ROX-12350: Detect CVE-2022-22978 (#930)

Author: RTann

cpe/attributes/java/java.go

@@ -35,6 +35,36 @@ var (
 	immutableIndicators = []string{
 		"agent",
 	}
+
+	knownSpringVendors    = []string{"pivotal", "pivotal_software", "vmware"}
+	knownSpringComponents = set.NewFrozenStringSet(
+		"spring_advanced_message_queuing_protocol",
+		"spring_aop",
+		"spring_beans",
+		"spring_boot",
+		"spring_boot_autoconfigure",
+		"spring_boot_jarmode_layertools",
+		"spring_cloud_function",
+		"spring_cloud_function_core",
+		"spring_cloud_gateway",
+		"spring_cloud_netflix",
+		"spring_cloud_openfeign",
+		"spring_context",
+		"spring_core",
+		"spring_data_mongodb",
+		"spring_data_rest",
+		"spring_expression",
+		"spring_jcl",
+		"spring_security",
+		"spring_security_core",
+		"spring_security_crypto",
+		"spring_security_oath",
+		"spring_security_web",
+		"spring_web",
+		"spring_web_flow",
+		"spring_webflux",
+		"spring_webmvc",
+	)
 )
 
 func isMutableName(name string) bool {
@@ -70,7 +100,7 @@ func ignored(c *component.Component) bool {
 	return false
 }
 
-func getPossibleVendors(origins []string) set.StringSet {
+func getPossibleVendors(origins []string, names set.StringSet) set.StringSet {
 	// Try splitting on periods
 	vendorSet := set.NewStringSet()
 	for _, orig := range origins {
@@ -90,6 +120,15 @@ func getPossibleVendors(origins []string) set.StringSet {
 	if vendorSet.Cardinality() == 0 {
 		vendorSet.Add("apache")
 	}
+
+	// Add Spring-specific vendors.
+	for name := range names {
+		if knownSpringComponents.Contains(name) {
+			vendorSet.AddAll(knownSpringVendors...)
+			break
+		}
+	}
+
 	return vendorSet
 }
 
@@ -109,8 +148,8 @@ func GetJavaAttributes(c *component.Component) []*wfn.Attributes {
 		return nil
 	}
 
-	vendorSet := getPossibleVendors(java.Origins)
 	nameSet := common.GenerateNameKeys(c)
+	vendorSet := getPossibleVendors(java.Origins, nameSet)
 	versionSet := common.GenerateVersionKeys(c)
 	for k := range versionSet {
 		versionSet.Add(extensionRegex.ReplaceAllString(k, ""))

e2etests/testcase_test.go

@@ -3557,4 +3557,50 @@ Bug Fix(es) and Enhancement(s):
 			},
 		},
 	},
+	{
+		image:                   "quay.io/rhacs-eng/qa:spring-CVE-2022-22978",
+		registry:                "https://quay.io",
+		username:                os.Getenv("QUAY_RHACS_ENG_RO_USERNAME"),
+		password:                os.Getenv("QUAY_RHACS_ENG_RO_PASSWORD"),
+		source:                  "NVD",
+		onlyCheckSpecifiedVulns: true,
+		namespace:               "rhel:8",
+		expectedFeatures: []apiV1.Feature{
+			{
+				Name:          "spring-security-web",
+				VersionFormat: component.JavaSourceType.String(),
+				Version:       "5.5.5",
+				Location:      "application/app.jar:BOOT-INF/lib/spring-security-web-5.5.5.jar",
+				Vulnerabilities: []apiV1.Vulnerability{
+					{
+						Name:          "CVE-2022-22978",
+						Description:   `In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers.
+
+Applications using RegexRequestMatcher with '.' in the regular expression are possibly vulnerable to an authorization bypass.`,
+						Link:          "https://nvd.nist.gov/vuln/detail/CVE-2022-22978",
+						Severity:      "Important",
+						Metadata: map[string]interface{}{
+							"NVD": map[string]interface{}{
+								"CVSSv2": map[string]interface{}{
+									"ExploitabilityScore": 0.0,
+									"ImpactScore":         0.0,
+									"Score":               0.0,
+									"Vectors":             "",
+								},
+								"CVSSv3": map[string]interface{}{
+									"ExploitabilityScore": 3.9,
+									"ImpactScore":         4.2,
+									"Score":               8.2,
+									"Vectors":             "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
+								},
+							},
+						},
+						FixedBy: "5.5.7",
+					},
+				},
+				FixedBy: "5.5.7",
+				AddedBy: "sha256:5b6e3ce9721946e142ba43e488385ee4d323204a6052e0f20352d89ac00cafa2",
+			},
+		},
+	},
 }

pkg/vulnloader/nvdloader/manual.go

@@ -454,6 +454,71 @@ var manuallyEnrichedVulns = map[string]*schema.NVDCVEFeedJSON10DefCVEItem{
 		LastModifiedDate: "2022-03-31T00:00Z",
 		PublishedDate:    "2022-03-31T00:00Z",
 	},
+	"CVE-2022-22978": {
+		CVE: &schema.CVEJSON40{
+			CVEDataMeta: &schema.CVEJSON40CVEDataMeta{
+				ID: "CVE-2022-22978",
+			},
+			DataFormat:  "MITRE",
+			DataType:    "CVE",
+			DataVersion: "4.0",
+			Description: &schema.CVEJSON40Description{
+				DescriptionData: []*schema.CVEJSON40LangString{
+					{
+						Lang:  "en",
+						Value: "In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers.\n\nApplications using RegexRequestMatcher with '.' in the regular expression are possibly vulnerable to an authorization bypass.",
+					},
+				},
+			},
+			References: &schema.CVEJSON40References{
+				ReferenceData: []*schema.CVEJSON40Reference{
+					{
+						Name: "https://tanzu.vmware.com/security/cve-2022-22978",
+					},
+				},
+			},
+		},
+		Configurations: &schema.NVDCVEFeedJSON10DefConfigurations{
+			CVEDataVersion: "4.0",
+			Nodes: []*schema.NVDCVEFeedJSON10DefNode{
+				{
+					CPEMatch: []*schema.NVDCVEFeedJSON10DefCPEMatch{
+						{
+							Cpe23Uri:              `cpe:2.3:a:vmware:spring\-security\-web:*:*:*:*:*:*:*:*`,
+							VersionEndExcluding:   "5.6.4",
+							VersionStartIncluding: "5.6.0",
+						},
+						{
+							Cpe23Uri:            `cpe:2.3:a:vmware:spring\-security\-web:*:*:*:*:*:*:*:*`,
+							VersionEndExcluding: "5.5.7",
+						},
+					},
+					Operator: "OR",
+				},
+			},
+		},
+		Impact: &schema.NVDCVEFeedJSON10DefImpact{
+			BaseMetricV3: &schema.NVDCVEFeedJSON10DefImpactBaseMetricV3{
+				CVSSV3: &schema.CVSSV30{
+					AttackComplexity:      "LOW",
+					AttackVector:          "NETWORK",
+					AvailabilityImpact:    "NONE",
+					BaseScore:             8.2,
+					ConfidentialityImpact: "HIGH",
+					IntegrityImpact:       "LOW",
+					PrivilegesRequired:    "NONE",
+					Scope:                 "UNCHANGED",
+					UserInteraction:       "NONE",
+					VectorString:          "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
+					Version:               "3.1",
+				},
+				ExploitabilityScore: 3.9,
+				ImpactScore:         4.2,
+			},
+		},
+		LastModifiedDate: "2022-05-16T00:00Z",
+		PublishedDate:    "2022-05-16T00:00Z",
+	},
 	"CVE-2017-5638": {
 		CVE: &schema.CVEJSON40{
 			CVEDataMeta: &schema.CVEJSON40CVEDataMeta{