
Missing vulnerability aliases data in POST /v1/query #1062

Closed
fingeromer opened this issue Feb 22, 2023 · 1 comment

@fingeromer

Calling to POST https://api.osv.dev/v1/query
with body:

{
    "version": "1.41.7",
    "package": {
        "name": "github.com/aws/aws-sdk-go",
        "ecosystem": "Go"
    }
}

returns the following payload:

{
    "vulns": [
        {
            "id": "GO-2022-0646",
            "details": "The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket.\n\nFiles encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until reencrypted with the new client.",
            "aliases": [
                "CVE-2020-8911",
                "CVE-2020-8912",
                "GHSA-7f33-f4f5-xwgw",
                "GHSA-f5pg-7wfw-84q9"
            ],
            "modified": "2022-11-21T19:50:45Z",
            "published": "2022-02-11T23:26:26Z",
            "references": [
                {
                    "type": "ADVISORY",
                    "url": "https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09"
                },
                {
                    "type": "FIX",
                    "url": "https://github.com/aws/aws-sdk-go/pull/3403"
                },
                {
                    "type": "FIX",
                    "url": "https://github.com/aws/aws-sdk-go/commit/ae9b9fd92af132cfd8d879809d8611825ba135f4"
                }
            ],
            "affected": [
                {
                    "package": {
                        "name": "github.com/aws/aws-sdk-go",
                        "ecosystem": "Go",
                        "purl": "pkg:golang/github.com/aws/aws-sdk-go"
                    },
                    "ranges": [
                        {
                            "type": "SEMVER",
                            "events": [
                                {
                                    "introduced": "0"
                                }
                            ]
                        }
                    ],
                    "ecosystem_specific": {
                        "imports": [
                            {
                                "path": "github.com/aws/aws-sdk-go/service/s3/s3crypto",
                                "symbols": [
                                    "NewDecryptionClient",
                                    "NewEncryptionClient"
                                ]
                            }
                        ]
                    },
                    "database_specific": {
                        "url": "https://pkg.go.dev/vuln/GO-2022-0646",
                        "source": "https://vuln.go.dev/ID/GO-2022-0646.json"
                    }
                }
            ],
            "schema_version": "1.3.0",
            "credits": [
                {
                    "name": "Sophie Schmieg from the Google ISE team"
                }
            ]
        }
    ]
}

The response from the API includes a single vulnerability in the vulns array, identified as GO-2022-0646. However, the response payload does not include any information about the fixed event.

The aliases associated with the vulnerability (GHSA-f5pg-7wfw-84q9, GHSA-7f33-f4f5-xwgw) have fix versions, but they are missing from the response payload.

Since alias data is usually included in the vulns array, I wonder whether they are missing in this case, or whether there is a reason for this?

@fingeromer fingeromer changed the title Missing vulnerability aliases through REST API Missing vulnerability aliases in POST /v1/query Feb 22, 2023
@fingeromer fingeromer changed the title Missing vulnerability aliases in POST /v1/query Missing vulnerability aliases data in POST /v1/query Feb 22, 2023
@oliverchang
Collaborator

Hi! Please see golang/vulndb#1128 (comment) for the rationale on why this particular entry does not have the fixed event. It's a bit of a weird edge case, and proper detection of this relies on source-based analysis to ensure the vulnerable/deprecated function is not called (which is in the process of being added in google/osv-scanner#198).

Our API only returns the OSV entries that match a particular query -- all aliases are not returned by default unless they also match the query.
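The behaviour described in this answer, shown as an added example that is not part of the issue or of the OSV project's own code: a /v1/query hit is checked for a fixed event, and only when none is present are its aliases looked up one by one through GET /v1/vulns/{id}. The embedded query response is the GO-2022-0646 entry from above cut down to the relevant fields; FAKE_VULN_DB is a constructed offline stand-in for the API whose fixed versions are placeholders, not the real GHSA data.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

OSV_VULN_URL = "https://api.osv.dev/v1/vulns/"  # real endpoint: GET /v1/vulns/{id}

# Constructed sample: the GO-2022-0646 hit from the /v1/query response above,
# trimmed to the fields this helper reads (no "fixed" event in its range).
QUERY_RESPONSE = {"vulns": [{
    "id": "GO-2022-0646",
    "aliases": ["CVE-2020-8911", "CVE-2020-8912",
                "GHSA-7f33-f4f5-xwgw", "GHSA-f5pg-7wfw-84q9"],
    "affected": [{"package": {"name": "github.com/aws/aws-sdk-go", "ecosystem": "Go"},
                  "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}]}],
}]}

# Constructed offline stand-in for the API; "1.0.0-placeholder" is NOT the real fix version.
FAKE_VULN_DB = {
    "GHSA-7f33-f4f5-xwgw": {"affected": [{"ranges": [{"type": "SEMVER",
        "events": [{"introduced": "0"}, {"fixed": "1.0.0-placeholder"}]}]}]},
    "GHSA-f5pg-7wfw-84q9": {"affected": [{"ranges": [{"type": "SEMVER",
        "events": [{"introduced": "0"}, {"fixed": "1.0.0-placeholder"}]}]}]},
}

def fixed_versions(entry: dict) -> List[str]:
    """Collect every 'fixed' event across all affected ranges of one OSV entry."""
    return sorted({ev["fixed"] for aff in entry.get("affected", [])
                   for rng in aff.get("ranges", []) for ev in rng.get("events", [])
                   if "fixed" in ev})

def fetch_live(vuln_id: str) -> Optional[dict]:
    """Real lookup via GET /v1/vulns/{id}; None for ids OSV does not serve (HTTP 404)."""
    try:
        with urllib.request.urlopen(OSV_VULN_URL + vuln_id, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError:
        return None

def resolve_fixes(response: dict, fetch: Callable[[str], Optional[dict]]) -> Dict[str, dict]:
    """For each /v1/query hit without a fixed event, consult its aliases individually."""
    report: Dict[str, dict] = {}
    for vuln in response.get("vulns", []):
        own = fixed_versions(vuln)
        via_alias: Dict[str, List[str]] = {}
        if not own:  # aliases are not expanded by the query API, so look them up here
            for alias in vuln.get("aliases", []):
                entry = fetch(alias)
                if entry and fixed_versions(entry):
                    via_alias[alias] = fixed_versions(entry)
        report[vuln["id"]] = {"fixed": own, "alias_fixed": via_alias}
    return report

if __name__ == "__main__":  # swap FAKE_VULN_DB.get for fetch_live to query the real API
    print(json.dumps(resolve_fixes(QUERY_RESPONSE, FAKE_VULN_DB.get), indent=2))
```

Even when an alias does carry a fixed version, the answer above notes that for this entry the real question is whether the deprecated s3crypto symbols are called at all, which needs source-based analysis rather than version comparison.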
