CVEs getting reported for git hash, which have been resolved #2183

Open
yashrsharma44 opened this issue May 8, 2024 · 2 comments
Labels
data quality Issues with data quality

Comments

@yashrsharma44

Describe the bug
Hi Team,

I am playing with the https://api.osv.dev/v1/vulns/CVE-2016-0728 endpoint for getting the git hashes which contain the fix for CVE-2016-0728. I tried to list the vulnerabilities of the kernel repository containing the git hash ffc253263a1375a65fa6c9f62a893e9767fbebfa using the following command:

~ curl -d '{
    "commit": "ffc253263a1375a65fa6c9f62a893e9767fbebfa",
    "package": {
        "name": "Kernel",
        "ecosystem": "Linux"
    }
}' "https://api.osv.dev/v1/query"  | jq '.vulns | .[] | .id'

"CVE-2016-0728"
"CVE-2016-1583"
"CVE-2016-4805"
"CVE-2016-4913"
"CVE-2016-4997"
"CVE-2017-18017"
"CVE-2018-10675"
"CVE-2018-1068"
"CVE-2018-10926"
"CVE-2018-10927"
"CVE-2018-10928"
"CVE-2018-10929"
"CVE-2018-10930"
"CVE-2018-16871"
"CVE-2018-1751"
"CVE-2019-15902"
"CVE-2019-18282"
"CVE-2019-3876"
"CVE-2020-11884"
"CVE-2020-13143"
"CVE-2020-9391"
"CVE-2021-26932"
"CVE-2021-28039"
"CVE-2021-44142"
"CVE-2022-22954"
"CVE-2023-51780"
"CVE-2023-51781"
"CVE-2023-51782"
"CVE-2023-6915"

As CVE-2016-0728 is reported as one of the vulnerabilities, I see that the fix has already been applied in an earlier patch, 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2, which can be confirmed by checking that it is an ancestor of ffc253263a1375a65fa6c9f62a893e9767fbebfa (the commit hash for the v6.6 tag in the kernel repository). So I am wondering whether the feed should return this vulnerability for the given commit hash?

To Reproduce
Described above
Expected behaviour
The vuln should not be reported.

Screenshots
N/A
Additional context
N/A

@andrewpollock andrewpollock added the data quality Issues with data quality label May 9, 2024
@oliverchang
Collaborator

Thanks for the report!

It looks like the problem is that https://osv.dev/vulnerability/CVE-2016-0728 has an unbounded range with its first range:

      "ranges": [
        {
          "type": "GIT",
          "repo": "http://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git",
          "events": [
            {
              "introduced": "19f949f52599ba7c3f67a5897ac6be14bfcb1200"
            },
            {
              "introduced": "64291f7db5bd8150a74ad2036f1037e6a0428df2"
            },
            {
              "introduced": "afd2ff9b7e1b367172f18ba7f693dfb62bdcb2dc"
            }
          ]
        },

Regardless of the fix commits encoded in the other range entries, this means that all commits after these are considered vulnerable.

@andrewpollock is there a way we can fix this up? How did we derive these introduced commits in the first place? Through tag matching? Should we skip the tag matching in the case where we can extract a commit from the reference links?

@andrewpollock
Contributor

Some notes for future reference:

from https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2016-0728

{
  "cpeMatch": [
    {
      "vulnerable": true,
      "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
      "versionStartIncluding": "3.8",
      "versionEndExcluding": "3.10.95",
      "matchCriteriaId": "EBA7B5CE-5867-4F25-9513-DB28B00EA345"
    },
    {
      "vulnerable": true,
      "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
      "versionStartIncluding": "3.11",
      "versionEndExcluding": "3.12.53",
      "matchCriteriaId": "F7AF3AA1-D6B8-4473-A781-740F7AC7A81F"
    },
    {
      "vulnerable": true,
      "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
      "versionStartIncluding": "3.13",
      "versionEndExcluding": "3.14.59",
      "matchCriteriaId": "B8AC651B-877B-40A1-B0FB-E13C039FBBCF"
    },
    {
      "vulnerable": true,
      "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
      "versionStartIncluding": "3.15",
      "versionEndExcluding": "3.16.35",
      "matchCriteriaId": "7DC4BA70-B111-4D2E-BC78-6601CED68F08"
    },
    {
      "vulnerable": true,
      "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
      "versionStartIncluding": "3.17",
      "versionEndExcluding": "3.18.26",
      "matchCriteriaId": "152B915A-F9A5-4DB5-B0B3-DBF5F092773B"
    },
    {
      "vulnerable": true,
      "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
      "versionStartIncluding": "3.19",
      "versionEndExcluding": "4.1.16",
      "matchCriteriaId": "F829E177-AAF1-4509-964D-48DA8AE2C8BC"
    },
    {
      "vulnerable": true,
      "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
      "versionStartIncluding": "4.2",
      "versionEndExcluding": "4.3.4",
      "matchCriteriaId": "B6B89F94-302A-4313-8FE5-E3C43BD4271E"
    },
    {
      "vulnerable": true,
      "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
      "versionStartIncluding": "4.4",
      "versionEndExcluding": "4.4.1",
      "matchCriteriaId": "E5E05934-78CB-49ED-A2B3-1B4CBCB648AB"
    }
  ]
}

19f949f52599ba7c3f67a5897ac6be14bfcb1200 is from versionStartIncluding; versionEndExcluding failed to resolve. It doesn't look like a legitimate kernel version, based on https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/refs/

{
      "vulnerable": true,
      "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
      "versionStartIncluding": "3.8",
      "versionEndExcluding": "3.10.95",
      "matchCriteriaId": "EBA7B5CE-5867-4F25-9513-DB28B00EA345"
},

64291f7db5bd8150a74ad2036f1037e6a0428df2 is from versionStartIncluding; versionEndExcluding failed to resolve. It doesn't look like a legitimate kernel version, based on https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/refs/

    {
      "vulnerable": true,
      "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
      "versionStartIncluding": "4.2",
      "versionEndExcluding": "4.3.4",
      "matchCriteriaId": "B6B89F94-302A-4313-8FE5-E3C43BD4271E"
    },

afd2ff9b7e1b367172f18ba7f693dfb62bdcb2dc is from versionStartIncluding; versionEndExcluding failed to resolve. It doesn't look like a legitimate kernel version, based on https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/refs/

    {
      "vulnerable": true,
      "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
      "versionStartIncluding": "4.4",
      "versionEndExcluding": "4.4.1",
      "matchCriteriaId": "E5E05934-78CB-49ED-A2B3-1B4CBCB648AB"
    }

I think the current checking for unbounded ranges is too simplistic, and for this particular record is being satisfied by other ranges in the list being closed. I will completely exclude ranges where there has been fixed or last_affected version resolution failure.
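
The two comments above describe one mechanism: a GIT range whose events contain only `introduced` commits (because `versionEndExcluding` never resolved to a `fixed` commit) is unbounded, so every descendant commit, including v6.6, matches. The following Python model is an added example and not osv.dev's code; the commit ancestry is constructed around the three hashes quoted in this issue, and it contrasts the naive evaluation with the hardened rule of ignoring ranges whose `fixed`/`last_affected` resolution failed.

```python
# Added example (not osv.dev's code): how a GIT range with only `introduced`
# events becomes unbounded and flags every later commit, and how skipping
# ranges that lack a resolved fixed/last_affected event removes the false
# positive. The hashes are the ones quoted in this issue; the commit graph
# and its short labels are constructed, not fetched from kernel.org.
INTRODUCED = "19f949f52599ba7c3f67a5897ac6be14bfcb1200"  # resolved from 3.8
FIX = "23567fd052a9abb6d67fe8e7a9ccdd9800a540f2"         # fixes CVE-2016-0728
QUERIED = "ffc253263a1375a65fa6c9f62a893e9767fbebfa"     # v6.6

# Constructed linear history: commit -> parent (None marks the root).
PARENTS = {"root": None, INTRODUCED: "root", "mid": INTRODUCED,
           FIX: "mid", "later": FIX, QUERIED: "later"}

# Range 0 mirrors the unbounded range from the record (introduced only);
# range 1 is a constructed bounded range carrying the real fix commit.
RANGES = [
    {"type": "GIT", "events": [{"introduced": INTRODUCED}]},
    {"type": "GIT", "events": [{"introduced": INTRODUCED}, {"fixed": FIX}]},
]


def is_ancestor(ancestor, commit):
    """Walk parent links from `commit`; True if `ancestor` is reached."""
    while commit is not None:
        if commit == ancestor:
            return True
        commit = PARENTS[commit]
    return False


def is_bounded(events):
    """A range is bounded only if some event closes it."""
    return any("fixed" in e or "last_affected" in e for e in events)


def range_affects(events, commit):
    """Simplified GIT range semantics: affected if some `introduced` is an
    ancestor of `commit` and no `fixed` is (last_affected not modelled)."""
    opened = any(is_ancestor(e["introduced"], commit)
                 for e in events if "introduced" in e)
    closed = any(is_ancestor(e["fixed"], commit) for e in events if "fixed" in e)
    return opened and not closed


def record_affects(ranges, commit, skip_unbounded=False):
    """Naive: any matching range flags the commit. Hardened (skip_unbounded):
    ranges whose closing event never resolved are ignored, as the fix in
    this issue does, so only the bounded range decides."""
    return any(range_affects(r["events"], commit) for r in ranges
               if not (skip_unbounded and not is_bounded(r["events"])))
```

With the naive rule the v6.6 commit is flagged through range 0 even though the fix is its ancestor; with `skip_unbounded=True` only range 1 is consulted and v6.6 is correctly not affected, while a commit between the introduction and the fix still is.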

andrewpollock added a commit to andrewpollock/osv.dev that referenced this issue May 22, 2024
Look at an AffectedVersion's resolution in totality before using any of
the commits resolved to avoid situations like in google#2183 where the
`introduced` versions were resolved to commits but the `fixed` versions
were not, resulting in false positives.
@andrewpollock andrewpollock self-assigned this May 22, 2024
andrewpollock added a commit that referenced this issue May 23, 2024
Look at an `AffectedVersion`'s resolution in totality before using any
of the commits resolved to avoid situations like in #2183 where the
`introduced` versions were resolved to commits but the `fixed` versions
were not, resulting in false positives.

Revise how overlapping commit ranges are detected to account for this.

Improves the conversion story for at least:
* CVE-2018-5407 (removes false-positive ranges and corrects invalid
range generation)
* CVE-2021-23840 (removes false-positive ranges and corrects invalid
range generation)
* CVE-2022-0778 (removes false-positive ranges and corrects invalid
range generation)