
ROX-18001: add drools CPE for CVE-2021-41411 #1205


Merged 9 commits on Jul 6, 2023

Conversation

dcaravel (Contributor) commented Jun 28, 2023

The CVE was not being matched with drools jars due to a vendor name mismatch.

Related ticket: https://issues.redhat.com/browse/ROX-18001

Testing

  • Created new image quay.io/rhacs-eng/qa:drools-CVE-2021-41411 from scratch containing only org.drools.drools-core-6.4.0.Final.jar
  • Added test case to e2etests/testcase_test.go
  • Tested local deploy with modified version of TestGRPCGetImageVulnerabilities to only execute newly added test
    • Verified test failed
  • Added manual entry to pkg/vulnloader/nvdloader/manual.go with additional CPE based on NVD entry from 2021.json in dump
  • Rebuilt build-updater and ran it to produce new dumps
  • Verified 2021.json had new CPE for CVE
  • Rebuilt scanner image (make image) and deployed locally (make deploy-local)
  • Retested via modified version of TestGRPCGetImageVulnerabilities
    • Verified test succeeded

ghost commented Jun 28, 2023

Images are ready for the commit at ef4db9e.

To use the images, use the tag 2.30.x-23-gef4db9e6ae.

@RTann RTann added the generate-dumps-on-pr Generates the image based on dumps from the PR label Jun 29, 2023
RTann (Collaborator) commented Jun 29, 2023

@dcaravel for CI to pick up the added vuln, you'd need to add the generate-dumps-on-pr label. I just added it. All you should need to do now is rerun all of CI, and it should get picked up.

dcaravel (Contributor, Author) commented Jul 3, 2023

/retest

dcaravel (Contributor, Author) commented Jul 5, 2023

/retest

dcaravel (Contributor, Author) commented Jul 5, 2023

/retest

dcaravel (Contributor, Author) commented Jul 5, 2023

/retest ci/prow/images

openshift-ci bot commented Jul 5, 2023

@dcaravel: The /retest command does not accept any targets.
The following commands are available to trigger required jobs:

  • /test images
  • /test push-images
  • /test style-checks
  • /test unit-tests

The following commands are available to trigger optional jobs:

  • /test db-integration-tests
  • /test diff-dumps
  • /test e2e-tests
  • /test scale-tests
  • /test slim-e2e-tests
  • /test store-db-dump
  • /test store-genesis-dump

Use /test all to run all jobs.

In response to this:

/retest ci/prow/images

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

dcaravel (Contributor, Author) commented Jul 5, 2023

/test images

@dcaravel dcaravel requested review from jvdm, daynewlee and RTann July 5, 2023 20:57
jvdm (Contributor) left a review comment:

LGTM, there is a comment on FixedBy, but if you confirm it's correct, I am OK to merge. Hence, approving.

Review comment (Contributor) on the manual entry:

Thank you for adding the test for this.

Description: "drools <=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability.",
Link: "https://nvd.nist.gov/vuln/detail/CVE-2021-41411",
Severity: "Critical",
FixedBy: "7.60.0.Final",
Review comment (Contributor):

I saw in NVD that FixedBy excludes 7.6.0. Is this correct?

[image]

dcaravel (Contributor, Author) replied Jul 6, 2023

I believe "Up to (excluding)" is meant to mean all versions prior to 7.6.0, but not including 7.6.0 itself. The NVD data appears bad: the description in NVD contradicts the highlighted section and starts with "drools <=7.59.x is affected by ..." (notice the y version 59 in double digits, as opposed to the 6 in the CPE block). The GitHub advisory data appears accurate and uses versions that match the actual package (i.e. x.y.z.Final):

[image]
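
The two points raised in this PR, that a CPE whose vendor string differs from the jar's coordinates never matches, and that NVD's "up to (excluding)" range is a per-component numeric comparison in which 7.6.0 and 7.59.0 are far apart, are illustrated by the following added Go example. It is not code from the scanner repository; the CPE type, its field names, the vendor/product strings and the jar coordinates are constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// CPE is a minimal vendor/product/version-range record in the spirit of the
// manual entry the PR adds; type and field names are this example's own.
type CPE struct {
	Vendor, Product     string
	VersionEndExcluding string // NVD "up to (excluding)": the first fixed version
}

// versionKey maps "7.60.0.Final" to [7 60 0], dropping the "Final" qualifier.
func versionKey(v string) []int {
	var key []int
	for _, part := range strings.Split(v, ".") {
		n, err := strconv.Atoi(part)
		if err != nil {
			break
		}
		key = append(key, n)
	}
	return key
}

// lessThan is component-wise, so "7.6.0" < "7.59.0" (6 < 59), unlike a string compare.
func lessThan(a, b string) bool {
	ka, kb := versionKey(a), versionKey(b)
	for i := 0; i < len(ka) && i < len(kb); i++ {
		if ka[i] != kb[i] {
			return ka[i] < kb[i]
		}
	}
	return len(ka) < len(kb)
}

// Matches needs exact vendor and product plus a version strictly below the fix,
// so a vendor string that differs from the jar's is enough to hide the CVE.
func (c CPE) Matches(vendor, product, version string) bool {
	return c.Vendor == vendor && c.Product == product &&
		lessThan(version, c.VersionEndExcluding)
}

func main() {
	c := CPE{Vendor: "org.drools", Product: "drools-core", VersionEndExcluding: "7.60.0.Final"} // constructed
	fmt.Println(c.Matches("org.drools", "drools-core", "6.4.0.Final")) // true
}
```

A CVE record carries a list of CPEs, so the scanner's fix is additive: the original NVD CPE stays and a second one with the vendor the jar actually reports is appended.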

@dcaravel dcaravel merged commit b75f0eb into master Jul 6, 2023
@dcaravel dcaravel deleted the dc/add-drools-vuln-cpe branch July 6, 2023 14:30