fix: do not skip NVD vulns with just CVSSv3 (#1236)

RTann · web-flow · commit ed064aeebe86 · 2023-08-22T13:17:20.000-07:00
diff --git a/e2etests/testcase_test.go b/e2etests/testcase_test.go
@@ -2817,7 +2817,7 @@ var testCases = []testCase{
 					},
 				},
 				AddedBy: "sha256:2408cc74d12b6cd092bb8b516ba7d5e290f485d3eb9672efc00f0583730179e8",
-				FixedBy: "1.1.1q-r0",
+				FixedBy: "1.1.1v-r0",
 			},
 		},
 	},
@@ -3808,9 +3808,9 @@ Applications using RegexRequestMatcher with '.' in the regular expression are po
 								},
 								"CVSSv3": map[string]interface{}{
 									"ExploitabilityScore": 3.9,
-									"ImpactScore":         5.9,
-									"Score":               9.8,
-									"Vectors":             "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+									"ImpactScore":         3.6,
+									"Score":               7.5,
+									"Vectors":             "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
 								},
 							},
 						},
@@ -3819,7 +3819,7 @@ Applications using RegexRequestMatcher with '.' in the regular expression are po
 					{
 						Name:          "CVE-2022-3786",
 						NamespaceName: "ubuntu:22.04",
-						Description:   "A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).",
+						Description:   "A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.",
 						Link:          "https://ubuntu.com/security/CVE-2022-3786",
 						Severity:      "Important",
 						Metadata: map[string]interface{}{
@@ -3841,7 +3841,7 @@ Applications using RegexRequestMatcher with '.' in the regular expression are po
 						FixedBy: "3.0.2-0ubuntu1.7",
 					},
 				},
-				FixedBy: "3.0.2-0ubuntu1.7",
+				FixedBy: "3.0.2-0ubuntu1.10",
 				// This image installs the openssl pacakge in the second layer;
 				// however, the first layer already installed libssl3 whose source package is openssl.
 				// Therefore, we claim openssl was installed in the first layer.
@@ -3864,6 +3864,7 @@ Applications using RegexRequestMatcher with '.' in the regular expression are po
 				NamespaceName: "ubuntu:22.10",
 				VersionFormat: "dpkg",
 				Version:       "3.0.5-2ubuntu2",
+				FixedBy:       "3.0.5-2ubuntu2.3",
 				AddedBy:       "sha256:2b441754735ea7decb684ef19d54115fc309c270fe7b87ed36aa3773ce50b78b",
 			},
 		},
@@ -4152,4 +4153,81 @@ All OpenShift Container Platform 4.10 users are advised to upgrade to these upda
 			},
 		},
 	},
+	{
+		image:                   "nginx:1.25.0-alpine",
+		registry:                "https://registry-1.docker.io",
+		source:                  "NVD",
+		namespace:               "alpine:v3.17",
+		onlyCheckSpecifiedVulns: true,
+		expectedFeatures: []apiV1.Feature{
+			{
+				Name:          "libx11",
+				NamespaceName: "alpine:v3.17",
+				VersionFormat: "apk",
+				Version:       "1.8.4-r0",
+				Vulnerabilities: []apiV1.Vulnerability{
+					{
+						Name:          "CVE-2023-3138",
+						NamespaceName: "alpine:v3.17",
+						Description:   "A vulnerability was found in libX11. The security flaw occurs because the functions in src/InitExt.c in libX11 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, using those IDs as array indexes. They trust that they were called with values provided by an Xserver adhering to the bounds specified in the X11 protocol, as all X servers provided by X.Org do. As the protocol only specifies a single byte for these values, an out-of-bounds value provided by a malicious server (or a malicious proxy-in-the-middle) can only overwrite other portions of the Display structure and not write outside the bounds of the Display structure itself, possibly causing the client to crash with this memory corruption.",
+						Link:          "https://www.cve.org/CVERecord?id=CVE-2023-3138",
+						Severity:      "Important",
+						FixedBy:       "1.8.4-r1",
+						Metadata: map[string]interface{}{
+							"NVD": map[string]interface{}{
+								"CVSSv2": map[string]interface{}{
+									"ExploitabilityScore": 0.0,
+									"ImpactScore":         0.0,
+									"Score":               0.0,
+									"Vectors":             "",
+								},
+								"CVSSv3": map[string]interface{}{
+									"ExploitabilityScore": 3.9,
+									"ImpactScore":         3.6,
+									"Score":               7.5,
+									"Vectors":             "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+								},
+							},
+						},
+					},
+				},
+				FixedBy: "1.8.4-r1",
+				AddedBy: "sha256:4aacde79cec42c8d0c5886185e70a16b107ae8c6b1a67d63d6efdb6d6978ed97",
+			},
+			{
+				Name:          "nghttp2",
+				NamespaceName: "alpine:v3.17",
+				VersionFormat: "apk",
+				Version:       "1.51.0-r0",
+				Vulnerabilities: []apiV1.Vulnerability{
+					{
+						Name:          "CVE-2023-35945",
+						NamespaceName: "alpine:v3.17",
+						Description:   "Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the `GOAWAY` frame skips de-allocation of the bookkeeping structure and pending compressed header. The error return [code path] is taken if connection is already marked for not sending more requests due to `GOAWAY` frame. The clean-up code is right after the return statement, causing memory leak. Denial of service through memory exhaustion. This vulnerability was patched in versions(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11.",
+						Link:          "https://www.cve.org/CVERecord?id=CVE-2023-35945",
+						Severity:      "Important",
+						FixedBy:       "1.51.0-r1",
+						Metadata: map[string]interface{}{
+							"NVD": map[string]interface{}{
+								"CVSSv2": map[string]interface{}{
+									"ExploitabilityScore": 0.0,
+									"ImpactScore":         0.0,
+									"Score":               0.0,
+									"Vectors":             "",
+								},
+								"CVSSv3": map[string]interface{}{
+									"ExploitabilityScore": 3.9,
+									"ImpactScore":         3.6,
+									"Score":               7.5,
+									"Vectors":             "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+								},
+							},
+						},
+					},
+				},
+				FixedBy: "1.51.0-r1",
+				AddedBy: "sha256:4aacde79cec42c8d0c5886185e70a16b107ae8c6b1a67d63d6efdb6d6978ed97",
+			},
+		},
+	},
 }
diff --git a/ext/vulnmdsrc/nvd/json.go b/ext/vulnmdsrc/nvd/json.go
@@ -121,7 +121,7 @@ func (n *nvdEntry) Summary() string {
 }
 
 func (n *nvdEntry) Metadata() *types.Metadata {
-	if n.Impact.BaseMetricV2.CVSSv2.String() == "" {
+	if n.Impact.BaseMetricV2.CVSSv2.String() == "" && n.Impact.BaseMetricV3.CVSSv3.String() == "" {
 		return nil
 	}
 	metadata := &types.Metadata{
diff --git a/ext/vulnmdsrc/nvd/nvd.go b/ext/vulnmdsrc/nvd/nvd.go
@@ -39,6 +39,7 @@ const (
 
 type appender struct {
 	metadata map[string]*metadataEnricher
+	skipped  int
 }
 
 type metadataEnricher struct {
@@ -85,7 +86,7 @@ func (a *appender) BuildCache(dumpDir string) error {
 		}
 		_ = f.Close()
 	}
-	log.Infof("Obtained metadata for %d vulns", len(a.metadata))
+	log.Infof("Obtained metadata for %d NVD vulns (skipped %d)", len(a.metadata), a.skipped)
 
 	return nil
 }
@@ -104,6 +105,8 @@ func (a *appender) parseDataFeed(r io.Reader) error {
 		enricher := newMetadataEnricher(&nvdEntry)
 		if enricher.metadata != nil {
 			a.metadata[nvdEntry.Name()] = enricher
+		} else {
+			a.skipped++
 		}
 	}
 
diff --git a/ext/vulnmdsrc/redhat/redhat.go b/ext/vulnmdsrc/redhat/redhat.go
@@ -23,6 +23,7 @@ const (
 
 type appender struct {
 	metadata map[string]*metadataEnricher
+	skipped  int
 }
 
 type metadataEnricher struct {
@@ -69,7 +70,7 @@ func (a *appender) BuildCache(dumpDir string) error {
 		}
 		_ = f.Close()
 	}
-	log.Infof("Obtained metadata for %d vulns", len(a.metadata))
+	log.Infof("Obtained metadata for %d Red Hat vulns (skipped %d)", len(a.metadata), a.skipped)
 
 	return nil
 }
@@ -87,6 +88,8 @@ func (a *appender) parseDataFeed(r io.Reader) error {
 		enricher := newMetadataEnricher(&redhatEntry)
 		if enricher.metadata != nil {
 			a.metadata[redhatEntry.Name()] = enricher
+		} else {
+			a.skipped++
 		}
 	}
 
diff --git a/ext/vulnsrc/manual/manual.go b/ext/vulnsrc/manual/manual.go
@@ -3,7 +3,6 @@ package manual
 import (
 	log "github.com/sirupsen/logrus"
 	"github.com/stackrox/scanner/database"
-	"github.com/stackrox/scanner/ext/versionfmt/dpkg"
 	"github.com/stackrox/scanner/ext/vulnsrc"
 )
 
@@ -13,168 +12,7 @@ type updater struct {
 }
 
 // Vulnerabilities lists vulnerabilities which may not already exist in the feeds for other distros.
-var Vulnerabilities = []database.Vulnerability{
-	{
-		Name: "CVE-2022-3602",
-		Namespace: database.Namespace{
-			Name:          "ubuntu:22.04",
-			VersionFormat: dpkg.ParserName,
-		},
-		Description: "A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).",
-		Link:        "https://ubuntu.com/security/CVE-2022-3602",
-		Severity:    database.HighSeverity,
-		FixedIn: []database.FeatureVersion{
-			{
-				Feature: database.Feature{
-					Name: "openssl",
-					Namespace: database.Namespace{
-						Name:          "ubuntu:22.04",
-						VersionFormat: dpkg.ParserName,
-					},
-				},
-				Version: "3.0.2-0ubuntu1.7",
-			},
-		},
-		Metadata: map[string]interface{}{
-			"NVD": map[string]interface{}{
-				"PublishedDateTime":    "2022-11-01T16:00Z",
-				"LastModifiedDateTime": "2022-11-02T16:00Z",
-				"CVSSv2": map[string]interface{}{
-					"ExploitabilityScore": 0.0,
-					"ImpactScore":         0.0,
-					"Score":               0.0,
-					"Vectors":             "",
-				},
-				"CVSSv3": map[string]interface{}{
-					"ExploitabilityScore": 3.9,
-					"ImpactScore":         5.9,
-					"Score":               9.8,
-					"Vectors":             "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
-				},
-			},
-		},
-	},
-	{
-		Name: "CVE-2022-3602",
-		Namespace: database.Namespace{
-			Name:          "ubuntu:22.10",
-			VersionFormat: dpkg.ParserName,
-		},
-		Description: "A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).",
-		Link:        "https://ubuntu.com/security/CVE-2022-3602",
-		Severity:    database.HighSeverity,
-		FixedIn: []database.FeatureVersion{
-			{
-				Feature: database.Feature{
-					Name: "openssl",
-					Namespace: database.Namespace{
-						Name:          "ubuntu:22.10",
-						VersionFormat: dpkg.ParserName,
-					},
-				},
-				Version: "3.0.5-2ubuntu2",
-			},
-		},
-		Metadata: map[string]interface{}{
-			"NVD": map[string]interface{}{
-				"PublishedDateTime":    "2022-11-01T16:00Z",
-				"LastModifiedDateTime": "2022-11-02T16:00Z",
-				"CVSSv2": map[string]interface{}{
-					"ExploitabilityScore": 0.0,
-					"ImpactScore":         0.0,
-					"Score":               0.0,
-					"Vectors":             "",
-				},
-				"CVSSv3": map[string]interface{}{
-					"ExploitabilityScore": 3.9,
-					"ImpactScore":         5.9,
-					"Score":               9.8,
-					"Vectors":             "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
-				},
-			},
-		},
-	},
-	{
-		Name: "CVE-2022-3786",
-		Namespace: database.Namespace{
-			Name:          "ubuntu:22.04",
-			VersionFormat: dpkg.ParserName,
-		},
-		Description: "A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).",
-		Link:        "https://ubuntu.com/security/CVE-2022-3786",
-		Severity:    database.HighSeverity,
-		FixedIn: []database.FeatureVersion{
-			{
-				Feature: database.Feature{
-					Name: "openssl",
-					Namespace: database.Namespace{
-						Name:          "ubuntu:22.04",
-						VersionFormat: dpkg.ParserName,
-					},
-				},
-				Version: "3.0.2-0ubuntu1.7",
-			},
-		},
-		Metadata: map[string]interface{}{
-			"NVD": map[string]interface{}{
-				"PublishedDateTime":    "2022-11-01T16:00Z",
-				"LastModifiedDateTime": "2022-11-02T16:00Z",
-				"CVSSv2": map[string]interface{}{
-					"ExploitabilityScore": 0.0,
-					"ImpactScore":         0.0,
-					"Score":               0.0,
-					"Vectors":             "",
-				},
-				"CVSSv3": map[string]interface{}{
-					"ExploitabilityScore": 3.9,
-					"ImpactScore":         3.6,
-					"Score":               7.5,
-					"Vectors":             "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
-				},
-			},
-		},
-	},
-	{
-		Name: "CVE-2022-3786",
-		Namespace: database.Namespace{
-			Name:          "ubuntu:22.10",
-			VersionFormat: dpkg.ParserName,
-		},
-		Description: "A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).",
-		Link:        "https://ubuntu.com/security/CVE-2022-3786",
-		Severity:    database.HighSeverity,
-		FixedIn: []database.FeatureVersion{
-			{
-				Feature: database.Feature{
-					Name: "openssl",
-					Namespace: database.Namespace{
-						Name:          "ubuntu:22.10",
-						VersionFormat: dpkg.ParserName,
-					},
-				},
-				Version: "3.0.5-2ubuntu2",
-			},
-		},
-		Metadata: map[string]interface{}{
-			"NVD": map[string]interface{}{
-				"PublishedDateTime":    "2022-11-01T16:00Z",
-				"LastModifiedDateTime": "2022-11-02T16:00Z",
-				"CVSSv2": map[string]interface{}{
-					"ExploitabilityScore": 0.0,
-					"ImpactScore":         0.0,
-					"Score":               0.0,
-					"Vectors":             "",
-				},
-				"CVSSv3": map[string]interface{}{
-					"ExploitabilityScore": 3.9,
-					"ImpactScore":         3.6,
-					"Score":               7.5,
-					"Vectors":             "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
-				},
-			},
-		},
-	},
-}
+var Vulnerabilities = []database.Vulnerability{}
 
 func (u updater) Update(_ vulnsrc.DataStore) (resp vulnsrc.UpdateResponse, _ error) {
 	log.WithField("package", "Manual Entries").Info("Start fetching vulnerabilities")

Original file line number	Diff line number	Diff line change
`@@ -121,7 +121,7 @@ func (n *nvdEntry) Summary() string {`
`121`	`121`	`}`
`122`	`122`
`123`	`123`	`func (n nvdEntry) Metadata() types.Metadata {`
`124`		`- if n.Impact.BaseMetricV2.CVSSv2.String() == "" {`
	`124`	`+ if n.Impact.BaseMetricV2.CVSSv2.String() == "" && n.Impact.BaseMetricV3.CVSSv3.String() == "" {`
`125`	`125`	`return nil`
`126`	`126`	`}`
`127`	`127`	`metadata := &types.Metadata{`
Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,7 @@ const (`
`39`	`39`
`40`	`40`	`type appender struct {`
`41`	`41`	`metadata map[string]*metadataEnricher`
	`42`	`+ skipped int`
`42`	`43`	`}`
`43`	`44`
`44`	`45`	`type metadataEnricher struct {`
`@@ -85,7 +86,7 @@ func (a *appender) BuildCache(dumpDir string) error {`
`85`	`86`	`}`
`86`	`87`	`_ = f.Close()`
`87`	`88`	`}`
`88`		`- log.Infof("Obtained metadata for %d vulns", len(a.metadata))`
	`89`	`+ log.Infof("Obtained metadata for %d NVD vulns (skipped %d)", len(a.metadata), a.skipped)`
`89`	`90`
`90`	`91`	`return nil`
`91`	`92`	`}`
`@@ -104,6 +105,8 @@ func (a *appender) parseDataFeed(r io.Reader) error {`
`104`	`105`	`enricher := newMetadataEnricher(&nvdEntry)`
`105`	`106`	`if enricher.metadata != nil {`
`106`	`107`	`a.metadata[nvdEntry.Name()] = enricher`
	`108`	`+ } else {`
	`109`	`+ a.skipped++`
`107`	`110`	`}`
`108`	`111`	`}`
`109`	`112`
Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,7 @@ const (`
`23`	`23`
`24`	`24`	`type appender struct {`
`25`	`25`	`metadata map[string]*metadataEnricher`
	`26`	`+ skipped int`
`26`	`27`	`}`
`27`	`28`
`28`	`29`	`type metadataEnricher struct {`
`@@ -69,7 +70,7 @@ func (a *appender) BuildCache(dumpDir string) error {`
`69`	`70`	`}`
`70`	`71`	`_ = f.Close()`
`71`	`72`	`}`
`72`		`- log.Infof("Obtained metadata for %d vulns", len(a.metadata))`
	`73`	`+ log.Infof("Obtained metadata for %d Red Hat vulns (skipped %d)", len(a.metadata), a.skipped)`
`73`	`74`
`74`	`75`	`return nil`
`75`	`76`	`}`
`@@ -87,6 +88,8 @@ func (a *appender) parseDataFeed(r io.Reader) error {`
`87`	`88`	`enricher := newMetadataEnricher(&redhatEntry)`
`88`	`89`	`if enricher.metadata != nil {`
`89`	`90`	`a.metadata[redhatEntry.Name()] = enricher`
	`91`	`+ } else {`
	`92`	`+ a.skipped++`
`90`	`93`	`}`
`91`	`94`	`}`
`92`	`95`