Vulnerability with Unassigned Severity #2293
Comments
|
I just installed a local copy of Dependency Track v4.7 on my system (pre-built bundled container image) and replicated the same issue. Let the system settle with an sbom and its analysis...then populate Github Adv, Google OSV, and Sonatype. After it starts with the new analysis, some vulns go from high/critical to unassigned. |
|
Here is a sample package that went from all the vulnerabilities assigned (with NVD properly populated in the database) to the majority of them going into an unassigned mode.
Here's an example of a vulnerability identified by GitHub, with the CVSS3.0 severity listed on NVD. However, when you go to the NVD source (which used to have appropriate severity, it no longer has it.
Do you think its this code commit 96268b7
Looks like it just changes anything with an owasp risk rating of unassigned to Unassigned severity in NVD. Not sure why NVD info is being overwritten, but its definitely happening when you enable multiple sources of analyzers/vuln sources. |
|
Hey @melba-lopez , I'll look into it. |
|
FYI the commit you're referencing was only introduced in 4.7 and since your issue date back from 4.6.2, the source should be elsewhere. |
|
thanks @syalioune! First time looking at the actual code and trying to see where it could possibly be happening. I did not notice the versioning for the commit, so thanks for clarifying. |
|
I did a fresh install and I turned on the analyzers/vuln sources one by one. The only one I haven't turned on as of yet is GitHub Advisories. The number of unassigned has not changed, but vulns have gone up. So potentially its the GitHub Advisories source thats causing it to overwrite NVD data. |
|
Hello @melba-lopez, I wasn't able to reproduce 😕 and I don't see any path in the code where NVD data could be overwritten as you described (except from the NVD data mirroring). Some questions and some clarifications below to further the analysis Questions
select * from vulnerability where vulnid in ('CVE-2021-34552','GHSA-7534-mm45-c74v');
select * from vulnerabilityalias where cve_id = 'CVE-2021-34552' or ghsa_id = 'GHSA-7534-mm45-c74v';Clarifications
That is an entirely issue (enhancement) altogether. Current implementation only provide a way to link similar vulnerabilities based on vulnerability intelligence data. Dependency Track does not correlate severity among aliases (see #1642). I kindly suggest to create a distinct issue to log that specific enhancement request. |
|
Hi @syalioune all great questions! The Pillow "fresh install" example and the screenshots in that post was green field (no volumes no containers existed before) on my laptop of 4.7.0 using these 2 commands posted on the website: https://dependencytrack.org/#download I see the same behaviour on the 4.6.3 DT Env with Sep DB, but what is more troubling is that you see it try to correct itself every so often (i.e. NVD severities may be updated in the db) but then it immediately goes to unassigned (see screenshot below). Again weird behaviour, but I've managed to replicate it in 3 different environments with 3 different versions and 3 different deployment configurations. I will try to answer the remaining this evening. (Hoping to do a recording showing a fresh-install and replicate in the video) |
Will do!
I destroyed the instance when i did a new deployment so I can't provide answers for these :( REPRODUCED 2X via GoogleOSV (see details below)I mistakenly thought it was GitHub Adivsories because of the aliasing. However, it looks like it. happens when Google OSV is enabled (which I know is in Beta --- so I def won't turn it on again ;-) ). But, its still odd that it overrides NVD data. I've taken 3 videos. Each video has its own label of which "deployment" and what is enabled. |
|
Thanks for the video, it was super helpful 👍 You're indeed right, the issue that you observe are all due to The vulnerability update logic should be updated to not erase existing data if the vulnerability source is missing some attributes Going into details with
curl --location --request POST 'https://ossindex.sonatype.org/api/v3/component-report' --header 'Authorization: Basic xyz' --header 'Content-Type: application/json' --data-raw '{"coordinates": ["pkg:pypi/[email protected]"]}'
[
{
"coordinates":"pkg:pypi/[email protected]",
"reference":"https://ossindex.sonatype.org/component/pkg:pypi/[email protected]?utm_source=postmanruntime&utm_medium=integration&utm_content=7.30.0",
"vulnerabilities":[
{
"id":"CVE-2021-34552",
"displayName":"CVE-2021-34552",
"title":"[CVE-2021-34552]CWE-120:BufferCopywithoutCheckingSizeofInput('ClassicBufferOverflow')",
"description":"Pillowthrough8.2.0andPIL(akaPythonImagingLibrary)through1.1.7allowanattackertopasscontrolledparametersdirectlyintoaconvertfunctiontotriggerabufferoverflowinConvert.c.",
"cvssScore":9.8,
"cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe":"CWE-120",
"cve":"CVE-2021-34552",
"reference":"https://ossindex.sonatype.org/vulnerability/CVE-2021-34552?component-type=pypi&component-name=pillow&utm_source=postmanruntime&utm_medium=integration&utm_content=7.30.0",
"externalReferences":[
"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34552",
"https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow",
"https://github.com/python-pillow/Pillow/commit/d254e581a1f97c52b3796ddb48d09b48bd16d446",
"https://github.com/python-pillow/Pillow/pull/5567"
]
}
]
}
]
The following resource is used when parsing OSV data from ecosystem You can see that this vulnerability item from |
|
thanks @syalioune for verifying. Is there a reason why any 1 source of vulnerability data would override another? Shouldn't they be completely independent unless adding an alias? Also, I'm sure you saw in the video that the vulns come up duplicated (even though the aliasing is the same). There's a disadvantage for the end users because they want to catch everything possible. However, if they turn everything on then they get tons of duplicates, which causes too much overhead. I know its not there now, but I think it would be great if the project incorporates this logic to allow for all vulnerabilities to be discovered. I've seen an instance where NVD doesn't catch everything, but another source (like OSS Index) catches something extra. |
I guess i'd have to do with the fact that
Yes, there's already #1994 to log that enhancement |
|
Thanks for the analysis @syalioune! OSS Index can only create a CVE vulnerability if it doesn't already exist in DT's local database yet. If it does exist, OSS Index does not modify it. Until we have a good solution to track different vulnerability properties from multiple sources, the data from the authoritative source should always take precedence (for CVE: NVD, for GHSA: GitHub). It looks like for OSV there is currently no check of whether a given vulnerability was created by a different source, and if that source is still enabled. If both conditions are true, OSV should not update the vulnerability details. |
|
@nscuro @syalioune do you happen to know which release these are targeted for? Would love to help if you need a tester ;-) |
|
I can provide a fix by end of this week. I believe it could be available at the very last on 4.8.0 |
…oritative source is enabled DependencyTrack#2293 Signed-off-by: syalioune <[email protected]>
|
@melba-lopez I've made the PR. |
…oritative source is enabled DependencyTrack#2293 Signed-off-by: syalioune <[email protected]>
|
hi @syalioune , i'm interested in testing out the fix with your docker image i tried to run it with the following commands then checked localhost:8080, but instead of seeing the UI I only see this page: any advice on how to run your docker image? thank you |
|
@leec94 The docs will be helpful when trying to run DT: https://docs.dependencytrack.org/getting-started/deploy-docker/ |
|
thanks. i did look at those in trying to run - i'm following "Quickstart (Manual Execution)" steps in my message above. i also tried changing the docker-compose to use the image but it said the version was invalid. which set of steps do you recommend for running the changes in image |
|
Probably something like Not sure if everything is 100% in sync between latest frontend and the fix-2293 images. |
|
I was able to run the changes successfully, thanks for the help! In running @melba-lopez 's sample SBOM, it does look like with the implemented fix that no vulnerabilities are being marked back to "unassigned" severity when OSV is turned on. In my tests, with screenshots below, there are critical vulnerabilities seen when OSV is off, and when it's turned back on the critical vulnerabilities are still there. One other thing I did notice was that when I first imported the SBOM, Sonatype + NVD + Github + OSV was on, and the vulnerability results didn't have the critical vulnerabilities appear, the results looked like the results from @melba-lopez 's video after OSV was turned on. It was only after turning off OSV that the critical vulnerabilities appeared. Is this a known issue? The NVD data should still populate, but looks like it's being affected by OSV data too. With pictures, hope this helps:
|
It can be that your Github database mirroring was still ongoing and was uncomplete at the time you performed the first analysis. I just tested again on my local workstation and vulnerabilities like |
|
that's a good point. i'll try it again and keep an eye on the logs to make sure the GH DB completes. thanks! |
|
After letting it load for longer, the Github vulnerabilities did show up, so everything is all set then. Thanks for the help! |
|
This appears to be resolved, thanks all for the collaboration and special thanks to @syalioune for fixing! |
|
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Current Behavior
I've been seeing some odd issues with an instance of DT lately, where previously imported CVEs with appropriate CVSS Scores are no longer reporting them.
I went through the logs of dependency track and validated that it was consistently getting data properly for the nvd feeds. I went as far as downloading the actual file and validating in the json that the base, severity,and exploitability score were there. After further investigating in another instance of DT (Env B), I noticed that it is backlevel and only has NVD enabled. It is not having these issues and is reporting CVEs properly.
Env A: 4.6.3 DT + OSS Index + NVD + GH Advisories + OSV
Here's an example where the same vulnerability (even with aliasing to eachother) has one showing up as "unassigned severity"
Env B: 4.6.1 DT + NVD
Steps to Reproduce
Expected Behavior
Regardless of how many analyzers we enable, DT should be able to
Dependency-Track Version
4.6.2
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
13
Browser
N/A
Checklist
The text was updated successfully, but these errors were encountered: