There was a mass withdrawal event on Oct 2, almost all recent vulnerabilities in GIT are incorrectly withdrawn #2704

Closed
timothee-chauvin opened this issue Oct 4, 2024 · 3 comments
Labels: bug (Something isn't working), priority

Comments

@timothee-chauvin

On Oct 2 (two days after the blog post on data quality, which might be related), many vulnerabilities in the GIT ecosystem became incorrectly marked as withdrawn. I count 1,736 vulnerabilities that were marked as withdrawn on 2024-10-02, and only 19 vulnerabilities out of 1,612 since 2024-03-01 are not marked as withdrawn.

Steps to reproduce:

$ cd /tmp
$ wget https://osv-vulnerabilities.storage.googleapis.com/GIT/all.zip
$ unzip all.zip -d GIT
$ cd GIT
$ grep -r '"withdrawn": "2024-10-02' | wc -l
1736
$ # By the way, there was another mass withdrawal event on 2024-05-15, but I haven't looked into it:
$ grep -r '"withdrawn": "2024-05-15' | wc -l
1818

A random example of a vulnerability marked as withdrawn in OSV but not in e.g. cvelistV5: CVE-2024-46978.

$ grep "withdrawn" CVE-2024-46978.json
  "withdrawn": "2024-10-02T01:21:06.482138Z",

The corresponding file on cvelistV5 hasn't been updated since September 20 and isn't marked as withdrawn.

This might be an issue with an upstream provider of data, but I don't know which one it is for GIT, so I'm reporting here.

The only 19 vulnerabilities since March 1st which aren't marked as withdrawn are: ['CURL-CVE-2024-7264', 'CURL-CVE-2024-2466', 'PSF-2024-10', 'CURL-CVE-2024-2379', 'PSF-2024-9', 'PSF-2024-11', 'PSF-2024-8', 'CURL-CVE-2024-8096', 'CURL-CVE-2024-6197', 'PSF-2024-4', 'PSF-2024-2', 'PSF-2024-7', 'CURL-CVE-2024-6874', 'CURL-CVE-2024-2004', 'CURL-CVE-2024-2398', 'PSF-2024-1', 'PSF-2024-3', 'PSF-2024-6', 'PSF-2024-5'] (no mention of CVE-*)

Personally, I won't be able to update the eyeballvul benchmark until this is fixed, since almost all recent vulnerabilities are now marked as withdrawn.

Do you know where this could be coming from?
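
The reproduction above counts withdrawals stamped on one day with grep, and the report then compares that against how many records published since 2024-03-01 are still live. The script below, an added example rather than OSV's own tooling, does both counts over OSV JSON records and adds a threshold check a downstream consumer can run on a fresh download before ingesting it: a single day carrying a large share of the whole bucket's withdrawals is treated as a pipeline problem. SAMPLE_RECORDS is a constructed OSV-shaped data set with placeholder EXAMPLE-* ids (the timestamps and ids are assumptions, not real records); load_osv_dir() reads a directory such as the unzipped GIT/all.zip instead.

```python
"""Count withdrawals per day in a local OSV ecosystem bucket and flag mass events.

Added example, not OSV's own tooling. SAMPLE_RECORDS is constructed (placeholder
EXAMPLE-* ids, assumed dates); load_osv_dir() reads real OSV records instead.
"""
import json
import sys
from collections import Counter
from pathlib import Path

# Constructed records using OSV field names. Three share the 2024-10-02
# withdrawal stamp seen in the report; one is a genuine, older withdrawal.
SAMPLE_RECORDS = [
    {"id": "EXAMPLE-2024-0001", "published": "2024-09-18T10:00:00Z",
     "modified": "2024-10-02T01:21:06Z", "withdrawn": "2024-10-02T01:21:06.482138Z"},
    {"id": "EXAMPLE-2024-0002", "published": "2024-08-01T00:00:00Z",
     "modified": "2024-10-02T01:21:07Z", "withdrawn": "2024-10-02T01:21:07.000000Z"},
    {"id": "EXAMPLE-2024-0003", "published": "2024-07-15T12:30:00Z",
     "modified": "2024-10-02T01:21:08Z", "withdrawn": "2024-10-02T01:21:08.000000Z"},
    {"id": "EXAMPLE-2024-0004", "published": "2024-09-25T08:00:00Z",
     "modified": "2024-09-25T08:00:00Z"},
    {"id": "EXAMPLE-2023-0005", "published": "2023-05-10T00:00:00Z",
     "modified": "2023-06-01T00:00:00Z", "withdrawn": "2023-06-01T00:00:00Z"},
    {"id": "EXAMPLE-2024-0006", "published": "2024-02-01T00:00:00Z",
     "modified": "2024-02-01T00:00:00Z"},
]


def load_osv_dir(path):
    """Load every *.json record under `path` (e.g. the directory unzipped from all.zip)."""
    return [json.loads(p.read_text(encoding="utf-8")) for p in Path(path).rglob("*.json")]


def day(timestamp):
    """RFC 3339 timestamp -> 'YYYY-MM-DD'. ISO dates compare correctly as plain strings."""
    return timestamp[:10]


def withdrawals_per_day(records):
    """The grep | wc -l count from the report, for every day at once."""
    return Counter(day(r["withdrawn"]) for r in records if r.get("withdrawn"))


def mass_withdrawal_days(records, min_count=100, min_fraction=0.05):
    """Days on which at least min_count records AND at least min_fraction of the
    whole bucket were withdrawn. Real withdrawals trickle in; one day carrying a
    large share of the bucket is a pipeline fault until proven otherwise."""
    total = len(records)
    per_day = withdrawals_per_day(records)
    return sorted(d for d, n in per_day.items()
                  if n >= min_count and total and n / total >= min_fraction)


def published_since(records, cutoff):
    """Records published on or after cutoff ('YYYY-MM-DD')."""
    return [r for r in records if day(r.get("published", "")) >= cutoff]


def withdrawn_share_since(records, cutoff):
    """(withdrawn, total) among records published on or after cutoff."""
    recent = published_since(records, cutoff)
    return sum(1 for r in recent if r.get("withdrawn")), len(recent)


def not_withdrawn_since(records, cutoff):
    """Ids published on or after cutoff that are still live (the report's list of 19)."""
    return sorted(r["id"] for r in published_since(records, cutoff) if not r.get("withdrawn"))


if __name__ == "__main__":
    records = load_osv_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RECORDS
    cutoff = sys.argv[2] if len(sys.argv) > 2 else "2024-03-01"
    for d, n in sorted(withdrawals_per_day(records).items()):
        print(f"{d}: {n} withdrawn")
    withdrawn, total = withdrawn_share_since(records, cutoff)
    print(f"{withdrawn}/{total} records published since {cutoff} are withdrawn")
    small = records is SAMPLE_RECORDS  # lower the thresholds for the six-record demo
    suspicious = mass_withdrawal_days(records, min_count=3 if small else 100,
                                      min_fraction=0.25 if small else 0.05)
    if suspicious:
        print("possible mass-withdrawal days:", ", ".join(suspicious))
        sys.exit(1)
```

Run it as `python check_withdrawn.py /tmp/GIT 2024-03-01` against the unzipped bucket; the non-zero exit on a suspicious day makes it usable as a gate in a benchmark or scanner refresh job, which is exactly the position the reporter was in. The default thresholds (100 records and 5 % of the bucket on one day) are a starting point, not a calibration.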

@michaelkedar (Member)

Sorry for the delay - we've just come back from a long weekend.

The problem seems to coincide with last week's deployment, so I'm going to revert that while we look into it further.

michaelkedar added the bug, priority and under-investigation labels on Oct 7, 2024
michaelkedar added a commit that referenced this issue Oct 8, 2024
The log line added in #2678 was causing a panic when `vp` is nil (that
we didn't notice 🤦).

I believe it's causing processing to stop early, so we end up missing
records and marking them as 'withdrawn' #2704
Also adding some checks elsewhere where vp might be dereferenced.

Also added the `-e` flag to the run bash script so any other failures
stop it from uploading (thanks @another-rex for pointing this out)
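
The commit message describes a chain worth seeing end to end: an unguarded dereference aborts the import part-way, the diff step then treats every record it never reached as missing, and a run script without `set -e` uploads the result anyway. The model below is an added illustration of that failure mode and of two guards against it; it is not OSV's importer. It assumes, from the commit message, an aggregator that marks any record present in its previous snapshot but absent from the current import as withdrawn. UPSTREAM is a constructed feed, and the "vp" key stands in for the pointer that was nil.

```python
"""Why a crash part-way through an import becomes a mass withdrawal, and two guards.

Added illustration, not OSV's code. Assumed (from the commit message): the
aggregator withdraws whatever was in the previous snapshot but is absent from
the current import. UPSTREAM is a constructed feed; "vp" plays the nil pointer.
"""
from dataclasses import dataclass

# Constructed upstream feed; EXAMPLE-3 carries no payload, like the nil vp.
UPSTREAM = [
    {"id": "EXAMPLE-1", "vp": {"summary": "a"}},
    {"id": "EXAMPLE-2", "vp": {"summary": "b"}},
    {"id": "EXAMPLE-3", "vp": None},
    {"id": "EXAMPLE-4", "vp": {"summary": "d"}},
    {"id": "EXAMPLE-5", "vp": {"summary": "e"}},
]
PREVIOUS_SNAPSHOT = {r["id"] for r in UPSTREAM}  # what the aggregator already published

LOG = []  # stands in for the importer's log output


@dataclass
class ImportResult:
    ids: set
    completed: bool


def process_naive(rec):
    """Before: the log line dereferences vp unconditionally and fails on None."""
    LOG.append(f"{rec['id']}: {rec['vp']['summary']}")  # TypeError when vp is None
    return rec["id"]


def process_checked(rec):
    """After: guard the dereference; the record still counts as present upstream."""
    vp = rec.get("vp")
    if vp is not None:
        LOG.append(f"{rec['id']}: {vp['summary']}")
    return rec["id"]


def run_import(feed, process):
    """Process the feed in order; a failure leaves ids truncated and completed False."""
    ids = set()
    try:
        for rec in feed:
            ids.add(process(rec))
    except Exception as exc:  # the panic; a script without `set -e` carries on from here
        LOG.append(f"import aborted: {exc!r}")
        return ImportResult(ids, completed=False)
    return ImportResult(ids, completed=True)


def naive_withdrawals(previous, result):
    """Buggy diff: anything missing from the (possibly truncated) import is withdrawn."""
    return previous - result.ids


def withdrawals(previous, result, max_fraction=0.05):
    """Guarded diff. Refuse to derive withdrawals from an incomplete import, and
    refuse a batch that would withdraw more than max_fraction of the snapshot at
    once. Both stop bad data at the source instead of letting it reach the bucket."""
    if not result.completed:
        raise RuntimeError("import did not complete; refusing to derive withdrawals")
    missing = previous - result.ids
    if previous and len(missing) / len(previous) > max_fraction:
        raise RuntimeError(f"{len(missing)}/{len(previous)} records would be withdrawn; "
                           "above the sanity limit, refusing to publish")
    return missing


def publishable(previous, result, max_fraction=0.05):
    """True when the guarded diff accepts this import for publication."""
    try:
        withdrawals(previous, result, max_fraction)
    except RuntimeError:
        return False
    return True


if __name__ == "__main__":
    broken = run_import(UPSTREAM, process_naive)
    print("naive diff would withdraw:", sorted(naive_withdrawals(PREVIOUS_SNAPSHOT, broken)))
    print("guarded diff publishes naive run:", publishable(PREVIOUS_SNAPSHOT, broken))
    fixed = run_import(UPSTREAM, process_checked)
    print("guarded diff withdraws after fix:", sorted(withdrawals(PREVIOUS_SNAPSHOT, fixed)))
```

The nil check alone fixes this incident; the completion flag and the withdrawal ceiling are the defence in depth, because they also catch the next unrelated crash and mirror, inside the diff, what `set -e` does for the run script.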
@michaelkedar (Member)

To give an update:
This seems to have been caused by a bug on our end, not the upstream data source (NVD).

Rolling back the release has un-withdrawn many of these vulnerabilities. It might take a little bit more time for it to fully propagate through to the bucket - I'll take another look tomorrow.

I've pushed a fix for the bug, which should hopefully prevent this happening in the future. That should be deployed sometime this week.

Thanks for your detailed report! Let us know if there's still a problem.

@hogo6002 (Contributor) commented Oct 9, 2024

We have fixed this issue:

/tmp/GIT$ grep -r '"withdrawn": "2024-10-02' | wc -l
7

hogo6002 closed this as completed on Oct 9, 2024
andrewpollock removed the under-investigation label on Oct 17, 2024