fix: do not skip NVD vulns with just CVSSv3 #1236

Merged
merged 3 commits into from
Aug 22, 2023
RTann
Collaborator

@RTann RTann commented Aug 15, 2023

Before updating the condition:

INFO[0130] Obtained metadata for 180078 NVD vulns (skipped 42616)

After:

INFO[0132] Obtained metadata for 209238 NVD vulns (skipped 13309)

We were ignoring a lot of vulnerabilities solely because they lacked CVSSv2 scores.

Note: this change caused some tests to update. This is expected, as we did not have all the vulnerability data as we should have had. Each update is related to this update. You can verify this, if you choose.
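The effect described in the comment above can be reproduced on a feed with a small filter; this is an added example, not code from the pull request or the project. It assumes the NVD JSON 1.1 feed field names `baseMetricV2` and `baseMetricV3`, and that the updated condition skips an item only when both are absent; `keptIDs` is a hypothetical helper and the CVE IDs are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of an NVD JSON 1.1 feed item; only the fields the check needs.
type nvdItem struct {
	CVE struct {
		Meta struct{ ID string } `json:"CVE_data_meta"`
	} `json:"cve"`
	Impact struct {
		V2 *json.RawMessage `json:"baseMetricV2"`
		V3 *json.RawMessage `json:"baseMetricV3"`
	} `json:"impact"`
}

// Constructed sample feed (placeholder IDs, not real CVEs).
const sampleFeed = `{"CVE_Items":[
 {"cve":{"CVE_data_meta":{"ID":"CVE-0000-0001"}},"impact":{"baseMetricV2":{"cvssV2":{"baseScore":5.0}},"baseMetricV3":{"cvssV3":{"baseScore":7.5}}}},
 {"cve":{"CVE_data_meta":{"ID":"CVE-0000-0002"}},"impact":{"baseMetricV3":{"cvssV3":{"baseScore":9.8}}}},
 {"cve":{"CVE_data_meta":{"ID":"CVE-0000-0003"}},"impact":{}}
]}`

// keptIDs returns the IDs that survive the filter. requireV2=true models the
// "before" behaviour; false skips only items with neither metric (assumed "after").
func keptIDs(feed []byte, requireV2 bool) ([]string, error) {
	var doc struct {
		Items []nvdItem `json:"CVE_Items"`
	}
	if err := json.Unmarshal(feed, &doc); err != nil {
		return nil, err
	}
	var kept []string
	for _, it := range doc.Items {
		hasV2, hasV3 := it.Impact.V2 != nil, it.Impact.V3 != nil
		if hasV2 || (!requireV2 && hasV3) {
			kept = append(kept, it.CVE.Meta.ID)
		}
	}
	return kept, nil
}

func main() {
	before, _ := keptIDs([]byte(sampleFeed), true)
	after, _ := keptIDs([]byte(sampleFeed), false)
	fmt.Println("before:", before, "after:", after)
}
```
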

@ghost

ghost commented Aug 15, 2023

Images are ready for the commit at c35805a.

To use the images, use the tag 2.30.x-42-gc35805a043.

@RTann RTann force-pushed the ross/nvd-dont-skip branch from f76a96b to cee9597 Compare August 15, 2023 22:41
@RTann RTann added the generate-dumps-on-pr Generates the image based on dumps from the PR label Aug 15, 2023
@RTann RTann force-pushed the ross/nvd-dont-skip branch 2 times, most recently from 355a4ff to ba648a9 Compare August 16, 2023 00:53
@RTann RTann force-pushed the ross/nvd-dont-skip branch from ba648a9 to a78c60c Compare August 21, 2023 22:22
@@ -13,168 +12,7 @@ type updater struct {
}

// Vulnerabilities lists vulnerabilities which may not already exist in the feeds for other distros.
var Vulnerabilities = []database.Vulnerability{
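Review bot: the doc comment on `Vulnerabilities` should be updated along with this hunk, which the header shows shrinking from 168 lines to 7. It still reads "may not already exist in the feeds for other distros"; consider stating that an entry belongs here only when no feed, NVD included, can supply it, so the dropped entries are not re-added by hand later. A test asserting that the removed entries are still reported from NVD metadata would also guard against the skip condition regressing.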
Collaborator Author

These entries are no longer required, as we can fetch their entries from NVD properly now

@RTann RTann requested review from jvdm, daynewlee and dcaravel August 22, 2023 00:19
@RTann RTann force-pushed the ross/nvd-dont-skip branch from 184ef97 to e43c686 Compare August 22, 2023 16:54
@RTann RTann force-pushed the ross/nvd-dont-skip branch from e43c686 to c35805a Compare August 22, 2023 18:34
Contributor

@daynewlee daynewlee left a comment

LGTM

@RTann RTann merged commit ed064ae into master Aug 22, 2023
@RTann RTann deleted the ross/nvd-dont-skip branch August 22, 2023 20:17