Merge branch 'master' into safety_check_nvd_conversion

google · Oct 17, 2024 · fcb002d · fcb002d
2 parents 33f9fd1 + 9363f92
commit fcb002d
Show file tree

Hide file tree

Showing 28 changed files with 2,855 additions and 38 deletions.
diff --git a/deployment/clouddeploy/gke-workers/environments/oss-vdb-test/importer-deleter.yaml b/deployment/clouddeploy/gke-workers/environments/oss-vdb-test/importer-deleter.yaml
@@ -15,5 +15,5 @@ spec:
             image: importer
             args:
               - --delete
-              - --delete_threshold_pct=20
+              - --delete_threshold_pct=2
               - --public_log_bucket=osv-test-public-import-logs
diff --git a/deployment/clouddeploy/gke-workers/environments/oss-vdb/importer-deleter.yaml b/deployment/clouddeploy/gke-workers/environments/oss-vdb/importer-deleter.yaml
@@ -15,5 +15,5 @@ spec:
             image: importer
             args:
               - --delete
-              - --delete_threshold_pct=20
+              - --delete_threshold_pct=2
               - --public_log_bucket=osv-public-import-logs
diff --git a/docs/faq.md b/docs/faq.md
@@ -130,7 +130,7 @@ If you work on a project (like a Linux distribution) and would like to contribut
 1. Version enumeration (for non-SemVer ecosystems where [supporting version enumeration code](https://github.com/google/osv.dev/tree/master/osv/ecosystems) exists)
 2. [Package URL](https://github.com/package-url/purl-spec) [computation](https://github.com/google/osv.dev/blob/a751ceb26522f093edf26c0ad167cfd0967716d9/osv/models.py#L361-L365) (if necessary)
 3. [Git affected commit enumeration and commit to tag mapping](https://github.com/google/osv.dev/blob/a751ceb26522f093edf26c0ad167cfd0967716d9/osv/impact.py#L422)
-4. [Batch](https://github.com/google/osv.dev/blob/master/deployment/clouddeploy/gke-workers/base/alias-computation.yaml) [computation](https://github.com/google/osv.dev/tree/master/docker/alias) of [aliases](https://ossf.github.io/osv-schema/#aliases-field)
+4. Repeat [batch](https://github.com/google/osv.dev/blob/master/deployment/clouddeploy/gke-workers/base/alias-computation.yaml) [computation](https://github.com/google/osv.dev/tree/master/docker/alias) of [aliases](https://ossf.github.io/osv-schema/#aliases-field) (**Note**: any time the `aliases` field changes, the record's [`modified`](https://ossf.github.io/osv-schema/#id-modified-fields) field is updated)
 
 Both version and commit enumeration populate the [`affected.versions[]`](https://ossf.github.io/osv-schema/#affectedversions-field) field, which assists with precise version matching.
 

diff --git a/gcp/api/integration_tests.py b/gcp/api/integration_tests.py
@@ -344,11 +344,13 @@ def test_query_comparing_version(self):
     alsa_2023_7109 = self._get('ALSA-2023:7109')
     alsa_2024_3178 = self._get('ALSA-2024:3178')
     alsa_2024_4262 = self._get('ALSA-2024:4262')
+    alsa_2024_7481 = self._get('ALSA-2024:7481')
 
     expected_vulns = [
         alsa_2023_7109,
         alsa_2024_3178,
         alsa_2024_4262,
+        alsa_2024_7481,
     ]
 
     response = requests.post(

diff --git a/osv/models.py b/osv/models.py
@@ -680,6 +680,8 @@ def to_vulnerability(self, include_source=False, include_alias=True):
 
     details = self.details
 
+    # Note that there is further possible mutation of this field below when
+    # `include_alias` is True
     if self.last_modified:
       modified = timestamp_pb2.Timestamp()
       modified.FromDatetime(self.last_modified)
@@ -735,7 +737,7 @@ def to_vulnerability(self, include_source=False, include_alias=True):
         schema_version=SCHEMA_VERSION,
         id=self.id(),
         published=published,
-        modified=modified,
+        modified=modified,  # Note the two places above where this can be set.
         aliases=aliases,
         related=related,
         withdrawn=withdrawn,

diff --git a/tools/datafix/delete_bugs.py b/tools/datafix/delete_bugs.py
@@ -69,10 +69,6 @@ def main() -> None:
 
   result = list(query.fetch())
 
-  print(f"Retrieved {len(result)} bugs to examine for deletion")
-
-  result = list(query.fetch())
-
   print(f"There are {len(result)} bugs to delete...")
 
   # Chunk the results to delete in acceptibly sized batches for the API.

diff --git a/vulnfeeds/test_data/nvdcve-2.0/CVE-2018-1000500.json b/vulnfeeds/test_data/nvdcve-2.0/CVE-2018-1000500.json
@@ -1 +1,130 @@
-{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2024-03-25T05:17:38.960","vulnerabilities":[{"cve":{"id":"CVE-2018-1000500","sourceIdentifier":"cve@mitre.org","published":"2018-06-26T16:29:00.353","lastModified":"2020-09-24T20:15:12.350","vulnStatus":"Modified","descriptions":[{"lang":"en","value":"Busybox contains a Missing SSL certificate validation vulnerability in The \"busybox wget\" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using \"busybox wget https:\/\/compromised-domain.com\/important-file\"."},{"lang":"es","value":"Busybox contiene una vulnerabilidad de falta de validación de certificados SSL en el applet \"busybox wget\" que puede resultar en la ejecución de código arbitrario. El ataque parece ser explotable mediante la descarga de cualquier archivo por HTTPS mediante \"busybox wget https:\/\/compromised-domain.com\/important-file\"."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N\/AC:M\/Au:N\/C:P\/I:P\/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.8},"baseSeverity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-295"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*","versionEndExcluding":"1.32.0","matchCriteriaId":"8E01D2F2-60BE-4135-B94B-76D34EC75060"}]}]}],"references":[{"url":"http:\/\/lists.busybox.net\/pipermail\/busybox\/2018-May\/086462.html","source":"cve@mitre.org","tags":["Mailing List","Vendor Advisory"]},{"url":"https:\/\/git.busybox.net\/busybox\/commit\/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91","source":"cve@mitre.org","tags":["Patch","Vendor Advisory"]},{"url":"https:\/\/usn.ubuntu.com\/4531-1\/","source":"cve@mitre.org"}]}}]}
+{
+  "resultsPerPage": 1,
+  "startIndex": 0,
+  "totalResults": 1,
+  "format": "NVD_CVE",
+  "version": "2.0",
+  "timestamp": "2024-03-25T05:17:38.960",
+  "vulnerabilities": [
+    {
+      "cve": {
+        "id": "CVE-2018-1000500",
+        "sourceIdentifier": "cve@mitre.org",
+        "published": "2018-06-26T16:29:00.353",
+        "lastModified": "2020-09-24T20:15:12.350",
+        "vulnStatus": "Modified",
+        "descriptions": [
+          {
+            "lang": "en",
+            "value": "Busybox contains a Missing SSL certificate validation vulnerability in The \"busybox wget\" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using \"busybox wget https:\/\/compromised-domain.com\/important-file\"."
+          },
+          {
+            "lang": "es",
+            "value": "Busybox contiene una vulnerabilidad de falta de validación de certificados SSL en el applet \"busybox wget\" que puede resultar en la ejecución de código arbitrario. El ataque parece ser explotable mediante la descarga de cualquier archivo por HTTPS mediante \"busybox wget https:\/\/compromised-domain.com\/important-file\"."
+          }
+        ],
+        "metrics": {
+          "cvssMetricV31": [
+            {
+              "source": "nvd@nist.gov",
+              "type": "Primary",
+              "cvssData": {
+                "version": "3.1",
+                "vectorString": "CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H",
+                "attackVector": "NETWORK",
+                "attackComplexity": "HIGH",
+                "privilegesRequired": "NONE",
+                "userInteraction": "NONE",
+                "scope": "UNCHANGED",
+                "confidentialityImpact": "HIGH",
+                "integrityImpact": "HIGH",
+                "availabilityImpact": "HIGH",
+                "baseScore": 8.1,
+                "baseSeverity": "HIGH"
+              },
+              "exploitabilityScore": 2.2,
+              "impactScore": 5.9
+            }
+          ],
+          "cvssMetricV2": [
+            {
+              "source": "nvd@nist.gov",
+              "type": "Primary",
+              "cvssData": {
+                "version": "2.0",
+                "vectorString": "AV:N\/AC:M\/Au:N\/C:P\/I:P\/A:P",
+                "accessVector": "NETWORK",
+                "accessComplexity": "MEDIUM",
+                "authentication": "NONE",
+                "confidentialityImpact": "PARTIAL",
+                "integrityImpact": "PARTIAL",
+                "availabilityImpact": "PARTIAL",
+                "baseScore": 6.8
+              },
+              "baseSeverity": "MEDIUM",
+              "exploitabilityScore": 8.6,
+              "impactScore": 6.4,
+              "acInsufInfo": false,
+              "obtainAllPrivilege": false,
+              "obtainUserPrivilege": false,
+              "obtainOtherPrivilege": false,
+              "userInteractionRequired": false
+            }
+          ]
+        },
+        "weaknesses": [
+          {
+            "source": "nvd@nist.gov",
+            "type": "Primary",
+            "description": [
+              {
+                "lang": "en",
+                "value": "CWE-295"
+              }
+            ]
+          }
+        ],
+        "configurations": [
+          {
+            "nodes": [
+              {
+                "operator": "OR",
+                "negate": false,
+                "cpeMatch": [
+                  {
+                    "vulnerable": true,
+                    "criteria": "cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*",
+                    "versionEndExcluding": "1.32.0",
+                    "matchCriteriaId": "8E01D2F2-60BE-4135-B94B-76D34EC75060"
+                  }
+                ]
+              }
+            ]
+          }
+        ],
+        "references": [
+          {
+            "url": "http:\/\/lists.busybox.net\/pipermail\/busybox\/2018-May\/086462.html",
+            "source": "cve@mitre.org",
+            "tags": [
+              "Mailing List",
+              "Vendor Advisory"
+            ]
+          },
+          {
+            "url": "https:\/\/git.busybox.net\/busybox\/commit\/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91",
+            "source": "cve@mitre.org",
+            "tags": [
+              "Patch",
+              "Vendor Advisory"
+            ]
+          },
+          {
+            "url": "https:\/\/usn.ubuntu.com\/4531-1\/",
+            "source": "cve@mitre.org"
+          }
+        ]
+      }
+    }
+  ]
+}
diff --git a/vulnfeeds/test_data/nvdcve-2.0/CVE-2020-13595.json b/vulnfeeds/test_data/nvdcve-2.0/CVE-2020-13595.json
@@ -1 +1,144 @@
-{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2023-11-26T23:14:57.970","vulnerabilities":[{"cve":{"id":"CVE-2020-13595","sourceIdentifier":"cve@mitre.org","published":"2020-08-31T15:15:10.680","lastModified":"2020-09-08T21:09:33.517","vulnStatus":"Analyzed","descriptions":[{"lang":"en","value":"The Bluetooth Low Energy (BLE) controller implementation in Espressif ESP-IDF 4.0 through 4.2 (for ESP32 devices) returns the wrong number of completed BLE packets and triggers a reachable assertion on the host stack when receiving a packet with an MIC failure. An attacker within radio range can silently trigger the assertion (which disables the target's BLE stack) by sending a crafted sequence of BLE packets."},{"lang":"es","value":"La implementación del controlador Bluetooth Low Energy (BLE) en Espressif ESP-IDF versiones 4.0 hasta 4.2 (para dispositivos ESP32) devuelve el número errado de paquetes BLE completados y desencadena una aserción alcanzable en la pila del host cuando está recibiendo un paquete con un fallo de MIC. Un atacante dentro del radio de alcance puede desencadenar silenciosamente la aserción (que deshabilita la pila BLE del objetivo) al enviar una secuencia de paquetes BLE diseñada"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1\/AV:A\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:H","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":3.6}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:A\/AC:L\/Au:N\/C:N\/I:N\/A:P","accessVector":"ADJACENT_NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":3.3},"baseSeverity":"LOW","exploitabilityScore":6.5,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-617"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0.0","versionEndIncluding":"4.2","matchCriteriaId":"F8034F36-3371-4111-AE71-573B85934B20"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:espressif:esp32:-:*:*:*:*:*:*:*","matchCriteriaId":"D1024B06-380B-4116-B7F9-A21A03534B0C"}]}]}],"references":[{"url":"https:\/\/asset-group.github.io\/cves.html","source":"cve@mitre.org","tags":["Third Party Advisory"]},{"url":"https:\/\/asset-group.github.io\/disclosures\/sweyntooth\/","source":"cve@mitre.org","tags":["Third Party Advisory"]},{"url":"https:\/\/github.com\/espressif\/esp32-bt-lib","source":"cve@mitre.org","tags":["Third Party Advisory"]}]}}]}
+{
+  "resultsPerPage": 1,
+  "startIndex": 0,
+  "totalResults": 1,
+  "format": "NVD_CVE",
+  "version": "2.0",
+  "timestamp": "2023-11-26T23:14:57.970",
+  "vulnerabilities": [
+    {
+      "cve": {
+        "id": "CVE-2020-13595",
+        "sourceIdentifier": "cve@mitre.org",
+        "published": "2020-08-31T15:15:10.680",
+        "lastModified": "2020-09-08T21:09:33.517",
+        "vulnStatus": "Analyzed",
+        "descriptions": [
+          {
+            "lang": "en",
+            "value": "The Bluetooth Low Energy (BLE) controller implementation in Espressif ESP-IDF 4.0 through 4.2 (for ESP32 devices) returns the wrong number of completed BLE packets and triggers a reachable assertion on the host stack when receiving a packet with an MIC failure. An attacker within radio range can silently trigger the assertion (which disables the target's BLE stack) by sending a crafted sequence of BLE packets."
+          },
+          {
+            "lang": "es",
+            "value": "La implementación del controlador Bluetooth Low Energy (BLE) en Espressif ESP-IDF versiones 4.0 hasta 4.2 (para dispositivos ESP32) devuelve el número errado de paquetes BLE completados y desencadena una aserción alcanzable en la pila del host cuando está recibiendo un paquete con un fallo de MIC. Un atacante dentro del radio de alcance puede desencadenar silenciosamente la aserción (que deshabilita la pila BLE del objetivo) al enviar una secuencia de paquetes BLE diseñada"
+          }
+        ],
+        "metrics": {
+          "cvssMetricV31": [
+            {
+              "source": "nvd@nist.gov",
+              "type": "Primary",
+              "cvssData": {
+                "version": "3.1",
+                "vectorString": "CVSS:3.1\/AV:A\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:H",
+                "attackVector": "ADJACENT_NETWORK",
+                "attackComplexity": "LOW",
+                "privilegesRequired": "NONE",
+                "userInteraction": "NONE",
+                "scope": "UNCHANGED",
+                "confidentialityImpact": "NONE",
+                "integrityImpact": "NONE",
+                "availabilityImpact": "HIGH",
+                "baseScore": 6.5,
+                "baseSeverity": "MEDIUM"
+              },
+              "exploitabilityScore": 2.8,
+              "impactScore": 3.6
+            }
+          ],
+          "cvssMetricV2": [
+            {
+              "source": "nvd@nist.gov",
+              "type": "Primary",
+              "cvssData": {
+                "version": "2.0",
+                "vectorString": "AV:A\/AC:L\/Au:N\/C:N\/I:N\/A:P",
+                "accessVector": "ADJACENT_NETWORK",
+                "accessComplexity": "LOW",
+                "authentication": "NONE",
+                "confidentialityImpact": "NONE",
+                "integrityImpact": "NONE",
+                "availabilityImpact": "PARTIAL",
+                "baseScore": 3.3
+              },
+              "baseSeverity": "LOW",
+              "exploitabilityScore": 6.5,
+              "impactScore": 2.9,
+              "acInsufInfo": false,
+              "obtainAllPrivilege": false,
+              "obtainUserPrivilege": false,
+              "obtainOtherPrivilege": false,
+              "userInteractionRequired": false
+            }
+          ]
+        },
+        "weaknesses": [
+          {
+            "source": "nvd@nist.gov",
+            "type": "Primary",
+            "description": [
+              {
+                "lang": "en",
+                "value": "CWE-617"
+              }
+            ]
+          }
+        ],
+        "configurations": [
+          {
+            "operator": "AND",
+            "nodes": [
+              {
+                "operator": "OR",
+                "negate": false,
+                "cpeMatch": [
+                  {
+                    "vulnerable": true,
+                    "criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*",
+                    "versionStartIncluding": "4.0.0",
+                    "versionEndIncluding": "4.2",
+                    "matchCriteriaId": "F8034F36-3371-4111-AE71-573B85934B20"
+                  }
+                ]
+              },
+              {
+                "operator": "OR",
+                "negate": false,
+                "cpeMatch": [
+                  {
+                    "vulnerable": false,
+                    "criteria": "cpe:2.3:h:espressif:esp32:-:*:*:*:*:*:*:*",
+                    "matchCriteriaId": "D1024B06-380B-4116-B7F9-A21A03534B0C"
+                  }
+                ]
+              }
+            ]
+          }
+        ],
+        "references": [
+          {
+            "url": "https:\/\/asset-group.github.io\/cves.html",
+            "source": "cve@mitre.org",
+            "tags": [
+              "Third Party Advisory"
+            ]
+          },
+          {
+            "url": "https:\/\/asset-group.github.io\/disclosures\/sweyntooth\/",
+            "source": "cve@mitre.org",
+            "tags": [
+              "Third Party Advisory"
+            ]
+          },
+          {
+            "url": "https:\/\/github.com\/espressif\/esp32-bt-lib",
+            "source": "cve@mitre.org",
+            "tags": [
+              "Third Party Advisory"
+            ]
+          }
+        ]
+      }
+    }
+  ]
+}