Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cvss: bug fixes #1232

Merged
merged 10 commits into from
May 10, 2024
Merged

cvss: bug fixes #1232

merged 10 commits into from
May 10, 2024

Conversation

hdonnay
Copy link
Member

@hdonnay hdonnay commented Jan 30, 2024

Fixes for #1230.

Thanks @pandatix for the concise bug report!

@hdonnay hdonnay requested a review from a team as a code owner January 30, 2024 00:13
@hdonnay hdonnay requested review from crozzy and removed request for a team January 30, 2024 00:13
@hdonnay hdonnay mentioned this pull request Jan 30, 2024
Closed
@codecov Codecov
Copy link

codecov bot commented Jan 30, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 76.35135% with 35 lines in your changes are missing coverage. Please review.

Project coverage is 56.28%. Comparing base (0831b93) to head (34c3319).
Report is 2 commits behind head on main.

Files Patch % Lines
toolkit/types/cvss/cvss.go 84.00% 9 Missing and 3 partials ⚠️
toolkit/types/cvss/cvss_v3.go 70.37% 4 Missing and 4 partials ⚠️
toolkit/types/cvss/cvss_v4.go 63.63% 4 Missing and 4 partials ⚠️
toolkit/types/cvss/cvss_v2.go 65.00% 4 Missing and 3 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1232      +/-   ##
==========================================
+ Coverage   55.76%   56.28%   +0.52%     
==========================================
  Files         266      266              
  Lines       16759    16844      +85     
==========================================
+ Hits         9345     9481     +136     
+ Misses       6445     6400      -45     
+ Partials      969      963       -6

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@pandatix
Copy link

Followup here before the review, there are still some issues.

CVSS v2.0

For vector AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:H the current code did not raise an error, despite the documentation (Table 13) define once one metric of a group is defined (!= "ND") the whole group must be part of the vector. (but is not really clear about it...). The expected behavior is to include IR and AR too and only validate vectors that contains them.

CVSS v4.0

For vector CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:A/VC:L/VI:H/VA:N/SC:N/SA:N/S:X the implementation did not raise any error despite it lacks the mandatory metric SI, as of the CVSS v4.0 specification Table 23.

@hdonnay
Copy link
Member Author

hdonnay commented Jan 31, 2024

For vector AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:H the current code did not raise an error, despite the documentation (Table 13) define once one metric of a group is defined (!= "ND") the whole group must be part of the vector. (but is not really clear about it...). The expected behavior is to include IR and AR too and only validate vectors that contains them.

Oh, I see what you're saying. That is indeed a very indirect way to specify that behavior.

For vector CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:A/VC:L/VI:H/VA:N/SC:N/SA:N/S:X the implementation did not raise any error despite it lacks the mandatory metric SI, as of the CVSS v4.0 specification Table 23.

Oof, yeah. Missed doing that validation.

hdonnay added a commit to hdonnay/claircore that referenced this pull request Jan 31, 2024
@hdonnay
cvss: verify required metrics for v4 vectors
60d20d4 
See-also: quay#1232
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
@pandatix
Copy link

pandatix commented Feb 2, 2024

CVSS v2.0

One might also say that the environmental group implies the temporal group, but that's quite annoying and the standard should say that if it wants to say that.
That's not true, the environmental group does not imply the temporal one to be included, but I agree it should have been clarified. At least we hope this has been solved in CVSS v4.0 :)

For vector AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:H the current code does not raise an error at parsing despite it does not contain IR and AR both mandatory once one of the group is provided and != ND.

CVSS v4.0

For vector CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:A/VC:LN/VI:L/VA:N/SC:N/SI:N/SA:N, the current code does not raise an error at parsing despite VC has invalid value LN. Most likely due to L and N being both valid separately.

hdonnay added a commit to hdonnay/claircore that referenced this pull request Mar 26, 2024
@hdonnay
cvss: verify required metrics for v4 vectors
713ebcc 
See-also: quay#1232
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
hdonnay added 7 commits May 9, 2024 13:08
@hdonnay
cvss: enforce v4 vector prefix
4a683a8 
See-also: quay#1230
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
@hdonnay
cvss: enforce v3 vector prefix
a64d794 
See-also: quay#1230
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
@hdonnay
cvss: fix v2 not recognizing non-base metrics
21a61dc 
Got too zealous with switch and didn't have any testcases to exercise
the metrics.

Closes: quay#1230
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
@hdonnay
cvss: coverage increases and bugfixes
273f703 
This adds additional tests driven by coverage numbers, and fixes the
bugs that cropped up while exercising those paths.

Signed-off-by: Hank Donnay <hdonnay@redhat.com>
@hdonnay
cvss: verify required metrics for v4 vectors
2bdff8b 
See-also: quay#1232
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
@hdonnay
cvss: add duplicate prefix tests
7b31028 
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
@hdonnay
cvss: reduce allocations during parsing
18c9792 
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
crozzy
crozzy reviewed May 9, 2024
View reviewed changes
Copy link
Contributor

@crozzy crozzy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM just one comment

toolkit/types/cvss/cvss_v2.go Outdated Show resolved Hide resolved
hdonnay added 3 commits May 9, 2024 19:36
@hdonnay
cvss: add groups method to Vector
8a8722c 
This allows the package to be able to reason about metrics group-wise.

Signed-off-by: Hank Donnay <hdonnay@redhat.com>
@hdonnay
cvss: fix v2 group-wise marshaling behavior
068edb6 
Section 2.4 of the standard implies that a vector should have metrics
with not defined values included if a metric in the group has a defined
value.

One might also say that the environmental group implies the temporal
group, but that's quite annoying and the standard should say that if it
wants to say that.

Signed-off-by: Hank Donnay <hdonnay@redhat.com>
@hdonnay
cvss: add additional check for malformed input
34c3319 
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
@crozzy crozzy self-requested a review May 10, 2024 14:57
@hdonnay
Copy link
Member Author

hdonnay commented May 10, 2024

/fast-forward

@github-actions github-actions bot merged commit 34c3319 into quay:main May 10, 2024
8 checks passed
@pandatix
Copy link

Hey, there are still issues with CVSS v2.0 and v4.0 implementations.
Differential fuzzing did not highlighted other defects in CVSS v3 implementation.

Notice that in v4.0 implementation you export metrics sets to X (Undefined) in the input vector.
For simplicity (there are a lot of metrics in v4.0) I would recommend not to export it if set to X, but this is not an implementation issue 😄

CVSS v2.0

Parsing vector AV:A/AC:L/Au:N/C:C/I:C/A:C/E:C/RL:F/RC:C does not return an error despite metrics E and RL have no valid value C and F (respectively).

From spec Table 13 :

E:[U,POC,F,H,ND]/RL:[OF,TF,W,U,ND]/RC:[UC,UR,C,ND]

CVSS v4.0

1: Parsing vector CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/U:a does not return an error despite metrics does not accept lowercase values AND metric U does not have a valide metric a (even upercased).

From spec Table 23 :

Provider Urgency (U) [X,Clear,Green,Amber,Red]

2: Vector CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:H/CR:X has a score of 4.1 but the implementation return 4.7.

@pandatix
Copy link

pandatix commented Jun 3, 2024

@hdonnay up :)

@hdonnay hdonnay deleted the bug/cvss-misc branch June 12, 2024 18:39
@pandatix pandatix mentioned this pull request Aug 18, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@crozzy crozzy crozzy approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@hdonnay @pandatix @crozzy