suppressing duplicate CVE with osv-scanner 1.5.0 & 1.9.1

[krysopath]

I have problems creating suppression entries for CVE's:

my latest version is

osv-scanner version: 1.9.1
commit: b13f37e1a1e4cb98556c1d34cd3256a876929be1
built at: 2024-10-30T23:38:00Z

my gradle.lockfile contains this line:

io.undertow:undertow-core:2.3.16.Final=productionRuntimeClasspath

my suppression.toml contains:

[[IgnoredVulns]]
id = "CVE-2024-7885"
ignoreUntil = 2024-11-15
reason = "https://domain.domain.net/browse/CVE-127"

the related osv db entry is: https://osv.dev/vulnerability/GHSA-9623-mqmm-5rcf

I run the command like so:

$ ./osv-scanner_linux_amd64 scan --lockfile gradle.lockfile
Scanned gradle.lockfile file and found 217 packages
╭─────────────────────────────────────┬──────┬───────────┬────────────────────────────────────┬──────────────┬─────────────────╮
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE                            │ VERSION      │ SOURCE          │
├─────────────────────────────────────┼──────┼───────────┼────────────────────────────────────┼──────────────┼─────────────────┤
│ https://osv.dev/GHSA-9623-mqmm-5rcf │ 8.7  │ Maven     │ io.undertow:undertow-core          │ 2.3.16.Final │ gradle.lockfile │
│ https://osv.dev/GHSA-4gc7-5j7h-4qph │ 5.3  │ Maven     │ org.springframework:spring-context │ 6.1.13       │ gradle.lockfile │
╰─────────────────────────────────────┴──────┴───────────┴────────────────────────────────────┴──────────────┴─────────────────╯


$ ./osv-scanner_linux_amd64 scan --lockfile gradle.lockfile --config suppressions.toml 
Scanned gradle.lockfile file and found 217 packages
CVE-2024-38820 and 1 alias have been filtered out because: https://domain.domain.net/browse/CVE-127
Filtered 1 vulnerability from output
╭─────────────────────────────────────┬──────┬───────────┬───────────────────────────┬──────────────┬─────────────────╮
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE                   │ VERSION      │ SOURCE          │
├─────────────────────────────────────┼──────┼───────────┼───────────────────────────┼──────────────┼─────────────────┤
│ https://osv.dev/GHSA-9623-mqmm-5rcf │ 8.7  │ Maven     │ io.undertow:undertow-core │ 2.3.16.Final │ gradle.lockfile │
╰─────────────────────────────────────┴──────┴───────────┴───────────────────────────┴──────────────┴─────────────────╯

The content of suppressions.toml:

[[IgnoredVulns]]
id = "CVE-2024-38821"
ignoreUntil = 2024-11-15
reason = "https://domain.domain.net/browse/CVE-127"

[[IgnoredVulns]]
id = "CVE-2024-7885"
ignoreUntil = 2024-11-15
reason = "https://domain.domain.net/browse/CVE-127"

[[IgnoredVulns]]
id = "CVE-2024-38820"
ignoreUntil = 2024-11-15
reason = "https://domain.domain.net/browse/CVE-127"

[krysopath]

After more investigation I found the reason was duplicate cve id, where he first one was expired. I did not post full files for security reason..

I had expected that osv-scanner checks for uniqueness. I found that by creating this code that lints the toml file:

package main

import (
	"flag"
	"fmt"
	"io/ioutil"
	"log"
	"time"

	"github.com/BurntSushi/toml"
)

type SuppressedVulnerability struct {
	ID          string    `toml:"id"`
	Reason      string    `toml:"reason"`
	IgnoreUntil time.Time `toml:"ignoreUntil"`
}

var (
	suppressedVulns map[string][]SuppressedVulnerability
	filePath        *string
)

func validateSuppressedVulns(sv map[string][]SuppressedVulnerability) (error, []string) {
	var errors []string // Slice to hold error messages
	now := time.Now()
	seenIDs := make(map[string]bool) // Track IDs we've encountered

	for key, vulnerabilities := range sv {
		for _, v := range vulnerabilities {
			if v.ID == "" {
				errors = append(errors, fmt.Sprintf("empty ID for %s", key))
			}
			if v.Reason == "" {
				errors = append(errors, fmt.Sprintf("empty Reason for %s", v.ID))
			}
			if !v.IgnoreUntil.IsZero() && v.IgnoreUntil.Before(now) {
				errors = append(errors, fmt.Sprintf("IgnoreUntil %s is in the past for %s", v.IgnoreUntil, v.ID))
			}
			if seenIDs[v.ID] {
				errors = append(errors, fmt.Sprintf("duplicate ID %s found", v.ID)) // Collect duplicate ID error
			}
			seenIDs[v.ID] = true // Mark this ID as seen
		}
	}

	if len(errors) > 0 {
		return fmt.Errorf("validation failed with %d errors", len(errors)), errors
	}

	return nil, nil
}

func init() {
	filePath = flag.String("file", "", "Path to the suppression file")
	flag.Parse()
}

func main() {
	if *filePath == "" {
		log.Fatal("Please provide a file path using the -file flag")
	}
	data, err := ioutil.ReadFile(*filePath)
	if err != nil {
		log.Fatalf("Error reading suppression file: %v", err)
	}
	err = toml.Unmarshal(data, &suppressedVulns)
	if err != nil {
		log.Fatalf("Error unmarshalling suppression file: %v", err)
	}
	if err, all := validateSuppressedVulns(suppressedVulns); err != nil {
		for _, e := range all {
			log.Printf("Error: %v\n", e)
		}
		log.Fatalf("Error Validating suppressions: %v", err)
	}
	fmt.Println("OK")
}

Maybe this still counts as a input validation bug for osv-scanner. We discussed internally, we all had expected an error in he case of duplicate CVE id.

So leave it open for you to decide if it is user error. <3

[another-rex]

@G-Rath Can you take a look at adding validation for duplicate config entries when you have time?