Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

vendor/product/versions in container but not mentioned in README #41

Open
ElectricNroff opened this issue May 29, 2024 · 5 comments
Open

vendor/product/versions in container but not mentioned in README #41

ElectricNroff opened this issue May 29, 2024 · 5 comments
Assignees
@amanion-cisa
Labels
blocked This issue or pull request is awaiting the outcome of another issue or pull request bug This issue or pull request addresses broken functionality cpe Issues around CPE strings

Comments

@ElectricNroff
Copy link

The CISAADP container has the affected.vendor, affected.product, and affected.versions fields in at least several hundred CVE Records, but nothing in https://github.com/cisagov/vulnrichment/blob/034bc878aecbbc99cc211b0ceafa3fc53ddb5459/README.md mentions that this should be occurring. Also, in at least a few cases, the vendor/product/versions data is inaccurate relative to both the CNA container and the references. For example, here is an off-by-one error (for the version 24.0.1) caused by erroneous replacement of lessThanOrEqual with lessThan:

vulnrichment/2024/20xxx/CVE-2024-20794.json

Lines 18 to 25 in 4395c94

"product": "Animate",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "24.0.1",
"status": "affected",
"version": "0",
"versionType": "semver"

vulnrichment/2024/20xxx/CVE-2024-20794.json

Lines 139 to 148 in 4395c94

"cpe:2.3:a:adobe:animate:*:*:*:*:*:*:*:*"
],
"vendor": "adobe",
"product": "animate",
"versions": [
{
"status": "affected",
"version": "*",
"lessThan": "24.0.1 ",
"versionType": "custom"

If enriching vendor/product/versions is currently less important than CVSS/CWE/CPE, then one might consider an alternative design of the affected property:

"affected": [
        {
          "cpes": [
            "cpe:2.3:a:a_legitimate_vendor_name:a_real_product_name:*:*:*:*:*:*:*:*"
            ],
          "collectionURL": "https://github.com/cisagov/vulnrichment/blob/develop/NULL-collection.md",
          "packageName": "NULL",
          "defaultStatus": "unknown"
        }
      ]

in which collectionURL/packageName/defaultStatus would be the same in all CISAADP containers that provide an affected property. Then, https://github.com/cisagov/vulnrichment/blob/develop/NULL-collection.md could offer a brief explanation that it is not really a collection, that CISA is not enriching vendor/product/versions in the initial production rollout, but (because of the current design of the CVE Record Format) JSON validation requires perfunctory non-blank values for collectionURL/packageName/defaultStatus.
@todb-cisa todb-cisa added bug This issue or pull request addresses broken functionality cpe Issues around CPE strings labels May 30, 2024
@todb-cisa
Copy link
Collaborator

This looks like it's blocked, or possibly just influenced by, this upstream issue in CPE-land: CVEProject/cve-schema#321 . More cycles shall be spent on this to figure out how to best solve this issue for everyone, not just ADPs or CVEs.

@todb-cisa todb-cisa added the blocked This issue or pull request is awaiting the outcome of another issue or pull request label Jun 5, 2024
@amanion-cisa
Copy link
Collaborator

An option is to document the behavior (in the README), at least until a more lasting solution or decision is in place.

@todb-cisa
Copy link
Collaborator

Still blocked by CVEProject/cve-schema#321 .

@jwoytek-cisa
Copy link
Collaborator

Currently being discussed at Quality Working Group in CVE.

amanion-cisa added a commit to amanion-cisa/vulnrichment that referenced this issue Sep 19, 2024
@amanion-cisa
cpes, affected, versions, cisagov#41
ae02046 
Signed-off-by: Art Manion <arthur.manion@associates.cisa.dhs.gov>
@amanion-cisa amanion-cisa mentioned this issue Sep 19, 2024
Merged
todb-cisa pushed a commit that referenced this issue Sep 23, 2024
@amanion-cisa
Vulnrichment wip (#117)
a578b3b 
Looks good to me!

* cpes, affected, versions, #41

Signed-off-by: Art Manion <arthur.manion@associates.cisa.dhs.gov>

* 2 spaces per indent

Signed-off-by: Art Manion <arthur.manion@associates.cisa.dhs.gov>

---------

Signed-off-by: Art Manion <arthur.manion@associates.cisa.dhs.gov>
@todb-cisa
Copy link
Collaborator

Hi @ElectricNroff ! Is this actually resolved by #117?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@amanion-cisa amanion-cisa

Labels
blocked This issue or pull request is awaiting the outcome of another issue or pull request bug This issue or pull request addresses broken functionality cpe Issues around CPE strings
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ElectricNroff @todb-cisa @amanion-cisa @jwoytek-cisa