feat: add description field in Vulnerability
matheusfm committed Sep 21, 2023
1 parent f3ff40d commit a300eb1
Showing 6 changed files with 50 additions and 24 deletions.
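--- a/api/zora/v1alpha1/vulnerabilityreport_types.go
+++ b/api/zora/v1alpha1/vulnerabilityreport_types.go
@@ -36,7 +36,8 @@ type VulnerabilityReportSpec struct {
 type Vulnerability struct {
 ID string `json:"id"`
 Severity string `json:"severity"`
-Description string `json:"description"`
+Title string `json:"title"`
+Description string `json:"description,omitempty"`
 Package string `json:"package"`
 Version string `json:"version"`
 FixVersion string `json:"fixVersion,omitempty"`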
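Review bot: The new `Title` and `Description` fields carry no doc comments, so the CRD schema presumably generated from this struct (the two zora.undistro.io_vulnerabilityreports.yaml files in this commit) exposes them without any description, and a reader of the struct cannot tell that `Description` is the scanner's long text and may be empty while `Title` is the required short summary. I would add `// Title is the short summary of the vulnerability as reported by the scanner.` above Title and `// Description is the scanner's longer explanation; it may be empty (see the DLA-3051-1 fixture in parse_test.go).` above Description. Descriptions are copied verbatim from scanner output and several fixtures in this commit exceed a thousand characters, and a report carries every vulnerability found, so a `// +kubebuilder:validation:MaxLength=<project-chosen limit>` marker on Description would bound object size; I'd treat that as a follow-up rather than a blocker. The Vulnerability struct continues below the hunk.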
4 changes: 3 additions & 1 deletion charts/zora/crds/zora.undistro.io_vulnerabilityreports.yaml
Expand Up @@ -142,17 +142,19 @@ spec:
type: string
status:
type: string
title:
type: string
type:
type: string
url:
type: string
version:
type: string
required:
- description
- id
- package
- severity
- title
- version
type: object
type: array
4 changes: 3 additions & 1 deletion config/crd/bases/zora.undistro.io_vulnerabilityreports.yaml
Expand Up @@ -128,17 +128,19 @@ spec:
type: string
status:
type: string
title:
type: string
type:
type: string
url:
type: string
version:
type: string
required:
- description
- id
- package
- severity
- title
- version
type: object
type: array
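--- a/pkg/worker/report/trivy/parse.go
+++ b/pkg/worker/report/trivy/parse.go
@@ -85,7 +85,8 @@ func newVulnerability(vuln trivytypes.DetectedVulnerability, resultType string)
 return v1alpha1.Vulnerability{
 ID: vuln.VulnerabilityID,
 Severity: vuln.Severity,
-Description: vuln.Title,
+Title: vuln.Title,
+Description: vuln.Description,
 Package: vuln.PkgName,
 Version: vuln.InstalledVersion,
 FixVersion: vuln.FixedVersion,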
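Review bot: `Description` changes meaning in this literal — it previously held `vuln.Title` and now holds the scanner's long text, which the DLA-3051-1 case in parse_test.go shows can be an empty string, so any consumer that reads `description` from a stored VulnerabilityReport expecting a one-line summary now gets either a paragraph or nothing. That is what the commit intends, but it is a visible change to a persisted API object and deserves a sentence in the commit message or changelog. A comment at the assignment would also help the next reader: `// Title is the scanner's short summary; Description is its longer, possibly empty, explanation.` newVulnerability continues outside the hunk.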
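--- a/pkg/worker/report/trivy/parse_test.go
+++ b/pkg/worker/report/trivy/parse_test.go
@@ -47,7 +47,8 @@ func TestParse(t *testing.T) {
 {
 ID: "CVE-2022-41723",
 Severity: "HIGH",
-Description: "avoid quadratic complexity in HPACK decoding",
+Title: "avoid quadratic complexity in HPACK decoding",
+Description: "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.",
 Package: "golang.org/x/net",
 Version: "v0.0.0-20220722155237-a158d28d115b",
 FixVersion: "0.7.0",
@@ -67,7 +68,8 @@ func TestParse(t *testing.T) {
 {
 ID: "CVE-2022-4450",
 Severity: "HIGH",
-Description: "double free after calling PEM_read_bio_ex",
+Title: "double free after calling PEM_read_bio_ex",
+Description: "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data. If the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.",
 Package: "libssl1.1",
 Version: "1.1.1s-r0",
 FixVersion: "1.1.1t-r0",
@@ -79,7 +81,8 @@ func TestParse(t *testing.T) {
 {
 ID: "CVE-2022-4450",
 Severity: "HIGH",
-Description: "double free after calling PEM_read_bio_ex",
+Title: "double free after calling PEM_read_bio_ex",
+Description: "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data. If the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.",
 Package: "libcrypto1.1",
 Version: "1.1.1s-r0",
 FixVersion: "1.1.1t-r0",
@@ -91,7 +94,8 @@ func TestParse(t *testing.T) {
 {
 ID: "CVE-2023-37920",
 Severity: "CRITICAL",
-Description: "Removal of e-Tugra root certificate",
+Title: "Removal of e-Tugra root certificate",
+Description: "Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes \"e-Tugra\" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from \"e-Tugra\" from the root store.",
 Package: "certifi",
 Version: "2022.12.7",
 FixVersion: "2023.7.22",
@@ -111,7 +115,8 @@ func TestParse(t *testing.T) {
 {
 ID: "DLA-3051-1",
 Severity: "UNKNOWN",
-Description: "tzdata - new timezone database",
+Title: "tzdata - new timezone database",
+Description: "",
 Package: "tzdata",
 Version: "2019c-0+deb9u1",
 FixVersion: "2021a-0+deb9u4",
@@ -122,7 +127,8 @@ func TestParse(t *testing.T) {
 {
 ID: "CVE-2016-2779",
 Severity: "HIGH",
-Description: "util-linux: runuser tty hijack via TIOCSTI ioctl",
+Title: "util-linux: runuser tty hijack via TIOCSTI ioctl",
+Description: "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.",
 Package: "bsdutils",
 Version: "1:2.29.2-1+deb9u1",
 FixVersion: "",
@@ -134,7 +140,8 @@ func TestParse(t *testing.T) {
 {
 ID: "GHSA-jmqm-f2gx-4fjv",
 Severity: "MEDIUM",
-Description: "Sensitive information exposure through logs in npm-registry-fetch",
+Title: "Sensitive information exposure through logs in npm-registry-fetch",
+Description: "Affected versions of `npm-registry-fetch` are vulnerable to an information exposure vulnerability through log files. The cli supports URLs like `\u003cprotocol\u003e://[\u003cuser\u003e[:\u003cpassword\u003e]@]\u003chostname\u003e[:\u003cport\u003e][:][/]\u003cpath\u003e`. The password value is not redacted and is printed to stdout and also to any generated log files.",
 Package: "npm-registry-fetch",
 Version: "4.0.4",
 FixVersion: "8.1.1, 4.0.5",
@@ -154,7 +161,8 @@ func TestParse(t *testing.T) {
 {
 ID: "CVE-2016-2781",
 Severity: "LOW",
-Description: "coreutils: Non-privileged session can escape to the parent session in chroot",
+Title: "coreutils: Non-privileged session can escape to the parent session in chroot",
+Description: "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.",
 Package: "coreutils",
 Version: "8.30-3",
 FixVersion: "",
@@ -166,7 +174,8 @@ func TestParse(t *testing.T) {
 {
 ID: "CVE-2023-28755",
 Severity: "HIGH",
-Description: "ReDoS vulnerability in URI",
+Title: "ReDoS vulnerability in URI",
+Description: "A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.",
 Package: "uri",
 Version: "0.10.0",
 FixVersion: "~\u003e 0.10.0.1, ~\u003e 0.10.2, ~\u003e 0.11.1, \u003e= 0.12.1",
@@ -186,7 +195,8 @@ func TestParse(t *testing.T) {
 {
 ID: "CVE-2023-3446",
 Severity: "MEDIUM",
-Description: "Excessive time spent checking DH keys and parameters",
+Title: "Excessive time spent checking DH keys and parameters",
+Description: "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\n\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.",
 Package: "openssl",
 Version: "1.1.1n-0+deb11u4",
 FixVersion: "",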
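Review bot: The CVE-2022-4450 description literal is pasted twice verbatim (the libssl1.1 and libcrypto1.1 entries), and several other fixtures run past a thousand characters, which makes this expectation table hard to scan and easy to let drift between the two copies. Hoisting the repeated text into a package-level constant, e.g. `const cve20224450Description = "The function PEM_read_bio_ex() reads a PEM file ..."` and using `Description: cve20224450Description,` in both entries, keeps the two expectations identical by construction without changing what the test asserts. The `Description: ""` case for DLA-3051-1 is a useful fixture and worth keeping, since it pins the behaviour when the scanner supplies no description. TestParse starts and ends outside the hunks shown here.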