Support Advisory Comparison in VulnTotal #1151
❯ vulntotal "pkg:pypi/jinja2@2.4.1" --vers -e github -e vulnerablecode -e safetydb
PURL: pkg:pypi/jinja2@2.4.1
Active DataSources: GITHUB, SAFETYDB, VULNERABLECODE
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| CVE | DATASOURCE | ALIASES | AFFECTED | FIXED | SCORE |
+=================+===============+===============+====================+====================+========+
| CVE-2024-22195 | VULNERABLECOD | CVE-2024- | 2.0 2.0rc1 2.1 | 3.1.3 | 100 |
| | E | 22195 | 2.10 2.10.1 | | |
| | | GHSA-h5c8- | 2.10.2 2.10.3 | | |
| | | rqwp-cp95 | 2.1.1 2.11.0 | | |
| | | | 2.11.1 2.11.2 | | |
| | | | 2.11.3 2.2 2.2.1 | | |
| | | | 2.3 2.3.1 2.4 | | |
| | | | 2.4.1 2.5 2.5.1 | | |
| | | | 2.5.2 2.5.3 | | |
| | | | 2.5.4 2.5.5 2.6 | | |
| | | | 2.7 2.7.1 2.7.2 | | |
| | | | 2.7.3 2.8 2.8.1 | | |
| | | | 2.9 2.9.1 2.9.2 | | |
| | | | 2.9.3 2.9.4 | | |
| | | | 2.9.5 2.9.6 | | |
| | | | 3.0.0 3.0.0a1 | | |
| | | | 3.0.0rc1 3.0.0rc2 | | |
| | | | 3.0.1 3.0.2 | | |
| | | | 3.0.3 3.1.0 | | |
| | | | 3.1.1 3.1.2 | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| | | | vers:pypi/>=2.0rc1 | vers:pypi/3.1.3 | |
| | | | |<=3.1.2 | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| CVE-2024-22195 | SAFETYDB | CVE-2024- | <3.1.3 | | 67 |
| | | 22195 | | | |
| | | pyup.io-64227 | | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| | | | vers:pypi/>=2.0rc1 | [] | |
| | | | |<=3.1.2 | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| CVE-2024-22195 | GITHUB | CVE-2024- | < 3.1.3 | 3.1.3 | 100 |
| | | 22195 | | | |
| | | GHSA-h5c8- | | | |
| | | rqwp-cp95 | | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| | | | vers:pypi/>=2.0rc1 | vers:pypi/3.1.3 | |
| | | | |<=3.1.2 | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| CVE-2020-28493 | VULNERABLECOD | CVE-2020- | 2.0 2.0rc1 2.1 | 2.11.3 | 100 |
| | E | 28493 | 2.10 2.10.1 | | |
| | | GHSA-g3rq- | 2.10.2 2.10.3 | | |
| | | g295-4j3m | 2.1.1 2.11.0 | | |
| | | PYSEC-2021-66 | 2.11.1 2.11.2 | | |
| | | SNYK-PYTHON-J | 2.2 2.2.1 2.3 | | |
| | | INJA2-1012994 | 2.3.1 2.4 2.4.1 | | |
| | | | 2.5 2.5.1 2.5.2 | | |
| | | | 2.5.3 2.5.4 | | |
| | | | 2.5.5 2.6 2.7 | | |
| | | | 2.7.1 2.7.2 | | |
| | | | 2.7.3 2.8 2.8.1 | | |
| | | | 2.9 2.9.1 2.9.2 | | |
| | | | 2.9.3 2.9.4 | | |
| | | | 2.9.5 2.9.6 | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| | | | vers:pypi/>=2.0rc1 | vers:pypi/2.11.3 | |
| | | | |<=2.11.2 | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| CVE-2020-28493 | SAFETYDB | CVE-2020- | <2.11.3 | | 67 |
| | | 28493 | | | |
| | | pyup.io-39525 | | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| | | | vers:pypi/>=2.0rc1 | [] | |
| | | | |<=2.11.2 | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| CVE-2020-28493 | GITHUB | CVE-2020- | < 2.11.3 | 2.11.3 | 100 |
| | | 28493 | | | |
| | | GHSA-g3rq- | | | |
| | | g295-4j3m | | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| | | | vers:pypi/>=2.0rc1 | vers:pypi/2.11.3 | |
| | | | |<=2.11.2 | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| CVE-2019-10906 | VULNERABLECOD | CVE-2019- | 2.0 2.0rc1 2.1 | 2.10.1 | 100 |
| | E | 10906 | 2.10 2.1.1 2.2 | | |
| | | GHSA-462w- | 2.2.1 2.3 2.3.1 | | |
| | | v97r-4m45 | 2.4 2.4.1 2.5 | | |
| | | PYSEC-2019- | 2.5.1 2.5.2 | | |
| | | 217 | 2.5.3 2.5.4 | | |
| | | | 2.5.5 2.6 2.7 | | |
| | | | 2.7.1 2.7.2 | | |
| | | | 2.7.3 2.8 2.8.1 | | |
| | | | 2.9 2.9.1 2.9.2 | | |
| | | | 2.9.3 2.9.4 | | |
| | | | 2.9.5 2.9.6 | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| | | | vers:pypi/>=2.0rc1 | vers:pypi/2.10.1 | |
| | | | |<=2.10 | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| CVE-2019-10906 | SAFETYDB | CVE-2019- | >=0,<2.10.1 | | 67 |
| | | 10906 | | | |
| | | pyup.io-54679 | | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| | | | vers:pypi/>=2.0rc1 | [] | |
| | | | |<=2.10 | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| CVE-2019-10906 | GITHUB | CVE-2019- | < 2.10.1 | 2.10.1 | 100 |
| | | 10906 | | | |
| | | GHSA-462w- | | | |
| | | v97r-4m45 | | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| | | | vers:pypi/>=2.0rc1 | vers:pypi/2.10.1 | |
| | | | |<=2.10 | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| CVE-2016-10745 | VULNERABLECOD | CVE-2016- | 2.0 2.0rc1 2.1 | 2.8.1 | 100 |
| | E | 10745 | 2.1.1 2.2 2.2.1 | | |
| | | GHSA- | 2.3 2.3.1 2.4 | | |
| | | hj2j-77xm- | 2.4.1 2.5 2.5.1 | | |
| | | mc5v | 2.5.2 2.5.3 | | |
| | | PYSEC-2019- | 2.5.4 2.5.5 2.6 | | |
| | | 220 | 2.7 2.7.1 2.7.2 | | |
| | | | 2.7.3 2.8 | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| | | | vers:pypi/>=2.0rc1 | vers:pypi/2.8.1 | |
| | | | |<=2.8 | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| CVE-2016-10745 | SAFETYDB | CVE-2016- | <2.8.1 | | 67 |
| | | 10745 | | | |
| | | pyup.io-47572 | | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| | | | vers:pypi/>=2.0rc1 | [] | |
| | | | |<=2.8 | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| CVE-2016-10745 | GITHUB | CVE-2016- | < 2.8.1 | 2.8.1 | 100 |
| | | 10745 | | | |
| | | GHSA- | | | |
| | | hj2j-77xm- | | | |
| | | mc5v | | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| | | | vers:pypi/>=2.0rc1 | vers:pypi/2.8.1 | |
| | | | |<=2.8 | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| CVE-2014-1402 | VULNERABLECOD | CVE-2014-1402 | 2.0 2.0rc1 2.1 | 2.7.2 | 100 |
| | E | GHSA-8r7q- | 2.1.1 2.2 2.2.1 | | |
| | | cvjq-x353 | 2.3 2.3.1 2.4 | | |
| | | PYSEC-2014-8 | 2.4.1 2.5 2.5.1 | | |
| | | | 2.5.2 2.5.3 | | |
| | | | 2.5.4 2.5.5 2.6 | | |
| | | | 2.7 2.7.1 | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| | | | vers:pypi/>=2.0rc1 | vers:pypi/2.7.2 | |
| | | | |<=2.7.1 | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| CVE-2014-1402 | SAFETYDB | CVE-2014-1402 | <2.7.2 | | 67 |
| | | pyup.io-25866 | | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| | | | vers:pypi/>=2.0rc1 | [] | |
| | | | |<=2.7.1 | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| CVE-2014-1402 | GITHUB | CVE-2014-1402 | < 2.7.2 | 2.7.2 | 100 |
| | | GHSA-8r7q- | | | |
| | | cvjq-x353 | | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| | | | vers:pypi/>=2.0rc1 | vers:pypi/2.7.2 | |
| | | | |<=2.7.1 | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| CVE-2014-0012 | VULNERABLECOD | CVE-2014-0012 | 2.0 2.0rc1 2.1 | 2.7.3 | 100 |
| | E | GHSA-fqh9- | 2.1.1 2.2 2.2.1 | | |
| | | 2qgg-h84h | 2.3 2.3.1 2.4 | | |
| | | PYSEC-2014-82 | 2.4.1 2.5 2.5.1 | | |
| | | | 2.5.2 2.5.3 | | |
| | | | 2.5.4 2.5.5 2.6 | | |
| | | | 2.7 2.7.1 2.7.2 | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| | | | vers:pypi/>=2.0rc1 | vers:pypi/2.7.3 | |
| | | | |<=2.7.2 | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| CVE-2014-0012 | SAFETYDB | CVE-2014-0012 | >=0,<2.7.3 | | 100 |
| | | pyup.io-54674 | | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| | | | vers:pypi/>=2.0rc1 | [] | |
| | | | |<=2.7.2 | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| CVE-2014-0012 | GITHUB | CVE-2014-0012 | < 2.7.2 | 2.7.2 | 0 |
| | | GHSA-fqh9- | | | |
| | | 2qgg-h84h | | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| | | | vers:pypi/>=2.0rc1 | vers:pypi/2.7.2 | |
| | | | |<=2.7.1 | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| CVE-2024-34064 | SAFETYDB | CVE-2024- | <3.1.4 | | 100 |
| | | 34064 | | | |
| | | pyup.io-71591 | | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| | | | vers:pypi/>=2.0rc1 | [] | |
| | | | |<=3.1.3 | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| CVE-2024-34064 | GITHUB | CVE-2024- | < 3.1.4 | 3.1.4 | 100 |
| | | 34064 | | | |
| | | GHSA-h75v- | | | |
| | | 3vvj-5mfj | | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| | | | vers:pypi/>=2.0rc1 | vers:pypi/3.1.4 | |
| | | | |<=3.1.3 | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| CVE-2019-8341 | SAFETYDB | CVE-2019-8341 | >=0 | | NA |
| | | pyup.io-70612 | | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
| | | | vers:pypi/>=2.0rc1 | [] | |
| | | | |<=3.1.4 | | |
+-----------------+---------------+---------------+--------------------+--------------------+--------+
@keshav-space we should merge this soon enough IMHO :)
ack
@keshav-space can you help merge the latest main and then merge?
@keshav-space if this PR is ready to be merged, feel free to merge. If it's WIP feel free to close this and open it once it's ready |
Signed-off-by: Keshav Priyadarshi <[email protected]>
- Add debug flag --vers to display equivalent normalized versions for corresponding native ranges.
- Add debug flag --no-compare to run the CLI without comparison.
- Auto-adjust text table width based on the terminal width.
Signed-off-by: Keshav Priyadarshi <[email protected]>
Looking fine.
Add debug flag --vers to display equivalent normalized versions for corresponding native ranges.
Add debug flag --no-compare to run the CLI without comparison.
Dynamically adjust text table width based on the terminal width.
Minor bug fixes and improvements in existing DataSources.
Bump univers to v30.12.0
Depends on: Support Normalization of VersionRange univers#108
Fixes Version range normalization for range comparison across different DataSources in VulnTotal #1136
Fixes Cluster analysis of advisory fetched from different DataSource in VulnTotal #822
Note: Workflows are failing as aboutcode-org/univers#108 is not yet merged in univers.
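The normalization that `--vers` displays, as an added example that is not VulnTotal's or univers' code: resolve each datasource's native range (SafetyDB's `>=0,<2.7.3`, GitHub's `< 2.7.2`, VulnerableCode's explicit version list) against one known-version list, render it as the bounded `vers:pypi/` range the table prints, and flag the datasource whose affected set differs. The version list is a constructed subset of the releases in the table, the pre-release ordering is a minimal hand-rolled key rather than univers, and the majority-vote agreement rule is my own assumption, not the definition of the SCORE column.

```python
import operator
import re
from collections import Counter

KNOWN = [  # constructed subset of the jinja2 releases listed in the table, enough for the cases below
    "2.0rc1", "2.0", "2.1", "2.1.1", "2.2", "2.2.1", "2.3", "2.3.1", "2.4", "2.4.1",
    "2.5", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6", "2.7", "2.7.1", "2.7.2",
    "2.7.3", "2.8", "2.8.1", "2.10", "2.10.1", "2.11.3", "3.0.0a1", "3.0.0rc1", "3.0.0",
    "3.1.2", "3.1.3", "3.1.4",
]
PRE_RANK = {"a": 0, "b": 1, "rc": 2}
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}
def vkey(version):
    """Sort key: numeric parts first, then a pre-release (a < b < rc) sorts below the final release."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?", version)
    if not m:
        raise ValueError(f"unsupported version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    pre = (0, PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else (1,)
    return (nums, pre)
def affected_from_spec(spec):
    """Resolve a SafetyDB/GitHub-style constraint string ('>=0,<2.7.3', '< 2.7.2') to KNOWN versions."""
    clauses = []
    for part in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|!=|<|>)\s*(\S+)\s*", part)
        if not m:
            raise ValueError(f"unsupported constraint: {part!r}")
        clauses.append((OPS[m.group(1)], vkey(m.group(2))))
    return frozenset(v for v in KNOWN if all(op(vkey(v), bound) for op, bound in clauses))
def affected_from_list(versions):
    """VulnerableCode reports an explicit whitespace-separated list of affected versions."""
    return frozenset(versions.split())
def to_vers(affected):
    """Render an affected set as the bounded vers range the table prints (assumes it is contiguous)."""
    if not affected:
        return "[]"
    ordered = sorted(affected, key=vkey)
    return f"vers:pypi/>={ordered[0]}|<={ordered[-1]}"
def outliers(by_source):
    """Datasources whose affected set differs from the most common one (my own agreement rule)."""
    majority = Counter(by_source.values()).most_common(1)[0][0]
    return sorted(name for name, s in by_source.items() if s != majority)

# CVE-2014-0012 as the three datasources report it in the table; GitHub's range stops one release early.
CVE_2014_0012 = {
    "VULNERABLECODE": affected_from_list("2.0 2.0rc1 2.1 2.1.1 2.2 2.2.1 2.3 2.3.1 2.4 2.4.1 2.5 2.5.1 2.5.2 2.5.3 2.5.4 2.5.5 2.6 2.7 2.7.1 2.7.2"),
    "SAFETYDB": affected_from_spec(">=0,<2.7.3"),
    "GITHUB": affected_from_spec("< 2.7.2"),
}
```

With the CVE-2014-0012 data, `outliers(CVE_2014_0012)` returns `['GITHUB']`, matching the row where GitHub's `< 2.7.2` normalizes to `<=2.7.1` while the other two sources reach `2.7.2`.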