-
Notifications
You must be signed in to change notification settings - Fork 15
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix: use new platform logic even for only one platform (#386)
* test: failing unit test for platform cpe ordering issue Signed-off-by: Weston Steimel <[email protected]> * fix: no longer fall back on single platform Signed-off-by: Will Murphy <[email protected]> * refactor: remove legacy platform CPE determination logic Signed-off-by: Weston Steimel <[email protected]> --------- Signed-off-by: Weston Steimel <[email protected]> Signed-off-by: Will Murphy <[email protected]> Co-authored-by: Weston Steimel <[email protected]>
- Loading branch information
1 parent
0b0bff4
commit cec1ab3
Showing
5 changed files
with
492 additions
and
18 deletions.
There are no files selected for viewing
148 changes: 148 additions & 0 deletions
148
pkg/process/v5/transformers/nvd/test-fixtures/CVE-2023-45283-platform-cpe-first.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,148 @@ | ||
| { | ||
| "cve": { | ||
| "id": "CVE-2023-45283", | ||
| "sourceIdentifier": "[email protected]", | ||
| "published": "2023-11-09T17:15:08.757", | ||
| "lastModified": "2023-12-14T10:15:07.947", | ||
| "vulnStatus": "Modified", | ||
| "cveTags": [], | ||
| "descriptions": [ | ||
| { | ||
| "lang": "en", | ||
| "value": "The filepath package does not recognize paths with a \\??\\ prefix as special. On Windows, a path beginning with \\??\\ is a Root Local Device path equivalent to a path beginning with \\\\?\\. Paths with a \\??\\ prefix may be used to access arbitrary locations on the system. For example, the path \\??\\c:\\x is equivalent to the more common path c:\\x. Before fix, Clean could convert a rooted path such as \\a\\..\\??\\b into the root local device path \\??\\b. Clean will now convert this to .\\??\\b. Similarly, Join(\\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \\??\\b. Join will now convert this to \\.\\??\\b. In addition, with fix, IsAbs now correctly reports paths beginning with \\??\\ as absolute, and VolumeName correctly reports the \\??\\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \\?, resulting in filepath.Clean(\\?\\c:) returning \\?\\c: rather than \\?\\c:\\ (among other effects). The previous behavior has been restored." | ||
| }, | ||
| { | ||
| "lang": "es", | ||
| "value": "El paquete filepath no reconoce las rutas con el prefijo \\??\\ como especiales. En Windows, una ruta que comienza con \\??\\ es una ruta de dispositivo local raíz equivalente a una ruta que comienza con \\\\?\\. Se pueden utilizar rutas con un prefijo \\??\\ para acceder a ubicaciones arbitrarias en el sistema. Por ejemplo, la ruta \\??\\c:\\x es equivalente a la ruta más común c:\\x. Antes de la solución, Clean podía convertir una ruta raíz como \\a\\..\\??\\b en la ruta raíz del dispositivo local \\??\\b. Clean ahora convertirá esto a .\\??\\b. De manera similar, Join(\\, ??, b) podría convertir una secuencia aparentemente inocente de elementos de ruta en la ruta del dispositivo local raíz \\??\\b. Unirse ahora convertirá esto a \\.\\??\\b. Además, con la solución, IsAbs ahora informa correctamente las rutas que comienzan con \\??\\ como absolutas, y VolumeName informa correctamente el prefijo \\??\\ como nombre de volumen." | ||
| } | ||
| ], | ||
| "metrics": { | ||
| "cvssMetricV31": [ | ||
| { | ||
| "source": "[email protected]", | ||
| "type": "Primary", | ||
| "cvssData": { | ||
| "version": "3.1", | ||
| "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", | ||
| "attackVector": "NETWORK", | ||
| "attackComplexity": "LOW", | ||
| "privilegesRequired": "NONE", | ||
| "userInteraction": "NONE", | ||
| "scope": "UNCHANGED", | ||
| "confidentialityImpact": "HIGH", | ||
| "integrityImpact": "NONE", | ||
| "availabilityImpact": "NONE", | ||
| "baseScore": 7.5, | ||
| "baseSeverity": "HIGH" | ||
| }, | ||
| "exploitabilityScore": 3.9, | ||
| "impactScore": 3.6 | ||
| } | ||
| ] | ||
| }, | ||
| "weaknesses": [ | ||
| { | ||
| "source": "[email protected]", | ||
| "type": "Primary", | ||
| "description": [ | ||
| { | ||
| "lang": "en", | ||
| "value": "CWE-22" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "configurations": [ | ||
| { | ||
| "operator": "AND", | ||
| "nodes": [ | ||
| { | ||
| "operator": "OR", | ||
| "negate": false, | ||
| "cpeMatch": [ | ||
| { | ||
| "vulnerable": false, | ||
| "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", | ||
| "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA" | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "operator": "OR", | ||
| "negate": false, | ||
| "cpeMatch": [ | ||
| { | ||
| "vulnerable": true, | ||
| "criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", | ||
| "versionEndExcluding": "1.20.11", | ||
| "matchCriteriaId": "C1E7C289-7484-4AA8-A96B-07D2E2933258" | ||
| }, | ||
| { | ||
| "vulnerable": true, | ||
| "criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", | ||
| "versionStartIncluding": "1.21.0-0", | ||
| "versionEndExcluding": "1.21.4", | ||
| "matchCriteriaId": "4E3FC16C-41B2-4900-901F-48BDA3DC9ED2" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "url": "http://www.openwall.com/lists/oss-security/2023/12/05/2", | ||
| "source": "[email protected]" | ||
| }, | ||
| { | ||
| "url": "https://go.dev/cl/540277", | ||
| "source": "[email protected]", | ||
| "tags": [ | ||
| "Issue Tracking", | ||
| "Vendor Advisory" | ||
| ] | ||
| }, | ||
| { | ||
| "url": "https://go.dev/cl/541175", | ||
| "source": "[email protected]" | ||
| }, | ||
| { | ||
| "url": "https://go.dev/issue/63713", | ||
| "source": "[email protected]", | ||
| "tags": [ | ||
| "Issue Tracking", | ||
| "Vendor Advisory" | ||
| ] | ||
| }, | ||
| { | ||
| "url": "https://go.dev/issue/64028", | ||
| "source": "[email protected]" | ||
| }, | ||
| { | ||
| "url": "https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY", | ||
| "source": "[email protected]", | ||
| "tags": [ | ||
| "Issue Tracking", | ||
| "Mailing List", | ||
| "Vendor Advisory" | ||
| ] | ||
| }, | ||
| { | ||
| "url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ", | ||
| "source": "[email protected]" | ||
| }, | ||
| { | ||
| "url": "https://pkg.go.dev/vuln/GO-2023-2185", | ||
| "source": "[email protected]", | ||
| "tags": [ | ||
| "Issue Tracking", | ||
| "Vendor Advisory" | ||
| ] | ||
| }, | ||
| { | ||
| "url": "https://security.netapp.com/advisory/ntap-20231214-0008/", | ||
| "source": "[email protected]" | ||
| } | ||
| ] | ||
| } | ||
| } |
147 changes: 147 additions & 0 deletions
147
pkg/process/v5/transformers/nvd/test-fixtures/CVE-2023-45283-platform-cpe-last.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,147 @@ | ||
| { | ||
| "cve": { | ||
| "id": "CVE-2023-45283", | ||
| "sourceIdentifier": "[email protected]", | ||
| "published": "2023-11-09T17:15:08.757", | ||
| "lastModified": "2023-12-14T10:15:07.947", | ||
| "vulnStatus": "Modified", | ||
| "descriptions": [ | ||
| { | ||
| "lang": "en", | ||
| "value": "The filepath package does not recognize paths with a \\??\\ prefix as special. On Windows, a path beginning with \\??\\ is a Root Local Device path equivalent to a path beginning with \\\\?\\. Paths with a \\??\\ prefix may be used to access arbitrary locations on the system. For example, the path \\??\\c:\\x is equivalent to the more common path c:\\x. Before fix, Clean could convert a rooted path such as \\a\\..\\??\\b into the root local device path \\??\\b. Clean will now convert this to .\\??\\b. Similarly, Join(\\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \\??\\b. Join will now convert this to \\.\\??\\b. In addition, with fix, IsAbs now correctly reports paths beginning with \\??\\ as absolute, and VolumeName correctly reports the \\??\\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \\?, resulting in filepath.Clean(\\?\\c:) returning \\?\\c: rather than \\?\\c:\\ (among other effects). The previous behavior has been restored." | ||
| }, | ||
| { | ||
| "lang": "es", | ||
| "value": "El paquete filepath no reconoce las rutas con el prefijo \\??\\ como especiales. En Windows, una ruta que comienza con \\??\\ es una ruta de dispositivo local raíz equivalente a una ruta que comienza con \\\\?\\. Se pueden utilizar rutas con un prefijo \\??\\ para acceder a ubicaciones arbitrarias en el sistema. Por ejemplo, la ruta \\??\\c:\\x es equivalente a la ruta más común c:\\x. Antes de la solución, Clean podía convertir una ruta raíz como \\a\\..\\??\\b en la ruta raíz del dispositivo local \\??\\b. Clean ahora convertirá esto a .\\??\\b. De manera similar, Join(\\, ??, b) podría convertir una secuencia aparentemente inocente de elementos de ruta en la ruta del dispositivo local raíz \\??\\b. Unirse ahora convertirá esto a \\.\\??\\b. Además, con la solución, IsAbs ahora informa correctamente las rutas que comienzan con \\??\\ como absolutas, y VolumeName informa correctamente el prefijo \\??\\ como nombre de volumen." | ||
| } | ||
| ], | ||
| "metrics": { | ||
| "cvssMetricV31": [ | ||
| { | ||
| "source": "[email protected]", | ||
| "type": "Primary", | ||
| "cvssData": { | ||
| "version": "3.1", | ||
| "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", | ||
| "attackVector": "NETWORK", | ||
| "attackComplexity": "LOW", | ||
| "privilegesRequired": "NONE", | ||
| "userInteraction": "NONE", | ||
| "scope": "UNCHANGED", | ||
| "confidentialityImpact": "HIGH", | ||
| "integrityImpact": "NONE", | ||
| "availabilityImpact": "NONE", | ||
| "baseScore": 7.5, | ||
| "baseSeverity": "HIGH" | ||
| }, | ||
| "exploitabilityScore": 3.9, | ||
| "impactScore": 3.6 | ||
| } | ||
| ] | ||
| }, | ||
| "weaknesses": [ | ||
| { | ||
| "source": "[email protected]", | ||
| "type": "Primary", | ||
| "description": [ | ||
| { | ||
| "lang": "en", | ||
| "value": "CWE-22" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "configurations": [ | ||
| { | ||
| "operator": "AND", | ||
| "nodes": [ | ||
| { | ||
| "operator": "OR", | ||
| "negate": false, | ||
| "cpeMatch": [ | ||
| { | ||
| "vulnerable": true, | ||
| "criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", | ||
| "versionEndExcluding": "1.20.11", | ||
| "matchCriteriaId": "C1E7C289-7484-4AA8-A96B-07D2E2933258" | ||
| }, | ||
| { | ||
| "vulnerable": true, | ||
| "criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", | ||
| "versionStartIncluding": "1.21.0-0", | ||
| "versionEndExcluding": "1.21.4", | ||
| "matchCriteriaId": "4E3FC16C-41B2-4900-901F-48BDA3DC9ED2" | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "operator": "OR", | ||
| "negate": false, | ||
| "cpeMatch": [ | ||
| { | ||
| "vulnerable": false, | ||
| "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", | ||
| "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "url": "http://www.openwall.com/lists/oss-security/2023/12/05/2", | ||
| "source": "[email protected]" | ||
| }, | ||
| { | ||
| "url": "https://go.dev/cl/540277", | ||
| "source": "[email protected]", | ||
| "tags": [ | ||
| "Issue Tracking", | ||
| "Vendor Advisory" | ||
| ] | ||
| }, | ||
| { | ||
| "url": "https://go.dev/cl/541175", | ||
| "source": "[email protected]" | ||
| }, | ||
| { | ||
| "url": "https://go.dev/issue/63713", | ||
| "source": "[email protected]", | ||
| "tags": [ | ||
| "Issue Tracking", | ||
| "Vendor Advisory" | ||
| ] | ||
| }, | ||
| { | ||
| "url": "https://go.dev/issue/64028", | ||
| "source": "[email protected]" | ||
| }, | ||
| { | ||
| "url": "https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY", | ||
| "source": "[email protected]", | ||
| "tags": [ | ||
| "Issue Tracking", | ||
| "Mailing List", | ||
| "Vendor Advisory" | ||
| ] | ||
| }, | ||
| { | ||
| "url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ", | ||
| "source": "[email protected]" | ||
| }, | ||
| { | ||
| "url": "https://pkg.go.dev/vuln/GO-2023-2185", | ||
| "source": "[email protected]", | ||
| "tags": [ | ||
| "Issue Tracking", | ||
| "Vendor Advisory" | ||
| ] | ||
| }, | ||
| { | ||
| "url": "https://security.netapp.com/advisory/ntap-20231214-0008/", | ||
| "source": "[email protected]" | ||
| } | ||
| ] | ||
| } | ||
| } |
Oops, something went wrong.