
Incorrect severity score due to identical Reference URLs

Open keshav-space opened this issue 1 year ago • 3 comments

When multiple distinct scores have the same reference URL, we end up overwriting the VulnerabilitySeverity. See the SUSE example below, where different vulnerabilities have identical sets of severity.

Screenshot from 2024-09-23 14-01-15
Screenshot from 2024-09-23 14-01-02

The bug is in how we handle the VulnerabilityReference. Each VulnerabilityReference has a URL that is set to be unique. To store a severity for a vulnerability, we create a VulnerabilityReference (using the source URL of the score) and then create a VulnerabilitySeverity (with the severity details and a ForeignKey relationship to the VulnerabilityReference created earlier). Since the URL field is set to unique, things get complicated in the case of SUSE, as all the scores come from the same URL, i.e. "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml". This results in a single SUSE VulnerabilityReference linked to all vulnerabilities, which leads to the same set of SUSE severity scores for all vulnerabilities.

This might not be limited to SUSE alone; there is a high chance that other severity scores were also overwritten.

  • Reference https://github.com/aboutcode-org/vulnerablecode/issues/1592#issuecomment-2367567816

keshav-space avatar Sep 23 '24 11:09 keshav-space
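To make the failure mode described above concrete, here is an added example (not VulnerableCode's own code) that replays the bug in an in-memory SQLite schema shaped like the reference/severity tables; the table and column names (reference, severity, vuln_ref), the two sample vulnerabilities and their scores are constructed assumptions.

```python
"""Replay of the shared-reference severity bug in a simplified schema.
Table/column names are assumptions, not VulnerableCode's real models."""
import sqlite3

SUSE_URL = "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"

# Constructed sample: two vulnerabilities whose SUSE scores come from the same feed URL.
SAMPLE_SCORES = [
    ("VCID-1", SUSE_URL, "cvssv3.1", "9.8"),
    ("VCID-2", SUSE_URL, "cvssv3.1", "5.3"),
]


def build_db(severity_on_vulnerability: bool) -> sqlite3.Connection:
    """Buggy shape: severity hangs only off the reference (unique URL).
    Fixed shape: severity also records the vulnerability it belongs to."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE reference(id INTEGER PRIMARY KEY, url TEXT UNIQUE);
        CREATE TABLE vuln_ref(vuln_id TEXT, ref_id INTEGER, UNIQUE(vuln_id, ref_id));
    """)
    extra = ", vuln_id TEXT" if severity_on_vulnerability else ""
    con.execute(f"CREATE TABLE severity(ref_id INTEGER, system TEXT, value TEXT{extra})")
    return con


def import_scores(con, scores, severity_on_vulnerability):
    for vuln_id, url, system, value in scores:
        # get_or_create on the unique URL: every SUSE score maps to ONE reference row
        con.execute("INSERT OR IGNORE INTO reference(url) VALUES (?)", (url,))
        ref_id = con.execute("SELECT id FROM reference WHERE url=?", (url,)).fetchone()[0]
        con.execute("INSERT OR IGNORE INTO vuln_ref VALUES (?,?)", (vuln_id, ref_id))
        if severity_on_vulnerability:
            con.execute("INSERT INTO severity VALUES (?,?,?,?)", (ref_id, system, value, vuln_id))
        else:
            con.execute("INSERT INTO severity VALUES (?,?,?)", (ref_id, system, value))


def severities_for(con, vuln_id, severity_on_vulnerability):
    """Score values a UI would display for one vulnerability."""
    if severity_on_vulnerability:
        rows = con.execute("SELECT value FROM severity WHERE vuln_id=?", (vuln_id,))
    else:
        # Buggy join: vulnerability -> shared reference -> EVERY severity on it
        rows = con.execute("SELECT s.value FROM vuln_ref vr JOIN severity s "
                           "ON s.ref_id=vr.ref_id WHERE vr.vuln_id=?", (vuln_id,))
    return sorted(r[0] for r in rows)


def demo(severity_on_vulnerability: bool) -> dict:
    con = build_db(severity_on_vulnerability)
    import_scores(con, SAMPLE_SCORES, severity_on_vulnerability)
    return {v: severities_for(con, v, severity_on_vulnerability) for v in ("VCID-1", "VCID-2")}
```

With the buggy shape both vulnerabilities report the union of scores, which is the identical severity set seen in the screenshots; with the severity keyed to the vulnerability each one reports only its own score.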

We should have severity on the vulnerability and on the package-vulnerability relationship; if we don't have severity on the package-vulnerability relationship, then we should use only the vulnerability severity.

TG1999 avatar Sep 24 '24 15:09 TG1999

  • Start with tests to see what's breaking
  • Refactor the VulnerabilitySeverity model, disassociate severity from reference, and attach severity to the vulnerability and package-vulnerability relationship

TG1999 avatar Sep 24 '24 15:09 TG1999

Blocked by this https://github.com/aboutcode-org/vulnerablecode/pull/1612

TG1999 avatar Oct 15 '24 15:10 TG1999

Here are a few practical todos:

  1. We need to disable the display of score ranges in the VCIO and DJCD web UI, and remove it from the APIs
  2. The "Package vulnerability risk" index designed in https://github.com/aboutcode-org/vulnerablecode/issues/1543 will be the way to go and is under review in https://github.com/aboutcode-org/vulnerablecode/pull/1593

pombredanne avatar Oct 31 '24 15:10 pombredanne

@nnobelis Thanks for pointing this out. This has now been fixed in #1636. The correct SUSE score should be available on https://public.vulnerablecode.io/ after the next release.

Before: Screenshot from 2024-09-23 14-01-15
After: Screenshot from 2024-11-13 22-42-15

Before: Screenshot from 2024-09-23 14-01-02
After: Screenshot from 2024-11-13 22-42-38

keshav-space avatar Nov 13 '24 17:11 keshav-space