-
Notifications
You must be signed in to change notification settings - Fork 174
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVEs getting reported for git hash, which have been resolved #2183
Comments
Thanks for the report! It looks like the problem is that https://osv.dev/vulnerability/CVE-2016-0728 has an unbounded range with its first range:
Regardless of the fix commits encoded in the other range entries, this means that all commits after these are considered vulnerable. @andrewpollock is there a way we can fix this up? How did we derive these introduced commits in the first place? Through tag matching? Should we skip the tag matching in the case where we can extract a commit from the reference links? |
Some notes for future reference: from https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2016-0728
19f949f52599ba7c3f67a5897ac6be14bfcb1200 is from
64291f7db5bd8150a74ad2036f1037e6a0428df2 is from
afd2ff9b7e1b367172f18ba7f693dfb62bdcb2dc is from
I think the current checking for unbounded ranges is too simplistic, and for this particular record is being satisfied by other ranges in the list being closed. I will completely exclude ranges where there has been |
Look at an AffectedVersion's resolution in totality before using any of the commits resolved to avoid situations like in google#2183 where the `introduced` versions were resolved to commits but the `fixed` versions were not, resulting in false positives.
Look at an `AffectedVersion`'s resolution in totality before using any of the commits resolved to avoid situations like in #2183 where the `introduced` versions were resolved to commits but the `fixed` versions were not, resulting in false positives. Revise how overlapping commit ranges are detected to account for this. Improves the conversion story for at least: * CVE-2018-5407 (removes false-positive ranges and corrects invalid range generation) * CVE-2021-23840 (removes false-positive ranges and corrects invalid range generation) * CVE-2022-0778 (removes false-positive ranges and corrects invalid range generation)
Describe the bug
Hi Team,
I am playing with the https://api.osv.dev/v1/vulns/CVE-2016-0728 endpoint for getting git hashes, which contains the fix for
CVE-2016-0728
. I had tried to en-list the vulnerabilities of the kernel repositories containing the git-hash -ffc253263a1375a65fa6c9f62a893e9767fbebfa
using the following command -As
CVE-2016-0728
is getting reported as one of the vulnerabilities, I see that the fix has already been applied as a previous patch as23567fd052a9abb6d67fe8e7a9ccdd9800a540f2
which can be confirmed by checking that it is an ancestor of "ffc253263a1375a65fa6c9f62a893e9767fbebfa
(which is commit-hash for v6.6 tag in kernel repository)", so I am wondering, if the feed should return this vulnerability for the given commit-hash?To Reproduce
Described above
Expected behaviour
The vuln should not be reported.
Screenshots
N/A
Additional context
N/A
The text was updated successfully, but these errors were encountered: