From b7f467043aad42dc9632b27505f075db1338e715 Mon Sep 17 00:00:00 2001 From: ziadhany Date: Tue, 21 Nov 2023 16:24:12 +0200 Subject: [PATCH] Refactor OSV ecosystem mapping Fix the test Update univers version and pass nuget test Resolve merge conflict Add a test for golang Fix test by adding cwe to expected files Resolve merge conflict 
Signed-off-by: ziadhany --- requirements.txt | 2 +- vulnerabilities/importers/__init__.py | 2 + vulnerabilities/importers/github_osv.py | 56 +++++ vulnerabilities/importers/oss_fuzz.py | 2 +- vulnerabilities/importers/osv.py | 107 ++++++--- vulnerabilities/importers/pypa.py | 2 +- vulnerabilities/importers/pysec.py | 2 +- vulnerabilities/improvers/__init__.py | 1 + vulnerabilities/improvers/valid_versions.py | 6 + .../github_osv/github_osv_expected_1.json | 122 ++++++++++ .../github_osv/github_osv_expected_2.json | 79 ++++++ .../github_osv/github_osv_expected_3.json | 142 +++++++++++ .../github_osv/github_osv_expected_4.json | 194 +++++++++++++++ .../github_osv/github_osv_expected_5.json | 224 ++++++++++++++++++ .../github_osv/github_osv_expected_6.json | 91 +++++++ .../github_osv/github_osv_expected_7.json | 150 ++++++++++++ .../github_osv/github_osv_test_1.json | 71 ++++++ .../github_osv/github_osv_test_2.json | 63 +++++ .../github_osv/github_osv_test_3.json | 136 +++++++++++ .../github_osv/github_osv_test_4.json | 119 ++++++++++ .../github_osv/github_osv_test_5.json | 146 ++++++++++++ .../github_osv/github_osv_test_6.json | 73 ++++++ .../github_osv/github_osv_test_7.json | 178 ++++++++++++++ .../tests/test_data/pypa/pypa-expected.json | 2 +- vulnerabilities/tests/test_github_osv.py | 113 +++++++++ vulnerabilities/tests/test_osv.py | 22 +- vulnerabilities/tests/test_pypa.py | 6 +- vulnerabilities/tests/test_pysec.py | 6 +- 28 files changed, 2071 insertions(+), 46 deletions(-) create mode 100644 vulnerabilities/importers/github_osv.py create mode 100644 vulnerabilities/tests/test_data/github_osv/github_osv_expected_1.json create mode 100644 vulnerabilities/tests/test_data/github_osv/github_osv_expected_2.json create mode 100644 vulnerabilities/tests/test_data/github_osv/github_osv_expected_3.json create mode 100644 vulnerabilities/tests/test_data/github_osv/github_osv_expected_4.json create mode 100644 
vulnerabilities/tests/test_data/github_osv/github_osv_expected_5.json create mode 100644 vulnerabilities/tests/test_data/github_osv/github_osv_expected_6.json create mode 100644 vulnerabilities/tests/test_data/github_osv/github_osv_expected_7.json create mode 100644 vulnerabilities/tests/test_data/github_osv/github_osv_test_1.json create mode 100644 vulnerabilities/tests/test_data/github_osv/github_osv_test_2.json create mode 100644 vulnerabilities/tests/test_data/github_osv/github_osv_test_3.json create mode 100644 vulnerabilities/tests/test_data/github_osv/github_osv_test_4.json create mode 100644 vulnerabilities/tests/test_data/github_osv/github_osv_test_5.json create mode 100644 vulnerabilities/tests/test_data/github_osv/github_osv_test_6.json create mode 100644 vulnerabilities/tests/test_data/github_osv/github_osv_test_7.json create mode 100644 vulnerabilities/tests/test_github_osv.py diff --git a/requirements.txt b/requirements.txt index 042f541da..29a9b2490 100644 --- a/requirements.txt +++ b/requirements.txt @@ -106,7 +106,7 @@ toml==0.10.2 tomli==2.0.1 traitlets==5.1.1 typing_extensions==4.1.1 -univers==30.10.0 +univers==30.11.0 urllib3==1.26.18 wcwidth==0.2.5 websocket-client==0.59.0 diff --git a/vulnerabilities/importers/__init__.py b/vulnerabilities/importers/__init__.py index add6967f8..11c3a089d 100644 --- a/vulnerabilities/importers/__init__.py +++ b/vulnerabilities/importers/__init__.py @@ -18,6 +18,7 @@ from vulnerabilities.importers import fireeye from vulnerabilities.importers import gentoo from vulnerabilities.importers import github +from vulnerabilities.importers import github_osv from vulnerabilities.importers import gitlab from vulnerabilities.importers import istio from vulnerabilities.importers import mozilla @@ -67,6 +68,7 @@ fireeye.FireyeImporter, apache_kafka.ApacheKafkaImporter, oss_fuzz.OSSFuzzImporter, + github_osv.GithubOSVImporter, ] IMPORTERS_REGISTRY = {x.qualified_name: x for x in IMPORTERS_REGISTRY} 
diff --git a/vulnerabilities/importers/github_osv.py b/vulnerabilities/importers/github_osv.py new file mode 100644 index 000000000..bef06a8af --- /dev/null +++ b/vulnerabilities/importers/github_osv.py @@ -0,0 +1,56 @@ +# +# Copyright (c) nexB Inc. and others. All rights reserved. +# VulnerableCode is a trademark of nexB Inc. +# SPDX-License-Identifier: Apache-2.0 +# See http://www.apache.org/licenses/LICENSE-2.0 for the license text. +# See https://github.com/nexB/vulnerablecode for support or download. +# See https://aboutcode.org for more information about nexB OSS projects. +# +import json +import logging +from pathlib import Path +from typing import Iterable + +from vulnerabilities.importer import AdvisoryData +from vulnerabilities.importer import Importer +from vulnerabilities.importers.osv import parse_advisory_data +from vulnerabilities.utils import get_advisory_url + +logger = logging.getLogger(__name__) + + +class GithubOSVImporter(Importer): + license_url = "https://github.com/github/advisory-database/blob/main/LICENSE.md" + spdx_license_expression = "CC-BY-4.0" + repo_url = "git+https://github.com/github/advisory-database/" + importer_name = "GithubOSV Importer" + + def advisory_data(self) -> Iterable[AdvisoryData]: + supported_ecosystems = [ + "pypi", + "npm", + "maven", + "golang", + "composer", + "hex", + "gem", + "nuget", + "cargo", + ] + try: + self.clone(repo_url=self.repo_url) + base_path = Path(self.vcs_response.dest_dir) + # filter out non-github-reviewed files and only keep the files end-with .json + advisory_dirs = base_path / "advisories/github-reviewed" + for file in advisory_dirs.glob("**/*.json"): + advisory_url = get_advisory_url( + file=file, + base_path=base_path, + url="https://github.com/github/advisory-database/blob/main/", + ) + with open(file) as f: + raw_data = json.load(f) + yield parse_advisory_data(raw_data, supported_ecosystems, advisory_url) + finally: + if self.vcs_response: + self.vcs_response.delete() 
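Review bot: `with open(file) as f:` in `GithubOSVImporter.advisory_data` reads each advisory with the process locale's default encoding, and the fixtures in this same patch contain non-ASCII summaries (`à la GLV` in test 6), so on a host running under a C/POSIX locale `json.load` raises `UnicodeDecodeError`; pass `encoding="utf-8"` explicitly. Such a failure, or a single malformed advisory file in the clone, propagates out of the generator and ends the import run for every remaining file, so the decode/parse step should be isolated per file with the error logged and the file skipped, as sketched below. `supported_ecosystems` also restates the values of `PURL_TYPE_BY_OSV_ECOSYSTEM` from `osv.py` by hand; deriving it from that mapping (`sorted(set(PURL_TYPE_BY_OSV_ECOSYSTEM.values()))`) would keep the two from drifting when an ecosystem is added.
```python
            # … unchanged: advisory_url = get_advisory_url(...) …
            # advisory files are UTF-8 JSON; do not depend on the process locale
            with open(file, encoding="utf-8") as f:
                try:
                    raw_data = json.load(f)
                except (UnicodeDecodeError, json.JSONDecodeError) as e:
                    # one bad file must not abort the whole import run
                    logger.error(f"Skipping unreadable advisory {file}: {e}")
                    continue
            yield parse_advisory_data(raw_data, supported_ecosystems, advisory_url)
```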
diff --git a/vulnerabilities/importers/oss_fuzz.py b/vulnerabilities/importers/oss_fuzz.py index e86df5ce8..e81f06fc2 100644 --- a/vulnerabilities/importers/oss_fuzz.py +++ b/vulnerabilities/importers/oss_fuzz.py @@ -40,7 +40,7 @@ def advisory_data(self) -> Iterable[AdvisoryData]: url="https://github.com/pypa/advisory-database/blob/main/", ) yield parse_advisory_data( - yaml_data, supported_ecosystem="oss-fuzz", advisory_url=advisory_url + yaml_data, supported_ecosystems=["oss-fuzz"], advisory_url=advisory_url ) finally: if self.vcs_response: diff --git a/vulnerabilities/importers/osv.py b/vulnerabilities/importers/osv.py index 1bf3f7c36..9497ba44a 100644 --- a/vulnerabilities/importers/osv.py +++ b/vulnerabilities/importers/osv.py @@ -13,10 +13,10 @@ from typing import Optional import dateparser +from cvss.exceptions import CVSS3MalformedError from packageurl import PackageURL from univers.version_range import RANGE_CLASS_BY_SCHEMES from univers.versions import InvalidVersion -from univers.versions import PypiVersion from univers.versions import SemverVersion from univers.versions import Version @@ -31,9 +31,21 @@ logger = logging.getLogger(__name__) +PURL_TYPE_BY_OSV_ECOSYSTEM = { + "npm": "npm", + "pypi": "pypi", + "maven": "maven", + "nuget": "nuget", + "packagist": "composer", + "rubygems": "gem", + "go": "golang", + "hex": "hex", + "cargo": "cargo", +} + def parse_advisory_data( - raw_data: dict, supported_ecosystem, advisory_url: str + raw_data: dict, supported_ecosystems, advisory_url: str ) -> Optional[AdvisoryData]: """ Return an AdvisoryData build from a ``raw_data`` mapping of OSV advisory and 
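Review bot: The `"cargo": "cargo"` entry in `PURL_TYPE_BY_OSV_ECOSYSTEM` appears to be keyed by the purl type rather than by the OSV ecosystem name: the OSV schema (and, as far as I know, the GitHub advisory database this mapping is being added for) names the Rust ecosystem `crates.io`, so after `ecosys.lower()` in `get_affected_purl` Rust advisories would never match and would be dropped as unsupported instead of imported — please confirm against the advisory files. If so the entry should read `"crates.io": "cargo",`. A one-line comment on the dict, `# keys: lower-cased OSV "ecosystem" values; values: purl types`, would make that distinction explicit for whoever adds the next entry.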
@@ -56,18 +68,21 @@ def parse_advisory_data( for affected_pkg in raw_data.get("affected") or []: purl = get_affected_purl(affected_pkg=affected_pkg, raw_id=raw_id) - if purl.type != supported_ecosystem: - logger.error(f"Unsupported package type: {purl!r} in OSV: {raw_id!r}") + + if not purl or purl.type not in supported_ecosystems: + logger.error(f"Unsupported package type: {affected_pkg!r} in OSV: {raw_id!r}") continue affected_version_range = get_affected_version_range( affected_pkg=affected_pkg, raw_id=raw_id, - supported_ecosystem=supported_ecosystem, + supported_ecosystem=purl.type, ) for fixed_range in affected_pkg.get("ranges") or []: - fixed_version = get_fixed_versions(fixed_range=fixed_range, raw_id=raw_id) + fixed_version = get_fixed_versions( + fixed_range=fixed_range, raw_id=raw_id, supported_ecosystem=purl.type + ) for version in fixed_version: affected_packages.append( 
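Review bot: The merged guard `if not purl or purl.type not in supported_ecosystems:` logs at `error` level for every affected entry whose ecosystem is merely outside the mapping, while `get_affected_purl` returns `None` silently for unmapped ecosystems, so if the cloned database contains ecosystems beyond the nine supported ones a full import emits one error line per skipped package and buries genuine parse failures. Skipping an out-of-scope ecosystem is expected behaviour, not an error; I would log it at `debug` (or `warning`) and keep `error` for cases where no purl could be built at all: `logger.debug(f"Skipping unsupported package: {affected_pkg!r} in OSV: {raw_id!r}")`. `parse_advisory_data` begins before this hunk and continues after it.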
@@ -121,14 +136,21 @@ def get_severities(raw_data) -> Iterable[VulnerabilitySeverity]: """ Yield VulnerabilitySeverity extracted from a mapping of OSV ``raw_data`` """ - for severity in raw_data.get("severity") or []: - if severity.get("type") == "CVSS_V3": - vector = severity["score"] - system = SCORING_SYSTEMS["cvssv3.1"] - score = system.compute(vector) - yield VulnerabilitySeverity(system=system, value=score, scoring_elements=vector) - else: - logger.error(f"Unsupported severity type: {severity!r} for OSV id: {raw_data['id']!r}") + try: + for severity in raw_data.get("severity") or []: + if severity.get("type") == "CVSS_V3": + vector = severity["score"] + valid_vector = vector[::-1] if vector[-1] == "/" else vector + system = SCORING_SYSTEMS["cvssv3.1"] + score = system.compute(valid_vector) + yield VulnerabilitySeverity(system=system, value=score, scoring_elements=vector) + + else: + logger.error( + f"Unsupported severity type: {severity!r} for OSV id: {raw_data['id']!r}" + ) + except CVSS3MalformedError as e: + logger.error(f"Invalid severity {e}") ecosystem_specific = raw_data.get("ecosystem_specific") or {} severity = ecosystem_specific.get("severity") 
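Review bot: `valid_vector = vector[::-1] if vector[-1] == "/" else vector` reverses the whole vector instead of dropping the trailing slash (`[::-1]` is a reverse slice; `[:-1]` strips the last character), so any vector ending in `/` is always handed to `compute` malformed, and `vector[-1]` raises an uncaught `IndexError` on an empty score. Because the new `try` wraps the entire `for` loop, the first `CVSS3MalformedError` also terminates iteration and silently drops every later severity entry of the advisory. I would test with `vector.endswith("/")`, move the `try` around the single `compute` call and `continue` on failure, as below. Separately, the fixtures in this patch record `CVSS:3.0/...` vectors under the `cvssv3.1` system — probably pre-existing, but worth a comment or a prefix check while this code is being touched.
```python
    for severity in raw_data.get("severity") or []:
        if severity.get("type") != "CVSS_V3":
            logger.error(f"Unsupported severity type: {severity!r} for OSV id: {raw_data['id']!r}")
            continue
        vector = severity["score"]
        # drop a stray trailing separator; `[::-1]` would reverse the whole vector
        valid_vector = vector[:-1] if vector.endswith("/") else vector
        system = SCORING_SYSTEMS["cvssv3.1"]
        try:
            score = system.compute(valid_vector)
        except CVSS3MalformedError as e:
            # one bad vector must not drop the remaining severity entries
            logger.error(f"Invalid severity {e} for OSV id: {raw_data['id']!r}")
            continue
        yield VulnerabilitySeverity(system=system, value=score, scoring_elements=vector)
    # … unchanged: ecosystem_specific severity handling …
```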
@@ -173,21 +195,31 @@ def get_affected_purl(affected_pkg, raw_id): purl = package.get("purl") if purl: try: - return PackageURL.from_string(purl) + purl = PackageURL.from_string(purl) except ValueError: logger.error( f"Invalid PackageURL: {purl!r} for OSV " f"affected_pkg {affected_pkg} and id: {raw_id}" ) - - ecosys = package.get("ecosystem") - name = package.get("name") - if ecosys and name: - return PackageURL(type=ecosys, name=name) - - logger.error( - f"No PackageURL possible: {purl!r} for affected_pkg {affected_pkg} for OSV id: {raw_id}" - ) + else: + ecosys = package.get("ecosystem") + name = package.get("name") + if ecosys and name: + ecosys = ecosys.lower() + purl_type = PURL_TYPE_BY_OSV_ECOSYSTEM.get(ecosys) + if not purl_type: + return + namespace = "" + if purl_type == "maven": + namespace, _, name = name.partition(":") + + purl = PackageURL(type=purl_type, namespace=namespace, name=name) + else: + logger.error( + f"No PackageURL possible: {purl!r} for affected_pkg {affected_pkg} for OSV id: {raw_id}" + ) + return + return PackageURL.from_string(str(purl)) def get_affected_version_range(affected_pkg, raw_id, supported_ecosystem): 
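Review bot: In the `if purl:` branch of `get_affected_purl`, when `PackageURL.from_string(purl)` raises `ValueError` the error is logged but execution falls through to the final `return PackageURL.from_string(str(purl))` with `purl` still the invalid string, so the same `ValueError` is raised a second time, uncaught, and aborts the whole import run. Add `return` after the `logger.error(...)` call in that `except ValueError` branch so the caller receives `None` as it does on the other failure paths. The trailing `from_string(str(purl))` round-trip also deserves a comment, since it appears to be what normalises the constructed purl (the `namespace=""` placeholder, and presumably splitting a `vendor/name` or `host/path` name into namespace and name, as the golang fixtures suggest — confirm): `# re-parse to normalise the purl (empty namespace -> None, namespace split from name)`.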
@@ -206,18 +238,17 @@ def get_affected_version_range(affected_pkg, raw_id, supported_ecosystem): ) -def get_fixed_versions(fixed_range, raw_id) -> List[Version]: +def get_fixed_versions(fixed_range, raw_id, supported_ecosystem) -> List[Version]: """ Return a list of unique fixed univers Versions given a ``fixed_range`` univers VersionRange and a ``raw_id``. - For example:: - - >>> get_fixed_versions(fixed_range={}, raw_id="GHSA-j3f7-7rmc-6wqj") + >>> get_fixed_versions(fixed_range={}, raw_id="GHSA-j3f7-7rmc-6wqj", supported_ecosystem="pypi",) [] >>> get_fixed_versions( - ... fixed_range={"type": "ECOSYSTEM", "events": [{"fixed": "1.7.0"}]}, - ... raw_id="GHSA-j3f7-7rmc-6wqj" + ... fixed_range={"type": "ECOSYSTEM", "events": [{"fixed": "1.7.0"}], }, + ... raw_id="GHSA-j3f7-7rmc-6wqj", + ... supported_ecosystem="pypi", ... ) [PypiVersion(string='1.7.0')] """ 
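Review bot: The new required `supported_ecosystem` parameter of `get_fixed_versions` is exercised by the doctest but never described, and the docstring still calls `fixed_range` a "univers VersionRange" although the examples (and the `fixed_range["type"]` access in the body) show it is the OSV range mapping. I would rewrite the opening sentence as `Return a list of unique fixed univers Versions given an OSV ``fixed_range`` mapping, a ``raw_id`` and a ``supported_ecosystem`` purl type.` and add a line stating that `supported_ecosystem` (e.g. `"pypi"`, `"golang"`) is the key into `RANGE_CLASS_BY_SCHEMES` used to pick the Version class for `ECOSYSTEM` ranges. The function body continues in the next hunk.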
@@ -228,21 +259,27 @@ def get_fixed_versions(fixed_range, raw_id) -> List[Version]: fixed_range_type = fixed_range["type"] - for version in extract_fixed_versions(fixed_range): + version_range_class = RANGE_CLASS_BY_SCHEMES.get(supported_ecosystem) + version_class = version_range_class.version_class if version_range_class else None - # FIXME: ECOSYSTEM does not imply PyPI!!!! + for version in extract_fixed_versions(fixed_range): if fixed_range_type == "ECOSYSTEM": try: - fixed_versions.append(PypiVersion(version)) + if not version_class: + raise InvalidVersion( + f"Unsupported version for ecosystem: {supported_ecosystem}" + ) + fixed_versions.append(version_class(version)) except InvalidVersion: - logger.error(f"Invalid PypiVersion: {version!r} for OSV id: {raw_id!r}") + logger.error( + f"Invalid version class: {version_class} - {version!r} for OSV id: {raw_id!r}" + ) elif fixed_range_type == "SEMVER": try: fixed_versions.append(SemverVersion(version)) except InvalidVersion: logger.error(f"Invalid SemverVersion: {version!r} for OSV id: {raw_id!r}") - else: logger.error(f"Unsupported fixed version type: {version!r} for OSV id: {raw_id!r}") diff --git a/vulnerabilities/importers/pypa.py b/vulnerabilities/importers/pypa.py index 0f545be55..e0648e1c2 100644 --- a/vulnerabilities/importers/pypa.py +++ b/vulnerabilities/importers/pypa.py @@ -34,7 +34,7 @@ def advisory_data(self) -> Iterable[AdvisoryData]: for advisory_url, raw_data in fork_and_get_files(base_path=path): yield parse_advisory_data( raw_data=raw_data, - supported_ecosystem="pypi", + supported_ecosystems=["pypi"], advisory_url=advisory_url, ) finally: diff --git a/vulnerabilities/importers/pysec.py b/vulnerabilities/importers/pysec.py index b42d7cb7e..058747463 100644 --- a/vulnerabilities/importers/pysec.py +++ b/vulnerabilities/importers/pysec.py 
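Review bot: In the `ECOSYSTEM` branch the unsupported-ecosystem case is detected by raising `InvalidVersion` only to catch it on the next line, which repeats the check for every fixed version in the range and logs a misleading `Invalid version class: None - '1.7.0' ...` message that reads like a bad version string. Hoist the check above the loop with its own wording, e.g. `if fixed_range_type == "ECOSYSTEM" and version_class is None:` / `logger.error(f"Unsupported ecosystem {supported_ecosystem!r} for OSV id: {raw_id!r}")` / `return fixed_versions`, and leave the `try` to catch a genuine `InvalidVersion` from `version_class(version)`. The function's return statement is not visible in this hunk. Also note the final `else` still logs `version!r` rather than `fixed_range_type`, so the "Unsupported fixed version type" message never shows which type was unsupported.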
@@ -40,5 +40,5 @@ def advisory_data(self) -> Iterable[AdvisoryData]: with zip_file.open(file_name) as f: vul_info = json.load(f) yield parse_advisory_data( - raw_data=vul_info, supported_ecosystem="pypi", advisory_url=url + raw_data=vul_info, supported_ecosystems=["pypi"], advisory_url=url ) diff --git a/vulnerabilities/improvers/__init__.py b/vulnerabilities/improvers/__init__.py index 9880bf9ee..0a9641f7b 100644 --- a/vulnerabilities/improvers/__init__.py +++ b/vulnerabilities/improvers/__init__.py @@ -24,6 +24,7 @@ valid_versions.DebianOvalImprover, valid_versions.UbuntuOvalImprover, valid_versions.OSSFuzzImprover, + valid_versions.GithubOSVImprover, vulnerability_status.VulnerabilityStatusImprover, ] diff --git a/vulnerabilities/improvers/valid_versions.py b/vulnerabilities/improvers/valid_versions.py index cada4bbb6..885d2060b 100644 --- a/vulnerabilities/improvers/valid_versions.py +++ b/vulnerabilities/improvers/valid_versions.py @@ -32,6 +32,7 @@ from vulnerabilities.importers.debian_oval import DebianOvalImporter from vulnerabilities.importers.elixir_security import ElixirSecurityImporter from vulnerabilities.importers.github import GitHubAPIImporter +from vulnerabilities.importers.github_osv import GithubOSVImporter from vulnerabilities.importers.gitlab import GitLabAPIImporter from vulnerabilities.importers.istio import IstioImporter from vulnerabilities.importers.nginx import NginxImporter @@ -460,3 +461,8 @@ class UbuntuOvalImprover(ValidVersionImprover): class OSSFuzzImprover(ValidVersionImprover): importer = OSSFuzzImporter ignorable_versions = [] + + +class GithubOSVImprover(ValidVersionImprover): + importer = GithubOSVImporter + ignorable_versions = [] diff --git a/vulnerabilities/tests/test_data/github_osv/github_osv_expected_1.json b/vulnerabilities/tests/test_data/github_osv/github_osv_expected_1.json new file mode 100644 index 000000000..2182e5db4 --- /dev/null +++ b/vulnerabilities/tests/test_data/github_osv/github_osv_expected_1.json 
@@ -0,0 +1,122 @@ +{ + "aliases": [ + "CVE-2015-8315", + "GHSA-3fx5-fwvr-xrjg" + ], + "summary": "Regular Expression Denial of Service in ms\nVersions of `ms` prior to 0.7.1 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.\n\n## Proof of Concept\n```javascript\nvar ms = require('ms');\nvar genstr = function (len, chr) {\n var result = \"\";\n for (i=0; i<=len; i++) {\n result = result + chr;\n }\n\n return result;\n}\n\nms(genstr(process.argv[2], \"5\") + \" minutea\");\n\n```\n\n### Results\nShowing increase in execution time based on the input string.\n```\n$ time node ms.js 10000\n\nreal\t0m0.758s\nuser\t0m0.724s\nsys\t0m0.031s\n\n$ time node ms.js 20000\n\nreal\t0m2.580s\nuser\t0m2.494s\nsys\t0m0.047s\n\n$ time node ms.js 30000\n\nreal\t0m5.747s\nuser\t0m5.483s\nsys\t0m0.080s\n\n$ time node ms.js 80000\n\nreal\t0m41.022s\nuser\t0m38.894s\nsys\t0m0.529s\n```", + "affected_packages": [ + { + "package": { + "type": "npm", + "namespace": null, + "name": "ms", + "version": null, + "qualifiers": null, + "subpath": null + }, + "affected_version_range": null, + "fixed_version": "0.7.1" + } + ], + "references": [ + { + "reference_id": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8315", + "severities": [ + { + "system": "cvssv3.1", + "value": "7.5", + "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "system": "generic_textual", + "value": "HIGH", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "https://github.com/unshiftio/millisecond/", + "severities": [ + { + "system": "cvssv3.1", + "value": "7.5", + "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "system": "generic_textual", + "value": "HIGH", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "https://support.f5.com/csp/article/K46337613?utm_source=f5support&utm_medium=RSS", + "severities": [ + { + "system": "cvssv3.1", + "value": 
"7.5", + "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "system": "generic_textual", + "value": "HIGH", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "https://www.npmjs.com/advisories/46", + "severities": [ + { + "system": "cvssv3.1", + "value": "7.5", + "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "system": "generic_textual", + "value": "HIGH", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "http://www.openwall.com/lists/oss-security/2016/04/20/11", + "severities": [ + { + "system": "cvssv3.1", + "value": "7.5", + "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "system": "generic_textual", + "value": "HIGH", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "http://www.securityfocus.com/bid/96389", + "severities": [ + { + "system": "cvssv3.1", + "value": "7.5", + "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "system": "generic_textual", + "value": "HIGH", + "scoring_elements": "" + } + ] + } + ], + "date_published": "2017-10-24T18:33:36+00:00", + "weaknesses": [400], + "url": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/github_osv_test_1.json" +} \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/github_osv/github_osv_expected_2.json b/vulnerabilities/tests/test_data/github_osv/github_osv_expected_2.json new file mode 100644 index 000000000..8a23cff27 --- /dev/null +++ b/vulnerabilities/tests/test_data/github_osv/github_osv_expected_2.json 
@@ -0,0 +1,79 @@ +{ + "aliases": [ + "CVE-2022-1036", + "GHSA-3qr6-qrqm-8v86" + ], + "summary": "Integer Overflow or Wraparound in Microweber\nIn Microweber prior to 1.2.12, a user can create an account with a password thousands of characters in length, leading to memory corruption/integer overflow. Version 1.2.2 sets maximum password length at 500 characters.", + "affected_packages": [ + + ], + "references": [ + { + "reference_id": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1036", + "severities": [ + { + "system": "cvssv3.1", + "value": "7.5", + "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "system": "generic_textual", + "value": "HIGH", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "https://github.com/microweber/microweber/commit/82be4f0b4729be870ccefdae99a04833f134aa6a", + "severities": [ + { + "system": "cvssv3.1", + "value": "7.5", + "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "system": "generic_textual", + "value": "HIGH", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "https://github.com/microweber/microweber", + "severities": [ + { + "system": "cvssv3.1", + "value": "7.5", + "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "system": "generic_textual", + "value": "HIGH", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "https://huntr.dev/bounties/db615581-d5a9-4ca5-a3e9-7a39eceaa424", + "severities": [ + { + "system": "cvssv3.1", + "value": "7.5", + "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "system": "generic_textual", + "value": "HIGH", + "scoring_elements": "" + } + ] + } + ], + "date_published": "2022-03-23T00:00:23+00:00", + "weaknesses": [190], + "url": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/github_osv_test_2.json" +} \ No newline at end of file 
diff --git a/vulnerabilities/tests/test_data/github_osv/github_osv_expected_3.json b/vulnerabilities/tests/test_data/github_osv/github_osv_expected_3.json new file mode 100644 index 000000000..7bfc88189 --- /dev/null +++ b/vulnerabilities/tests/test_data/github_osv/github_osv_expected_3.json 
@@ -0,0 +1,142 @@ +{ + "aliases": [ + "CVE-2020-10688", + "GHSA-29qj-rvv6-qrmv" + ], + "summary": "Cross-site scripting in RESTEasy\nA cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack.", + "affected_packages": [ + { + "package": { + "type": "maven", + "namespace": "org.jboss.resteasy", + "name": "resteasy-bom", + "version": null, + "qualifiers": null, + "subpath": null + }, + "affected_version_range": null, + "fixed_version": "3.11.1.Final" + }, + { + "package": { + "type": "maven", + "namespace": "org.jboss.resteasy", + "name": "resteasy-bom", + "version": null, + "qualifiers": null, + "subpath": null + }, + "affected_version_range": null, + "fixed_version": "4.5.3.Final" + }, + { + "package": { + "type": "maven", + "namespace": "org.jboss.resteasy", + "name": "resteasy-core", + "version": null, + "qualifiers": null, + "subpath": null + }, + "affected_version_range": null, + "fixed_version": "3.11.1.Final" + }, + { + "package": { + "type": "maven", + "namespace": "org.jboss.resteasy", + "name": "resteasy-core", + "version": null, + "qualifiers": null, + "subpath": null + }, + "affected_version_range": null, + "fixed_version": "4.5.3.Final" + } + ], + "references": [ + { + "reference_id": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10688", + "severities": [ + { + "system": "cvssv3.1", + "value": "5.4", + "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" + }, + { + "system": "generic_textual", + "value": "MODERATE", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "https://github.com/quarkusio/quarkus/issues/7248", + "severities": [ + { + "system": "cvssv3.1", + "value": "5.4", + "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" + }, + { + "system": "generic_textual", + "value": 
"MODERATE", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1814974", + "severities": [ + { + "system": "cvssv3.1", + "value": "5.4", + "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" + }, + { + "system": "generic_textual", + "value": "MODERATE", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "https://issues.redhat.com/browse/RESTEASY-2519", + "severities": [ + { + "system": "cvssv3.1", + "value": "5.4", + "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" + }, + { + "system": "generic_textual", + "value": "MODERATE", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "https://security.netapp.com/advisory/ntap-20210706-0008/", + "severities": [ + { + "system": "cvssv3.1", + "value": "5.4", + "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" + }, + { + "system": "generic_textual", + "value": "MODERATE", + "scoring_elements": "" + } + ] + } + ], + "date_published": "2021-06-15T16:05:22+00:00", + "weaknesses": [79], + "url": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/github_osv_test_3.json" +} \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/github_osv/github_osv_expected_4.json b/vulnerabilities/tests/test_data/github_osv/github_osv_expected_4.json new file mode 100644 index 000000000..a58d9cb0b --- /dev/null +++ b/vulnerabilities/tests/test_data/github_osv/github_osv_expected_4.json 
@@ -0,0 +1,194 @@ +{ + "aliases": [ + "CVE-2011-0447", + "GHSA-24fg-p96v-hxh8" + ], + "summary": "Moderate severity vulnerability that affects rails\nRuby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage \"combinations of browser plugins and HTTP redirects,\" a related issue to CVE-2011-0696.", + "affected_packages": [ + { + "package": { + "type": "gem", + "namespace": null, + "name": "rails", + "version": null, + "qualifiers": null, + "subpath": null + }, + "affected_version_range": null, + "fixed_version": "2.3.11" + }, + { + "package": { + "type": "gem", + "namespace": null, + "name": "rails", + "version": null, + "qualifiers": null, + "subpath": null + }, + "affected_version_range": null, + "fixed_version": "3.0.4" + } + ], + "references": [ + { + "reference_id": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-0447", + "severities": [ + { + "system": "generic_textual", + "value": "MODERATE", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "https://github.com/advisories/GHSA-24fg-p96v-hxh8", + "severities": [ + { + "system": "generic_textual", + "value": "MODERATE", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "http://groups.google.com/group/rubyonrails-security/msg/c22ea1668c0d181c?dmode=source&output=gplain", + "severities": [ + { + "system": "generic_textual", + "value": "MODERATE", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html", + "severities": [ + { + "system": "generic_textual", + "value": "MODERATE", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": 
"http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html", + "severities": [ + { + "system": "generic_textual", + "value": "MODERATE", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html", + "severities": [ + { + "system": "generic_textual", + "value": "MODERATE", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "http://secunia.com/advisories/43274", + "severities": [ + { + "system": "generic_textual", + "value": "MODERATE", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "http://secunia.com/advisories/43666", + "severities": [ + { + "system": "generic_textual", + "value": "MODERATE", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails", + "severities": [ + { + "system": "generic_textual", + "value": "MODERATE", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "http://www.debian.org/security/2011/dsa-2247", + "severities": [ + { + "system": "generic_textual", + "value": "MODERATE", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "http://www.securityfocus.com/bid/46291", + "severities": [ + { + "system": "generic_textual", + "value": "MODERATE", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "http://www.securitytracker.com/id?1025060", + "severities": [ + { + "system": "generic_textual", + "value": "MODERATE", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "http://www.vupen.com/english/advisories/2011/0587", + "severities": [ + { + "system": "generic_textual", + "value": "MODERATE", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "http://www.vupen.com/english/advisories/2011/0877", + "severities": [ + { + "system": "generic_textual", + "value": "MODERATE", + 
"scoring_elements": "" + } + ] + } + ], + "date_published": "2017-10-24T18:33:38+00:00", + "weaknesses": [ + 352 + ], + "url": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/github_osv_test_4.json" +} \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/github_osv/github_osv_expected_5.json b/vulnerabilities/tests/test_data/github_osv/github_osv_expected_5.json new file mode 100644 index 000000000..41718243e --- /dev/null +++ b/vulnerabilities/tests/test_data/github_osv/github_osv_expected_5.json 
@@ -0,0 +1,224 @@ +{ + "aliases": [ + "CVE-2023-2727", + "GHSA-qc2g-gmh6-95p4" + ], + "summary": "kube-apiserver vulnerable to policy bypass\nUsers may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.", + "affected_packages": [ + { + "package": { + "type": "golang", + "namespace": "k8s.io", + "name": "kubernetes", + "version": null, + "qualifiers": null, + "subpath": null + }, + "affected_version_range": null, + "fixed_version": "1.27.3" + }, + { + "package": { + "type": "golang", + "namespace": "k8s.io", + "name": "kubernetes", + "version": null, + "qualifiers": null, + "subpath": null + }, + "affected_version_range": null, + "fixed_version": "1.26.6" + }, + { + "package": { + "type": "golang", + "namespace": "k8s.io", + "name": "kubernetes", + "version": null, + "qualifiers": null, + "subpath": null + }, + "affected_version_range": null, + "fixed_version": "1.25.11" + }, + { + "package": { + "type": "golang", + "namespace": "k8s.io", + "name": "kubernetes", + "version": null, + "qualifiers": null, + "subpath": null + }, + "affected_version_range": null, + "fixed_version": "1.24.15" + } + ], + "references": [ + { + "reference_id": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2727", + "severities": [ + { + "system": "cvssv3.1", + "value": "6.5", + "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N" + }, + { + "system": "generic_textual", + "value": "MODERATE", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "https://github.com/kubernetes/kubernetes/issues/118640", + "severities": [ + { + "system": "cvssv3.1", + "value": "6.5", + "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N" + }, + { + "system": "generic_textual", + "value": "MODERATE", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + 
"url": "https://github.com/kubernetes/kubernetes/pull/118356", + "severities": [ + { + "system": "cvssv3.1", + "value": "6.5", + "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N" + }, + { + "system": "generic_textual", + "value": "MODERATE", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "https://github.com/kubernetes/kubernetes/pull/118471", + "severities": [ + { + "system": "cvssv3.1", + "value": "6.5", + "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N" + }, + { + "system": "generic_textual", + "value": "MODERATE", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "https://github.com/kubernetes/kubernetes/pull/118473", + "severities": [ + { + "system": "cvssv3.1", + "value": "6.5", + "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N" + }, + { + "system": "generic_textual", + "value": "MODERATE", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "https://github.com/kubernetes/kubernetes/pull/118474", + "severities": [ + { + "system": "cvssv3.1", + "value": "6.5", + "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N" + }, + { + "system": "generic_textual", + "value": "MODERATE", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "https://github.com/kubernetes/kubernetes/pull/118512", + "severities": [ + { + "system": "cvssv3.1", + "value": "6.5", + "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N" + }, + { + "system": "generic_textual", + "value": "MODERATE", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "https://github.com/kubernetes/kubernetes", + "severities": [ + { + "system": "cvssv3.1", + "value": "6.5", + "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N" + }, + { + "system": "generic_textual", + "value": "MODERATE", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": 
"https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8", + "severities": [ + { + "system": "cvssv3.1", + "value": "6.5", + "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N" + }, + { + "system": "generic_textual", + "value": "MODERATE", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "http://www.openwall.com/lists/oss-security/2023/07/06/2", + "severities": [ + { + "system": "cvssv3.1", + "value": "6.5", + "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N" + }, + { + "system": "generic_textual", + "value": "MODERATE", + "scoring_elements": "" + } + ] + } + ], + "date_published": "2023-07-03T21:30:57+00:00", + "weaknesses": [ + 20 + ], + "url": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/github_osv_test_5.json" +} \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/github_osv/github_osv_expected_6.json b/vulnerabilities/tests/test_data/github_osv/github_osv_expected_6.json new file mode 100644 index 000000000..a2aa7984c --- /dev/null +++ b/vulnerabilities/tests/test_data/github_osv/github_osv_expected_6.json 
@@ -0,0 +1,91 @@ +{ + "aliases": [ + "GHSA-pffg-92cg-xf5c" + ], + "summary": "gnark-crypto's exponentiation in the pairing target group GT using GLV can give incorrect results\n### Impact\nWhen the exponent is bigger than `r`, the group order of the pairing target group `GT`, the exponentiation à la GLV (`ExpGLV`) can *sometimes* give incorrect results compared to normal exponentiation (`Exp`). \n\nThe issue impacts all users using `ExpGLV` for exponentiations in `GT`. This does not impact `Exp` and `ExpCyclotomic` which are sound. Also note that GLV methods in G1 and G2 are sound and _not_ impacted.\n\n### Patches\nFix has been implemented in pull request https://github.com/Consensys/gnark-crypto/pull/451 and merged in commit https://github.com/Consensys/gnark-crypto/commit/ec6be1a037f7c496d595c541a8a8d31c47bcfa3d to master branch.\n\nThe fix increased the bounds of the sub-scalars by 1. In fact, since https://github.com/Consensys/gnark-crypto/pull/213, we use a fast scalar decomposition that tradeoffs divisions (needed in the Babai rounding) by right-shifts. We precompute `b=2^m*v/d (m > log2(d))` and then at runtime compute `scalar*b/2^m` (`v` is a lattice vector and `d` the lattice determinant). This increases the bounds on sub-scalars by 1 which we check at runtime before increasing the loop size (we don't target constant-timeness). `m` is chosen to be a machine word twice big than `log2(d)` so that we rarely need to increase the loop size. Hence why the issue happens only *sometimes* if we omit to increase the bounds. This bounds increase was implemented in G1 and G2 but forgot in GT.\n\n### Workarounds\nUpdating to `v0.12.1+`. Alternatively, use `Exp` or `ExpCyclotomic` instead. 
We are not aware of any users using `ExpGLV` anyway.\n\n### References\n- Fix PR: https://github.com/Consensys/gnark-crypto/pull/451 \n- Fast scalar decomposition PR: https://github.com/Consensys/gnark-crypto/pull/213\n- https://eprint.iacr.org/2015/565 Sec.4.2\n\n### Acknowledgement\nThe vulnerability was reported by [Antonio Sanso](https://github.com/asanso) @ [EF](https://crypto.ethereum.org/).", + "affected_packages": [ + { + "package": { + "type": "golang", + "namespace": "github.com/consensys", + "name": "gnark-crypto", + "version": null, + "qualifiers": null, + "subpath": null + }, + "affected_version_range": null, + "fixed_version": "0.12.1" + } + ], + "references": [ + { + "reference_id": "", + "url": "https://github.com/Consensys/gnark-crypto/security/advisories/GHSA-pffg-92cg-xf5c", + "severities": [ + { + "system": "generic_textual", + "value": "LOW", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "https://github.com/Consensys/gnark-crypto/pull/213", + "severities": [ + { + "system": "generic_textual", + "value": "LOW", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "https://github.com/Consensys/gnark-crypto/pull/451", + "severities": [ + { + "system": "generic_textual", + "value": "LOW", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "https://github.com/Consensys/gnark-crypto/commit/ec6be1a037f7c496d595c541a8a8d31c47bcfa3d", + "severities": [ + { + "system": "generic_textual", + "value": "LOW", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "https://eprint.iacr.org/2015/565", + "severities": [ + { + "system": "generic_textual", + "value": "LOW", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "https://github.com/Consensys/gnark-crypto", + "severities": [ + { + "system": "generic_textual", + "value": "LOW", + "scoring_elements": "" + } + ] + } + ], + "date_published": "2023-10-05T20:57:20+00:00", + "weaknesses": [], + "url": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/github_osv_test_6.json" +} \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/github_osv/github_osv_expected_7.json b/vulnerabilities/tests/test_data/github_osv/github_osv_expected_7.json new file mode 100644 index 000000000..c38362a20 --- /dev/null +++ b/vulnerabilities/tests/test_data/github_osv/github_osv_expected_7.json 
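Review bot: Every entry in `affected_packages` here is pinned with `"affected_version_range": null`, even though the matching input fixture github_osv_test_6.json (later in this patch) carries an `introduced`/`fixed` event pair and a `last_known_affected_version_range` of `<= 0.12.0`; only `fixed_version` survives. If discarding the range and keeping just the fixed version is the intended behaviour of the new importer, that decision should be stated in the test that loads these fixtures, otherwise this expected file is asserting a loss of vulnerability-range information. The same applies to github_osv_expected_7.json, where in addition the nuget `package` objects serialize empty `namespace`/`version`/`qualifiers`/`subpath` as `""` while the golang entry here serializes them as `null`; the two expected files therefore assert two different encodings of the same structure, which is presumably unintended and worth normalizing before these fixtures become the contract.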
@@ -0,0 +1,150 @@ +{ + "aliases": [ + "CVE-2023-36796", + "GHSA-h7jm-g87p-5935" + ], + "summary": "# Microsoft Security Advisory CVE-2023-36796: .NET Remote Code Execution Vulnerability\n\n## Executive summary\n\nMicrosoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.\n\nA vulnerability exists in Microsoft.DiaSymReader.Native.amd64.dll when reading a corrupted PDB file which may lead to remote code execution. This issue only affects Windows systems.\n\n**Note:** The vulnerabilities [CVE-2023-36792]( https://www.cve.org/CVERecord?id=CVE-2023-36792), [CVE-2023-36793]( https://www.cve.org/CVERecord?id=CVE-2023-36793), [CVE-2023-36792]( https://www.cve.org/CVERecord?id=CVE-2023-36794), [CVE-2023-36796]( https://www.cve.org/CVERecord?id=CVE-2023-36796) are all resolved by a single patch. Get [affected software](#affected-software) to resolve all of them.\n\n## Discussion\n\nDiscussion for this issue can be found at https://github.com/dotnet/runtime/issues/91948\n\n### Mitigation factors\n\nMicrosoft has not identified any mitigating factors for this vulnerability.\n\n## Affected software\n\n* Any .NET 7.0 application running on .NET 7.0.10 or earlier.\n* Any .NET 6.0 application running on .NET 6.0.21 or earlier.\n\nIf your application uses the following package versions, ensure you update to the latest version of .NET.\n\n### .NET 7\n\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[Microsoft.NETCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.NETCore.App.Runtime.win-arm64) | >= 7.0.0, <= 7.0.10 | 7.0.11\n[Microsoft.NETCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.NETCore.App.Runtime.win-x64) | >= 7.0.0, <= 7.0.10 | 
7.0.11\n[Microsoft.NETCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.NETCore.App.Runtime.win-x86) | >= 7.0.0, <= 7.0.10 | 7.0.11\n\n### .NET 6\n\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[Microsoft.NETCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.NETCore.App.Runtime.win-arm64) | >= 6.0.0, <= 6.0.21 | 6.0.22\n[Microsoft.NETCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.NETCore.App.Runtime.win-x64) | >= 6.0.0, <= 6.0.21 | 6.0.22\n[Microsoft.NETCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.NETCore.App.Runtime.win-x86) | >= 6.0.0, <= 6.0.21 | 6.0.22\n\n\n## Advisory FAQ\n\n### How do I know if I am affected?\n\nIf you have a runtime or SDK with a version listed, or an affected package listed in [affected software](#affected-software), you're exposed to the vulnerability.\n\n### How do I fix the issue?\n\n* To fix the issue please install the latest version of .NET 6.0 or .NET 7.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.\n* If you are using one of the affected packages, please update to the patched version listed above.\n* If you have .NET 6.0 or greater installed, you can list the versions you have installed by running the `dotnet --info` command. 
You will see output like the following;\n\n```\n.NET Core SDK (reflecting any global.json):\n\n Version: 6.0.300\n Commit: 8473146e7d\n\nRuntime Environment:\n\n OS Name: Windows\n OS Version: 10.0.18363\n OS Platform: Windows\n RID: win10-x64\n Base Path: C:\\Program Files\\dotnet\\sdk\\6.0.300\\\n\nHost (useful for support):\n\n Version: 6.0.5\n Commit: 8473146e7d\n\n.NET Core SDKs installed:\n\n 6.0.300 [C:\\Program Files\\dotnet\\sdk]\n\n.NET Core runtimes installed:\n\n Microsoft.AspNetCore.App 6.0.5 [C:\\Program Files\\dotnet\\shared\\Microsoft.AspNetCore.App]\n Microsoft.NETCore.App 6.0.5 [C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App]\n Microsoft.WindowsDesktop.App 6.0.5 [C:\\Program Files\\dotnet\\shared\\Microsoft.WindowsDesktop.App]\n\nTo install additional .NET Core runtimes or SDKs:\n https://aka.ms/dotnet-download\n```\n\n* If you're using .NET 7.0, you should download and install Runtime 7.0.11 or SDK 7.0.111 (for Visual Studio 2022 v17.4) from https://dotnet.microsoft.com/download/dotnet-core/7.0.\n* If you're using .NET 6.0, you should download and install Runtime 6.0.22 or SDK 6.0.317 (for Visual Studio 2022 v17.2) from https://dotnet.microsoft.com/download/dotnet-core/6.0.\n\n.NET 6.0 and and .NET 7.0 updates are also available from Microsoft Update. To access this either type \"Check for updates\" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.\n\nOnce you have installed the updated runtime or SDK, restart your apps for the update to take effect.\n\nAdditionally, if you've deployed [self-contained applications](https://docs.microsoft.com/dotnet/core/deploying/#self-contained-deployments-scd) targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.\n\n## Other Information\n\n### Reporting Security Issues\n\nIf you have found a potential security issue in .NET 6.0 or .NET 7.0, please email details to secure@microsoft.com. 
Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at .\n\n### Support\n\nYou can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.\n\n### Disclaimer\n\nThe information provided in this advisory is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. 
Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\n\n### External Links\n\n[CVE-2023-36796]( https://www.cve.org/CVERecord?id=CVE-2023-36796)\n\n### Revisions\n\nV1.0 (September 12, 2023): Advisory published.\n\n_Version 1.0_\n\n_Last Updated 2023-09-12_", + "affected_packages": [ + { + "package": { + "type": "nuget", + "namespace": "", + "name": "Microsoft.NETCore.App.Runtime.win-arm64", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "7.0.11" + }, + { + "package": { + "type": "nuget", + "namespace": "", + "name": "Microsoft.NETCore.App.Runtime.win-arm64", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "6.0.22" + }, + { + "package": { + "type": "nuget", + "namespace": "", + "name": "Microsoft.NETCore.App.Runtime.win-x64", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "7.0.11" + }, + { + "package": { + "type": "nuget", + "namespace": "", + "name": "Microsoft.NETCore.App.Runtime.win-x64", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "6.0.22" + }, + { + "package": { + "type": "nuget", + "namespace": "", + "name": "Microsoft.NETCore.App.Runtime.win-x86", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "6.0.22" + }, + { + "package": { + "type": "nuget", + "namespace": "", + "name": "Microsoft.NETCore.App.Runtime.win-x86", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "7.0.11" + } + ], + "references": [ + { + "reference_id": "", + "url": "https://github.com/dotnet/runtime/security/advisories/GHSA-h7jm-g87p-5935", + "severities": [ + { + "system": "cvssv3.1", + "value": "7.8", + 
"scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "system": "generic_textual", + "value": "HIGH", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36796", + "severities": [ + { + "system": "cvssv3.1", + "value": "7.8", + "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "system": "generic_textual", + "value": "HIGH", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "https://github.com/dotnet/runtime", + "severities": [ + { + "system": "cvssv3.1", + "value": "7.8", + "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "system": "generic_textual", + "value": "HIGH", + "scoring_elements": "" + } + ] + }, + { + "reference_id": "", + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36796", + "severities": [ + { + "system": "cvssv3.1", + "value": "7.8", + "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "system": "generic_textual", + "value": "HIGH", + "scoring_elements": "" + } + ] + } + ], + "date_published": "2023-09-12T20:05:18+00:00", + "weaknesses": [], + "url": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/github_osv_test_7.json" +} \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/github_osv/github_osv_test_1.json b/vulnerabilities/tests/test_data/github_osv/github_osv_test_1.json new file mode 100644 index 000000000..02583ee61 --- /dev/null +++ b/vulnerabilities/tests/test_data/github_osv/github_osv_test_1.json 
@@ -0,0 +1,71 @@ +{ + "schema_version": "1.3.0", + "id": "GHSA-3fx5-fwvr-xrjg", + "modified": "2021-09-22T20:19:52Z", + "published": "2017-10-24T18:33:36Z", + "aliases": [ + "CVE-2015-8315" + ], + "summary": "Regular Expression Denial of Service in ms", + "details": "Versions of `ms` prior to 0.7.1 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.\n\n## Proof of Concept\n```javascript\nvar ms = require('ms');\nvar genstr = function (len, chr) {\n var result = \"\";\n for (i=0; i<=len; i++) {\n result = result + chr;\n }\n\n return result;\n}\n\nms(genstr(process.argv[2], \"5\") + \" minutea\");\n\n```\n\n### Results\nShowing increase in execution time based on the input string.\n```\n$ time node ms.js 10000\n\nreal\t0m0.758s\nuser\t0m0.724s\nsys\t0m0.031s\n\n$ time node ms.js 20000\n\nreal\t0m2.580s\nuser\t0m2.494s\nsys\t0m0.047s\n\n$ time node ms.js 30000\n\nreal\t0m5.747s\nuser\t0m5.483s\nsys\t0m0.080s\n\n$ time node ms.js 80000\n\nreal\t0m41.022s\nuser\t0m38.894s\nsys\t0m0.529s\n```\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "ms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.7.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8315" + }, + { + "type": "PACKAGE", + "url": "https://github.com/unshiftio/millisecond/" + }, + { + "type": "WEB", + "url": "https://support.f5.com/csp/article/K46337613?utm_source=f5support&utm_medium=RSS" + }, + { + "type": "WEB", + "url": "https://www.npmjs.com/advisories/46" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2016/04/20/11" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/96389" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + 
], + "severity": "HIGH", + "github_reviewed": true + } +} \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/github_osv/github_osv_test_2.json b/vulnerabilities/tests/test_data/github_osv/github_osv_test_2.json new file mode 100644 index 000000000..fef8553f2 --- /dev/null +++ b/vulnerabilities/tests/test_data/github_osv/github_osv_test_2.json @@ -0,0 +1,63 @@ +{ + "schema_version": "1.3.0", + "id": "GHSA-3qr6-qrqm-8v86", + "modified": "2022-03-30T20:02:35Z", + "published": "2022-03-23T00:00:23Z", + "aliases": [ + "CVE-2022-1036" + ], + "summary": "Integer Overflow or Wraparound in Microweber", + "details": "In Microweber prior to 1.2.12, a user can create an account with a password thousands of characters in length, leading to memory corruption/integer overflow. Version 1.2.2 sets maximum password length at 500 characters.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "microweber/microweber" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.12" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1036" + }, + { + "type": "WEB", + "url": "https://github.com/microweber/microweber/commit/82be4f0b4729be870ccefdae99a04833f134aa6a" + }, + { + "type": "PACKAGE", + "url": "https://github.com/microweber/microweber" + }, + { + "type": "WEB", + "url": "https://huntr.dev/bounties/db615581-d5a9-4ca5-a3e9-7a39eceaa424" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-190" + ], + "severity": "HIGH", + "github_reviewed": true + } +} \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/github_osv/github_osv_test_3.json b/vulnerabilities/tests/test_data/github_osv/github_osv_test_3.json new file mode 100644 index 000000000..f8a3f0f44 --- /dev/null 
+++ b/vulnerabilities/tests/test_data/github_osv/github_osv_test_3.json 
@@ -0,0 +1,136 @@ +{ + "schema_version": "1.3.0", + "id": "GHSA-29qj-rvv6-qrmv", + "modified": "2021-06-01T20:09:20Z", + "published": "2021-06-15T16:05:22Z", + "aliases": [ + "CVE-2020-10688" + ], + "summary": "Cross-site scripting in RESTEasy", + "details": "A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.jboss.resteasy:resteasy-bom" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.11.1.Final" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.11.0.Final" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.jboss.resteasy:resteasy-bom" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.5.3.Final" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 4.5.2.Final" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.jboss.resteasy:resteasy-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.11.1.Final" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 3.11.0.Final" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.jboss.resteasy:resteasy-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.5.3.Final" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 4.5.2.Final" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2020-10688" + }, + { + "type": "WEB", + "url": "https://github.com/quarkusio/quarkus/issues/7248" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1814974" + }, + { + "type": "WEB", + "url": "https://issues.redhat.com/browse/RESTEASY-2519" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20210706-0008/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true + } +} \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/github_osv/github_osv_test_4.json b/vulnerabilities/tests/test_data/github_osv/github_osv_test_4.json new file mode 100644 index 000000000..9ce660a2b --- /dev/null +++ b/vulnerabilities/tests/test_data/github_osv/github_osv_test_4.json 
@@ -0,0 +1,119 @@ +{ + "schema_version": "1.3.0", + "id": "GHSA-24fg-p96v-hxh8", + "modified": "2020-06-16T20:51:22Z", + "published": "2017-10-24T18:33:38Z", + "aliases": [ + "CVE-2011-0447" + ], + "summary": "Moderate severity vulnerability that affects rails", + "details": "Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage \"combinations of browser plugins and HTTP redirects,\" a related issue to CVE-2011-0696.", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "rails" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.1.0" + }, + { + "fixed": "2.3.11" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "RubyGems", + "name": "rails" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.0.4" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-0447" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-24fg-p96v-hxh8" + }, + { + "type": "WEB", + "url": "http://groups.google.com/group/rubyonrails-security/msg/c22ea1668c0d181c?dmode=source&output=gplain" + }, + { + "type": "WEB", + "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html" + }, + { + "type": "WEB", + "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html" + }, + { + "type": "WEB", + "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html" + }, + { + "type": "WEB", + "url": "http://secunia.com/advisories/43274" + }, + { + "type": "WEB", + "url": "http://secunia.com/advisories/43666" + }, + { + "type": "WEB", + "url": 
"http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails" + }, + { + "type": "WEB", + "url": "http://www.debian.org/security/2011/dsa-2247" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/46291" + }, + { + "type": "WEB", + "url": "http://www.securitytracker.com/id?1025060" + }, + { + "type": "WEB", + "url": "http://www.vupen.com/english/advisories/2011/0587" + }, + { + "type": "WEB", + "url": "http://www.vupen.com/english/advisories/2011/0877" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "MODERATE", + "github_reviewed": true + } +} \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/github_osv/github_osv_test_5.json b/vulnerabilities/tests/test_data/github_osv/github_osv_test_5.json new file mode 100644 index 000000000..f4e715047 --- /dev/null +++ b/vulnerabilities/tests/test_data/github_osv/github_osv_test_5.json 
@@ -0,0 +1,146 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-qc2g-gmh6-95p4", + "modified": "2023-07-05T22:46:57Z", + "published": "2023-07-03T21:30:57Z", + "aliases": [ + "CVE-2023-2727" + ], + "summary": "kube-apiserver vulnerable to policy bypass", + "details": "Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "k8s.io/kubernetes" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.27.0" + }, + { + "fixed": "1.27.3" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "k8s.io/kubernetes" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.26.0" + }, + { + "fixed": "1.26.6" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "k8s.io/kubernetes" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.25.0" + }, + { + "fixed": "1.25.11" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "k8s.io/kubernetes" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.24.15" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2727" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/issues/118640" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/118356" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/118471" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/118473" + }, + { + "type": "WEB", + "url": 
"https://github.com/kubernetes/kubernetes/pull/118474" + }, + { + "type": "WEB", + "url": "https://github.com/kubernetes/kubernetes/pull/118512" + }, + { + "type": "PACKAGE", + "url": "https://github.com/kubernetes/kubernetes" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2023/07/06/2" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-20" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2023-07-05T22:46:57Z", + "nvd_published_at": "2023-07-03T21:15:09Z" + } +} \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/github_osv/github_osv_test_6.json b/vulnerabilities/tests/test_data/github_osv/github_osv_test_6.json new file mode 100644 index 000000000..f9e97c05f --- /dev/null +++ b/vulnerabilities/tests/test_data/github_osv/github_osv_test_6.json 
@@ -0,0 +1,73 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-pffg-92cg-xf5c", + "modified": "2023-11-08T18:36:33Z", + "published": "2023-10-05T20:57:20Z", + "aliases": [ + + ], + "summary": "gnark-crypto's exponentiation in the pairing target group GT using GLV can give incorrect results", + "details": "### Impact\nWhen the exponent is bigger than `r`, the group order of the pairing target group `GT`, the exponentiation à la GLV (`ExpGLV`) can *sometimes* give incorrect results compared to normal exponentiation (`Exp`). \n\nThe issue impacts all users using `ExpGLV` for exponentiations in `GT`. This does not impact `Exp` and `ExpCyclotomic` which are sound. Also note that GLV methods in G1 and G2 are sound and _not_ impacted.\n\n### Patches\nFix has been implemented in pull request https://github.com/Consensys/gnark-crypto/pull/451 and merged in commit https://github.com/Consensys/gnark-crypto/commit/ec6be1a037f7c496d595c541a8a8d31c47bcfa3d to master branch.\n\nThe fix increased the bounds of the sub-scalars by 1. In fact, since https://github.com/Consensys/gnark-crypto/pull/213, we use a fast scalar decomposition that tradeoffs divisions (needed in the Babai rounding) by right-shifts. We precompute `b=2^m*v/d (m > log2(d))` and then at runtime compute `scalar*b/2^m` (`v` is a lattice vector and `d` the lattice determinant). This increases the bounds on sub-scalars by 1 which we check at runtime before increasing the loop size (we don't target constant-timeness). `m` is chosen to be a machine word twice big than `log2(d)` so that we rarely need to increase the loop size. Hence why the issue happens only *sometimes* if we omit to increase the bounds. This bounds increase was implemented in G1 and G2 but forgot in GT.\n\n### Workarounds\nUpdating to `v0.12.1+`. Alternatively, use `Exp` or `ExpCyclotomic` instead. 
We are not aware of any users using `ExpGLV` anyway.\n\n### References\n- Fix PR: https://github.com/Consensys/gnark-crypto/pull/451 \n- Fast scalar decomposition PR: https://github.com/Consensys/gnark-crypto/pull/213\n- https://eprint.iacr.org/2015/565 Sec.4.2\n\n### Acknowledgement\nThe vulnerability was reported by [Antonio Sanso](https://github.com/asanso) @ [EF](https://crypto.ethereum.org/).\n", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/consensys/gnark-crypto" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.12.1" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.12.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/Consensys/gnark-crypto/security/advisories/GHSA-pffg-92cg-xf5c" + }, + { + "type": "WEB", + "url": "https://github.com/Consensys/gnark-crypto/pull/213" + }, + { + "type": "WEB", + "url": "https://github.com/Consensys/gnark-crypto/pull/451" + }, + { + "type": "WEB", + "url": "https://github.com/Consensys/gnark-crypto/commit/ec6be1a037f7c496d595c541a8a8d31c47bcfa3d" + }, + { + "type": "WEB", + "url": "https://eprint.iacr.org/2015/565" + }, + { + "type": "PACKAGE", + "url": "https://github.com/Consensys/gnark-crypto" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "LOW", + "github_reviewed": true, + "github_reviewed_at": "2023-10-05T20:57:20Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/github_osv/github_osv_test_7.json b/vulnerabilities/tests/test_data/github_osv/github_osv_test_7.json new file mode 100644 index 000000000..b7bac4bf0 --- /dev/null +++ b/vulnerabilities/tests/test_data/github_osv/github_osv_test_7.json 
@@ -0,0 +1,178 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-h7jm-g87p-5935", + "modified": "2023-09-12T20:05:18Z", + "published": "2023-09-12T20:05:18Z", + "aliases": [ + "CVE-2023-36796" + ], + "summary": "Microsoft Security Advisory CVE-2023-36796: .NET Remote Code Execution Vulnerability", + "details": "# Microsoft Security Advisory CVE-2023-36796: .NET Remote Code Execution Vulnerability\n\n## Executive summary\n\nMicrosoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.\n\nA vulnerability exists in Microsoft.DiaSymReader.Native.amd64.dll when reading a corrupted PDB file which may lead to remote code execution. This issue only affects Windows systems.\n\n**Note:** The vulnerabilities [CVE-2023-36792]( https://www.cve.org/CVERecord?id=CVE-2023-36792), [CVE-2023-36793]( https://www.cve.org/CVERecord?id=CVE-2023-36793), [CVE-2023-36792]( https://www.cve.org/CVERecord?id=CVE-2023-36794), [CVE-2023-36796]( https://www.cve.org/CVERecord?id=CVE-2023-36796) are all resolved by a single patch. 
Get [affected software](#affected-software) to resolve all of them.\n\n## Discussion\n\nDiscussion for this issue can be found at https://github.com/dotnet/runtime/issues/91948\n\n### Mitigation factors\n\nMicrosoft has not identified any mitigating factors for this vulnerability.\n\n## Affected software\n\n* Any .NET 7.0 application running on .NET 7.0.10 or earlier.\n* Any .NET 6.0 application running on .NET 6.0.21 or earlier.\n\nIf your application uses the following package versions, ensure you update to the latest version of .NET.\n\n### .NET 7\n\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[Microsoft.NETCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.NETCore.App.Runtime.win-arm64) | >= 7.0.0, <= 7.0.10 | 7.0.11\n[Microsoft.NETCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.NETCore.App.Runtime.win-x64) | >= 7.0.0, <= 7.0.10 | 7.0.11\n[Microsoft.NETCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.NETCore.App.Runtime.win-x86) | >= 7.0.0, <= 7.0.10 | 7.0.11\n\n### .NET 6\n\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[Microsoft.NETCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.NETCore.App.Runtime.win-arm64) | >= 6.0.0, <= 6.0.21 | 6.0.22\n[Microsoft.NETCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.NETCore.App.Runtime.win-x64) | >= 6.0.0, <= 6.0.21 | 6.0.22\n[Microsoft.NETCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.NETCore.App.Runtime.win-x86) | >= 6.0.0, <= 6.0.21 | 6.0.22\n\n\n## Advisory FAQ\n\n### How do I know if I am affected?\n\nIf you have a runtime or SDK with a version listed, or an affected package listed in [affected software](#affected-software), you're exposed to the vulnerability.\n\n### How do I fix the issue?\n\n* To fix the issue please install the latest version of .NET 6.0 or .NET 7.0. 
If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.\n* If you are using one of the affected packages, please update to the patched version listed above.\n* If you have .NET 6.0 or greater installed, you can list the versions you have installed by running the `dotnet --info` command. You will see output like the following;\n\n```\n.NET Core SDK (reflecting any global.json):\n\n Version: 6.0.300\n Commit: 8473146e7d\n\nRuntime Environment:\n\n OS Name: Windows\n OS Version: 10.0.18363\n OS Platform: Windows\n RID: win10-x64\n Base Path: C:\\Program Files\\dotnet\\sdk\\6.0.300\\\n\nHost (useful for support):\n\n Version: 6.0.5\n Commit: 8473146e7d\n\n.NET Core SDKs installed:\n\n 6.0.300 [C:\\Program Files\\dotnet\\sdk]\n\n.NET Core runtimes installed:\n\n Microsoft.AspNetCore.App 6.0.5 [C:\\Program Files\\dotnet\\shared\\Microsoft.AspNetCore.App]\n Microsoft.NETCore.App 6.0.5 [C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App]\n Microsoft.WindowsDesktop.App 6.0.5 [C:\\Program Files\\dotnet\\shared\\Microsoft.WindowsDesktop.App]\n\nTo install additional .NET Core runtimes or SDKs:\n https://aka.ms/dotnet-download\n```\n\n* If you're using .NET 7.0, you should download and install Runtime 7.0.11 or SDK 7.0.111 (for Visual Studio 2022 v17.4) from https://dotnet.microsoft.com/download/dotnet-core/7.0.\n* If you're using .NET 6.0, you should download and install Runtime 6.0.22 or SDK 6.0.317 (for Visual Studio 2022 v17.2) from https://dotnet.microsoft.com/download/dotnet-core/6.0.\n\n.NET 6.0 and and .NET 7.0 updates are also available from Microsoft Update. 
To access this either type \"Check for updates\" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.\n\nOnce you have installed the updated runtime or SDK, restart your apps for the update to take effect.\n\nAdditionally, if you've deployed [self-contained applications](https://docs.microsoft.com/dotnet/core/deploying/#self-contained-deployments-scd) targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.\n\n## Other Information\n\n### Reporting Security Issues\n\nIf you have found a potential security issue in .NET 6.0 or .NET 7.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at .\n\n### Support\n\nYou can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.\n\n### Disclaimer\n\nThe information provided in this advisory is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. 
Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\n\n### External Links\n\n[CVE-2023-36796]( https://www.cve.org/CVERecord?id=CVE-2023-36796)\n\n### Revisions\n\nV1.0 (September 12, 2023): Advisory published.\n\n_Version 1.0_\n\n_Last Updated 2023-09-12_", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "NuGet", + "name": "Microsoft.NETCore.App.Runtime.win-arm64" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.0.11" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 7.0.10" + } + }, + { + "package": { + "ecosystem": "NuGet", + "name": "Microsoft.NETCore.App.Runtime.win-arm64" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.0.0" + }, + { + "fixed": "6.0.22" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 6.0.21" + } + }, + { + "package": { + "ecosystem": "NuGet", + "name": "Microsoft.NETCore.App.Runtime.win-x64" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.0.11" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 7.0.10" + } + }, + { + "package": { + "ecosystem": "NuGet", + "name": "Microsoft.NETCore.App.Runtime.win-x64" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.0.0" + }, + { + "fixed": "6.0.22" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 6.0.21" + } + }, + { + "package": { + "ecosystem": "NuGet", + "name": "Microsoft.NETCore.App.Runtime.win-x86" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.0.0" + }, + { + "fixed": "6.0.22" + } + ] + } + ], + "database_specific": { + 
"last_known_affected_version_range": "<= 6.0.21"
+ }
+ },
+ {
+ "package": {
+ "ecosystem": "NuGet",
+ "name": "Microsoft.NETCore.App.Runtime.win-x86"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "7.0.0"
+ },
+ {
+ "fixed": "7.0.11"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 7.0.10"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/dotnet/runtime/security/advisories/GHSA-h7jm-g87p-5935"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36796"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/dotnet/runtime"
+ },
+ {
+ "type": "WEB",
+ "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36796"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2023-09-12T20:05:18Z",
+ "nvd_published_at": "2023-09-12T17:15:15Z"
+ }
+}
\ No newline at end of file
diff --git a/vulnerabilities/tests/test_data/pypa/pypa-expected.json b/vulnerabilities/tests/test_data/pypa/pypa-expected.json
index bf49770a5..1a907bd05 100644
--- a/vulnerabilities/tests/test_data/pypa/pypa-expected.json
+++ b/vulnerabilities/tests/test_data/pypa/pypa-expected.json
@@ -67,5 +67,5 @@
 ],
 "date_published": "2022-01-05T00:15:00+00:00",
 "weaknesses": [],
- "url": "https://github.com/pypa/advisory-database"
+ "url": "https://github.com/pypa/advisory-database/blob/main/vulns/pypa-expected.json"
 }
\ No newline at end of file
diff --git a/vulnerabilities/tests/test_github_osv.py b/vulnerabilities/tests/test_github_osv.py
new file mode 100644
index 000000000..559ba8d15
--- /dev/null
+++ b/vulnerabilities/tests/test_github_osv.py
@@ -0,0 +1,113 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/nexB/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+import json
+import os
+from unittest import TestCase
+
+from vulnerabilities.importers.osv import parse_advisory_data
+from vulnerabilities.tests import util_tests
+
+BASE_DIR = os.path.dirname(os.path.abspath(__file__))
+TEST_DATA = os.path.join(BASE_DIR, "test_data/github_osv")
+
+
+class GithubOSVImporter(TestCase):
+    def test_github_osv_importer1(self):
+        with open(os.path.join(TEST_DATA, "github_osv_test_1.json")) as f:
+            mock_response = json.load(f)
+        expected_file = os.path.join(TEST_DATA, "github_osv_expected_1.json")
+        imported_data = parse_advisory_data(
+            mock_response,
+            supported_ecosystems=["npm"],
+            advisory_url="https://github.com/github/advisory-database"
+            "/blob/main/advisories/github-reviewed/github_osv_test_1.json",
+        )
+        result = imported_data.to_dict()
+        util_tests.check_results_against_json(result, expected_file)
+
+    def test_github_osv_importer2(self):
+        with open(os.path.join(TEST_DATA, "github_osv_test_2.json")) as f:
+            mock_response = json.load(f)
+        expected_file = os.path.join(TEST_DATA, "github_osv_expected_2.json")
+        # if supported_ecosystems = [] : the expected affected_packages = []
+        imported_data = parse_advisory_data(
+            mock_response,
+            supported_ecosystems=[],
+            advisory_url="https://github.com/github/advisory-database"
+            "/blob/main/advisories/github-reviewed/github_osv_test_2.json",
+        )
+        result = imported_data.to_dict()
+        util_tests.check_results_against_json(result, expected_file)
+
+    def test_github_osv_importer3(self):
+        with open(os.path.join(TEST_DATA, "github_osv_test_3.json")) as f:
+            mock_response = json.load(f)
+        expected_file = 
os.path.join(TEST_DATA, "github_osv_expected_3.json")
+        imported_data = parse_advisory_data(
+            mock_response,
+            supported_ecosystems=["maven"],
+            advisory_url="https://github.com/github/advisory-database"
+            "/blob/main/advisories/github-reviewed/github_osv_test_3.json",
+        )
+        result = imported_data.to_dict()
+        util_tests.check_results_against_json(result, expected_file)
+
+    def test_github_osv_importer4(self):
+        with open(os.path.join(TEST_DATA, "github_osv_test_4.json")) as f:
+            mock_response = json.load(f)
+        expected_file = os.path.join(TEST_DATA, "github_osv_expected_4.json")
+        imported_data = parse_advisory_data(
+            mock_response,
+            supported_ecosystems=["gem"],
+            advisory_url="https://github.com/github/advisory-database"
+            "/blob/main/advisories/github-reviewed/github_osv_test_4.json",
+        )
+        result = imported_data.to_dict()
+        util_tests.check_results_against_json(result, expected_file)
+
+    def test_github_osv_importer5(self):
+        # test golang
+        with open(os.path.join(TEST_DATA, "github_osv_test_5.json")) as f:
+            mock_response = json.load(f)
+        expected_file = os.path.join(TEST_DATA, "github_osv_expected_5.json")
+        imported_data = parse_advisory_data(
+            mock_response,
+            supported_ecosystems=["golang"],
+            advisory_url="https://github.com/github/advisory-database"
+            "/blob/main/advisories/github-reviewed/github_osv_test_5.json",
+        )
+        result = imported_data.to_dict()
+        util_tests.check_results_against_json(result, expected_file)
+
+    def test_github_osv_importer6(self):
+        # test golang
+        with open(os.path.join(TEST_DATA, "github_osv_test_6.json")) as f:
+            mock_response = json.load(f)
+        expected_file = os.path.join(TEST_DATA, "github_osv_expected_6.json")
+        imported_data = parse_advisory_data(
+            mock_response,
+            supported_ecosystems=["golang"],
+            advisory_url="https://github.com/github/advisory-database"
+            "/blob/main/advisories/github-reviewed/github_osv_test_6.json",
+        )
+        result = imported_data.to_dict()
+        util_tests.check_results_against_json(result, 
expected_file)
+
+    def test_github_osv_importer7(self):
+        with open(os.path.join(TEST_DATA, "github_osv_test_7.json")) as f:
+            mock_response = json.load(f)
+        expected_file = os.path.join(TEST_DATA, "github_osv_expected_7.json")
+        imported_data = parse_advisory_data(
+            mock_response,
+            supported_ecosystems=["nuget"],
+            advisory_url="https://github.com/github/advisory-database"
+            "/blob/main/advisories/github-reviewed/github_osv_test_7.json",
+        )
+        result = imported_data.to_dict()
+        util_tests.check_results_against_json(result, expected_file)
diff --git a/vulnerabilities/tests/test_osv.py b/vulnerabilities/tests/test_osv.py
index 3ca50cebf..5779d0589 100644
--- a/vulnerabilities/tests/test_osv.py
+++ b/vulnerabilities/tests/test_osv.py
@@ -13,6 +13,7 @@
 from univers.version_constraint import VersionConstraint
 from univers.version_range import PypiVersionRange
 from univers.versions import PypiVersion
+from univers.versions import SemverVersion
 from vulnerabilities.importer import Reference
 from vulnerabilities.importer import VulnerabilitySeverity
@@ -353,12 +354,18 @@ def test_get_affected_version_range(self):
         assert results == expected
     def test_get_fixed_versions1(self):
-        assert get_fixed_versions(fixed_range={}, raw_id="GHSA-j3f7-7rmc-6wqj") == []
+        assert (
+            get_fixed_versions(
+                fixed_range={}, raw_id="GHSA-j3f7-7rmc-6wqj", supported_ecosystem="pypi"
+            )
+            == []
+        )
     def test_get_fixed_versions2(self):
         results = get_fixed_versions(
             fixed_range={"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.7.0"}]},
             raw_id="GHSA-j3f7-7rmc-6wqj",
+            supported_ecosystem="pypi",
         )
         assert results == [PypiVersion("1.7.0")]
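Review bot: The seven test methods in test_github_osv.py are the same eight lines repeated with only the fixture index and the ecosystem list changed, and each opens its fixture with `open(...)` and no `encoding=`, so decoding depends on the platform default even though at least one JSON fixture added by this commit carries non-ASCII text (the "à la GLV" advisory). A private helper taking the index and the ecosystem list, sketched below, removes the duplication and fixes the encoding in one place. The `# test golang` comment on importer5 and importer6 does not say how the two golang cases differ; a comment naming the distinguishing feature of each fixture would help the next reader. The `advisory_url` strings are shaped like github/advisory-database paths but name the local fixture files, which deserves a one-line comment such as `# advisory_url is a constructed fixture path, not a real advisory URL` so they are not mistaken for upstream locations.
```python
class GithubOSVImporter(TestCase):
    def _check_advisory(self, index, supported_ecosystems):
        """Parse github_osv_test_<index>.json and compare with github_osv_expected_<index>.json."""
        test_file = os.path.join(TEST_DATA, f"github_osv_test_{index}.json")
        with open(test_file, encoding="utf-8") as f:
            mock_response = json.load(f)
        expected_file = os.path.join(TEST_DATA, f"github_osv_expected_{index}.json")
        imported_data = parse_advisory_data(
            mock_response,
            supported_ecosystems=supported_ecosystems,
            # constructed fixture path, not a real advisory URL
            advisory_url="https://github.com/github/advisory-database"
            f"/blob/main/advisories/github-reviewed/github_osv_test_{index}.json",
        )
        util_tests.check_results_against_json(imported_data.to_dict(), expected_file)

    def test_github_osv_importer1(self):
        self._check_advisory(1, ["npm"])

    # … unchanged pattern for importers 2..7: [], ["maven"], ["gem"], ["golang"], ["golang"], ["nuget"] …
```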
@@ -374,6 +381,19 @@ def test_get_fixed_versions3(self):
                 ],
             },
             raw_id="GHSA-j3f7-7rmc-6wqj",
+            supported_ecosystem="pypi",
         )
         assert results == [PypiVersion("9.0.0"), PypiVersion("9.0.1")]
+
+    def test_get_fixed_versions4(self):
+        results = get_fixed_versions(
+            fixed_range={
+                "type": "ECOSYSTEM",
+                "events": [{"introduced": "0"}, {"fixed": "6.5.4"}],
+            },
+            raw_id="GHSA-r9p9-mrjm-926w",
+            supported_ecosystem="npm",
+        )
+
+        assert results == [SemverVersion("6.5.4")]
diff --git a/vulnerabilities/tests/test_pypa.py b/vulnerabilities/tests/test_pypa.py
index ffd648fac..1a59260e6 100644
--- a/vulnerabilities/tests/test_pypa.py
+++ b/vulnerabilities/tests/test_pypa.py
@@ -22,9 +22,11 @@ class TestPyPaImporter(TestCase):
     def test_to_advisories_with_summary(self):
         with open(os.path.join(TEST_DATA, "pypa_test.yaml")) as f:
             mock_response = saneyaml.load(f)
-        expected_file = os.path.join(TEST_DATA, f"pypa-expected.json")
+        expected_file = os.path.join(TEST_DATA, "pypa-expected.json")
         imported_data = parse_advisory_data(
-            mock_response, "pypi", "https://github.com/pypa/advisory-database"
+            mock_response,
+            ["pypi"],
+            "https://github.com/pypa/advisory-database/blob/main/vulns/pypa-expected.json",
         )
         result = imported_data.to_dict()
         util_tests.check_results_against_json(result, expected_file)
diff --git a/vulnerabilities/tests/test_pysec.py b/vulnerabilities/tests/test_pysec.py
index f12a6e417..dcba3a776 100644
--- a/vulnerabilities/tests/test_pysec.py
+++ b/vulnerabilities/tests/test_pysec.py
@@ -22,7 +22,7 @@ class TestPyPIImporter(TestCase):
     def test_to_advisories_with_summary(self):
         with open(os.path.join(TEST_DATA, "pysec-advisories_with_summary.json")) as f:
             mock_response = json.load(f)
-        results = parse_advisory_data(mock_response, "pypi", "https://test.com").to_dict()
+        results = parse_advisory_data(mock_response, ["pypi"], "https://test.com").to_dict()
         expected_file = os.path.join(TEST_DATA, "pysec-advisories_with_summary-expected.json")
         check_results_against_json(
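Review bot: test_get_fixed_versions4 pins only the happy path for `npm`, and none of the four `get_fixed_versions` tests pass an ecosystem the new `supported_ecosystem` parameter does not know, so what the function does for an unknown ecosystem (empty list, skipped entry, or an exception) is left unasserted by this commit; the osv.py change that decides this is outside the chunk. A companion test using a constructed value such as `supported_ecosystem="not-an-ecosystem"` and asserting whichever outcome the implementation intends would document that contract and guard the ecosystem mapping against silent fallthrough. The blank line between the `get_fixed_versions(` call and the `assert` in test_get_fixed_versions4 is also inconsistent with the three sibling tests, which place the assert directly after the call.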
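Review bot: The new third argument in test_to_advisories_with_summary, `"https://github.com/pypa/advisory-database/blob/main/vulns/pypa-expected.json"`, is named after the expected-output fixture rather than the parsed input `pypa_test.yaml` or an advisory id, so the URL the advisory is tagged with does not correspond to what is parsed; the same string is baked into the pypa-expected.json fixture in this commit, so any correction has to touch both. The arguments are also passed positionally where the same call in the new test_github_osv.py spells out `supported_ecosystems=` and `advisory_url=`; using the keywords here, `supported_ecosystems=["pypi"],` and `advisory_url="…",`, would make the string-to-list change this commit introduces self-explanatory to a reader of the test alone.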
@@ -35,7 +35,7 @@ def test_to_advisories_without_summary(self):
         with open(os.path.join(TEST_DATA, "pysec-advisories_without_summary.json")) as f:
             mock_response = json.load(f)
-        results = parse_advisory_data(mock_response, "pypi", "https://test.com").to_dict()
+        results = parse_advisory_data(mock_response, ["pypi"], "https://test.com").to_dict()
         expected_file = os.path.join(TEST_DATA, "pysec-advisories_without_summary-expected.json")
         check_results_against_json(
@@ -49,7 +49,7 @@ def test_to_advisories_with_cwe(self):
             mock_response = json.load(f)
         results = parse_advisory_data(
-            raw_data=mock_response, supported_ecosystem="pypi", advisory_url="https://tes.com"
+            raw_data=mock_response, supported_ecosystems=["pypi"], advisory_url="https://tes.com"
         ).to_dict()
         expected_file = os.path.join(TEST_DATA, "pysec-advisories_with_cwe-expected.json")