anchore / anchore-engine

A service that analyzes docker images and scans for vulnerabilities

API response for /query/vulnerabilities is missing NVD CVSS scores in some cases

nightfurys opened this issue · comments

Environment

  • anchore-engine v1.1.0
  • vulnerabilities provider: grype

Problem
/query/vulnerabilities API response contains nvd_data attribute for each vulnerability in the result. The value of the attribute represents the NVD assigned CVSS scores. This field is not correctly populated for a small subset of vulnerabilities in the system. Instead of a list of results, the value is a null reference as noted below. The issue affects only those vulnerabilities that exclusively belong in the nvd namespace with grype as the vulnerabilities provider (v2 scanner). It does not affect the legacy vulnerability provider (v1 scanner).

% curl -u user:password "http://localhost:8228/v1/query/vulnerabilities?id=CVE-2019-15780"
{
  "page": "1",
  "returned_count": 1,
  "total_count": 1,
  "vulnerabilities": [
    {
      "affected_packages": [
        {
          "name": "formidable_form_builder",
          "type": "unknown",
          "version": "< 4.02.01",
          "will_not_fix": false
        }
      ],
      "description": "The formidable plugin before 4.02.01 for WordPress has unsafe deserialization.",
      "id": "CVE-2019-15780",
      "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15780",
      "namespace": "nvd",
      "nvd_data": null,
      "references": [
        {
          "source": "N/A",
          "url": "https://wordpress.org/plugins/formidable/#developers"
        },
        {
          "source": "N/A",
          "url": "https://raw.githubusercontent.com/Strategy11/formidable-forms/master/changelog.txt"
        },
        {
          "source": "N/A",
          "url": "https://pentest.co.uk/labs/advisory/cve-2019-15780/"
        },
        {
          "source": "N/A",
          "url": "https://wpvulndb.com/vulnerabilities/9935"
        }
      ],
      "severity": "Critical",
      "vendor_data": []
    }
  ]
}

Workaround
The API also supports a namespace query parameter to filter results based on the namespace. Supply it with the nvd value to view the NVD CVSS scores.

% curl -u user:password "http://localhost:8228/v1/query/vulnerabilities?id=CVE-2019-15780&namespace=nvd"
{
  "page": "1",
  "returned_count": 1,
  "total_count": 1,
  "vulnerabilities": [
    {
      "affected_packages": [
        {
          "name": "formidable_form_builder",
          "type": "unknown",
          "version": "< 4.02.01",
          "will_not_fix": false
        }
      ],
      "description": "The formidable plugin before 4.02.01 for WordPress has unsafe deserialization.",
      "id": "CVE-2019-15780",
      "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-15780",
      "namespace": "nvd",
      "nvd_data": [
        {
          "cvss_v2": {
            "base_metrics": {
              "base_score": 7.5,
              "expolitability_score": 10,
              "impact_score": 6.4
            },
            "severity": "High",
            "vector_string": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "cvss_v3": null,
          "id": "CVE-2019-15780"
        },
        {
          "cvss_v2": null,
          "cvss_v3": {
            "base_metrics": {
              "base_score": 9.8,
              "expolitability_score": 3.9,
              "impact_score": 5.9
            },
            "severity": "Critical",
            "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "id": "CVE-2019-15780"
        }
      ],
      "references": [
        {
          "source": "N/A",
          "url": "https://wordpress.org/plugins/formidable/#developers"
        },
        {
          "source": "N/A",
          "url": "https://raw.githubusercontent.com/Strategy11/formidable-forms/master/changelog.txt"
        },
        {
          "source": "N/A",
          "url": "https://pentest.co.uk/labs/advisory/cve-2019-15780/"
        },
        {
          "source": "N/A",
          "url": "https://wpvulndb.com/vulnerabilities/9935"
        }
      ],
      "severity": "Critical",
      "vendor_data": []
    }
  ]
}
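The following is an added example, not code from the issue or from anchore-engine: a small client helper that applies the workaround above automatically. It queries /query/vulnerabilities, and for any entry in the nvd namespace whose nvd_data came back as null it re-queries with namespace=nvd and merges the result, then pulls the CVSS v2/v3 base scores out of nvd_data. The engine URL and credentials are placeholders, the two embedded responses are constructed (trimmed copies of the ones shown in the issue), and the function names (`http_fetch`, `query_with_workaround`, `cvss_base_scores`) are this example's own.

```python
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

# Placeholders: point these at your own engine; they are not values from the issue.
ANCHORE_URL = "http://localhost:8228/v1"
ANCHORE_USER = "user"
ANCHORE_PASSWORD = "password"

# Constructed sample responses, trimmed copies of the two shown in the issue.
RESPONSE_WITHOUT_NAMESPACE = {
    "page": "1", "returned_count": 1, "total_count": 1,
    "vulnerabilities": [{
        "id": "CVE-2019-15780", "namespace": "nvd", "severity": "Critical",
        "nvd_data": None, "vendor_data": [],
    }],
}
RESPONSE_WITH_NAMESPACE = {
    "page": "1", "returned_count": 1, "total_count": 1,
    "vulnerabilities": [{
        "id": "CVE-2019-15780", "namespace": "nvd", "severity": "Critical",
        "nvd_data": [
            {"id": "CVE-2019-15780", "cvss_v3": None,
             "cvss_v2": {"base_metrics": {"base_score": 7.5}, "severity": "High",
                         "vector_string": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}},
            {"id": "CVE-2019-15780", "cvss_v2": None,
             "cvss_v3": {"base_metrics": {"base_score": 9.8}, "severity": "Critical",
                         "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                         "version": "3.0"}},
        ],
        "vendor_data": [],
    }],
}

Fetcher = Callable[[str, Optional[str]], dict]


def fake_fetch(cve_id: str, namespace: Optional[str] = None) -> dict:
    """Offline stand-in for the HTTP call; reproduces the behaviour in the issue."""
    if cve_id != "CVE-2019-15780":
        return {"page": "1", "returned_count": 0, "total_count": 0, "vulnerabilities": []}
    return RESPONSE_WITH_NAMESPACE if namespace == "nvd" else RESPONSE_WITHOUT_NAMESPACE


def http_fetch(cve_id: str, namespace: Optional[str] = None) -> dict:
    """Real call to GET /query/vulnerabilities with HTTP basic auth (hypothetical helper)."""
    params = {"id": cve_id}
    if namespace:
        params["namespace"] = namespace
    url = f"{ANCHORE_URL}/query/vulnerabilities?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url)
    token = base64.b64encode(f"{ANCHORE_USER}:{ANCHORE_PASSWORD}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def query_with_workaround(cve_id: str, fetch: Fetcher = http_fetch) -> List[dict]:
    """Return the vulnerability entries for cve_id; any nvd-namespace entry whose
    nvd_data is null is re-queried with namespace=nvd and its nvd_data merged in."""
    fixed = []
    for vuln in fetch(cve_id, None)["vulnerabilities"]:
        if vuln.get("namespace") == "nvd" and vuln.get("nvd_data") is None:
            retry = fetch(cve_id, "nvd")["vulnerabilities"]
            match = next((v for v in retry if v.get("id") == vuln.get("id")), None)
            if match is not None and match.get("nvd_data") is not None:
                vuln = dict(vuln, nvd_data=match["nvd_data"])
        fixed.append(vuln)
    return fixed


def cvss_base_scores(vuln: dict) -> Dict[str, Optional[float]]:
    """Highest CVSS v2 and v3 base_score across the nvd_data entries (None if absent)."""
    scores: Dict[str, Optional[float]] = {"cvss_v2": None, "cvss_v3": None}
    for entry in vuln.get("nvd_data") or []:
        for key in scores:
            block = entry.get(key)
            if block and block.get("base_metrics"):
                score = block["base_metrics"].get("base_score")
                if score is not None and (scores[key] is None or score > scores[key]):
                    scores[key] = score
    return scores


if __name__ == "__main__":
    # Swap fake_fetch for http_fetch to run against a real engine.
    for v in query_with_workaround("CVE-2019-15780", fetch=fake_fetch):
        print(v["id"], v["namespace"], cvss_base_scores(v))
```

The retry is keyed on the same vulnerability id so entries from other namespaces in the first response are left untouched; only the nvd-namespace entries that came back with a null nvd_data are replaced, which is exactly the subset the issue describes.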