CVE-2022-30187 is not reported for java and Python SDKs
prabhu opened this issue · comments
Describe the bug
When searching for CVE-2022-30187, there is only a single result belonging to GHSA being presented.
https://osv.dev/vulnerability/GHSA-64x4-9hc6-r2h6
The GHSA entry doesn't include Java and Python SDKs. NVD (!) and MSRC feeds are correct here.
https://nvd.nist.gov/vuln/detail/CVE-2022-30187
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-30187
NOTE: While this is a single example, a quick and dirty script that compares NVD data with equivalent OSV shows huge discrepancies (CPE converted to purl and matched against OSV) where it is not clear which database is even correct. Will create a separate ticket for this.
To Reproduce
Steps to reproduce the behaviour:
- search for CVE-2022-30187
Expected behaviour
Package information must match NVD (CPEs belonging to application packages)
Screenshots
If applicable, add screenshots to help explain your problem.
Additional context
Add any other context about the problem here.
Hey @prabhu
Thanks for taking a look at our data, I'd love to more broadly explore any gaps you've identified using this CPE to Purl technique you mention.
In the case of this particular CVE, I'm not seeing how there's a discrepancy?
Looking at https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2022-30187, I can see the following CPEs:
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:microsoft:azure_storage_blobs:*:*:*:*:*:.net:*:*",
"versionEndExcluding": "12.13.0",
"matchCriteriaId": "76C885A0-06D7-4573-97BA-FBCA7653F008"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:microsoft:azure_storage_blobs:*:*:*:*:*:python:*:*",
"versionEndExcluding": "12.13.0",
"matchCriteriaId": "2E1A488F-D561-4005-AFF8-468860F40816"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:microsoft:azure_storage_blobs:*:*:*:*:*:java:*:*",
"versionEndExcluding": "12.18.0",
"matchCriteriaId": "153D4518-8E6D-48D0-9BC5-EB482EDBF07B"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:microsoft:azure_storage_queue:*:*:*:*:*:python:*:*",
"versionEndExcluding": "12.4.0",
"matchCriteriaId": "F765F0A9-3756-4C1E-85B0-1438474B4590"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:microsoft:azure_storage_queue:*:*:*:*:*:.net:*:*",
"versionEndExcluding": "12.11.0",
"matchCriteriaId": "5444CD1F-54C8-4918-8842-5320DE43FDBC"
}
]
}
]
}
],which seems to me to correlate with what is currently available for https://api.osv.dev/v1/vulns/GHSA-64x4-9hc6-r2h6:
"affected": [
{
"package": {
"name": "Azure.Storage.Queues",
"ecosystem": "NuGet",
"purl": "pkg:nuget/Azure.Storage.Queues"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "12.11.0"
}
]
}
],
"versions": [
"12.0.0",
"12.1.0",
"12.1.1",
"12.10.0",
"12.2.0",
"12.3.0",
"12.3.1",
"12.3.2",
"12.4.0",
"12.4.1",
"12.4.2",
"12.5.0",
"12.6.0",
"12.6.1",
"12.6.2",
"12.7.0",
"12.8.0",
"12.9.0"
],
"database_specific": {
"source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-64x4-9hc6-r2h6/GHSA-64x4-9hc6-r2h6.json"
}
},
{
"package": {
"name": "Azure.Storage.Blobs",
"ecosystem": "NuGet",
"purl": "pkg:nuget/Azure.Storage.Blobs"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "12.13.0"
}
]
}
],
"versions": [
"12.0.0",
"12.1.0",
"12.10.0",
"12.11.0",
"12.12.0",
"12.2.0",
"12.3.0",
"12.4.0",
"12.4.1",
"12.4.2",
"12.4.3",
"12.4.4",
"12.5.0",
"12.5.1",
"12.6.0",
"12.7.0",
"12.8.0",
"12.8.1",
"12.8.2",
"12.8.3",
"12.8.4",
"12.9.0",
"12.9.1"
],
"database_specific": {
"source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-64x4-9hc6-r2h6/GHSA-64x4-9hc6-r2h6.json"
}
}
],i.e., I'm seeing:
- Azure.Storage.Queues
- Azure.Storage.Blobs
The CVE itself isn't converting to a first class OSV record (it's just an alias of GHSA-64x4-9hc6-r2h6 as you note), because our conversion process hasn't been able to derive a Git repository CPEs, and looking at https://github.com/scanoss/purl2cpe/tree/main/data/microsoft, which I've been using as an independent cross-reference, I'm not seeing anything particularly useful there, either.
Could you please elaborate on how the current behaviour is not aligning with what you're expecting?
Thanks @andrewpollock. I will share the script once it's in good shape. It is currently buggy and unreliable.
Regarding the CPE, you can find java and python under target_sw, which is how the package ecosystem is represented. Depscan, for example, can now report these vulnerabilities for the equivalent maven and pypi packages in addition to nuget as well.
Perhaps retain the raw CPE information for NVD under database_specific and ensure both NVD and GHSA information are presented for all CVEs?
Regarding the CPE, you can find
javaandpythonundertarget_sw,which is how the package ecosystem is represented.
Ah, I see. Thanks for highlighting that.
In the case of GHSA-64x4-9hc6-r2h6 specifically, any deficiencies in comprehensiveness need to be taken up with the GitHub Advisory Database, via https://github.com/advisories/GHSA-64x4-9hc6-r2h6/improve