Apply heuristics to divine pURLs from CVERecords iff possible.
Fixes #763
1 parent
7c65d51
commit ff0fdd0
Showing
4 changed files
with
295 additions
and
4 deletions.
@@ -0,0 +1,165 @@ | ||
{ | ||
"dataType": "CVE_RECORD", | ||
"dataVersion": "5.1", | ||
"cveMetadata": { | ||
"cveId": "CVE-2024-26308", | ||
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", | ||
"state": "PUBLISHED", | ||
"assignerShortName": "apache", | ||
"dateReserved": "2024-02-17T22:08:44.423Z", | ||
"datePublished": "2024-02-19T08:31:50.192Z", | ||
"dateUpdated": "2024-08-02T00:07:19.215Z" | ||
}, | ||
"containers": { | ||
"cna": { | ||
"affected": [ | ||
{ | ||
"collectionURL": "https://repo.maven.apache.org/maven2/", | ||
"defaultStatus": "unaffected", | ||
"packageName": "org.apache.commons:commons-compress", | ||
"product": "Apache Commons Compress", | ||
"vendor": "Apache Software Foundation", | ||
"versions": [ | ||
{ | ||
"lessThan": "1.26.0", | ||
"status": "affected", | ||
"version": "1.21", | ||
"versionType": "semver" | ||
} | ||
] | ||
} | ||
], | ||
"credits": [ | ||
{ | ||
"lang": "en", | ||
"type": "reporter", | ||
"value": "Yakov Shafranovich, Amazon Web Services" | ||
} | ||
], | ||
"descriptions": [ | ||
{ | ||
"lang": "en", | ||
"supportingMedia": [ | ||
{ | ||
"base64": false, | ||
"type": "text/html", | ||
"value": "Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.<p>This issue affects Apache Commons Compress: from 1.21 before 1.26.</p><p>Users are recommended to upgrade to version 1.26, which fixes the issue.</p>" | ||
} | ||
], | ||
"value": "Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26.\n\nUsers are recommended to upgrade to version 1.26, which fixes the issue.\n\n" | ||
} | ||
], | ||
"metrics": [ | ||
{ | ||
"other": { | ||
"content": { | ||
"text": "moderate" | ||
}, | ||
"type": "Textual description of severity" | ||
} | ||
} | ||
], | ||
"problemTypes": [ | ||
{ | ||
"descriptions": [ | ||
{ | ||
"cweId": "CWE-770", | ||
"description": "CWE-770 Allocation of Resources Without Limits or Throttling", | ||
"lang": "en", | ||
"type": "CWE" | ||
} | ||
] | ||
} | ||
], | ||
"providerMetadata": { | ||
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", | ||
"shortName": "apache", | ||
"dateUpdated": "2024-02-19T08:31:50.192Z" | ||
}, | ||
"references": [ | ||
{ | ||
"tags": [ | ||
"vendor-advisory" | ||
], | ||
"url": "https://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg" | ||
}, | ||
{ | ||
"url": "http://www.openwall.com/lists/oss-security/2024/02/19/2" | ||
}, | ||
{ | ||
"url": "https://security.netapp.com/advisory/ntap-20240307-0009/" | ||
} | ||
], | ||
"source": { | ||
"discovery": "EXTERNAL" | ||
}, | ||
"title": "Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file", | ||
"x_generator": { | ||
"engine": "Vulnogram 0.1.0-dev" | ||
} | ||
}, | ||
"adp": [ | ||
{ | ||
"metrics": [ | ||
{ | ||
"other": { | ||
"type": "ssvc", | ||
"content": { | ||
"id": "CVE-2024-26308", | ||
"role": "CISA Coordinator", | ||
"options": [ | ||
{ | ||
"Exploitation": "none" | ||
}, | ||
{ | ||
"Automatable": "no" | ||
}, | ||
{ | ||
"Technical Impact": "partial" | ||
} | ||
], | ||
"version": "2.0.3", | ||
"timestamp": "2024-02-22T17:49:36.910764Z" | ||
} | ||
} | ||
} | ||
], | ||
"title": "CISA ADP Vulnrichment", | ||
"providerMetadata": { | ||
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", | ||
"shortName": "CISA-ADP", | ||
"dateUpdated": "2024-07-05T17:21:56.918Z" | ||
} | ||
}, | ||
{ | ||
"providerMetadata": { | ||
"orgId": "af854a3a-2127-422b-91ae-364da2661108", | ||
"shortName": "CVE", | ||
"dateUpdated": "2024-08-02T00:07:19.215Z" | ||
}, | ||
"title": "CVE Program Container", | ||
"references": [ | ||
{ | ||
"tags": [ | ||
"vendor-advisory", | ||
"x_transferred" | ||
], | ||
"url": "https://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg" | ||
}, | ||
{ | ||
"url": "http://www.openwall.com/lists/oss-security/2024/02/19/2", | ||
"tags": [ | ||
"x_transferred" | ||
] | ||
}, | ||
{ | ||
"url": "https://security.netapp.com/advisory/ntap-20240307-0009/", | ||
"tags": [ | ||
"x_transferred" | ||
] | ||
} | ||
] | ||
} | ||
] | ||
} | ||
} |
@@ -0,0 +1,33 @@ | ||
//! Helpers to try to divine pURLs from arbitrary bits of information. | ||
|
||
use cve::common::Product; | ||
use trustify_common::purl::Purl; | ||
|
||
pub fn divine_purl(product: &Product) -> Option<Purl> { | ||
divine_maven(product) | ||
// add more here as we determine the correct heuristics | ||
} | ||
|
||
fn divine_maven(product: &Product) -> Option<Purl> { | ||
if matches!( &product.collection_url, Some(url) if url == "https://repo.maven.apache.org/maven2/" ) | ||
{ | ||
if let Some(package_name) = &product.package_name { | ||
let parts = package_name.split(':').collect::<Vec<_>>(); | ||
|
||
if parts.len() == 2 { | ||
let group_id = parts[0]; | ||
let artifact_id = parts[1]; | ||
|
||
return Some(Purl { | ||
ty: "maven".to_string(), | ||
namespace: Some(group_id.to_string()), | ||
name: artifact_id.to_string(), | ||
version: None, | ||
qualifiers: Default::default(), | ||
}); | ||
} | ||
} | ||
} | ||
|
||
None | ||
} |
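Review bot: `divine_maven` accepts a `packageName` such as `"org.apache:"` or `":commons-compress"` — `parts.len() == 2` holds, yet the resulting `Purl` has an empty `namespace` or `name`, and that malformed identifier is then presumably used for matching downstream; since the coordinates come straight out of the ingested CVE record, the heuristic should reject empty components rather than emit them. `split_once(':')` expresses the two-part requirement more directly than collecting into a `Vec`, with an explicit `contains(':')` check to keep the original "exactly two parts" semantics. It also looks like the `collection_url` comparison is an exact string match, so a record written without the trailing slash would silently get no pURL — worth a comment stating that this is deliberate, or a `trim_end_matches('/')` if it is not. Separately, the public `divine_purl` has no rustdoc; a summary such as `/// Best-effort derivation of a pURL from a CVE `Product`; returns `None` when no heuristic applies (currently only Maven Central coordinates are recognised).` would help callers understand that a `None` is expected, not an error.
```rust
fn divine_maven(product: &Product) -> Option<Purl> {
    // … unchanged: collection_url check …
    if let Some(package_name) = &product.package_name {
        // Reject empty or over-split coordinates so a malformed record
        // cannot yield a pURL with an empty namespace or name.
        if let Some((group_id, artifact_id)) = package_name.split_once(':') {
            if !group_id.is_empty() && !artifact_id.is_empty() && !artifact_id.contains(':') {
                return Some(Purl {
                    // … unchanged: field construction …
                });
            }
        }
    }
    None
}
```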
@@ -1 +1,3 @@ | ||
pub mod loader; | ||
|
||
pub mod divination; |