Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: discard duplicates reported by OSV with different alias #41

Merged
merged 2 commits into from
Feb 6, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,22 @@ public boolean hasData() {
return created != null && metrics != null;
}

@Override
public final int hashCode() {
return cveId.hashCode();
}

@Override
public final boolean equals(Object other) {
if(other == null) {
return false;
}
if(other instanceof Vulnerability) {
return cveId.equals(((Vulnerability)other).cveId);
}
return false;
}

public static class Builder {
List<String> aliases;
String cveId;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,9 @@

import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;

import org.slf4j.Logger;
Expand Down Expand Up @@ -77,7 +79,6 @@ public void setAliases(List<String> aliases, String cveId) {
aliasCommands.mset(aliases.stream().collect(Collectors.toMap(v -> Alias.getKey(v), v -> new Alias(v, cveId))));
}

//TODO: Can work with mget?
@Override
public List<Vulnerability> list(List<String> cves) {
// Arguments do not match the signature...
Expand Down Expand Up @@ -109,15 +110,32 @@ public List<Vulnerability> list(List<String> cves) {
@Override
public VulnerabilityAlias getByAlias(String aliasId) {
var alias = aliasCommands.get(Alias.getKey(aliasId));
if(alias == null) {
if (alias == null) {
return new VulnerabilityAlias(aliasId, null);
}
return new VulnerabilityAlias(aliasId, get(alias.cveId()));
}

@Override
public List<VulnerabilityAlias> listByAliases(List<String> aliasIds) {
return aliasIds.stream().parallel().map(this::getByAlias).toList();
var aliases = aliasCommands.mget(aliasIds.stream().map(Alias::getKey).toList().toArray(new String[0]));
var vulns = list(aliases.values().stream().filter(Objects::nonNull).map(Alias::cveId).toList()).stream()
.distinct()
.collect(Collectors.toMap(Vulnerability::cveId, v -> v));
var cveIdCount = new HashSet<>();
var results = new ArrayList<VulnerabilityAlias>();

aliasIds.stream().forEach(aliasId -> {
var alias = aliases.get(Alias.getKey(aliasId));
if (alias == null || alias.cveId() == null) {
results.add(new VulnerabilityAlias(aliasId, null));
} else if (!cveIdCount.contains(alias.cveId())) {
cveIdCount.add(alias.cveId());
results.add(new VulnerabilityAlias(aliasId, vulns.get(alias.cveId())));
}
});

return results;
}

}
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,6 @@
import org.eclipse.microprofile.faulttolerance.Retry;
import org.eclipse.microprofile.rest.client.annotation.ClientHeaderParam;
import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;
import org.jboss.resteasy.reactive.ClientWebApplicationException;
import org.jboss.resteasy.reactive.RestQuery;

import com.redhat.ecosystemappeng.onguard.model.nvd.NvdResponse;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -78,12 +78,13 @@ void testList() {
assertNull(found.get(1).metrics());
}

@Test
@Test
void testListByAliases() {
var aliases = List.of("GHSA-wmrx-57hm-mw7r", "not_found", "GHSA-526x-rm7j-v389");
// CVE-2022-30324 and GHSA-526x-rm7j-v389 are aliases of the same CVE
var aliases = List.of("GHSA-wmrx-57hm-mw7r", "not_found", "GHSA-526x-rm7j-v389", "CVE-2022-30324");
var found = repository.listByAliases(aliases);
assertEquals(3, found.size());
for(int i = 0; i < aliases.size(); i++) {
for(int i = 0; i < 3; i++) {
assertNotNull(found.get(i));
}
assertNotNull(found.get(0).vulnerability().metrics());
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,13 +29,9 @@
import static org.junit.jupiter.api.Assertions.assertEquals;

import org.eclipse.microprofile.rest.client.inject.RestClient;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

import com.github.tomakehurst.wiremock.WireMockServer;
import com.redhat.ecosystemappeng.onguard.service.nvd.NvdApi;
import com.redhat.ecosystemappeng.onguard.test.InjectWireMock;
import com.redhat.ecosystemappeng.onguard.test.WireMockExtensions;

import io.quarkus.test.common.QuarkusTestResource;
Expand Down
5 changes: 3 additions & 2 deletions src/test/resources/vulnerabilities.redis
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
JSON.SET CVE-2022-24683 $ '{"affected": [{"package": {"ecosystem": "Go","name": "github.com/hashicorp/nomad","purl": "pkg:golang/github.com/hashicorp/nomad"},"ranges": [{"events": [{"introduced": "0.9.2"},{"fixed": "1.0.18"}],"type": "SEMVER"}]},{"package": {"ecosystem": "Go","name": "github.com/hashicorp/nomad","purl": "pkg:golang/github.com/hashicorp/nomad"},"ranges": [{"events": [{"introduced": "1.1.0"},{"fixed": "1.1.12"}],"type": "SEMVER"}]},{"package": {"ecosystem": "Go","name": "github.com/hashicorp/nomad","purl": "pkg:golang/github.com/hashicorp/nomad"},"ranges": [{"events": [{"introduced": "1.2.0"},{"fixed": "1.2.6"}],"type": "SEMVER"}]}],"created": "2024-01-12T08:42:52.166+00:00","cveId": "CVE-2022-24683","description": "Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and 1.2.5 allow operators with read-fs and alloc-exec (or job-submit) capabilities to read arbitrary files on the host filesystem as root. There are currently no known workarounds. Users are recommended to upgrade as soon as possible to avoid this issue.","metrics": {"cvssMetricV2": [{"acInsufInfo": false,"baseSeverity": "HIGH","cvssData": {"availabilityImpact": "NONE","baseScore": 7.8,"confidentialityImpact": "COMPLETE","integrityImpact": "NONE","vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N","version": "2.0"},"exploitabilityScore": 10.0,"impactScore": 6.9,"obtainAllPrivilege": false,"obtainOtherPrivilege": false,"obtainUserPrivilege": false,"source": "nvd@nist.gov","type": "Primary","userInteractionRequired": false}],"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW","attackVector": "NETWORK","availabilityImpact": "NONE","baseScore": 7.5,"baseSeverity": "HIGH","confidentialityImpact": "HIGH","integrityImpact": "NONE","privilegesRequired": "NONE","scope": "UNCHANGED","userInteraction": "NONE","vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version": "3.1"},"exploitabilityScore": 3.9,"impactScore": 3.6,"source": "nvd@nist.gov","type": "Primary"}]},"summary": "Arbitrary file reads in HashiCorp Nomad"}'
JSON.SET CVE-2022-30324 $ '{"affected": [{"package": {"ecosystem": "Go","name": "github.com/hashicorp/nomad","purl": "pkg:golang/github.com/hashicorp/nomad"},"ranges": [{"events": [{"introduced": "0.2.0"},{"fixed": "1.1.14"}],"type": "SEMVER"}]},{"package": {"ecosystem": "Go","name": "github.com/hashicorp/nomad","purl": "pkg:golang/github.com/hashicorp/nomad"},"ranges": [{"events": [{"introduced": "1.2.0"},{"fixed": "1.2.8"}],"type": "SEMVER"}]},{"package": {"ecosystem": "Go","name": "github.com/hashicorp/nomad","purl": "pkg:golang/github.com/hashicorp/nomad"},"ranges": [{"events": [{"introduced": "1.3.0"},{"fixed": "1.3.1"}],"type": "SEMVER"}]}],"created": "2024-01-12T08:42:52.166+00:00","cveId": "CVE-2022-30324","description": "HashiCorp Nomad and Nomad Enterprise version 0.2.0 up to 1.3.0 were impacted by go-getter vulnerabilities enabling privilege escalation through the artifact stanza in submitted jobs onto the client agent host. Fixed in 1.1.14, 1.2.8, and 1.3.1.","metrics": {"cvssMetricV2": [{"acInsufInfo": false,"baseSeverity": "HIGH","cvssData": {"availabilityImpact": "PARTIAL","baseScore": 7.5,"confidentialityImpact": "PARTIAL","integrityImpact": "PARTIAL","vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P","version": "2.0"},"exploitabilityScore": 10.0,"impactScore": 6.4,"obtainAllPrivilege": false,"obtainOtherPrivilege": false,"obtainUserPrivilege": false,"source": "nvd@nist.gov","type": "Primary","userInteractionRequired": false}],"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW","attackVector": "NETWORK","availabilityImpact": "HIGH","baseScore": 9.8,"baseSeverity": "CRITICAL","confidentialityImpact": "HIGH","integrityImpact": "HIGH","privilegesRequired": "NONE","scope": "UNCHANGED","userInteraction": "NONE","vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version": "3.1"},"exploitabilityScore": 3.9,"impactScore": 5.9,"source": "nvd@nist.gov","type": "Primary"}]},"summary": "Privilege escalation in Hashicorp Nomad"}'

SET alias:GHSA-wmrx-57hm-mw7r '{"id": "CVE-2022-24683", "cveId": "CVE-2022-24683"}'
SET alias:GHSA-526x-rm7j-v389 '{"id": "CVE-2022-30324", "cveId": "CVE-2022-30324"}'
SET alias:GHSA-wmrx-57hm-mw7r '{"id": "GHSA-wmrx-57hm-mw7r", "cveId": "CVE-2022-24683"}'
SET alias:GHSA-526x-rm7j-v389 '{"id": "GHSA-526x-rm7j-v389", "cveId": "CVE-2022-30324"}'
SET alias:CVE-2022-30324 '{"id": "CVE-2022-30324", "cveId": "CVE-2022-30324"}'