Compute all transitive aliases for OSV entries #1569

Closed
fingeromer opened this issue Aug 19, 2023 · 5 comments
Labels
data quality Issues with data quality

Comments

@fingeromer

It seems like when I search CVE-2023-36258 I get two results, PYSEC & GHSA:
image

but when I search in the API:

```json
{
    "package": {
        "purl": "pkg:pypi/langchain@0.0.266"
    }
}
```

I got only the PYSEC entry:

```json
{
    "id": "PYSEC-2023-98",
    "details": "An issue in langchain v.0.0.199 allows an attacker to execute arbitrary code via the PALChain in the python exec method.",
    "aliases": [
        "CVE-2023-36258"
    ],
    "modified": "2023-08-18T15:49:49.212164Z",
    "published": "2023-07-03T21:15:00Z",
    "references": [
        {
            "type": "REPORT",
            "url": "https://github.com/hwchase17/langchain/issues/5872"
        }
    ],
    "affected": [
        {
            "package": {
                "name": "langchain",
                "ecosystem": "PyPI",
                "purl": "pkg:pypi/langchain"
            },
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "versions": [
                "0.0.1",
                "0.0.10",
                "0.0.100",
                "0.0.101",
                ...
            ],
            "database_specific": {
                "source": "https://github.com/pypa/advisory-database/blob/main/vulns/langchain/PYSEC-2023-98.yaml"
            }
        }
    ]
}
```

It means a lot because it seems like for langchain the vulnerabilities in PYSEC are never fixed:
image

While in GHSA they are (or at least include the 'last affected version'):
image

@andrewpollock andrewpollock added the data quality Issues with data quality label Aug 20, 2023
@andrewpollock (Contributor)

In-progress assessment:

PYSEC-2023-98

```shell
$ GET https://api.osv.dev/v1/vulns/PYSEC-2023-98 | jq .affected[].package
{
  "name": "langchain",
  "ecosystem": "PyPI",
  "purl": "pkg:pypi/langchain"
}
$ GET https://api.osv.dev/v1/vulns/PYSEC-2023-98 | jq .affected[].ranges
[
  {
    "type": "ECOSYSTEM",
    "events": [
      {
        "introduced": "0"
      }
    ]
  }
]
$ GET https://api.osv.dev/v1/vulns/PYSEC-2023-98 | jq .affected[].versions | grep 0.0.266
  "0.0.266",
```

GHSA-2qmj-7962-cjq8

```shell
$ GET https://api.osv.dev/v1/vulns/GHSA-2qmj-7962-cjq8 | jq .affected[].package
{
  "name": "langchain",
  "ecosystem": "PyPI",
  "purl": "pkg:pypi/langchain"
}
$ GET https://api.osv.dev/v1/vulns/GHSA-2qmj-7962-cjq8 | jq .affected[].ranges
[
  {
    "type": "ECOSYSTEM",
    "events": [
      {
        "introduced": "0"
      },
      {
        "last_affected": "0.0.222"
      }
    ]
  }
]
$ GET https://api.osv.dev/v1/vulns/GHSA-2qmj-7962-cjq8 | jq .affected[].versions | grep 0.0.266
```

On the face of it, this looks like it may be incomplete version enumeration for GHSA-2qmj-7962-cjq8, but further investigation is required.

@another-rex (Contributor) commented Aug 21, 2023

Can you clarify what the mismatch is?

This seems like an issue with GHSA not updating the last_affected field they publish, assuming this would be fixed in the newer releases.

The API only returns the PYSEC entry, since 0.0.222 < 0.0.266, so according to the GHSA entry, 0.0.266 is not affected.
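The following is an added worked example, not code from osv.dev or from either commenter, showing why the API result looks the way it does: it applies the OSV schema's ECOSYSTEM range rules (`introduced` opens an interval, the next `fixed` closes it exclusively, `last_affected` closes it inclusively, an unclosed `introduced` is open-ended) to the two entries quoted in the assessment above and checks 0.0.266 against each. It goes beyond the page by also handling `fixed` events. The version comparator is a deliberate simplification (plain dotted numbers, not full PEP 440), and the PYSEC `versions` list is a truncated excerpt of the one quoted in the first comment.

```python
"""Which OSV advisories match a given package version?

Added example, not code from osv.dev or from the issue participants.
OSV ECOSYSTEM range semantics: a version is affected when it is at or
after an `introduced` event and either before the next `fixed` event
(exclusive) or at or before a `last_affected` event (inclusive); an
`introduced` event with no closing event is open-ended ("0" means from
the first release). An explicit `versions` list also marks a version as
affected.
"""
from __future__ import annotations


def parse_version(text: str) -> tuple[int, ...]:
    # Assumption: plain dotted numeric versions such as "0.0.266". This is
    # deliberately NOT a full PEP 440 comparator (no pre-release, post or
    # local segments); production tooling should use packaging.version.
    return tuple(int(part) for part in text.split("."))


def range_affected(events: list[dict[str, str]], version: str) -> bool:
    """Evaluate one ECOSYSTEM event list against a concrete version."""
    target = parse_version(version)
    lower: tuple[int, ...] | None = None  # lower bound of the interval currently open
    for event in events:
        if "introduced" in event:
            lower = parse_version(event["introduced"])
        elif "fixed" in event:
            if lower is not None and lower <= target < parse_version(event["fixed"]):
                return True
            lower = None
        elif "last_affected" in event:
            if lower is not None and lower <= target <= parse_version(event["last_affected"]):
                return True
            lower = None
    # `introduced` with no closing event: every later version is affected.
    return lower is not None and target >= lower


def entry_affected(affected: dict, version: str) -> bool:
    """One element of an advisory's `affected` array covers `version`."""
    if version in affected.get("versions", []):
        return True
    return any(
        range_affected(rng["events"], version)
        for rng in affected.get("ranges", [])
        if rng.get("type") == "ECOSYSTEM"
    )


def matching_advisories(advisories: list[dict], ecosystem: str, name: str, version: str) -> list[str]:
    """IDs of advisories whose `affected` entries cover ecosystem/name@version."""
    hits = {
        adv["id"]
        for adv in advisories
        for aff in adv["affected"]
        if aff["package"]["ecosystem"] == ecosystem
        and aff["package"]["name"] == name
        and entry_affected(aff, version)
    }
    return sorted(hits)


LANGCHAIN = {"name": "langchain", "ecosystem": "PyPI", "purl": "pkg:pypi/langchain"}

# Range data copied from the two entries quoted in this issue.
ADVISORIES = [
    {
        "id": "PYSEC-2023-98",
        "affected": [{
            "package": LANGCHAIN,
            "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}],
            # Truncated excerpt of the enumerated list in the PYSEC entry.
            "versions": ["0.0.1", "0.0.10", "0.0.100", "0.0.101", "0.0.266"],
        }],
    },
    {
        "id": "GHSA-2qmj-7962-cjq8",
        "affected": [{
            "package": LANGCHAIN,
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"last_affected": "0.0.222"}]}],
        }],
    },
]

if __name__ == "__main__":
    for version in ("0.0.200", "0.0.222", "0.0.266"):
        print(version, matching_advisories(ADVISORIES, "PyPI", "langchain", version))
```

Run stand-alone, it reports 0.0.200 and 0.0.222 as covered by both entries and 0.0.266 by PYSEC-2023-98 alone, which is the API result in the first comment: the GHSA entry drops out because its own range ends at 0.0.222, not because an alias was lost. An open-ended `introduced: "0"` with no closing event, as in the PYSEC entry, matches every version ever published, which is why the PYSEC result never looks "fixed".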

@another-rex (Contributor)

Created github/advisory-database#2640 to resolve this upstream.

@fingeromer (Author)

Thanks @another-rex, I think I understand.
I think this diagram explains my confusion well:
image

I was expecting to see all aliases of the CVE related to version 0.0.266

@another-rex (Contributor)

We are currently working on a solution to populate the aliases field with all the aliases of the CVE. (Part of #1293)

The API will still return the advisory that's affecting the version of the package you pass in (e.g. PYSEC-123), but at least the aliases field will contain the other advisories (e.g. GHSA-123).
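The alias expansion described in the comment above, as an added example that is not osv.dev's code and not part of this thread: each entry's published `aliases` list names only the identifiers its own source knew about, so treating "entry X lists Y" as an undirected edge and taking connected components gives the full transitive group, including identifiers such as a bare CVE id that only ever appear on the alias side. The two real records use the identifiers from this issue; that the GHSA entry lists CVE-2023-36258 as an alias is an assumption (the UI search in the first comment shows both entries for that CVE). The EXAMPLE-* records are constructed to show a two-hop chain.

```python
"""Transitive alias groups for OSV entries.

Added example, not code from osv.dev. Each entry's `aliases` field lists
only the identifiers its own source knew; treating "entry X lists Y" as an
undirected edge and taking connected components yields every identifier
in the group, including ones that only ever appear on the alias side
(a bare CVE id), which is what this issue asks the API to expose.
"""
from __future__ import annotations

from collections import defaultdict, deque


def alias_groups(entries: dict[str, list[str]]) -> dict[str, frozenset[str]]:
    """Map every identifier to the full set of identifiers it is aliased with."""
    graph: dict[str, set[str]] = defaultdict(set)
    for vuln_id, aliases in entries.items():
        graph[vuln_id]  # register entries that alias nothing at all
        for alias in aliases:
            graph[vuln_id].add(alias)
            graph[alias].add(vuln_id)

    groups: dict[str, frozenset[str]] = {}
    for start in list(graph):
        if start in groups:
            continue
        seen = {start}
        queue = deque([start])
        while queue:  # breadth-first walk of one connected component
            node = queue.popleft()
            for neighbour in graph[node]:
                if neighbour not in seen:
                    seen.add(neighbour)
                    queue.append(neighbour)
        component = frozenset(seen)
        for node in component:
            groups[node] = component
    return groups


def expanded_aliases(entries: dict[str, list[str]], vuln_id: str) -> list[str]:
    """The `aliases` list an entry would carry after transitive expansion."""
    return sorted(alias_groups(entries)[vuln_id] - {vuln_id})


def missing_aliases(entries: dict[str, list[str]]) -> dict[str, list[str]]:
    """Entries whose published `aliases` omit members of their own group."""
    report: dict[str, list[str]] = {}
    for vuln_id, aliases in entries.items():
        missing = sorted(set(expanded_aliases(entries, vuln_id)) - set(aliases))
        if missing:
            report[vuln_id] = missing
    return report


# Published alias lists. The two real entries are from this issue; the GHSA
# entry's alias is an assumption (the UI search in the first comment shows
# both entries for CVE-2023-36258). The EXAMPLE-* ids are constructed to
# show a two-hop chain where A and C each know only about B.
ENTRIES = {
    "PYSEC-2023-98": ["CVE-2023-36258"],
    "GHSA-2qmj-7962-cjq8": ["CVE-2023-36258"],
    "EXAMPLE-A": ["EXAMPLE-B"],
    "EXAMPLE-C": ["EXAMPLE-B"],
}

if __name__ == "__main__":
    for vuln_id, missing in missing_aliases(ENTRIES).items():
        print(f"{vuln_id}: published aliases are missing {missing}")
```

With this data `missing_aliases` reports that PYSEC-2023-98 lacks GHSA-2qmj-7962-cjq8 and vice versa, which is the gap the issue title describes; the API would still select the entry by affected range as the comment says, but a consumer could then reach the sibling advisory through the expanded `aliases` field.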

@another-rex another-rex changed the title UI <> API mismatch with CVE-2023-36258 (langchain@0.0.266) Not all aliases of vulnerable packages show up in the API Aug 24, 2023
@oliverchang oliverchang changed the title Not all aliases of vulnerable packages show up in the API Compute all transitive aliases for OSV entries Sep 27, 2023
hogo6002 added a commit that referenced this issue Nov 1, 2023
Add an alias computation cron job to solve issues like
#1569.
4 participants