From: "Ludovic Courtès" <ludo@gnu.org>
To: Brice Waegeneire <brice@waegenei.re>
Cc: 40142@debbugs.gnu.org
Subject: bug#40142: CVE checker return false positives
Date: Sat, 21 Mar 2020 17:25:23 +0100 [thread overview]
Message-ID: <87sgi1znd8.fsf@gnu.org> (raw)
In-Reply-To: <0bb3b7878b37095b4ed7fa49aee5936f@waegenei.re> (Brice Waegeneire's message of "Fri, 20 Mar 2020 09:10:31 +0000")
Hi,
Brice Waegeneire <brice@waegenei.re> skribis:
> The CVE checker of “guix lint” returns false positives:
> ┌────
> │ LANGUAGE=C guix lint git 2>&1
> ├───
> │ gnu/packages/version-control.scm:149:2: git@2.25.1: probably
> vulnerable to CVE-2020-2136, CVE-2019-1003010, CVE-2018-1000110,
> CVE-2018-1000182
[...]
> • [CVE-2020-2136]: “Jenkins Git Plugin 4.2.0 and earlier […]”
> • [CVE-2019-1003010]: “[…] Jenkins Git Plugin 3.9.1 and earlier […]”
> • [CVE-2018-1000110]: “[…] Jenkins Git Plugin version 3.7.0 and earlier
> […]”
> • [CVE-2018-1000182]: “[…] Jenkins Git Plugin 3.9.0 and older […]”
(guix cve) reports it as applying to “git”:
--8<---------------cut here---------------start------------->8---
scheme@(guix cve)> (define items
(call-with-decompressed-port 'gzip (http-fetch (yearly-feed-uri 2020))
json->cve-items))
scheme@(guix cve)> (find (lambda (item)
(string=? (cve-id (cve-item-cve item)) "CVE-2020-2136"))
items)
$130 = #<<cve-item> cve: #<<cve> id: "CVE-2020-2136" data-type: CVE data-format: MITRE references: (#<<cve-reference> url: "http://www.openwall.com/lists/oss-security/2020/03/09/1" tags: ("Third Party Advisory")> #<<cve-reference> url: "https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1723" tags: ("Vendor Advisory")>)> configurations: (("git" (<= "4.2.0"))) published-date: #<date nanosecond: 0 second: 0 minute: 15 hour: 16 day: 9 month: 3 year: 2020 zone-offset: 0> last-modified-date: #<date nanosecond: 0 second: 0 minute: 4 hour: 20 day: 9 month: 3 year: 2020 zone-offset: 0>>
--8<---------------cut here---------------end--------------->8---
I think the problem stems from the fact that the CVE configuration
specify “jenkins:git” (where “jenkins” is the “vendor” and “git” is the
“product”), but we just strip the vendor part:
--8<---------------cut here---------------start------------->8---
$ wget -O - -q https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.json.gz| gunzip | jq
[…]
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"operator": "OR",
"cpe_match": [
{
"vulnerable": true,
"cpe23Uri": "cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*",
"versionEndIncluding": "4.2.0"
}
]
}
]
--8<---------------cut here---------------end--------------->8---
It’s usually the case that the vendor part has little relevance for free
software packages, but in this case it does make a difference.
Probably the fix would be to preserve the vendor part in the API and to
somehow use it meaningfully.
Ideas & patches welcome!
> Also note the missing / on the first line and it output on `stderr'
> instead of `stdout'.
What do you mean?
Thanks,
Ludo’.
next prev parent reply other threads:[~2020-03-21 16:26 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-20 9:10 bug#40142: CVE checker return false positives Brice Waegeneire
2020-03-21 16:25 ` Ludovic Courtès [this message]
2020-03-21 16:57 ` Brice Waegeneire
2020-04-01 17:01 ` bug#40142: (guix cve) discards configuration "vendor", leading to " Brice Waegeneire
2020-04-02 10:38 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87sgi1znd8.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=40142@debbugs.gnu.org \
--cc=brice@waegenei.re \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).