
Validate Prospector on existing vulnerability data

Open · copernico opened this issue 4 years ago · 1 comment

Select 10-20 CVEs (from project-KB data) and run prospector on them; document the outcome, discussing in particular why prospector was successful or unsuccessful in each example.

Data here: https://github.com/SAP/project-kb/tree/vulnerability-data/statements

These are the 2021 statements available in project-kb at this time; we could start from these and post our comments below about the shortcomings we observe:

  • [x] CVE-2021-22696
  • [x] CVE-2021-27582
  • [x] CVE-2021-29425
  • [x] CVE-2021-30468

(feel free to add more to the list)

copernico · Jul 13 '21 07:07

CVE-2021-29425

python client/cli/main.py CVE-2021-29425 --use-nvd --repository https://github.com/apache/commons-io --report html

Solved easily with rule TOKENS_IN_COMMIT_MSG (got 600+ candidates, but only one commit matches, the right one)

CVE-2021-27582

python client/cli/main.py CVE-2021-27582 --use-nvd --repository https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server --report html

Found 26 candidates, only 1 matches the 3 rules: CH_REL_PATH TOKENS_IN_COMMIT_MSG TOKENS_IN_DIFF

CVE-2021-22696

python client/cli/main.py CVE-2021-22696 --use-nvd --repository https://github.com/apache/cxf --report html

Without further restrictions: ~3400 candidates, too many.

Specifying a version interval (3.3.9:3.3.10, based on the advisory text):

python client/cli/main.py CVE-2021-22696 --use-nvd --repository https://github.com/apache/cxf --report html --version-interval 3.3.9:3.3.10

Got 25 candidates, of which only 2 match TOKENS_IN_DIFF. These two are not the same as the two indicated in https://github.com/advisories/GHSA-7q4h-pj78-j7vg but they have the exact same content (they are cherry-picked).

CVE-2021-30468

Trying python client/cli/main.py CVE-2021-30468 --use-nvd --repository https://github.com/apache/cxf --report html gives too many candidates: 2233.

Instead, specifying version intervals: python client/cli/main.py CVE-2021-30468 --use-nvd --repository https://github.com/apache/cxf --report html --version-interval 3.3.10:3.3.11

we get 31 candidates, of which only 3 match TOKENS_IN_DIFF, TOKENS_IN_COMMIT_MSG; the correct commit is easy to identify by considering that a DoS vulnerability can be obtained by throwing a program into an endless loop.

copernico · Jul 21 '21 13:07
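The candidate-narrowing logic this thread exercises (the token rules and the version interval), reduced to a toy re-implementation as an added example; this is not Prospector's code, the advisory text, commit messages, diffs and shas are constructed, and the "first release containing the commit" model and the rule semantics are simplified assumptions:

```python
import re
from collections import namedtuple
# Hypothetical minimal commit record (not Prospector's data model);
# first_release is the release tag that first contains the commit.
Commit = namedtuple("Commit", "sha message diff first_release")
STOPWORDS = {"with", "this", "that", "from", "when", "before", "after", "such", "into"}

def tokenize(text):
    """Lower-case alphabetic tokens of 4+ chars, minus a few stopwords."""
    return {w for w in re.findall(r"[a-z]{4,}", text.lower()) if w not in STOPWORDS}

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def in_interval(version, interval):
    """'lo:hi' keeps commits first released after lo and no later than hi."""
    lo, hi = (parse_version(p) for p in interval.split(":"))
    return lo < parse_version(version) <= hi

def matched_rules(advisory_tokens, commit):
    """Simplified stand-ins for the two token rules named in the thread."""
    checks = [("TOKENS_IN_COMMIT_MSG", commit.message), ("TOKENS_IN_DIFF", commit.diff)]
    return [name for name, text in checks if advisory_tokens & tokenize(text)]

def rank_candidates(advisory, commits, interval=None):
    """[(sha, matched rules)] for commits inside the interval, most rules first."""
    adv = tokenize(advisory)
    pool = [c for c in commits if interval is None or in_interval(c.first_release, interval)]
    return sorted(((c.sha, matched_rules(adv, c)) for c in pool),
                  key=lambda pair: len(pair[1]), reverse=True)

# Constructed sample: a paraphrased advisory and four fake commits/shas.
ADVISORY = ("Apache Commons IO before 2.7: FilenameUtils.normalize with a crafted "
            "input such as //../foo allows limited path traversal.")
COMMITS = [
    Commit("a1b2c3d", "Fix typo in javadoc of FileUtils.copyDirectory",
           "- * Copys a directory\n+ * Copies a directory", "2.6"),
    Commit("d4e5f6a", "IO-556: FilenameUtils.normalize must not allow path traversal",
           "+ if (prefix.startsWith(\"//\")) { // reject traversal outside the base\n"
           "+     throw new IllegalArgumentException(\"invalid prefix\");", "2.7"),
    Commit("b7c8d9e", "Bump version to 2.7-SNAPSHOT",
           "-<version>2.6</version>\n+<version>2.7-SNAPSHOT</version>", "2.7"),
    Commit("f0a1b2c", "Add charset test for IOUtils.toString",
           "+ assertEquals(\"abc\", IOUtils.toString(in, StandardCharsets.UTF_8));", "2.7"),
]

if __name__ == "__main__":
    for sha, rules in rank_candidates(ADVISORY, COMMITS, "2.6:2.7"):
        print(sha, rules or "no rule matched")
```

With the interval the 2.6 commit drops out of the pool, and of the remaining three only the fix commit matches any rule, which mirrors the "25 candidates, 2 match TOKENS_IN_DIFF" pattern reported above.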