fix: Vulnerabilities being missed in SBOMs
Description
The latest version of cve-bin-tool, 3.3.1 (dev), is reporting far fewer vulnerabilities during an SBOM scan.
This appears to be due to changes in the sbom_manager parse_sbom and parse_ext_ref functions.
The CPE external reference is taking precedence over the PURL. However, there is a mismatch between the CPE vendor names and the vulnerability database vendor name, and PURL entries are not decoded.
If the PURL is used instead of the CPE entries, vulnerabilities are reported, provided some of the checks in parse_sbom are removed.
The problem arises with both SPDX and CycloneDX SBOMs.
To reproduce
Create an SBOM with the following package detail:
PackageName: werkzeug
SPDXID: SPDXRef-Package-werkzeug
PackageVersion: 2.2.2
PackageSupplier: Person: Armin Ronacher ([email protected])
PrimaryPackagePurpose: LIBRARY
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/werkzeug@2.2.2
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_romancher:werkzeug:2.2.2:*:*:*:*:*:*:*
Run with both ExternalRefs present: no CVEs are reported.
Run with only the PURL external reference: CVE-2023-23924, CVE-2023-25577, CVE-46136 and others are reported.
Expected behaviour: CVEs are reported regardless of whether PURLs or CPEs are provided.
Actual behaviour: No CVEs are reported.
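As an added illustration (not cve-bin-tool's own code), the following minimal reference-resolution routine walks through the package above: it decodes the purl, parses the cpe23 string, and compares a lookup that stops at the CPE (as described in this report) with one that also consults the PURL-derived product and version. The vulnerability table and the database vendor name "pallets" are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed stand-in for the vulnerability database: (vendor, product, version) -> CVE ids.
# The vendor "pallets" is an assumption for this example, not a value from the report.
VULN_DB = {
    ("pallets", "werkzeug", "2.2.2"): ["CVE-2023-23924", "CVE-2023-25577"],
}

# Constructed SPDX fragment mirroring the package in the report.
SAMPLE_SBOM = """PackageName: werkzeug
PackageVersion: 2.2.2
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/werkzeug@2.2.2
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_romancher:werkzeug:2.2.2:*:*:*:*:*:*:*
""".splitlines()

def parse_purl(purl):
    """Decode pkg:type/[namespace/]name@version[?q][#s] into (name, version), percent-decoded."""
    m = re.match(r"^pkg:[^/]+/([^@?#]+)@([^?#]+)", purl)
    if not m:
        return None
    name = unquote(m.group(1).rsplit("/", 1)[-1]).lower()  # drop namespace, decode %XX
    return name, unquote(m.group(2))

def parse_cpe23(cpe):
    """Return (vendor, product, version) from a cpe:2.3 string, or None if malformed."""
    parts = cpe.split(":")
    if len(parts) < 6 or parts[:2] != ["cpe", "2.3"]:
        return None
    return parts[3].lower(), parts[4].lower(), parts[5]

def parse_ext_refs(lines):
    """Collect the purl and cpe23 locators from SPDX ExternalRef lines."""
    refs = {}
    for line in lines:
        m = re.match(r"ExternalRef:\s*\S+\s+(\S+)\s+(\S+)", line)
        if m and m.group(1) == "purl":
            refs["purl"] = m.group(2)
        elif m and m.group(1).startswith("cpe23"):
            refs["cpe"] = m.group(2)
    return refs

def lookup(vendor, product, version):
    """Match on product and version; restrict to vendor only when one is known (CPE case)."""
    hits = []
    for (v, p, ver), cves in VULN_DB.items():
        if p == product and ver == version and (vendor is None or v == vendor):
            hits.extend(cves)
    return hits

def find_cves(lines, cpe_only):
    """cpe_only=True stops at the CPE (the reported behaviour); False also consults the purl."""
    refs = parse_ext_refs(lines)
    hits = []
    if "cpe" in refs and (parsed := parse_cpe23(refs["cpe"])):
        hits += lookup(*parsed)
    if "purl" in refs and not (cpe_only and "cpe" in refs) and (parsed := parse_purl(refs["purl"])):
        hits += lookup(None, *parsed)
    return sorted(set(hits))
```

With the CPE vendor "armin_romancher" not matching the database entry, the CPE-only path returns nothing, while consulting the decoded PURL as well recovers the two constructed CVE ids.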
Version/platform info
Version of CVE-bin-tool (e.g. output of cve-bin-tool --version): 3.3.1dev0
Installed from pypi or github? github
Operating system: Linux/Windows (other platforms are unsupported but feel free to report issues anyhow)
- On Linux (or Windows Subsystem for Linux) you can run: uname -a
  Linux Kali
- On Windows you can run: systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Python version (e.g. python3 --version): 3.10
Running in any particular CI environment we should know about? (e.g. Github Actions)