diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap index 53f3455d707..743c18c1042 100755 --- a/cmd/osv-scanner/__snapshots__/main_test.snap +++ b/cmd/osv-scanner/__snapshots__/main_test.snap @@ -1682,12 +1682,9 @@ Scanned /fixtures/sbom-insecure/postgres-stretch.cdx.xml as CycloneDX S Loaded Debian local db from /osv-scanner/Debian/all.zip Loaded OSS-Fuzz local db from /osv-scanner/OSS-Fuzz/all.zip Loaded Go local db from /osv-scanner/Go/all.zip -16 unimportant vulnerabilities have been filtered out. -Filtered 16 vulnerabilities from output +-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+ -| https://osv.dev/CVE-2011-3374 | 3.7 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2018-0501 | 5.9 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2019-3462 | 8.1 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4808-1 | 5.7 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | 
@@ -1849,6 +1846,25 @@ Filtered 16 vulnerabilities from output | https://osv.dev/GHSA-xr7r-f8xq-vfvv | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-p782-xgp4-8hr8 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+ +| Uncalled vulnerabilities | | | | | | ++-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+ +| https://osv.dev/CVE-2011-3374 | 3.7 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2019-18276 | 7.8 | Debian | bash | 4.4-5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2017-18018 | 4.7 | Debian | coreutils | 8.26-3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-6829 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-1000654 | 5.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2020-24977 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2024-34459 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2011-4116 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2022-48522 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2023-31486 | 8.1 | Debian | perl | 5.24.1-3+deb9u7 | 
fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2005-2541 | | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2019-9923 | 7.5 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2021-20193 | 3.3 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2022-48303 | 5.5 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-7738 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2022-0563 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | ++-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+ --- 
@@ -1862,12 +1878,9 @@ Scanned /fixtures/sbom-insecure/postgres-stretch.cdx.xml as CycloneDX S Loaded Debian local db from /osv-scanner/Debian/all.zip Loaded OSS-Fuzz local db from /osv-scanner/OSS-Fuzz/all.zip Loaded Go local db from /osv-scanner/Go/all.zip -16 unimportant vulnerabilities have been filtered out. -Filtered 16 vulnerabilities from output +-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+ -| https://osv.dev/CVE-2011-3374 | 3.7 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2018-0501 | 5.9 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2019-3462 | 8.1 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4808-1 | 5.7 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | 
@@ -2029,6 +2042,25 @@ Filtered 16 vulnerabilities from output | https://osv.dev/GHSA-xr7r-f8xq-vfvv | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-p782-xgp4-8hr8 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+ +| Uncalled vulnerabilities | | | | | | ++-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+ +| https://osv.dev/CVE-2011-3374 | 3.7 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2019-18276 | 7.8 | Debian | bash | 4.4-5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2017-18018 | 4.7 | Debian | coreutils | 8.26-3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-6829 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-1000654 | 5.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2020-24977 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2024-34459 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2011-4116 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2022-48522 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2023-31486 | 8.1 | Debian | perl | 5.24.1-3+deb9u7 | 
fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2005-2541 | | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2019-9923 | 7.5 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2021-20193 | 3.3 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2022-48303 | 5.5 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2018-7738 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/CVE-2022-0563 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | ++-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+ --- diff --git a/internal/output/__snapshots__/machinejson_test.snap b/internal/output/__snapshots__/machinejson_test.snap index 3628c088e8c..e07d8a010f0 100755 --- a/internal/output/__snapshots__/machinejson_test.snap +++ b/internal/output/__snapshots__/machinejson_test.snap @@ -879,7 +879,8 @@ "aliases": null, "experimentalAnalysis": { "OSV-1": { - "called": false + "called": false, + "unimportant": false } }, "max_severity": "" @@ -927,7 +928,8 @@ "aliases": null, "experimentalAnalysis": { "OSV-2": { - "called": true + "called": true, + "unimportant": false } }, "max_severity": "" @@ -995,7 +997,8 @@ "aliases": null, "experimentalAnalysis": { "OSV-1": { - "called": false + "called": false, + "unimportant": false } }, "max_severity": "" @@ -1224,7 +1227,8 @@ "aliases": null, "experimentalAnalysis": { "OSV-1": { - "called": true + "called": true, + "unimportant": false } }, "max_severity": "" 
@@ -1288,7 +1292,8 @@
           "aliases": null,
           "experimentalAnalysis": {
             "OSV-1": {
-              "called": false
+              "called": false,
+              "unimportant": false
             }
           },
           "max_severity": ""
@@ -2273,7 +2278,8 @@
           "aliases": null,
           "experimentalAnalysis": {
             "OSV-1": {
-              "called": false
+              "called": false,
+              "unimportant": false
             }
           },
           "max_severity": ""
@@ -2285,7 +2291,8 @@
           "aliases": null,
           "experimentalAnalysis": {
             "OSV-5": {
-              "called": true
+              "called": true,
+              "unimportant": false
             }
           },
           "max_severity": ""
@@ -2402,7 +2409,8 @@
           "aliases": null,
           "experimentalAnalysis": {
             "OSV-3": {
-              "called": true
+              "called": true,
+              "unimportant": false
             }
           },
           "max_severity": ""
@@ -2574,7 +2582,8 @@
           "aliases": null,
           "experimentalAnalysis": {
             "OSV-1": {
-              "called": true
+              "called": true,
+              "unimportant": false
             }
           },
           "max_severity": ""
@@ -2586,7 +2595,8 @@
           "aliases": null,
           "experimentalAnalysis": {
             "GHSA-123": {
-              "called": false
+              "called": false,
+              "unimportant": false
             }
           },
           "max_severity": ""
@@ -2642,7 +2652,8 @@
           "aliases": null,
           "experimentalAnalysis": {
             "OSV-1": {
-              "called": true
+              "called": true,
+              "unimportant": false
             }
           },
           "max_severity": ""
@@ -2698,7 +2709,8 @@
           "aliases": null,
           "experimentalAnalysis": {
             "OSV-1": {
-              "called": false
+              "called": false,
+              "unimportant": false
             }
           },
           "max_severity": ""
@@ -2877,7 +2889,8 @@
           ],
           "experimentalAnalysis": {
             "OSV-1": {
-              "called": false
+              "called": false,
+              "unimportant": false
             }
           },
           "max_severity": ""
diff --git a/internal/sourceanalysis/__snapshots__/go_test.snap b/internal/sourceanalysis/__snapshots__/go_test.snap
index b3175b804d7..d9bf45c4d72 100755
--- a/internal/sourceanalysis/__snapshots__/go_test.snap
+++ b/internal/sourceanalysis/__snapshots__/go_test.snap
@@ -160,7 +160,8 @@
           "aliases": null,
           "experimentalAnalysis": {
             "GO-2021-0053": {
-              "called": false
+              "called": false,
+              "unimportant": false
             }
           },
           "max_severity": ""
@@ -313,7 +314,8 @@
           "aliases": null,
           "experimentalAnalysis": {
             "GO-2023-1558": {
-              "called": true
+              "called": true,
+              "unimportant": false
             }
           },
           "max_severity": ""
@@ -467,7 +469,8 @@
           "aliases": null,
           "experimentalAnalysis": {
             "GO-2023-1572": {
-              "called": false
+              "called": false,
+              "unimportant": false
             }
           },
           "max_severity": ""
diff --git a/pkg/models/results.go b/pkg/models/results.go
index e510ca10b67..5ffe7a60a4d 100644
--- a/pkg/models/results.go
+++ b/pkg/models/results.go
@@ -131,6 +131,10 @@ func (groupInfo *GroupInfo) IsCalled() bool {
 		if analysis.Called {
 			return true
 		}
+		// TODO(gongh@): For v2, create a separate function `isGroupUnimportant()` to encapsulate this check.
+		if analysis.Unimportant {
+			return false
+		}
 	}
 
 	return false
@@ -164,7 +168,8 @@ func (v *Vulnerability) FixedVersions() map[Package][]string {
 }
 
 type AnalysisInfo struct {
-	Called bool `json:"called"`
+	Called      bool `json:"called"`
+	Unimportant bool `json:"unimportant"`
 }
 
 // Specific package information
diff --git a/pkg/osvscanner/__snapshots__/osvscanner_internal_test.snap b/pkg/osvscanner/__snapshots__/osvscanner_internal_test.snap
index e7f7bd4ea1e..5b63a8a962c 100755
--- a/pkg/osvscanner/__snapshots__/osvscanner_internal_test.snap
+++ b/pkg/osvscanner/__snapshots__/osvscanner_internal_test.snap
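Review bot: The added `if analysis.Unimportant { return false }` inside the loop makes IsCalled order-dependent for groups with more than one analysis entry: ExperimentalAnalysis is created with `make(map[string]models.AnalysisInfo)` in vulnerability_result.go, Go map iteration order is random, and the branch returns before the remaining entries are examined, so a group holding one entry with `Called: true` and another with `Unimportant: true` would answer differently from run to run. The loop already falls through to `return false`, so the new branch only adds this short-circuit; either drop it, or, if the intent is that an unimportant mark overrides a called mark, record both in flags and return `called && !unimportant` after the loop. The loop header and the start of IsCalled are outside this hunk, so the map type is inferred from the constructor in the other file. A doc line on IsCalled such as `// IsCalled reports whether any analysis entry was called; entries marked Unimportant never count.` would pin the intended contract.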
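Review bot: The new `Unimportant` field of AnalysisInfo has no doc comment, and because the tag has no `omitempty` every group in the machine-readable output now carries `"unimportant": false` (the snapshot hunks in this diff show it on non-Debian groups too), so consumers of that JSON need to know what the key means. Suggest `// Unimportant is true when the Debian advisory for this ID carries urgency "unimportant"; IsCalled treats such entries as uncalled.` above the field, and a matching one-liner on `Called`. Emitting the key unconditionally is fine for a stable schema, but it should be a deliberate choice rather than a side effect of omitting `omitempty`.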
@@ -1491,6 +1491,65 @@
         "type": "lockfile"
       },
       "packages": [
+        {
+          "package": {
+            "name": "unixodbc",
+            "version": "2.3.11-2",
+            "ecosystem": "Debian:10"
+          },
+          "vulnerabilities": [
+            {
+              "modified": "2024-03-18T12:38:25Z",
+              "published": "2024-03-18T11:15:09Z",
+              "id": "CVE-2024-1013",
+              "details": "An out-of-bounds stack write flaw was found in unixODBC on 64-bit architectures where the caller has 4 bytes and callee writes 8 bytes. This issue may go unnoticed on little-endian architectures, while big-endian architectures can be broken.",
+              "affected": [
+                {
+                  "package": {
+                    "ecosystem": "Debian:10",
+                    "name": "unixodbc"
+                  },
+                  "ranges": [
+                    {
+                      "type": "ECOSYSTEM",
+                      "events": [
+                        {
+                          "introduced": "0"
+                        }
+                      ]
+                    }
+                  ],
+                  "ecosystem_specific": {
+                    "urgency": "unimportant"
+                  }
+                }
+              ],
+              "references": [
+                {
+                  "type": "REPORT",
+                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260823"
+                },
+                {
+                  "type": "WEB",
+                  "url": "https://access.redhat.com/security/cve/CVE-2024-1013"
+                },
+                {
+                  "type": "WEB",
+                  "url": "https://github.com/lurcher/unixODBC/pull/157"
+                }
+              ]
+            }
+          ],
+          "groups": [
+            {
+              "ids": [
+                "CVE-2024-1013"
+              ],
+              "aliases": null,
+              "max_severity": ""
+            }
+          ]
+        },
         {
           "package": {
             "name": "chromium",
diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go
index 29112cc1e22..6d4ad03ca61 100644
--- a/pkg/osvscanner/osvscanner.go
+++ b/pkg/osvscanner/osvscanner.go
@@ -717,13 +717,12 @@ func scanDebianDocker(r reporter.Reporter, dockerImageName string) ([]scannedPac
 // Filters results according to config, preserving order. Returns total number of vulnerabilities removed.
 func filterResults(r reporter.Reporter, results *models.VulnerabilityResults, configManager *config.Manager, allPackages bool) int {
 	removedCount := 0
-	unimportantCount := 0
 	newResults := []models.PackageSource{} // Want 0 vulnerabilities to show in JSON as an empty list, not null.
 	for _, pkgSrc := range results.Results {
 		configToUse := configManager.Get(r, pkgSrc.Source.Path)
 		var newPackages []models.PackageVulns
 		for _, pkgVulns := range pkgSrc.Packages {
-			newVulns := filterPackageVulns(r, pkgVulns, configToUse, &unimportantCount)
+			newVulns := filterPackageVulns(r, pkgVulns, configToUse)
 			removedCount += len(pkgVulns.Vulnerabilities) - len(newVulns.Vulnerabilities)
 			if allPackages || len(newVulns.Vulnerabilities) > 0 || len(pkgVulns.LicenseViolations) > 0 {
 				newPackages = append(newPackages, newVulns)
@@ -737,26 +736,13 @@ func filterResults(r reporter.Reporter, results *models.VulnerabilityResults, co
 	}
 	results.Results = newResults
 
-	if unimportantCount > 0 {
-		r.Infof("%d unimportant vulnerabilities have been filtered out.\n", unimportantCount)
-	}
-
 	return removedCount
 }
 
 // Filters package-grouped vulnerabilities according to config, preserving ordering. Returns filtered package vulnerabilities.
-func filterPackageVulns(r reporter.Reporter, pkgVulns models.PackageVulns, configToUse config.Config, unimportantCount *int) models.PackageVulns {
+func filterPackageVulns(r reporter.Reporter, pkgVulns models.PackageVulns, configToUse config.Config) models.PackageVulns {
 	ignoredVulns := map[string]struct{}{}
 
-	// Ignores all unimportant vulnerabilities.
-	for _, vuln := range pkgVulns.Vulnerabilities {
-		if isUnimportant(pkgVulns.Package.Ecosystem, vuln.Affected) {
-			// Track the count of all unimportant vulnerabilities, including duplicate vulnerabilities from different packages.
-			*unimportantCount++
-			ignoredVulns[vuln.ID] = struct{}{}
-		}
-	}
-
 	// Iterate over groups first to remove all aliases of ignored vulnerabilities.
 	var newGroups []models.GroupInfo
 	for _, group := range pkgVulns.Groups {
@@ -786,11 +772,6 @@ func filterPackageVulns(r reporter.Reporter, pkgVulns models.PackageVulns, confi
 			}
 			break
 		}
-
-		if _, unimportant := ignoredVulns[id]; unimportant {
-			r.Verbosef("%s has been filtered out due to its unimportance.\n", id)
-			ignore = true
-		}
 	}
 	if !ignore {
 		newGroups = append(newGroups, group)
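Review bot: After these two hunks the `r reporter.Reporter` parameter of filterPackageVulns may be dead: the only use of `r` visible in this diff, the `r.Verbosef` call in the second hunk, is deleted, and Go does not flag unused parameters. The body of filterPackageVulns continues outside the hunks, so if no other `r.` call remains there, drop the parameter and the matching argument in filterResults rather than carrying an unused reporter through the signature. The doc comment should also record where the responsibility went, since a reader of this function will otherwise assume unimportant advisories are still removed: `// Unimportant-urgency Debian advisories are no longer dropped here; they are tagged in buildVulnerabilityResults and reported as uncalled.`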
@@ -813,23 +794,6 @@ func filterPackageVulns(r reporter.Reporter, pkgVulns models.PackageVulns, confi
 	return pkgVulns
 }
 
-// isUnimportant checks if a Debian vulnerability is tagged with an "unimportant" urgency tag
-// Urgency levels are defined here: https://security-team.debian.org/security_tracker.html#severity-levels
-func isUnimportant(ecosystem string, affectedPackages []models.Affected) bool {
-	// Debian ecosystems may be listed with a version number, such as "Debian:10".
-	if !strings.HasPrefix(ecosystem, string(models.EcosystemDebian)) {
-		return false
-	}
-
-	for _, affected := range affectedPackages {
-		if affected.EcosystemSpecific["urgency"] == "unimportant" {
-			return true
-		}
-	}
-
-	return false
-}
-
 func parseLockfilePath(lockfileElem string) (string, string) {
 	if !strings.Contains(lockfileElem, ":") {
 		lockfileElem = ":" + lockfileElem
diff --git a/pkg/osvscanner/osvscanner_internal_test.go b/pkg/osvscanner/osvscanner_internal_test.go
index ec2e5b071c2..d2c72c927c8 100644
--- a/pkg/osvscanner/osvscanner_internal_test.go
+++ b/pkg/osvscanner/osvscanner_internal_test.go
@@ -33,7 +33,7 @@ func Test_filterResults(t *testing.T) {
 		{
 			name: "filter_partially",
 			path: "fixtures/filter/some",
-			want: 11,
+			want: 10,
 		},
 	}
 	for _, tt := range tests {
diff --git a/pkg/osvscanner/vulnerability_result.go b/pkg/osvscanner/vulnerability_result.go
index 298488763e8..79efa4e3534 100644
--- a/pkg/osvscanner/vulnerability_result.go
+++ b/pkg/osvscanner/vulnerability_result.go
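Review bot: The only test change in the diff is `want: 10`, which merely records that the unimportant unixodbc advisory is no longer removed by filterResults; nothing here exercises the new setUnimportant or isUnimportant paths. The osvscanner_internal_test.snap hunk confirms the gap: the new CVE-2024-1013 group for unixodbc carries `"aliases": null` and `"max_severity": ""` but no `experimentalAnalysis` entry, because Test_filterResults feeds fixtures straight into filterResults and never passes through buildVulnerabilityResults. Add a unit test that constructs a models.PackageVulns with one vulnerability whose affected entry has `ecosystem_specific.urgency == "unimportant"`, calls setUnimportant, and asserts `ExperimentalAnalysis["CVE-..."].Unimportant == true` and `IsCalled() == false`, plus a case with a different urgency that must leave ExperimentalAnalysis nil. Without that, a regression in the tagging logic would only show up as a silent change in which table an advisory lands in.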
@@ -69,6 +69,13 @@ func buildVulnerabilityResults(
 			}
 		}
 	}
+
+	// For Debian-based ecosystems, mark unimportant vulnerabilities within the package.
+	// Debian ecosystems may be listed with a version number, such as "Debian:10".
+	if strings.HasPrefix(pkg.Package.Ecosystem, string(models.EcosystemDebian)) {
+		setUnimportant(&pkg)
+	}
+
 	if actions.ScanLicensesSummary || len(actions.ScanLicensesAllowlist) > 0 {
 		configToUse := configManager.Get(r, rawPkg.Source.Path)
 		if override, entry := configToUse.ShouldOverridePackageLicense(pkg); override {
@@ -134,3 +141,41 @@ func buildVulnerabilityResults(
 
 	return results
 }
+
+// setUnimportant marks vulnerabilities in a PackageVulns as unimportant
+// within their respective groups' experimental analysis.
+func setUnimportant(pkg *models.PackageVulns) {
+	for _, vuln := range pkg.Vulnerabilities {
+		if !isUnimportant(vuln.Affected) {
+			continue
+		}
+		for i, group := range pkg.Groups {
+			if slices.Contains(group.IDs, vuln.ID) {
+				if group.ExperimentalAnalysis == nil {
+					pkg.Groups[i].ExperimentalAnalysis = make(map[string]models.AnalysisInfo)
+				}
+				// Set unimportant vulns as uncalled
+				pkg.Groups[i].ExperimentalAnalysis[vuln.ID] = models.AnalysisInfo{
+					Unimportant: true,
+					// TODO(gongh@): Currently, call analysis is not supported for Linux distribution vulnerabilities.
+					// The `Called` configuration is set to false by default.
+					// Update this behavior when call analysis for Linux distributions is implemented.
+				}
+
+				break
+			}
+		}
+	}
+}
+
+// isUnimportant checks if a Debian vulnerability is tagged with an "unimportant" urgency tag
+// Urgency levels are defined here: https://security-team.debian.org/security_tracker.html#severity-levels
+func isUnimportant(affectedPackages []models.Affected) bool {
+	for _, affected := range affectedPackages {
+		if affected.EcosystemSpecific["urgency"] == "unimportant" {
+			return true
+		}
+	}
+
+	return false
+}
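Review bot: In setUnimportant, `pkg.Groups[i].ExperimentalAnalysis[vuln.ID] = models.AnalysisInfo{Unimportant: true}` replaces whatever entry already exists for that ID, so a `Called: true` recorded by any earlier pass is silently discarded; the TODO says call analysis is not run for distro packages today, but the write should not rely on that. A read-modify-write keeps both flags: `info := pkg.Groups[i].ExperimentalAnalysis[vuln.ID]`, `info.Unimportant = true`, `pkg.Groups[i].ExperimentalAnalysis[vuln.ID] = info`. Separately, isUnimportant now answers true if any element of `affectedPackages` carries `urgency == "unimportant"`, and the snapshot in this diff shows urgency sitting inside an individual `affected` element next to that element's own `package.ecosystem`; if a record lists several Debian releases, an advisory that is unimportant for one release but not for the scanned one would be demoted as well, so the match should be limited to the affected entry whose package name and ecosystem equal the scanned package's (which means passing that information in, since the Debian-prefix guard now lives only in the caller). The comment `// Set unimportant vulns as uncalled` describes what IsCalled later derives rather than what this line does; `// Mark the entry unimportant; IsCalled treats such entries as uncalled` is more accurate.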