[BUG] Invalid references for NVD CVE identifiers in CycloneDX JSON 1.4 format #93
Comments
|
FYI @madpah |
|
Thanks @damiencarol - will look at getting a fix for this. |
|
@damiencarol - so this is a little bit of a challenge to implement correctly when data is being sourced from OSS Index. Let's take an example - [
{
"coordinates": "pkg:pypi/[email protected]",
"reference": "https://ossindex.sonatype.org/component/pkg:pypi/[email protected]?utm_source=mozilla&utm_medium=integration&utm_content=5.0",
"vulnerabilities": [
{
"id": "4dc8bf86-e2ee-45b0-881f-bb4f03748b5b",
"displayName": "CVE-2017-11424",
"title": "[CVE-2017-11424] Improper Access Control",
"description": "In PyJWT 1.5.0 and below the `invalid_strings` check in `HMACAlgorithm.prepare_key` does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string `-----BEGIN RSA PUBLIC KEY-----` which is not accounted for. This enables symmetric/asymmetric key confusion attacks against users using the PKCS1 PEM encoded public keys, which would allow an attacker to craft JWTs from scratch.",
"cvssScore": 7.5,
"cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"cve": "CVE-2017-11424",
"reference": "https://ossindex.sonatype.org/vulnerability/4dc8bf86-e2ee-45b0-881f-bb4f03748b5b?component-type=pypi&component-name=pyjwt&utm_source=mozilla&utm_medium=integration&utm_content=5.0",
"externalReferences": [
"https://github.com/jpadilla/pyjwt/pull/277",
"https://nvd.nist.gov/vuln/detail/CVE-2017-11424"
]
}
]
}
]This tells us of 1 known Vulnerability -
Note - we have no additional information about the external references. From a read of the specification, the I suspect the correct course of action here will be to stop mapping OSS Index What are your thoughts? |
|
@madpah 3 things:
"references": [
{
"id": "CVE-2018-7489",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9997"
}
}
],So my advice would be to just:
"references": [
{
"id": "CVE-2018-7489",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9997"
}
}
],Again thanks a lot for the insights/feedback |
|
@damiencarol - so, I believe what we are saying (double confirming here!):
"cve": "CVE-2017-11424",
"reference": "https://ossindex.sonatype.org/vulnerability/4dc8bf86-e2ee-45b0-881f-bb4f03748b5b?component-type=pypi&component-name=pyjwt&utm_source=mozilla&utm_medium=integration&utm_content=5.0",becomes "references": [
{
"id": "CVE-2017-11424",
"source": {
"url": "https://ossindex.sonatype.org/vulnerability/4dc8bf86-e2ee-45b0-881f-bb4f03748b5b?component-type=pypi&component-name=pyjwt&utm_source=mozilla&utm_medium=integration&utm_content=5.0"
}
}
]
"externalReferences": [
"https://github.com/jpadilla/pyjwt/pull/277",
"https://nvd.nist.gov/vuln/detail/CVE-2017-11424"
]becomes: "advisories": [
{
"url": "https://github.com/jpadilla/pyjwt/pull/277"
},
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11424"
}
]With regards to your point 3, the logic is fine, but:
Let me know if I've miss-understood your point 3. Thanks for getting involved! |
|
@madpah Nah it's good. what you described is good. If we can have these modifications I can build a smart "detection" that detect CVE in the Id of the reference. |
|
Thanks for coming back so quickly @damiencarol - glad we agree :-) |
|
Although - doing point 1 will duplicate data further - so is it even needed @damiencarol ? See this example: "vulnerabilities": [
{
"bom-ref": "4dc8bf86-e2ee-45b0-881f-bb4f03748b5b",
"id": "CVE-2017-11424",
"source": {
"name": "Oss Index",
"url": "https://ossindex.sonatype.org/vulnerability/4dc8bf86-e2ee-45b0-881f-bb4f03748b5b?component-type=pypi&component-name=pyjwt&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration"
},
"references": [
{
"id": "CVE-2017-11424",
"source": {
"name": "Oss Index",
"url": "https://ossindex.sonatype.org/vulnerability/4dc8bf86-e2ee-45b0-881f-bb4f03748b5b?component-type=pypi&component-name=pyjwt&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration"
}
}
],
...The data now held in |
|
@madpah ok, I see the pb now. [
{
"coordinates": "pkg:pypi/[email protected]",
"reference": "https://ossindex.sonatype.org/component/pkg:pypi/[email protected]?utm_source=mozilla&utm_medium=integration&utm_content=5.0",
"vulnerabilities": [
{
"id": "4dc8bf86-e2ee-45b0-881f-bb4f03748b5b",
"displayName": "CVE-2017-11424",
"title": "[CVE-2017-11424] Improper Access Control",
"description": "In PyJWT 1.5.0 and below the `invalid_strings` check in `HMACAlgorithm.prepare_key` does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string `-----BEGIN RSA PUBLIC KEY-----` which is not accounted for. This enables symmetric/asymmetric key confusion attacks against users using the PKCS1 PEM encoded public keys, which would allow an attacker to craft JWTs from scratch.",
"cvssScore": 7.5,
"cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"cve": "CVE-2017-11424",
"reference": "https://ossindex.sonatype.org/vulnerability/4dc8bf86-e2ee-45b0-881f-bb4f03748b5b?component-type=pypi&component-name=pyjwt&utm_source=mozilla&utm_medium=integration&utm_content=5.0",
"externalReferences": [
"https://github.com/jpadilla/pyjwt/pull/277",
"https://nvd.nist.gov/vuln/detail/CVE-2017-11424"
]
}
]
}
]CycloneDX ...
"vulnerabilities": [
{
"bom-ref": "...",
"id": "4dc8bf86-e2ee-45b0-881f-bb4f03748b5b",
"source": {
"name": "OSS index",
"url": "https://ossindex.sonatype.org/vulnerability/4dc8bf86-e2ee-45b0-881f-bb4f03748b5b?component-type=pypi&component-name=pyjwt"
},
"references": [
{
"id": "CVE-2017-11424",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11424"
}
}
],
...See the Id now is the ID of OSS index. We can even use it in DefectDojo for internal process as it would be to use directly the id of the vulnerability. For the CVE we have another system dedicated to it. I hope it's clear. |
|
Makes sense @damiencarol - I'll also feedback to CycloneDX folks about the documentation (https://cyclonedx.org/docs/1.4/json/#vulnerabilities_items_id) as this isn't as clear as it could be IMVHO :-) If you wouldn't mind checking the example produced with these changes on #94, that would be super and we can get this merged and released. Thanks again for your input @damiencarol. |
|
testing this branch right now. |
|
@madpah made some tests and the branch is good! ...
"advisories": [
{
"url": "https://www.djangoproject.com/weblog/2018/feb/01/security-releases/"
},
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6188"
}
],
... |
|
Thanks for the quick fix @madpah ! 👍 |
Describe the bug
Version <=
1.4.1produce wrong references in the CycloneDX JSON report.To Reproduce
Steps to reproduce the behavior:
jake ddt -o ~/dd2/unittests/scans/cyclonedx/jake2.json --output-format json --schema-version 1.4 --clear-cacheExpected behavior
According to the specification, references like CVE identifier should be like this:
But current format is like this which is not compliant with the schema of the spec:
A lot of data are missing. I'm interested in the
source > nameand theidwhich critical to know it's CVE by program.Desktop (please complete the following information):
Additional context
I'm working with reports of Jake/CycloneDX JSON 1.4 format
The text was updated successfully, but these errors were encountered: