Report CVEs from the NVD when affected packages have unspecified version #5284

Merged
merged 14 commits into from Jun 30, 2020

Conversation

JcabreraC
Member

@JcabreraC JcabreraC commented Jun 22, 2020

Related issue
#5280

Description

Currently, by adding the NVD as a feed for Linux agents, vulnerabilities that the NVD includes in affected packages without specifying the version do not report alerts, to avoid false positives.

This PR is to study those vulnerabilities that are marked as undetermined (needs triage, ignored, unfixed) and that the NVD reports the packages as affected without specifying a range of vulnerable versions.

With this change, the number of alerts increases, and we now alert on vulnerabilities that, according to the vendor's OVAL, are vulnerable and that we did not report before.

Tests

  • Compilation without warnings in every supported platform
    • Linux
  • Source installation
  • Package installation
  • Review logs syntax and correct language
  • Fix unit test
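The decision described above (drop NVD matches with no version range before the change; after the change, report them when the vendor's OVAL marks the CVE/package pair as undetermined) as an added, self-contained example. This is illustrative code written for this page, not Wazuh's vulnerability-detector implementation: the data shapes, the `should_alert`/`scan` helpers, the simplified dotted-integer version parsing and the `CVE-0000-000x` identifiers are all constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# States that the PR description groups as "undetermined" in the vendor's OVAL feed.
UNDETERMINED_STATES = {"needs triage", "ignored", "unfixed"}


@dataclass
class NvdMatch:
    """One NVD CPE match for a CVE (constructed, simplified shape)."""
    cve: str
    product: str
    version_start: Optional[str] = None  # inclusive lower bound; None = not given
    version_end: Optional[str] = None    # exclusive upper bound; None = not given

    @property
    def version_unspecified(self) -> bool:
        return self.version_start is None and self.version_end is None


@dataclass
class VendorEntry:
    """Vendor OVAL statement about a CVE/package pair (constructed shape)."""
    cve: str
    package: str
    state: str                           # "fixed" or one of UNDETERMINED_STATES
    fixed_version: Optional[str] = None  # only meaningful when state == "fixed"


def parse_version(v: str) -> Tuple[int, ...]:
    # Simplification (assumption): dotted integers only; real distro versions
    # need epoch/release handling, which is out of scope here.
    return tuple(int(part) for part in v.split("."))


def in_nvd_range(installed: str, m: NvdMatch) -> bool:
    """True if the installed version falls inside the NVD-stated range."""
    iv = parse_version(installed)
    if m.version_start is not None and iv < parse_version(m.version_start):
        return False
    if m.version_end is not None and iv >= parse_version(m.version_end):
        return False
    return True


def should_alert(installed: str, nvd: NvdMatch, vendor: Optional[VendorEntry],
                 report_unspecified: bool = True) -> bool:
    """Decide whether an installed package version is reported for nvd.cve.

    report_unspecified=False models the behaviour before the PR: NVD matches
    that carry no version range are dropped to avoid false positives.
    report_unspecified=True models the PR: such matches are reported when the
    vendor's OVAL marks the CVE/package pair as undetermined.
    """
    # Vendor says fixed: the fixed version decides, whatever the NVD detail.
    if vendor is not None and vendor.state == "fixed" and vendor.fixed_version:
        return parse_version(installed) < parse_version(vendor.fixed_version)
    if not nvd.version_unspecified:
        return in_nvd_range(installed, nvd)
    # NVD lists the product as affected but gives no version range.
    if not report_unspecified:
        return False
    return vendor is not None and vendor.state in UNDETERMINED_STATES


def scan(inventory: Dict[str, str], nvd_matches: List[NvdMatch],
         vendor_entries: List[VendorEntry],
         report_unspecified: bool = True) -> List[Tuple[str, str]]:
    """Return sorted (package, cve) pairs that would raise an alert."""
    vendor_index = {(e.cve, e.package): e for e in vendor_entries}
    alerts = set()
    for package, installed in inventory.items():
        for m in nvd_matches:
            if m.product != package:
                continue
            v = vendor_index.get((m.cve, package))
            if should_alert(installed, m, v, report_unspecified):
                alerts.add((package, m.cve))
    return sorted(alerts)


# Constructed sample data: placeholder package names and CVE ids, not real advisories.
INVENTORY = {"libfoo": "1.1.1", "libbar": "2.0.0", "libbaz": "3.4.0"}
NVD = [
    NvdMatch("CVE-0000-0001", "libfoo"),                    # no range, vendor: needs triage
    NvdMatch("CVE-0000-0002", "libbar", "1.0.0", "2.1.0"),  # explicit range
    NvdMatch("CVE-0000-0003", "libbaz"),                    # no range, vendor: fixed
    NvdMatch("CVE-0000-0004", "libfoo"),                    # no range, no vendor data
]
VENDOR = [
    VendorEntry("CVE-0000-0001", "libfoo", "needs triage"),
    VendorEntry("CVE-0000-0003", "libbaz", "fixed", "3.3.0"),
]

if __name__ == "__main__":
    print("before:", scan(INVENTORY, NVD, VENDOR, report_unspecified=False))
    print("after: ", scan(INVENTORY, NVD, VENDOR, report_unspecified=True))
```

Running the block shows the increase in alerts the description mentions: before the change only the ranged `libbar` match is reported; after it, the `libfoo` match with no version range is reported as well because the vendor marks it "needs triage", while the match with no vendor data at all stays silent, which is the false-positive guard the old behaviour was protecting.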

@JcabreraC JcabreraC self-assigned this Jun 22, 2020
@JcabreraC JcabreraC changed the base branch from 3.13 to 3.14 June 22, 2020 15:43
@JcabreraC JcabreraC changed the title from "Changed ignore value" to "Report CVEs from the NVD when affected packages have unspecified version" Jun 26, 2020
Successfully merging this pull request may close these issues.

Vulnerability Detector: Report CVEs from the NVD when affected packages have unspecified version
3 participants