
Add "severity" to vuln/core JSON vulnerability feed #1372

Closed
srmish-jfrog opened this issue Sep 2, 2024 · 7 comments

Comments

@srmish-jfrog
Contributor

It would be great to include the vulnerability's severity in the JSON files generated under vuln/core.

For example for 146.json -

{
    "cve": [
        "CVE-2024-37372"
    ],
+  "severity": "low",
    "vulnerable": "20.x || 22.x",
    "patched": "^20.15.1 || ^22.4.1",
    "ref": "https://nodejs.org/en/blog/vulnerability/july-2024-security-releases/",
    "overview": "The Permission Model assumes that any path starting with two backslashes \\\\ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases.\n\nThis vulnerability affects Windows users of the Node.js Permission Model in version v20.x and v22.x",
    "affectedEnvironments": ["all"]
}
@RafaelGSS
Member

SGTM. Would you like to update the current database and I'll make sure to update our security release process to include severity for the next ones?

@srmish-jfrog
Contributor Author

Sounds good, I'll create a PR shortly. Note that index.json would also have to be updated each time.

@RafaelGSS
Member

index.json is automatically updated by an action.

@srmish-jfrog
Contributor Author

Ah ok great.
I just noticed that "cve" is a list, so we need a severity for each.
I guess we have two options -
A - Nicer option but breaks the current schema -

{
    "cve":
    [
        {
            "id": "CVE-2020-1234",
            "severity": "low"
        },
        {
            "id": "CVE-2020-5678",
            "severity": "medium"
        }
    ]
}

B - Less nice, but doesn't break the schema -

{
    "cve":
    [
        "CVE-2020-1234",
        "CVE-2020-5678"
    ],
    "severity":
    {
        "CVE-2020-1234": "low",
        "CVE-2020-5678": "medium"
    }
}

What would you prefer?

@RafaelGSS
Member

cve is a list because sometimes we include a previous CVE to this new vulnerability. Most of the time, they will have the same severity. So, using "severity": "low" should fit for us. In any case, we should always use the highest severity.

@srmish-jfrog
Contributor Author

Gotcha, ok great, I will add a single value with the highest severity.
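
As an added example (not code from the nodejs/security-wg repository or from either commenter), the "highest severity wins" rule agreed above applied to a constructed vuln/core-style entry, followed by the consistency check a CI step could run over the generated files. The ordering low < medium < high < critical and the placeholder second CVE id are assumptions of this example.

```javascript
// Added example, not part of nodejs/security-wg. Derives the single
// "severity" field for a vuln/core entry from per-CVE severities, taking the
// highest one, and checks the resulting record against the agreed shape.
// Assumption: severity levels are ordered low < medium < high < critical.
const SEVERITY_RANK = { low: 0, medium: 1, high: 2, critical: 3 };

// Returns the highest severity among the given per-CVE severities.
// Unknown values throw rather than silently defaulting to something low.
function highestSeverity(perCve) {
  const levels = Object.values(perCve);
  if (levels.length === 0) throw new Error('no severities given');
  for (const level of levels) {
    if (!(level in SEVERITY_RANK)) throw new Error(`unknown severity: ${level}`);
  }
  return levels.reduce((a, b) => (SEVERITY_RANK[b] > SEVERITY_RANK[a] ? b : a));
}

// Keeps the "cve" list unchanged and adds one "severity" string (the option
// chosen in the thread). Every listed CVE must have a known severity.
function withSeverity(entry, perCve) {
  for (const id of entry.cve) {
    if (!(id in perCve)) throw new Error(`missing severity for ${id}`);
  }
  return { ...entry, severity: highestSeverity(perCve) };
}

// Minimal schema check: required keys present, cve non-empty, severity valid.
function validateEntry(entry) {
  const required = ['cve', 'severity', 'vulnerable', 'patched', 'ref',
    'overview', 'affectedEnvironments'];
  const missing = required.filter((k) => !(k in entry));
  if (missing.length) return { ok: false, reason: `missing keys: ${missing.join(', ')}` };
  if (!Array.isArray(entry.cve) || entry.cve.length === 0) {
    return { ok: false, reason: 'cve must be a non-empty array' };
  }
  if (!(entry.severity in SEVERITY_RANK)) return { ok: false, reason: `bad severity: ${entry.severity}` };
  return { ok: true, reason: '' };
}

// Constructed entry modelled on 146.json from the issue; the second CVE id is
// a placeholder standing in for a "previous CVE" bundled with the new one.
const sampleEntry = {
  cve: ['CVE-2024-37372', 'CVE-EXAMPLE-0001'],
  vulnerable: '20.x || 22.x',
  patched: '^20.15.1 || ^22.4.1',
  ref: 'https://nodejs.org/en/blog/vulnerability/july-2024-security-releases/',
  overview: 'constructed overview text',
  affectedEnvironments: ['all'],
};
const sampleSeverities = { 'CVE-2024-37372': 'low', 'CVE-EXAMPLE-0001': 'medium' };
const sampleWithSeverity = withSeverity(sampleEntry, sampleSeverities);
console.log(JSON.stringify(sampleWithSeverity, null, 2));
```

Running it prints the entry with "severity": "medium", the higher of the two per-CVE levels; the entry without the field fails validateEntry.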

@RafaelGSS
Member

Fixed in #1374
