bug: application should not use nvd statistics when nvd is disabled or nvd is using api2 #3801
Comments
I'm looking into this
@mulder999 Seems like I am not able to produce the same ServerTimeoutError, as I am getting the expected behavior with SBOM generation without any report of vulnerabilities. At first, the problem seemed to be in error handling where, if the NVD data source is disabled, the application should not attempt to download NVD statistics. But, despite blocking the access to nvd.nist.gov, the exception seems to be handled already. Do update me if I am missing something.
I don't think we ever built the code to disable NVD the way the other sources can be disabled. As in, I was surprised to discover that it's even being listed as an option, because I remember having a conversation about how disabling it probably wouldn't work because of the database setup, so we shouldn't make it an option. I'd have to do some digging to see when it was made an option and whether anyone actually plumbed it through or whether it was a mistake in the argparse setup. That said, you're right that this is a bug. We either need to fix the disabling or accept that we shouldn't be providing it as an option. I think there have been enough changes that it should be possible to disable NVD correctly now, but it may be harder than it is for the other data sources. Short term workaround: try
@Mayankrai449 are you using an NVD_API_KEY in your testing and using API2? If you don't set a key, you're actually using the mirror and not talking to NVD directly, which might be why you're not seeing the issue.
@mulder999 okay, I took a quick peek and there is no code for disabling NVD. In fact, it's explicitly added as a default source, so the opposite is happening. If anyone's interested in working on this, take a look around line 695 in cli.py (cve-bin-tool/cve_bin_tool/cli.py, lines 695 to 700 in b4feb03).
You'll want to try checking if NVD is disabled and doing the right thing there, similar to the other sources. It MAY break things in unexpected ways, but it might just work smoothly; won't know until you try or you read through every single place the
@terriko I actually used my own requested NVD_API key. I will look into this bug and help with an appropriate way of handling the disabling of NVD.
@terriko After modification, NVD will no longer be added as default_source if it is in disabled_sources list. Do update if more changes are needed, I'd like to work on it. |
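The two comments above describe the bug (NVD is unconditionally appended as a default source, so `--disable-data-source NVD` has no effect) and the fix (only add NVD when it is not in the disabled list). The following is an added, self-contained illustration of that selection logic, not cve-bin-tool's own cli.py; the function names, `KNOWN_SOURCES` and the no-scan decision are assumptions made for the example.

```python
"""Hypothetical reconstruction of data-source selection (not cve-bin-tool code).

Demonstrates why `--disable-data-source NVD` was ignored and what honouring it
looks like, using the source names from the issue's reproduction command.
"""

# Assumed set of source names; these are the ones listed in the issue's command line.
KNOWN_SOURCES = ("NVD", "OSV", "GAD", "CURL", "REDHAT")


def parse_disabled(arg: str) -> set:
    """Parse the comma-separated --disable-data-source value, case-insensitively,
    rejecting names that are not known sources."""
    names = {s.strip().upper() for s in arg.split(",") if s.strip()}
    unknown = names - set(KNOWN_SOURCES)
    if unknown:
        raise ValueError(f"unknown data source(s): {sorted(unknown)}")
    return names


def select_sources_buggy(disabled: set) -> list:
    """Behaviour reported in the issue: every other source honours the flag,
    but NVD is always added, so NVD statistics are still downloaded."""
    enabled = [s for s in KNOWN_SOURCES if s != "NVD" and s not in disabled]
    enabled.insert(0, "NVD")  # unconditional default, ignoring `disabled`
    return enabled


def select_sources_fixed(disabled: set) -> list:
    """Fix described in the thread: NVD is treated like any other source and
    only becomes a default when it has not been disabled."""
    return [s for s in KNOWN_SOURCES if s not in disabled]


def should_scan(enabled: list) -> bool:
    """No-scan mode (assumed): with no data sources left, generate only the
    SBOM and skip vulnerability lookup instead of printing 'no CVEs' reports."""
    return len(enabled) > 0


if __name__ == "__main__":
    disabled = parse_disabled("NVD,OSV,GAD,CURL,REDHAT")
    print("buggy:", select_sources_buggy(disabled))          # ['NVD']
    print("fixed:", select_sources_fixed(disabled))          # []
    print("scan?:", should_scan(select_sources_fixed(disabled)))  # False
```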
@terriko in fact the offline mode turned out to be a chicken-and-egg problem for me, because it mandates a database, and exports also presume access to NVD. I believe an interesting feature request would be to be able to generate only the SBOM, i.e. have the possibility to optionally disable the vulnerability analysis completely, as this could be performed later through other central vulnerability management tools (e.g. Dependency-Track).
@mulder999 Do you mind if I ask: why use cve-bin-tool for generating sboms if you're not intending to use it for scanning? I'd like to understand the use case better. I had long assumed that people would use more established tools for SBOM generation -- are we doing something that isn't being provided by other tools that we should be making sure we keep doing? |
This auto-closed because #3814 should provide the requested functionality, but I'm going to re-open it while we work on adding tests. |
@terriko Extracting an SBOM from a binary is an exceptionally valuable feature, in my opinion. I utilize a variety of tools and also endeavor to modestly gather and share knowledge around the OSS SBOM extraction tools that can be leveraged for various tasks. As of now, I am not aware of any other concurrent tool to work with binaries in the OSS community. Please keep it!
I tested again with version 3.3, and it is still not possible to successfully disable NVD, making the whole tool virtually unusable unfortunately. Also the tool calls Here is the stack trace:
Thanks for the updated report. Sounds like we've got more work to do here. |
Oh, and while we're definitely intending to fix things so NVD can be properly disabled, I've also started a brainstorming thread on what a more complete no-scan mode would need (e.g. making sure we don't print a bunch of "this has no cves" reports if no data sources were enabled, that sort of thing). If you've got any wishlist items you'd like to stick in there, we'd love to know about them!
Description
The application attempts to download NVD statistics despite NVD being disabled or NVD being configured to use API v2.
To reproduce
Steps to reproduce the behaviour:
1. nvd.nist.gov (or briefly saturate them with requests so that your IP gets a temporary ban)
2. Run this command:
cve-bin-tool --disable-data-source "NVD,OSV,GAD,CURL,REDHAT" --nvd api2 --nvd-api-key <key> --sbom-type cyclonedx --sbom-output application.sbom.json application.apk
Expected behaviour:
SBOM is generated without any report of vulnerabilities
Actual behaviour:
Application crashes with a ServerTimeoutError.
Version/platform info
Version of CVE-bin-tool: 3.2.1.
Platform is completely irrelevant; here is some docker config you might want to use as a starting point:
Run with:
mkdir -p ./data; touch ./data/application.apk; docker compose run --rm cvebintool
REM: The application is crashing before reaching the apk file. Feel free to use some real binary file for a more realistic case.