
Vulnerability is missing KEV data [was: VCID-3hng-483x-aaar is incomplete]

Open DennisClark opened this issue 1 year ago • 4 comments

See https://public.vulnerablecode.io/vulnerabilities/VCID-3hng-483x-aaar?search=CVE-2024-39891

Vulnerability VCID-3hng-483x-aaar shows a relationship to CVE-2024-39891 but there are no Packages and there is no KEV reference to the corresponding entry in the Known Exploited Vulnerabilities Catalog. The KEV was published with the title Twilio Authy Information Disclosure Vulnerability on 2024-07-23. See https://www.cisa.gov/known-exploited-vulnerabilities-catalog

A vulnerability without at least one affected package does not make a lot of sense to me in VCIO.

I am also concerned that we are not keeping KEV data up-to-date. See related https://github.com/nexB/vulnerablecode/issues/1028 and https://github.com/nexB/vulnerablecode/pull/1422

DennisClark avatar Aug 01 '24 20:08 DennisClark

@DennisClark

This vulnerability data is linked to the NVD importer, as indicated in the history tab, so I ran the NVD importer locally and obtained the same result:

Fixed by packages (0) 
Affected packages (0)  

This issue seems to be related to how we import data from the NVD. I find it confusing for a vulnerability to lack at least one affected package, but sometimes the description still makes sense.

The improver ran successfully and fetched the KEV data on my computer, so it’s likely that it hasn’t yet run on the server. When was the last update to the server? I think we should wait to merge some pending pull requests before releasing and updating the server.

Screenshot from 2024-08-02 17-08-53

ziadhany avatar Aug 02 '24 14:08 ziadhany

@ziadhany thanks for investigating this. I agree that "we should wait to merge some pending pull requests before releasing and updating the server."

DennisClark avatar Aug 02 '24 16:08 DennisClark

Here is another example: https://public.vulnerablecode.io/vulnerabilities/VCID-aub5-9vuw-aaah?search=CVE-2024-36971

That CVE, CVE-2024-36971, appears in the KEV https://www.cisa.gov/known-exploited-vulnerabilities-catalog but there is no evidence of that in VCIO.

DennisClark avatar Aug 15 '24 16:08 DennisClark

Another example: https://public.vulnerablecode.io/vulnerabilities/VCID-rqea-u6nh-aaaj?search=CVE-2024-32113

That CVE, https://nvd.nist.gov/vuln/detail/CVE-2018-0824 appears in the KEV https://www.cisa.gov/known-exploited-vulnerabilities-catalog but there is no evidence of that in VCIO.

DennisClark avatar Aug 19 '24 15:08 DennisClark

Related core issue:

  • https://github.com/aboutcode-org/vulnerablecode/issues/1643

keshav-space avatar Nov 08 '24 11:11 keshav-space

Completed in https://github.com/aboutcode-org/vulnerablecode/pull/1685; we now maintain a mirror for the CISA KEV data (https://github.com/aboutcode-org/aboutcode-mirror-kev) which is used by the VulnerableCode KEV pipeline.

To test this browse the Exploits tab here https://public.vulnerablecode.io/vulnerabilities/VCID-3hng-483x-aaar?search=CVE-2024-39891

keshav-space avatar Mar 28 '25 15:03 keshav-space
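The check DennisClark performed by hand in this thread (is a CVE listed in the CISA KEV catalog, and does the local vulnerability database carry a KEV reference for it?) can be automated as a small coverage audit. The script below is an added example and is not VulnerableCode's own importer, improver or KEV pipeline code. It assumes the field names of the public CISA KEV JSON feed (`vulnerabilities`, `cveID`, `vulnerabilityName`, `dateAdded`, `dueDate`); the embedded feed is a constructed sample in which only the Twilio Authy title and `dateAdded` come from this issue, and `LOCAL_VCIO_REFERENCES` is a hypothetical stand-in for whatever reference sources a local database records per CVE.

```python
import json
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed sample of the CISA KEV JSON feed. Field names match the public
# feed; values other than the Twilio Authy title/dateAdded (quoted in the issue)
# are illustrative placeholders, and CVE-2024-00000 is a deliberately fake id.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "dateReleased": "2024-08-01T00:00:00.0000Z",
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-2024-39891", "vendorProject": "Twilio", "product": "Authy",
         "vulnerabilityName": "Twilio Authy Information Disclosure Vulnerability",
         "dateAdded": "2024-07-23", "dueDate": "2024-08-13"},
        {"cveID": "CVE-2024-36971", "vendorProject": "placeholder", "product": "placeholder",
         "vulnerabilityName": "placeholder name", "dateAdded": "2024-07-30", "dueDate": None},
        {"cveID": "CVE-2024-00000", "vendorProject": "placeholder", "product": "placeholder",
         "vulnerabilityName": "constructed entry absent from the local DB",
         "dateAdded": "2024-07-01", "dueDate": "2024-07-22"},
        {"cveID": "", "vulnerabilityName": "malformed record, skipped by the parser",
         "dateAdded": "2024-07-01"},
    ],
})

# Hypothetical local state: CVE -> set of reference sources already attached.
# CVE-2024-39891 has only its NVD advisory, which is the gap reported above.
LOCAL_VCIO_REFERENCES: Dict[str, Set[str]] = {
    "CVE-2024-39891": {"nvd"},
    "CVE-2024-36971": {"nvd", "cisa_kev"},
}

# Reference date for the staleness figure (date of the first comment above).
AS_OF = date(2024, 8, 1)


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    vulnerability_name: str
    date_added: date
    due_date: Optional[date]


def parse_kev_feed(raw_json: str) -> Dict[str, KevEntry]:
    """Parse a KEV feed into a map keyed by CVE id.

    Records without a well-formed cveID are skipped instead of aborting the
    whole run, so one bad record cannot leave the catalogue empty.
    """
    feed = json.loads(raw_json)
    entries: Dict[str, KevEntry] = {}
    for item in feed.get("vulnerabilities", []):
        cve_id = str(item.get("cveID") or "").strip().upper()
        if not cve_id.startswith("CVE-"):
            continue
        due = item.get("dueDate")
        entries[cve_id] = KevEntry(
            cve_id=cve_id,
            vulnerability_name=item.get("vulnerabilityName", ""),
            date_added=date.fromisoformat(item["dateAdded"]),
            due_date=date.fromisoformat(due) if due else None,
        )
    return entries


def audit_kev_coverage(kev: Dict[str, KevEntry],
                       local_refs: Dict[str, Set[str]],
                       as_of: date) -> Dict[str, List[dict]]:
    """Report KEV entries the local database does not reflect.

    'missing_kev_reference': the CVE exists locally but carries no KEV reference.
    'not_in_database': the CVE is in KEV but unknown locally.
    days_since_added shows how long the gap has existed, i.e. how stale the
    KEV import is.
    """
    report: Dict[str, List[dict]] = {"missing_kev_reference": [], "not_in_database": []}
    for cve_id, entry in sorted(kev.items()):
        row = {"cve": cve_id, "name": entry.vulnerability_name,
               "days_since_added": (as_of - entry.date_added).days}
        if cve_id not in local_refs:
            report["not_in_database"].append(row)
        elif "cisa_kev" not in local_refs[cve_id]:
            report["missing_kev_reference"].append(row)
    return report


if __name__ == "__main__":
    catalogue = parse_kev_feed(SAMPLE_KEV_FEED)
    print(json.dumps(audit_kev_coverage(catalogue, LOCAL_VCIO_REFERENCES, AS_OF), indent=2))
```

Run against the real feed by replacing `SAMPLE_KEV_FEED` with the downloaded catalogue and `LOCAL_VCIO_REFERENCES` with a dump of the database's reference sources; a non-empty `missing_kev_reference` list with a growing `days_since_added` is the signal that the KEV improver has not run on the server since that entry was published.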