.4 allows attackers to cause a denial of service (application crash). NOTE: there is a risk only if Bison is used with untrusted input, and an observed bug happens to cause unsafe behavior with a specific compiler/architecture. The bug reports were intended to show that a crash may occur in Bison itself, not that a crash may occur in code that is generated by Bison. |
| CWE_CODE | NVD-CWE-noinfo |
| CVE_PUBLISHED_DATE | 2020-06-15 |

So it's mixed up one lib with another due to the identical naming of this lib in cocoapods.

What can be done here?

It's generally not a good idea to keep your lib's name exactly the same as a pre-existing lib's name.

joeygrover commented 1 year ago

Searching on cocoapods, this project is the only library named BiSON available. It is never going to be possible to avoid every naming collision with all other libraries that exist, but on cocoapods this project owns the name. Therefore it seems the tool itself should have an issue reported that it has incorrectly identified a library.