One additional source of statements could be the list of known malicious packages maintained at https://github.com/dasfreak/Backstabbers-Knife-Collection.
It contains a file package_index.csv with the following columns: Type, Package Name, Affected Version, Published, Reported, Sample, Injection Component, Obfuscation, Trigger, Conditional, Targeted OS, Objective, Details, Source, Comment, Typo Target, Campaign, Location of malicious snippet. See here for a detailed description of those columns.
The first three columns can be used to create one or more PURLs for artifacts; (some of) the other columns can be used for the description and references.
For every CSV entry with a valid URL in field Source and specific versions in field Affected Version (thus, no empty fields or *), a statement shall be generated as follows:
Statement ID must be composed as follows: <Package Name>-<yyyy of Published>. Note: Other fields were excluded, since their values might be subject to future change, which would alter the identifiers of existing statements.
Statement text will be created out of several fields: Malicious package with objective <Objective> (<Details>). Affects <all operating systems|Targeted OS>. Malicious code is executed [depending on <Conditional>] during <Trigger>. The square brackets are omitted in case the field Conditional==Operating System || Unconditional.
Example statement for nodemailer.js:
```yaml
vulnerability_id: nodemailer.js-2017
notes:
  - text: Malicious package with objective data exfiltration (steals environment variables and sends them to attacker controlled locations). Affects all operating systems. Malicious code is executed during install.
  - link: https://www.npmjs.com/advisories/511
  - link: https://github.com/dasfreak/Backstabbers-Knife-Collection
artifacts:
  - id: pkg:npm/[email protected]
    reason: Backstabber Collection
    affected: true
  - id: pkg:npm/[email protected]
    reason: Backstabber Collection
    affected: true
```
Re: IDs: fine for me, but I would add a "counter" segment to the name, in case there should be multiple "vulnerabilities" for the same component in a given year.
Something like:
nodemailer.js-001-2017
Also, remember that besides the ID, a statement can indicate alternative identifiers (aliases), which leaves us the flexibility to adapt in the future, if needed.
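The generation rules proposed above (eligibility filter, ID scheme, statement text template, PURLs from the first three columns), with the counter segment suggested in the reply, as an added example. This is not code from the issue, from project-kb or from the Backstabbers-Knife-Collection repository. Assumptions beyond what the thread states: the CSV rows below are constructed with made-up package names and URLs; several affected versions in one cell are separated by ';'; an empty Details field drops the parenthetical; an empty Conditional is treated as Unconditional; the YAML is rendered by a minimal hand-rolled function rather than a YAML library.

```python
import csv
import io
import re
from collections import Counter
from urllib.parse import quote

COLLECTION_URL = "https://github.com/dasfreak/Backstabbers-Knife-Collection"
REASON = "Backstabber Collection"
URL_RE = re.compile(r"^https?://\S+$")
VERSION_SEP = ";"  # assumption: several affected versions in one cell are ';'-separated

# Constructed sample rows with made-up package names and URLs; not taken from
# the real package_index.csv. Only the columns the rules use are filled in.
SAMPLE_CSV = (
    "Type,Package Name,Affected Version,Published,Reported,Sample,"
    "Injection Component,Obfuscation,Trigger,Conditional,Targeted OS,"
    "Objective,Details,Source,Comment,Typo Target,Campaign,"
    "Location of malicious snippet\n"
    # two entries for the same package in the same year -> ID needs the counter
    "npm,example-mailer,1.0.1;1.0.2,2017-08-01,,,,,install,Unconditional,,"
    "data exfiltration,steals environment variables,https://example.invalid/adv/1,,,,\n"
    "npm,example-mailer,1.1.0,2017-11-20,,,,,runtime,Existence of file,Linux,"
    "backdoor,opens a reverse shell,https://example.invalid/adv/2,,,,\n"
    # skipped: Affected Version is '*'
    "pypi,wildcard-pkg,*,2018-03-03,,,,,install,Unconditional,,backdoor,,"
    "https://example.invalid/adv/3,,,,\n"
    # skipped: Source is not a URL
    "pypi,no-source-pkg,1.0.0,2018-03-03,,,,,install,Unconditional,,backdoor,,"
    "see mailing list,,,,\n"
    # scoped npm name: the '@' has to be percent-encoded inside the PURL
    "npm,@acme/typo-pkg,0.1.0,2019-01-01,,,,,install,Operating System,Windows,"
    "dropper,downloads a second stage,https://example.invalid/adv/4,,,,\n"
)


def _field(row, col):
    return (row.get(col) or "").strip()


def is_eligible(row):
    """Rule from the proposal: Source is a URL and Affected Version names specific versions."""
    versions = _field(row, "Affected Version")
    return bool(URL_RE.match(_field(row, "Source"))) and versions not in ("", "*")


def purls(row):
    """One PURL per affected version, built from Type, Package Name, Affected Version."""
    ptype = _field(row, "Type").lower()
    name = quote(_field(row, "Package Name"), safe="/")  # '@scope/x' -> '%40scope/x'
    return [f"pkg:{ptype}/{name}@{v.strip()}"
            for v in _field(row, "Affected Version").split(VERSION_SEP) if v.strip()]


def statement_text(row):
    """Fill the proposed template; the bracketed 'depending on' part is optional."""
    text = f"Malicious package with objective {_field(row, 'Objective')}"
    if _field(row, "Details"):  # assumption: no empty '()' when Details is blank
        text += f" ({_field(row, 'Details')})"
    text += f". Affects {_field(row, 'Targeted OS') or 'all operating systems'}."
    text += " Malicious code is executed"
    cond = _field(row, "Conditional")
    if cond not in ("", "Operating System", "Unconditional"):
        text += f" depending on {cond}"
    return text + f" during {_field(row, 'Trigger')}."


def generate_statements(csv_text, counter=True):
    """Return one statement dict per eligible row.

    With counter=True the ID is <name>-<NNN>-<yyyy> whenever several rows share
    package name and year; with counter=False such rows would collide, so we fail.
    """
    rows = [r for r in csv.DictReader(io.StringIO(csv_text)) if is_eligible(r)]
    keys = [(_field(r, "Package Name"), _field(r, "Published")[:4]) for r in rows]
    per_key, seen, statements = Counter(keys), Counter(), []
    for row, (name, year) in zip(rows, keys):
        if not re.fullmatch(r"\d{4}", year):
            continue  # no publication year -> no stable ID, skip the row
        if per_key[(name, year)] > 1:
            if not counter:
                raise ValueError(f"duplicate statement id {name}-{year}")
            seen[(name, year)] += 1
            vuln_id = f"{name}-{seen[(name, year)]:03d}-{year}"
        else:
            vuln_id = f"{name}-{year}"
        statements.append({
            "vulnerability_id": vuln_id,
            "notes": [{"text": statement_text(row)},
                      {"link": _field(row, "Source")},
                      {"link": COLLECTION_URL}],
            "artifacts": [{"id": p, "reason": REASON, "affected": True} for p in purls(row)],
        })
    return statements


def to_yaml(stmt):
    """Minimal renderer in the layout of the example statement; real output should quote scalars."""
    lines = [f"vulnerability_id: {stmt['vulnerability_id']}", "notes:"]
    for note in stmt["notes"]:
        (k, v), = note.items()
        lines.append(f"  - {k}: {v}")
    lines.append("artifacts:")
    for art in stmt["artifacts"]:
        lines += [f"  - id: {art['id']}", f"    reason: {art['reason']}",
                  f"    affected: {'true' if art['affected'] else 'false'}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for s in generate_statements(SAMPLE_CSV):
        print(to_yaml(s))
```

Running it on the constructed rows yields three statements: two for example-mailer in 2017 (IDs with the 001/002 counter segment) and one for the scoped package, whose PURL carries the percent-encoded scope; the wildcard-version row and the row without a URL in Source are filtered out. Calling generate_statements with counter=False on the same input raises, which is exactly the collision the counter proposal is meant to avoid.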