From 625c3c96db478967137343fa0441e4ece8e8862f Mon Sep 17 00:00:00 2001
From: Tatiana Bradley
Date: Wed, 6 Dec 2023 16:53:26 -0500
Subject: [PATCH] internal/report: make check for Go CNA more robust in cve-to-report

Instead of checking if the CVE is for a first party module, check directly who assigned the CVE. That way we can decide correctly when to populate "cve_metadata" vs. "cves".

Change-Id: Ic2ff5fbf0f380b2ae77decc290a341c888624e97
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/547976
LUCI-TryBot-Result: Go LUCI
Reviewed-by: Damien Neil
---
 internal/report/cve.go | 39 ++++++++++++++-----
 .../cve/TestCVE5ToReport/CVE-2020-9283.txtar | 5 +--
 .../cve/TestCVE5ToReport/CVE-2021-27919.txtar | 5 +--
 .../cve/TestCVE5ToReport/CVE-2021-3115.txtar | 5 +--
 .../cve/TestCVE5ToReport/CVE-2023-29407.txtar | 2 +-
 .../cve/TestCVE5ToReport/CVE-2023-45283.txtar | 2 +-
 .../cve/TestCVE5ToReport/CVE-2023-45285.txtar | 2 +-
 .../cve/TestCVE5ToReport/CVE-2023-45286.txtar | 5 ++-
 .../cve/TestCVEToReport/CVE-2020-9283.txtar | 5 +--
 .../cve/TestCVEToReport/CVE-2021-27919.txtar | 5 +--
 .../cve/TestCVEToReport/CVE-2021-3115.txtar | 5 +--
 .../cve/TestCVEToReport/CVE-2023-29407.txtar | 2 +-
 .../cve/TestCVEToReport/CVE-2023-45283.txtar | 2 +-
 .../cve/TestCVEToReport/CVE-2023-45285.txtar | 2 +-
 .../cve/TestCVEToReport/CVE-2023-45286.txtar | 5 ++-
 15 files changed, 53 insertions(+), 38 deletions(-)

diff --git a/internal/report/cve.go b/internal/report/cve.go
index c8d23005..b2b4ecc2 100644
--- a/internal/report/cve.go
+++ b/internal/report/cve.go
@@ -81,22 +81,30 @@ func cveToReport(c *cveschema.CVE, id, modulePath string) *Report {
 Credits: credits,
 References: refs,
 }
- r.addCVE(c.Metadata.ID, modulePath)
+ r.addCVE(c.Metadata.ID, getCWE(c), isGoCNA(c))
 return r
 }
 
-func (r *Report) addCVE(cveID, modulePath string) {
- // New standard library and x/ repo CVEs are likely maintained by
- // the Go CNA.
- if stdlib.IsStdModule(modulePath) || stdlib.IsCmdModule(modulePath) ||
- stdlib.IsXModule(modulePath) {
+func getCWE(c *cveschema.CVE) string {
+ if len(c.ProblemType.Data) == 0 || len(c.ProblemType.Data[0].Description) == 0 {
+ return ""
+ }
+ return c.ProblemType.Data[0].Description[0].Value
+}
+
+func isGoCNA(c *cveschema.CVE) bool {
+ return c.Assigner == "security@golang.org"
+}
+
+func (r *Report) addCVE(cveID, cwe string, isGoCNA bool) {
+ if isGoCNA {
 r.CVEMetadata = &CVEMeta{
 ID: cveID,
- CWE: "TODO",
+ CWE: cwe,
 }
- } else {
- r.CVEs = append(r.CVEs, cveID)
+ return
 }
+ r.CVEs = append(r.CVEs, cveID)
 }
 
 func CVE5ToReport(c *cveschema5.CVERecord, id, modulePath string, pc *proxy.Client) *Report {
@@ -163,6 +171,17 @@ func cve5ToReport(c *cveschema5.CVERecord, id, modulePath string) *Report {
 References: refs,
 }
 
- r.addCVE(c.Metadata.ID, modulePath)
+ r.addCVE(c.Metadata.ID, getCWE5(&cna), isGoCNA5(&cna))
 return r
 }
+
+func getCWE5(c *cveschema5.CNAPublishedContainer) string {
+ if len(c.ProblemTypes) == 0 || len(c.ProblemTypes[0].Descriptions) == 0 {
+ return ""
+ }
+ return c.ProblemTypes[0].Descriptions[0].Description
+}
+
+func isGoCNA5(c *cveschema5.CNAPublishedContainer) bool {
+ return c.ProviderMetadata.OrgID == GoOrgUUID
+}
diff --git a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2020-9283.txtar b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2020-9283.txtar
index c09c5f3d..9a1a7045 100644
--- a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2020-9283.txtar
+++ b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2020-9283.txtar
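Review bot: `getCWE` returns "" when a record has no problem-type data, and `addCVE` now stores that empty string in `cve_metadata.cwe` where the old code stored the "TODO" placeholder that told a triager the field still needed filling, so unless the report linter rejects an empty cwe (not visible here) a Go CNA record without a CWE now passes through silently; keeping the sentinel as the fallback, `return "TODO"`, preserves that signal. `isGoCNA` compares against the bare literal "security@golang.org" while the CVE 5 path uses the named `GoOrgUUID`; a package-level `const goCNAAssigner = "security@golang.org"` keeps both identity checks findable together, which matters because this comparison is what decides whether the report claims Go CNA ownership of the CVE. The `isGoCNA bool` parameter of `addCVE` also shadows the `isGoCNA` function inside its body; naming it `fromGoCNA` avoids the shadowing. `cveToReport` begins before the hunk.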
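Review bot: `getCWE5` returns `ProblemTypes[0].Descriptions[0].Description` without consulting the entry's language or any dedicated CWE-ID field, so a record whose first description entry is not the English one, or whose CWE is carried only in a separate identifier field, would yield a wrong or empty cwe; which of those fields `cveschema5` exposes is not visible in the hunk, so this is worth checking against the schema type before relying on `[0][0]`. As in the CVE 4 path, the "" fallback replaces the "TODO" placeholder that previously flagged a missing CWE for manual review. `isGoCNA5` and `getCWE5` are undocumented; `// isGoCNA5 reports whether the CNA container was published by the Go CNA (matched by provider org ID).` and `// getCWE5 returns the first problem-type description of the CNA container, or "" if there is none.` would state the contract. `cve5ToReport` starts before the hunk, and `cna` is defined there.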
@@ -12,6 +12,8 @@ modules:
 - package: n/a
 description: |
 golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.
+cves:
+ - CVE-2020-9283
 references:
 - web: https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY
 - web: http://packetstormsecurity.com/files/156480/Go-SSH-0.0.2-Denial-Of-Service.html
@@ -19,6 +21,3 @@ references:
 - web: https://lists.debian.org/debian-lts-announce/2020/11/msg00027.html
 - web: https://lists.debian.org/debian-lts-announce/2020/11/msg00031.html
 - web: https://lists.debian.org/debian-lts-announce/2023/06/msg00017.html
-cve_metadata:
- id: CVE-2020-9283
- cwe: TODO
diff --git a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2021-27919.txtar b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2021-27919.txtar
index 6323c919..6d998f8c 100644
--- a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2021-27919.txtar
+++ b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2021-27919.txtar
@@ -12,11 +12,10 @@ modules:
 - package: archive/zip
 description: |
 archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename.
+cves:
+ - CVE-2021-27919
 references:
 - web: https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw
 - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MU47VKTNXX33ZDLTI2ORRUY3KLJKU6G/
 - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HM7U5JNS5WU66Q3S26PFIU2ITB2ATTQ4/
 - web: https://security.gentoo.org/glsa/202208-02
-cve_metadata:
- id: CVE-2021-27919
- cwe: TODO
diff --git a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2021-3115.txtar b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2021-3115.txtar
index 574625e9..003879ea 100644
--- a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2021-3115.txtar
+++ b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2021-3115.txtar
@@ -12,12 +12,11 @@ modules:
 - package: cmd/go
 description: |
 Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).
+cves:
+ - CVE-2021-3115
 references:
 - web: https://groups.google.com/g/golang-announce/c/mperVMGa98w
 - web: https://blog.golang.org/path-security
 - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/
 - web: https://security.netapp.com/advisory/ntap-20210219-0001/
 - web: https://security.gentoo.org/glsa/202208-02
-cve_metadata:
- id: CVE-2021-3115
- cwe: TODO
diff --git a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-29407.txtar b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-29407.txtar
index 5b89b1ee..76736b78 100644
--- a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-29407.txtar
+++ b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-29407.txtar
@@ -25,4 +25,4 @@ references:
 - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/
 cve_metadata:
 id: CVE-2023-29407
- cwe: TODO
+ cwe: 'CWE-834: Excessive Iteration'
diff --git a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45283.txtar b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45283.txtar
index 6c99a2ff..091fc3d4 100644
--- a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45283.txtar
+++ b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45283.txtar
@@ -24,4 +24,4 @@ references:
 - web: http://www.openwall.com/lists/oss-security/2023/12/05/2
 cve_metadata:
 id: CVE-2023-45283
- cwe: TODO
+ cwe: 'CWE-41: Improper Resolution of Path Equivalence'
diff --git a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45285.txtar b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45285.txtar
index af1c41ae..def7af51 100644
--- a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45285.txtar
+++ b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45285.txtar
@@ -22,4 +22,4 @@ references:
 - web: https://pkg.go.dev/vuln/GO-2023-2383
 cve_metadata:
 id: CVE-2023-45285
- cwe: TODO
+ cwe: 'CWE-636: Not Failing Securely (''Failing Open'')'
diff --git a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45286.txtar b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45286.txtar
index ff76336a..daabb2de 100644
--- a/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45286.txtar
+++ b/internal/report/testdata/cve/TestCVE5ToReport/CVE-2023-45286.txtar
@@ -13,8 +13,6 @@ modules:
 summary: HTTP request body disclosure in github.com/go-resty/resty/v2
 description: |
 A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.
-cves:
- - CVE-2023-45286
 credits:
 - Logan Attwood (@lattwood)
 references:
@@ -22,3 +20,6 @@ references:
 - report: https://github.com/go-resty/resty/issues/739
 - fix: https://github.com/go-resty/resty/pull/745
 - web: https://pkg.go.dev/vuln/GO-2023-2328
+cve_metadata:
+ id: CVE-2023-45286
+ cwe: 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'
diff --git a/internal/report/testdata/cve/TestCVEToReport/CVE-2020-9283.txtar b/internal/report/testdata/cve/TestCVEToReport/CVE-2020-9283.txtar
index 901b9be7..8e6dd11a 100644
--- a/internal/report/testdata/cve/TestCVEToReport/CVE-2020-9283.txtar
+++ b/internal/report/testdata/cve/TestCVEToReport/CVE-2020-9283.txtar
@@ -12,6 +12,8 @@ modules:
 - package: n/a
 description: |
 golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.
+cves:
+ - CVE-2020-9283
 references:
 - web: https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY
 - web: http://packetstormsecurity.com/files/156480/Go-SSH-0.0.2-Denial-Of-Service.html
@@ -19,6 +21,3 @@ references:
 - web: https://lists.debian.org/debian-lts-announce/2020/11/msg00027.html
 - web: https://lists.debian.org/debian-lts-announce/2020/11/msg00031.html
 - web: https://lists.debian.org/debian-lts-announce/2023/06/msg00017.html
-cve_metadata:
- id: CVE-2020-9283
- cwe: TODO
diff --git a/internal/report/testdata/cve/TestCVEToReport/CVE-2021-27919.txtar b/internal/report/testdata/cve/TestCVEToReport/CVE-2021-27919.txtar
index bb68c341..8aa2f2c4 100644
--- a/internal/report/testdata/cve/TestCVEToReport/CVE-2021-27919.txtar
+++ b/internal/report/testdata/cve/TestCVEToReport/CVE-2021-27919.txtar
@@ -12,11 +12,10 @@ modules:
 - package: archive/zip
 description: |
 archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename.
+cves:
+ - CVE-2021-27919
 references:
 - web: https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw
 - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MU47VKTNXX33ZDLTI2ORRUY3KLJKU6G/
 - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HM7U5JNS5WU66Q3S26PFIU2ITB2ATTQ4/
 - web: https://security.gentoo.org/glsa/202208-02
-cve_metadata:
- id: CVE-2021-27919
- cwe: TODO
diff --git a/internal/report/testdata/cve/TestCVEToReport/CVE-2021-3115.txtar b/internal/report/testdata/cve/TestCVEToReport/CVE-2021-3115.txtar
index 10ced81d..3d7bbba4 100644
--- a/internal/report/testdata/cve/TestCVEToReport/CVE-2021-3115.txtar
+++ b/internal/report/testdata/cve/TestCVEToReport/CVE-2021-3115.txtar
@@ -12,12 +12,11 @@ modules:
 - package: cmd/go
 description: |
 Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).
+cves:
+ - CVE-2021-3115
 references:
 - web: https://groups.google.com/g/golang-announce/c/mperVMGa98w
 - web: https://blog.golang.org/path-security
 - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/
 - web: https://security.netapp.com/advisory/ntap-20210219-0001/
 - web: https://security.gentoo.org/glsa/202208-02
-cve_metadata:
- id: CVE-2021-3115
- cwe: TODO
diff --git a/internal/report/testdata/cve/TestCVEToReport/CVE-2023-29407.txtar b/internal/report/testdata/cve/TestCVEToReport/CVE-2023-29407.txtar
index 2d6e8a2c..918475f0 100644
--- a/internal/report/testdata/cve/TestCVEToReport/CVE-2023-29407.txtar
+++ b/internal/report/testdata/cve/TestCVEToReport/CVE-2023-29407.txtar
@@ -22,4 +22,4 @@ references:
 - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/
 cve_metadata:
 id: CVE-2023-29407
- cwe: TODO
+ cwe: 'CWE-834: Excessive Iteration'
diff --git a/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45283.txtar b/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45283.txtar
index f820a6ea..fa03126d 100644
--- a/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45283.txtar
+++ b/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45283.txtar
@@ -23,4 +23,4 @@ references:
 - web: http://www.openwall.com/lists/oss-security/2023/12/05/2
 cve_metadata:
 id: CVE-2023-45283
- cwe: TODO
+ cwe: 'CWE-41: Improper Resolution of Path Equivalence'
diff --git a/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45285.txtar b/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45285.txtar
index fc5860b9..f3919a81 100644
--- a/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45285.txtar
+++ b/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45285.txtar
@@ -19,4 +19,4 @@ references:
 - web: https://pkg.go.dev/vuln/GO-2023-2383
 cve_metadata:
 id: CVE-2023-45285
- cwe: TODO
+ cwe: 'CWE-636: Not Failing Securely (''Failing Open'')'
diff --git a/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45286.txtar b/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45286.txtar
index 7abb5a7e..209c1250 100644
--- a/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45286.txtar
+++ b/internal/report/testdata/cve/TestCVEToReport/CVE-2023-45286.txtar
@@ -12,10 +12,11 @@ modules:
 - package: github.com/go-resty/resty/v2
 description: |
 A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.
-cves:
- - CVE-2023-45286
 references:
 - report: https://github.com/go-resty/resty/issues/743
 - report: https://github.com/go-resty/resty/issues/739
 - fix: https://github.com/go-resty/resty/pull/745
 - web: https://pkg.go.dev/vuln/GO-2023-2328
+cve_metadata:
+ id: CVE-2023-45286
+ cwe: 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'