
Operating system vulnerability summary is too generic

fingeromer opened this issue 2 years ago • 3 comments

Hi, it seems like the summary field of every OS ecosystem is "{packageName} - security update".

Example:

curl --location 'https://api.osv.dev/v1/query' \
  --header 'Content-Type: application/json' \
  --data '{
    "package": {
      "purl": "pkg:deb/debian/openssl"
    }
  }'

Expected: A short description of the vulnerability.

fingeromer avatar Jun 22 '23 11:06 fingeromer

Hi @fingeromer (/cc @another-rex for visibility)

The summary is generated by this code:

https://github.com/ossf/osv-schema/blob/b3ae8f157b7487cdd7fddd63f2e2af7d1760cfa6/tools/debian/convert_debian.py#L232

Looking at the source data, and a sample record, namely:

  • DLA-0003-1
    • sourced from https://security-tracker.debian.org/tracker/CVE-2014-0195

I'm not sure of a better strategy we can use to generate these records?

andrewpollock avatar Jun 26 '23 01:06 andrewpollock

@andrewpollock what do you think about showing the CWE name of the CVE? For example, for https://security-tracker.debian.org/tracker/CVE-2014-0195 the CWE is https://cwe.mitre.org/data/definitions/120.html, so the summary can be 'Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')'

fingeromer avatar Jun 27 '23 07:06 fingeromer

> what do you think about showing the CWE name of the CVE?

I agree that this would provide additional context. This would require a CVE to CWE lookup table or trip through the NVD API to determine the CWE for a CVE. I also think there's a 1:many relationship between CVEs and CWEs, so we'd also have to determine which CWE to use (or just pick the first one when there's more than one).

andrewpollock avatar Jun 29 '23 04:06 andrewpollock

This issue has not had any activity for 60 days and will be automatically closed in two weeks

github-actions[bot] avatar Jul 22 '24 18:07 github-actions[bot]

> @andrewpollock what do you think about showing the CWE name of the CVE? For example, for https://security-tracker.debian.org/tracker/CVE-2014-0195 the CWE is https://cwe.mitre.org/data/definitions/120.html, so the summary can be 'Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')'

Eyeballing the output of:

curl --location 'https://api.osv.dev/v1/query' \
  --header 'Content-Type: application/json' \
  --data '{
    "package": {
      "purl": "pkg:deb/debian/openssl"
    }
  }' | jq '.vulns | map(select(.id | startswith("CVE-") | not) | {id, related: .related | length, summary})'

I don't think this approach is going to work reliably, because I can see many of these advisories aggregate multiple CVEs, so there would be no good way to identify which CWEs were most appropriate to put into the summary.

I note that not all of the summaries are as pathologically bad as you quote, too.

andrewpollock avatar Jul 23 '24 03:07 andrewpollock
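The following is an added example, not code from the osv.dev project or from either participant. It reproduces the jq filter from the thread in Python over a constructed sample response, and then tries the CWE-based summary idea in a way that copes with the two problems raised above: a CVE can map to several CWEs, and one Debian advisory can aggregate several CVEs. The rule used here is an assumption for illustration: an advisory gets a CWE-based summary only when all of its related CVEs share exactly one common CWE; otherwise the generic "<package> - security update" text is kept. The CVE-to-CWE lookup table (`CVE_TO_CWES`) is a hypothetical stand-in for the NVD lookup the thread mentions; DLA-0003-1, CVE-2014-0195 and CWE-120 come from the thread, while the `DLA-EXAMPLE-*` and `CVE-0000-*` identifiers are made-up placeholders.

```python
"""Added example (not osv.dev code): replicate the thread's jq filter over an
OSV query response and derive a CWE-based summary only when it is unambiguous."""
import json

# Constructed sample in the shape of an api.osv.dev /v1/query response.
# DLA-0003-1 / CVE-2014-0195 are from the thread; DLA-EXAMPLE-* and
# CVE-0000-* are made-up placeholders, not real advisories.
SAMPLE_RESPONSE = json.dumps({
    "vulns": [
        {"id": "CVE-2014-0195", "related": [],
         "summary": "constructed placeholder for a CVE record"},
        {"id": "DLA-0003-1", "related": ["CVE-2014-0195"],
         "summary": "openssl - security update"},
        {"id": "DLA-EXAMPLE-2", "related": ["CVE-0000-0001", "CVE-0000-0002"],
         "summary": "openssl - security update"},
        {"id": "DLA-EXAMPLE-3", "related": ["CVE-0000-0003", "CVE-0000-0004"],
         "summary": "openssl - security update"},
    ]
})

# Hypothetical CVE -> CWE lookup table standing in for an NVD query.
# CVE-0000-0002 shows the 1:many case the thread worries about.
CVE_TO_CWES = {
    "CVE-2014-0195": ["CWE-120"],
    "CVE-0000-0001": ["CWE-120"],
    "CVE-0000-0002": ["CWE-125", "CWE-120"],
    "CVE-0000-0003": ["CWE-120"],
    "CVE-0000-0004": ["CWE-79"],
}

# CWE titles; CWE-120's title is the one quoted in the thread.
CWE_NAMES = {
    "CWE-120": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')",
    "CWE-125": "Out-of-bounds Read",
    "CWE-79": "Improper Neutralization of Input During Web Page Generation "
              "('Cross-site Scripting')",
}


def non_cve_advisories(response_json):
    """Same projection as the jq expression in the thread: drop CVE-* records,
    keep each advisory's id, its number of related ids and its summary."""
    vulns = json.loads(response_json)["vulns"]
    return [
        {"id": v["id"],
         "related": len(v.get("related", [])),
         "summary": v.get("summary", "")}
        for v in vulns
        if not v["id"].startswith("CVE-")
    ]


def derive_summary(advisory, cve_to_cwes, cwe_names):
    """Return a CWE-based summary only when every related CVE shares exactly
    one common CWE; otherwise fall back to the advisory's generic summary."""
    generic = advisory.get("summary", "")
    related = advisory.get("related", [])
    if not related:
        return generic
    # Unknown CVEs yield an empty set, which empties the intersection and
    # forces the generic summary rather than guessing.
    cwe_sets = [set(cve_to_cwes.get(cve, [])) for cve in related]
    common = set.intersection(*cwe_sets)
    if len(common) != 1:
        return generic
    return cwe_names.get(next(iter(common)), generic)


def summarize_all(response_json, cve_to_cwes, cwe_names):
    """Map each non-CVE advisory id in the response to its derived summary."""
    vulns = json.loads(response_json)["vulns"]
    return {
        v["id"]: derive_summary(v, cve_to_cwes, cwe_names)
        for v in vulns
        if not v["id"].startswith("CVE-")
    }


if __name__ == "__main__":
    for row in non_cve_advisories(SAMPLE_RESPONSE):
        print(row)
    for vid, text in summarize_all(SAMPLE_RESPONSE, CVE_TO_CWES, CWE_NAMES).items():
        print(f"{vid}: {text}")
```

With the sample data, DLA-0003-1 and DLA-EXAMPLE-2 resolve to the CWE-120 title (the second because CWE-120 is the only weakness common to both of its CVEs), while DLA-EXAMPLE-3 keeps "openssl - security update" because its CVEs map to different weaknesses. The intersection rule is deliberately conservative: it would rather leave the generic text in place than attach the wrong weakness to an aggregated advisory.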