Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

NVDCVE database has over-broad CPE entries - option to suppress?

See original GitHub issue

Current Behavior:

This is a bom with bash 5.0.16 as a component, in cpe 2.3 format:

<?xml version="1.0" encoding="UTF-8"?><bom xmlns="http://cyclonedx.org/schema/bom/1.2" serialNumber="urn:uuid:B4DA0FD8-094B-4BE3-B4A1-09C8FA389689" version="1"><components>
<component type="application"><name>bash</name><version>5.0.16</version><cpe>cpe:2.3:a:gnu:bash:5.0.16:*:*:*:*:*:*:*</cpe></component>
</components></bom>

DT shows this is vulnerable to CVE-2016-9401. Apparently the string cpe:2.3:a:gnu:bash:*:*:*:*:*:*:*:* matches all versions of bash, for all time.

A similar CPE can be found in CVE-2016-7543, but it’s not matched because of the "versionEndIncluding": "4.3" entry.

Proposed Behavior:

CVE-2016-9401 appears to be a false positive, which are poison for security monitoring systems: users become conditioned to ignore alerts.

Initially I was thinking of manually suppressing this match, but then found more of these over-broad CPE entries, and felt that this wouldn’t scale.

Could there be an option to detect these over-broad CPE entries, and ignore them if they’re over a year old? E.g. CVE-2018-* and older (assuming this is 2020)?

Here’s a jq script to identify CVEs that have this problem:

cat nvdcve-1.1-*.json  | jq -r '
  .CVE_Items[]
    | (.cve.CVE_data_meta.ID) as $id
    | .configurations.nodes[]
    | select(.cpe_match)
    | .cpe_match[]
    | select(.cpe23Uri | test("cpe:2[.]3:a:[^:]*:[^:]*:[*]"))
    | select(.vulnerable)
    | select(tojson | test("versionEnd") | not)
    | ["https://nvd.nist.gov/vuln/detail/\($id)",tojson]
    | @tsv
    '

There are 6174 of them as of today: cve-list.txt

If you change it to “cpe:2[.]3:[^:]:[^:]:[^:]:[]” (i.e. not just ‘a’ = ‘apps’), you get 17746.

Issue Analytics

State:
Created 3 years ago
Comments:6 (3 by maintainers)

Top GitHub Comments

2reactions

PenelopeFuddcommented, Jun 15, 2020

PS: I emailed nvd@nist.gov, and they fixed it:

Good afternoon,

Thank you for bringing this to our attention. We appreciate community input in order to provide the most accurate and up-to-date information as possible. We use the wildcard ‘*’ in the affected version component of the CPE URI when all versions of a product are affected, however, after reviewing this information, all versions are not affected. The vendor does not state which versions are affected, so we have made the appropriate modifications to CVE-2016-9401 to reflect that unknown versions are affected, represented by ‘-‘ in the affected version component of the CPE URI. Please allow up to 24 hours for the changes to be reflected on the website and in the data feeds.

V/r, National Vulnerability Database Team

1reaction

PenelopeFuddcommented, Jun 12, 2020

Incidentally, here’s a script to generate a bom.xml file from the list of packages installed with ‘brew’ on a Mac:

gawk '
  match($0,"cpe:2.3:a:([^:]*):([^:]*):",a){out[a[2]" "a[1]]=1};
  END{for(n in out){print n}}
' nvdcve-1.1-*.json | sort > program-to-provider.txt

join -a1 <(brew list --versions) program-to-provider.txt \
  | gawk -vuuid=$(uuidgen) '
      BEGIN{print "<?xml version=\x221.0\x22 encoding=\x22UTF-8\x22?><bom xmlns=\x22http://cyclonedx.org/schema/bom/1.2\x22 serialNumber=\x22urn:uuid:"uuid"\x22 version=\x221\x22><components>"};

 {printf "<component type=\x22application\x22><name>%s</name><version>%s</version><cpe>cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*</cpe></component>\n",$1,$2,$3,$1,$2};

   END{print "</components></bom>"}
' > bom-macos-brew.xml