diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap index baf1e4674a..702d56f85e 100755 --- a/cmd/osv-scanner/__snapshots__/main_test.snap +++ b/cmd/osv-scanner/__snapshots__/main_test.snap @@ -133,7 +133,6 @@ Loaded filter from: /fixtures/go-project/osv-scanner.toml | https://osv.dev/GO-2024-2609 | | Go | stdlib | 1.21.7 | fixtures/go-project/go.mod | | https://osv.dev/GO-2024-2610 | | Go | stdlib | 1.21.7 | fixtures/go-project/go.mod | | https://osv.dev/GO-2024-2687 | | Go | stdlib | 1.21.7 | fixtures/go-project/go.mod | -| https://osv.dev/GO-2024-2824 | | Go | stdlib | 1.21.7 | fixtures/go-project/go.mod | +------------------------------+------+-----------+---------+---------+----------------------------+ --- @@ -431,7 +430,6 @@ Scanned /fixtures/call-analysis-go-project/go.mod file and found 4 pack | https://osv.dev/GO-2024-2598 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | | https://osv.dev/GO-2024-2599 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | | https://osv.dev/GO-2024-2687 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2024-2824 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | +-------------------------------------+------+-----------+-----------------------------+---------+------------------------------------------+ | Uncalled vulnerabilities | | | | | | +-------------------------------------+------+-----------+-----------------------------+---------+------------------------------------------+ diff --git a/pkg/osvscanner/__snapshots__/osvscanner_internal_test.snap b/pkg/osvscanner/__snapshots__/osvscanner_internal_test.snap index ea81c27671..e7f7bd4ea1 100755 --- a/pkg/osvscanner/__snapshots__/osvscanner_internal_test.snap +++ b/pkg/osvscanner/__snapshots__/osvscanner_internal_test.snap 
@@ -1485,6 +1485,112 @@ [Test_filterResults/filter_partially - 1] { "results": [ + { + "source": { + "path": "fixtures/filter/some/configs/a/", + "type": "lockfile" + }, + "packages": [ + { + "package": { + "name": "chromium", + "version": "73.0.3683.75-1", + "ecosystem": "Debian:10" + }, + "vulnerabilities": [ + { + "modified": "2024-05-03T03:16:29Z", + "published": "2024-04-17T08:15:10Z", + "id": "CVE-2024-3847", + "details": "Insufficient policy enforcement in WebUI in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)", + "affected": [ + { + "package": { + "ecosystem": "Debian:10", + "name": "chromium" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": { + "urgency": "low" + } + }, + { + "package": { + "ecosystem": "Debian:11", + "name": "chromium" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": { + "urgency": "low" + } + } + ], + "references": [ + { + "type": "ARTICLE", + "url": "https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_16.html" + }, + { + "type": "WEB", + "url": "https://issues.chromium.org/issues/328690293" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWIVXXSVO5VB3NAZVFJ7CWVBN6W2735T/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IDLUD644WEWGOFKMZWC2K7Z4CQOKQYR7/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M4PCXKCOVBUUU6GOSN46DCPI4HMER3PJ/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PCWPUBGTBNT4EW32YNZMRIPB3Y4R6XL6/" + }, + { + 
"type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOC3HLIZCGMIJLJ6LME5UWUUIFLXEGRN/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEP5NJUWMDRLDQUKU4LFDUHF5PCYAPIO/" + } + ] + } + ], + "groups": [ + { + "ids": [ + "CVE-2024-3847" + ], + "aliases": null, + "max_severity": "" + } + ] + } + ] + }, { "source": { "path": "fixtures/filter/some/configs/b/", @@ -1530,6 +1636,9 @@ ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-vvpx-j8f3-3w6h/GHSA-vvpx-j8f3-3w6h.json" + }, + "ecosystem_specific": { + "urgency": "unimportant" } } ], @@ -1618,7 +1727,8 @@ { "path": "net/http" } - ] + ], + "urgency": "low" } }, { diff --git a/pkg/osvscanner/fixtures/filter/some/input.json b/pkg/osvscanner/fixtures/filter/some/input.json index b7e9fd6af9..837fabae9b 100644 --- a/pkg/osvscanner/fixtures/filter/some/input.json +++ b/pkg/osvscanner/fixtures/filter/some/input.json 
@@ -6,6 +6,159 @@ "type": "lockfile" }, "packages": [ + { + "package": { + "name": "unixodbc", + "version": "2.3.11-2", + "ecosystem": "Debian:10" + }, + "vulnerabilities": [ + { + "id": "CVE-2024-1013", + "details": "An out-of-bounds stack write flaw was found in unixODBC on 64-bit architectures where the caller has 4 bytes and callee writes 8 bytes. This issue may go unnoticed on little-endian architectures, while big-endian architectures can be broken.", + "affected": [ + { + "package": { + "name": "unixodbc", + "ecosystem": "Debian:10" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": { + "urgency": "unimportant" + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260823" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2024-1013" + }, + { + "type": "WEB", + "url": "https://github.com/lurcher/unixODBC/pull/157" + } + ], + "modified": "2024-03-18T12:38:25Z", + "published": "2024-03-18T11:15:09Z" + } + ], + "groups": [ + { + "ids": [ + "CVE-2024-1013" + ] + } + ] + }, + { + "package": { + "name": "chromium", + "version": "73.0.3683.75-1", + "ecosystem": "Debian:10" + }, + "vulnerabilities": [ + { + "id": "CVE-2024-3847", + "details": "Insufficient policy enforcement in WebUI in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to bypass content security policy via a crafted HTML page. 
(Chromium security severity: Low)", + "affected": [ + { + "package": { + "name": "chromium", + "ecosystem": "Debian:10" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": { + "urgency": "low" + } + }, + { + "package": { + "name": "chromium", + "ecosystem": "Debian:11" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": { + "urgency": "low" + } + } + ], + "references": [ + { + "type": "ARTICLE", + "url": "https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_16.html" + }, + { + "type": "WEB", + "url": "https://issues.chromium.org/issues/328690293" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWIVXXSVO5VB3NAZVFJ7CWVBN6W2735T/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IDLUD644WEWGOFKMZWC2K7Z4CQOKQYR7/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M4PCXKCOVBUUU6GOSN46DCPI4HMER3PJ/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PCWPUBGTBNT4EW32YNZMRIPB3Y4R6XL6/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOC3HLIZCGMIJLJ6LME5UWUUIFLXEGRN/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEP5NJUWMDRLDQUKU4LFDUHF5PCYAPIO/" + } + ], + "modified": "2024-05-03T03:16:29Z", + "published": "2024-04-17T08:15:10Z" + } + ], + "groups": [ + { + "ids": [ + "CVE-2024-3847" + ] + } + ] + }, { "package": { "name": "remove_dir_all", 
@@ -717,6 +870,9 @@ ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-vvpx-j8f3-3w6h/GHSA-vvpx-j8f3-3w6h.json" + }, + "ecosystem_specific": { + "urgency": "unimportant" } } ], @@ -806,7 +962,8 @@ { "path": "net/http" } - ] + ], + "urgency": "low" } }, { diff --git a/pkg/osvscanner/fixtures/filter/some/want.json b/pkg/osvscanner/fixtures/filter/some/want.json index 4b00059a41..574e3871e2 100644 --- a/pkg/osvscanner/fixtures/filter/some/want.json +++ b/pkg/osvscanner/fixtures/filter/some/want.json 
@@ -1,5 +1,111 @@ { "results": [ + { + "source": { + "path": "fixtures/filter/some/configs/a/", + "type": "lockfile" + }, + "packages": [ + { + "package": { + "name": "chromium", + "version": "73.0.3683.75-1", + "ecosystem": "Debian:10" + }, + "vulnerabilities": [ + { + "modified": "2024-05-03T03:16:29Z", + "published": "2024-04-17T08:15:10Z", + "id": "CVE-2024-3847", + "details": "Insufficient policy enforcement in WebUI in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)", + "affected": [ + { + "package": { + "ecosystem": "Debian:10", + "name": "chromium" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": { + "urgency": "low" + } + }, + { + "package": { + "ecosystem": "Debian:11", + "name": "chromium" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "ecosystem_specific": { + "urgency": "low" + } + } + ], + "references": [ + { + "type": "ARTICLE", + "url": "https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_16.html" + }, + { + "type": "WEB", + "url": "https://issues.chromium.org/issues/328690293" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWIVXXSVO5VB3NAZVFJ7CWVBN6W2735T/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IDLUD644WEWGOFKMZWC2K7Z4CQOKQYR7/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M4PCXKCOVBUUU6GOSN46DCPI4HMER3PJ/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PCWPUBGTBNT4EW32YNZMRIPB3Y4R6XL6/" + }, + { + "type": "WEB", + "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOC3HLIZCGMIJLJ6LME5UWUUIFLXEGRN/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEP5NJUWMDRLDQUKU4LFDUHF5PCYAPIO/"
+ }
+ ]
+ }
+ ],
+ "groups": [
+ {
+ "ids": [
+ "CVE-2024-3847"
+ ],
+ "aliases": null,
+ "max_severity": ""
+ }
+ ]
+ }
+ ]
+ },
 {
 "source": {
 "path": "fixtures/filter/some/configs/b/",
@@ -133,7 +239,8 @@
 {
 "path": "net/http"
 }
- ]
+ ],
+ "urgency": "low"
 }
 },
 {
diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go
index 7b4ace483e..26aefd2812 100644
--- a/pkg/osvscanner/osvscanner.go
+++ b/pkg/osvscanner/osvscanner.go
@@ -670,11 +670,23 @@ func filterPackageVulns(r reporter.Reporter, pkgVulns models.PackageVulns, confi
 var newVulns []models.Vulnerability
 if len(newGroups) > 0 { // If there are no groups left then there would be no vulnerabilities.
+ unimportantCount := 0
 for _, vuln := range pkgVulns.Vulnerabilities {
+ if isUnimportant(pkgVulns.Package.Ecosystem, vuln.Affected) {
+ unimportantCount++
+ r.Verbosef("%s has been filtered out due to its unimportance.", vuln.ID)
+
+ continue
+ }
+
 if _, filtered := ignoredVulns[vuln.ID]; !filtered {
 newVulns = append(newVulns, vuln)
 }
 }
+
+ if unimportantCount > 0 {
+ r.Infof("%d unimportant vulnerabilities have been filtered out.", unimportantCount)
+ }
 }
 // Passed by value. We don't want to alter the original PackageVulns.
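Review bot: The new isUnimportant branch drops the vulnerability from newVulns but nothing in this hunk removes it from newGroups, which is computed before the hunk (filterPackageVulns starts outside it); if newGroups is derived only from ignoredVulns, as the surrounding code suggests, a group whose ids consist solely of an unimportant vulnerability survives in pkgVulns.Groups while the vulnerability itself is gone, and the "no groups left" comment on the enclosing if no longer describes the state. Consider feeding the unimportant ids into the same set that builds newGroups, or filtering the groups in a second pass, so the two lists stay consistent. Separately, the unimportant test runs before the ignoredVulns lookup, so a vulnerability the user already ignored via config is counted and logged as unimportant; swapping the two checks keeps the count accurate. Since this suppresses security findings without any configuration, the summary should say why they disappeared, e.g. `r.Infof("%d vulnerabilities marked unimportant by Debian have been filtered out.", unimportantCount)`.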
@@ -684,6 +696,23 @@ func filterPackageVulns(r reporter.Reporter, pkgVulns models.PackageVulns, confi
 return pkgVulns
 }
+// isUnimportant checks if a Debian vulnerability is tagged with an "unimportant" urgency tag
+// Urgency levels are defined here: https://security-team.debian.org/security_tracker.html#severity-levels
+func isUnimportant(ecosystem string, affectedPackages []models.Affected) bool {
+ // Debian ecosystems may be listed with a version number, such as "Debian:10".
+ if !strings.HasPrefix(ecosystem, string(models.EcosystemDebian)) {
+ return false
+ }
+
+ for _, affected := range affectedPackages {
+ if affected.EcosystemSpecific["urgency"] == "unimportant" {
+ return true
+ }
+ }
+
+ return false
+}
+
 func parseLockfilePath(lockfileElem string) (string, string) {
 if !strings.Contains(lockfileElem, ":") {
 lockfileElem = ":" + lockfileElem
diff --git a/pkg/osvscanner/osvscanner_internal_test.go b/pkg/osvscanner/osvscanner_internal_test.go
index 6b2e77b191..d08a99e906 100644
--- a/pkg/osvscanner/osvscanner_internal_test.go
+++ b/pkg/osvscanner/osvscanner_internal_test.go
@@ -33,7 +33,7 @@ func Test_filterResults(t *testing.T) {
 {
 name: "filter_partially",
 path: "fixtures/filter/some",
- want: 10,
+ want: 11,
 },
 }
 for _, tt := range tests {
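Review bot: isUnimportant returns true when any affected entry carries urgency "unimportant", without checking that the entry belongs to the ecosystem being scanned; the fixture added in this same commit shows one vulnerability with separate `affected` entries for `Debian:10` and `Debian:11`, each with its own urgency, so a finding Debian rates unimportant for one release would be suppressed for a package from another release where it is still rated. Skip entries for other ecosystems before reading the urgency, e.g. `if string(affected.Package.Ecosystem) != ecosystem { continue }` (assuming the Go field that the JSON `affected[].package.ecosystem` maps to is the same string-typed Ecosystem used with `models.EcosystemDebian` above). The `==` against a string constant only holds when the map value is stored as a string; that matches the fixtures but is worth stating in the doc comment, along with the fact that the prefix match deliberately covers release-suffixed names like "Debian:10".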