
fix: missing entries in triage file are not added again from SBOM file #4158

Closed
r-vdp opened this issue Jun 3, 2024 · 4 comments · Fixed by #4160
Labels
bug Something isn't working
Comments

r-vdp (Contributor) commented Jun 3, 2024

Description

I have a CycloneDX SBOM file like this one, with only one component to keep it short:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "serialNumber": "urn:uuid:ca34e20e-90c2-4e59-1496-1918d361b92e",
  "metadata": {
    "tools": [
      {
        "vendor": "nikstur",
        "name": "bombon",
        "version": "0.2.0"
      }
    ],
    "component": {
      "type": "application",
      "bom-ref": "glmbkr6i7n6flk6sy3xcinnnqpk8c5lw-nixos-system-devNet-reserve-controller-23.11pre-git",
      "name": "nixos-system-devNet-reserve-controller-23.11pre-git",
      "version": "",
      "scope": "required",
      "purl": "pkg:nix/nixos-system-devNet-reserve-controller-23.11pre-git@"
    }
  },
  "components": [
    {
      "type": "application",
      "bom-ref": "1zy01hjzwvvia6h9dq5xar88v77fgh9x-glibc-2.38-44",
      "name": "glibc",
      "version": "2.38",
      "description": "The GNU C Library",
      "scope": "required",
      "licenses": [
        {
          "license": {
            "id": "LGPL-2.0-or-later"
          }
        }
      ],
      "purl": "pkg:nix/glibc@2.38",
      "externalReferences": [
        {
          "type": "vcs",
          "url": "https://ftpmirror.gnu.org/glibc/glibc-2.38.tar.xz",
          "hashes": [
            {
              "alg": "SHA-256",
              "content": "fb82998998b2b29965467bc1b69d152e9c307d2cf301c9eafb4555b770ef3fd2"
            }
          ]
        },
        {
          "type": "website",
          "url": "https://www.gnu.org/software/libc/"
        }
      ]
    }
  ]
}

I then run cve-bin-tool and generate a triage file with:

cve-bin-tool --sbom cyclonedx --sbom-file sbom.json --severity high --vex triage.vex

and I get the following triage file with 4 vulnerabilities listed:

{
   "bomFormat": "CycloneDX",
   "specVersion": "1.4",
   "version": 1,
   "vulnerabilities": [
      {
         "id": "CVE-2023-4911",
         "source": {
            "name": "NVD",
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4911"
         },
         "ratings": [
            {
               "source": {
                  "name": "NVD",
                  "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2023-4911&vector=CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H&version=3.1"
               },
               "score": 7.8,
               "severity": "high",
               "method": "CVSSv3",
               "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
            }
         ],
         "description": "A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.",
         "recommendation": "",
         "advisories": [],
         "created": "NOT_KNOWN",
         "published": "NOT_KNOWN",
         "updated": "",
         "analysis": {
            "state": "in_triage",
            "response": [],
            "detail": "NewFound"
         },
         "affects": [
            {
               "ref": "urn:cbt:1/gnu#glibc:2.38"
            }
         ]
      },
      {
         "id": "CVE-2023-5156",
         "source": {
            "name": "NVD",
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5156"
         },
         "ratings": [
            {
               "source": {
                  "name": "NVD",
                  "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2023-5156&vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1"
               },
               "score": 7.5,
               "severity": "high",
               "method": "CVSSv3",
               "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            }
         ],
         "description": "A flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash.",
         "recommendation": "",
         "advisories": [],
         "created": "NOT_KNOWN",
         "published": "NOT_KNOWN",
         "updated": "",
         "analysis": {
            "state": "in_triage",
            "response": [],
            "detail": "NewFound"
         },
         "affects": [
            {
               "ref": "urn:cbt:1/gnu#glibc:2.38"
            }
         ]
      },
      {
         "id": "CVE-2023-6246",
         "source": {
            "name": "NVD",
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6246"
         },
         "ratings": [
            {
               "source": {
                  "name": "NVD",
                  "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2023-6246&vector=CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H&version=3.1"
               },
               "score": 7.8,
               "severity": "high",
               "method": "CVSSv3",
               "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
            }
         ],
         "description": "A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.",
         "recommendation": "",
         "advisories": [],
         "created": "NOT_KNOWN",
         "published": "NOT_KNOWN",
         "updated": "",
         "analysis": {
            "state": "in_triage",
            "response": [],
            "detail": "NewFound"
         },
         "affects": [
            {
               "ref": "urn:cbt:1/gnu#glibc:2.38"
            }
         ]
      },
      {
         "id": "CVE-2023-6779",
         "source": {
            "name": "NVD",
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6779"
         },
         "ratings": [
            {
               "source": {
                  "name": "NVD",
                  "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2023-6779&vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1"
               },
               "score": 7.5,
               "severity": "high",
               "method": "CVSSv3",
               "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            }
         ],
         "description": "An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. This issue affects glibc 2.37 and newer.",
         "recommendation": "",
         "advisories": [],
         "created": "NOT_KNOWN",
         "published": "NOT_KNOWN",
         "updated": "",
         "analysis": {
            "state": "in_triage",
            "response": [],
            "detail": "NewFound"
         },
         "affects": [
            {
               "ref": "urn:cbt:1/gnu#glibc:2.38"
            }
         ]
      }
   ]
}

If I then remove one of the vulnerabilities manually and run the same command with the triage file,

cve-bin-tool --sbom cyclonedx --sbom-file sbom.json --severity high --triage-file triage.vex --vex triage.vex

the removed vulnerability is not added again to the triage file.

To reproduce

See above.

Expected behaviour: missing entries are added again
Actual behaviour: missing entries are not added again

Version/platform info

Version of CVE-bin-tool (e.g. output of cve-bin-tool --version): 3.3
Installed from pypi or github? from nixpkgs
Operating system: Linux framework 6.9.3 #1-NixOS SMP PREEMPT_DYNAMIC Thu May 30 07:45:04 UTC 2024 x86_64 GNU/Linux
Python version: Python 3.11.9

Anything else?

@r-vdp r-vdp added the bug Something isn't working label Jun 3, 2024
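The merge the reporter expects, written out as an added example (not cve-bin-tool's own code): a fresh scan is rebuilt into a CycloneDX VEX triage document, entries already in the triage file keep their analyst's decision, and entries that were removed by hand (here CVE-2023-5156) are added back as NewFound. The two documents are constructed samples with only the fields the merge needs; the "affects" ref is the one from the report above.

```python
from copy import deepcopy

NEW_FOUND = {"state": "in_triage", "response": [], "detail": "NewFound"}
GLIBC_REF = "urn:cbt:1/gnu#glibc:2.38"  # the ref cve-bin-tool used in the report above

def finding(cve_id, analysis=None):
    """Constructed minimal CycloneDX VEX entry (real output carries more fields)."""
    return {"id": cve_id, "affects": [{"ref": GLIBC_REF}],
            "analysis": deepcopy(analysis or NEW_FOUND)}

# Constructed sample: the triage file after CVE-2023-5156 was removed by hand,
# with CVE-2023-4911 already assessed by an analyst.
EXISTING_TRIAGE = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "vulnerabilities": [
        finding("CVE-2023-4911", {"state": "not_affected", "response": ["will_not_fix"],
                                  "detail": "no SUID binaries on this image"}),
        finding("CVE-2023-6246"),
        finding("CVE-2023-6779"),
    ],
}

# Constructed sample: what a fresh scan of the SBOM reports (all four CVEs).
FRESH_SCAN = [finding(c) for c in
              ("CVE-2023-4911", "CVE-2023-5156", "CVE-2023-6246", "CVE-2023-6779")]

def finding_key(vuln):
    """A finding is the CVE id plus the sorted set of affected component refs."""
    return (vuln["id"], tuple(sorted(a["ref"] for a in vuln.get("affects", []))))

def merge_triage(existing, fresh):
    """Rebuild the triage document from the fresh scan: every current finding is
    kept, findings already in the triage file keep the analyst's 'analysis'
    block, and the rest (including entries deleted from the file) come back as
    in_triage/NewFound. Returns (merged_document, ids_added_back)."""
    known = {finding_key(v): v for v in existing.get("vulnerabilities", [])}
    merged, added = [], []
    for item in fresh:
        entry = deepcopy(item)
        previous = known.get(finding_key(item))
        if previous is None:           # missing from the triage file: add it back
            entry["analysis"] = deepcopy(NEW_FOUND)
            added.append(item["id"])
        else:                          # already triaged: never overwrite the decision
            entry["analysis"] = deepcopy(previous["analysis"])
        merged.append(entry)
    doc = {k: v for k, v in existing.items() if k != "vulnerabilities"}
    doc["vulnerabilities"] = merged
    return doc, added
```

Returning the list of re-added ids separately makes the silent-drop behaviour from the report visible: an empty list on a scan that found something new is exactly the symptom described above.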
terriko (Contributor) commented Jun 4, 2024

Definitely sounds like a bug. Not sure off the top of my head why this might happen.

@mastersans while you've been poking around in triage stuff for the refactoring, did you see anything that might have caused this?

@terriko terriko added this to the future milestone Jun 4, 2024
mastersans (Contributor) commented Jun 4, 2024

@terriko I am not sure what is causing this issue for now. I'll look into it while handling the improvements to the triaging process; for now I have only looked into parsing and generation in detail.

r-vdp (Contributor, Author) commented Jun 4, 2024

I've been working on this today and I may have a solution, I need to clean up the code a bit and then I'll make a PR.

r-vdp (Contributor, Author) commented Jun 4, 2024

I put up #4160 for this.
