Dedupe CSAF Vulnerability IDs #147
Comments
…esting. Signed-off-by: Caroline Russell <caroline@appthreat.dev> Fix: CSAF reference regexes, updated relevant test Signed-off-by: Caroline Russell <caroline@appthreat.dev>
How do other vendors handle this scenario? Any examples we can find from providers such as Red Hat?
@prabhu I'm afraid I don't know how vendors handle this - according to the generator section, Red Hat's CSAFs are produced using the Red Hat SDEngine, but I don't know any details. The CSAF 2.0 schema is clear that it must be unique entries, and there isn't any reason to store the exact same thing twice for the same vulnerability anyway. It doesn't have to be unique across the whole document, just in the ids attached per vulnerability. There are really only two ways to deal with this issue - either prevent duplicate IDs from being generated in the first place from the reference list, or remove them afterwards. The latter is quicker. Here's Red Hat's Issues in SDEngine's CSAF implementation of advisories issue tracker
Does this tool help? Perhaps the product tree is used to link to all products that are related to the given vulnerability?
@prabhu This is unrelated to the product tree. The entries duplicated are in vulnerabilities, and their only fields are system_name and text - for the system that created the id, and the id itself, respectively. You can look at the test for format_references in test_csaf.py for examples of what this data looks like.
#148)
* Fix: Issue #147 plus CSAF revision_history bugs, reference regexes, testing. Signed-off-by: Caroline Russell <caroline@appthreat.dev>
  Fix: CSAF reference regexes, updated relevant test. Signed-off-by: Caroline Russell <caroline@appthreat.dev>
* Bump version. Signed-off-by: Caroline Russell <caroline@appthreat.dev>
---------
Signed-off-by: Caroline Russell <caroline@appthreat.dev>
CSAF 2.0 will fail validation if the same vulnerability ID is listed more than once per vulnerability. IDs are generated programmatically by parsing the list of references. When multiple references are listed which point to the same vulnerability, a duplicate entry is added.
Example:
https://github.com/advisories/GHSA-v845-jxx5-vc9f
https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f
Both references may be included but we must only add a single entry in the IDs section.
Similarly, since commit and issue IDs are not unique, we should extract the repository name and include it in the system name.
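The following is an added illustration of the two points made in this issue and in the reply above (dedupe the `(system_name, text)` pairs per vulnerability, and fold the repository into the system name for commit and issue numbers). It is example code written for this page, not dep-scan's own `format_references` implementation, and the system-name strings, the regexes and the sample reference list are all assumptions constructed here; the SHA, issue numbers and the `otherorg/otherrepo` and `example.com` URLs are made up. It shows both remedies the reply mentions: generating without duplicates, and stripping duplicates after the fact.

```python
import re

# Constructed sample reference list for a single vulnerability (not taken
# from the project's test data). The first two URLs point at the same GHSA,
# which is the case that produced duplicate ids entries. The two issue URLs
# share the number 1234 but belong to different repositories, so they must
# not collapse into one id. The commit SHA and issue numbers are made up.
SAMPLE_REFERENCES = [
    "https://github.com/advisories/GHSA-v845-jxx5-vc9f",
    "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f",
    "https://nvd.nist.gov/vuln/detail/CVE-2023-43804",
    "https://github.com/urllib3/urllib3/commit/0123456789abcdef0123456789abcdef01234567",
    "https://github.com/urllib3/urllib3/issues/1234",
    "https://github.com/otherorg/otherrepo/issues/1234",
    "https://example.com/blog/some-writeup",  # carries no extractable id
]

# Hypothetical reference regexes; the project's own patterns may differ.
GHSA_RE = re.compile(r"GHSA(?:-[0-9a-z]{4}){3}", re.IGNORECASE)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)
GH_COMMIT_RE = re.compile(
    r"^https?://github\.com/([^/]+/[^/]+)/commit/([0-9a-f]{7,40})", re.IGNORECASE)
GH_ISSUE_RE = re.compile(
    r"^https?://github\.com/([^/]+/[^/]+)/(issues|pull)/(\d+)", re.IGNORECASE)


def id_from_reference(url):
    """Map one reference URL to a CSAF (system_name, text) pair, or None.

    Commit and issue numbers are only unique within a repository, so the
    owner/repo slug is folded into system_name (hypothetical naming).
    """
    m = GH_COMMIT_RE.match(url)
    if m:
        return (f"GitHub Commit ({m.group(1)})", m.group(2).lower())
    m = GH_ISSUE_RE.match(url)
    if m:
        kind = "Issue" if m.group(2).lower() == "issues" else "Pull Request"
        return (f"GitHub {kind} ({m.group(1)})", m.group(3))
    m = GHSA_RE.search(url)
    if m:
        # Normalise case so two spellings of one GHSA compare equal.
        return ("GitHub Advisory", "GHSA-" + m.group(0)[5:].lower())
    m = CVE_RE.search(url)
    if m:
        return ("CVE", m.group(0).upper())
    return None


def naive_ids(references):
    """Pre-fix behaviour: one ids entry per matching reference, duplicates kept."""
    ids = []
    for ref in references:
        pair = id_from_reference(ref)
        if pair:
            ids.append({"system_name": pair[0], "text": pair[1]})
    return ids


def dedupe_ids(ids):
    """Remedy 2 from the thread: remove duplicates after generation, keeping first-seen order."""
    seen = set()
    unique = []
    for entry in ids:
        key = (entry["system_name"], entry["text"])
        if key not in seen:
            seen.add(key)
            unique.append(entry)
    return unique


def format_references(references):
    """Remedy 1 from the thread: never emit a duplicate (system_name, text) in the first place."""
    seen = set()
    ids = []
    for ref in references:
        pair = id_from_reference(ref)
        if pair is None or pair in seen:
            continue
        seen.add(pair)
        ids.append({"system_name": pair[0], "text": pair[1]})
    return ids


def has_unique_ids(ids):
    """Mirror the per-vulnerability uniqueness constraint a CSAF 2.0 validator enforces on ids."""
    keys = [(e["system_name"], e["text"]) for e in ids]
    return len(keys) == len(set(keys))


if __name__ == "__main__":
    for entry in format_references(SAMPLE_REFERENCES):
        print(entry)
```

Run as a script it prints five ids for the seven references: the two GHSA URLs yield one entry, the blog URL yields none, and the two `issues/1234` URLs stay distinct because the repository is part of `system_name`. Either remedy gives the same result; deduplicating at generation time is the one that also keeps the reference regexes honest, since a new pattern cannot reintroduce the duplicate.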