
hack: hard-code severity for debian CVE-2023-44487 #448

Merged
merged 3 commits into from
Jan 15, 2024

Conversation

willmurphyscode
Contributor

@willmurphyscode willmurphyscode commented Jan 9, 2024

The Debian feed contains per-package urgency for CVEs, which Vunnel translates into per-package severity, and then collapses into a single per-CVE severity by having the most severe severity win. However, unknown severities always lose the comparison. This means that the particular CVE here, CVE-2023-44487, which has a single negligible package and a bunch of unknowns, is treated as negligible severity for every package, which is incorrect. Hard-code it to unknown severity (so that Grype-DB will take severity from NVD's data), while we figure out what schema changes and logic changes are needed to put in a lasting fix.

See anchore/grype-db#108 (comment) for more info

Manual testing done

$ make dev providers="debian nvd"
$ make update-db
$ sqlite3 --header --column .cache/grype/5/vulnerability.db \
"select id, severity, namespace from vulnerability_metadata where id = 'CVE-2023-44487' and namespace like '%debian%';"

id              severity  namespace
--------------  --------  -----------------------------
CVE-2023-44487  High      debian:distro:debian:10
CVE-2023-44487  High      debian:distro:debian:11
CVE-2023-44487  High      debian:distro:debian:12
CVE-2023-44487  High      debian:distro:debian:13

Note that these will still come through as high severity in Grype-DB, but it will be because Grype DB will fall back to using NVD to populate that bit of metadata.

The Debian feed contains per-package urgency for CVEs, which Vunnel
translates into per-package severity, and then collapses into a single
per-CVE severity by having the most severe severity win. However,
unknown severities always lose the comparison. This means that the
particular CVE here, CVE-2023-44487, which has a single negligible
package and a bunch of unknowns, is treated as negligible severity for
every package, which is incorrect. Hard-code it to high severity while
we figure out what schema changes and logic changes are needed to put in a
lasting fix.

Signed-off-by: Will Murphy <[email protected]>
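The collapse described in the PR above (most severe per-package severity wins, and "unknown" always loses) is easy to reproduce in isolation. The following is an added example, not Vunnel's or Grype-DB's code: it shows the "most severe wins" collapse producing "negligible" for a constructed CVE record shaped like the one described (one negligible package, several unknowns), alongside a hypothetical conservative variant that reports "unknown" whenever too few packages have a concrete severity, so that a downstream consumer can fall back to another source such as NVD. The severity names, rank order, package names and the threshold parameter are all assumptions made for the example.

```python
from collections import Counter

# Assumed rank order for the comparison. "unknown" sits at the bottom, which
# is exactly why it can never win a "most severe wins" collapse.
SEVERITY_RANK = {
    "unknown": 0,
    "negligible": 1,
    "low": 2,
    "medium": 3,
    "high": 4,
    "critical": 5,
}


def _rank(severity: str) -> int:
    """Map a severity label to its rank; unrecognised labels count as unknown."""
    return SEVERITY_RANK.get(severity.strip().lower(), SEVERITY_RANK["unknown"])


def collapse_most_severe(package_severities: dict[str, str]) -> str:
    """The behaviour the PR describes: the most severe per-package value wins.

    Because "unknown" ranks lowest, a single concrete severity outvotes any
    number of unknowns, even when almost every package is unknown.
    """
    if not package_severities:
        return "unknown"
    return max(package_severities.values(), key=_rank).lower()


def collapse_conservative(package_severities: dict[str, str],
                          min_known_ratio: float = 1.0) -> str:
    """Hypothetical alternative (not the project's fix): surface uncertainty.

    If fewer than min_known_ratio of the packages carry a concrete (non-unknown)
    severity, return "unknown" so a downstream consumer can fall back to
    another data source instead of trusting a severity derived from one
    package. Otherwise behave like the most-severe-wins collapse.
    """
    if not package_severities:
        return "unknown"
    counts = Counter(s.strip().lower() for s in package_severities.values())
    known = sum(n for label, n in counts.items() if label != "unknown")
    if known / len(package_severities) < min_known_ratio:
        return "unknown"
    return max(package_severities.values(), key=_rank).lower()


# Constructed sample: one negligible package and several unknowns, mirroring
# the shape of the CVE-2023-44487 record the PR describes. Package names are
# made up for the example.
SAMPLE_CVE = {
    "pkg-a": "negligible",
    "pkg-b": "unknown",
    "pkg-c": "unknown",
    "pkg-d": "unknown",
}


def demo() -> dict[str, str]:
    """Run both collapses over the constructed sample and return the results."""
    return {
        "most_severe": collapse_most_severe(SAMPLE_CVE),
        "conservative": collapse_conservative(SAMPLE_CVE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>12}: {result}")
```

With the sample above, `collapse_most_severe` returns "negligible" (the bug the PR works around), while `collapse_conservative` returns "unknown", which is the value the PR hard-codes so that Grype-DB takes the severity from NVD instead. Lowering `min_known_ratio` lets a record with mostly concrete severities still collapse normally while a record that is mostly unknowns stays unknown.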
@willmurphyscode willmurphyscode added the run-pr-quality-gate Triggers running of quality gate on PRs label Jan 9, 2024
@willmurphyscode willmurphyscode marked this pull request as ready for review January 9, 2024 21:07
@westonsteimel westonsteimel merged commit d5a3b6c into main Jan 15, 2024
11 checks passed
@westonsteimel westonsteimel deleted the fix/cve-2023-44487-not-negligible branch January 15, 2024 18:01