bitnami / vulndb
The Bitnami Vulnerability Database
License: Apache License 2.0
Minor OSV discrepancy
Current bitnami advisories seem to encode the ecosystem name as "bitnami" (all lowercase).
e.g.
vulndb/data/activemq/BIT-2020-11998.json
Line 11 in 32679c1
The ecosystem names in the OSV schema (https://ossf.github.io/osv-schema/#affectedpackage-field) are case sensitive. The ecosystem string should be encoded with an uppercase B.
e.g.
"package": {
"ecosystem": "Bitnami",
"name": "activemq",
"purl": "pkg:bitnami/activemq"
},
"package": {
"ecosystem": "bitnami",
"name": "activemq",
"purl": "pkg:bitnami/activemq"
},
The Bitnami advisory has a wrong introduced version here.
"events": [
{
"introduced": "0"
},
{
"fixed": "20.8.0"
}
]
However, according to the Node team, only Node 20 users are affected:
Path traversal through path stored in Uint8Array (High) - (CVE-2023-39332)
...
Impacts:
- This vulnerability affects all users using the experimental permission model in Node.js 20.x.
Please note that at the time this CVE is issued, the permission model is an experimental feature of Node.js.
Ideally, it should have a better introduced version:
"events": [
{
"introduced": "20.0.0"
},
{
"fixed": "20.8.0"
}
]
"events": [
{
"introduced": "0"
},
{
"fixed": "20.8.0"
}
]
Same issue for CVE-2023-39331, which also affected only Node 20 users.
CVE-2020-12603
The Bitnami advisory has only introduced versions here.
vulndb/data/envoy/BIT-2020-12603.json
Lines 33 to 48 in c75104a
However, the vulnerability should be fixed by 1.14.3 and 1.13.3.
GHSA-pc38-4q6c-85p6
https://groups.google.com/g/envoy-announce/c/qrrF8klFl-I/m/nz12XtqmAAAJ?pli=1
NVD pins the exact version.
https://nvd.nist.gov/vuln/detail/CVE-2020-12603
cpe:2.3:a:envoyproxy:envoy:1.13.2:*:*:*:*:*:*:*
cpe:2.3:a:envoyproxy:envoy:1.14.2:*:*:*:*:*:*:*
There are two problems.
Ideally, it should have the fixed version.
{
"type": "SEMVER",
"events": [
{
"introduced": "1.13.2"
},
{
"fixed": "1.13.3"
}
]
},
At least, it should pin the affected version.
{
"type": "SEMVER",
"events": [
{
"introduced": "1.13.2"
},
{
"last_affected": "1.13.2"
}
]
},
or
versions:
- 1.13.2
I gave an example of 1.13.x, but 1.14.x is the same.
{
"type": "SEMVER",
"events": [
{
"introduced": "1.13.2"
}
]
},
Same vulnerability IDs used for distinct entries.
For instance, there are two versions of BIT-2023-39999:
Vulnerability IDs should be unique.
These two entries should be either consolidated into a single entry (with different affected ranges referring to the distinct packages), or have different IDs.
There are two instances of e.g. BIT-2023-39999
$ pipenv run python -m osv.analyze_tool --analyze_git=true --format=json /tmp/BIT-rails-2021-44528.json
INFO:root:Analyzing /tmp/BIT-rails-2021-44528.json
Traceback (most recent call last):
File "<frozen runpy>", line 198, in _run_module_as_main
File "<frozen runpy>", line 88, in _run_code
File "/usr/local/google/home/apollock/gosst/osv/osv.dev/osv/analyze_tool/__main__.py", line 19, in <module>
main()
File "/usr/local/google/home/apollock/gosst/osv/osv.dev/osv/analyze_tool/__init__.py", line 88, in main
analyze(path, args.checkout_path, args.key_path, analyze_git,
File "/usr/local/google/home/apollock/gosst/osv/osv.dev/osv/analyze_tool/__init__.py", line 101, in analyze
result = impact.analyze(
^^^^^^^^^^^^^^^
File "/usr/local/google/home/apollock/gosst/osv/osv.dev/osv/impact.py", line 648, in analyze
enumerate_versions(affected.package.name, ecosystem_helpers,
File "/usr/local/google/home/apollock/gosst/osv/osv.dev/osv/impact.py", line 490, in enumerate_versions
sorted_events.sort(key=sort_key)
File "/usr/local/google/home/apollock/gosst/osv/osv.dev/osv/impact.py", line 482, in sort_key
return ecosystem.sort_key(event.introduced)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/google/home/apollock/gosst/osv/osv.dev/osv/ecosystems/semver_ecosystem_helper.py", line 25, in sort_key
return semver_index.parse(version)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/google/home/apollock/gosst/osv/osv.dev/osv/semver_index.py", line 104, in parse
return semver.Version.parse(coerce(version))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/google/home/apollock/.local/share/virtualenvs/osv.dev-cTOZqQPe/lib/python3.11/site-packages/semver/version.py", line 646, in parse
raise ValueError(f"{version} is not valid SemVer string")
ValueError: 6.0.4.2 is not valid SemVer string
The version used passes SemVer validation
The version does not pass SemVer validation
I have not exhaustively reviewed the remaining records to see how widespread this problem is.
Either the versions should be SemVer compliant, or the ranges[].type should be ECOSYSTEM.
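A single stdlib-only Python check covering the defects raised in the issues above: the lowercase ecosystem name, ranges that carry only an introduced event, one ID shared by two entries, and SEMVER ranges holding non-SemVer versions such as 6.0.4.2. This is an added example, not part of vulndb or osv.dev; the sample records are constructed, the SemVer pattern is the semver.org grammar standing in for the semver package, and "Bitnami" as the expected ecosystem string comes from the discrepancy issue.

```python
import json
import re
from collections import Counter

# SemVer 2.0.0 grammar from semver.org, standing in for the semver package.
SEMVER_RE = re.compile(
    r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
    r"(?:-(?:0|[1-9]\d*|\d*[A-Za-z-][0-9A-Za-z-]*)"
    r"(?:\.(?:0|[1-9]\d*|\d*[A-Za-z-][0-9A-Za-z-]*))*)?"
    r"(?:\+[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*)?$"
)

def lint_record(record):
    """Return findings for one parsed OSV record (empty list when clean)."""
    rid = record.get("id", "<no id>")
    findings = []
    for aff in record.get("affected", []):
        eco = aff.get("package", {}).get("ecosystem")
        if eco != "Bitnami":  # OSV ecosystem names are case sensitive
            findings.append(f"{rid}: ecosystem {eco!r} should be 'Bitnami'")
        for rng in aff.get("ranges", []):
            events = rng.get("events", [])
            closed = any("fixed" in e or "last_affected" in e for e in events)
            # An "introduced" with no upper bound marks every later version affected.
            if not closed and not aff.get("versions"):
                findings.append(f"{rid}: range has no fixed/last_affected event")
            if rng.get("type") == "SEMVER":
                for value in (v for e in events for v in e.values()):
                    if value != "0" and not SEMVER_RE.match(value):
                        findings.append(f"{rid}: {value!r} is not SemVer; "
                                        "fix the version or use type ECOSYSTEM")
    return findings

def lint_database(records):
    # Per-record findings plus IDs that more than one entry claims.
    findings = [f for r in records for f in lint_record(r)]
    for rid, n in Counter(r.get("id") for r in records).items():
        if n > 1:
            findings.append(f"{rid}: id used by {n} distinct entries")
    return findings

# Constructed sample records (not real vulndb files), one per defect.
SAMPLE = json.loads("""[
 {"id": "BIT-EXAMPLE-1", "affected": [{"package": {"ecosystem": "bitnami", "name": "rails"},
   "ranges": [{"type": "SEMVER", "events": [{"introduced": "6.0.0"}, {"fixed": "6.0.4.2"}]}]}]},
 {"id": "BIT-EXAMPLE-2", "affected": [{"package": {"ecosystem": "Bitnami", "name": "envoy"},
   "ranges": [{"type": "SEMVER", "events": [{"introduced": "1.13.2"}]}]}]},
 {"id": "BIT-EXAMPLE-2", "affected": [{"package": {"ecosystem": "Bitnami", "name": "node"},
   "ranges": [{"type": "SEMVER", "events": [{"introduced": "20.0.0"}, {"fixed": "20.8.0"}]}]}]}
]""")
```

Calling lint_database(SAMPLE) yields four findings; the duplicate-ID check only works across a whole set of records, so feed it every file in the data tree rather than one advisory at a time.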
The Bitnami advisory has partial fixed versions here:
vulndb/data/node/BIT-node-2023-30581.json
Line 29 in 6cc3d1f
"events": [
{
"introduced": "16.0.0"
},
{
"fixed": "20.6.1"
}
]
However, according to the Node team, CVE-2023-30581 is part of Node 16.20.1:
Notable Changes
The following CVEs are fixed in this release:
CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
And also Node 18.16.1: https://nodejs.org/en/blog/release/v18.16.1
Not sure, but something like this:
"events": [
{
"introduced": "16.0.0"
},
{
"fixed": "16.20.1"
},
{
"introduced": "18.0.0"
},
{
"fixed": "18.16.1"
},
{
"introduced": "20.0.0"
},
{
"fixed": "20.6.1"
}
]
"events": [
{
"introduced": "16.0.0"
},
{
"fixed": "20.6.1"
}
]
SEMVER ranges could be flattened
Currently, OSV entries with multiple SEMVER ranges are provided separately:
{
"type": "SEMVER",
"events": [
{
"introduced": "4.1.0"
},
{
"fixed": "4.1.38"
}
]
},
{
"type": "SEMVER",
"events": [
{
"introduced": "4.2.0"
},
{
"fixed": "4.2.35"
}
]
},
{
"type": "SEMVER",
"events": [
{
"introduced": "4.3.0"
},
{
"fixed": "4.3.31"
}
]
},
Instead, it's more concise (and preferred) to flatten these into:
{
"type": "SEMVER",
"events": [
{
"introduced": "4.1.0"
},
{
"fixed": "4.1.38"
},
{
"introduced": "4.2.0"
},
{
"fixed": "4.2.35"
},
...
]
},
Flatten the version ranges.
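The flattening requested above, as an added example that is not vulndb tooling: merge every SEMVER range of one affected entry into a single events list and sort it by version. The sample entry is constructed from the three ranges shown in the issue; the sort key uses only the numeric MAJOR.MINOR.PATCH core, so prerelease ordering is out of scope here.

```python
# Tie-break for events at the same version: an "introduced" sorts before the
# event that closes the range; "limit" comes last.
EVENT_ORDER = {"introduced": 0, "fixed": 1, "last_affected": 1, "limit": 2}

def _version_key(event):
    kind, version = next(iter(event.items()))
    # Numeric core only ("20.8.0-rc.1" -> (20, 8, 0)); the OSV "0" sorts first.
    core = tuple(int(p) for p in version.split("-")[0].split("+")[0].split("."))
    return core, EVENT_ORDER.get(kind, 3)

def flatten_semver_ranges(affected):
    """Return a copy of one OSV 'affected' entry whose SEMVER ranges are merged
    into a single range. Ranges of other types (GIT, ECOSYSTEM) pass through."""
    merged_events, kept = [], []
    for rng in affected.get("ranges", []):
        if rng.get("type") == "SEMVER":
            merged_events.extend(rng.get("events", []))
        else:
            kept.append(rng)
    if merged_events:
        merged_events.sort(key=_version_key)
        kept.insert(0, {"type": "SEMVER", "events": merged_events})
    return {**affected, "ranges": kept}

# Constructed sample modelled on the three separate ranges discussed above.
SAMPLE_AFFECTED = {
    "package": {"ecosystem": "Bitnami", "name": "example"},
    "ranges": [
        {"type": "SEMVER", "events": [{"introduced": "4.1.0"}, {"fixed": "4.1.38"}]},
        {"type": "SEMVER", "events": [{"introduced": "4.2.0"}, {"fixed": "4.2.35"}]},
        {"type": "SEMVER", "events": [{"introduced": "4.3.0"}, {"fixed": "4.3.31"}]},
    ],
}
```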