Suse scores importer should support version 4 #1592

Open
nnobelis opened this issue Sep 16, 2024 · 8 comments

Comments

@nnobelis

Given a sample Suse score https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml:

CVE-2024-35255:
  cvss:
    - version: 3.1
      score: 5.5
      vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    - version: 4
      score: 6.8
      vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

The version 4 cvss is not imported because the importer does not support version 4:

systems_by_version = {
    "2.0": severity_systems.CVSSV2,
    "3": severity_systems.CVSSV3,
    "3.1": severity_systems.CVSSV31,
}

Additional questions:

Our VulnerableCode instance contains some weird values for this source:

(screenshot)

  1. Can the cvssv2 and cvssv3 be old values from previous imports?
  2. Why does the cvssv3.1 have a score of 0?
  3. We noticed the public instance does not list suse.com as a source. Should we disable this importer?
    https://public.vulnerablecode.io/vulnerabilities/VCID-p3vk-v2au-aaaa?search=CVE-2024-35255
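To show how the quoted mapping drops the version 4 entry, here is an added example (not VulnerableCode's importer code) that walks the parsed form of the yaml excerpt above and reports what a given `systems_by_version` mapping keeps and what it silently loses; the `cvssv*` system identifiers and the extended mapping are placeholders, not the project's `severity_systems` constants.

```python
"""Map SUSE cvss entries to severity systems, version 4 included."""

# Parsed form of the suse-cvss-scores.yaml excerpt quoted in the issue, as
# yaml.safe_load returns it (constructed inline so this runs without PyYAML).
# YAML yields ``3.1`` as a float and ``4`` as an int, so the version has to be
# normalised to a string before it can be used as a mapping key.
SUSE_SCORES = {
    "CVE-2024-35255": {
        "cvss": [
            {"version": 3.1, "score": 5.5,
             "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},
            {"version": 4, "score": 6.8,
             "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},
        ]
    }
}

# Mapping as quoted from the importer in the issue: no entry for version 4.
# The system identifiers are placeholder strings, not VulnerableCode's own
# severity_systems constants.
SYSTEMS_BEFORE = {"2.0": "cvssv2", "3": "cvssv3", "3.1": "cvssv3.1"}
# Hypothetical extended mapping: both spellings SUSE could emit for v4.
SYSTEMS_AFTER = {**SYSTEMS_BEFORE, "4": "cvssv4", "4.0": "cvssv4"}


def collect_severities(scores, systems_by_version):
    """Return the (cve, system, score, vector) tuples the mapping recognises,
    plus a list of (cve, version) entries that would otherwise be dropped silently."""
    collected, dropped = [], []
    for cve, data in scores.items():
        for entry in data.get("cvss", []):
            key = str(entry["version"])            # 3.1 -> "3.1", 4 -> "4"
            system = systems_by_version.get(key)
            vector = entry["vector"]
            # Sanity check: a "CVSS:x.y/" prefix must agree with the declared version.
            prefix = vector.split("/", 1)[0]
            consistent = (not prefix.startswith("CVSS:")
                          or prefix[5:] in (key, key + ".0"))
            if system is None or not consistent:
                dropped.append((cve, key))
                continue
            collected.append((cve, system, float(entry["score"]), vector))
    return collected, dropped


if __name__ == "__main__":
    for name, mapping in (("before", SYSTEMS_BEFORE), ("after", SYSTEMS_AFTER)):
        kept, lost = collect_severities(SUSE_SCORES, mapping)
        print(name, "kept:", [(s, sc) for _, s, sc, _ in kept], "dropped:", lost)
```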
@keshav-space
Member

> The version 4 cvss is not imported because the importer does not support version 4:

@ziadhany has recently added support for CVSSv4 in #1473, and we need to make sure we collect them in each importer.

> 1. Can the cvssv2 and cvssv3 be old values from previous imports?

Suse doesn't have CVSSv2 and CVSSv3 scores for CVE-2024-35255. This could be coming from other importer(s). Can you confirm this in the History tab in your local VCIO instance?

> 2. Why does the cvssv3.1 have a score of 0?

This looks like a bug, either in the data or in the importer itself. We would need the history to confirm it.

> 3. We noticed the public instance does not list suse.com as a source. Should we disable this importer?
> https://public.vulnerablecode.io/vulnerabilities/VCID-p3vk-v2au-aaaa?search=CVE-2024-35255

We do run the suse_scores importer in our public.vulnerablecode.io instance, but we haven't run our importers in the last few weeks since we were fixing some data quality bugs. That's why we don't see the Suse scores for CVE-2024-35255, which is fairly recent (we're running the importers now, so we should get the Suse scores in the coming days).

keshav-space changed the title from "Suce scores importer should support version 4" to "Suse scores importer should support version 4" on Sep 17, 2024
@nnobelis
Author

> Suse doesn't have CVSSv2 and CVSSv3 scores for CVE-2024-35255. This could be coming from other importer(s). Can you confirm this in the History tab in your local VCIO instance?

> This looks like a bug, either in the data or in the importer itself. We would need the history to confirm it.

Unfortunately, the history tab for CVE-2024-35255 is empty in our VulnerableCode instance 😞

@keshav-space
Member

> Unfortunately, the history tab for CVE-2024-35255 is empty in our VulnerableCode instance 😞

This doesn't feel right. Can you share which version/commit of VulnerableCode you're running locally?

@nnobelis
Author

(screenshot)

Hmm, I checked again today and the "0" is gone, but the cvssv2 and cvssv3 scores are still there.

We are using version v34.0.0rc4.

@keshav-space
Member

We started our importers yesterday, and today we do have a suse score for CVE-2024-35255 in our public VCIO instance. The CVSSv3.1 corresponds to what is provided in https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml.

Screenshot from 2024-09-18 21-17-20

@nnobelis
Author

nnobelis commented Sep 19, 2024

You get the entries for cvssv2 and cvssv3 too! Any idea why?

@keshav-space
Member

> You get the entries for cvssv2 and cvssv3 too! Any idea why?

@nnobelis Thanks for reporting this. It took some time to reproduce the issue, and after much digging it turns out this is a bug.

The bug is in how we handle the VulnerabilityReference. Each VulnerabilityReference has a URL that is set to be unique. The hierarchical relationship is Vulnerability → VulnerabilityReference → VulnerabilitySeverity. To store a severity for a vulnerability, we create a VulnerabilityReference (using the source URL of the score) and then create a VulnerabilitySeverity (with the severity details and a ForeignKey relationship to the VulnerabilityReference created earlier). Since the URL field is set to unique, things get complicated in the case of SUSE, as all the scores come from the same URL, i.e. "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml". This results in a single SUSE VulnerabilityReference linked to all vulnerabilities, which leads to the same set of SUSE severity scores for all vulnerabilities.

See the SUSE scores for CVE-2023-33204 and CVE-2024-35255: they are identical.

Screenshot from 2024-09-23 14-01-15
Screenshot from 2024-09-23 14-01-02
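The reference-sharing effect described above, as an added illustration that is not VulnerableCode's code: a minimal in-memory stand-in for the Vulnerability → VulnerabilityReference → VulnerabilitySeverity tables, loaded once with the reference unique on URL alone (the reported behaviour) and once with a hypothetical per-vulnerability key. The CVE-2023-33204 score below is a constructed placeholder; only the CVE-2024-35255 scores come from the issue.

```python
"""Why a URL-unique VulnerabilityReference merges SUSE severities across CVEs."""
from collections import defaultdict

SUSE_URL = "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"

# Constructed input: the CVE-2024-35255 scores are the ones in the issue, the
# CVE-2023-33204 score is a placeholder value used only to tell the rows apart.
SUSE_INPUT = [
    ("CVE-2024-35255", "cvssv3.1", 5.5),
    ("CVE-2024-35255", "cvssv4", 6.8),
    ("CVE-2023-33204", "cvssv3.1", 7.8),  # placeholder score
]


class Store:
    """Minimal stand-in for Vulnerability -> VulnerabilityReference -> VulnerabilitySeverity.
    ``reference_key`` plays the role of the unique constraint on the reference table."""

    def __init__(self, reference_key):
        self.reference_key = reference_key
        self.vuln_refs = defaultdict(set)       # vulnerability -> reference keys
        self.ref_severities = defaultdict(set)  # reference key -> {(system, score)}

    def add_severity(self, vuln, url, system, score):
        ref = self.reference_key(vuln, url)     # get_or_create on the unique key
        self.vuln_refs[vuln].add(ref)           # link the reference to this vulnerability
        self.ref_severities[ref].add((system, score))

    def severities_for(self, vuln):
        """What the UI shows: every severity reachable via the vulnerability's references."""
        return sorted(sev for ref in self.vuln_refs[vuln] for sev in self.ref_severities[ref])


def load(store):
    for vuln, system, score in SUSE_INPUT:
        store.add_severity(vuln, SUSE_URL, system, score)
    return store


# Reported behaviour: the reference is unique on URL alone, so every vulnerability
# with a SUSE score shares the single row and therefore every SUSE severity.
buggy = load(Store(lambda vuln, url: url))
# One possible remedy (hypothetical, not the project's fix): scope the reference
# key to the vulnerability it was created for.
fixed = load(Store(lambda vuln, url: (vuln, url)))

if __name__ == "__main__":
    for cve in ("CVE-2024-35255", "CVE-2023-33204"):
        print(cve, "buggy:", buggy.severities_for(cve), "fixed:", fixed.severities_for(cve))
```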

@nnobelis
Author

Great find, thanks for looking into this!
