Visibility of curl CVEs without Git ranges #1926

jess-lowe · 2024-01-21T23:11:27Z

Some of the older curl vulnerabilities have nothing to distinguish their 'package' or ecosystem so aren't being categorized and therefore shown on osv.dev. Despite CVE-2016-8616 existing in datastore, it is not visible on the website.

Possible fixes could include some sort of "reverse git enumeration" where we look up commits from tags (instead of the tags from commits we currently do)

jess-lowe · 2024-01-24T02:48:24Z

Also need to change:

Which can be done in the vulnerability.html file.

andrewpollock · 2024-02-07T00:55:23Z

Despite CVE-2016-8616 existing in datastore, it is not visible on the website.

So I've got a better understanding of what's necessary for future reference:

Some of these Curl records have both a SEMVER range and a GIT range, and some don't:

$ GET https://api.osv.dev/v1/vulns/CURL-CVE-2016-8615 | jq '.affected[] | {affected: .ranges}'
{
  "affected": [
    {
      "type": "SEMVER",
      "events": [
        {
          "introduced": "4.9"
        },
        {
          "fixed": "7.51.0"
        }
      ]
    },
    {
      "type": "GIT",
      "repo": "https://github.com/curl/curl.git",
      "events": [
        {
          "introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"
        },
        {
          "fixed": "cff89bc088b7884098ea0c5378bbda3d49c437bc"
        }
      ]
    }
  ]
}

$ GET https://api.osv.dev/v1/vulns/CURL-CVE-2016-8616 | jq '.affected[] | {affected: .ranges}'
{
  "affected": [
    {
      "type": "SEMVER",
      "events": [
        {
          "introduced": "7.7"
        },
        {
          "fixed": "7.51.0"
        }
      ]
    }
  ]
}

If I'm understanding correctly, the ones without a GIT range are

a) missing from whatever list was screenshotted (@jess-lowe how did you get that list?)
b) getting mis-represented on the individual vulnerability page (because they're lacking an affected[].package?)

Getting the vulnerability page just right for a number of edge cases has proven to be a bit of a gnarly problem...

github-actions · 2024-07-20T18:05:53Z

This issue has not had any activity for 60 days and will be automatically closed in two weeks

github-actions · 2024-09-28T09:05:52Z

This issue has not had any activity for 60 days and will be automatically closed in two weeks

See https://github.com/google/osv.dev/blob/master/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.

cuixq added bug Something isn't working data quality Issues with data quality and removed bug Something isn't working labels Jan 21, 2024

github-actions bot added the stale The issue or PR is stale and pending automated closure label Jul 20, 2024

andrewpollock added the backlog Important but currently unprioritized label Jul 23, 2024

oliverchang removed the backlog Important but currently unprioritized label Jul 29, 2024

github-actions bot removed the stale The issue or PR is stale and pending automated closure label Jul 30, 2024

github-actions bot added the stale The issue or PR is stale and pending automated closure label Sep 28, 2024

oliverchang added backlog Important but currently unprioritized and removed stale The issue or PR is stale and pending automated closure labels Oct 1, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Visibility of curl CVEs without Git ranges #1926

Visibility of curl CVEs without Git ranges #1926

jess-lowe commented Jan 21, 2024

jess-lowe commented Jan 24, 2024

andrewpollock commented Feb 7, 2024

github-actions bot commented Jul 20, 2024

github-actions bot commented Sep 28, 2024

Visibility of curl CVEs without Git ranges #1926

Visibility of curl CVEs without Git ranges #1926

Comments

jess-lowe commented Jan 21, 2024

jess-lowe commented Jan 24, 2024

andrewpollock commented Feb 7, 2024

github-actions bot commented Jul 20, 2024

github-actions bot commented Sep 28, 2024