ROX-19862: Add manual entry for CVE-2023-32697 #1464
Conversation
@dcaravel can you add your sample image to
requested to add test for this
Excellent idea, will do.
Hrm, failure confuses me, works outside of CI...
/retest
Manual entry not making it into the image, assuming with the PR label the image should have a fresh genesis dump baked in (notice missing additional CPE below):

```sh
docker save quay.io/rhacs-eng/scanner:2.33.x-29-g2dfc5cc703 > img.tar
tar -xvf img.tar
# find layer with `dive`
cd 8707d58bc14c1fa3dd569c241faf81fbfc0b2d5490af5928450200c0bf1a0dea
tar -xvf layer.tar
cd nvd_definitions
```
```json
{
  "cve": {
    "affects": null,
    "CVE_data_meta": {
      "ASSIGNER": "",
      "ID": "CVE-2023-32697"
    },
    "data_format": "",
    "data_type": "",
    "data_version": "",
    "description": {
      "description_data": [
        {
          "lang": "en",
          "value": "SQLite JDBC is a library for accessing and creating SQLite database files in Java. Sqlite-jdbc addresses a remote code execution vulnerability via JDBC URL. This issue impacting versions 3.6.14.1 through 3.41.2.1 and has been fixed in version 3.41.2.2.\n"
        }
      ]
    },
    "problemtype": null,
    "references": null
  },
  "configurations": {
    "CVE_data_version": "",
    "nodes": [
      {
        "cpe_match": [
          {
            "cpe23Uri": "cpe:2.3:a:sqlite_jdbc_project:sqlite_jdbc:*:*:*:*:*:*:*:*",
            "versionEndExcluding": "3.41.2.2",
            "versionStartIncluding": "3.6.14.1",
            "vulnerable": true
          }
        ],
        "operator": "OR"
      }
    ]
  },
  "impact": {
    "baseMetricV3": {
      "cvssV3": {
        "attackComplexity": "LOW",
        "attackVector": "NETWORK",
        "availabilityImpact": "HIGH",
        "baseScore": 9.8,
        "baseSeverity": "CRITICAL",
        "confidentialityImpact": "HIGH",
        "integrityImpact": "HIGH",
        "privilegesRequired": "NONE",
        "scope": "UNCHANGED",
        "userInteraction": "NONE",
        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
      },
      "exploitabilityScore": 3.9,
      "impactScore": 5.9
    }
  },
  "lastModifiedDate": "2023-05-31T18:10Z",
  "publishedDate": "2023-05-23T23:15Z"
}
```
Looks like it made it into the genesis dump (https://github.com/stackrox/scanner/actions/runs/8575012414/artifacts/1389590520)

```json
[
  {
    "cpe_match": [
      {
        "cpe23Uri": "cpe:2.3:a:sqlite_jdbc_project:sqlite_jdbc:*:*:*:*:*:*:*:*",
        "versionEndExcluding": "3.41.2.2",
        "versionStartIncluding": "3.6.14.1",
        "vulnerable": true
      },
      {
        "cpe23Uri": "cpe:2.3:a:xerial:sqlite-jdbc:*:*:*:*:*:*:*:*",
        "versionEndExcluding": "3.41.2.2",
        "versionStartIncluding": "3.6.14.1",
        "vulnerable": true
      }
    ],
    "operator": "OR"
  }
]
```
Hrm, perhaps this is the cause, in
More context:
@BradLugo Seen this before? Looks like this job isn't able to detect the

/retest
pkg/vulnloader/nvdloader/manual.go (Outdated)

```go
LastModifiedDate: "2024-04-04T00:00Z",
PublishedDate:    "2024-04-04T00:00Z",
```
maybe change these to the NVD dates since this CVE was published back in 2023
Updated the published date to be in sync with NVD. `LastModifiedDate` needs to be more recent than the last genesis dump or it will not appear in diff dumps (ran into this before in #1211). In that last PR it was requested to update `PublishedDate` as well, which is why I did that here, but I agree keeping the `PublishedDate` in sync with NVD will be less confusing.
/retest
CVE-2023-32697 was not being detected for `sqlite-jdbc-3.41.2.1.jar` due to an inaccurate CPE URI on the NVD entry. To fix the match a manual entry was created with `cpe:2.3:a:xerial:sqlite-jdbc:*:*:*:*:*:*:*:*` added.

You'll notice some information appears missing when comparing the `updater` output to the NVD page and API, such as references and CWE. This appears to be because the updater omits data that was not provided by NVD, such as other CNAs, in this case GitHub. Consider this while reviewing the PR - if the additional data is used by Scanner / ACS it may be worthwhile adding it, unless there is a reason not to (such as licensing).

JSON output from Scanner updater

Output from:

```sh
./bin/updater generate-dump...
```

JSON output from NVD API

Output from:

```sh
curl -sS -H "apiKey: $NVD_API_KEY" https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2023-32697 | jq
```

Testing

Created image `quay.io/rhacs-eng/qa:sqlite-jdbc-CVE-2023-32697` and added E2E test:

Also verified via the local dev utility

Before adding manual entry:

After adding manual entry and re-running updater:
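As an added example, not the scanner's own code, the following Go program illustrates the two mechanics this PR turns on: the vendor/product and version-range matching that fails against NVD's `sqlite_jdbc_project:sqlite_jdbc` CPE and succeeds once the manual `xerial:sqlite-jdbc` entry is present, and the `LastModifiedDate` rule discussed in the review (a record only reaches a diff dump if it was modified after the last genesis dump). The `CPEMatch`/`Entry` types, `compareVersions`, `Matches` and `InDiffDump` are assumptions written for this example rather than the updater's real implementation; the CPE strings, version bounds and dates are the ones quoted in this thread, and the genesis timestamp `2024-01-01T00:00Z` is a constructed value.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// nvdTime is the layout of the LastModifiedDate/PublishedDate values quoted in this PR.
const nvdTime = "2006-01-02T15:04Z"

// CPEMatch mirrors one "cpe_match" object from the dumps quoted above.
type CPEMatch struct {
	CPE23URI              string
	VersionStartIncluding string
	VersionEndExcluding   string
	Vulnerable            bool
}

// Entry is a hypothetical reduced view of one record: its cpe_match objects (flattened, as every node here uses "OR") and its timestamp.
type Entry struct {
	Matches          []CPEMatch
	LastModifiedDate string
}

// compareVersions orders dotted numeric versions component-wise, so that
// "3.41.2.1" < "3.41.2.2" and "3.6.14" < "3.6.14.1".
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	at := func(p []string, i int) int { // a missing or non-numeric component counts as 0
		if i >= len(p) {
			return 0
		}
		n, _ := strconv.Atoi(p[i])
		return n
	}
	for i := 0; i < len(as) || i < len(bs); i++ {
		if x, y := at(as, i), at(bs, i); x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// Matches compares vendor and product (components 3 and 4 of "cpe:2.3:a:vendor:product:...")
// and checks the version against the explicit range fields, the way the dump above expresses
// the affected range. A plain split suffices here: none of this PR's CPEs contain escaped colons.
func (m CPEMatch) Matches(vendor, product, version string) bool {
	p := strings.Split(m.CPE23URI, ":")
	if !m.Vulnerable || len(p) != 13 || p[3] != vendor || p[4] != product {
		return false
	}
	if m.VersionStartIncluding != "" && compareVersions(version, m.VersionStartIncluding) < 0 {
		return false
	}
	return m.VersionEndExcluding == "" || compareVersions(version, m.VersionEndExcluding) < 0
}

// Affects reports whether any cpe_match in the entry covers the component.
func (e Entry) Affects(vendor, product, version string) bool {
	for _, m := range e.Matches {
		if m.Matches(vendor, product, version) {
			return true
		}
	}
	return false
}

// InDiffDump applies the rule described in the thread: a record only reaches a diff dump
// if its LastModifiedDate is later than the timestamp of the last genesis dump.
func (e Entry) InDiffDump(genesis string) (bool, error) {
	mod, errMod := time.Parse(nvdTime, e.LastModifiedDate)
	gen, errGen := time.Parse(nvdTime, genesis)
	if errMod != nil || errGen != nil {
		return false, fmt.Errorf("bad timestamp: %v %v", errMod, errGen)
	}
	return mod.After(gen), nil
}

// The two states quoted in the thread: NVD's cpe_match alone, and the record after the manual entry was added.
var (
	nvdMatch = CPEMatch{CPE23URI: "cpe:2.3:a:sqlite_jdbc_project:sqlite_jdbc:*:*:*:*:*:*:*:*",
		VersionStartIncluding: "3.6.14.1", VersionEndExcluding: "3.41.2.2", Vulnerable: true}
	manualMatch = CPEMatch{CPE23URI: "cpe:2.3:a:xerial:sqlite-jdbc:*:*:*:*:*:*:*:*",
		VersionStartIncluding: "3.6.14.1", VersionEndExcluding: "3.41.2.2", Vulnerable: true}
	NVDOnly    = Entry{Matches: []CPEMatch{nvdMatch}, LastModifiedDate: "2023-05-31T18:10Z"}
	WithManual = Entry{Matches: []CPEMatch{nvdMatch, manualMatch}, LastModifiedDate: "2024-04-04T00:00Z"}
)

func main() { // sqlite-jdbc-3.41.2.1.jar as vendor/product/version; the genesis timestamp is constructed
	for _, e := range []Entry{NVDOnly, WithManual} {
		inDiff, _ := e.InDiffDump("2024-01-01T00:00Z")
		fmt.Printf("%d cpe_match: affects jar=%v, in diff dump=%v\n", len(e.Matches), e.Affects("xerial", "sqlite-jdbc", "3.41.2.1"), inDiff)
	}
}
```

Running it prints one line per state: with NVD's single cpe_match the jar is not affected and the 2023 date would be skipped by a diff dump taken after a 2024 genesis dump; with the manual entry and the updated `LastModifiedDate` both checks pass, which is the behaviour the E2E test above exercises.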