diff --git a/README.md b/README.md index dc7e5178..f23b2656 100644 --- a/README.md +++ b/README.md @@ -12,6 +12,7 @@ OWASP dep-scan is a fully open-source security audit tool based on known vulnera - Scan most application code - local repos, Linux container images, Kubernetes manifests, and OS - to identify known CVEs with prioritization - Package vulnerability scanning is performed locally and is quite fast. No server is used! - Generate Software Bill-of-Materials (SBoM) with Vulnerability Exploitability Exchange (VEX) information +- Generate a Common Security Advisory Framework (CSAF) 2.0 document (check out the [CSAF Readme](contrib/CSAF_README.md)) - Perform deep packages risk audit for dependency confusion attacks and maintenance risks (See risk audit) ![Dependency Tree with Insights](docs/tree1.jpg) 
@@ -138,24 +139,33 @@ depscan --src $PWD --reports-dir $PWD/reports Full list of options are below: ```bash -usage: depscan [-h] [--no-banner] [--cache] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] -i SRC_DIR - [--reports-dir REPORTS_DIR] [--no-error] [--deep] +usage: depscan [-h] [--no-banner] [--cache] [--csaf] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] [-i SRC_DIR_IMAGE] [-o REPORT_FILE] [--reports-dir REPORTS_DIR] [--no-error] + [--no-license-scan] [--deep] [--no-universal] [--no-vuln-table] [--threatdb-server THREATDB_SERVER] [--threatdb-username THREATDB_USERNAME] [--threatdb-password THREATDB_PASSWORD] [--threatdb-token THREATDB_TOKEN] + [--privado-json PRIVADO_JSON] [--server] [--server-host SERVER_HOST] [--server-port SERVER_PORT] [--cdxgen-server CDXGEN_SERVER] [-v] + +Fully open-source security and license audit for application dependencies and container images based on known vulnerabilities and advisories. + +options: -h, --help show this help message and exit --no-banner Do not display banner --cache Cache vulnerability information in platform specific user_data_dir + --csaf Generate a CSAF --sync Sync to receive the latest vulnerability data. Should have invoked cache first. + --suggest DEPRECATED: Suggest is the default mode for determining fix version. --risk-audit Perform package risk audit (slow operation). Npm only. --private-ns PRIVATE_NS - Private namespace to use while performing oss risk audit. Private packages should not be available in public registries by default. Comma - separated values accepted. + Private namespace to use while performing oss risk audit. Private packages should not be available in public registries by default. Comma separated values accepted. -t PROJECT_TYPE, --type PROJECT_TYPE Override project type if auto-detection is incorrect --bom BOM Examine using the given Software Bill-of-Materials (SBoM) file in CycloneDX format. 
Use cdxgen command to produce one. - -i SRC_DIR, --src SRC_DIR - Source directory + -i SRC_DIR_IMAGE, --src SRC_DIR_IMAGE + Source directory or container image or binary file + -o REPORT_FILE, --report_file REPORT_FILE + DEPRECATED. Use reports directory since multiple files are created. Report filename with directory --reports-dir REPORTS_DIR Reports directory --no-error Continue on error to prevent build from breaking + --no-license-scan DEPRECATED: dep-scan does not perform license scanning by default --deep Perform deep scan by passing this --deep argument to cdxgen. Useful while scanning docker images and OS packages. --no-universal Depscan would attempt to perform a single universal scan instead of individual scans per language type. --no-vuln-table Do not print the table with the full list of vulnerabilities. This can help reduce console output. @@ -167,6 +177,16 @@ usage: depscan [-h] [--no-banner] [--cache] [--sync] [--suggest] [--risk-audit] ThreatDB password --threatdb-token THREATDB_TOKEN ThreatDB token for token based submission + --privado-json PRIVADO_JSON + Optional: Enrich the VEX report with information from privado.ai json report. cdxgen can process and include privado info automatically so this argument is usually not required. + --server Run depscan as a server + --server-host SERVER_HOST + depscan server host + --server-port SERVER_PORT + depscan server port + --cdxgen-server CDXGEN_SERVER + cdxgen server url. Eg: http://cdxgen:9090 + -v, --version Display the version ``` ### Scanning containers locally (Python version) diff --git a/contrib/CSAF_README.md b/contrib/CSAF_README.md new file mode 100644 index 00000000..1fdda520 --- /dev/null +++ b/contrib/CSAF_README.md 
@@ -0,0 +1,70 @@ +# Purpose + +Generate CSAF vex documents populated with vulnerability results from +OWASP dep-scan. + + +## Overview + +1. Run depscan with the --csaf option. +2. Depscan will check if you already have a csaf.toml file in the target + directory before proceeding. +3. If you do not, the template will be downloaded from our repo and you will + be requested to fill it out before running depscan again. +4. You may want to store an extra [copy](csaf.toml) for your reference, as the + comments located in the template will not be present after your first + CSAF generation. +5. To produce a valid CSAF document, a number of fields must be included in + the toml. Some you may choose to set yourself, or we will set them for you. + Please see the official [CSAF 2.0](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html) standard for a full explanation of + requirements. A copy of the schema is available [here](csaf_json_schema. + json). See [TOML Requirements](#toml-requirements) for a brief overview. +6. Run depscan with the --csaf option again. +7. This time, a CSAF document will be written to the reports directory that + you specified using the --reports-dir option (default behavior creates a + reports directory in your current directory). + +### The csaf.toml +The first time you run depscan with the --csaf option against a specific +directory, a csaf.toml template will be placed in your target directory and you +will be requested to fill it out before running depscan again. This is a +configuration file used to set metadata fields outside the vulnerabilities +section. + +#### Requirements + +In order to produce a valid CSAF, certain sections are required. An overview +is below, with required components in bold. +> Where a top level category, such as Note is not bolded, but one of its +> members is, that indicates the bolded are only required if the parent category +> is included, e.g. 
a note entry must include category and text, but a +> valid CSAF does not require that any notes be included.: + + +| TOML Field | Subcategories | Comments | +|-------------------|-------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **document** | **category
title** | default category is csaf_vex
category must match regex: `^[^\s\-_\.](.*[^\s\-_\.])?$` | +| **publisher** | **name**
**category**
**namespace**
contact_details |
valid categories: coordinator, discoverer, other, translator, user, vendor

e.g. an email address | +| note | **category**
**text**
audience
title | valid categories: description, details, faq, general, legal_disclaimer, other, summary

multiple note entries may be included under additional [note] headings | +| reference | **summary**
**url**
category | multiple reference entries may be included under additional [reference] headings

valid categories: self, external | +| distribution | text
tlp.**label**
tlp.url | If tlp is included, label is required
valid labels: AMBER, GREEN, RED, WHITE | +| product_tree | easy_import | We support importing a product tree from a json file, the path of which should be specified here.
[example](../test/data/product_tree.json) | +| **tracking** | **current_release_date**
**initial_release_date**
**version**
**status**
**id** | Please use ISO date formats if entering dates yourself.

valid statuses: draft, final, interim
We will generate an id consisting of date and version if you do not include this, but id is best set by you | +| tracking.revision | date
number
summary | Leave this section alone. Depscan will add revision entries per final version. | +| depscan_version | | This field is automatically updated for our use to provide backward compatibility if the TOML options change | + +>Although tracking and all of its components are required, if you do + not include them, we will use the current date/time and update the + version as appropriate. + +>Feel free to preserve all fields on the toml if you may want them later. +> Entries without content will be omitted. + +### Validation +Coming soon! For now, you can validate your generated CSAFs using a [JSON +schema +validator](https://www.jsonschemavalidator.net/) and the [csaf 2.0 schema](csaf_json_schema.json). + +### Questions? Comments? Suggestions? +Feel free to reach out to us on [discord](https://discord.gg/DCNxzaeUpd) or start a discussion tagging +@cerrussell on the [OWASP Dep-Scan Repo](https://github.com/owasp-dep-scan/dep-scan). diff --git a/contrib/csaf.toml b/contrib/csaf.toml new file mode 100644 index 00000000..3094fe59 --- /dev/null +++ b/contrib/csaf.toml 
@@ -0,0 +1,65 @@ +[document] +category = "csaf_vex" +title = "Your Title" + +[publisher] +# Required +# Valid categories are: coordinator, discoverer, other, translator, user, vendor +category = "vendor" +name = "Vendor McVendorson" +namespace = "https://appthreat.com" +# Optional +contact_details = "vendor@mcvendorson.com" + +# Category and text are required to add a note, add as many notes.note as you need +# Valid categories are: description, details, faq, general, legal_disclaimer, other, summary +[[note]] +audience = "" +category = "" +text = "" +title = "" + +[product_tree] +easy_import = "" + +[distribution] +text = "" +# Label is required if tlp included +label = "" +url = "" + +# Summary and url are required, include as many references.ref as you like +# Category can be either "external" or "self" +[[reference]] +category = "" +summary = "" +url = "" + +[[reference]] +category = "" +summary = "" +url = "" + +# An entry for the data in this section will be added to the revision_history if the status is final +# The current date/time is default if not provided +# id is required and best set by the document issuing authority +[tracking] +# Required +current_release_date = "" # ISO 8601 +id = "" +initial_release_date = "" # ISO 8601 +status = "draft" +version = "" + +# Include as many revision entries as you like +[[tracking.revision]] +date = "" +number = "" +summary = "" + + + + + + + diff --git a/depscan/cli.py b/depscan/cli.py index 3bf1adb9..d42ce70a 100644 --- a/depscan/cli.py +++ b/depscan/cli.py @@ -4,6 +4,7 @@ import argparse import json import os +import sys import tempfile from quart import Quart, request @@ -11,7 +12,6 @@ from rich.terminal_theme import MONOKAI from vdb.lib import config from vdb.lib import db as db_lib -from vdb.lib.aqua import AquaSource from vdb.lib.config import data_dir from vdb.lib.gha import GitHubSource from vdb.lib.nvd import NvdSource 
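Review bot: The comments in the new csaf.toml template name tables that do not exist in it: `# Category and text are required to add a note, add as many notes.note as you need` sits above `[[note]]`, and `# Summary and url are required, include as many references.ref as you like` above `[[reference]]`, so a user following the comment literally would create `[[notes.note]]` / `[[references.ref]]` tables that CSAF_README.md does not list. Suggest `# Category and text are required to add a note; repeat the [[note]] table as many times as you need` and `# Summary and url are required; repeat the [[reference]] table as many times as you like`. The `# id is required and best set by the document issuing authority` comment also disagrees with CSAF_README.md in this same commit, which says an id is generated when omitted; align one with the other. The six empty `+` lines at the end of the file are trailing whitespace worth dropping.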
@@ -20,6 +20,7 @@ import oras.client +from depscan.lib.csaf import export_csaf, write_toml from depscan.lib import privado, utils from depscan.lib.analysis import ( PrepareVexOptions, @@ -31,7 +32,12 @@ summary_stats, ) from depscan.lib.audit import audit, risk_audit, risk_audit_map, type_audit_map -from depscan.lib.bom import create_bom, get_pkg_by_type, get_pkg_list, submit_bom +from depscan.lib.bom import ( + create_bom, + get_pkg_by_type, + get_pkg_list, + submit_bom, +) from depscan.lib.config import ( UNIVERSAL_SCAN_TYPE, license_data_dir, @@ -82,7 +88,15 @@ def build_args(): action="store_true", default=False, dest="cache", - help="Cache vulnerability information in platform specific " "user_data_dir", + help="Cache vulnerability information in platform specific " + "user_data_dir", + ) + parser.add_argument( + "--csaf", + action="store_true", + default=False, + dest="csaf", + help="Generate a CSAF", ) parser.add_argument( "--sync", @@ -97,12 +111,15 @@ def build_args(): action="store_true", default=True, dest="suggest", - help="DEPRECATED: Suggest is the default mode for determining fix " "version.", + help="DEPRECATED: Suggest is the default mode for determining fix " + "version.", ) parser.add_argument( "--risk-audit", action="store_true", - default=True if os.getenv("ENABLE_OSS_RISK", "") in ["true", "1"] else False, + default=True + if os.getenv("ENABLE_OSS_RISK", "") in ["true", "1"] + else False, dest="risk_audit", help="Perform package risk audit (slow operation). Npm only.", ) @@ -142,7 +159,9 @@ def build_args(): ) parser.add_argument( "--reports-dir", - default=os.getenv("DEPSCAN_REPORTS_DIR", os.path.join(os.getcwd(), "reports")), + default=os.getenv( + "DEPSCAN_REPORTS_DIR", os.path.join(os.getcwd(), "reports") + ), dest="reports_dir", help="Reports directory", ) 
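Review bot: The help string of the new `--csaf` option, `help="Generate a CSAF"`, says neither what is produced nor that main() refuses to proceed without a csaf.toml in the source directory, which is the first thing a user hitting that path will want from `--help`. Suggest `help="Generate a CSAF 2.0 VEX document from the scan results. Requires a csaf.toml in the source directory; a template is written on the first run."`, which matches the README entry added in this commit. The other hunks on this line are line-wrapping only.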
@@ -269,7 +288,9 @@ def scan(db, project_type, pkg_list, suggest_mode): LOG.debug("Empty package search attempted!") else: LOG.debug("Scanning %d oss dependencies for issues", len(pkg_list)) - results, pkg_aliases, purl_aliases = utils.search_pkgs(db, project_type, pkg_list) + results, pkg_aliases, purl_aliases = utils.search_pkgs( + db, project_type, pkg_list + ) # pkg_aliases is a dict that can be used to find the original vendor and # package name This way we consistently use the same names used by the # caller irrespective of how the result was obtained @@ -326,7 +347,9 @@ def scan(db, project_type, pkg_list, suggest_mode): "Re-checking our suggestion to ensure there are no further " "vulnerabilities" ) - override_results, _, _ = utils.search_pkgs(db, project_type, sug_pkg_list) + override_results, _, _ = utils.search_pkgs( + db, project_type, sug_pkg_list + ) if override_results: new_sug_dict = suggest_version(override_results) LOG.debug("Received override results: %s", new_sug_dict) @@ -556,7 +579,8 @@ async def run_scan(): else: return { "error": "true", - "message": "Unable to generate SBoM. Check your input path or " "url.", + "message": "Unable to generate SBoM. Check your input path or " + "url.", }, 500 @@ -567,7 +591,9 @@ def run_server(args): :param args: Command line arguments passed to the function. """ print(at_logo) - console.print(f"Depscan server running on {args.server_host}:{args.server_port}") + console.print( + f"Depscan server running on {args.server_host}:{args.server_port}" + ) app.config["CDXGEN_SERVER_URL"] = args.cdxgen_server app.run( host=args.server_host, 
@@ -588,9 +614,24 @@ def main(): if not args.no_banner: print(at_logo) src_dir = args.src_dir_image - if not src_dir: + if not src_dir or src_dir == ".": src_dir = os.getcwd() reports_dir = args.reports_dir + if args.csaf: + toml_file_path = os.path.join(src_dir, "csaf.toml") + if not os.path.exists(toml_file_path): + LOG.info("CSAF toml not found, creating template in %s", src_dir) + write_toml(toml_file_path) + LOG.info( + "Please fill out the toml with your details and rerun depscan." + ) + LOG.info("Check out our CSAF documentation for an explanation of " + "this feature. https://github.com/owasp-dep-scan/dep-scan" + "/blob/master/contrib/CSAF_README.md") + LOG.info("If you're just checking out how our generator works, " + "feel free to skip filling out the toml and just rerun " + "depscan.") + sys.exit(0) # Detect the project types and perform the right type of scan if args.project_type: project_types_list = args.project_type.split(",") @@ -628,7 +669,9 @@ def main(): for project_type in project_types_list: results = [] report_file = areport_file.replace(".json", f"-{project_type}.json") - risk_report_file = areport_file.replace(".json", f"-risk.{project_type}.json") + risk_report_file = areport_file.replace( + ".json", f"-risk.{project_type}.json" + ) LOG.info("=" * 80) if args.bom and os.path.exists(args.bom): bom_file = args.bom @@ -665,7 +708,9 @@ def main(): license_report_file = os.path.join( reports_dir, "license-" + project_type + ".json" ) - analyse_licenses(project_type, licenses_results, license_report_file) + analyse_licenses( + project_type, licenses_results, license_report_file + ) if project_type in risk_audit_map: if args.risk_audit: console.print( 
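Review bot: `toml_file_path = os.path.join(src_dir, "csaf.toml")` assumes `src_dir` is a directory, but `-i` also accepts a container image or a binary file (per the README hunk in this commit), so for an image argument the template path becomes something like `<image-name>/csaf.toml` and `write_toml` will most likely fail or create a stray directory. Guard the location, e.g. `toml_dir = src_dir if os.path.isdir(src_dir) else os.getcwd()` followed by `toml_file_path = os.path.join(toml_dir, "csaf.toml")`, and use that same directory for the later `export_csaf(..., src_dir, reports_dir)` call so the two agree. The `sys.exit(0)` after writing the template also reports success to a CI pipeline that has scanned nothing; a non-zero status, or at least a WARNING-level log instead of INFO, would make the template-creation run visible. main() starts and ends outside this hunk.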
@@ -713,14 +758,16 @@ def main(): try: audit_results = audit(project_type, pkg_list) if audit_results: - LOG.debug("Remote audit yielded %d results", len(audit_results)) + LOG.debug( + "Remote audit yielded %d results", len(audit_results) + ) results = results + audit_results except Exception as e: LOG.error("Remote audit was not successful") LOG.error(e) results = [] - # In case of docker, bom, or universal type, check if there are any npm packages that can be - # audited remotely + # In case of docker, bom, or universal type, check if there are any + # npm packages that can be audited remotely if project_type in ("podman", "docker", "oci", "bom", "universal"): npm_pkg_list = get_pkg_by_type(pkg_list, "npm") if npm_pkg_list: @@ -739,7 +786,9 @@ def main(): if not db_lib.index_count(db["index_file"]): run_cacher = True else: - LOG.debug("Vulnerability database loaded from %s", config.vdb_bin_file) + LOG.debug( + "Vulnerability database loaded from %s", config.vdb_bin_file + ) sources_list = [OSVSource(), NvdSource()] if os.environ.get("GITHUB_TOKEN"): @@ -750,7 +799,9 @@ def main(): vdb_database_url, ) oras_client = oras.client.OrasClient() - paths_list = oras_client.pull(target=vdb_database_url, outdir=data_dir) + paths_list = oras_client.pull( + target=vdb_database_url, outdir=data_dir + ) LOG.debug("VDB data is stored at: %s", paths_list) run_cacher = False elif args.sync: @@ -767,7 +818,12 @@ def main(): db, project_type, pkg_list, args.suggest ) if vdb_results: - results = results + vdb_results + results += vdb_results + if args.csaf: + new_res = [] + for r in results: + new_res.append(r.to_dict()) + export_csaf(new_res, src_dir, reports_dir) # Summarise and print results summarise( project_type, diff --git a/depscan/lib/csaf.py b/depscan/lib/csaf.py new file mode 100644 index 00000000..462a2182 --- /dev/null +++ b/depscan/lib/csaf.py 
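Review bot: In the `@@ -767,7 +818,12 @@` hunk the new `if args.csaf:` block sits inside `if vdb_results:`, so a scan that finds no vulnerabilities produces no CSAF document at all, although CSAF_README.md in this commit promises a document on the rerun and an empty VEX is a meaningful result; move the export out of the `if vdb_results:` branch so it runs whenever `--csaf` is set. The call `export_csaf(new_res, src_dir, reports_dir)` also appears to be inside the per-project-type loop shown in the earlier `for project_type in project_types_list:` hunk with no project_type argument, so with several project types each export presumably overwrites the previous document — confirm export_csaf's output naming or pass `project_type` through. Stylistically `new_res = [r.to_dict() for r in results]` replaces the four-line loop. main() continues past this hunk.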
@@ -0,0 +1,1680 @@ +import json +import logging +import os +import re +from copy import deepcopy +from datetime import datetime +from json import JSONDecodeError + +import toml +from vdb.lib import convert_time + +from depscan.lib.logger import LOG +from depscan.lib.utils import get_version + +TIME_FMT = "%Y-%m-%dT%H:%M:%S" + +CWE_MAP = { + "CWE-5": "J2EE Misconfiguration: Data Transmission Without Encryption", + "CWE-6": "J2EE Misconfiguration: Insufficient Session-ID Length", + "CWE-7": "J2EE Misconfiguration: Missing Custom Error Page", + "CWE-8": "J2EE Misconfiguration: Entity Bean Declared Remote", + "CWE-9": "J2EE Misconfiguration: Weak Access Permissions for EJB Methods", + "CWE-11": "ASP.NET Misconfiguration: Creating Debug Binary", + "CWE-12": "ASP.NET Misconfiguration: Missing Custom Error Page", + "CWE-13": "ASP.NET Misconfiguration: Password in Configuration File", + "CWE-14": "Compiler Removal of Code to Clear Buffers", + "CWE-15": "External Control of System or Configuration Setting", + "CWE-20": "Improper Input Validation", + "CWE-22": "Improper Limitation of a Pathname to a Restricted Directory", + "CWE-23": "Relative Path Traversal", + "CWE-24": "Path Traversal", + "CWE-25": "Path Traversal", + "CWE-26": "Path Traversal", + "CWE-27": "Path Traversal", + "CWE-28": "Path Traversal", + "CWE-29": "Path Traversal", + "CWE-30": "Path Traversal", + "CWE-31": "Path Traversal", + "CWE-32": "Path Traversal", + "CWE-33": "Path Traversal", + "CWE-34": "Path Traversal", + "CWE-35": "Path Traversal", + "CWE-36": "Absolute Path Traversal", + "CWE-37": "Path Traversal", + "CWE-38": "Path Traversal", + "CWE-39": "Path Traversal", + "CWE-40": "Path Traversal", + "CWE-41": "Improper Resolution of Path Equivalence", + "CWE-42": "Path Equivalence", + "CWE-43": "Path Equivalence", + "CWE-44": "Path Equivalence", + "CWE-45": "Path Equivalence", + "CWE-46": "Path Equivalence", + "CWE-47": "Path Equivalence", + "CWE-48": "Path Equivalence", + "CWE-49": "Path Equivalence", 
+ "CWE-50": "Path Equivalence", + "CWE-51": "Path Equivalence", + "CWE-52": "Path Equivalence", + "CWE-53": "Path Equivalence", + "CWE-54": "Path Equivalence", + "CWE-55": "Path Equivalence", + "CWE-56": "Path Equivalence", + "CWE-57": "Path Equivalence", + "CWE-58": "Path Equivalence", + "CWE-59": "Improper Link Resolution Before File Access", + "CWE-61": "UNIX Symbolic Link", + "CWE-62": "UNIX Hard Link", + "CWE-64": "Windows Shortcut Following", + "CWE-65": "Windows Hard Link", + "CWE-66": "Improper Handling of File Names that Identify Virtual Resources", + "CWE-67": "Improper Handling of Windows Device Names", + "CWE-69": "Improper Handling of Windows ::DATA Alternate Data Stream", + "CWE-71": "DEPRECATED: Apple .DS_Store", + "CWE-72": "Improper Handling of Apple HFS+ Alternate Data Stream Path", + "CWE-73": "External Control of File Name or Path", + "CWE-74": "Improper Neutralization of Special Elements in Output Used by " + "a Downstream Component", + "CWE-75": "Failure to Sanitize Special Elements into a Different Plane", + "CWE-76": "Improper Neutralization of Equivalent Special Elements", + "CWE-77": "Improper Neutralization of Special Elements used in a Command", + "CWE-78": "Improper Neutralization of Special Elements used in an OS " + "Command", + "CWE-79": "Improper Neutralization of Input During Web Page Generation", + "CWE-80": "Improper Neutralization of Script-Related HTML Tags in a Web " + "Page", + "CWE-81": "Improper Neutralization of Script in an Error Message Web Page", + "CWE-82": "Improper Neutralization of Script in Attributes of IMG Tags in " + "a Web Page", + "CWE-83": "Improper Neutralization of Script in Attributes in a Web Page", + "CWE-84": "Improper Neutralization of Encoded URI Schemes in a Web Page", + "CWE-85": "Doubled Character XSS Manipulations", + "CWE-86": "Improper Neutralization of Invalid Characters in Identifiers " + "in Web Pages", + "CWE-87": "Improper Neutralization of Alternate XSS Syntax", + "CWE-88": "Improper 
Neutralization of Argument Delimiters in a Command", + "CWE-89": "Improper Neutralization of Special Elements used in an SQL " + "Command", + "CWE-90": "Improper Neutralization of Special Elements used in an LDAP " + "Query", + "CWE-91": "XML Injection", + "CWE-92": "DEPRECATED: Improper Sanitization of Custom Special Characters", + "CWE-93": "Improper Neutralization of CRLF Sequences", + "CWE-94": "Improper Control of Generation of Code", + "CWE-95": "Improper Neutralization of Directives in Dynamically Evaluated " + "Code", + "CWE-96": "Improper Neutralization of Directives in Statically Saved Code", + "CWE-97": "Improper Neutralization of Server-Side Includes", + "CWE-98": "Improper Control of Filename for Include/Require Statement in " + "PHP Program", + "CWE-99": "Improper Control of Resource Identifiers", + "CWE-102": "Struts: Duplicate Validation Forms", + "CWE-103": "Struts: Incomplete validate", + "CWE-104": "Struts: Form Bean Does Not Extend Validation Class", + "CWE-105": "Struts: Form Field Without Validator", + "CWE-106": "Struts: Plug-in Framework not in Use", + "CWE-107": "Struts: Unused Validation Form", + "CWE-108": "Struts: Unvalidated Action Form", + "CWE-109": "Struts: Validator Turned Off", + "CWE-110": "Struts: Validator Without Form Field", + "CWE-111": "Direct Use of Unsafe JNI", + "CWE-112": "Missing XML Validation", + "CWE-113": "Improper Neutralization of CRLF Sequences in HTTP Headers", + "CWE-114": "Process Control", + "CWE-115": "Misinterpretation of Input", + "CWE-116": "Improper Encoding or Escaping of Output", + "CWE-117": "Improper Output Neutralization for Logs", + "CWE-118": "Incorrect Access of Indexable Resource", + "CWE-119": "Improper Restriction of Operations within the Bounds of a " + "Memory Buffer", + "CWE-120": "Buffer Copy without Checking Size of Input", + "CWE-121": "Stack-based Buffer Overflow", + "CWE-122": "Heap-based Buffer Overflow", + "CWE-123": "Write-what-where Condition", + "CWE-124": "Buffer Underwrite", + 
"CWE-125": "Out-of-bounds Read", + "CWE-126": "Buffer Over-read", + "CWE-127": "Buffer Under-read", + "CWE-128": "Wrap-around Error", + "CWE-129": "Improper Validation of Array Index", + "CWE-130": "Improper Handling of Length Parameter Inconsistency", + "CWE-131": "Incorrect Calculation of Buffer Size", + "CWE-132": "DEPRECATED: Miscalculated Null Termination", + "CWE-134": "Use of Externally-Controlled Format String", + "CWE-135": "Incorrect Calculation of Multi-Byte String Length", + "CWE-138": "Improper Neutralization of Special Elements", + "CWE-140": "Improper Neutralization of Delimiters", + "CWE-141": "Improper Neutralization of Parameter/Argument Delimiters", + "CWE-142": "Improper Neutralization of Value Delimiters", + "CWE-143": "Improper Neutralization of Record Delimiters", + "CWE-144": "Improper Neutralization of Line Delimiters", + "CWE-145": "Improper Neutralization of Section Delimiters", + "CWE-146": "Improper Neutralization of Expression/Command Delimiters", + "CWE-147": "Improper Neutralization of Input Terminators", + "CWE-148": "Improper Neutralization of Input Leaders", + "CWE-149": "Improper Neutralization of Quoting Syntax", + "CWE-150": "Improper Neutralization of Escape, Meta, or Control Sequences", + "CWE-151": "Improper Neutralization of Comment Delimiters", + "CWE-152": "Improper Neutralization of Macro Symbols", + "CWE-153": "Improper Neutralization of Substitution Characters", + "CWE-154": "Improper Neutralization of Variable Name Delimiters", + "CWE-155": "Improper Neutralization of Wildcards or Matching Symbols", + "CWE-156": "Improper Neutralization of Whitespace", + "CWE-157": "Failure to Sanitize Paired Delimiters", + "CWE-158": "Improper Neutralization of Null Byte or NUL Character", + "CWE-159": "Improper Handling of Invalid Use of Special Elements", + "CWE-160": "Improper Neutralization of Leading Special Elements", + "CWE-161": "Improper Neutralization of Multiple Leading Special Elements", + "CWE-162": "Improper 
Neutralization of Trailing Special Elements", + "CWE-163": "Improper Neutralization of Multiple Trailing Special Elements", + "CWE-164": "Improper Neutralization of Internal Special Elements", + "CWE-165": "Improper Neutralization of Multiple Internal Special Elements", + "CWE-166": "Improper Handling of Missing Special Element", + "CWE-167": "Improper Handling of Additional Special Element", + "CWE-168": "Improper Handling of Inconsistent Special Elements", + "CWE-170": "Improper Null Termination", + "CWE-172": "Encoding Error", + "CWE-173": "Improper Handling of Alternate Encoding", + "CWE-174": "Double Decoding of the Same Data", + "CWE-175": "Improper Handling of Mixed Encoding", + "CWE-176": "Improper Handling of Unicode Encoding", + "CWE-177": "Improper Handling of URL Encoding", + "CWE-178": "Improper Handling of Case Sensitivity", + "CWE-179": "Incorrect Behavior Order: Early Validation", + "CWE-180": "Incorrect Behavior Order: Validate Before Canonicalize", + "CWE-181": "Incorrect Behavior Order: Validate Before Filter", + "CWE-182": "Collapse of Data into Unsafe Value", + "CWE-183": "Permissive List of Allowed Inputs", + "CWE-184": "Incomplete List of Disallowed Inputs", + "CWE-185": "Incorrect Regular Expression", + "CWE-186": "Overly Restrictive Regular Expression", + "CWE-187": "Partial String Comparison", + "CWE-188": "Reliance on Data/Memory Layout", + "CWE-190": "Integer Overflow or Wraparound", + "CWE-191": "Integer Underflow", + "CWE-192": "Integer Coercion Error", + "CWE-193": "Off-by-one Error", + "CWE-194": "Unexpected Sign Extension", + "CWE-195": "Signed to Unsigned Conversion Error", + "CWE-196": "Unsigned to Signed Conversion Error", + "CWE-197": "Numeric Truncation Error", + "CWE-198": "Use of Incorrect Byte Ordering", + "CWE-200": "Exposure of Sensitive Information to an Unauthorized Actor", + "CWE-201": "Insertion of Sensitive Information Into Sent Data", + "CWE-202": "Exposure of Sensitive Information Through Data Queries", + "CWE-203": 
"Observable Discrepancy", + "CWE-204": "Observable Response Discrepancy", + "CWE-205": "Observable Behavioral Discrepancy", + "CWE-206": "Observable Internal Behavioral Discrepancy", + "CWE-207": "Observable Behavioral Discrepancy With Equivalent Products", + "CWE-208": "Observable Timing Discrepancy", + "CWE-209": "Generation of Error Message Containing Sensitive Information", + "CWE-210": "Self-generated Error Message Containing Sensitive Information", + "CWE-211": "Externally-Generated Error Message Containing Sensitive " + "Information", + "CWE-212": "Improper Removal of Sensitive Information Before Storage or " + "Transfer", + "CWE-213": "Exposure of Sensitive Information Due to Incompatible Policies", + "CWE-214": "Invocation of Process Using Visible Sensitive Information", + "CWE-215": "Insertion of Sensitive Information Into Debugging Code", + "CWE-216": "DEPRECATED: Containment Errors", + "CWE-217": "DEPRECATED: Failure to Protect Stored Data from Modification", + "CWE-218": "DEPRECATED: Failure to provide confidentiality for stored data", + "CWE-219": "Storage of File with Sensitive Data Under Web Root", + "CWE-220": "Storage of File With Sensitive Data Under FTP Root", + "CWE-221": "Information Loss or Omission", + "CWE-222": "Truncation of Security-relevant Information", + "CWE-223": "Omission of Security-relevant Information", + "CWE-224": "Obscured Security-relevant Information by Alternate Name", + "CWE-225": "DEPRECATED: General Information Management Problems", + "CWE-226": "Sensitive Information in Resource Not Removed Before Reuse", + "CWE-228": "Improper Handling of Syntactically Invalid Structure", + "CWE-229": "Improper Handling of Values", + "CWE-230": "Improper Handling of Missing Values", + "CWE-231": "Improper Handling of Extra Values", + "CWE-232": "Improper Handling of Undefined Values", + "CWE-233": "Improper Handling of Parameters", + "CWE-234": "Failure to Handle Missing Parameter", + "CWE-235": "Improper Handling of Extra 
Parameters", + "CWE-236": "Improper Handling of Undefined Parameters", + "CWE-237": "Improper Handling of Structural Elements", + "CWE-238": "Improper Handling of Incomplete Structural Elements", + "CWE-239": "Failure to Handle Incomplete Element", + "CWE-240": "Improper Handling of Inconsistent Structural Elements", + "CWE-241": "Improper Handling of Unexpected Data Type", + "CWE-242": "Use of Inherently Dangerous Function", + "CWE-243": "Creation of chroot Jail Without Changing Working Directory", + "CWE-244": "Improper Clearing of Heap Memory Before Release", + "CWE-245": "J2EE Bad Practices: Direct Management of Connections", + "CWE-246": "J2EE Bad Practices: Direct Use of Sockets", + "CWE-247": "DEPRECATED: Reliance on DNS Lookups in a Security Decision", + "CWE-248": "Uncaught Exception", + "CWE-249": "DEPRECATED: Often Misused: Path Manipulation", + "CWE-250": "Execution with Unnecessary Privileges", + "CWE-252": "Unchecked Return Value", + "CWE-253": "Incorrect Check of Function Return Value", + "CWE-256": "Plaintext Storage of a Password", + "CWE-257": "Storing Passwords in a Recoverable Format", + "CWE-258": "Empty Password in Configuration File", + "CWE-259": "Use of Hard-coded Password", + "CWE-260": "Password in Configuration File", + "CWE-261": "Weak Encoding for Password", + "CWE-262": "Not Using Password Aging", + "CWE-263": "Password Aging with Long Expiration", + "CWE-266": "Incorrect Privilege Assignment", + "CWE-267": "Privilege Defined With Unsafe Actions", + "CWE-268": "Privilege Chaining", + "CWE-269": "Improper Privilege Management", + "CWE-270": "Privilege Context Switching Error", + "CWE-271": "Privilege Dropping / Lowering Errors", + "CWE-272": "Least Privilege Violation", + "CWE-273": "Improper Check for Dropped Privileges", + "CWE-274": "Improper Handling of Insufficient Privileges", + "CWE-276": "Incorrect Default Permissions", + "CWE-277": "Insecure Inherited Permissions", + "CWE-278": "Insecure Preserved Inherited Permissions", + 
"CWE-279": "Incorrect Execution-Assigned Permissions", + "CWE-280": "Improper Handling of Insufficient Permissions or Privileges ", + "CWE-281": "Improper Preservation of Permissions", + "CWE-282": "Improper Ownership Management", + "CWE-283": "Unverified Ownership", + "CWE-284": "Improper Access Control", + "CWE-285": "Improper Authorization", + "CWE-286": "Incorrect User Management", + "CWE-287": "Improper Authentication", + "CWE-288": "Authentication Bypass Using an Alternate Path or Channel", + "CWE-289": "Authentication Bypass by Alternate Name", + "CWE-290": "Authentication Bypass by Spoofing", + "CWE-291": "Reliance on IP Address for Authentication", + "CWE-292": "DEPRECATED: Trusting Self-reported DNS Name", + "CWE-293": "Using Referer Field for Authentication", + "CWE-294": "Authentication Bypass by Capture-replay", + "CWE-295": "Improper Certificate Validation", + "CWE-296": "Improper Following of a Certificates Chain of Trust", + "CWE-297": "Improper Validation of Certificate with Host Mismatch", + "CWE-298": "Improper Validation of Certificate Expiration", + "CWE-299": "Improper Check for Certificate Revocation", + "CWE-300": "Channel Accessible by Non-Endpoint", + "CWE-301": "Reflection Attack in an Authentication Protocol", + "CWE-302": "Authentication Bypass by Assumed-Immutable Data", + "CWE-303": "Incorrect Implementation of Authentication Algorithm", + "CWE-304": "Missing Critical Step in Authentication", + "CWE-305": "Authentication Bypass by Primary Weakness", + "CWE-306": "Missing Authentication for Critical Function", + "CWE-307": "Improper Restriction of Excessive Authentication Attempts", + "CWE-308": "Use of Single-factor Authentication", + "CWE-309": "Use of Password System for Primary Authentication", + "CWE-311": "Missing Encryption of Sensitive Data", + "CWE-312": "Cleartext Storage of Sensitive Information", + "CWE-313": "Cleartext Storage in a File or on Disk", + "CWE-314": "Cleartext Storage in the Registry", + "CWE-315": "Cleartext 
Storage of Sensitive Information in a Cookie", + "CWE-316": "Cleartext Storage of Sensitive Information in Memory", + "CWE-317": "Cleartext Storage of Sensitive Information in GUI", + "CWE-318": "Cleartext Storage of Sensitive Information in Executable", + "CWE-319": "Cleartext Transmission of Sensitive Information", + "CWE-321": "Use of Hard-coded Cryptographic Key", + "CWE-322": "Key Exchange without Entity Authentication", + "CWE-323": "Reusing a Nonce, Key Pair in Encryption", + "CWE-324": "Use of a Key Past its Expiration Date", + "CWE-325": "Missing Cryptographic Step", + "CWE-326": "Inadequate Encryption Strength", + "CWE-327": "Use of a Broken or Risky Cryptographic Algorithm", + "CWE-328": "Use of Weak Hash", + "CWE-329": "Generation of Predictable IV with CBC Mode", + "CWE-330": "Use of Insufficiently Random Values", + "CWE-331": "Insufficient Entropy", + "CWE-332": "Insufficient Entropy in PRNG", + "CWE-333": "Improper Handling of Insufficient Entropy in TRNG", + "CWE-334": "Small Space of Random Values", + "CWE-335": "Incorrect Usage of Seeds in Pseudo-Random Number Generator", + "CWE-336": "Same Seed in Pseudo-Random Number Generator", + "CWE-337": "Predictable Seed in Pseudo-Random Number Generator", + "CWE-338": "Use of Cryptographically Weak Pseudo-Random Number Generator", + "CWE-339": "Small Seed Space in PRNG", + "CWE-340": "Generation of Predictable Numbers or Identifiers", + "CWE-341": "Predictable from Observable State", + "CWE-342": "Predictable Exact Value from Previous Values", + "CWE-343": "Predictable Value Range from Previous Values", + "CWE-344": "Use of Invariant Value in Dynamically Changing Context", + "CWE-345": "Insufficient Verification of Data Authenticity", + "CWE-346": "Origin Validation Error", + "CWE-347": "Improper Verification of Cryptographic Signature", + "CWE-348": "Use of Less Trusted Source", + "CWE-349": "Acceptance of Extraneous Untrusted Data With Trusted Data", + "CWE-350": "Reliance on Reverse DNS Resolution for a 
Security-Critical " + "Action", + "CWE-351": "Insufficient Type Distinction", + "CWE-352": "Cross-Site Request Forgery", + "CWE-353": "Missing Support for Integrity Check", + "CWE-354": "Improper Validation of Integrity Check Value", + "CWE-356": "Product UI does not Warn User of Unsafe Actions", + "CWE-357": "Insufficient UI Warning of Dangerous Operations", + "CWE-358": "Improperly Implemented Security Check for Standard", + "CWE-359": "Exposure of Private Personal Information to an Unauthorized " + "Actor", + "CWE-360": "Trust of System Event Data", + "CWE-362": "Concurrent Execution using Shared Resource with Improper " + "Synchronization", + "CWE-363": "Race Condition Enabling Link Following", + "CWE-364": "Signal Handler Race Condition", + "CWE-365": "DEPRECATED: Race Condition in Switch", + "CWE-366": "Race Condition within a Thread", + "CWE-367": "Time-of-check Time-of-use", + "CWE-368": "Context Switching Race Condition", + "CWE-369": "Divide By Zero", + "CWE-370": "Missing Check for Certificate Revocation after Initial Check", + "CWE-372": "Incomplete Internal State Distinction", + "CWE-373": "DEPRECATED: State Synchronization Error", + "CWE-374": "Passing Mutable Objects to an Untrusted Method", + "CWE-375": "Returning a Mutable Object to an Untrusted Caller", + "CWE-377": "Insecure Temporary File", + "CWE-378": "Creation of Temporary File With Insecure Permissions", + "CWE-379": "Creation of Temporary File in Directory with Insecure " + "Permissions", + "CWE-382": "J2EE Bad Practices: Use of System.exit", + "CWE-383": "J2EE Bad Practices: Direct Use of Threads", + "CWE-384": "Session Fixation", + "CWE-385": "Covert Timing Channel", + "CWE-386": "Symbolic Name not Mapping to Correct Object", + "CWE-390": "Detection of Error Condition Without Action", + "CWE-391": "Unchecked Error Condition", + "CWE-392": "Missing Report of Error Condition", + "CWE-393": "Return of Wrong Status Code", + "CWE-394": "Unexpected Status Code or Return Value", + "CWE-395": 
"Use of NullPointerException Catch to Detect NULL Pointer " + "Dereference", + "CWE-396": "Declaration of Catch for Generic Exception", + "CWE-397": "Declaration of Throws for Generic Exception", + "CWE-400": "Uncontrolled Resource Consumption", + "CWE-401": "Missing Release of Memory after Effective Lifetime", + "CWE-402": "Transmission of Private Resources into a New Sphere", + "CWE-403": "Exposure of File Descriptor to Unintended Control Sphere", + "CWE-404": "Improper Resource Shutdown or Release", + "CWE-405": "Asymmetric Resource Consumption", + "CWE-406": "Insufficient Control of Network Message Volume", + "CWE-407": "Inefficient Algorithmic Complexity", + "CWE-408": "Incorrect Behavior Order: Early Amplification", + "CWE-409": "Improper Handling of Highly Compressed Data", + "CWE-410": "Insufficient Resource Pool", + "CWE-412": "Unrestricted Externally Accessible Lock", + "CWE-413": "Improper Resource Locking", + "CWE-414": "Missing Lock Check", + "CWE-415": "Double Free", + "CWE-416": "Use After Free", + "CWE-419": "Unprotected Primary Channel", + "CWE-420": "Unprotected Alternate Channel", + "CWE-421": "Race Condition During Access to Alternate Channel", + "CWE-422": "Unprotected Windows Messaging Channel", + "CWE-423": "DEPRECATED: Proxied Trusted Channel", + "CWE-424": "Improper Protection of Alternate Path", + "CWE-425": "Direct Request", + "CWE-426": "Untrusted Search Path", + "CWE-427": "Uncontrolled Search Path Element", + "CWE-428": "Unquoted Search Path or Element", + "CWE-430": "Deployment of Wrong Handler", + "CWE-431": "Missing Handler", + "CWE-432": "Dangerous Signal Handler not Disabled During Sensitive " + "Operations", + "CWE-433": "Unparsed Raw Web Content Delivery", + "CWE-434": "Unrestricted Upload of File with Dangerous Type", + "CWE-435": "Improper Interaction Between Multiple Correctly-Behaving " + "Entities", + "CWE-436": "Interpretation Conflict", + "CWE-437": "Incomplete Model of Endpoint Features", + "CWE-439": "Behavioral Change 
in New Version or Environment", + "CWE-440": "Expected Behavior Violation", + "CWE-441": "Unintended Proxy or Intermediary", + "CWE-443": "DEPRECATED: HTTP response splitting", + "CWE-444": "Inconsistent Interpretation of HTTP Requests", + "CWE-446": "UI Discrepancy for Security Feature", + "CWE-447": "Unimplemented or Unsupported Feature in UI", + "CWE-448": "Obsolete Feature in UI", + "CWE-449": "The UI Performs the Wrong Action", + "CWE-450": "Multiple Interpretations of UI Input", + "CWE-451": "User Interface", + "CWE-453": "Insecure Default Variable Initialization", + "CWE-454": "External Initialization of Trusted Variables or Data Stores", + "CWE-455": "Non-exit on Failed Initialization", + "CWE-456": "Missing Initialization of a Variable", + "CWE-457": "Use of Uninitialized Variable", + "CWE-458": "DEPRECATED: Incorrect Initialization", + "CWE-459": "Incomplete Cleanup", + "CWE-460": "Improper Cleanup on Thrown Exception", + "CWE-462": "Duplicate Key in Associative List", + "CWE-463": "Deletion of Data Structure Sentinel", + "CWE-464": "Addition of Data Structure Sentinel", + "CWE-466": "Return of Pointer Value Outside of Expected Range", + "CWE-467": "Use of sizeof", + "CWE-468": "Incorrect Pointer Scaling", + "CWE-469": "Use of Pointer Subtraction to Determine Size", + "CWE-470": "Use of Externally-Controlled Input to Select Classes or Code", + "CWE-471": "Modification of Assumed-Immutable Data", + "CWE-472": "External Control of Assumed-Immutable Web Parameter", + "CWE-473": "PHP External Variable Modification", + "CWE-474": "Use of Function with Inconsistent Implementations", + "CWE-475": "Undefined Behavior for Input to API", + "CWE-476": "NULL Pointer Dereference", + "CWE-477": "Use of Obsolete Function", + "CWE-478": "Missing Default Case in Multiple Condition Expression", + "CWE-479": "Signal Handler Use of a Non-reentrant Function", + "CWE-480": "Use of Incorrect Operator", + "CWE-481": "Assigning instead of Comparing", + "CWE-482": "Comparing 
instead of Assigning", + "CWE-483": "Incorrect Block Delimitation", + "CWE-484": "Omitted Break Statement in Switch", + "CWE-486": "Comparison of Classes by Name", + "CWE-487": "Reliance on Package-level Scope", + "CWE-488": "Exposure of Data Element to Wrong Session", + "CWE-489": "Active Debug Code", + "CWE-491": "Public cloneable", + "CWE-492": "Use of Inner Class Containing Sensitive Data", + "CWE-493": "Critical Public Variable Without Final Modifier", + "CWE-494": "Download of Code Without Integrity Check", + "CWE-495": "Private Data Structure Returned From A Public Method", + "CWE-496": "Public Data Assigned to Private Array-Typed Field", + "CWE-497": "Exposure of Sensitive System Information to an Unauthorized " + "Control Sphere", + "CWE-498": "Cloneable Class Containing Sensitive Information", + "CWE-499": "Serializable Class Containing Sensitive Data", + "CWE-500": "Public Static Field Not Marked Final", + "CWE-501": "Trust Boundary Violation", + "CWE-502": "Deserialization of Untrusted Data", + "CWE-506": "Embedded Malicious Code", + "CWE-507": "Trojan Horse", + "CWE-508": "Non-Replicating Malicious Code", + "CWE-509": "Replicating Malicious Code", + "CWE-510": "Trapdoor", + "CWE-511": "Logic/Time Bomb", + "CWE-512": "Spyware", + "CWE-514": "Covert Channel", + "CWE-515": "Covert Storage Channel", + "CWE-516": "DEPRECATED: Covert Timing Channel", + "CWE-520": ".NET Misconfiguration: Use of Impersonation", + "CWE-521": "Weak Password Requirements", + "CWE-522": "Insufficiently Protected Credentials", + "CWE-523": "Unprotected Transport of Credentials", + "CWE-524": "Use of Cache Containing Sensitive Information", + "CWE-525": "Use of Web Browser Cache Containing Sensitive Information", + "CWE-526": "Cleartext Storage of Sensitive Information in an Environment " + "Variable", + "CWE-527": "Exposure of Version-Control Repository to an Unauthorized " + "Control Sphere", + "CWE-528": "Exposure of Core Dump File to an Unauthorized Control Sphere", + "CWE-529": 
"Exposure of Access Control List Files to an Unauthorized " + "Control Sphere", + "CWE-530": "Exposure of Backup File to an Unauthorized Control Sphere", + "CWE-531": "Inclusion of Sensitive Information in Test Code", + "CWE-532": "Insertion of Sensitive Information into Log File", + "CWE-533": "DEPRECATED: Information Exposure Through Server Log Files", + "CWE-534": "DEPRECATED: Information Exposure Through Debug Log Files", + "CWE-535": "Exposure of Information Through Shell Error Message", + "CWE-536": "Servlet Runtime Error Message Containing Sensitive Information", + "CWE-537": "Java Runtime Error Message Containing Sensitive Information", + "CWE-538": "Insertion of Sensitive Information into Externally-Accessible " + "File or Directory", + "CWE-539": "Use of Persistent Cookies Containing Sensitive Information", + "CWE-540": "Inclusion of Sensitive Information in Source Code", + "CWE-541": "Inclusion of Sensitive Information in an Include File", + "CWE-542": "DEPRECATED: Information Exposure Through Cleanup Log Files", + "CWE-543": "Use of Singleton Pattern Without Synchronization in a " + "Multithreaded Context", + "CWE-544": "Missing Standardized Error Handling Mechanism", + "CWE-545": "DEPRECATED: Use of Dynamic Class Loading", + "CWE-546": "Suspicious Comment", + "CWE-547": "Use of Hard-coded, Security-relevant Constants", + "CWE-548": "Exposure of Information Through Directory Listing", + "CWE-549": "Missing Password Field Masking", + "CWE-550": "Server-generated Error Message Containing Sensitive " + "Information", + "CWE-551": "Incorrect Behavior Order: Authorization Before Parsing and " + "Canonicalization", + "CWE-552": "Files or Directories Accessible to External Parties", + "CWE-553": "Command Shell in Externally Accessible Directory", + "CWE-554": "ASP.NET Misconfiguration: Not Using Input Validation Framework", + "CWE-555": "J2EE Misconfiguration: Plaintext Password in Configuration " + "File", + "CWE-556": "ASP.NET Misconfiguration: Use of 
Identity Impersonation", + "CWE-558": "Use of getlogin", + "CWE-560": "Use of umask", + "CWE-561": "Dead Code", + "CWE-562": "Return of Stack Variable Address", + "CWE-563": "Assignment to Variable without Use", + "CWE-564": "SQL Injection: Hibernate", + "CWE-565": "Reliance on Cookies without Validation and Integrity Checking", + "CWE-566": "Authorization Bypass Through User-Controlled SQL Primary Key", + "CWE-567": "Unsynchronized Access to Shared Data in a Multithreaded " + "Context", + "CWE-568": "finalize", + "CWE-570": "Expression is Always False", + "CWE-571": "Expression is Always True", + "CWE-572": "Call to Thread run", + "CWE-573": "Improper Following of Specification by Caller", + "CWE-574": "EJB Bad Practices: Use of Synchronization Primitives", + "CWE-575": "EJB Bad Practices: Use of AWT Swing", + "CWE-576": "EJB Bad Practices: Use of Java I/O", + "CWE-577": "EJB Bad Practices: Use of Sockets", + "CWE-578": "EJB Bad Practices: Use of Class Loader", + "CWE-579": "J2EE Bad Practices: Non-serializable Object Stored in Session", + "CWE-580": "clone", + "CWE-581": "Object Model Violation: Just One of Equals and Hashcode " + "Defined", + "CWE-582": "Array Declared Public, Final, and Static", + "CWE-583": "finalize", + "CWE-584": "Return Inside Finally Block", + "CWE-585": "Empty Synchronized Block", + "CWE-586": "Explicit Call to Finalize", + "CWE-587": "Assignment of a Fixed Address to a Pointer", + "CWE-588": "Attempt to Access Child of a Non-structure Pointer", + "CWE-589": "Call to Non-ubiquitous API", + "CWE-590": "Free of Memory not on the Heap", + "CWE-591": "Sensitive Data Storage in Improperly Locked Memory", + "CWE-592": "DEPRECATED: Authentication Bypass Issues", + "CWE-593": "Authentication Bypass: OpenSSL CTX Object Modified after SSL " + "Objects are Created", + "CWE-594": "J2EE Framework: Saving Unserializable Objects to Disk", + "CWE-595": "Comparison of Object References Instead of Object Contents", + "CWE-596": "DEPRECATED: Incorrect 
Semantic Object Comparison", + "CWE-597": "Use of Wrong Operator in String Comparison", + "CWE-598": "Use of GET Request Method With Sensitive Query Strings", + "CWE-599": "Missing Validation of OpenSSL Certificate", + "CWE-600": "Uncaught Exception in Servlet ", + "CWE-601": "URL Redirection to Untrusted Site", + "CWE-602": "Client-Side Enforcement of Server-Side Security", + "CWE-603": "Use of Client-Side Authentication", + "CWE-605": "Multiple Binds to the Same Port", + "CWE-606": "Unchecked Input for Loop Condition", + "CWE-607": "Public Static Final Field References Mutable Object", + "CWE-608": "Struts: Non-private Field in ActionForm Class", + "CWE-609": "Double-Checked Locking", + "CWE-610": "Externally Controlled Reference to a Resource in Another " + "Sphere", + "CWE-611": "Improper Restriction of XML External Entity Reference", + "CWE-612": "Improper Authorization of Index Containing Sensitive " + "Information", + "CWE-613": "Insufficient Session Expiration", + "CWE-614": "Sensitive Cookie in HTTPS Session Without Secure Attribute", + "CWE-615": "Inclusion of Sensitive Information in Source Code Comments", + "CWE-616": "Incomplete Identification of Uploaded File Variables", + "CWE-617": "Reachable Assertion", + "CWE-618": "Exposed Unsafe ActiveX Method", + "CWE-619": "Dangling Database Cursor", + "CWE-620": "Unverified Password Change", + "CWE-621": "Variable Extraction Error", + "CWE-622": "Improper Validation of Function Hook Arguments", + "CWE-623": "Unsafe ActiveX Control Marked Safe For Scripting", + "CWE-624": "Executable Regular Expression Error", + "CWE-625": "Permissive Regular Expression", + "CWE-626": "Null Byte Interaction Error", + "CWE-627": "Dynamic Variable Evaluation", + "CWE-628": "Function Call with Incorrectly Specified Arguments", + "CWE-636": "Not Failing Securely", + "CWE-637": "Unnecessary Complexity in Protection Mechanism", + "CWE-638": "Not Using Complete Mediation", + "CWE-639": "Authorization Bypass Through User-Controlled 
Key", + "CWE-640": "Weak Password Recovery Mechanism for Forgotten Password", + "CWE-641": "Improper Restriction of Names for Files and Other Resources", + "CWE-642": "External Control of Critical State Data", + "CWE-643": "Improper Neutralization of Data within XPath Expressions", + "CWE-644": "Improper Neutralization of HTTP Headers for Scripting Syntax", + "CWE-645": "Overly Restrictive Account Lockout Mechanism", + "CWE-646": "Reliance on File Name or Extension of Externally-Supplied File", + "CWE-647": "Use of Non-Canonical URL Paths for Authorization Decisions", + "CWE-648": "Incorrect Use of Privileged APIs", + "CWE-649": "Reliance on Obfuscation or Encryption of Security-Relevant " + "Inputs without Integrity Checking", + "CWE-650": "Trusting HTTP Permission Methods on the Server Side", + "CWE-651": "Exposure of WSDL File Containing Sensitive Information", + "CWE-652": "Improper Neutralization of Data within XQuery Expressions", + "CWE-653": "Improper Isolation or Compartmentalization", + "CWE-654": "Reliance on a Single Factor in a Security Decision", + "CWE-655": "Insufficient Psychological Acceptability", + "CWE-656": "Reliance on Security Through Obscurity", + "CWE-657": "Violation of Secure Design Principles", + "CWE-662": "Improper Synchronization", + "CWE-663": "Use of a Non-reentrant Function in a Concurrent Context", + "CWE-664": "Improper Control of a Resource Through its Lifetime", + "CWE-665": "Improper Initialization", + "CWE-666": "Operation on Resource in Wrong Phase of Lifetime", + "CWE-667": "Improper Locking", + "CWE-668": "Exposure of Resource to Wrong Sphere", + "CWE-669": "Incorrect Resource Transfer Between Spheres", + "CWE-670": "Always-Incorrect Control Flow Implementation", + "CWE-671": "Lack of Administrator Control over Security", + "CWE-672": "Operation on a Resource after Expiration or Release", + "CWE-673": "External Influence of Sphere Definition", + "CWE-674": "Uncontrolled Recursion", + "CWE-675": "Multiple Operations on 
Resource in Single-Operation Context", + "CWE-676": "Use of Potentially Dangerous Function", + "CWE-680": "Integer Overflow to Buffer Overflow", + "CWE-681": "Incorrect Conversion between Numeric Types", + "CWE-682": "Incorrect Calculation", + "CWE-683": "Function Call With Incorrect Order of Arguments", + "CWE-684": "Incorrect Provision of Specified Functionality", + "CWE-685": "Function Call With Incorrect Number of Arguments", + "CWE-686": "Function Call With Incorrect Argument Type", + "CWE-687": "Function Call With Incorrectly Specified Argument Value", + "CWE-688": "Function Call With Incorrect Variable or Reference as Argument", + "CWE-689": "Permission Race Condition During Resource Copy", + "CWE-690": "Unchecked Return Value to NULL Pointer Dereference", + "CWE-691": "Insufficient Control Flow Management", + "CWE-692": "Incomplete Denylist to Cross-Site Scripting", + "CWE-693": "Protection Mechanism Failure", + "CWE-694": "Use of Multiple Resources with Duplicate Identifier", + "CWE-695": "Use of Low-Level Functionality", + "CWE-696": "Incorrect Behavior Order", + "CWE-697": "Incorrect Comparison", + "CWE-698": "Execution After Redirect", + "CWE-703": "Improper Check or Handling of Exceptional Conditions", + "CWE-704": "Incorrect Type Conversion or Cast", + "CWE-705": "Incorrect Control Flow Scoping", + "CWE-706": "Use of Incorrectly-Resolved Name or Reference", + "CWE-707": "Improper Neutralization", + "CWE-708": "Incorrect Ownership Assignment", + "CWE-710": "Improper Adherence to Coding Standards", + "CWE-732": "Incorrect Permission Assignment for Critical Resource", + "CWE-733": "Compiler Optimization Removal or Modification of " + "Security-critical Code", + "CWE-749": "Exposed Dangerous Method or Function", + "CWE-754": "Improper Check for Unusual or Exceptional Conditions", + "CWE-755": "Improper Handling of Exceptional Conditions", + "CWE-756": "Missing Custom Error Page", + "CWE-757": "Selection of Less-Secure Algorithm During Negotiation", + 
"CWE-758": "Reliance on Undefined, Unspecified, or Implementation-Defined " + "Behavior", + "CWE-759": "Use of a One-Way Hash without a Salt", + "CWE-760": "Use of a One-Way Hash with a Predictable Salt", + "CWE-761": "Free of Pointer not at Start of Buffer", + "CWE-762": "Mismatched Memory Management Routines", + "CWE-763": "Release of Invalid Pointer or Reference", + "CWE-764": "Multiple Locks of a Critical Resource", + "CWE-765": "Multiple Unlocks of a Critical Resource", + "CWE-766": "Critical Data Element Declared Public", + "CWE-767": "Access to Critical Private Variable via Public Method", + "CWE-768": "Incorrect Short Circuit Evaluation", + "CWE-769": "DEPRECATED: Uncontrolled File Descriptor Consumption", + "CWE-770": "Allocation of Resources Without Limits or Throttling", + "CWE-771": "Missing Reference to Active Allocated Resource", + "CWE-772": "Missing Release of Resource after Effective Lifetime", + "CWE-773": "Missing Reference to Active File Descriptor or Handle", + "CWE-774": "Allocation of File Descriptors or Handles Without Limits or " + "Throttling", + "CWE-775": "Missing Release of File Descriptor or Handle after Effective " + "Lifetime", + "CWE-776": "Improper Restriction of Recursive Entity References in DTDs", + "CWE-777": "Regular Expression without Anchors", + "CWE-778": "Insufficient Logging", + "CWE-779": "Logging of Excessive Data", + "CWE-780": "Use of RSA Algorithm without OAEP", + "CWE-781": "Improper Address Validation in IOCTL with METHOD_NEITHER I/O " + "Control Code", + "CWE-782": "Exposed IOCTL with Insufficient Access Control", + "CWE-783": "Operator Precedence Logic Error", + "CWE-784": "Reliance on Cookies without Validation and Integrity Checking " + "in a Security Decision", + "CWE-785": "Use of Path Manipulation Function without Maximum-sized Buffer", + "CWE-786": "Access of Memory Location Before Start of Buffer", + "CWE-787": "Out-of-bounds Write", + "CWE-788": "Access of Memory Location After End of Buffer", + 
"CWE-789": "Memory Allocation with Excessive Size Value", + "CWE-790": "Improper Filtering of Special Elements", + "CWE-791": "Incomplete Filtering of Special Elements", + "CWE-792": "Incomplete Filtering of One or More Instances of Special " + "Elements", + "CWE-793": "Only Filtering One Instance of a Special Element", + "CWE-794": "Incomplete Filtering of Multiple Instances of Special Elements", + "CWE-795": "Only Filtering Special Elements at a Specified Location", + "CWE-796": "Only Filtering Special Elements Relative to a Marker", + "CWE-797": "Only Filtering Special Elements at an Absolute Position", + "CWE-798": "Use of Hard-coded Credentials", + "CWE-799": "Improper Control of Interaction Frequency", + "CWE-804": "Guessable CAPTCHA", + "CWE-805": "Buffer Access with Incorrect Length Value", + "CWE-806": "Buffer Access Using Size of Source Buffer", + "CWE-807": "Reliance on Untrusted Inputs in a Security Decision", + "CWE-820": "Missing Synchronization", + "CWE-821": "Incorrect Synchronization", + "CWE-822": "Untrusted Pointer Dereference", + "CWE-823": "Use of Out-of-range Pointer Offset", + "CWE-824": "Access of Uninitialized Pointer", + "CWE-825": "Expired Pointer Dereference", + "CWE-826": "Premature Release of Resource During Expected Lifetime", + "CWE-827": "Improper Control of Document Type Definition", + "CWE-828": "Signal Handler with Functionality that is not " + "Asynchronous-Safe", + "CWE-829": "Inclusion of Functionality from Untrusted Control Sphere", + "CWE-830": "Inclusion of Web Functionality from an Untrusted Source", + "CWE-831": "Signal Handler Function Associated with Multiple Signals", + "CWE-832": "Unlock of a Resource that is not Locked", + "CWE-833": "Deadlock", + "CWE-834": "Excessive Iteration", + "CWE-835": "Loop with Unreachable Exit Condition", + "CWE-836": "Use of Password Hash Instead of Password for Authentication", + "CWE-837": "Improper Enforcement of a Single, Unique Action", + "CWE-838": "Inappropriate Encoding for Output 
Context", + "CWE-839": "Numeric Range Comparison Without Minimum Check", + "CWE-841": "Improper Enforcement of Behavioral Workflow", + "CWE-842": "Placement of User into Incorrect Group", + "CWE-843": "Access of Resource Using Incompatible Type", + "CWE-862": "Missing Authorization", + "CWE-863": "Incorrect Authorization", + "CWE-908": "Use of Uninitialized Resource", + "CWE-909": "Missing Initialization of Resource", + "CWE-910": "Use of Expired File Descriptor", + "CWE-911": "Improper Update of Reference Count", + "CWE-912": "Hidden Functionality", + "CWE-913": "Improper Control of Dynamically-Managed Code Resources", + "CWE-914": "Improper Control of Dynamically-Identified Variables", + "CWE-915": "Improperly Controlled Modification of Dynamically-Determined " + "Object Attributes", + "CWE-916": "Use of Password Hash With Insufficient Computational Effort", + "CWE-917": "Improper Neutralization of Special Elements used in an " + "Expression Language Statement", + "CWE-918": "Server-Side Request Forgery", + "CWE-920": "Improper Restriction of Power Consumption", + "CWE-921": "Storage of Sensitive Data in a Mechanism without Access " + "Control", + "CWE-922": "Insecure Storage of Sensitive Information", + "CWE-923": "Improper Restriction of Communication Channel to Intended " + "Endpoints", + "CWE-924": "Improper Enforcement of Message Integrity During Transmission " + "in a Communication Channel", + "CWE-925": "Improper Verification of Intent by Broadcast Receiver", + "CWE-926": "Improper Export of Android Application Components", + "CWE-927": "Use of Implicit Intent for Sensitive Communication", + "CWE-939": "Improper Authorization in Handler for Custom URL Scheme", + "CWE-940": "Improper Verification of Source of a Communication Channel", + "CWE-941": "Incorrectly Specified Destination in a Communication Channel", + "CWE-942": "Permissive Cross-domain Policy with Untrusted Domains", + "CWE-943": "Improper Neutralization of Special Elements in Data Query " + 
"Logic", + "CWE-1004": "Sensitive Cookie Without HttpOnly Flag", + "CWE-1007": "Insufficient Visual Distinction of Homoglyphs Presented to " + "User", + "CWE-1021": "Improper Restriction of Rendered UI Layers or Frames", + "CWE-1022": "Use of Web Link to Untrusted Target with window.opener Access", + "CWE-1023": "Incomplete Comparison with Missing Factors", + "CWE-1024": "Comparison of Incompatible Types", + "CWE-1025": "Comparison Using Wrong Factors", + "CWE-1037": "Processor Optimization Removal or Modification of " + "Security-critical Code", + "CWE-1038": "Insecure Automated Optimizations", + "CWE-1039": "Automated Recognition Mechanism with Inadequate Detection or " + "Handling of Adversarial Input Perturbations", + "CWE-1041": "Use of Redundant Code", + "CWE-1042": "Static Member Data Element outside of a Singleton Class " + "Element", + "CWE-1043": "Data Element Aggregating an Excessively Large Number of " + "Non-Primitive Elements", + "CWE-1044": "Architecture with Number of Horizontal Layers Outside of " + "Expected Range", + "CWE-1045": "Parent Class with a Virtual Destructor and a Child Class " + "without a Virtual Destructor", + "CWE-1046": "Creation of Immutable Text Using String Concatenation", + "CWE-1047": "Modules with Circular Dependencies", + "CWE-1048": "Invokable Control Element with Large Number of Outward Calls", + "CWE-1049": "Excessive Data Query Operations in a Large Data Table", + "CWE-1050": "Excessive Platform Resource Consumption within a Loop", + "CWE-1051": "Initialization with Hard-Coded Network Resource " + "Configuration Data", + "CWE-1052": "Excessive Use of Hard-Coded Literals in Initialization", + "CWE-1053": "Missing Documentation for Design", + "CWE-1054": "Invocation of a Control Element at an Unnecessarily Deep " + "Horizontal Layer", + "CWE-1055": "Multiple Inheritance from Concrete Classes", + "CWE-1056": "Invokable Control Element with Variadic Parameters", + "CWE-1057": "Data Access Operations Outside of Expected Data 
Manager " + "Component", + "CWE-1058": "Invokable Control Element in Multi-Thread Context with " + "non-Final Static Storable or Member Element", + "CWE-1059": "Insufficient Technical Documentation", + "CWE-1060": "Excessive Number of Inefficient Server-Side Data Accesses", + "CWE-1061": "Insufficient Encapsulation", + "CWE-1062": "Parent Class with References to Child Class", + "CWE-1063": "Creation of Class Instance within a Static Code Block", + "CWE-1064": "Invokable Control Element with Signature Containing an " + "Excessive Number of Parameters", + "CWE-1065": "Runtime Resource Management Control Element in a Component " + "Built to Run on Application Servers", + "CWE-1066": "Missing Serialization Control Element", + "CWE-1067": "Excessive Execution of Sequential Searches of Data Resource", + "CWE-1068": "Inconsistency Between Implementation and Documented Design", + "CWE-1069": "Empty Exception Block", + "CWE-1070": "Serializable Data Element Containing non-Serializable Item " + "Elements", + "CWE-1071": "Empty Code Block", + "CWE-1072": "Data Resource Access without Use of Connection Pooling", + "CWE-1073": "Non-SQL Invokable Control Element with Excessive Number of " + "Data Resource Accesses", + "CWE-1074": "Class with Excessively Deep Inheritance", + "CWE-1075": "Unconditional Control Flow Transfer outside of Switch Block", + "CWE-1076": "Insufficient Adherence to Expected Conventions", + "CWE-1077": "Floating Point Comparison with Incorrect Operator", + "CWE-1078": "Inappropriate Source Code Style or Formatting", + "CWE-1079": "Parent Class without Virtual Destructor Method", + "CWE-1080": "Source Code File with Excessive Number of Lines of Code", + "CWE-1082": "Class Instance Self Destruction Control Element", + "CWE-1083": "Data Access from Outside Expected Data Manager Component", + "CWE-1084": "Invokable Control Element with Excessive File or Data Access " + "Operations", + "CWE-1085": "Invokable Control Element with Excessive Volume of " + 
"Commented-out Code", + "CWE-1086": "Class with Excessive Number of Child Classes", + "CWE-1087": "Class with Virtual Method without a Virtual Destructor", + "CWE-1088": "Synchronous Access of Remote Resource without Timeout", + "CWE-1089": "Large Data Table with Excessive Number of Indices", + "CWE-1090": "Method Containing Access of a Member Element from Another " + "Class", + "CWE-1091": "Use of Object without Invoking Destructor Method", + "CWE-1092": "Use of Same Invokable Control Element in Multiple " + "Architectural Layers", + "CWE-1093": "Excessively Complex Data Representation", + "CWE-1094": "Excessive Index Range Scan for a Data Resource", + "CWE-1095": "Loop Condition Value Update within the Loop", + "CWE-1096": "Singleton Class Instance Creation without Proper Locking or " + "Synchronization", + "CWE-1097": "Persistent Storable Data Element without Associated " + "Comparison Control Element", + "CWE-1098": "Data Element containing Pointer Item without Proper Copy " + "Control Element", + "CWE-1099": "Inconsistent Naming Conventions for Identifiers", + "CWE-1100": "Insufficient Isolation of System-Dependent Functions", + "CWE-1101": "Reliance on Runtime Component in Generated Code", + "CWE-1102": "Reliance on Machine-Dependent Data Representation", + "CWE-1103": "Use of Platform-Dependent Third Party Components", + "CWE-1104": "Use of Unmaintained Third Party Components", + "CWE-1105": "Insufficient Encapsulation of Machine-Dependent Functionality", + "CWE-1106": "Insufficient Use of Symbolic Constants", + "CWE-1107": "Insufficient Isolation of Symbolic Constant Definitions", + "CWE-1108": "Excessive Reliance on Global Variables", + "CWE-1109": "Use of Same Variable for Multiple Purposes", + "CWE-1110": "Incomplete Design Documentation", + "CWE-1111": "Incomplete I/O Documentation", + "CWE-1112": "Incomplete Documentation of Program Execution", + "CWE-1113": "Inappropriate Comment Style", + "CWE-1114": "Inappropriate Whitespace Style", + "CWE-1115": 
"Source Code Element without Standard Prologue", + "CWE-1116": "Inaccurate Comments", + "CWE-1117": "Callable with Insufficient Behavioral Summary", + "CWE-1118": "Insufficient Documentation of Error Handling Techniques", + "CWE-1119": "Excessive Use of Unconditional Branching", + "CWE-1120": "Excessive Code Complexity", + "CWE-1121": "Excessive McCabe Cyclomatic Complexity", + "CWE-1122": "Excessive Halstead Complexity", + "CWE-1123": "Excessive Use of Self-Modifying Code", + "CWE-1124": "Excessively Deep Nesting", + "CWE-1125": "Excessive Attack Surface", + "CWE-1126": "Declaration of Variable with Unnecessarily Wide Scope", + "CWE-1127": "Compilation with Insufficient Warnings or Errors", + "CWE-1164": "Irrelevant Code", + "CWE-1173": "Improper Use of Validation Framework", + "CWE-1174": "ASP.NET Misconfiguration: Improper Model Validation", + "CWE-1176": "Inefficient CPU Computation", + "CWE-1177": "Use of Prohibited Code", + "CWE-1187": "DEPRECATED: Use of Uninitialized Resource", + "CWE-1188": "Insecure Default Initialization of Resource", + "CWE-1189": "Improper Isolation of Shared Resources on System-on-a-Chip", + "CWE-1190": "DMA Device Enabled Too Early in Boot Phase", + "CWE-1191": "On-Chip Debug and Test Interface With Improper Access Control", + "CWE-1192": "System-on-Chip", + "CWE-1193": "Power-On of Untrusted Execution Core Before Enabling Fabric " + "Access Control", + "CWE-1204": "Generation of Weak Initialization Vector", + "CWE-1209": "Failure to Disable Reserved Bits", + "CWE-1220": "Insufficient Granularity of Access Control", + "CWE-1221": "Incorrect Register Defaults or Module Parameters", + "CWE-1222": "Insufficient Granularity of Address Regions Protected by " + "Register Locks", + "CWE-1223": "Race Condition for Write-Once Attributes", + "CWE-1224": "Improper Restriction of Write-Once Bit Fields", + "CWE-1229": "Creation of Emergent Resource", + "CWE-1230": "Exposure of Sensitive Information Through Metadata", + "CWE-1231": "Improper 
Prevention of Lock Bit Modification", + "CWE-1232": "Improper Lock Behavior After Power State Transition", + "CWE-1233": "Security-Sensitive Hardware Controls with Missing Lock Bit " + "Protection", + "CWE-1234": "Hardware Internal or Debug Modes Allow Override of Locks", + "CWE-1235": "Incorrect Use of Autoboxing and Unboxing for Performance " + "Critical Operations", + "CWE-1236": "Improper Neutralization of Formula Elements in a CSV File", + "CWE-1239": "Improper Zeroization of Hardware Register", + "CWE-1240": "Use of a Cryptographic Primitive with a Risky Implementation", + "CWE-1241": "Use of Predictable Algorithm in Random Number Generator", + "CWE-1242": "Inclusion of Undocumented Features or Chicken Bits", + "CWE-1243": "Sensitive Non-Volatile Information Not Protected During Debug", + "CWE-1244": "Internal Asset Exposed to Unsafe Debug Access Level or State", + "CWE-1245": "Improper Finite State Machines", + "CWE-1246": "Improper Write Handling in Limited-write Non-Volatile " + "Memories", + "CWE-1247": "Improper Protection Against Voltage and Clock Glitches", + "CWE-1248": "Semiconductor Defects in Hardware Logic with " + "Security-Sensitive Implications", + "CWE-1249": "Application-Level Admin Tool with Inconsistent View of " + "Underlying Operating System", + "CWE-1250": "Improper Preservation of Consistency Between Independent " + "Representations of Shared State", + "CWE-1251": "Mirrored Regions with Different Values", + "CWE-1252": "CPU Hardware Not Configured to Support Exclusivity of Write " + "and Execute Operations", + "CWE-1253": "Incorrect Selection of Fuse Values", + "CWE-1254": "Incorrect Comparison Logic Granularity", + "CWE-1255": "Comparison Logic is Vulnerable to Power Side-Channel Attacks", + "CWE-1256": "Improper Restriction of Software Interfaces to Hardware " + "Features", + "CWE-1257": "Improper Access Control Applied to Mirrored or Aliased " + "Memory Regions", + "CWE-1258": "Exposure of Sensitive System Information Due to 
Uncleared " + "Debug Information", + "CWE-1259": "Improper Restriction of Security Token Assignment", + "CWE-1260": "Improper Handling of Overlap Between Protected Memory Ranges", + "CWE-1261": "Improper Handling of Single Event Upsets", + "CWE-1262": "Improper Access Control for Register Interface", + "CWE-1263": "Improper Physical Access Control", + "CWE-1264": "Hardware Logic with Insecure De-Synchronization between " + "Control and Data Channels", + "CWE-1265": "Unintended Reentrant Invocation of Non-reentrant Code Via " + "Nested Calls", + "CWE-1266": "Improper Scrubbing of Sensitive Data from Decommissioned " + "Device", + "CWE-1267": "Policy Uses Obsolete Encoding", + "CWE-1268": "Policy Privileges are not Assigned Consistently Between " + "Control and Data Agents", + "CWE-1269": "Product Released in Non-Release Configuration", + "CWE-1270": "Generation of Incorrect Security Tokens", + "CWE-1271": "Uninitialized Value on Reset for Registers Holding Security " + "Settings", + "CWE-1272": "Sensitive Information Uncleared Before Debug/Power State " + "Transition", + "CWE-1273": "Device Unlock Credential Sharing", + "CWE-1274": "Improper Access Control for Volatile Memory Containing Boot " + "Code", + "CWE-1275": "Sensitive Cookie with Improper SameSite Attribute", + "CWE-1276": "Hardware Child Block Incorrectly Connected to Parent System", + "CWE-1277": "Firmware Not Updateable", + "CWE-1278": "Missing Protection Against Hardware Reverse Engineering " + "Using Integrated Circuit", + "CWE-1279": "Cryptographic Operations are run Before Supporting Units are " + "Ready", + "CWE-1280": "Access Control Check Implemented After Asset is Accessed", + "CWE-1281": "Sequence of Processor Instructions Leads to Unexpected " + "Behavior", + "CWE-1282": "Assumed-Immutable Data is Stored in Writable Memory", + "CWE-1283": "Mutable Attestation or Measurement Reporting Data", + "CWE-1284": "Improper Validation of Specified Quantity in Input", + "CWE-1285": "Improper Validation 
of Specified Index, Position, or Offset " + "in Input", + "CWE-1286": "Improper Validation of Syntactic Correctness of Input", + "CWE-1287": "Improper Validation of Specified Type of Input", + "CWE-1288": "Improper Validation of Consistency within Input", + "CWE-1289": "Improper Validation of Unsafe Equivalence in Input", + "CWE-1290": "Incorrect Decoding of Security Identifiers ", + "CWE-1291": "Public Key Re-Use for Signing both Debug and Production Code", + "CWE-1292": "Incorrect Conversion of Security Identifiers", + "CWE-1293": "Missing Source Correlation of Multiple Independent Data", + "CWE-1294": "Insecure Security Identifier Mechanism", + "CWE-1295": "Debug Messages Revealing Unnecessary Information", + "CWE-1296": "Incorrect Chaining or Granularity of Debug Components", + "CWE-1297": "Unprotected Confidential Information on Device is Accessible " + "by OSAT Vendors", + "CWE-1298": "Hardware Logic Contains Race Conditions", + "CWE-1299": "Missing Protection Mechanism for Alternate Hardware Interface", + "CWE-1300": "Improper Protection of Physical Side Channels", + "CWE-1301": "Insufficient or Incomplete Data Removal within Hardware " + "Component", + "CWE-1302": "Missing Security Identifier", + "CWE-1303": "Non-Transparent Sharing of Microarchitectural Resources", + "CWE-1304": "Improperly Preserved Integrity of Hardware Configuration " + "State During a Power Save/Restore Operation", + "CWE-1310": "Missing Ability to Patch ROM Code", + "CWE-1311": "Improper Translation of Security Attributes by Fabric Bridge", + "CWE-1312": "Missing Protection for Mirrored Regions in On-Chip Fabric " + "Firewall", + "CWE-1313": "Hardware Allows Activation of Test or Debug Logic at Runtime", + "CWE-1314": "Missing Write Protection for Parametric Data Values", + "CWE-1315": "Improper Setting of Bus Controlling Capability in Fabric " + "End-point", + "CWE-1316": "Fabric-Address Map Allows Programming of Unwarranted " + "Overlaps of Protected and Unprotected Ranges", + 
"CWE-1317": "Improper Access Control in Fabric Bridge", + "CWE-1318": "Missing Support for Security Features in On-chip Fabrics or " + "Buses", + "CWE-1319": "Improper Protection against Electromagnetic Fault Injection", + "CWE-1320": "Improper Protection for Outbound Error Messages and Alert " + "Signals", + "CWE-1321": "Improperly Controlled Modification of Object Prototype " + "Attributes", + "CWE-1322": "Use of Blocking Code in Single-threaded, Non-blocking Context", + "CWE-1323": "Improper Management of Sensitive Trace Data", + "CWE-1324": "DEPRECATED: Sensitive Information Accessible by Physical " + "Probing of JTAG Interface", + "CWE-1325": "Improperly Controlled Sequential Memory Allocation", + "CWE-1326": "Missing Immutable Root of Trust in Hardware", + "CWE-1327": "Binding to an Unrestricted IP Address", + "CWE-1328": "Security Version Number Mutable to Older Versions", + "CWE-1329": "Reliance on Component That is Not Updateable", + "CWE-1330": "Remanent Data Readable after Memory Erase", + "CWE-1331": "Improper Isolation of Shared Resources in Network On Chip", + "CWE-1332": "Improper Handling of Faults that Lead to Instruction Skips", + "CWE-1333": "Inefficient Regular Expression Complexity", + "CWE-1334": "Unauthorized Error Injection Can Degrade Hardware Redundancy", + "CWE-1335": "Incorrect Bitwise Shift of Integer", + "CWE-1336": "Improper Neutralization of Special Elements Used in a " + "Template Engine", + "CWE-1338": "Improper Protections Against Hardware Overheating", + "CWE-1339": "Insufficient Precision or Accuracy of a Real Number", + "CWE-1341": "Multiple Releases of Same Resource or Handle", + "CWE-1342": "Information Exposure through Microarchitectural State after " + "Transient Execution", + "CWE-1351": "Improper Handling of Hardware Behavior in Exceptionally Cold " + "Environments", + "CWE-1357": "Reliance on Insufficiently Trustworthy Component", + "CWE-1384": "Improper Handling of Physical or Environmental Conditions", + "CWE-1385": 
"Missing Origin Validation in WebSockets", + "CWE-1386": "Insecure Operation on Windows Junction / Mount Point", + "CWE-1389": "Incorrect Parsing of Numbers with Different Radices", + "CWE-1390": "Weak Authentication", + "CWE-1391": "Use of Weak Credentials", + "CWE-1392": "Use of Default Credentials", + "CWE-1393": "Use of Default Password", + "CWE-1394": "Use of Default Cryptographic Key", + "CWE-1395": "Dependency on Vulnerable Third-Party Component", +} + +TOML_TEMPLATE = { + "depscan_version": get_version(), + "note": [ + {"audience": "", "category": "", "text": "", "title": ""}, + {"audience": "", "category": "", "text": "", "title": ""}, + ], + "reference": [ + {"category": "", "summary": "", "url": ""}, + {"category": "", "summary": "", "url": ""}, + ], + "distribution": {"label": "", "text": "", "url": ""}, + "document": {"category": "csaf_vex", "title": "Your Title"}, + "product_tree": {"easy_import": ""}, + "publisher": { + "category": "vendor", + "contact_details": "vendor@mcvendorson.com", + "name": "Vendor McVendorson", + "namespace": "https://appthreat.com", + }, + "tracking": { + "current_release_date": "", + "id": "", + "initial_release_date": "", + "status": "draft", + "version": "", + "revision": [{"date": "", "number": "", "summary": ""}], + }, +} + +ref_map = { + r"cve-[0-9]{4,}-[0-9]{4,}$": "CVE Record", + r"(?<=bugzilla.)\S+(?=.\w{3}/show_bug.cgi\?id=)": "Bugzilla", + r"https://github.com/([\w\d\-.]+/[\w\d\-.]+/security/)?advisories": + "GitHub Advisory", + r"https://github.com/[\w\d\-.]+/[\w\d\-.]+/pull/\d+": "GitHub Pull Request", + r"https://github.com/[\w\d\-.]+/[\w\d\-.]+/commit": "GitHub Commit", + r"https://github.com/[\w\d\-.]+/[\w\d\-.]+/release": "GitHub Repository " + "Release", + r"https://github.com/[\w\d\-.]+/[\w\d\-.]+/issues/?": "GitHub Issue", + r"https://github.com/[\w\d\-.]+/[\w\d\-.]+/blob": "GitHub Blob Reference", + r"https://github.com/[\w\d\-.]+/[\w\d\-.]+/?$": "GitHub Repository", + "https://gist.github.com": "GitHub 
Gist", + r"https://github.com/": "GitHub Other", + r"https://access.redhat.com/errata/rhba-\d{4}:\d{4}": "Red Hat Bug Fix " + "Advisory", + r"https://access.redhat.com/errata/rhsa-\d{4}:\d{4}": "Red Hat Security " + "Advisory", + "https://www.npmjs.com/advisories/": "NPM Advisory", + r"https://www.npmjs.com/package/@?\w+/?\w+": "NPM Package Page", + "https://www.oracle.com/security-alerts": "Oracle Security Alert", + "https://security.netapp.com/advisory": "NetApp Security Advisory", + "https://security.snyk.io/vuln": "Snyk Vulnerability Database Entry", + "https://snyk.io/vuln/": "Snyk Vulnerability Database Entry", + "https://www.debian.org/security": "Debian Security Advisory", + "https://security.gentoo.org/glsa": "Gentoo Security Advisory", + ".+advisory.?": "Advisory", +} + +sorted_ref_map = sorted(ref_map.items(), key=lambda x: len(x[0]), reverse=True) +sorted_ref_map = dict(sorted_ref_map) + +compiled_patterns = { + re.compile(pattern): value for pattern, value in sorted_ref_map.items() +} + + +class CsafOccurence: + def __init__(self, res): + self.cve = res["id"] + [self.cwe, self.notes] = parse_cwe(res["problem_type"]) + self.score = res["cvss_score"] + self.cvss_v3 = parse_cvss(res) + self.package_issue = res["package_issue"] + [self.pkg, self.product_status] = get_product_status( + res["package_issue"], res["matched_by"] + ) + self.description = ( + res["short_description"] + .replace("\\n", " ") + .replace("\\t", " ") + .replace("\n", " ") + .replace("\t", " ") + ) + self.references = res["related_urls"] + self.type = (res["type"],) + self.severity = res["severity"] + self.orig_date = res["source_orig_time"] or None + self.update_date = res["source_update_time"] or None + + def to_dict(self): + vuln = {} + if self.cve.startswith("CVE"): + vuln["cve"] = self.cve + vuln["cwe"] = self.cwe + vuln["discovery_date"] = str(self.orig_date) or str(self.update_date) + vuln["product_status"] = self.product_status + [ids, vuln["references"]] = 
format_references(self.references) + vuln["ids"] = ids + vuln["scores"] = [{"cvss_v3": self.cvss_v3, "products": [self.pkg]}] + self.notes.append( + { + "category": "general", + "text": self.description, + "details": "Vulnerability Description", + } + ) + vuln["notes"] = self.notes + return vuln + + +def get_product_status(issue, matched_by): + """ + Generates the product status based on the given response and package. + + Args: + issue (dict): The response dictionary of information about the product. + matched_by (str): The location data + + Returns: dict: A dictionary containing the product status. The keys + represent different statuses, while the values represent the corresponding + locations. If the product has a fixed location, the key "fixed" will be + present with the fixed location as its value. If the product has an affected + location, the key "known_affected" will be present with the affected + location as its value. + + """ + product_status = {} + pkg = matched_by.split("|") + if len(pkg) == 3: + pkg = matched_by.split("|")[1] + elif len(pkg) == 4: + pkg = matched_by.split("|")[2] + if issue.get("fixed_location"): + product_status["fixed"] = [f"{pkg}:{issue.get('fixed_location')}"] + if issue.get("affected_location"): + try: + loc_dict = issue.get("affected_location") + product_status["known_affected"] = [ + f'{loc_dict.get("package")}:{loc_dict.get("version")}' + ] + except json.JSONDecodeError: + logging.warning("Invalid JSON string for affected_location") + return pkg, product_status + + +def parse_cwe(cwe): + fmt_cwe = None + new_notes = [] + + if not cwe or cwe in ["UNKNOWN", [], "[]"]: + return fmt_cwe, new_notes + + cwe_ids = re.findall(r"CWE-[1-9]\d{0,5}", cwe) + for i in range(len(cwe_ids)): + cwe_name = CWE_MAP.get(cwe_ids[i], "UNABLE TO LOCATE CWE NAME") + if not cwe_name: + LOG.warning( + f"We couldn't locate the name of the CWE with the following " + f"id: {cwe_ids[i]}. 
Help us out by reporting the id at " + f"https://github.com/owasp-dep-scan/dep-scan/issues." + ) + if i == 0: + fmt_cwe = { + "id": cwe_ids[i], + "name": cwe_name, + } + # CSAF 2.0 only allows a single CWE per vulnerability, so we add + # any additional CWEs to a note entry. + else: + new_notes.append( + { + "title": f"Additional CWE: {cwe_ids[i]}", + "audience": "developers", + "category": "other", + "text": cwe_name, + } + ) + + return fmt_cwe, new_notes + + +def parse_cvss(res): + """ + Parses the CVSS information from the given response. + + Parameters: + res (dict): The response containing the CVSS information. + + Returns: + dict or None: The parsed CVSS information as a dictionary, or None if + the CVSS vector string is empty as it is required for cvss v3. + The dictionary contains the following keys: + - baseScore (float): The base score of the CVSS. + - attackVector (str): The attack vector of the CVSS. + - privilegesRequired (str): Privileges required for the CVSS. + - userInteraction (str): User interaction required for the CVSS. + - scope (str): The scope of the CVSS. + - impactScore (str): The impact score of the CVSS. + - baseSeverity (str): The base severity of the CVSS. + - version (str): The version of the CVSS. + - vectorString (str): The vector string of the CVSS. + If the vector string or base score are missing, or the CVSS + version is not 3.0 or 3.1, None is returned. 
+ """ + cvss_v3 = res.get("cvss_v3") + version = re.findall(r"3.0|3.1", cvss_v3["vector_string"]) + # baseScore, vectorString, and version are required for a valid score + if ( + not cvss_v3 + or not cvss_v3.get("vector_string") + or not version + or not cvss_v3.get("base_score") + ): + return None + version = version[0] + return { + "baseScore": cvss_v3["base_score"], + "attackVector": cvss_v3["attack_vector"], + "privilegesRequired": cvss_v3["privileges_required"], + "userInteraction": cvss_v3["user_interaction"], + "scope": cvss_v3["scope"], + "baseSeverity": res["severity"], + "version": version, + "vectorString": cvss_v3["vector_string"], + } + + +def format_references(ref): + """ + Formats the given references. + + Args: + ref (list): A list of references. + + Returns: + list: A list of dictionaries with the formatted references. + """ + fmt_refs = [{"summary": get_ref_summary(r), "url": r} for r in ref] + ids = [] + github_advisory_regex = re.compile(r"GHSA-\w{4}-\w{4}-\w{4}$") + github_issue_regex = re.compile(r"(?<=issues/)\d+") + bugzilla_regex = re.compile( + r"(?<=bugzilla.)\S+(?=.\w{3}/show_bug.cgi\?id=)" + ) + bugzilla_id_regex = re.compile(r"(?<=show_bug.cgi\?id=)\d+") + redhat_advisory_regex = re.compile(r"RH[BS]A-\d{4}:\d+") + refs = [] + for reference in fmt_refs: + r = reference["url"] + summary = reference["summary"] + if summary == "GitHub Advisory": + ids.append( + { + "system_name": summary, + "text": github_advisory_regex.findall(r)[0], + } + ) + elif summary == "GitHub Issue": + ids.append( + { + "system_name": summary, + "text": github_issue_regex.findall(r)[0], + } + ) + elif summary == "Bugzilla": + new_id = { + "system_name": f"{bugzilla_regex.findall(r)[0].capitalize()}" + f" Bugzilla ID", + "text": bugzilla_id_regex.findall(r)[0], + } + if new_id["system_name"] == "Redhat Bugzilla ID": + new_id["system_name"] = "Red Hat Bugzilla ID" + ids.append(new_id) + elif summary in [ + "Red Hat Security Advisory", + "Red Hat Bug Fix Advisory", + 
]: + ids.append( + { + "system_name": summary, + "text": redhat_advisory_regex.findall(r)[0], + } + ) + refs.append(reference) + return ids, refs + + +def get_ref_summary(url): + """ + Returns the summary string associated with a given URL. + + Parameters: + url (str): The URL to match against the patterns in the REF_MAP. + + Returns: + str: The summary string corresponding to the matched pattern in REF_MAP. + If no match is found, an exception is raised. + """ + if type(url) is not str: + raise TypeError("url must be a string") + + return next( + ( + value + for pattern, value in compiled_patterns.items() + if pattern.search(url.lower()) + ), + "Other", + ) + + +def parse_revision_history(tracking): + """ + Parses the revision history of a tracking object. + + Args: + tracking (dict): The tracking object containing the revision history. + + Returns: + dict: The updated tracking object with the parsed revision history. + """ + hx = deepcopy(tracking.get("revision", [])) + if len(hx) > 0: + hx = cleanup_list(hx) + status = tracking.get("status") + if not status or len(status) == 0: + status = "draft" + dt = datetime.now().strftime(TIME_FMT) + tracking = cleanup_dict(tracking) + # Format dates + try: + + tracking["initial_release_date"] = ( + convert_time(tracking.get("initial_release_date", tracking.get( + "current_release_date", dt))) + ).strftime(TIME_FMT) + tracking["current_release_date"] = ( + convert_time(tracking.get("current_release_date", tracking.get( + "initial_release_date"))) + ).strftime(TIME_FMT) + except AttributeError: + LOG.warning("Your dates don't appear to be in ISO format.") + if status == "final" and len(hx) == 0: + hx.append( + { + "date": tracking["initial_release_date"], + "number": "1", + "summary": "Initial", + } + ) + elif status == "final" and len(hx) > 0: + hx = sorted(hx, key=lambda x: x["number"]) + tracking["initial_release_date"] = hx[0]["date"] + if tracking["current_release_date"] == hx[-1]["date"]: + 
tracking["current_release_date"] = dt + hx.append( + { + "date": tracking["current_release_date"], + "number": str(len(hx) + 1), + "summary": "Update", + } + ) + if len(hx) > 0: + tracking["version"] = str( + max(int(tracking.get("version", 0)), int(hx[-1]["number"])) + ) + else: + tracking["version"] = "1" + if not tracking.get("id") or len(tracking.get("id")) == 0: + LOG.info("No tracking id, generating one.") + tracking["id"] = f"{dt}_v{tracking['version']}" + if (tracking["initial_release_date"]) > (tracking["current_release_date"]): + LOG.warning( + "Your initial release date is later than the current release date." + ) + tracking["revision"] = hx + tracking["status"] = status + return tracking + + +def import_product_tree(tree): + """ + Set the product tree by loading it from a file. + + Parameters: + tree (dict): The dictionary representing the tree. + + Returns: + dict: The product tree loaded from the file, or None if file is empty. + """ + product_tree = None + if len(tree["easy_import"]) > 0: + try: + with open(tree["easy_import"], "r") as f: + product_tree = json.load(f) + except JSONDecodeError: + LOG.warning( + "Unable to load product tree file. Please verify that your " + "product tree is a valid json file. Visit " + "https://github.com/owasp-dep-scan/dep-scan/blob/master/test" + "/data/product_tree.json for an example." + ) + except FileNotFoundError: + LOG.warning( + "Cannot locate product tree at %s. Please verify you " + "have entered the correct filepath in your csaf.toml.", + tree["easy_import"], + ) + return product_tree + + +def parse_toml(metadata): + """ + Parses the given metadata in TOML format and generates an output dictionary. + + Args: + metadata (dict): A dictionary containing the metadata in TOML format. + + Returns: + dict: The generated output dictionary. + + Raises: + Exception: If the 'product_tree' entry is missing in the TOML file. + Exception: If the 'initial_release_date' is later than the + 'current_release_date'. 
+ """ + tracking = parse_revision_history(metadata.get("tracking")) + refs = [] + [refs.append(v) for v in metadata.get("reference")] + notes = [] + [notes.append(v) for v in metadata.get("note")] + product_tree = import_product_tree(metadata["product_tree"]) + return { + "document": { + "aggregate_severity": {}, + "category": metadata["document"]["category"], + "title": metadata["document"]["title"] or "Test", + "csaf_version": "2.0", + "distribution": metadata.get("distribution"), + "lang": "en", + "notes": notes, + "publisher": { + "category": metadata["publisher"]["category"], + "contact_details": metadata["publisher"].get("contact_details"), + "name": metadata["publisher"]["name"], + "namespace": metadata["publisher"]["namespace"], + }, + "references": refs, + "tracking": tracking, + }, + "product_tree": product_tree, + "vulnerabilities": [], + } + + +def export_csaf(results, src_dir, reports_dir): + """ + Generates a CSAF JSON template from the given results. + + Parameters: + results (list): A list of results obtained from the analysis. + src_dir (str): The source directory. + reports_dir (str): The reports directory. 
+ + Returns: + None + """ + toml_file_path = os.path.join(src_dir, "csaf.toml") + metadata = import_csaf_toml(toml_file_path) + template = parse_toml(metadata) + agg_score = set() + severity_ref = { + "CRITICAL": 1, + "HIGH": 2, + "MEDIUM": 3, + "LOW": 4, + } + for r in results: + c = CsafOccurence(r) + new_vuln = c.to_dict() + template["vulnerabilities"].append(new_vuln) + agg_score.add(severity_ref.get(c.severity)) + if agg_score := list(agg_score): + agg_score.sort() + severity_ref = {v: k for k, v in severity_ref.items()} + agg_severity = ( + severity_ref[agg_score[0]][0] + + severity_ref[agg_score[0]][1:].lower() + ) + template["document"]["aggregate_severity"]["text"] = agg_severity + new_results = cleanup_dict(template) + metadata["tracking"] = deepcopy(new_results["document"]["tracking"]) + # Reset the id if it's one we've generated + if re.match( + r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}_v", metadata["tracking"]["id"] + ): + metadata["tracking"]["id"] = "" + outfile = os.path.join( + reports_dir, + f"csaf_v{new_results['document']['tracking']['version']}.json", + ) + json.dump(new_results, open(outfile, "w"), indent=4) + LOG.info("CSAF report written to %s", outfile) + write_toml(toml_file_path, metadata) + + +def import_csaf_toml(toml_file_path): + """ + Reads the contents of the "csaf.toml" file, parses it as TOML, and converts + it to JSON format. + + Returns: + dict: A dictionary containing the parsed contents of the csaf.toml + + Raises: + TOMLDecodeError: If the TOML file contains duplicate keys or is invalid. + """ + try: + with open(toml_file_path, "r") as f: + try: + return toml.load(f) + except toml.TomlDecodeError: + LOG.error( + "Invalid TOML. Please make sure you do not have any " + "duplicate keys and that any filepaths are properly escaped" + "if using Windows." 
+ ) + exit(1) + except FileNotFoundError: + write_toml(toml_file_path) + return import_csaf_toml(toml_file_path) + + +def write_toml(toml_file_path, metadata=None): + """ + Retrieves the TOML template file from the given URL and saves it to the + specified file name. + + Parameters: + toml_file_path (str): The filepath to save the TOML template to. + + metadata (dict): A dictionary containing the TOML metadata. + + """ + if not metadata: + metadata = TOML_TEMPLATE + metadata["depscan_version"] = get_version() + with open(toml_file_path, "w") as f: + toml.dump(metadata, f) + LOG.info("The csaf.toml has been updated at %s", toml_file_path) + + +def cleanup_list(d): + """ + Removes empty entries from the input list + + Parameters: + - d (list): The input list to be cleaned up. + + Returns: + - new_lst (list): The cleaned up list, containing only valid entries from + the input list. + """ + new_lst = [] + for i in range(len(d)): + if isinstance(d[i], dict): + if entry := cleanup_dict(d[i]): + new_lst.append(entry) + elif isinstance(d[i], str): + new_lst.append(d[i]) + return new_lst + + +def cleanup_dict(d): + """ + Cleans up a dictionary by removing empty or None values recursively. + + Parameters: + - d (dict): The dictionary to be cleaned up. + + Returns: + - dict or None: The cleaned up dictionary. If the resulting dictionary is + empty, returns None. + """ + new_dict = {} + for key, value in d.items(): + entry = None + if value and str(value) != "": + if isinstance(value, list): + entry = cleanup_list(value) + elif isinstance(value, dict): + entry = cleanup_dict(value) + else: + entry = value + if entry: + new_dict[key] = entry + return new_dict diff --git a/pyproject.toml b/pyproject.toml index e3db16cb..ff82ac74 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -1,17 +1,18 @@
 [project]
 name = "owasp-depscan"
-version = "4.2.9"
+version = "4.5.0"
 description = "Fully open-source security audit for project dependencies based on known vulnerabilities and advisories."
 authors = [
 {name = "Team AppThreat", email = "cloud@appthreat.com"},
 ]
 dependencies = [
- "appthreat-vulnerability-db>=5.4.2",
+ "appthreat-vulnerability-db>=5.5.1",
 "defusedxml",
 "oras",
 "PyYAML",
 "rich",
 "quart",
+ "toml",
 ]
 requires-python = ">=3.8"
diff --git a/test/data/product_tree.json b/test/data/product_tree.json
new file mode 100644
index 00000000..9dba39d1
--- /dev/null
+++ b/test/data/product_tree.json
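Review bot: The new `toml` entry in `dependencies` carries no version constraint, unlike `appthreat-vulnerability-db>=5.5.1` a few lines above, so resolver output is not reproducible and a future release could change the `toml.load`/`toml.dump`/`toml.TomlDecodeError` surface the new CSAF module in this commit depends on. A lower bound matching the version the code was tested against, `"toml>=<minimum tested version>",`, keeps installs predictable without blocking compatible upgrades. Note that the standard-library `tomllib` available from Python 3.11 only parses TOML and has no writer, so it would not replace the `toml.dump` path on its own while `requires-python = ">=3.8"` is in effect.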
@@ -0,0 +1,260 @@
+{ "product_tree": {
+ "branches": [
+ {
+ "branches": [
+ {
+ "branches": [
+ {
+ "category": "product_name",
+ "name": "Red Hat Enterprise Linux Server AUS (v. 7.6)",
+ "product": {
+ "name": "Red Hat Enterprise Linux Server AUS (v. 7.6)",
+ "product_id": "7Server-7.6.AUS",
+ "product_identification_helper": {
+ "cpe": "cpe:/o:redhat:rhel_aus:7.6::server"
+ }
+ }
+ },
+ {
+ "category": "product_name",
+ "name": "Red Hat Enterprise Linux Server E4S (v. 7.6)",
+ "product": {
+ "name": "Red Hat Enterprise Linux Server E4S (v. 7.6)",
+ "product_id": "7Server-7.6.E4S",
+ "product_identification_helper": {
+ "cpe": "cpe:/o:redhat:rhel_e4s:7.6::server"
+ }
+ }
+ },
+ {
+ "category": "product_name",
+ "name": "Red Hat Enterprise Linux Server TUS (v. 7.6)",
+ "product": {
+ "name": "Red Hat Enterprise Linux Server TUS (v. 7.6)",
+ "product_id": "7Server-7.6.TUS",
+ "product_identification_helper": {
+ "cpe": "cpe:/o:redhat:rhel_tus:7.6::server"
+ }
+ }
+ }
+ ],
+ "category": "product_family",
+ "name": "Red Hat Enterprise Linux"
+ },
+ {
+ "branches": [
+ {
+ "category": "product_version",
+ "name": "telnet-1:0.17-65.el7_6.src",
+ "product": {
+ "name": "telnet-1:0.17-65.el7_6.src",
+ "product_id": "telnet-1:0.17-65.el7_6.src"
+ }
+ }
+ ],
+ "category": "architecture",
+ "name": "src"
+ },
+ {
+ "branches": [
+ {
+ "category": "product_version",
+ "name": "telnet-1:0.17-65.el7_6.x86_64",
+ "product": {
+ "name": "telnet-1:0.17-65.el7_6.x86_64",
+ "product_id": "telnet-1:0.17-65.el7_6.x86_64"
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "telnet-debuginfo-1:0.17-65.el7_6.x86_64",
+ "product": {
+ "name": "telnet-debuginfo-1:0.17-65.el7_6.x86_64",
+ "product_id": "telnet-debuginfo-1:0.17-65.el7_6.x86_64"
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "telnet-server-1:0.17-65.el7_6.x86_64",
+ "product": {
+ "name": "telnet-server-1:0.17-65.el7_6.x86_64",
+ "product_id": "telnet-server-1:0.17-65.el7_6.x86_64"
+ }
+ }
+ ],
+ "category": "architecture",
+ "name": "x86_64"
+ },
+ {
+ "branches": [
+ {
+ "category": "product_version",
+ "name": "telnet-1:0.17-65.el7_6.ppc64le",
+ "product": {
+ "name": "telnet-1:0.17-65.el7_6.ppc64le",
+ "product_id": "telnet-1:0.17-65.el7_6.ppc64le"
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "telnet-debuginfo-1:0.17-65.el7_6.ppc64le",
+ "product": {
+ "name": "telnet-debuginfo-1:0.17-65.el7_6.ppc64le",
+ "product_id": "telnet-debuginfo-1:0.17-65.el7_6.ppc64le"
+ }
+ },
+ {
+ "category": "product_version",
+ "name": "telnet-server-1:0.17-65.el7_6.ppc64le",
+ "product": {
+ "name": "telnet-server-1:0.17-65.el7_6.ppc64le",
+ "product_id": "telnet-server-1:0.17-65.el7_6.ppc64le"
+ }
+ }
+ ],
+ "category": "architecture",
+ "name": "ppc64le"
+ }
+ ],
+ "category": "vendor",
+ "name": "Red Hat"
+ }
+ ],
+ "relationships": [
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "telnet-1:0.17-65.el7_6.src as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)",
+ "product_id": "7Server-7.6.AUS:telnet-1:0.17-65.el7_6.src"
+ },
+ "product_reference": "telnet-1:0.17-65.el7_6.src",
+ "relates_to_product_reference": "7Server-7.6.AUS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "telnet-1:0.17-65.el7_6.x86_64 as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)",
+ "product_id": "7Server-7.6.AUS:telnet-1:0.17-65.el7_6.x86_64"
+ },
+ "product_reference": "telnet-1:0.17-65.el7_6.x86_64",
+ "relates_to_product_reference": "7Server-7.6.AUS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "telnet-debuginfo-1:0.17-65.el7_6.x86_64 as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)",
+ "product_id": "7Server-7.6.AUS:telnet-debuginfo-1:0.17-65.el7_6.x86_64"
+ },
+ "product_reference": "telnet-debuginfo-1:0.17-65.el7_6.x86_64",
+ "relates_to_product_reference": "7Server-7.6.AUS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "telnet-server-1:0.17-65.el7_6.x86_64 as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)",
+ "product_id": "7Server-7.6.AUS:telnet-server-1:0.17-65.el7_6.x86_64"
+ },
+ "product_reference": "telnet-server-1:0.17-65.el7_6.x86_64",
+ "relates_to_product_reference": "7Server-7.6.AUS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "telnet-1:0.17-65.el7_6.ppc64le as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)",
+ "product_id": "7Server-7.6.E4S:telnet-1:0.17-65.el7_6.ppc64le"
+ },
+ "product_reference": "telnet-1:0.17-65.el7_6.ppc64le",
+ "relates_to_product_reference": "7Server-7.6.E4S"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "telnet-1:0.17-65.el7_6.src as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)",
+ "product_id": "7Server-7.6.E4S:telnet-1:0.17-65.el7_6.src"
+ },
+ "product_reference": "telnet-1:0.17-65.el7_6.src",
+ "relates_to_product_reference": "7Server-7.6.E4S"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "telnet-1:0.17-65.el7_6.x86_64 as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)",
+ "product_id": "7Server-7.6.E4S:telnet-1:0.17-65.el7_6.x86_64"
+ },
+ "product_reference": "telnet-1:0.17-65.el7_6.x86_64",
+ "relates_to_product_reference": "7Server-7.6.E4S"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "telnet-debuginfo-1:0.17-65.el7_6.ppc64le as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)",
+ "product_id": "7Server-7.6.E4S:telnet-debuginfo-1:0.17-65.el7_6.ppc64le"
+ },
+ "product_reference": "telnet-debuginfo-1:0.17-65.el7_6.ppc64le",
+ "relates_to_product_reference": "7Server-7.6.E4S"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "telnet-debuginfo-1:0.17-65.el7_6.x86_64 as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)",
+ "product_id": "7Server-7.6.E4S:telnet-debuginfo-1:0.17-65.el7_6.x86_64"
+ },
+ "product_reference": "telnet-debuginfo-1:0.17-65.el7_6.x86_64",
+ "relates_to_product_reference": "7Server-7.6.E4S"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "telnet-server-1:0.17-65.el7_6.ppc64le as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)",
+ "product_id": "7Server-7.6.E4S:telnet-server-1:0.17-65.el7_6.ppc64le"
+ },
+ "product_reference": "telnet-server-1:0.17-65.el7_6.ppc64le",
+ "relates_to_product_reference": "7Server-7.6.E4S"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "telnet-server-1:0.17-65.el7_6.x86_64 as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)",
+ "product_id": "7Server-7.6.E4S:telnet-server-1:0.17-65.el7_6.x86_64"
+ },
+ "product_reference": "telnet-server-1:0.17-65.el7_6.x86_64",
+ "relates_to_product_reference": "7Server-7.6.E4S"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "telnet-1:0.17-65.el7_6.src as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)",
+ "product_id": "7Server-7.6.TUS:telnet-1:0.17-65.el7_6.src"
+ },
+ "product_reference": "telnet-1:0.17-65.el7_6.src",
+ "relates_to_product_reference": "7Server-7.6.TUS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "telnet-1:0.17-65.el7_6.x86_64 as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)",
+ "product_id": "7Server-7.6.TUS:telnet-1:0.17-65.el7_6.x86_64"
+ },
+ "product_reference": "telnet-1:0.17-65.el7_6.x86_64",
+ "relates_to_product_reference": "7Server-7.6.TUS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "telnet-debuginfo-1:0.17-65.el7_6.x86_64 as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)",
+ "product_id": "7Server-7.6.TUS:telnet-debuginfo-1:0.17-65.el7_6.x86_64"
+ },
+ "product_reference": "telnet-debuginfo-1:0.17-65.el7_6.x86_64",
+ "relates_to_product_reference": "7Server-7.6.TUS"
+ },
+ {
+ "category": "default_component_of",
+ "full_product_name": {
+ "name": "telnet-server-1:0.17-65.el7_6.x86_64 as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)",
+ "product_id": "7Server-7.6.TUS:telnet-server-1:0.17-65.el7_6.x86_64"
+ },
+ "product_reference": "telnet-server-1:0.17-65.el7_6.x86_64",
+ "relates_to_product_reference": "7Server-7.6.TUS"
+ }
+ ]
+ }}
\ No newline at end of file
diff --git a/test/test_csaf.py b/test/test_csaf.py
new file mode 100644
index 00000000..d086eb06
--- /dev/null
+++ b/test/test_csaf.py
@@ -0,0 +1,537 @@
+import os.path
+
+from depscan.lib.csaf import (
+ CsafOccurence,
+ format_references,
+ import_csaf_toml,
+ parse_cwe,
+ get_product_status,
+ get_ref_summary,
+ parse_cvss,
+ parse_revision_history,
+ cleanup_list,
+ cleanup_dict,
+ parse_toml,
+)
+
+
+def test_parse_revision_history():
+ # add revision entry w/existing entries when final
+ tracking = {
+ "current_release_date": "2023-10-03T00:21:34.713557",
+ "id": "ID",
+ "initial_release_date": "2022-09-22T20:54:06.186927",
+ "status": "final",
+ "version": "2",
+ "revision": [
+ {
+ "date": "2023-10-02T23:50:07.457263",
+ "number": "2",
+ "summary": "Update",
+ },
+ {
+ "date": "2022-09-22T20:54:06.186927",
+ "number": "1",
+ "summary": "Initial",
+ },
+ ],
+ }
+ assert parse_revision_history(tracking) == {
+ "current_release_date": "2023-10-03T00:21:34",
+ "id": "ID",
+ "initial_release_date": "2022-09-22T20:54:06.186927",
+ "revision": [
+ {
+ "date": "2022-09-22T20:54:06.186927",
+ "number": "1",
+ "summary": "Initial",
+ },
+ {
+ "date": "2023-10-02T23:50:07.457263",
+ "number": "2",
+ "summary": "Update",
+ },
+ {"date": "2023-10-03T00:21:34", "number": "3", "summary": "Update"},
+ ],
+ "status": "final",
+ "version": "3",
+ }
+ # add revision entry w/no existing entries when final
+ tracking = {
+ "current_release_date": "2022-09-22T20:54:06.186927",
+ "id": "ID",
+ "initial_release_date": "2022-09-22T20:54:06.186927",
+ "status": "final",
+ "version": "",
+ "revision": [],
+ }
+ assert parse_revision_history(tracking) == {
+ "current_release_date": "2022-09-22T20:54:06",
+ "id": "ID",
+ "initial_release_date": "2022-09-22T20:54:06",
+ "revision": [
+ {"date": "2022-09-22T20:54:06", "number": "1", "summary": "Initial"}
+ ],
+ "status": "final",
+ "version": "1",
+ }
+ # do not add when status is not final
+ tracking = {
+ "current_release_date": "2023-10-03T00:21:34.713557",
+ "id": "ID",
+ "initial_release_date": "2022-09-22T20:54:06.186927",
+ "status": "draft",
+ "version": "2",
+ "revision": [
+ {
+ "date": "2022-09-22T20:54:06.186927",
+ "number": "1",
+ "summary": "Initial",
+ }
+ ],
+ }
+
+
+def test_cleanup_list():
+ assert cleanup_list([{}]) == []
+ assert cleanup_list([{"a": "a", "b": "b", "c": ""}]) == [
+ {"a": "a", "b": "b"}
+ ]
+ assert cleanup_list(["test", None]) == ["test"]
+
+
+def test_cleanup_dict():
+ assert cleanup_dict({"test": {"a": []}}) == {}
+ assert cleanup_dict({"test": ""}) == {}
+ assert cleanup_dict({"test": "", "test2": "test2"}) == {"test2": "test2"}
+ assert cleanup_dict({"a": "a", "b": "b", "c": ""}) == {"a": "a", "b": "b"}
+ assert cleanup_dict({"dict": ["test", None]}) == {"dict": ["test"]}
+
+
+def test_get_ref_summary():
+ url = "https://nvd.nist.gov/vuln/detail/cve-2021-1234"
+ assert get_ref_summary(url) == "CVE Record"
+ url = "https://github.com/advisories"
+ assert get_ref_summary(url) == "GitHub Advisory"
+ url = "https://github.com/user/repo/security/advisories"
+ assert get_ref_summary(url) == "GitHub Advisory"
+ url = "https://github.com/user/repo/pull/123"
+ assert get_ref_summary(url) == "GitHub Pull Request"
+ url = "https://github.com/user/repo/commit/123"
+ assert get_ref_summary(url) == "GitHub Commit"
+ url = ""
+ assert get_ref_summary(url) == "Other"
+ url = "https://example.com"
+ assert get_ref_summary(url) == "Other"
+ url = "https://github.com/user/repo/release"
+ assert get_ref_summary(url) == "GitHub Repository Release"
+ url = "https://github.com/user/repo"
+ assert get_ref_summary(url) == "GitHub Repository"
+ url = "https://access.redhat.com/security/cve/CVE-2023-26136"
+ assert get_ref_summary(url) == "CVE Record"
+ url = "https://access.redhat.com/errata/RHSA-2023:5484"
+ assert get_ref_summary(url) == "Red Hat Security Advisory"
+ url = "https://bugzilla.redhat.com/show_bug.cgi?id=2224245"
+ assert get_ref_summary(url) == "Bugzilla"
+
+
+def test_format_references():
+ ref = [
+ "https://access.redhat.com/errata/RHSA-2023:5484",
+ "https://bugzilla.redhat.com/show_bug.cgi?id=2224245",
+ "https://nvd.nist.gov/vuln/detail/cve-2021-1234",
+ "https://github.com/advisories/GHSA-1234-1234-1234",
+ "https://github.com/user/repo/security/advisories/GHSA-5432-5432-5432",
+ "https://github.com/user/repo/pull/123",
+ "https://github.com/user/repo/commit/123",
+ "https://example.com",
+ "https://github.com/user/repo/release",
+ "https://github.com/user/repo",
+ ]
+ [ids, refs] = format_references(ref)
+ assert ids == [
+ {"system_name": "Red Hat Security Advisory", "text": "RHSA-2023:5484"},
+ {"system_name": "Red Hat Bugzilla ID", "text": "2224245"},
+ {"system_name": "GitHub Advisory", "text": "GHSA-1234-1234-1234"},
+ {"system_name": "GitHub Advisory", "text": "GHSA-5432-5432-5432"},
+ ]
+ assert refs == [
+ {
+ "summary": "Red Hat Security Advisory",
+ "url": "https://access.redhat.com/errata/RHSA-2023:5484",
+ },
+ {
+ "summary": "Bugzilla",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2224245",
+ },
+ {
+ "summary": "CVE Record",
+ "url": "https://nvd.nist.gov/vuln/detail/cve-2021-1234",
+ },
+ {
+ "summary": "GitHub Advisory",
+ "url": "https://github.com/advisories/GHSA-1234-1234-1234",
+ },
+ {
+ "summary": "GitHub Advisory",
+ "url": "https://github.com/user/repo/security/advisories/GHSA-5432-5432"
+ "-5432",
+ },
+ {
+ "summary": "GitHub Pull Request",
+ "url": "https://github.com/user/repo/pull/123",
+ },
+ {
+ "summary": "GitHub Commit",
+ "url": "https://github.com/user/repo/commit/123",
+ },
+ {"summary": "Other", "url": "https://example.com"},
+ {
+ "summary": "GitHub Repository Release",
+ "url": "https://github.com/user/repo/release",
+ },
+ {"summary": "GitHub Repository", "url": "https://github.com/user/repo"},
+ ]
+
+
+def test_parse_cwe():
+ assert parse_cwe("['CWE-20', 'CWE-668']") == (
+ {"id": "CWE-20", "name": "Improper Input Validation"},
+ [
+ {
+ "title": "Additional CWE: CWE-668",
+ "audience": "developers",
+ "category": "other",
+ "text": "Exposure of Resource to Wrong Sphere",
+ }
+ ],
+ )
+ assert parse_cwe("CWE-1333") == (
+ {
+ "id": "CWE-1333",
+ "name": "Inefficient Regular Expression Complexity",
+ },
+ [],
+ )
+ assert parse_cwe("") == (None, [])
+ assert parse_cwe("CWE-000") == (None, [])
+
+
+def test_parse_toml():
+ # If running tests using an IDE such as PyCharm, pytest may execute from
+ # the test directory rather than the project root.
+ if os.path.exists(os.path.join(os.getcwd(), "contrib/csaf.toml")):
+ filepath = os.path.join(os.getcwd(), "contrib/csaf.toml")
+ else:
+ filepath = "../contrib/csaf.toml"
+ metadata = import_csaf_toml(filepath)
+ # We don't want a dynamically generated ID
+ metadata["tracking"]["id"] = "1234"
+ parsed_toml = parse_toml(metadata)
+ assert parsed_toml["document"]["category"] == "csaf_vex"
+ assert parsed_toml["document"]["notes"] == [
+ {"audience": "", "category": "", "text": "", "title": ""}
+ ]
+ assert parsed_toml["document"]["publisher"] == {
+ "category": "vendor",
+ "contact_details": "vendor@mcvendorson.com",
+ "name": "Vendor McVendorson",
+ "namespace": "https://appthreat.com",
+ }
+
+
+def test_parse_cvss():
+ res = {
+ "cvss_v3": {
+ "attack_complexity": "LOW",
+ "attack_vector": "NETWORK",
+ "availability_impact": "HIGH",
+ "base_score": 7.5,
+ "impact_score": 7.5,
+ "confidentiality_impact": "NONE",
+ "integrity_impact": "NONE",
+ "privileges_required": "NONE",
+ "scope": "UNCHANGED",
+ "user_interaction": "NONE",
+ "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ },
+ "severity": "HIGH",
+ "id": "CVE-2023-37788",
+ }
+ assert parse_cvss(res) == {
+ "baseScore": 7.5,
+ "attackVector": "NETWORK",
+ "privilegesRequired": "NONE",
+ "userInteraction": "NONE",
+ "scope": "UNCHANGED",
+ "baseSeverity": "HIGH",
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ }
+ res["cvss_v3"]["vector_string"] = ""
+ assert parse_cvss(res) is None
+
+
+def test_get_product_status():
+ assert get_product_status(
+ {
+ "affected_location": {
+ "cpe_uri": "cpe:2.3:a:npm:taffydb:*:*:*:*:*:*:*:*",
+ "package": "taffydb",
+ "version": "<=2.7.3",
+ },
+ "fixed_location": None,
+ },
+ "1089386|taffydb|2.6.2",
+ ) == ("taffydb", {"known_affected": ["taffydb:<=2.7.3"]})
+
+
+def test_csaf_occurence():
+ res = [
+ {
+ "id": "CVE-2019-10790",
+ "problem_type": "['CWE-20', 'CWE-668']",
+ "type": "npm",
+ "severity": "HIGH",
+ "cvss_score": "7.5",
+ "cvss_v3": {
+ "base_score": 7.5,
+ "exploitability_score": 7.5,
+ "impact_score": 7.5,
+ "attack_vector": "NETWORK",
+ "attack_complexity": "LOW",
+ "privileges_required": "NONE",
+ "user_interaction": "REQUIRED",
+ "scope": "UNCHANGED",
+ "confidentiality_impact": "HIGH",
+ "integrity_impact": "HIGH",
+ "availability_impact": "HIGH",
+ "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
+ },
+ "package_issue": {
+ "affected_location": {
+ "cpe_uri": "cpe:2.3:a:npm:taffydb:*:*:*:*:*:*:*:*",
+ "package": "taffydb",
+ "version": "<=2.7.3",
+ },
+ "fixed_location": None,
+ },
+ "short_description": "# TaffyDB can allow access to any data items "
+ "in the DB\nTaffyDB allows attackers to forge "
+ "adding additional properties into user input "
+ "processed by taffy which can allow access to "
+ "any data items in the DB. Taffy sets an "
+ "internal index for each data item in its DB. "
+ "However, it is found that the internal index "
+ "can be forged by adding additional properties "
+ "into user input. If index is found in the "
+ "query, TaffyDB will ignore other query "
+ "conditions and directly return the indexed "
+ "data item. Moreover, the internal index is in "
+ "an easily guessable format (e.g., "
+ "T000002R000001). As such, attackers can use "
+ "this vulnerability to access any data items in "
+ "the DB. **Note:** `taffy` and its successor "
+ "package `taffydb` are not maintained.\nNone",
+ "long_description": None,
+ "related_urls": [],
+ "effective_severity": "HIGH",
+ "source_update_time": "2023-01-30T19:22:18",
+ "source_orig_time": "2020-02-19T16:43:42",
+ "matched_by": "1089386|taffydb|2.6.2",
+ },
+ {
+ "id": "CVE-2023-36665",
+ "problem_type": "CWE-1321",
+ "type": "npm",
+ "severity": "CRITICAL",
+ "cvss_score": "9.8",
+ "cvss_v3": {
+ "base_score": 9.8,
+ "exploitability_score": 9.8,
+ "impact_score": 9.8,
+ "attack_vector": "NETWORK",
+ "attack_complexity": "LOW",
+ "privileges_required": "NONE",
+ "user_interaction": "REQUIRED",
+ "scope": "UNCHANGED",
+ "confidentiality_impact": "CRITICAL",
+ "integrity_impact": "CRITICAL",
+ "availability_impact": "CRITICAL",
+ "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ },
+ "package_issue": {
+ "affected_location": {
+ "cpe_uri": "cpe:2.3:a:npm:protobufjs:*:*:*:*:*:*:*:*",
+ "package": "protobufjs",
+ "version": ">=7.0.0-<7.2.4",
+ },
+ "fixed_location": "7.2.4",
+ },
+ "short_description": "# protobufjs Prototype Pollution "
+ "vulnerability\nprotobuf.js ("
+ "aka protobufjs) 6.10.0 until 6.11.4 and 7.0.0 until 7.2.4 "
+ "allows Prototype Pollution, a different vulnerability than "
+ "CVE-2022-25878. A user-controlled protobuf message can be used "
+ "by an attacker to pollute the prototype of Object.prototype by "
+ "adding and overwriting its data and functions. Exploitation can "
+ "involve: (1) using the function parse to parse protobuf "
+ "messages on the fly, (2) loading .proto files by using "
+ "load/loadSync functions, or (3) providing untrusted input to "
+ "the functions ReflectionObject.setParsedOption and "
+ "util.setProperty. NOTE: this CVE Record is about "
+ "`Object.constructor.prototype. = ...;` whereas "
+ "CVE-2022-25878 was about `Object.__proto__. = "
+ "...;` instead.",
+ "long_description": None,
+ "related_urls": [
+ "https://github.com/markdown-it/markdown-it/security"
+ "/advisories/GHSA-6vfc-qv3f-vr6c",
+ "https://nvd.nist.gov/vuln/detail/CVE-2022-21670",
+ "https://github.com/markdown-it/markdown-it/commit"
+ "/ffc49ab46b5b751cd2be0aabb146f2ef84986101",
+ "https://github.com/markdown-it/markdown-it",
+ ],
+ "effective_severity": "CRITICAL",
+ "source_update_time": "2023-08-15T21:16:36",
+ "source_orig_time": "2023-07-05T15:30:24",
+ "matched_by": "2499923747_2499958328|npm|protobufjs|7.1.2",
+ },
+ ]
+ occs = []
+ for r in res:
+ vuln = CsafOccurence(r)
+ occs.append(vuln)
+ result = []
+ for o in occs:
+ result.append(o.to_dict())
+ assert result == [
+ {
+ "cve": "CVE-2019-10790",
+ "cwe": {"id": "CWE-20", "name": "Improper Input Validation"},
+ "discovery_date": "2020-02-19T16:43:42",
+ "ids": [],
+ "notes": [
+ {
+ "audience": "developers",
+ "category": "other",
+ "text": "Exposure of Resource to Wrong Sphere",
+ "title": "Additional CWE: CWE-668",
+ },
+ {
+ "category": "general",
+ "details": "Vulnerability Description",
+ "text": "# TaffyDB can allow access to any data items in "
+ "the DB "
+ "TaffyDB allows attackers to forge adding additional "
+ "properties into user input processed by taffy which can "
+ "allow access to any data items in the DB. Taffy sets an "
+ "internal index for each data item in its DB. However, it "
+ "is found that the internal index can be forged by adding "
+ "additional properties into user input. If index is found "
+ "in the query, TaffyDB will ignore other query conditions "
+ "and directly return the indexed data item. Moreover, the "
+ "internal index is in an easily guessable format (e.g., "
+ "T000002R000001). As such, attackers can use this "
+ "vulnerability to access any data items in the DB. "
+ "**Note:** `taffy` and its successor package `taffydb` "
+ "are not maintained. None",
+ },
+ ],
+ "product_status": {"known_affected": ["taffydb:<=2.7.3"]},
+ "references": [],
+ "scores": [
+ {
+ "cvss_v3": {
+ "attackVector": "NETWORK",
+ "baseScore": 7.5,
+ "baseSeverity": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L"
+ "/I:L/A:L",
+ "version": "3.1",
+ },
+ "products": ["taffydb"],
+ }
+ ],
+ },
+ {
+ "cve": "CVE-2023-36665",
+ "cwe": {
+ "id": "CWE-1321",
+ "name": "Improperly Controlled Modification of Object "
+ "Prototype Attributes",
+ },
+ "discovery_date": "2023-07-05T15:30:24",
+ "ids": [
+ {
+ "system_name": "GitHub Advisory",
+ "text": "GHSA-6vfc-qv3f-vr6c",
+ }
+ ],
+ "notes": [
+ {
+ "category": "general",
+ "details": "Vulnerability Description",
+ "text": "# protobufjs Prototype Pollution vulnerability "
+ "protobuf.js (aka protobufjs) 6.10.0 until 6.11.4 and "
+ "7.0.0 until 7.2.4 allows Prototype Pollution, a "
+ "different vulnerability than CVE-2022-25878. A "
+ "user-controlled protobuf message can be used by an "
+ "attacker to pollute the prototype of Object.prototype by "
+ "adding and overwriting its data and functions. "
+ "Exploitation can involve: (1) using the function parse "
+ "to parse protobuf messages on the fly, (2) loading "
+ ".proto files by using load/loadSync functions, or (3) "
+ "providing untrusted input to the functions "
+ "ReflectionObject.setParsedOption and util.setProperty. "
+ "NOTE: this CVE Record is about "
+ "`Object.constructor.prototype. = ...;` "
+ "whereas CVE-2022-25878 was about "
+ "`Object.__proto__. = ...;` instead.",
+ }
+ ],
+ "product_status": {
+ "fixed": ["protobufjs:7.2.4"],
+ "known_affected": ["protobufjs:>=7.0.0-<7.2.4"],
+ },
+ "references": [
+ {
+ "summary": "GitHub Advisory",
+ "url": "https://github.com/markdown-it/markdown-it"
+ "/security/advisories/GHSA-6vfc-qv3f-vr6c",
+ },
+ {
+ "summary": "CVE Record",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21670",
+ },
+ {
+ "summary": "GitHub Commit",
+ "url": "https://github.com/markdown-it/markdown-it/commit"
+ "/ffc49ab46b5b751cd2be0aabb146f2ef84986101",
+ },
+ {
+ "summary": "GitHub Repository",
+ "url": "https://github.com/markdown-it/markdown-it",
+ },
+ ],
+ "scores": [
+ {
+ "cvss_v3": {
+ "attackVector": "NETWORK",
+ "baseScore": 9.8,
+ "baseSeverity": "CRITICAL",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H"
+ "/I:H/A:H",
+ "version": "3.1",
+ },
+ "products": ["protobufjs"],
+ }
+ ],
+ },
+ ]
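Review bot: The third case in `test_parse_revision_history` (the `"status": "draft"` tracking dict that closes the function) builds its input and then stops — `parse_revision_history` is never called on it, so the "do not add when status is not final" behaviour announced in the comment is never actually checked; it should end with something like `result = parse_revision_history(tracking)` / `assert result["version"] == "2"` / `assert len(result["revision"]) == 1` (the exact expected dates depend on the timestamp trimming the first two cases show, so confirm against the implementation). Separately, `test_parse_toml` resolves the TOML path from the current working directory with a bare `"../contrib/csaf.toml"` fallback, and `import_csaf_toml` in this same commit responds to a missing file by writing a fresh template and re-reading it, so a run from an unexpected directory either creates a `csaf.toml` at a relative location or fails with an unrelated error rather than reporting the real problem; anchoring on the test module, `filepath = os.path.join(os.path.dirname(__file__), "..", "contrib", "csaf.toml")`, removes both the branch and the side effect. Both `CsafOccurence` fixtures also reuse the same `related_urls` (markdown-it links under a protobufjs CVE), which is harmless for the assertions but worth a one-line comment so a later reader does not take the mismatch for a data error.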