Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: PURL to CPE conversion results in "UNKOWN" vendor when CPE is given #4700

Open
weichslgartner opened this issue Jan 17, 2025 · 1 comment
Labels
bug Something isn't working higher priority Issues we'd like fixed sooner rather than later, often ones that come directly from users.
Milestone

Comments

@weichslgartner
Copy link
Contributor

Description

I have an SPDX SBOM which contains PURL and CPE data:

SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: modules-deps
Creator: Tool: Zephyr SPDX builder
Created: 2025-01-15T16:30:07Z

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-mbedtls-deps

##### Package: mbedtls-deps

PackageName: mbedtls-deps
SPDXID: SPDXRef-mbedtls-deps
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageDownloadLocation: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:arm:mbed_tls:3.6.0:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:github/Mbed-TLS/mbedtls@V3.6.0
FilesAnalyzed: false
PackageComment: Utility target; no files

if I scan this with cve-bin-tool 3.4 I get:

╭─────────────╮
│ CPE SUMMARY │
╰─────────────╯
┏━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━┓
┃ Vendor ┃ Product ┃ Version ┃ Latest Upstream Stable Version ┃ CRITICAL CVEs Count ┃ HIGH CVEs Count ┃ MEDIUM CVEs Count ┃ LOW CVEs Count ┃ UNKNOWN CVEs Count ┃ TOTAL CVEs Count ┃
┡━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━┩
└────────┴─────────┴─────────┴────────────────────────────────┴─────────────────────┴─────────────────┴───────────────────┴────────────────┴────────────────────┴──────────────────┘
╭───────────────────────────────────────────────╮
│  Products with No Identified Vulnerabilities  │
╰───────────────────────────────────────────────╯
┏━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━┓
┃ Vendor  ┃ Product      ┃ Version ┃
┡━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━┩
│ UNKNOWN │ mbedtls-deps │ V3.6.0  │
└─────────┴──────────────┴─────────┘

So it seems that the PURL to CPE conversion failed to identify a vendor and overwrote a valid CPE which was present.
If I delete the PURL, it works as expected

SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: modules-deps
Creator: Tool: Zephyr SPDX builder
Created: 2025-01-15T16:30:07Z

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-mbedtls-deps

##### Package: mbedtls-deps

PackageName: mbedtls-deps
SPDXID: SPDXRef-mbedtls-deps
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageDownloadLocation: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:arm:mbed_tls:3.6.0:*:*:*:*:*:*:*
FilesAnalyzed: false
PackageComment: Utility target; no files

Output:

┏━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━┓
┃ Vendor ┃ Product  ┃ Version ┃ Latest Upstream Stable Version ┃ CRITICAL CVEs Count ┃ HIGH CVEs Count ┃ MEDIUM CVEs Count ┃ LOW CVEs Count ┃ UNKNOWN CVEs Count ┃ TOTAL CVEs Count ┃
┡━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━┩
│ arm    │ mbed_tls │ 3.6.0   │ UNKNOWN (offline mode)         │ 1                   │ 0               │ 1                 │ 0              │ 0                  │ 2                │
└────────┴──────────┴─────────┴────────────────────────────────┴─────────────────────┴─────────────────┴───────────────────┴────────────────┴────────────────────┴──────────────────┘
╭─────────────────╮
│  NewFound CVEs  │
╰─────────────────╯
┏━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━┓
┃ Vendor ┃ Product  ┃ Version ┃ CVE Number     ┃ Source ┃ Severity ┃ Score (CVSS Version) ┃
┡━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━┩
│ arm    │ mbed_tls │ 3.6.0   │ CVE-2024-45157 │ NVD    │ MEDIUM   │ 5.1 (v3)             │
│ arm    │ mbed_tls │ 3.6.0   │ CVE-2024-45159 │ NVD    │ CRITICAL │ 9.8 (v3)             │
└────────┴──────────┴─────────┴────────────────┴────────┴──────────┴──────────────────────┘
┏━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┳━━━━━━┳━━━━━━━━━━┓
┃ Vendor ┃ Product  ┃ Version ┃ Root ┃ Filename ┃
┡━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━╇━━━━━━╇━━━━━━━━━━┩
│ arm    │ mbed_tls │ 3.6.0   │      │          │
└────────┴──────────┴─────────┴──────┴──────────┘

With Version 3.3 it also works as expected (I assume there was something changed in the PURL to CPE Logic).

To reproduce

Steps to reproduce the behaviour:

  1. Scan an SBOM which contains CPE and PURL for an component (e.g. cpe:2.3:a:arm:mbed_tls:3.6.0:*:*:*:*:*:*:* and pkg:github/Mbed-TLS/mbedtls@V3.6.0) with e.g. cve-bin-tool --sbom spdx --sbom-file modules-deps.spdx
  2. Vendor will be identified as "UNKNOWN"
  3. No CVEs will be identified

Expected behaviour: CVEs should be matched if CPEs are given in the SBOM
Actual behaviour: PURL to CPE fail to identify the correct vendor and still have a higher priority than the given CPE

Version/platform info

Version of CVE-bin-tool( e.g. output of cve-bin-tool --version): 3.4
Installed from pypi or github? Pypi
Operating system: Linux Ubuntu (Linux 5.4.0-204-generic #224-Ubuntu SMP)
Python version (e.g. python3 --version): Python 3.11.10
Running in any particular CI environment we should know about? no

Anything else?

Feel free to add any other context here.

@terriko
Copy link
Contributor

terriko commented Jan 17, 2025

Ugh, that is spectacularly not the behaviour we want. I think the correct behaviour here would be to provide both (and collapse appropriately if they yield the same thing so you don't get duplicate CVEs). Not sure when we'll get a fix in since I'm currently having some problems with cache updates that need fixing before any PRs will merge cleanly, but thank you for the report and hopefully we'll get to it soon!

@terriko terriko added the higher priority Issues we'd like fixed sooner rather than later, often ones that come directly from users. label Jan 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working higher priority Issues we'd like fixed sooner rather than later, often ones that come directly from users.
Projects
None yet
Development

No branches or pull requests

2 participants