Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: NVD cpe parser doesn't escape \:'s in product and vendor name #4041

Open
fthdrmzzz opened this issue Apr 17, 2024 · 3 comments
Open

fix: NVD cpe parser doesn't escape \:'s in product and vendor name #4041

fthdrmzzz opened this issue Apr 17, 2024 · 3 comments
Assignees
@fthdrmzzz
Labels
bug Something isn't working

Comments

@fthdrmzzz
Copy link
Contributor

Description

Hello, I think I have noticed a small bug

In nvd_source.py the product data is splitted by :.

 def parse_node(self, node: dict[str, list[dict[str, str]]]) -> list[dict[str, str]]:
        affects_list = []
        if "cpe_match" in node:
            vulnerable_matches = (m for m in node["cpe_match"] if m["vulnerable"])
            for cpe_match in vulnerable_matches:
                cpe_split = cpe_match["cpe23Uri"].split(":") # HERE!!!
                affects = {
                    "vendor": cpe_split[3],
                    "product": cpe_split[4],
                    "version": cpe_split[5],
                }

However, in some cases there is : in the name of the vendor or the product and NVD escapes these :'s by putting a backslash in front. Example here:
image

This results in recording the product as \ in the database. To see it, I have made a simple sql query to the mysql database stored in ~/.cache/cve-bin-tool/cve.db to check and see it:

$ select * from cve_range where product like "\" LIMIT 2;
CVE-2007-4829 | archive\ | \ | tar_project|||1.36||NVD

I don't know what are the effects of this bug on tool's behavior. Maybe it might miss some cve's on binaries that it was supposed to hit.

Please assign me for this.
@fthdrmzzz fthdrmzzz added the bug Something isn't working label Apr 17, 2024
@fthdrmzzz
Copy link
Contributor Author

fthdrmzzz commented Apr 17, 2024
edited
Loading

assign it to me please

@fthdrmzzz fthdrmzzz changed the title fix: [bug description] fix: nvd_source.py doesn't escape \'s in product and vendor name Apr 17, 2024
@fthdrmzzz fthdrmzzz changed the title fix: nvd_source.py doesn't escape \'s in product and vendor name fix: NVD cpe parser doesn't escape \:'s in product and vendor name Apr 17, 2024
@terriko
Copy link
Contributor

terriko commented Apr 17, 2024

good finding, thanks for working on it!

@joydeep049
Copy link
Contributor

Hello @fthdrmzzz
Since you filed the issue and want to work on it, It will most probably be assigned to you. So dw about that.
You can focus on solving the issue
Thanx

fthdrmzzz added a commit to MadriSec/cve-bin-tool that referenced this issue Apr 20, 2024
@fthdrmzzz
fix: parse CPE names correctly intel#4041
292479d 
Signed-off-by: fthdrmzzz <mail.fatih.durmaz@gmail.com>
@fthdrmzzz fthdrmzzz mentioned this issue Apr 20, 2024
Merged
@terriko terriko mentioned this issue Apr 23, 2024
Closed
terriko added a commit that referenced this issue Apr 25, 2024
@fthdrmzzz @terriko
fix: parse CPE names correctly #4041 (#4063)
daea8e4 
Signed-off-by: fthdrmzzz <mail.fatih.durmaz@gmail.com>
Co-authored-by: Terri Oda <terri.oda@intel.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fthdrmzzz fthdrmzzz

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@terriko @fthdrmzzz @joydeep049