ROX-19862: Add manual entry for CVE-2023-32697 (#1464)

stackrox · Apr 9, 2024 · ddb1423 · ddb1423
1 parent 80fe4c5
commit ddb1423
Show file tree

Hide file tree

Showing 3 changed files with 137 additions and 6 deletions.
diff --git a/e2etests/testcase_test.go b/e2etests/testcase_test.go
@@ -4231,4 +4231,48 @@ All OpenShift Container Platform 4.10 users are advised to upgrade to these upda
 			},
 		},
 	},
+	{
+		image:                   "quay.io/rhacs-eng/qa:sqlite-jdbc-CVE-2023-32697",
+		registry:                "https://quay.io",
+		username:                os.Getenv("QUAY_RHACS_ENG_RO_USERNAME"),
+		password:                os.Getenv("QUAY_RHACS_ENG_RO_PASSWORD"),
+		source:                  "NVD",
+		namespace:               "rhel:9",
+		onlyCheckSpecifiedVulns: true,
+		expectedFeatures: []apiV1.Feature{
+			{
+				Name:          "sqlite-jdbc",
+				VersionFormat: component.JavaSourceType.String(),
+				Version:       "3.41.2.1",
+				Location:      "sqlite-jdbc-3.41.2.1.jar",
+				Vulnerabilities: []apiV1.Vulnerability{
+					{
+						Name:        "CVE-2023-32697",
+						Description: "SQLite JDBC is a library for accessing and creating SQLite database files in Java. Sqlite-jdbc addresses a remote code execution vulnerability via JDBC URL. This issue impacting versions 3.6.14.1 through 3.41.2.1 and has been fixed in version 3.41.2.2.\n",
+						Link:        "https://nvd.nist.gov/vuln/detail/CVE-2023-32697",
+						Severity:    "Critical",
+						FixedBy:     "3.41.2.2",
+						Metadata: map[string]interface{}{
+							"NVD": map[string]interface{}{
+								"CVSSv2": map[string]interface{}{
+									"ExploitabilityScore": 0.0,
+									"ImpactScore":         0.0,
+									"Score":               0.0,
+									"Vectors":             "",
+								},
+								"CVSSv3": map[string]interface{}{
+									"ExploitabilityScore": 3.9,
+									"ImpactScore":         5.9,
+									"Score":               9.8,
+									"Vectors":             "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+								},
+							},
+						},
+					},
+				},
+				FixedBy: "3.41.2.2",
+				AddedBy: "sha256:65801021513c110642748b4d5462a0e123f0b09077cda2844ef97b05135369a2",
+			},
+		},
+	},
 }
diff --git a/pkg/vulnloader/nvdloader/manual.go b/pkg/vulnloader/nvdloader/manual.go
@@ -1266,4 +1266,72 @@ Subsequent use of the cloned handle that does not explicitly set a source to loa
 	//////////////////////////////////
 	// End HTTP/2 Rapid Reset vulns //
 	//////////////////////////////////
+
+	// CVE-2023-32697 was not being detected for `org.xerial.sqlite-jdbc-3.41.2.1.jar`.
+	// This entry adds an additional CPE URI to enable matching.
+	"CVE-2023-32697": {
+		CVE: &schema.CVEJSON40{
+			CVEDataMeta: &schema.CVEJSON40CVEDataMeta{
+				ASSIGNER: "",
+				ID:       "CVE-2023-32697",
+			},
+			DataFormat:  "",
+			DataType:    "",
+			DataVersion: "",
+			Description: &schema.CVEJSON40Description{
+				DescriptionData: []*schema.CVEJSON40LangString{
+					{
+						Lang:  "en",
+						Value: "SQLite JDBC is a library for accessing and creating SQLite database files in Java. Sqlite-jdbc addresses a remote code execution vulnerability via JDBC URL. This issue impacting versions 3.6.14.1 through 3.41.2.1 and has been fixed in version 3.41.2.2.\n",
+					},
+				},
+			},
+			Problemtype: nil,
+			References:  nil,
+		},
+		Configurations: &schema.NVDCVEFeedJSON10DefConfigurations{
+			CVEDataVersion: "",
+			Nodes: []*schema.NVDCVEFeedJSON10DefNode{
+				{
+					CPEMatch: []*schema.NVDCVEFeedJSON10DefCPEMatch{
+						{
+							Cpe23Uri:              `cpe:2.3:a:sqlite_jdbc_project:sqlite_jdbc:*:*:*:*:*:*:*:*`,
+							VersionEndExcluding:   "3.41.2.2",
+							VersionStartIncluding: "3.6.14.1",
+							Vulnerable:            true,
+						},
+						{
+							Cpe23Uri:              `cpe:2.3:a:xerial:sqlite-jdbc:*:*:*:*:*:*:*:*`,
+							VersionEndExcluding:   "3.41.2.2",
+							VersionStartIncluding: "3.6.14.1",
+							Vulnerable:            true,
+						},
+					},
+					Operator: "OR",
+				},
+			},
+		},
+		Impact: &schema.NVDCVEFeedJSON10DefImpact{
+			BaseMetricV3: &schema.NVDCVEFeedJSON10DefImpactBaseMetricV3{
+				CVSSV3: &schema.CVSSV30{
+					AttackComplexity:      "LOW",
+					AttackVector:          "NETWORK",
+					AvailabilityImpact:    "HIGH",
+					BaseScore:             9.8,
+					BaseSeverity:          "CRITICAL",
+					ConfidentialityImpact: "HIGH",
+					IntegrityImpact:       "HIGH",
+					PrivilegesRequired:    "NONE",
+					Scope:                 "UNCHANGED",
+					UserInteraction:       "NONE",
+					VectorString:          "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+					Version:               "3.1",
+				},
+				ExploitabilityScore: 3.9,
+				ImpactScore:         5.9,
+			},
+		},
+		LastModifiedDate: "2024-04-04T00:00Z",
+		PublishedDate:    "2023-05-23T23:15Z",
+	},
 }
diff --git a/scripts/ci/lib.sh b/scripts/ci/lib.sh
@@ -337,17 +337,24 @@ pr_has_label() {
 
 # get_pr_details() from GitHub and display the result. Exits 1 if not run in CI in a PR context.
 _PR_DETAILS=""
+_PR_DETAILS_CACHE_FILE="/tmp/PR_DETAILS_CACHE.json"
 get_pr_details() {
     local pull_request
     local org
     local repo
 
     if [[ -n "${_PR_DETAILS}" ]]; then
         echo "${_PR_DETAILS}"
-        return
+        return 0
+    fi
+    if [[ -e "${_PR_DETAILS_CACHE_FILE}" ]]; then
+        _PR_DETAILS="$(cat "${_PR_DETAILS_CACHE_FILE}")"
+        echo "${_PR_DETAILS}"
+        return 0
     fi
 
     _not_a_PR() {
+        echo "This does not appear to be a PR context" >&2
         echo '{ "msg": "this is not a PR" }'
         exit 1
     }
@@ -362,29 +369,41 @@ get_pr_details() {
             org=$(jq -r <<<"$CLONEREFS_OPTIONS" '.refs[0].org')
             repo=$(jq -r <<<"$CLONEREFS_OPTIONS" '.refs[0].repo')
         else
-            echo "Expect a JOB_SPEC or CLONEREFS_OPTIONS"
+            echo "Expect a JOB_SPEC or CLONEREFS_OPTIONS" >&2
             exit 2
         fi
         [[ "${pull_request}" == "null" ]] && _not_a_PR
+    elif is_GITHUB_ACTIONS; then
+        pull_request="$(jq -r .pull_request.number "${GITHUB_EVENT_PATH}")" || _not_a_PR
+        [[ "${pull_request}" == "null" ]] && _not_a_PR
+        org="${GITHUB_REPOSITORY_OWNER}"
+        repo="${GITHUB_REPOSITORY#*/}"
     else
-        echo "Expect OpenShift CI"
+        echo "Unsupported CI" >&2
         exit 2
     fi
 
+    local headers url pr_details
+
     headers=()
     if [[ -n "${GITHUB_TOKEN:-}" ]]; then
         headers+=(-H "Authorization: token ${GITHUB_TOKEN}")
     fi
 
     url="https://api.github.com/repos/${org}/${repo}/pulls/${pull_request}"
-    pr_details=$(curl --retry 5 -sS "${headers[@]}" "${url}")
+
+    if ! pr_details=$(curl --retry 5 -sS "${headers[@]}" "${url}"); then
+        echo "Github API error: $pr_details, exit code: $?" >&2
+        exit 2
+    fi
+
     if [[ "$(jq .id <<<"$pr_details")" == "null" ]]; then
         # A valid PR response is expected at this point
-        echo "Invalid response from GitHub: $pr_details"
+        echo "Invalid response from GitHub: $pr_details" >&2
         exit 2
     fi
     _PR_DETAILS="$pr_details"
-    echo "$pr_details"
+    echo "$pr_details" | tee "${_PR_DETAILS_CACHE_FILE}"
 }
 
 GATE_JOBS_CONFIG="$SCRIPTS_ROOT/scripts/ci/gate-jobs-config.json"