[GithubAdvisory] Fix Matching-cve for allowlist config (#59)
* Fix match-cve for empty allowlist config

* 💅

* Fix `allowlist/by-pass?` with wrong data structure + small refactor

* remove old test
markomafs authored Mar 20, 2024
1 parent b7db445 commit ae20e1e
Showing 5 changed files with 83 additions and 79 deletions.
4 changes: 2 additions & 2 deletions src/clj_watson/controller/github/vulnerability.clj
Expand Up @@ -22,7 +22,7 @@
all-dependency-vulnerabilities (diplomat.gh.advisory/vulnerabilities-by-package dependency-name-for-github)
reported-vulnerabilities (filterv (partial logic.gh.vulnerability/is-version-vulnerable? dependency-info) all-dependency-vulnerabilities)
; not sure how to use it here and avoid always recommend the latest version (logic.gh.vulnerability/version-not-vulnerable all-dependency-vulnerabilities)
filtered-vulnerabilities (remove (partial logic.rules.allowlist/by-pass? allow-list (time/today)) reported-vulnerabilities)
filtered-vulnerabilities (remove (partial logic.rules.allowlist/by-pass? allow-list (time/now)) reported-vulnerabilities)
latest-secure-version (latest-dependency-version dependency all-dependency-vulnerabilities repositories)]
(if (seq filtered-vulnerabilities)
(assoc dependency-info :vulnerabilities filtered-vulnerabilities :secure-version latest-secure-version)
Expand All @@ -38,6 +38,6 @@
(def repositories {:mvn/repos {"central" {:url "https://repo1.maven.org/maven2/"}
"clojars" {:url "https://repo.clojars.org/"}}})

(scan-dependencies [{:dependency 'org.jdom/jdom2 :mvn/version "2.0.6"}] repositories {})
(scan-dependencies [{:dependency 'org.apache.commons/commons-compress :mvn/version "1.21"}] repositories {})

(scan-dependencies [{:dependency 'org.postgresql/postgresql :mvn/version "42.2.10"}] repositories {}))
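Review bot: Switching the bound `as-of` to `(time/now)` changes the comparison in `not-expired-bypass?` from date-vs-date to a UTC DateTime with a time-of-day component versus whatever `allow-list` holds, and since that predicate uses the strict `time/after?`, an entry whose expiry falls on the current day stops bypassing at 00:00 UTC of that day rather than at the end of the user's local day. Whether the allowlist values are parsed as midnight dates is not visible here (the new tests build them with `time/date-time`), so confirm against the config loader before relying on day-granular expiries. A call-site comment would keep the semantics explicit: `;; as-of is UTC now; an allowlist entry bypasses only while its expiry is strictly after it`. The enclosing `let` form starts above the hunk.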
3 changes: 0 additions & 3 deletions src/clj_watson/diplomat/github/advisory.clj
Expand Up @@ -25,6 +25,3 @@
(throw (Exception. "environment GITHUB_TOKEN variable not set."))))

(def vulnerabilities-by-package (memoize vulnerabilities-by-package*))

(comment
(vulnerabilities-by-package 'org.postgresql/postgresql))
18 changes: 7 additions & 11 deletions src/clj_watson/logic/rules/allowlist.clj
Expand Up @@ -2,21 +2,17 @@
(:require
[clj-time.core :as time]))

(defn match-cve?
(defn not-expired-bypass?
([allowed-cves as-of]
(partial match-cve? allowed-cves as-of))
([allowed-cves
as-of
{identifier :value}]
(when-let [expire-date (allowed-cves identifier)]
(partial not-expired-bypass? allowed-cves as-of))
([allowed-cves as-of {identifier :value}]
(when-let [expire-date (get allowed-cves identifier)]
(time/after? expire-date as-of))))

(defn by-pass?
[allowed-cves
as-of
vulnerability]
(let [allowed? (comp seq (partial filter (match-cve? allowed-cves as-of)) :identifiers :advisory)]
(->> vulnerability
:vulnerabilities
(remove allowed?)
empty?)))
(let [identifiers (-> vulnerability :advisory :identifiers)
by-passable-cves (filter (not-expired-bypass? allowed-cves as-of) identifiers)]
(boolean (seq by-passable-cves))))
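Review bot: `not-expired-bypass?` and `by-pass?` carry no docstrings, and the contract the rewrite now enforces — `allowed-cves` is a map from advisory identifier string to a clj-time DateTime, the predicate returns `nil` for an unknown identifier and `true`/`false` for a known one, and an expiry equal to `as-of` does not bypass because `time/after?` is strict — is only recoverable from the tests. Add to `not-expired-bypass?` a docstring such as `"Returns nil when identifier is not in allowed-cves, true while its expiry is strictly after as-of, false once expired."` and to `by-pass?` one stating that a vulnerability is bypassed when any identifier under `:advisory :identifiers` has an unexpired allowlist entry. The change from calling the map to `(get allowed-cves identifier)` is what makes a nil or empty allowlist safe, which is worth stating in the docstring so nobody reverts to the map-as-function form. If a config value is not a DateTime, `time/after?` will throw rather than return false; whether the config loader guarantees the type is not visible in this hunk.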
63 changes: 0 additions & 63 deletions test/clj_watson/unit/logic/allowlist_test.clj

This file was deleted.

74 changes: 74 additions & 0 deletions test/clj_watson/unit/logic/rules/allowlist_test.clj
@@ -0,0 +1,74 @@
(ns clj-watson.unit.logic.rules.allowlist-test
(:require
[clj-time.core :as time]
[clj-watson.logic.rules.allowlist :as logic.rules.allowlist]
[clojure.test :refer :all]))

(def expired-as-of (time/date-time 2023 3 3))
(def as-of (time/date-time 2024 4 4))
(def valid-as-of (time/date-time 2025 5 5))

(deftest empty-bypass?
(is (nil?
(logic.rules.allowlist/not-expired-bypass?
{}
as-of
{:value "GHSA-4265-ccf5-phj5"}))))

(deftest not-expired-bypass?
(is (true?
(logic.rules.allowlist/not-expired-bypass?
{"GHSA-4265-ccf5-phj5" valid-as-of}
as-of
{:value "GHSA-4265-ccf5-phj5"})))
(is (false?
(logic.rules.allowlist/not-expired-bypass?
{"GHSA-4265-ccf5-phj5" expired-as-of}
as-of
{:value "GHSA-4265-ccf5-phj5"}))))

(deftest by-pass?
(is (false? (logic.rules.allowlist/by-pass? {} as-of {:vulnerableVersionRange ">= 1.21, < 1.26.0",
:advisory {:description "Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26.
Users are recommended to upgrade to version 1.26, which fixes the issue.
",
:summary "Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file",
:severity "HIGH",
:cvss {:score 7.5},
:identifiers [{:value "GHSA-4265-ccf5-phj5"} {:value "CVE-2024-26308"}]},
:firstPatchedVersion {:identifier "1.26.0"}})))
(is (false? (logic.rules.allowlist/by-pass? {"GHSA-4265-ccf5-phj5" expired-as-of} as-of {:vulnerableVersionRange ">= 1.21, < 1.26.0",
:advisory {:description "Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26.
Users are recommended to upgrade to version 1.26, which fixes the issue.
",
:summary "Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file",
:severity "HIGH",
:cvss {:score 7.5},
:identifiers [{:value "GHSA-4265-ccf5-phj5"} {:value "CVE-2024-26308"}]},
:firstPatchedVersion {:identifier "1.26.0"}})))
(is (true? (logic.rules.allowlist/by-pass? {"GHSA-4265-ccf5-phj5" valid-as-of} as-of {:vulnerableVersionRange ">= 1.21, < 1.26.0",
:advisory {:description "Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26.
Users are recommended to upgrade to version 1.26, which fixes the issue.
",
:summary "Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file",
:severity "HIGH",
:cvss {:score 7.5},
:identifiers [{:value "GHSA-4265-ccf5-phj5"}]},
:firstPatchedVersion {:identifier "1.26.0"}})))
(is (true? (logic.rules.allowlist/by-pass? {"GHSA-4265-ccf5-phj5" valid-as-of} as-of {:vulnerableVersionRange ">= 1.21, < 1.26.0",
:advisory {:description "Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26.
Users are recommended to upgrade to version 1.26, which fixes the issue.
",
:summary "Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file",
:severity "HIGH",
:cvss {:score 7.5},
:identifiers [{:value "GHSA-4265-ccf5-phj5"} {:value "CVE-2024-26308"}]},
:firstPatchedVersion {:identifier "1.26.0"}}))))
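Review bot: The boundary the implementation depends on is not pinned: `time/after?` is strict, so an allowlist entry whose expiry equals `as-of` must not bypass, and none of the cases in `not-expired-bypass?` or `by-pass?` exercises it. Add `(is (false? (logic.rules.allowlist/not-expired-bypass? {"GHSA-4265-ccf5-phj5" as-of} as-of {:value "GHSA-4265-ccf5-phj5"})))`, and a `by-pass?` case where the allowlist names an identifier the advisory does not carry (expected `false`) so a bypass cannot apply across advisories. As a point of style, the four `by-pass?` assertions repeat the same nine-line advisory map; binding it once with `(def commons-compress-advisory …)` and varying only `:identifiers` per assertion would make the differing inputs visible at a glance.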
