Skip to content

fix: use new platform logic even for only one platform #386

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Sep 17, 2024
Merged

fix: use new platform logic even for only one platform #386

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
a1b6358
test: failing unit test for platform cpe ordering issue
westonsteimel Sep 17, 2024
09f6e80
fix: no longer fall back on single platform
willmurphyscode Sep 17, 2024
cfc8fe5
refactor: remove legacy platform CPE determination logic
westonsteimel Sep 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
148 changes: 148 additions & 0 deletions pkg/process/v5/transformers/nvd/test-fixtures/CVE-2023-45283-platform-cpe-first.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,148 @@
{
"cve": {
"id": "CVE-2023-45283",
"sourceIdentifier": "[email protected]",
"published": "2023-11-09T17:15:08.757",
"lastModified": "2023-12-14T10:15:07.947",
"vulnStatus": "Modified",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The filepath package does not recognize paths with a \\??\\ prefix as special. On Windows, a path beginning with \\??\\ is a Root Local Device path equivalent to a path beginning with \\\\?\\. Paths with a \\??\\ prefix may be used to access arbitrary locations on the system. For example, the path \\??\\c:\\x is equivalent to the more common path c:\\x. Before fix, Clean could convert a rooted path such as \\a\\..\\??\\b into the root local device path \\??\\b. Clean will now convert this to .\\??\\b. Similarly, Join(\\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \\??\\b. Join will now convert this to \\.\\??\\b. In addition, with fix, IsAbs now correctly reports paths beginning with \\??\\ as absolute, and VolumeName correctly reports the \\??\\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \\?, resulting in filepath.Clean(\\?\\c:) returning \\?\\c: rather than \\?\\c:\\ (among other effects). The previous behavior has been restored."
},
{
"lang": "es",
"value": "El paquete filepath no reconoce las rutas con el prefijo \\??\\ como especiales. En Windows, una ruta que comienza con \\??\\ es una ruta de dispositivo local raíz equivalente a una ruta que comienza con \\\\?\\. Se pueden utilizar rutas con un prefijo \\??\\ para acceder a ubicaciones arbitrarias en el sistema. Por ejemplo, la ruta \\??\\c:\\x es equivalente a la ruta más común c:\\x. Antes de la solución, Clean podía convertir una ruta raíz como \\a\\..\\??\\b en la ruta raíz del dispositivo local \\??\\b. Clean ahora convertirá esto a .\\??\\b. De manera similar, Join(\\, ??, b) podría convertir una secuencia aparentemente inocente de elementos de ruta en la ruta del dispositivo local raíz \\??\\b. Unirse ahora convertirá esto a \\.\\??\\b. Además, con la solución, IsAbs ahora informa correctamente las rutas que comienzan con \\??\\ como absolutas, y VolumeName informa correctamente el prefijo \\??\\ como nombre de volumen."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "[email protected]",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
]
},
"weaknesses": [
{
"source": "[email protected]",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-22"
}
]
}
],
"configurations": [
{
"operator": "AND",
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": false,
"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"
}
]
},
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.20.11",
"matchCriteriaId": "C1E7C289-7484-4AA8-A96B-07D2E2933258"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*",
"versionStartIncluding": "1.21.0-0",
"versionEndExcluding": "1.21.4",
"matchCriteriaId": "4E3FC16C-41B2-4900-901F-48BDA3DC9ED2"
}
]
}
]
}
],
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2023/12/05/2",
"source": "[email protected]"
},
{
"url": "https://go.dev/cl/540277",
"source": "[email protected]",
"tags": [
"Issue Tracking",
"Vendor Advisory"
]
},
{
"url": "https://go.dev/cl/541175",
"source": "[email protected]"
},
{
"url": "https://go.dev/issue/63713",
"source": "[email protected]",
"tags": [
"Issue Tracking",
"Vendor Advisory"
]
},
{
"url": "https://go.dev/issue/64028",
"source": "[email protected]"
},
{
"url": "https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY",
"source": "[email protected]",
"tags": [
"Issue Tracking",
"Mailing List",
"Vendor Advisory"
]
},
{
"url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ",
"source": "[email protected]"
},
{
"url": "https://pkg.go.dev/vuln/GO-2023-2185",
"source": "[email protected]",
"tags": [
"Issue Tracking",
"Vendor Advisory"
]
},
{
"url": "https://security.netapp.com/advisory/ntap-20231214-0008/",
"source": "[email protected]"
}
]
}
}
147 changes: 147 additions & 0 deletions pkg/process/v5/transformers/nvd/test-fixtures/CVE-2023-45283-platform-cpe-last.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,147 @@
{
"cve": {
"id": "CVE-2023-45283",
"sourceIdentifier": "[email protected]",
"published": "2023-11-09T17:15:08.757",
"lastModified": "2023-12-14T10:15:07.947",
"vulnStatus": "Modified",
"descriptions": [
{
"lang": "en",
"value": "The filepath package does not recognize paths with a \\??\\ prefix as special. On Windows, a path beginning with \\??\\ is a Root Local Device path equivalent to a path beginning with \\\\?\\. Paths with a \\??\\ prefix may be used to access arbitrary locations on the system. For example, the path \\??\\c:\\x is equivalent to the more common path c:\\x. Before fix, Clean could convert a rooted path such as \\a\\..\\??\\b into the root local device path \\??\\b. Clean will now convert this to .\\??\\b. Similarly, Join(\\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \\??\\b. Join will now convert this to \\.\\??\\b. In addition, with fix, IsAbs now correctly reports paths beginning with \\??\\ as absolute, and VolumeName correctly reports the \\??\\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \\?, resulting in filepath.Clean(\\?\\c:) returning \\?\\c: rather than \\?\\c:\\ (among other effects). The previous behavior has been restored."
},
{
"lang": "es",
"value": "El paquete filepath no reconoce las rutas con el prefijo \\??\\ como especiales. En Windows, una ruta que comienza con \\??\\ es una ruta de dispositivo local raíz equivalente a una ruta que comienza con \\\\?\\. Se pueden utilizar rutas con un prefijo \\??\\ para acceder a ubicaciones arbitrarias en el sistema. Por ejemplo, la ruta \\??\\c:\\x es equivalente a la ruta más común c:\\x. Antes de la solución, Clean podía convertir una ruta raíz como \\a\\..\\??\\b en la ruta raíz del dispositivo local \\??\\b. Clean ahora convertirá esto a .\\??\\b. De manera similar, Join(\\, ??, b) podría convertir una secuencia aparentemente inocente de elementos de ruta en la ruta del dispositivo local raíz \\??\\b. Unirse ahora convertirá esto a \\.\\??\\b. Además, con la solución, IsAbs ahora informa correctamente las rutas que comienzan con \\??\\ como absolutas, y VolumeName informa correctamente el prefijo \\??\\ como nombre de volumen."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "[email protected]",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
]
},
"weaknesses": [
{
"source": "[email protected]",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-22"
}
]
}
],
"configurations": [
{
"operator": "AND",
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.20.11",
"matchCriteriaId": "C1E7C289-7484-4AA8-A96B-07D2E2933258"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*",
"versionStartIncluding": "1.21.0-0",
"versionEndExcluding": "1.21.4",
"matchCriteriaId": "4E3FC16C-41B2-4900-901F-48BDA3DC9ED2"
}
]
},
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": false,
"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"
}
]
}
]
}
],
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2023/12/05/2",
"source": "[email protected]"
},
{
"url": "https://go.dev/cl/540277",
"source": "[email protected]",
"tags": [
"Issue Tracking",
"Vendor Advisory"
]
},
{
"url": "https://go.dev/cl/541175",
"source": "[email protected]"
},
{
"url": "https://go.dev/issue/63713",
"source": "[email protected]",
"tags": [
"Issue Tracking",
"Vendor Advisory"
]
},
{
"url": "https://go.dev/issue/64028",
"source": "[email protected]"
},
{
"url": "https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY",
"source": "[email protected]",
"tags": [
"Issue Tracking",
"Mailing List",
"Vendor Advisory"
]
},
{
"url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ",
"source": "[email protected]"
},
{
"url": "https://pkg.go.dev/vuln/GO-2023-2185",
"source": "[email protected]",
"tags": [
"Issue Tracking",
"Vendor Advisory"
]
},
{
"url": "https://security.netapp.com/advisory/ntap-20231214-0008/",
"source": "[email protected]"
}
]
}
}
Loading
Loading