Open question: vendor / tool name mapping across sources #5
Comments
Follow-up question on that: how do we handle vulnerabilities that only apply if multiple products are involved? Example: CVE-2008-0732

```json
{
  "cve": {
    "id": "CVE-2008-0732",
    "sourceIdentifier": "[email protected]",
    "published": "2008-02-12T21:00:00.000",
    "lastModified": "2008-09-05T21:35:50.617",
    "vulnStatus": "Analyzed",
    "descriptions": [
      {
        "lang": "en",
        "value": "The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories."
      },
      {
        "lang": "es",
        "value": "La secuencia de comandos init de Apache Geronimo sobre SUSE Linux sigue enlaces simbólicos cuando realiza una operación de cambio en la propiedad de ficheros o directorios, que permite a usuarios locales obtener acceso a ficheros y directorios no especificados."
      }
    ],
    "metrics": {
      "cvssMetricV2": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "2.0",
            "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
            "accessVector": "LOCAL",
            "accessComplexity": "LOW",
            "authentication": "NONE",
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 2.1
          },
          "baseSeverity": "LOW",
          "exploitabilityScore": 3.9,
          "impactScore": 2.9,
          "acInsufInfo": false,
          "obtainAllPrivilege": false,
          "obtainUserPrivilege": false,
          "obtainOtherPrivilege": false,
          "userInteractionRequired": false
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-59"
          }
        ]
      }
    ],
    "configurations": [
      {
        "operator": "AND",
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": false,
                "criteria": "cpe:2.3:o:suse:suse_linux:*:*:*:*:*:*:*:*",
                "matchCriteriaId": "67527281-81FA-4068-9E0A-7B19FB6A208A"
              }
            ]
          },
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:apache:geronimo:*:*:*:*:*:*:*:*",
                "matchCriteriaId": "67517877-5475-4CDA-A634-4CDE447D41D1"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00003.html",
        "source": "[email protected]",
        "tags": [
          "Patch"
        ]
      }
    ]
  }
}
```

If we use the same approach as defined in the existing CVE Search API, we'll have this vulnerability in
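The multi-product case in the comment above comes down to honouring the `AND` between the two `nodes` and the `vulnerable: false` flag on the SUSE entry. The following is an added example, not code from cve-search or from this thread: it evaluates the `configurations` array of the CVE-2008-0732 record against a host's CPE inventory, and contrasts that with a deliberately naive flattened lookup (`affected_flat`, constructed here for contrast and not a description of the existing CVE Search API). The host inventories are constructed. Two simplifying assumptions: CPE strings are split on `:` with no handling of escaped colons, and the `versionStartIncluding`/`versionEndExcluding` range fields NVD can attach to a `cpeMatch` are ignored.

```python
"""Evaluate an NVD 2.0 ``configurations`` tree against a host's CPE inventory.

Added example, not cve-search project code. The configuration below is copied
from the CVE-2008-0732 record quoted above (matchCriteriaId values dropped
because the evaluator does not need them); host inventories are constructed.
Assumptions: CPE 2.3 strings are split on ':' (escaped colons not handled) and
version-range fields on a cpeMatch are ignored.
"""

CVE_2008_0732_CONFIGURATIONS = [
    {
        "operator": "AND",
        "nodes": [
            {"operator": "OR", "negate": False, "cpeMatch": [
                {"vulnerable": False,
                 "criteria": "cpe:2.3:o:suse:suse_linux:*:*:*:*:*:*:*:*"}]},
            {"operator": "OR", "negate": False, "cpeMatch": [
                {"vulnerable": True,
                 "criteria": "cpe:2.3:a:apache:geronimo:*:*:*:*:*:*:*:*"}]},
        ],
    }
]


def cpe_components(cpe):
    """Return the 11 components after the 'cpe:2.3:' prefix."""
    parts = cpe.split(":")
    if parts[:2] != ["cpe", "2.3"] or len(parts) != 13:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return parts[2:]


def cpe_matches(criteria, installed):
    """True when every component of ``criteria`` is '*' or equals the installed one."""
    for want, have in zip(cpe_components(criteria), cpe_components(installed)):
        if want != "*" and have != "*" and want.lower() != have.lower():
            return False
    return True


def eval_node(node, inventory):
    """Return (node_matched, vulnerable_cpes_hit) for one configuration node.

    vulnerable=false entries count towards the node matching ("running on" context)
    but never contribute to the list of vulnerable hits.
    """
    per_match, hits = [], []
    for m in node["cpeMatch"]:
        found = [c for c in inventory if cpe_matches(m["criteria"], c)]
        per_match.append(bool(found))
        if found and m.get("vulnerable", False):
            hits.extend(found)
    matched = all(per_match) if node.get("operator", "OR") == "AND" else any(per_match)
    if node.get("negate", False):
        matched = not matched
    return matched, hits


def eval_configuration(conf, inventory):
    """A configuration applies only if its node tree is satisfied AND at least one
    vulnerable=true criterion actually matched something in the inventory."""
    results = [eval_node(n, inventory) for n in conf["nodes"]]
    op = conf.get("operator", "AND")  # single-node configurations carry no operator
    tree_ok = all(ok for ok, _ in results) if op == "AND" else any(ok for ok, _ in results)
    hits = sorted({h for _, hs in results for h in hs})
    return tree_ok and bool(hits), hits


def affected(configurations, inventory):
    """Operator-aware check: the CVE applies if any configuration applies."""
    for conf in configurations:
        ok, hits = eval_configuration(conf, inventory)
        if ok:
            return True, hits
    return False, []


def affected_flat(configurations, inventory):
    """Naive contrast: flatten the tree to a bag of vulnerable=true criteria and
    ignore AND/OR entirely (constructed here; not any particular tool's logic)."""
    hits = []
    for conf in configurations:
        for node in conf["nodes"]:
            for m in node["cpeMatch"]:
                if m.get("vulnerable", False):
                    hits.extend(c for c in inventory if cpe_matches(m["criteria"], c))
    return bool(hits), sorted(set(hits))


# Constructed host inventories.
SUSE_WITH_GERONIMO = [
    "cpe:2.3:o:suse:suse_linux:10.3:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:geronimo:2.1:*:*:*:*:*:*:*",
]
DEBIAN_WITH_GERONIMO = [
    "cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:geronimo:2.1:*:*:*:*:*:*:*",
]
SUSE_ONLY = ["cpe:2.3:o:suse:suse_linux:10.3:*:*:*:*:*:*:*"]

if __name__ == "__main__":
    for name, inv in [("suse+geronimo", SUSE_WITH_GERONIMO),
                      ("debian+geronimo", DEBIAN_WITH_GERONIMO),
                      ("suse only", SUSE_ONLY)]:
        print(name, "tree:", affected(CVE_2008_0732_CONFIGURATIONS, inv)[0],
              "flat:", affected_flat(CVE_2008_0732_CONFIGURATIONS, inv)[0])
```

The tree-aware check reports the Debian host as not affected because the SUSE node of the `AND` is unsatisfied, and the SUSE-only host as not affected because no `vulnerable: true` criterion matched; the flattened lookup flags the Debian host on the Geronimo entry alone.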
Could we imagine a fuzzy strategy for the different sources? Where approximate results are calculated in another set? Like we did for cpe-guesser https://github.com/cve-search/cpe-guesser
We can do something like that, but I really fear there will be a lot of improper guesses (the CPE refs are super weak). As long as we have a reference to a CVE in whichever vulnerability entry, we automatically get the CPE:
It doesn't really solve the issue with the CPE requiring operators, but it's better than nothing.
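A sketch of the "approximate results in another set" idea raised in the question above, as an added example that is not part of this thread and not cpe-guesser's own algorithm: a vendor/product pair from some other source is normalised (lower-cased, corporate suffixes stripped, tokens joined with `_` as in CPE names) and compared against a small constructed CPE dictionary. Only a normalised equality lands in the `exact` set; anything above a string-similarity threshold goes into a separate `approximate` set with its score, so a consumer can treat the weak guesses differently. The dictionary, the stop-word list, the threshold and the `min(vendor, product)` scoring are all assumptions of this example.

```python
"""Map a (vendor, product) pair from an arbitrary source onto CPE vendor/product
names, keeping exact and approximate matches in separate sets.

Added example, not cve-search or cpe-guesser code. The dictionary, stop words,
threshold and scoring rule are assumptions; the real CPE dictionary is NVD's.
"""
import difflib
import re

# Constructed mini CPE dictionary of (vendor, product) pairs.
CPE_DICTIONARY = [
    ("apache", "geronimo"),
    ("apache", "http_server"),
    ("suse", "suse_linux"),
    ("opensuse", "opensuse"),
    ("microsoft", "windows_10"),
]

# Corporate suffixes and filler words that sources add but CPE names omit (assumption).
STOPWORDS = {"inc", "ltd", "llc", "software", "foundation", "corporation", "corp", "the", "project"}


def normalize(name):
    """Lower-case, drop stop words, join the remaining tokens with '_' like a CPE name."""
    tokens = [t for t in re.findall(r"[a-z0-9]+", name.lower()) if t not in STOPWORDS]
    return "_".join(tokens)


def similarity(a, b):
    """Plain string similarity in [0, 1] (difflib ratio; no autojunk below 200 chars)."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def map_name(vendor, product, dictionary=CPE_DICTIONARY, threshold=0.6):
    """Return {"exact": [(vendor, product), ...],
               "approximate": [((vendor, product), score), ...]}.

    Both vendor and product must clear the threshold (min of the two scores),
    so a perfect vendor match cannot drag in an unrelated product.
    """
    v, p = normalize(vendor), normalize(product)
    exact, approximate = [], []
    for dv, dp in dictionary:
        if (dv, dp) == (v, p):
            exact.append((dv, dp))
            continue
        score = min(similarity(v, dv), similarity(p, dp))
        if score >= threshold:
            approximate.append(((dv, dp), round(score, 2)))
    approximate.sort(key=lambda item: -item[1])
    return {"exact": exact, "approximate": approximate}


if __name__ == "__main__":
    # Constructed inputs as they might appear in non-NVD sources.
    for vendor, product in [("Apache Software Foundation", "Geronimo"),
                            ("SuSE", "SUSE Linux Enterprise"),
                            ("Microsoft", "Word")]:
        print(vendor, "/", product, "->", map_name(vendor, product))
```

"Apache Software Foundation / Geronimo" lands in the exact set once the suffix words are stripped; "SuSE / SUSE Linux Enterprise" is only approximately `suse:suse_linux` and is kept apart with its score; "Microsoft / Word" matches nothing even though the vendor is an exact hit, which is the behaviour the `min()` rule is there to enforce.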
We have a few ways to represent what is affected by a vulnerability.
Let's go through them with a random CVE (CVE-2023-21825).
Other example: CVE-2023-32999