From 4bf87be640005505bea7236bf99f44963ce40326 Mon Sep 17 00:00:00 2001
From: Will Murphy
Date: Thu, 7 Dec 2023 15:31:45 -0500
Subject: [PATCH 1/3] track example transformations
Signed-off-by: Will Murphy
---
 transforms/github/GHSA-prp9-9gxw-38j8.json | 73 ++++++++++++++++++++++
 transforms/nvd/CVE-2017-8806.json | 64 +++++++++++++++++++
 2 files changed, 137 insertions(+)
 create mode 100644 transforms/github/GHSA-prp9-9gxw-38j8.json
 create mode 100644 transforms/nvd/CVE-2017-8806.json
diff --git a/transforms/github/GHSA-prp9-9gxw-38j8.json b/transforms/github/GHSA-prp9-9gxw-38j8.json
new file mode 100644
index 00000000..944a5006
--- /dev/null
+++ b/transforms/github/GHSA-prp9-9gxw-38j8.json
@@ -0,0 +1,73 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-prp9-9gxw-38j8",
+ "modified": "2023-01-29T05:06:34Z",
+ "published": "2022-05-24T19:05:32Z",
+ "aliases": [
+ "CVE-2020-9493"
+ ],
+ "summary": "Apache Chainsaw deserialization flaw",
+ "details": "A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "log4j:apache-chainsaw"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.1.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9493"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/apache/logging-chainsaw"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.apache.org/thread.html/r50d389c613ba6062a26aa57e163c09bfee4ff2d95d67331d75265b83@%3Cannounce.apache.org%3E"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.openwall.com/lists/oss-security/2021/06/16/1"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2021/06/16/1"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2022/01/18/5"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2021-06-16T08:15:00Z"
+ }
+}
\ No newline at end of file
diff --git a/transforms/nvd/CVE-2017-8806.json b/transforms/nvd/CVE-2017-8806.json
new file mode 100644
index 00000000..74ba3119
--- /dev/null
+++ b/transforms/nvd/CVE-2017-8806.json
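Review bot: This github example is a complete OSV record, whereas the nvd example added in the same patch is a `{"comment", "changes"}` wrapper that states only what is overridden and why, so the two transform directories use different shapes and this file carries no comment saying which transformation it is meant to exercise. If the intent is a full replacement of the upstream advisory, wrapping it the same way as the nvd file, e.g. `"comment": "<reason-placeholder>"` alongside the record, would let a reader and the eventual loader tell a replacement from a partial change without guessing from the directory name.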
@@ -0,0 +1,64 @@
+{
+ "comment": "upstream has incorrect CPEs; change configurations array to be correct",
+ "changes": {
+ "configurations": [
+ {
+ "operator": "AND",
+ "nodes": [
+ {
+ "operator": "OR",
+ "negate": false,
+ "cpeMatch": [
+ {
+ "vulnerable": true,
+ "criteria": "cpe:2.3:a:postgresql:postgresql:-:*:*:*:*:debian:*:*",
+ "matchCriteriaId": "0C9B105E-91CA-4D33-B60B-6CF6BFFEEB55"
+ },
+ {
+ "vulnerable": true,
+ "criteria": "cpe:2.3:a:postgresql:postgresql:-:*:*:*:*:ubuntu:*:*",
+ "matchCriteriaId": "297620F7-BBB5-43EC-B792-1DE5097052AC"
+ }
+ ]
+ },
+ {
+ "operator": "OR",
+ "negate": false,
+ "cpeMatch": [
+ {
+ "vulnerable": false,
+ "criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
+ "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084"
+ },
+ {
+ "vulnerable": false,
+ "criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
+ "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B"
+ },
+ {
+ "vulnerable": false,
+ "criteria": "cpe:2.3:o:canonical:ubuntu_linux:17.04:*:*:*:*:*:*:*",
+ "matchCriteriaId": "588D4F37-0A56-47A4-B710-4D5F3D214FB9"
+ },
+ {
+ "vulnerable": false,
+ "criteria": "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*",
+ "matchCriteriaId": "9070C9D8-A14A-467F-8253-33B966C16886"
+ },
+ {
+ "vulnerable": false,
+ "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
+ "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43"
+ },
+ {
+ "vulnerable": false,
+ "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
+ "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+}
From 7691244438203ae18103b3ec3c8fb69d3f84ae00 Mon Sep 17 00:00:00 2001
From: Will Murphy
Date: Thu, 7 Dec 2023 15:43:32 -0500
Subject: [PATCH 2/3] WIP: simple working NVD changer
Signed-off-by: Will Murphy
---
 src/vunnel/providers/nvd/manager.py | 19 +++++++++++++++++++
 transforms/github/GHSA-prp9-9gxw-38j8.json | 2 +-
 2 files changed, 20 insertions(+), 1 deletion(-)
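Review bot: The `comment` says upstream has incorrect CPEs but not what was wrong or where the replacement criteria come from, and because `changes.configurations` replaces the whole upstream configurations array, a reader has no way to check the six `matchCriteriaId` values or the two `vulnerable: true` postgresql entries against a source. Extending the comment to name that source, e.g. `"comment": "upstream has incorrect CPEs; change configurations array to be correct (source: <reference-placeholder>)"`, would make the override auditable when upstream data is later refreshed.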
diff --git a/src/vunnel/providers/nvd/manager.py b/src/vunnel/providers/nvd/manager.py
index 19c85b78..afaa6f57 100644
--- a/src/vunnel/providers/nvd/manager.py
+++ b/src/vunnel/providers/nvd/manager.py
@@ -5,6 +5,8 @@
 import os
 from typing import TYPE_CHECKING, Any
+import orjson
+
 from .api import NvdAPI
 if TYPE_CHECKING:
@@ -79,5 +81,22 @@ def _download_updates(self, last_updated: datetime.datetime) -> Generator[tuple[
 def _unwrap_records(self, response: dict[str, Any]) -> Generator[tuple[str, dict[str, Any]], Any, None]:
 for vuln in response["vulnerabilities"]:
 cve_id = vuln["cve"]["id"]
+ overrides = self._get_ovverides_for_id(cve_id)
+ if "cve" in vuln:
+ vuln["cve"].update(overrides)
 year = cve_id.split("-")[1]
 yield os.path.join(year, cve_id), vuln
+
+ def _get_ovverides_for_id(self, vuln_id: str) -> dict:
+ override_path = os.path.join("transforms", "nvd", f"{vuln_id}.json".lower())
+ changes = {}
+ try:
+ with open(override_path) as f:
+ j = orjson.loads(f.read())
+ if "comment" in j:
+ self.logger.info(f"Applying changes to {vuln_id} because of {j['comment']}")
+ if "changes" in j:
+ changes = j["changes"]
+ except FileNotFoundError:
+ pass
+ return changes
diff --git a/transforms/github/GHSA-prp9-9gxw-38j8.json b/transforms/github/GHSA-prp9-9gxw-38j8.json
index 944a5006..69189ec1 100644
--- a/transforms/github/GHSA-prp9-9gxw-38j8.json
+++ b/transforms/github/GHSA-prp9-9gxw-38j8.json
@@ -70,4 +70,4 @@
 "github_reviewed_at": null,
 "nvd_published_at": "2021-06-16T08:15:00Z"
 }
-}
\ No newline at end of file
+}
From c9aaa56193ced79e5a0bb163d18e1c43f7e4b941 Mon Sep 17 00:00:00 2001
From: Will Murphy
Date: Fri, 8 Dec 2023 10:09:47 -0500
Subject: [PATCH 3/3] WIP: example gh changes
Signed-off-by: Will Murphy
---
 src/vunnel/providers/nvd/manager.py | 2 +-
 transforms/github/changes.yaml | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 transforms/github/changes.yaml
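Review bot: `_get_ovverides_for_id` lowercases the file name, `f"{vuln_id}.json".lower()`, so CVE-2017-8806 is looked up as `cve-2017-8806.json` while the override committed in PATCH 1/3 is `transforms/nvd/CVE-2017-8806.json`; on a case-sensitive filesystem the file is never found and the `except FileNotFoundError: pass` branch silently skips the override. Either drop `.lower()` or commit the transform files lowercased, and consider a debug-level log when no override exists so a misnamed file is noticeable. The path is also relative to the current working directory rather than anchored to the repository or the provider's configured root, and `vuln_id` comes straight from the upstream response and is interpolated into a filesystem path, so validating it against the expected `CVE-YYYY-NNNN` shape before building the path would keep an unexpected id from resolving outside `transforms/nvd`. In `_unwrap_records` the guard `if "cve" in vuln:` is dead because `vuln["cve"]["id"]` has already been dereferenced two lines earlier; move the guard above that access or remove it. The method name misspells "overrides" and PATCH 3/3 keeps the misspelling when it retouches the signature; `_get_overrides_for_id` would be the expected name.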
diff --git a/src/vunnel/providers/nvd/manager.py b/src/vunnel/providers/nvd/manager.py
index afaa6f57..4f201c61 100644
--- a/src/vunnel/providers/nvd/manager.py
+++ b/src/vunnel/providers/nvd/manager.py
@@ -87,7 +87,7 @@ def _unwrap_records(self, response: dict[str, Any]) -> Generator[tuple[str, dict
 year = cve_id.split("-")[1]
 yield os.path.join(year, cve_id), vuln
- def _get_ovverides_for_id(self, vuln_id: str) -> dict:
+ def _get_ovverides_for_id(self, vuln_id: str) -> dict[str, Any]:
 override_path = os.path.join("transforms", "nvd", f"{vuln_id}.json".lower())
 changes = {}
 try:
diff --git a/transforms/github/changes.yaml b/transforms/github/changes.yaml
new file mode 100644
index 00000000..ea500d2c
--- /dev/null
+++ b/transforms/github/changes.yaml
@@ -0,0 +1,8 @@
+# pretend the following PRs were merged
+include-prs:
+ - https://github.com/github/advisory-database/pull/2630
+
+# assuming the following GHSAs were reviewed, even if they
+# are not returned by the API
+assume-reviewed:
+ - GHSA-some-asdf
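Review bot: `assume-reviewed` ships with the placeholder id `GHSA-some-asdf`, which anything that eventually reads this file would treat as a genuinely reviewed advisory; replace it with a real id or an empty list before the series leaves WIP. `include-prs` identifies content only by a PR URL, and a pull request's head can change until it is merged, so if the loader fetches the PR content at run time the transform output would depend on a mutable remote; recording the PR head commit or vendoring the patch next to this file would keep the transformation reproducible and reviewable. No consumer of this file appears in the series, so these are inferences about intended use.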