Feat/data enhancement spike #417
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-prp9-9gxw-38j8", | ||
| "modified": "2023-01-29T05:06:34Z", | ||
| "published": "2022-05-24T19:05:32Z", | ||
| "aliases": [ | ||
| "CVE-2020-9493" | ||
| ], | ||
| "summary": "Apache Chainsaw deserialization flaw", | ||
| "details": "A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.", | ||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" | ||
| } | ||
| ], | ||
| "affected": [ | ||
| { | ||
| "package": { | ||
| "ecosystem": "Maven", | ||
| "name": "log4j:apache-chainsaw" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "2.1.0" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9493" | ||
| }, | ||
| { | ||
| "type": "PACKAGE", | ||
| "url": "https://github.com/apache/logging-chainsaw" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://lists.apache.org/thread.html/r50d389c613ba6062a26aa57e163c09bfee4ff2d95d67331d75265b83@%3Cannounce.apache.org%3E" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://www.openwall.com/lists/oss-security/2021/06/16/1" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "http://www.openwall.com/lists/oss-security/2021/06/16/1" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "http://www.openwall.com/lists/oss-security/2022/01/18/5" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-502" | ||
| ], | ||
| "severity": "CRITICAL", | ||
| "github_reviewed": false, | ||
| "github_reviewed_at": null, | ||
| "nvd_published_at": "2021-06-16T08:15:00Z" | ||
| } | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| # pretend the following PRs were merged | ||
| include-prs: | ||
| - https://github.com/github/advisory-database/pull/2630 | ||
|
There was a problem hiding this comment. From Josh: This probably isn't needed; if we need to update GitHub's data, it's probably because they refused an update, not because they're being slow. And this really solves the "being slow" problem rather than the "we have a change they don't want" problem. |
||
|
|
||
| # assuming the following GHSAs were reviewed, even if they | ||
| # are not returned by the API | ||
| assume-reviewed: | ||
|
There was a problem hiding this comment. From Josh: This mechanism probably isn't needed. If we're going to include an unreviewed GHSA, we're going to have to change it anyway. So just have a mechanism for changing fetched GHSA data, and assume any changed GHSA should be included in our output, regardless of whether GHSA has reviewed it. |
||
| - GHSA-some-asdf | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| { | ||
| "comment": "upstream has incorrect CPEs; change configurations array to be correct", | ||
| "changes": { | ||
| "configurations": [ | ||
| { | ||
| "operator": "AND", | ||
| "nodes": [ | ||
| { | ||
| "operator": "OR", | ||
| "negate": false, | ||
| "cpeMatch": [ | ||
| { | ||
| "vulnerable": true, | ||
| "criteria": "cpe:2.3:a:postgresql:postgresql:-:*:*:*:*:debian:*:*", | ||
| "matchCriteriaId": "0C9B105E-91CA-4D33-B60B-6CF6BFFEEB55" | ||
| }, | ||
| { | ||
| "vulnerable": true, | ||
| "criteria": "cpe:2.3:a:postgresql:postgresql:-:*:*:*:*:ubuntu:*:*", | ||
| "matchCriteriaId": "297620F7-BBB5-43EC-B792-1DE5097052AC" | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "operator": "OR", | ||
| "negate": false, | ||
| "cpeMatch": [ | ||
| { | ||
| "vulnerable": false, | ||
| "criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", | ||
| "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084" | ||
| }, | ||
| { | ||
| "vulnerable": false, | ||
| "criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", | ||
| "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B" | ||
| }, | ||
| { | ||
| "vulnerable": false, | ||
| "criteria": "cpe:2.3:o:canonical:ubuntu_linux:17.04:*:*:*:*:*:*:*", | ||
| "matchCriteriaId": "588D4F37-0A56-47A4-B710-4D5F3D214FB9" | ||
| }, | ||
| { | ||
| "vulnerable": false, | ||
| "criteria": "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", | ||
| "matchCriteriaId": "9070C9D8-A14A-467F-8253-33B966C16886" | ||
| }, | ||
| { | ||
| "vulnerable": false, | ||
| "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", | ||
| "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43" | ||
| }, | ||
| { | ||
| "vulnerable": false, | ||
| "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", | ||
| "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| } |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This could also be in GHSA's graphQL or rest API format.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From Josh: But whatever we do, we should only record changes, not all the data. Otherwise it's too hard to read what we changed.