dependency-track
Wrong vulnerabilities reports when logical value NA used in CPE Version
Hi,
I'm facing an issue with the version matching of components and vulnerabilities when CPE and the logical value NA ('-') are involved.
Current Behavior:
A project with an httpd server component identified by the CPE cpe:2.3:a:apache:http_server:2.4.53:*:*:*:*:*:*:* is reported as vulnerable to CVE-2007-6420.
CVE-2007-6420 has the following cpe_match:
    "configurations" : {
      "CVE_data_version" : "4.0",
      "nodes" : [ {
        "operator" : "OR",
        "children" : [ ],
        "cpe_match" : [ {
          "vulnerable" : true,
          "cpe23Uri" : "cpe:2.3:a:apache:http_server:2.2.0:*:*:*:*:*:*:*",
          "cpe_name" : [ ]
        }, {
          "vulnerable" : true,
          "cpe23Uri" : "cpe:2.3:a:apache:http_server:2.2.2:*:*:*:*:*:*:*",
          "cpe_name" : [ ]
        }, {
          "vulnerable" : true,
          "cpe23Uri" : "cpe:2.3:a:apache:http_server:2.2.4:*:*:*:*:*:*:*",
          "cpe_name" : [ ]
        }, {
          "vulnerable" : true,
          "cpe23Uri" : "cpe:2.3:a:apache:http_server:2.2.6:*:*:*:*:*:*:*",
          "cpe_name" : [ ]
        }, {
          "vulnerable" : true,
          "cpe23Uri" : "cpe:2.3:a:apache:http_server:2.2.3:*:*:*:*:*:*:*",
          "cpe_name" : [ ]
        }, {
          "vulnerable" : true,
          "cpe23Uri" : "cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*",
          "cpe_name" : [ ]
        } ]
      } ]
    },
Expected Behavior:
I think the vuln shouldn't be reported.
The NVD search doesn't report the vuln: NVD Search
Moreover, according to the "Name Matching Specification Version 2.3", I don't think the actual implementation in AbstractVulnerableSoftwareAnalysisTask.compareVersions is correct, as I understand Table 6-2 from chapter "6.1 Attribute Comparison Relations" at https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7696.pdf
Steps to Reproduce:
I reproduced the issue with the test case below:
    import static org.assertj.core.api.Assertions.assertThat;
    import java.util.List;
    import alpine.persistence.PaginatedResult;
    import org.dependencytrack.PersistenceCapableTest;
    import org.dependencytrack.model.Component;
    import org.dependencytrack.model.Project;
    import org.dependencytrack.model.Vulnerability;
    import org.dependencytrack.model.VulnerableSoftware;
    import org.dependencytrack.tasks.InternalAnalysisTask;
    import org.junit.Test;

    // Test class and method names are chosen here for illustration; qm is the
    // QueryManager that PersistenceCapableTest provides to its subclasses.
    public class InternalAnalysisTaskTest extends PersistenceCapableTest {
        @Test
        public void testNaVersionDoesNotMatchConcreteVersion() {
            var project = new Project();
            project.setName("acme-app");
            project = qm.createProject(project, List.of(), false);

            // Component with a concrete CPE version (2.4.53).
            var component = new Component();
            component.setProject(project);
            component.setName("Apache httpd");
            component.setVersion("2.4.53");
            component.setCpe("cpe:2.3:a:apache:http_server:2.4.53:*:*:*:*:*:*:*");
            component = qm.createComponent(component, false);

            // Vulnerable software entry whose version is the logical value NA ("-").
            var vs1 = new VulnerableSoftware();
            vs1.setCpe23("cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*");
            vs1.setPart("a");
            vs1.setVendor("apache");
            vs1.setProduct("http_server");
            vs1.setVersion("-");
            vs1.setVulnerable(true);
            var vs = qm.persist(vs1);

            var vulnerability = new Vulnerability();
            vulnerability.setVulnId("CVE-2007-6420");
            vulnerability.setSource(Vulnerability.Source.NVD);
            vulnerability.setVulnerableSoftware(List.of(vs));
            qm.createVulnerability(vulnerability, false);
            new InternalAnalysisTask().analyze(List.of(component));

            // Current behaviour: the CVE is (wrongly) reported against the component.
            final PaginatedResult vulnerabilities = qm.getVulnerabilities(component);
            assertThat(vulnerabilities.getTotal()).isEqualTo(1);
            assertThat(vulnerabilities.getList(Vulnerability.class).get(0).getVulnId()).isEqualTo("CVE-2007-6420");
        }
    }
Expected:
    final PaginatedResult vulnerabilities = qm.getVulnerabilities(component);
    assertThat(vulnerabilities.getTotal()).isEqualTo(0);
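Table 6-2 and section 7 of NISTIR 7696 (the document cited under Expected Behavior), as an added Python example that is not part of this issue or of Dependency-Track's code: it applies the attribute comparison relations to the CPEs above and shows why a cpe_match whose version is NA ('-') is DISJOINT from, and so does not apply to, a component at version 2.4.53. Function names and the wildcard-to-regex translation are mine; wildcards are handled only on the source (cpe_match) side, since the specification does not define comparisons with wildcards in the target.

```python
import re
from enum import Enum

ANY, NA = "*", "-"  # CPE logical values: ANY and NA ("not applicable")
class Rel(Enum):
    EQUAL, SUBSET, SUPERSET, DISJOINT = range(4)

# The 11 attributes of a CPE 2.3 formatted string, in binding order.
ATTRS = ("part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe23(cpe: str) -> dict:
    """Split 'cpe:2.3:...' into its 11 attributes, splitting on unescaped colons only."""
    fields = re.split(r"(?<!\\):", cpe)
    if fields[:2] != ["cpe", "2.3"] or len(fields) != 13:
        raise ValueError(f"not a well-formed CPE 2.3 formatted string: {cpe}")
    return dict(zip(ATTRS, fields[2:]))

def _has_wildcard(value: str) -> bool:
    return value not in (ANY, NA) and ("*" in value or "?" in value)

def compare_attr(source: str, target: str) -> Rel:
    """NISTIR 7696 Table 6-2: source attribute (CVE cpe_match) vs target attribute (component)."""
    if _has_wildcard(target):
        raise ValueError("wildcards are not permitted in the target name")
    if source == target:
        return Rel.EQUAL        # ANY/ANY, NA/NA, or the same concrete value
    if source == ANY:
        return Rel.SUPERSET     # ANY covers NA and every concrete value
    if target == ANY:
        return Rel.SUBSET       # NA or a concrete value is narrower than ANY
    if source == NA or target == NA:
        return Rel.DISJOINT     # NA never matches a concrete value: the case in this issue
    if _has_wildcard(source):   # e.g. "2.4.*": SUPERSET only if the pattern fits the target
        pattern = re.escape(source).replace(r"\*", ".*").replace(r"\?", ".")
        return Rel.SUPERSET if re.fullmatch(pattern, target) else Rel.DISJOINT
    return Rel.DISJOINT         # two different concrete values

def compare_cpe(source_cpe: str, target_cpe: str) -> Rel:
    """NISTIR 7696 section 7: one DISJOINT attribute makes the names DISJOINT; else combine."""
    src, tgt = parse_cpe23(source_cpe), parse_cpe23(target_cpe)
    rels = {compare_attr(src[a], tgt[a]) for a in ATTRS}
    if Rel.DISJOINT in rels:
        return Rel.DISJOINT
    if {Rel.SUBSET, Rel.SUPERSET} <= rels:
        raise ValueError("undefined: SUBSET in one attribute, SUPERSET in another")
    return Rel.SUPERSET if Rel.SUPERSET in rels else Rel.SUBSET if Rel.SUBSET in rels else Rel.EQUAL

def is_affected(vulnerable_cpe: str, component_cpe: str) -> bool:
    """A cpe_match entry applies to a component only when it is EQUAL to or a SUPERSET of it."""
    return compare_cpe(vulnerable_cpe, component_cpe) in (Rel.EQUAL, Rel.SUPERSET)
```

With the component CPE from the report, `is_affected` returns False for the NA entry and for every 2.2.x entry in the cpe_match above, and True only for a cpe_match whose version is ANY or a matching wildcard.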