CVE-2016-5195 not imported from NVD


Vít Šesták

Mar 31, 2017, 9:14:50 AM
to Dependency Check
Hello,
I have realized that vulnerability https://nvd.nist.gov/vuln/detail/CVE-2016-5195 is not imported from NVD and when inspecting the source code, I haven't got any idea why this happens. Well, maybe I don't need this one to be imported, but I'd like to know why this happens, because it can point to some bug that can affect the overall accuracy (e.g., multiple vulnerabilities might get skipped).
Regards,
Vít Šesták 'v6ak'

Jeremy Long

Mar 31, 2017, 5:32:48 PM
to Vít Šesták, Dependency Check
By default, only application vulnerabilities are imported into the database. If you look at the affected software in the CVE it is all related to "cpe:2.3:o:...". The "o" stands for operating system. As dependency-check is not designed to scan operating systems these CVEs are not imported.

--Jeremy

--
You received this message because you are subscribed to the Google Groups "Dependency Check" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dependency-check+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Steve Springett

Mar 31, 2017, 10:34:15 PM
to Dependency Check
We might want to reconsider this. CPE, to my understanding, supports applications, operating systems, and hardware devices. Although Dependency-Check only has analyzers that support applications, it also ships with an agent that anyone can use to supply their own evidence. The agent is used in Dependency-Track as well as other applications. So although Dependency-Check doesn’t support operating system or hardware device analyzers, that doesn’t mean that it should be limited to that.

A scenario I’m thinking of may involve an IoT vendor that wants to use Dependency-Track (or similar app) to catalog the operating system, applications, firmware, etc. for multiple versions of their devices. When Dependency-Track calls the Dependency-Check agent to supply the evidence of these assets, there should be no reason why Dependency-Check shouldn’t check on those as well.

Thoughts?

— Steve

Jeremy Long

Apr 1, 2017, 8:25:34 AM
to Steve Springett, Dependency Check
ATM - this functionality can be changed by supplying a configuration value (-Dcve.cpe.startswith.filter=cpe:)
This isn't documented very well; but isn't something a normal user would ever need.

--Jeremy


Vít Šesták

Apr 7, 2017, 10:07:18 AM
to Dependency Check, st...@springett.us
Hello,
thanks. Unfortunately, I was unable to make it work. When I configure it as you say, it still skips the CVE I mentioned and the command “select * from cpeEntry where cpe NOT LIKE 'cpe:/a:%' LIMIT 10;” returns an empty set. IIUC, when I configure it to a nonsense value (e.g., “yycpe:”), it should import nothing, but this is also not the case.

In both cases, I run the command-line ODC 1.4.5 tool against a MySQL DB. In both cases, I have removed the whole database, because I assume that it would affect only newly added (or maybe updated) issues, not the past ones. I have checked that the verbose log contains a line like this one:

cve.cpe.startswith.filter='yycpe:'

However, when I look at the code, it seems pretty straightforward that it must work (at least if it is specified with JAVA_OPTS="-Dcve.cpe.startswith.filter=…"), so I am unsure what happens.

Regards,
Vít Šesták 'v6ak'



Jeremy Long

May 14, 2017, 6:07:29 PM
to Dependency Check, st...@springett.us
I have opened a github issue to track this: https://github.com/jeremylong/DependencyCheck/issues/733

--Jeremy
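As an added illustration (not Dependency-Check's own code), the Python below models the CPE "part" distinction Jeremy describes (a = application, o = operating system, h = hardware) and contrasts two filter semantics discussed in the thread: a literal starts-with filter, which is what a value like `cpe:` or `cpe:/a:` for `cve.cpe.startswith.filter` implies, and a part-aware filter that treats the CPE 2.2 URI form and the CPE 2.3 formatted-string form alike. The sample identifiers and the hardware vendor are constructed for the example.

```python
import re

# Constructed sample identifiers (not copied from the NVD feed): the same
# products written as a CPE 2.2 URI and as a CPE 2.3 formatted string,
# plus a hypothetical hardware entry.
SAMPLE_CPES = [
    "cpe:/o:linux:linux_kernel:4.8.2",                    # 2.2 URI, OS
    "cpe:2.3:o:linux:linux_kernel:4.8.2:*:*:*:*:*:*:*",   # 2.3 string, OS
    "cpe:/a:apache:struts:2.3.1",                         # 2.2 URI, application
    "cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:*",        # 2.3 string, application
    "cpe:/h:examplevendor:example_device",                # 2.2 URI, hardware (hypothetical)
]

PART_NAMES = {"a": "application", "o": "operating system", "h": "hardware"}

# CPE 2.2 URIs read "cpe:/<part>:vendor:product:...", CPE 2.3 formatted
# strings read "cpe:2.3:<part>:vendor:product:...". Both carry the part
# letter right after the syntax marker.
_PART_RE = re.compile(r"^cpe:(?:/|2\.3:)([aoh]):")


def cpe_part(cpe: str):
    """Return 'a', 'o' or 'h' for either CPE syntax, or None if unparseable."""
    m = _PART_RE.match(cpe)
    return m.group(1) if m else None


def prefix_filter(cpes, prefix: str):
    """Literal starts-with filter: the semantics a cve.cpe.startswith.filter
    value implies. 'cpe:' admits everything, a nonsense prefix admits nothing,
    and 'cpe:/a:' admits only 2.2-style application URIs."""
    return [c for c in cpes if c.startswith(prefix)]


def part_filter(cpes, parts):
    """Part-aware filter: keeps entries whose part letter is in `parts`,
    regardless of whether the entry is written in 2.2 or 2.3 syntax."""
    return [c for c in cpes if cpe_part(c) in parts]


def describe(cpes):
    """Map each identifier to its human-readable part, for reporting."""
    return {c: PART_NAMES.get(cpe_part(c), "unknown") for c in cpes}
```

The point the thread turns on is visible in the two filters: whether an OS-only CVE such as the one Vít mentions gets imported depends on the part letter, and a literal prefix only sees that letter for the syntax it was written against.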