
CVE JSON Validation failure of certain CVSS 4 scores #87

Closed
trolldbois opened this issue Jul 1, 2024 · 6 comments · Fixed by #89

Comments

@trolldbois

The attached file was generated with vulnogram.github.io
CVE-0000-1234.json

cvelib fails when trying to validate that file.

import json

from cvelib import cve_api

filename = 'CVE-0000-1234.json'

# Default json.load parses JSON numbers such as 7.1 as binary floats.
with open(filename, 'r') as fp:
    record_data_json = json.load(fp)

try:
    # Validate the record against the bundled CVE JSON 5 schema.
    cve_api.CveRecord.validate(record_data_json, cve_api.CveRecord.Schemas.V5_SCHEMA)
    print('Success')
except cve_api.CveRecordValidationError as e:
    print('Failure - CVSS base score validation error')
    print(e)

A deep dive seems to point to a failure in the jsonschema dependency (see python-jsonschema/jsonschema#1274), where jsonschema fails to validate a number in a range.
The error comes back as "7.1 is not a multiple of 0.1"

@trolldbois
Author

trolldbois commented Jul 1, 2024

The issue has a solution here: python-jsonschema/jsonschema#1274 (comment)

The solution is to load json files with parse_float=decimal.Decimal

trolldbois added a commit to trolldbois/cvelib that referenced this issue Jul 1, 2024
Float values in the JSON schema are used in arithmetic division. They must be loaded as Decimal or the comparison will fail.
see RedHatProductSecurity#87
@trolldbois
Author

trolldbois commented Jul 1, 2024

Deep down, the error boils down to the CVSS v4 baseScore comparison to being a multiple of 0.1:

# jsonschema._keywords:L172
# quotient = instance / dB
# where instance == 7.1 and dB == 0.1
>>> 7.1/0.1
70.99999999999999

This fails the verification (L174) that int(70.9999..) == 70.9999...
And therefore the baseScore in CVSS 4 fails validation.
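The float failure and the parse_float=decimal.Decimal fix side by side, as an added example that is not code from this issue, from cvelib or from jsonschema: is_multiple_of re-implements the quotient test quoted above rather than calling jsonschema, the record text is a constructed minimal fragment, and the fixed path assumes both the score and the 0.1 step are Decimal values.

```python
# Added example (not cvelib or jsonschema code): why 7.1 fails a multipleOf 0.1
# check on binary floats and passes once the JSON is parsed with Decimal.
import json
from decimal import Decimal
from typing import Union

Number = Union[int, float, Decimal]


def is_multiple_of(instance: Number, divisor: Number) -> bool:
    """Mirror of the quotient test described in the issue: the value is a
    multiple of `divisor` when instance / divisor has no fractional part.
    (Reimplementation of the described logic, not jsonschema itself.)"""
    quotient = instance / divisor
    return int(quotient) == quotient


# Constructed minimal fragment in the shape of a CVE record's CVSS v4 metric.
RECORD_TEXT = '{"cvssV4_0": {"version": "4.0", "baseScore": 7.1}}'


def load_base_score(text: str, use_decimal: bool) -> Number:
    """Parse the fragment the default way (float) or with parse_float=Decimal."""
    if use_decimal:
        data = json.loads(text, parse_float=Decimal)
    else:
        data = json.loads(text)
    return data["cvssV4_0"]["baseScore"]


def validate_base_score(text: str, use_decimal: bool) -> bool:
    """Range check plus the multipleOf 0.1 step check, as the schema requires.
    The step is kept in the same numeric type as the score (assumption)."""
    score = load_base_score(text, use_decimal)
    step = Decimal("0.1") if use_decimal else 0.1
    return 0 <= score <= 10 and is_multiple_of(score, step)


if __name__ == "__main__":
    print(7.1 / 0.1)                          # 70.99999999999999 on IEEE-754 doubles
    print(Decimal("7.1") / Decimal("0.1"))    # 71
    print(validate_base_score(RECORD_TEXT, use_decimal=False))  # False
    print(validate_base_score(RECORD_TEXT, use_decimal=True))   # True
```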

@trolldbois
Author

trolldbois commented Jul 3, 2024

On Apr 18, 2024, CVEProject/cve-schema seems to have partially fixed/avoided this problem by changing the cvssv4 schema scoreType to list all decimal values instead of using multipleOf:
CVEProject/cve-schema@84a2b1e

Conclusion: There is a new json schema for cvss v4 https://github.com/CVEProject/cve-schema/blob/84a2b1ed8bf98218a822843e06236c1e91cae0f8/schema/imports/cvss/cvss-v4.0.json that also fixes this problem by removing the usage of multipleOf, therefore avoiding the "float bug"

https://github.com/CVEProject/cve-schema/releases/tag/v5.1.0

@mprpic
Contributor

mprpic commented Jul 8, 2024

Updated to the latest schema files in the linked PR; the 5.1.0 schema that was included in cvelib was I guess still the RC version. I tested the record attached here against the newer schema and it validates correctly.

@trolldbois
Author

@mprpic would it be possible to have a minor release (PyPI) with this fix?
