
VCIO-next: Vulnerability is missing KEV data [was: VCID-3hng-483x-aaar is incomplete] #1532

Closed
DennisClark opened this issue Aug 1, 2024 · 5 comments · Fixed by #1685

Comments

@DennisClark
Member

See https://public.vulnerablecode.io/vulnerabilities/VCID-3hng-483x-aaar?search=CVE-2024-39891

Vulnerability VCID-3hng-483x-aaar shows a relationship to CVE-2024-39891 but there are no Packages and there is no KEV reference to the corresponding entry in the Known Exploited Vulnerabilities Catalog. The KEV was published with the title Twilio Authy Information Disclosure Vulnerability on 2024-07-23. See https://www.cisa.gov/known-exploited-vulnerabilities-catalog

A vulnerability without at least one affected package does not make a lot of sense to me in VCIO.

I am also concerned that we are not keeping KEV data up-to-date. See related #1028 and #1422

@ziadhany
Collaborator

ziadhany commented Aug 2, 2024

@DennisClark

This vulnerability data is linked to the NVD importer, as indicated in the history tab, so I ran the NVD importer locally and obtained the same result:

Fixed by packages (0) 
Affected packages (0)  

This issue seems to be related to how we import data from the NVD. I find it confusing for a vulnerability to lack at least one affected package, but sometimes the description still makes sense.

The improver ran successfully and fetched the KEV data on my computer, so it’s likely that it hasn’t yet run on the server. When was the last update to the server? I think we should wait to merge some pending pull requests before releasing and updating the server.


@DennisClark
Member Author

@ziadhany thanks for investigating this. I agree that "we should wait to merge some pending pull requests before releasing and updating the server."

@DennisClark
Member Author

Here is another example: https://public.vulnerablecode.io/vulnerabilities/VCID-aub5-9vuw-aaah?search=CVE-2024-36971

That CVE, CVE-2024-36971, appears in the KEV https://www.cisa.gov/known-exploited-vulnerabilities-catalog but there is no evidence of that in VCIO.
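A consistency check of the kind this thread is asking for, added here as an example and not VulnerableCode's own code: it indexes a constructed sample of the CISA KEV JSON feed (same field names as the public feed) and flags vulnerability records whose CVE aliases are in KEV but that carry no reference to the catalog. The record layout, the `KEV_CATALOG_URL` constant and the second KEV entry's vendor/product values are assumptions.

```python
import json

# Constructed sample using the field names of the public CISA KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The Twilio Authy entry reproduces the title and date cited in this issue; the
# vendor/product/date of the second entry are placeholders, not real catalog data.
KEV_FEED_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2024-39891", "vendorProject": "Twilio", "product": "Authy",
         "vulnerabilityName": "Twilio Authy Information Disclosure Vulnerability",
         "dateAdded": "2024-07-23"},
        {"cveID": "CVE-2024-36971", "vendorProject": "PLACEHOLDER-VENDOR",
         "product": "PLACEHOLDER-PRODUCT", "vulnerabilityName": "PLACEHOLDER-NAME",
         "dateAdded": "2024-01-01"},
    ],
})

# Assumed: the reference URL a KEV-aware record would carry (the catalog page cited above).
KEV_CATALOG_URL = "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"

# Constructed records in a simplified VCIO-like shape: id, CVE aliases, reference URLs.
SAMPLE_VULNERABILITIES = [
    {"vulnerability_id": "VCID-3hng-483x-aaar", "aliases": ["CVE-2024-39891"],
     "references": ["https://nvd.nist.gov/vuln/detail/CVE-2024-39891"]},
    {"vulnerability_id": "VCID-aub5-9vuw-aaah", "aliases": ["CVE-2024-36971"],
     "references": ["https://nvd.nist.gov/vuln/detail/CVE-2024-36971"]},
    # Constructed record that already carries a KEV reference: must not be flagged.
    {"vulnerability_id": "VCID-example-0001", "aliases": ["CVE-2024-39891"],
     "references": [KEV_CATALOG_URL]},
    # Constructed record whose CVE is not in KEV at all: must not be flagged either.
    {"vulnerability_id": "VCID-example-0002", "aliases": ["CVE-2024-00000"],
     "references": []},
]


def load_kev(feed_json: str) -> dict:
    """Index the KEV feed by CVE id so membership checks are O(1)."""
    return {entry["cveID"]: entry for entry in json.loads(feed_json)["vulnerabilities"]}


def missing_kev_references(vulnerabilities, kev) -> dict:
    """Return {vulnerability_id: [cve ids in KEV]} for records that are listed in
    the KEV catalog through one of their aliases but carry no reference to it."""
    missing = {}
    for vuln in vulnerabilities:
        in_kev = [alias for alias in vuln["aliases"] if alias in kev]
        has_kev_ref = any(KEV_CATALOG_URL in ref for ref in vuln["references"])
        if in_kev and not has_kev_ref:
            missing[vuln["vulnerability_id"]] = in_kev
    return missing
```

Running `missing_kev_references(SAMPLE_VULNERABILITIES, load_kev(KEV_FEED_JSON))` flags exactly the two records discussed in this thread, which is the signal the KEV improver should close.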

@DennisClark
Member Author

@pombredanne pombredanne added 2-next and removed 9-next labels Oct 15, 2024
@pombredanne pombredanne assigned keshav-space and unassigned TG1999 Oct 15, 2024
@pombredanne pombredanne added this to the v35.0.0 - 2-next milestone Oct 15, 2024
@pombredanne pombredanne changed the title VCID-3hng-483x-aaar is incomplete Vulnerability is missing KEV data [was: VCID-3hng-483x-aaar is incomplete] Oct 15, 2024
@keshav-space
Member

keshav-space commented Nov 8, 2024

@TG1999 TG1999 added 3-next and removed 2-next labels Nov 12, 2024
@pombredanne pombredanne changed the title Vulnerability is missing KEV data [was: VCID-3hng-483x-aaar is incomplete] VCIO-next: Vulnerability is missing KEV data [was: VCID-3hng-483x-aaar is incomplete] Dec 23, 2024