Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVSS 3 score mismatch errors shown later than other errors #1209

Open
ElectricNroff opened this issue Mar 15, 2024 · 1 comment
Open

CVSS 3 score mismatch errors shown later than other errors #1209

ElectricNroff opened this issue Mar 15, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@ElectricNroff
Copy link
Contributor

If POST /cve/:id/cna is used to submit a CNA container in which there is a CVSS 3 baseScore/BaseSeverity mismatch and also a second problem (e.g., no references), then the initial submission shows only the latter error. The former error is only shown after the CNA fixes the second problem and re-submits. In some cases, this makes it slower for a CNA to converge on a correct CNA container. (Only CVSS 3 is affected by this issue, not CVSS 4.) For example (here 10.0 is not supposed to be low, and there are no references),

{"cnaContainer":{"affected": [{"vendor": "v","product": "p",
"defaultStatus": "affected"}],
"descriptions": [{"lang": "en","value": "abc def ghi"}],
"metrics": [{"format": "CVSS","scenarios": [{"lang": "en","value": "GENERAL"}],
"cvssV3_1": {
    "baseScore": 10.0,
    "baseSeverity": "LOW",
    "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
    "version": "3.1"
}}]}}

outcome is:

{"error":"INVALID_JSON_SCHEMA","message":"CVE cnaContainer JSON schema validation FAILED.","details":
{"errors":[{"instancePath":"/cnaContainer","schemaPath":
"#/properties/cnaContainer/required","keyword":"required","params":
{"missingProperty":"references"},"message":"must have required property 'references'"}]}}

If the CNA partially corrects this to:

{"cnaContainer":{"affected": [{"vendor": "v","product": "p",
"defaultStatus": "affected"}],
"descriptions": [{"lang": "en","value": "abc def ghi"}],
"metrics": [{"format": "CVSS","scenarios": [{"lang": "en","value": "GENERAL"}],
"cvssV3_1": {
    "baseScore": 10.0,
    "baseSeverity": "LOW",
    "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
    "version": "3.1"
}}],
"references": [{"url": "https://example.com/r"}]}}

then the outcome is a long (but fully acceptable) error message about the various score mappings that were not satisfied:

{"error":"INVALID_JSON_SCHEMA","message":"CVE cnaContainer JSON schema validation FAILED.","details":
{"errors":[{"instancePath":"/containers/cna/metrics/0/cvssV3_1/baseScore",
"schemaPath":
"#/definitions/metrics/items/properties/cvssV4_0/definitions/noneScoreType/maximum",
[etc.]

This two-step situation occurs because score checks only occur during schema validation in src/controller/cve.controller/cve.controller.js whereas other checks (e.g., missing references) occur during the earlier schema validation in src/controller/cve.controller/index.js

This could perhaps be addressed by copying a few lines from src/middleware/schemas/CVE_JSON_5.1_bundled.json to src/middleware/schemas/5.1_published_cna_container.json
@jdaigneau5 jdaigneau5 moved this to Needs Triage in Issue Triage Jul 2, 2024
@jdaigneau5 jdaigneau5 added the bug Something isn't working label Oct 29, 2024
@jdaigneau5
Copy link
Collaborator

Dev Note: Need to confirm that this is fixed as a result of defd2b9

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
Issue Triage
Status: High Priority
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jdaigneau5 @ElectricNroff