dep-scan
Log4J (CVE-2021-44228) was considered a low-severity vulnerability
I have scanned a vulnerable log4j repo just for testing and found that CVE-2021-44228 is considered low severity.
Repository used for scanning: https://github.com/christophetd/log4shell-vulnerable-app
Attaching the screenshot for reference:
Thanks, @kakumanivrn, for raising this issue. This is fixed with 2.1.4
Perhaps a bug, or the format of the OSV schema changed recently: severity now appears at the root instead of under the affected array in the OSV feed. https://github.com/AppThreat/vulnerability-db/commit/a45fc845257b963f079130d504debae3ea7282ec
@prabhu thank you so much for the quick fix! Is this because of the static severity or due to using an older version of the vulnerability database? I see that you are using a static version of the vulnerability database. Can this be automated?
@prabhu I have updated the dep-scan using pip command but still I am getting the same old issue. Is there anything else I need to update?
These are the commands I used to update the libraries:
sudo npm install -g @appthreat/cdxgen
pip install appthreat-vulnerability-db -U
pip install appthreat-depscan -U
@kakumanivrn Could you remove the existing vulnerability database? The location is printed by depscan; it is usually $HOME/.local/share/vdb
Thanks @prabhu! This worked after I deleted the db files and cached again.
But I also did --cache and --sync before deleting the files, and somehow the files were not really replaced. I think it might be a bug in vdb. I tried understanding the code but I wasn't able to figure it out.
--clean is used to remove the database. Both --cache and --sync append to the existing database.