Update master (#226)

* Clarify bounty targets in insights (#219)

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* Update vdb to get dotnet case fixes (#222)

* Update vdb to get dotnet case fixes

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* Fix test for cvss 3

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

---------

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

---------

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

depscan/lib/analysis.py

@@ -539,9 +539,9 @@ def prepare_vdr(options: PrepareVdrOptions):
         if clinks.get("poc") or clinks.get("Bug Bounty"):
             if reached_purls.get(purl):
                 insights.append(
-                    "[bright_red]:exclamation_mark: Reachable and Exploitable[/bright_red]"
+                    "[yellow]:notebook_with_decorative_cover: Reachable Bounty target[/yellow]"
                 )
-                plain_insights.append("Reachable and Exploitable")
+                plain_insights.append("Reachable Bounty target")
                 has_reachable_poc_count += 1
                 has_reachable_exploit_count += 1
                 pkg_requires_attn = True
@@ -560,8 +560,10 @@ def prepare_vdr(options: PrepareVdrOptions):
                 pkg_requires_attn = True
         if clinks.get("vendor") and package_type not in config.OS_PKG_TYPES:
             if reached_purls.get(purl):
-                insights.append(":receipt: Reachable")
-                plain_insights.append("Reachable")
+                # If it has a poc, an insight might have gotten added above
+                if not pkg_requires_attn:
+                    insights.append(":receipt: Reachable")
+                    plain_insights.append("Reachable")
             else:
                 insights.append(":receipt: Vendor Confirmed")
                 plain_insights.append("Vendor Confirmed")

depscan/lib/config.py

@@ -151,6 +151,7 @@ def resource_path(relative_path):
     "json-smart": "json-smart-v2",
     "ojdbc7": "jdbc",
     "System.Text": ".net",
+    "System.Net": "asp.net_core",
     "Microsoft.IdentityModel.Clients.ActiveDirectory": "active_directory_authentication_library",
     "starkbank_ecdsa": "ecdsa-elixir",
     "php-pear": "pear-core-minimal",

pyproject.toml

@@ -1,12 +1,12 @@
 [project]
 name = "owasp-depscan"
-version = "5.2.1"
+version = "5.2.2"
 description = "Fully open-source security audit for project dependencies based on known vulnerabilities and advisories."
 authors = [
     {name = "Team AppThreat", email = "cloud@appthreat.com"},
 ]
 dependencies = [
-    "appthreat-vulnerability-db>=5.5.8",
+    "appthreat-vulnerability-db>=5.5.10",
     "defusedxml",
     "oras",
     "PyYAML",

test/test_csaf.py

@@ -446,6 +446,7 @@ def test_parse_cvss():
         'modifiedConfidentialityImpact': 'HIGH',
         'modifiedIntegrityImpact': 'HIGH',
         'modifiedPrivilegesRequired': 'NONE',
+        'modifiedScope': 'UNCHANGED',
         'modifiedUserInteraction': 'NONE',
         'privilegesRequired': 'NONE',
         'scope': 'UNCHANGED',
@@ -924,6 +925,7 @@ def test_add_vulnerabilities():
                     'modifiedConfidentialityImpact': 'HIGH',
                     'modifiedIntegrityImpact': 'HIGH',
                     'modifiedPrivilegesRequired': 'NONE',
+                    'modifiedScope': 'UNCHANGED',
                     'modifiedUserInteraction': 'REQUIRED',
                     'privilegesRequired': 'NONE',
                     'scope': 'UNCHANGED',
@@ -1017,6 +1019,7 @@ def test_add_vulnerabilities():
                         'modifiedConfidentialityImpact': 'HIGH',
                         'modifiedIntegrityImpact': 'HIGH',
                         'modifiedPrivilegesRequired': 'NONE',
+                        'modifiedScope': 'UNCHANGED',
                         'modifiedUserInteraction': 'NONE',
                         'privilegesRequired': 'NONE',
                         'scope': 'UNCHANGED',