Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

no information in "title" field for vuls scan on ubuntu vm #1855

Open
Viengogo opened this issue Feb 27, 2024 · 6 comments
Open

no information in "title" field for vuls scan on ubuntu vm #1855

Viengogo opened this issue Feb 27, 2024 · 6 comments
Labels
question

Comments

@Viengogo
Copy link

Viengogo commented Feb 27, 2024
edited
Loading

We use vuls in server mode. We observe that since a few last versions (including 0.24.9), we have a lot of CVE with missing title field content in JSON reports.
Configuration :

  • Vuls v0.24.6
  • goval-dictionary v0.9.4
  • go-cve-dictionary v0.9.0

curl -v http://127.0.0.1:5515/vuls -H 'Content-type: text/plain' -H 'X-Vuls-OS-Family: ubuntu' -H 'X-Vuls-OS-Release: 20.04' -H 'X-Vuls-Kernel-Release: 5.4.0-100-generic' --data "libaccountsservice0:amd64,ii ,0.6.55-0ubuntu1220.04.5,accountsservice,0.6.55-0ubuntu1220.04.5"

"scannedCves":{"CVE-2012-6655":{"cveID":"CVE-2012-6655","confidences":[{"score":100,"detectionMethod":"UbuntuAPIMatch"}],"affectedPackages":[{"name":"libaccountsservice0","notFixedYet":true,"fixState":"open"}],"cveContents":{"ubuntu_api":[{"type":"ubuntu_api","cveID":"CVE-2012-6655","title":"","summary":"An issue exists AccountService 0.6.37 in the user_change_password_authorized_cb() function in user.c which could let a local users obtain encrypted passwords.","cvss2Score":0,"cvss2Vector":"","cvss2Severity":"low","cvss3Score":0,"cvss3Vector":"","cvss3Severity":"low" ...

we having : "title":""
@MaineK00n
Copy link
Collaborator

ubuntu_api uses ubuntu cve tracker as a data source, and that data source does not include title information.
https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2012-6655

@fredericg78
Copy link

fredericg78 commented Feb 28, 2024
edited
Loading

Hi, you use cve tracker since you have switched to the gost DB, making it mandatory for ubuntu (this DB did not exist in previous vuls version and vulnerabilities datas was all there). Are you aware that not having titles for the CVEs anymore is an unacceptable regression? What do you propose to improve this point quickly?
Best regards

@MaineK00n
Copy link
Collaborator

Previously, the OVAL used by Vuls had a title like this. Even in the case of gost (ubuntu-cve-tracker), do you want to fill in a title like this?

$ goval-dictionary select --by-package ubuntu 23.10 curl | grep "Title:"
    Title:        "CVE-2023-28321 on Ubuntu 23.10 (mantic) - low.",
    Title:        "CVE-2023-28322 on Ubuntu 23.10 (mantic) - low.",
    Title:        "CVE-2023-38039 on Ubuntu 23.10 (mantic) - medium.",
    Title:        "CVE-2023-38545 on Ubuntu 23.10 (mantic) - high.",
    Title:        "CVE-2023-38546 on Ubuntu 23.10 (mantic) - low.",

@fredericg78
Copy link

Previously, the OVAL used by Vuls had a title like this. Even in the case of gost (ubuntu-cve-tracker), do you want to fill in a title like this?

$ goval-dictionary select --by-package ubuntu 23.10 curl | grep "Title:"
    Title:        "CVE-2023-28321 on Ubuntu 23.10 (mantic) - low.",
    Title:        "CVE-2023-28322 on Ubuntu 23.10 (mantic) - low.",
    Title:        "CVE-2023-38039 on Ubuntu 23.10 (mantic) - medium.",
    Title:        "CVE-2023-38545 on Ubuntu 23.10 (mantic) - high.",
    Title:        "CVE-2023-38546 on Ubuntu 23.10 (mantic) - low.",

Hi. If the title field has no information, the field should not be present in the json report, so the client app can react accordingly (it chooses what to do when there is no title field, for example, display part of the the summary field as a title). Or vuls itself must have a pattern like you mentionned to fill the title field with available CVE datas.

We use trivy separately in combination with vuls; trivy gives ubuntu CVE specific titles, for example for CVE-2022-2345, title is:
CVE-2022-2345 (os-pkgs / ubuntu):use-after-free in skipwhite() in charset.c

As you can understand, since the vuls update (with gost DB), our interface displays empty CVE titles, and we cannot keep it as is.

Best regards.

@MaineK00n
Copy link
Collaborator

CVE-2022-2345 (os-pkgs / ubuntu):use-after-free in skipwhite() in charset.c

Reference the trivy data source.
CVE-2022-2345 does not have a title for ubuntu data sources.

Probably, but it seems that redhat bugzilla has this title information.

First, Trivy combines information from multiple data sources and outputs information on detected CVEs. Therefore, there is no need to think of a title for each data source. However, Vuls maintains information for each data source.
For something like Vuls, which has a data structure that preserves each piece of data source information as much as possible, I don't think it's a good idea to arbitrarily supplement title information that isn't in the data source.

@fredericg78
Copy link

Hi,
ok, if you follow a requirement which is to preserve each piece of your data sources, i understand you don't want to code any aggregation ou transformation processes from these sources.
So the root issue is from datasources themselves. We cannot trust the title field from vuls report, so we will eliminate it from our vuls json report parsing. However we need a title for GUI display, the CVE description ('summary') is too much long, so we have to create our own CVE titles with custom rules.
Thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@MaineK00n @fredericg78 @Viengogo