Description
I have a CycloneDX SBOM file like this one, with only one component to keep it short:
I then run cve-bin-tool and generate a triage file with:
cve-bin-tool --sbom cyclonedx --sbom-file sbom.json --severity high --vex triage.vex
and I get the following triage file with 4 vulnerabilities listed:
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "vulnerabilities": [
    {
      "id": "CVE-2023-4911",
      "source": {
        "name": "NVD",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4911"
      },
      "ratings": [
        {
          "source": {
            "name": "NVD",
            "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2023-4911&vector=CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H&version=3.1"
          },
          "score": 7.8,
          "severity": "high",
          "method": "CVSSv3",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "description": "A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.",
      "recommendation": "",
      "advisories": [],
      "created": "NOT_KNOWN",
      "published": "NOT_KNOWN",
      "updated": "",
      "analysis": {
        "state": "in_triage",
        "response": [],
        "detail": "NewFound"
      },
      "affects": [
        {
          "ref": "urn:cbt:1/gnu#glibc:2.38"
        }
      ]
    },
    {
      "id": "CVE-2023-5156",
      "source": {
        "name": "NVD",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5156"
      },
      "ratings": [
        {
          "source": {
            "name": "NVD",
            "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2023-5156&vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv3",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "description": "A flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash.",
      "recommendation": "",
      "advisories": [],
      "created": "NOT_KNOWN",
      "published": "NOT_KNOWN",
      "updated": "",
      "analysis": {
        "state": "in_triage",
        "response": [],
        "detail": "NewFound"
      },
      "affects": [
        {
          "ref": "urn:cbt:1/gnu#glibc:2.38"
        }
      ]
    },
    {
      "id": "CVE-2023-6246",
      "source": {
        "name": "NVD",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6246"
      },
      "ratings": [
        {
          "source": {
            "name": "NVD",
            "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2023-6246&vector=CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H&version=3.1"
          },
          "score": 7.8,
          "severity": "high",
          "method": "CVSSv3",
          "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "description": "A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.",
      "recommendation": "",
      "advisories": [],
      "created": "NOT_KNOWN",
      "published": "NOT_KNOWN",
      "updated": "",
      "analysis": {
        "state": "in_triage",
        "response": [],
        "detail": "NewFound"
      },
      "affects": [
        {
          "ref": "urn:cbt:1/gnu#glibc:2.38"
        }
      ]
    },
    {
      "id": "CVE-2023-6779",
      "source": {
        "name": "NVD",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6779"
      },
      "ratings": [
        {
          "source": {
            "name": "NVD",
            "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2023-6779&vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv3",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "description": "An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. This issue affects glibc 2.37 and newer.",
      "recommendation": "",
      "advisories": [],
      "created": "NOT_KNOWN",
      "published": "NOT_KNOWN",
      "updated": "",
      "analysis": {
        "state": "in_triage",
        "response": [],
        "detail": "NewFound"
      },
      "affects": [
        {
          "ref": "urn:cbt:1/gnu#glibc:2.38"
        }
      ]
    }
  ]
}
If I then remove one of the vulnerabilities manually and run the same command with the triage file,
the removed vulnerability is not added again to the triage file.
To reproduce
See above.
Expected behaviour: missing entries are added again
Actual behaviour: missing entries are not added again
Version/platform info
Version of CVE-bin-tool (e.g. output of cve-bin-tool --version): 3.3
Installed from pypi or github? from nixpkgs
Operating system: Linux framework 6.9.3 #1-NixOS SMP PREEMPT_DYNAMIC Thu May 30 07:45:04 UTC 2024 x86_64 GNU/Linux
Python version: Python 3.11.9
Anything else?
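One way to get the behaviour the report expects, as an added example that is not cve-bin-tool's own code: treat the fresh scan as the source of truth for which findings exist, and carry over only the analyst's `analysis` block for findings that are already in the triage file, keyed on CVE id plus affected ref. The two CycloneDX VEX documents are constructed inline (trimmed to the fields the merge needs), and the function names `merge_triage` and `missing_from` are assumptions.

```python
import json
from copy import deepcopy

# Constructed sample: a triage file in which the analyst has already recorded a
# decision, and a fresh scan that reports one finding the triage file no longer has.
EXISTING_TRIAGE = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "vulnerabilities": [
        {"id": "CVE-2023-4911", "affects": [{"ref": "urn:cbt:1/gnu#glibc:2.38"}],
         "analysis": {"state": "not_affected", "response": [],
                      "detail": "image ships no SUID binaries"}},
    ],
}
NEW_SCAN = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "vulnerabilities": [
        {"id": "CVE-2023-4911", "affects": [{"ref": "urn:cbt:1/gnu#glibc:2.38"}],
         "analysis": {"state": "in_triage", "response": [], "detail": "NewFound"}},
        {"id": "CVE-2023-5156", "affects": [{"ref": "urn:cbt:1/gnu#glibc:2.38"}],
         "analysis": {"state": "in_triage", "response": [], "detail": "NewFound"}},
    ],
}


def _key(vuln):
    # A finding is identified by its CVE id together with the product refs it affects,
    # so the same CVE against two components is tracked as two findings.
    refs = tuple(sorted(a.get("ref", "") for a in vuln.get("affects", [])))
    return (vuln["id"], refs)


def missing_from(existing, scan):
    """CVE ids the scan reports that the triage file lacks (the case in the report)."""
    have = {_key(v) for v in existing.get("vulnerabilities", [])}
    return sorted(v["id"] for v in scan["vulnerabilities"] if _key(v) not in have)


def merge_triage(existing, scan):
    """Return a VEX dict with every current finding present and prior triage decisions kept."""
    merged = deepcopy(scan)
    prior = {_key(v): v for v in existing.get("vulnerabilities", [])}
    for vuln in merged["vulnerabilities"]:
        old = prior.get(_key(vuln))
        if old is not None and "analysis" in old:
            vuln["analysis"] = deepcopy(old["analysis"])  # keep the analyst's state
    return merged


if __name__ == "__main__":
    print("re-added:", missing_from(EXISTING_TRIAGE, NEW_SCAN))
    print(json.dumps(merge_triage(EXISTING_TRIAGE, NEW_SCAN), indent=2))
```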
@terriko I am not sure what is causing this issue for now. I'll look into it while handling the improvements to the triaging process; for now I have only looked into parsing and generation in detail.