
Why do all vulnerabilities under Advisories have "NONE" as severity? #278

Closed
carlosthe19916 opened this issue May 14, 2024 · 4 comments · Fixed by #337
Labels: frontend (Frontend related code changes)

Comments

@carlosthe19916
Member

carlosthe19916 commented May 14, 2024

  • The current endpoint GET /api/v1/advisory returns something like:
{
    "items": [
        {
            "identifier": "RHBA-2022:1352",
            "sha256": "f731216d1e36e974faffb05e55a585da0297a2a1ebff56d98dee5a884a9bc067",
            "issuer": "Red Hat Product Security",
            "published": "2022-04-13T14:30:05Z",
            "modified": "2024-05-02T19:23:44Z",
            "title": "Red Hat Bug Fix Advisory: .NET Core 3.1 on RHEL 7 bugfix update",
            "vulnerabilities": [
                {
                    "identifier": "CVE-2022-0613",
                    "title": null,
                    "published": null,
                    "modified": null,
                    "withdrawn": null,
                    "severity": "none",
                    "score": 0.0
                }
            ]
        }
    ],
    "total": 123
}
  • I noticed that ALL vulnerabilities under the Advisory entity have "none" as severity. Is it just a coincidence that we don't have other types of severity? I mean, do all Red Hat CSAF files we currently import have "none" as severity? If so, that is fine, it just looks suspicious.

  • I got the impression that the v1 of Trustification didn't even have a single "none" as severity.

Screenshot from 2024-05-14 09-59-10

I wouldn't consider this as a bug, yet. If anyone can confirm the current "none" severity are actually correct, we can close this issue.

@ctron
Contributor

ctron commented May 14, 2024

Indeed NONE is technically possible (https://nvd.nist.gov/vuln-metrics/cvss), however I think in this case it's a bug.

@carlosthe19916 carlosthe19916 added the frontend Frontend related code changes label May 14, 2024
@bobmcwhirter
Contributor

Did yesterday's PR fix this, or is it still open?

@carlosthe19916
Member Author

carlosthe19916 commented May 17, 2024

Did yesterday's PR fix this, or is it still open?

@bobmcwhirter It is still a problem. How to reproduce it:

  • Upload CVE-2023-20862.json
  • Get the list of advisories through GET /api/v1/advisory
  • You will get a response like:
{
    "items": [
        {
            "identifier": "CVE-2023-20862",
            "sha256": "e6a2bc1084c77809af965dc4facb0c28aca67210f054eb8de4778190b8c6347e",
            "issuer": {
                "id": 1,
                "name": "Red Hat Product Security",
                "cpe_key": null,
                "website": null
            },
            "published": "2023-04-19T00:00:00Z",
            "modified": "2023-11-14T22:09:12Z",
            "title": "spring-security: Empty SecurityContext Is Not Properly Saved Upon Logout",
            "average_severity": null,
            "average_score": null,
            "vulnerabilities": [
                {
                    "identifier": "CVE-2023-20862",
                    "severity": "none",
                    "score": 0.0
                }
            ]
        }
    ],
    "total": 1
}

You can see that the severity of the vulnerability within the advisory is "none". However, inspecting the advisory file, I can confirm it is definitely not "none" but "low".

Screenshot from 2024-05-17 13-57-08

@bobmcwhirter
Contributor

Ah, so our CSAF ingestor seems to not be ingesting scores.

https://github.com/trustification/trustify/blob/main/modules/ingestor/src/service/advisory/csaf/loader.rs
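The reproduction above (a vulnerability reported as "none"/0.0 although the CSAF file says "low") and the diagnosis that the CSAF ingestor is not picking up scores both come down to the same step: reading `vulnerabilities[].scores[].cvss_v3` out of the CSAF document and deriving the qualitative rating from the base score. The following is an added, stand-alone Python illustration of that step; it is not trustify's loader and does not reproduce its Rust code. It assumes the CSAF 2.0 JSON layout for `scores` (a `cvss_v3` object with `baseScore`/`baseSeverity`, plus a `products` list), uses the CVSS v3.x rating table published by NVD/FIRST, and, as a design choice of this example, takes the highest base score when a vulnerability carries several score entries. The sample document is constructed for the example; its CVE identifiers and scores are placeholders, not real advisory data. The important behaviour for this issue is that a vulnerability with no score block is left as null rather than silently defaulted to "none"/0.0, and that a file whose declared `baseSeverity` disagrees with its own `baseScore` is flagged rather than trusted.

```python
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample CSAF 2.0 document (placeholder identifiers and scores,
# NOT a real Red Hat advisory). Three cases: a normal scored vulnerability,
# one with no scores[] block at all, and one whose declared baseSeverity
# does not match its baseScore.
SAMPLE_CSAF = json.dumps({
    "document": {
        "title": "Constructed sample advisory",
        "aggregate_severity": {"text": "Low"},
    },
    "vulnerabilities": [
        {
            "cve": "CVE-0000-0001",
            "scores": [{
                "cvss_v3": {
                    "version": "3.1",
                    "baseScore": 3.7,
                    "baseSeverity": "LOW",
                    "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
                },
                "products": ["product-a"],
            }],
        },
        {"cve": "CVE-0000-0002"},  # no scores[] block: nothing to ingest
        {
            "cve": "CVE-0000-0003",
            "scores": [{
                "cvss_v3": {"version": "3.1", "baseScore": 5.0, "baseSeverity": "LOW"},
                "products": ["product-b"],
            }],
        },
    ],
})


def cvss_v3_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating (NVD/FIRST table)."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


@dataclass
class IngestedVuln:
    identifier: str
    score: Optional[float]     # None when the CSAF file carries no usable score
    severity: Optional[str]    # None likewise; never defaulted to "none"


def ingest_vulnerabilities(csaf_json: str) -> List[IngestedVuln]:
    """Extract one (score, severity) pair per vulnerability from a CSAF document."""
    doc = json.loads(csaf_json)
    out: List[IngestedVuln] = []
    for vuln in doc.get("vulnerabilities", []):
        ident = vuln.get("cve") or "unknown"
        best: Optional[float] = None
        for entry in vuln.get("scores", []):
            cvss = entry.get("cvss_v3")
            if not isinstance(cvss, dict):
                continue
            try:
                base = float(cvss["baseScore"])
            except (KeyError, TypeError, ValueError):
                continue  # malformed entry: skip it instead of inventing 0.0
            # Assumption of this example: keep the highest base score across entries.
            if best is None or base > best:
                best = base
        if best is None:
            out.append(IngestedVuln(ident, None, None))
        else:
            out.append(IngestedVuln(ident, best, cvss_v3_severity(best)))
    return out


def unscored(vulns: List[IngestedVuln]) -> List[str]:
    """Identifiers that came out of ingestion without any score (worth a log line)."""
    return [v.identifier for v in vulns if v.score is None]


def declared_severity_mismatches(csaf_json: str) -> List[Tuple[str, str, str]]:
    """(cve, declared, computed) for score entries whose baseSeverity disagrees
    with the rating implied by baseScore; catches inconsistent source files."""
    doc = json.loads(csaf_json)
    mismatches = []
    for vuln in doc.get("vulnerabilities", []):
        for entry in vuln.get("scores", []):
            cvss = entry.get("cvss_v3") or {}
            if "baseScore" not in cvss or "baseSeverity" not in cvss:
                continue
            declared = str(cvss["baseSeverity"]).lower()
            computed = cvss_v3_severity(float(cvss["baseScore"]))
            if declared != computed:
                mismatches.append((vuln.get("cve", "unknown"), declared, computed))
    return mismatches


if __name__ == "__main__":
    for v in ingest_vulnerabilities(SAMPLE_CSAF):
        print(v)
    print("unscored:", unscored(SAMPLE_CSAF and ingest_vulnerabilities(SAMPLE_CSAF)))
    print("mismatches:", declared_severity_mismatches(SAMPLE_CSAF))
```

Run as a script it prints the three ingested records, the identifier that had no score, and the one entry whose declared severity disagrees with its score. Keeping `score`/`severity` as null for unscored vulnerabilities is what makes the API response distinguishable from a genuine CVSS "None" (0.0) rating, which, as noted above, is technically possible but would be a surprising value for every imported advisory.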

@jcrossley3 jcrossley3 self-assigned this May 23, 2024
jcrossley3 added a commit to jcrossley3/trustify that referenced this issue May 23, 2024
Fixes: trustification#278

Ported test over from OSV's loader, but commented out quite a bit
since the ingestion of the product statuses seems incomplete.

Signed-off-by: Jim Crossley <jim@crossleys.org>
github-merge-queue bot pushed a commit that referenced this issue May 23, 2024
Fixes: #278

Ported test over from OSV's loader, but commented out quite a bit
since the ingestion of the product statuses seems incomplete.

Signed-off-by: Jim Crossley <jim@crossleys.org>
@github-project-automation github-project-automation bot moved this to Done in Trustify May 23, 2024