-
Notifications
You must be signed in to change notification settings - Fork 317
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
test(black-duck): Test parsing a vulnerability with CVSS 2 only
This illustrates an issue with parsing the `vector` and `scoring_system`. Signed-off-by: Frank Viernau <x9fviern@zeiss.com>
- Loading branch information
Showing
3 changed files
with
111 additions
and
0 deletions.
There are no files selected for viewing
43 changes: 43 additions & 0 deletions
43
plugins/advisors/black-duck/src/test/assets/CVE-2015-3996-parsed.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| --- | ||
| id: "CVE-2015-3996" | ||
| description: "The default AFSecurityPolicy.validatesDomainName configuration for AFSSLPinningModeNone\ | ||
| \ in the AFNetworking framework before 2.5.3, as used in the ownCloud iOS Library,\ | ||
| \ disables verification of a server hostname against the domain name in the subject's\ | ||
| \ Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers\ | ||
| \ to spoof SSL servers via an arbitrary valid certificate." | ||
| references: | ||
| - url: "https://zeiss.app.blackduck.com/api/vulnerabilities/CVE-2015-3996" | ||
| scoring_system: "(AV:N" | ||
| severity: "MEDIUM" | ||
| score: 4.3 | ||
| vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)" | ||
| - url: "https://zeiss.app.blackduck.com/api/cwes/CWE-254" | ||
| scoring_system: "(AV:N" | ||
| severity: "MEDIUM" | ||
| score: 4.3 | ||
| vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)" | ||
| - url: "http://www.securityfocus.com/bid/76242" | ||
| scoring_system: "(AV:N" | ||
| severity: "MEDIUM" | ||
| score: 4.3 | ||
| vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)" | ||
| - url: "https://github.com/AFNetworking/AFNetworking/issues/2619" | ||
| scoring_system: "(AV:N" | ||
| severity: "MEDIUM" | ||
| score: 4.3 | ||
| vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)" | ||
| - url: "https://github.com/AFNetworking/AFNetworking/releases/tag/2.5.3" | ||
| scoring_system: "(AV:N" | ||
| severity: "MEDIUM" | ||
| score: 4.3 | ||
| vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)" | ||
| - url: "https://owncloud.org/security/advisory/?id=oc-sa-2015-012" | ||
| scoring_system: "(AV:N" | ||
| severity: "MEDIUM" | ||
| score: 4.3 | ||
| vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)" | ||
| - url: "https://nvd.nist.gov/vuln/detail/CVE-2015-3996" | ||
| scoring_system: "(AV:N" | ||
| severity: "MEDIUM" | ||
| score: 4.3 | ||
| vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)" |
59 changes: 59 additions & 0 deletions
59
plugins/advisors/black-duck/src/test/assets/CVE-2015-3996.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| { | ||
| "source": "NVD", | ||
| "name": "CVE-2015-3996", | ||
| "description": "The default AFSecurityPolicy.validatesDomainName configuration for AFSSLPinningModeNone in the AFNetworking framework before 2.5.3, as used in the ownCloud iOS Library, disables verification of a server hostname against the domain name in the subject's Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", | ||
| "publishedDate": "2015-10-27T16:59:00.100Z", | ||
| "updatedDate": "2015-10-28T18:41:26.763Z", | ||
| "severity": "MEDIUM", | ||
| "cvss2": { | ||
| "baseScore": 4.3, | ||
| "impactSubscore": 2.9, | ||
| "exploitabilitySubscore": 8.6, | ||
| "severity": "MEDIUM", | ||
| "accessVector": "NETWORK", | ||
| "accessComplexity": "MEDIUM", | ||
| "authentication": "NONE", | ||
| "confidentialityImpact": "NONE", | ||
| "integrityImpact": "PARTIAL", | ||
| "availabilityImpact": "NONE", | ||
| "vector": "(AV:N/AC:M/Au:N/C:N/I:P/A:N)" | ||
| }, | ||
| "useCvss3": false, | ||
| "classifications": [], | ||
| "bdsaTags": [], | ||
| "overallScore": 4.3, | ||
| "_meta": { | ||
| "allow": [], | ||
| "href": "https://zeiss.app.blackduck.com/api/vulnerabilities/CVE-2015-3996", | ||
| "links": [ | ||
| { | ||
| "rel": "cwes", | ||
| "href": "https://zeiss.app.blackduck.com/api/cwes/CWE-254" | ||
| }, | ||
| { | ||
| "rel": "reference", | ||
| "href": "http://www.securityfocus.com/bid/76242", | ||
| "label": "Reference" | ||
| }, | ||
| { | ||
| "rel": "reference", | ||
| "href": "https://github.com/AFNetworking/AFNetworking/issues/2619", | ||
| "label": "Reference" | ||
| }, | ||
| { | ||
| "rel": "reference", | ||
| "href": "https://github.com/AFNetworking/AFNetworking/releases/tag/2.5.3", | ||
| "label": "Reference" | ||
| }, | ||
| { | ||
| "rel": "reference", | ||
| "href": "https://owncloud.org/security/advisory/?id=oc-sa-2015-012", | ||
| "label": "Vendor Advisory" | ||
| }, | ||
| { | ||
| "rel": "nist", | ||
| "href": "https://nvd.nist.gov/vuln/detail/CVE-2015-3996" | ||
| } | ||
| ] | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters