Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Signature not found #28

Open
h3xstream opened this issue May 4, 2015 · 3 comments
Open

Signature not found #28

h3xstream opened this issue May 4, 2015 · 3 comments

Comments

@h3xstream
Copy link
Member

The enforcer does not catch the following case.

Configuration:

<project ...>

    <dependencies>
        <!-- Struts 2 -->
        <dependency>
            <groupId>org.apache.struts</groupId>
            <artifactId>struts2-core</artifactId>
            <version>2.1.6</version>
        </dependency>

    </dependencies>
</project>

Scan:

$ mvn verify
[...]
[INFO]
+=========================+
|VICTIMS-ENFORCER SETTINGS|
+=========================+
metadata     = warning
fingerprint  = fatal
updates      = auto

[INFO] Last update was on Mon May 04 17:01:16 EDT 2015. Checking for new vulnerabilities at
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 15.542 s
[INFO] Finished at: 2015-05-04T17:05:46-04:00
[INFO] Final Memory: 19M/360M
[INFO] ------------------------------------------------------------------------

It should be marked as vulnerable due to the following CVEs:
2014-0094, 2013-4316, 2013-2251...
@abn
Copy link
Member

abn commented May 5, 2015

@h3xstream, currently the upload of information from CVE DB to EVD is a manual process. The wiring up of both these databases are on the road map, just have not pinned down the 'when' of it yet. We can add those CVE entries manually over the weekend.

@h3xstream
Copy link
Member Author

@abn Ok no hurry. I can wait for the automate solution.

I don't see how manual entry is needed. What data need to be added to the existing CVE DB ?

@abn
Copy link
Member

abn commented May 6, 2015

@h3xstream will try and find some time to do this 'soon', been meaning to automate this for a while. :(

The EVD relies on fingerprints we generate on http://victi.ms/ which is manually maintained and has no awareness currently about the existence of CVE DB. Once we automate things, any commit that gets merged into CVE DB will get a fingerprint generated on the EVD Service. The enforcer relies on the fingerprints and not the GAV in order to identify vulnerable components. This allows us to catch bad jars even if they have JDK/Compile time specific differences.

The manual process involves registering and logging into the service and using the submission form or submitting via the secure API.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@abn @h3xstream