From 15102e4e3a2493aac3b55c49a8d92eeecda1569c Mon Sep 17 00:00:00 2001 From: Jess Lowe Date: Wed, 3 Sep 2025 04:37:52 +0000 Subject: [PATCH 01/33] Rewrite Debian conversion to make OSV files instead of PkgInfo #vc4a --- vulnfeeds/cmd/debian/main.go | 189 +++++++++++++++++++---------------- 1 file changed, 103 insertions(+), 86 deletions(-) diff --git a/vulnfeeds/cmd/debian/main.go b/vulnfeeds/cmd/debian/main.go index 7c5082ed493..98ac5d89cfe 100644 --- a/vulnfeeds/cmd/debian/main.go +++ b/vulnfeeds/cmd/debian/main.go @@ -3,21 +3,24 @@ package main import ( "encoding/csv" "encoding/json" + "flag" "fmt" "net/http" "os" "path" "sort" "strconv" + "time" "github.com/google/osv/vulnfeeds/faulttolerant" "github.com/google/osv/vulnfeeds/models" "github.com/google/osv/vulnfeeds/utility" "github.com/google/osv/vulnfeeds/vulns" + "github.com/ossf/osv-schema/bindings/go/osvschema" ) const ( - debianOutputPathDefault = "parts/debian" + debianOutputPathDefault = "debian_osv" debianDistroInfoURL = "https://debian.pages.debian.net/distro-info-data/debian.csv" debianSecurityTrackerURL = "https://security-tracker.debian.org/tracker/data/json" ) @@ -29,7 +32,10 @@ func main() { Logger, logCleanup = utility.CreateLoggerWrapper("debian-osv") defer logCleanup() - err := os.MkdirAll(debianOutputPathDefault, 0755) + debianOutputPath := flag.String("output_path", debianOutputPathDefault, "Path to output OSV files.") + flag.Parse() + + err := os.MkdirAll(*debianOutputPath, 0755) if err != nil { Logger.Fatalf("Can't create output path: %s", err) } 
@@ -44,14 +50,97 @@ func main() { Logger.Fatalf("Failed to get Debian distro info data: %s", err) } - cvePkgInfos := generateDebianSecurityTrackerOSV(debianData, debianReleaseMap) - if err = writeToOutput(cvePkgInfos); err != nil { + osvCves := generateOSVFromDebianTracker(debianData, debianReleaseMap) + + if err = writeToOutput(osvCves, *debianOutputPath); err != nil { Logger.Fatalf("Failed to write OSV output file: %s", err) } Logger.Infof("Debian CVE conversion succeeded.") } +// generateOSVFromDebianTracker converts Debian Security Tracker entries to OSV format. +func generateOSVFromDebianTracker(debianData DebianSecurityTrackerData, debianReleaseMap map[string]string) map[string]*vulns.Vulnerability { + Logger.Infof("Converting Debian Security Tracker data to OSV.") + osvCves := make(map[string]*vulns.Vulnerability) + + // Sorts packages to ensure results remain consistent between runs. + var pkgNames []string + for name := range debianData { + pkgNames = append(pkgNames, name) + } + sort.Strings(pkgNames) + + // Sorts releases to ensure pkgInfos remain consistent between runs. 
+ releaseNames := make([]string, 0, len(debianReleaseMap)) + for k := range debianReleaseMap { + releaseNames = append(releaseNames, k) + } + + sort.Slice(releaseNames, func(i, j int) bool { + vi, _ := strconv.ParseFloat(debianReleaseMap[releaseNames[i]], 64) + vj, _ := strconv.ParseFloat(debianReleaseMap[releaseNames[j]], 64) + return vi < vj + }) + + for _, pkgName := range pkgNames { + pkg := debianData[pkgName] + for cveId, cveData := range pkg { + v, ok := osvCves[cveId] + if !ok { + v = &vulns.Vulnerability{ + Vulnerability: osvschema.Vulnerability{ + ID: cveId, + Modified: time.Now().UTC(), + Details: cveData.Description, + References: []osvschema.Reference{ + { + Type: "ADVISORY", + URL: "https://security-tracker.debian.org/tracker/" + cveId, + }, + }, + }, + } + osvCves[cveId] = v + } + + for _, releaseName := range releaseNames { + // For reference on urgency levels, see: https://security-team.debian.org/security_tracker.html#severity-levels + release, ok := cveData.Releases[releaseName] + if !ok { + continue + } + debianVersion, ok := debianReleaseMap[releaseName] + if !ok { + continue + } + + if release.Status == "resolved" && release.FixedVersion == "0" { // not affected + continue + } + + pkgInfo := vulns.PackageInfo{ + PkgName: pkgName, + Ecosystem: "Debian:" + debianVersion, + EcosystemSpecific: map[string]interface{}{ + "urgency": release.Urgency, + }, + // VersionInfo: models.VersionInfo{ + // AffectedVersions: []models.AffectedVersion{{Introduced: "0"}}, + // }, + } + + if release.Status == "resolved" { + pkgInfo.VersionInfo.AffectedVersions = append(pkgInfo.VersionInfo.AffectedVersions, models.AffectedVersion{Fixed: release.FixedVersion}) + } + v.AddPkgInfo(pkgInfo) + } + } + } + + return osvCves +} + // getDebianReleaseMap gets the Debian version number, excluding testing and experimental versions. func getDebianReleaseMap() (map[string]string, error) { releaseMap := make(map[string]string) 
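Review bot: `Modified: time.Now().UTC()` is evaluated separately for every CVE inside the package loop, so records produced by one run carry slightly different timestamps and every run rewrites every record with a fresh `modified` even when the tracker data has not changed. Hoist a single `now := time.Now().UTC()` above the `for _, pkgName := range pkgNames` loop and use it for each record; if consumers key re-processing on `modified`, deriving it from an actual content change would be better still, which this converter does not attempt. The `sort.Slice` comparator discards the `strconv.ParseFloat` errors, so a release whose version string is not numeric silently sorts as 0; the code is moved from the old `generateDebianSecurityTrackerOSV`, but a `// non-numeric versions sort first` comment or a log line would make that intent visible. The tail of `main` at the top of the hunk belongs to a function that starts outside it.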
@@ -98,96 +187,24 @@ func getDebianReleaseMap() (map[string]string, error) { return releaseMap, err } -// updateOSVPkgInfos adds new release entries to osvPkgInfos. -func updateOSVPkgInfos(pkgName string, cveId string, releases map[string]Release, osvPkgInfos map[string][]vulns.PackageInfo, debianReleaseMap map[string]string, releaseNames []string) { - var pkgInfos []vulns.PackageInfo - if value, ok := osvPkgInfos[cveId]; ok { - pkgInfos = value - } - - for _, releaseName := range releaseNames { - // For reference on urgency levels, see: https://security-team.debian.org/security_tracker.html#severity-levels - release, ok := releases[releaseName] - if !ok { - continue - } - debianVersion, ok := debianReleaseMap[releaseName] - if !ok { - continue - } - - pkgInfo := vulns.PackageInfo{ - PkgName: pkgName, - Ecosystem: "Debian:" + debianVersion, - } - pkgInfo.EcosystemSpecific = make(map[string]interface{}) - - pkgInfo.VersionInfo = models.VersionInfo{ - AffectedVersions: []models.AffectedVersion{{Introduced: "0"}}, - } - if release.Status == "resolved" { - if release.FixedVersion == "0" { // not affected - continue - } - pkgInfo.VersionInfo.AffectedVersions = append(pkgInfo.VersionInfo.AffectedVersions, models.AffectedVersion{Fixed: release.FixedVersion}) - } - pkgInfo.EcosystemSpecific["urgency"] = release.Urgency - pkgInfos = append(pkgInfos, pkgInfo) - } - if pkgInfos != nil { - osvPkgInfos[cveId] = pkgInfos - } -} - -// generateDebianSecurityTrackerOSV converts Debian Security Tracker entries to OSV PackageInfo format. -func generateDebianSecurityTrackerOSV(debianData DebianSecurityTrackerData, debianReleaseMap map[string]string) map[string][]vulns.PackageInfo { - Logger.Infof("Converting Debian Security Tracker data to OSV package infos.") - osvPkgInfos := make(map[string][]vulns.PackageInfo) - - // Sorts packages to ensure results remain consistent between runs. 
- var pkgNames []string - for name := range debianData { - pkgNames = append(pkgNames, name) - } - sort.Strings(pkgNames) - - // Sorts releases to ensure pkgInfos remain consistent between runs. - releaseNames := make([]string, 0, len(debianReleaseMap)) - for k := range debianReleaseMap { - releaseNames = append(releaseNames, k) - } - - sort.Slice(releaseNames, func(i, j int) bool { - vi, _ := strconv.ParseFloat(debianReleaseMap[releaseNames[i]], 64) - vj, _ := strconv.ParseFloat(debianReleaseMap[releaseNames[j]], 64) - return vi < vj - }) - - for _, pkgName := range pkgNames { - pkg := debianData[pkgName] - for cveId, cve := range pkg { - updateOSVPkgInfos(pkgName, cveId, cve.Releases, osvPkgInfos, debianReleaseMap, releaseNames) - } - } - - return osvPkgInfos -} - -func writeToOutput(cvePkgInfos map[string][]vulns.PackageInfo) error { - Logger.Infof("Writing package infos to the output.") - for cveId := range cvePkgInfos { - pkgInfos := cvePkgInfos[cveId] - file, err := os.OpenFile(path.Join(debianOutputPathDefault, cveId+".debian.json"), os.O_CREATE|os.O_RDWR, 0644) +func writeToOutput(osvCves map[string]*vulns.Vulnerability, debianOutputPath string) error { + Logger.Infof("Writing OSV files to the output.") + for cveId, osv := range osvCves { + file, err := os.OpenFile(path.Join(debianOutputPath, cveId+".json"), os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0644) if err != nil { return err } + encoder := json.NewEncoder(file) encoder.SetIndent("", " ") - err = encoder.Encode(&pkgInfos) + err = encoder.Encode(osv) + closeErr := file.Close() if err != nil { return err } - _ = file.Close() + if closeErr != nil { + return closeErr + } } return nil From b8d2774abe540747da75e80578306dd78e8849a6 Mon Sep 17 00:00:00 2001 From: Jess Lowe Date: Wed, 3 Sep 2025 04:43:45 +0000 Subject: [PATCH 02/33] Change debian id to include prefix and the OG ID as upstream --- vulnfeeds/cmd/debian/main.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
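Review bot: `cveId` is a key taken straight from the downloaded tracker JSON and is used unchecked as a file-name component in `path.Join(debianOutputPath, cveId+".json")`, so a key containing a path separator or `..` would write outside the output directory. A cheap guard before `os.OpenFile` is `if strings.ContainsAny(cveId, "/\\") || cveId == ".." { return fmt.Errorf("invalid identifier %q", cveId) }` (needs the `strings` import), or validate keys against the expected identifier shape once when the feed is decoded. Use `filepath.Join` rather than `path.Join` for an OS path, and `os.O_WRONLY` is sufficient since the file is only written. The errors returned here carry no file name; `fmt.Errorf("writing %s: %w", cveId, err)` would make a failed run diagnosable. writeToOutput's closing brace lies outside the hunk.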
diff --git a/vulnfeeds/cmd/debian/main.go b/vulnfeeds/cmd/debian/main.go index 98ac5d89cfe..177257d903b 100644 --- a/vulnfeeds/cmd/debian/main.go +++ b/vulnfeeds/cmd/debian/main.go @@ -90,7 +90,8 @@ func generateOSVFromDebianTracker(debianData DebianSecurityTrackerData, debianRe if !ok { v = &vulns.Vulnerability{ Vulnerability: osvschema.Vulnerability{ - ID: cveId, + ID: fmt.Sprintf("DEBIAN-%s", cveId), + Upstream: []string{cveId}, Modified: time.Now().UTC(), Details: cveData.Description, References: []osvschema.Reference{ From 0a4975a7f656c7c080644b0e2a56ad21d5dc247b Mon Sep 17 00:00:00 2001 From: Jess Lowe Date: Wed, 3 Sep 2025 05:03:46 +0000 Subject: [PATCH 03/33] remove unused code --- vulnfeeds/cmd/debian/main.go | 3 --- 1 file changed, 3 deletions(-) diff --git a/vulnfeeds/cmd/debian/main.go b/vulnfeeds/cmd/debian/main.go index 177257d903b..a4a43fa313d 100644 --- a/vulnfeeds/cmd/debian/main.go +++ b/vulnfeeds/cmd/debian/main.go @@ -126,9 +126,6 @@ func generateOSVFromDebianTracker(debianData DebianSecurityTrackerData, debianRe EcosystemSpecific: map[string]interface{}{ "urgency": release.Urgency, }, - // VersionInfo: models.VersionInfo{ - // AffectedVersions: []models.AffectedVersion{{Introduced: "0"}}, - // }, } if release.Status == "resolved" { From a5f5f303bc0dcf0f26f19e4085e17892d11caef8 Mon Sep 17 00:00:00 2001 From: Jess Lowe Date: Wed, 3 Sep 2025 05:04:04 +0000 Subject: [PATCH 04/33] Rename Debian CVE struct --- vulnfeeds/cmd/debian/debian_security_tracker.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/vulnfeeds/cmd/debian/debian_security_tracker.go b/vulnfeeds/cmd/debian/debian_security_tracker.go index e84019302b7..5dbe26430aa 100644 --- a/vulnfeeds/cmd/debian/debian_security_tracker.go +++ b/vulnfeeds/cmd/debian/debian_security_tracker.go 
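Review bot: `ID: fmt.Sprintf("DEBIAN-%s", cveId)` uses a format call for a fixed prefix while the reference a few lines below builds its URL with plain concatenation; `ID: "DEBIAN-" + cveId,` is consistent with that and avoids the boxing. `Upstream: []string{cveId}` assumes every key in the tracker feed is an upstream record id; if the feed carries keys that are not CVE ids the upstream link would dangle, so it may be worth filtering or logging such keys here — I cannot tell from the hunk whether the decoder already does. generateOSVFromDebianTracker starts and ends outside the hunk.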
@@ -7,11 +7,11 @@ type Release struct { Urgency string `json:"urgency"` } -type CVE struct { +type DebianCVE struct { Description string `json:"description"` DebianBug int Scope string `json:"scope"` Releases map[string]Release `json:"releases"` } -type DebianSecurityTrackerData map[string]map[string]CVE +type DebianSecurityTrackerData map[string]map[string]DebianCVE From f8294eab84b68c4ac182eb6b93fe5327ccec4f01 Mon Sep 17 00:00:00 2001 From: Jess Lowe Date: Wed, 3 Sep 2025 06:01:51 +0000 Subject: [PATCH 05/33] these tests are testing me. --- vulnfeeds/cmd/debian/main_test.go | 170 ++++++++++++++++++++++++------ 1 file changed, 140 insertions(+), 30 deletions(-) diff --git a/vulnfeeds/cmd/debian/main_test.go b/vulnfeeds/cmd/debian/main_test.go index a6066921366..85efbaf089e 100644 --- a/vulnfeeds/cmd/debian/main_test.go +++ b/vulnfeeds/cmd/debian/main_test.go 
@@ -2,44 +2,154 @@ package main import ( "encoding/json" - "fmt" - "io" "os" + "sort" "testing" + "time" + "github.com/google/go-cmp/cmp" "github.com/google/osv/vulnfeeds/vulns" + "github.com/ossf/osv-schema/bindings/go/osvschema" ) -func Test_generateDebianSecurityTrackerOSV(t *testing.T) { - var decodedDebianData DebianSecurityTrackerData - - file, _ := os.Open("../../test_data/debian/debian_security_tracker_mock.json") - defer file.Close() - _ = json.NewDecoder(file).Decode(&decodedDebianData) - - debianReleaseMap := make(map[string]string) - debianReleaseMap["sarge"] = "3.1" - debianReleaseMap["stretch"] = "9" - debianReleaseMap["buster"] = "10" - debianReleaseMap["bullseye"] = "11" - debianReleaseMap["bookworm"] = "12" - debianReleaseMap["trixie"] = "13" - - osvPkgInfos := generateDebianSecurityTrackerOSV(decodedDebianData, debianReleaseMap) - expectedCount := 3 - if len(osvPkgInfos) != expectedCount { - t.Errorf("Expected %v Debian OSV entries , got %v", expectedCount, osvPkgInfos) +func mustRead(tb testing.TB, filename string) []byte { + tb.Helper() + data, err := os.ReadFile(filename) + if err != nil { + tb.Fatalf("Failed to read file %s: %v", filename, err) } - for cveId, pkgInfos := range osvPkgInfos { - file, err := os.Open(fmt.Sprintf("../../test_data/parts/debian/%s.debian.json", cveId)) - if err != nil { - t.Errorf("../../test_data/parts/debian/%s.debian.json doesn't exist", cveId) + return data +} + +// sortAffected is a helper to sort affected packages for consistent comparison. 
+func sortAffected(affected []osvschema.Affected) { + sort.Slice(affected, func(i, j int) bool { + if affected[i].Package.Name != affected[j].Package.Name { + return affected[i].Package.Name < affected[j].Package.Name + } + return affected[i].Package.Ecosystem < affected[j].Package.Ecosystem + }) +} + +func TestGenerateOSVFromDebianTracker(t *testing.T) { + // Mock the time + now := time.Date(2024, 7, 1, 0, 0, 0, 0, time.UTC) + + var trackerData DebianSecurityTrackerData + if err := json.Unmarshal(mustRead(t, "../../test_data/debian/debian_security_tracker_mock.json"), &trackerData); err != nil { + t.Fatalf("Failed to unmarshal test data: %v", err) + } + + releaseMap := map[string]string{ + "sarge": "3.1", + "stretch": "9", + "buster": "10", + "bullseye": "11", + "bookworm": "12", + "trixie": "13", + } + + got := generateOSVFromDebianTracker(trackerData, releaseMap) + + // Define the expected OSV entries. + want := map[string]*vulns.Vulnerability{ + "CVE-2018-1000500": { + Vulnerability: osvschema.Vulnerability{ + ID: "DEBIAN-CVE-2018-1000500", + Upstream: []string{"CVE-2018-1000500"}, + Modified: now, + Details: "Busybox contains a Missing SSL certificate validation vulnerability in The \"busybox wget\" applet that can result in arbitrary code execution. 
This attack appear to be exploitable via Simply download any file over HTTPS using \"busybox wget https://compromised-domain.com/important-file\".", + Affected: []osvschema.Affected{ + {Package: osvschema.Package{Name: "busybox", Ecosystem: "Debian:10"}, EcosystemSpecific: map[string]interface{}{"urgency": "end-of-life"}}, + {Package: osvschema.Package{Name: "busybox", Ecosystem: "Debian:11"}, EcosystemSpecific: map[string]interface{}{"urgency": "unimportant"}}, + {Package: osvschema.Package{Name: "busybox", Ecosystem: "Debian:12"}, EcosystemSpecific: map[string]interface{}{"urgency": "unimportant"}}, + {Package: osvschema.Package{Name: "busybox", Ecosystem: "Debian:13"}, EcosystemSpecific: map[string]interface{}{"urgency": "unimportant"}}, + }, + References: []osvschema.Reference{{Type: "ADVISORY", URL: "https://security-tracker.debian.org/tracker/CVE-2018-1000500"}}, + }, + }, + "CVE-2014-1424": { + Vulnerability: osvschema.Vulnerability{ + ID: "DEBIAN-CVE-2014-1424", + Upstream: []string{"CVE-2014-1424"}, + Modified: now, + Details: "apparmor_parser in the apparmor package before 2.8.95~2430-0ubuntu5.1 in Ubuntu 14.04 allows attackers to bypass AppArmor policies via unspecified vectors, related to a \"miscompilation flaw.\"", + Affected: nil, // Empty because all are resolved at version "0" + References: []osvschema.Reference{{Type: "ADVISORY", URL: "https://security-tracker.debian.org/tracker/CVE-2014-1424"}}, + }, + }, + "CVE-2016-1585": { + Vulnerability: osvschema.Vulnerability{ + ID: "DEBIAN-CVE-2016-1585", + Upstream: []string{"CVE-2016-1585"}, + Modified: now, + Details: "In all versions of AppArmor mount rules are accidentally widened when compiled.", + Affected: []osvschema.Affected{ + {Package: osvschema.Package{Name: "apparmor", Ecosystem: "Debian:10"}, EcosystemSpecific: map[string]interface{}{"urgency": "unimportant"}}, + {Package: osvschema.Package{Name: "apparmor", Ecosystem: "Debian:11"}, EcosystemSpecific: map[string]interface{}{"urgency": 
"unimportant"}}, + {Package: osvschema.Package{Name: "apparmor", Ecosystem: "Debian:12"}, EcosystemSpecific: map[string]interface{}{"urgency": "unimportant"}}, + { + Package: osvschema.Package{Name: "apparmor", Ecosystem: "Debian:13"}, + Ranges: []osvschema.Range{{Type: "ECOSYSTEM", Events: []osvschema.Event{{Introduced: "0"}, {Fixed: "3.0.12-1"}}}}, + EcosystemSpecific: map[string]interface{}{"urgency": "unimportant"}, + }, + }, + References: []osvschema.Reference{{Type: "ADVISORY", URL: "https://security-tracker.debian.org/tracker/CVE-2016-1585"}}, + }, + }, + "CVE-2017-6507": { + Vulnerability: osvschema.Vulnerability{ + ID: "DEBIAN-CVE-2017-6507", + Upstream: []string{"CVE-2017-6507"}, + Modified: now, + Details: "An issue was discovered in AppArmor before 2.12. Incorrect handling of unknown AppArmor profiles in AppArmor init scripts, upstart jobs, and/or systemd unit files allows an attacker to possibly have increased attack surfaces of processes that were intended to be confined by AppArmor. This is due to the common logic to handle 'restart' operations removing AppArmor profiles that aren't found in the typical filesystem locations, such as /etc/apparmor.d/. 
Userspace projects that manage their own AppArmor profiles in atypical directories, such as what's done by LXD and Docker, are affected by this flaw in the AppArmor init script logic.", + Affected: []osvschema.Affected{ + { + Package: osvschema.Package{Name: "apparmor", Ecosystem: "Debian:10"}, + Ranges: []osvschema.Range{{Type: "ECOSYSTEM", Events: []osvschema.Event{{Introduced: "0"}, {Fixed: "2.11.0-3"}}}}, + EcosystemSpecific: map[string]interface{}{"urgency": "not yet assigned"}, + }, + { + Package: osvschema.Package{Name: "apparmor", Ecosystem: "Debian:11"}, + Ranges: []osvschema.Range{{Type: "ECOSYSTEM", Events: []osvschema.Event{{Introduced: "0"}, {Fixed: "2.11.0-3"}}}}, + EcosystemSpecific: map[string]interface{}{"urgency": "not yet assigned"}, + }, + { + Package: osvschema.Package{Name: "apparmor", Ecosystem: "Debian:12"}, + Ranges: []osvschema.Range{{Type: "ECOSYSTEM", Events: []osvschema.Event{{Introduced: "0"}, {Fixed: "2.11.0-3"}}}}, + EcosystemSpecific: map[string]interface{}{"urgency": "not yet assigned"}, + }, + { + Package: osvschema.Package{Name: "apparmor", Ecosystem: "Debian:13"}, + Ranges: []osvschema.Range{{Type: "ECOSYSTEM", Events: []osvschema.Event{{Introduced: "0"}, {Fixed: "2.11.0-3"}}}}, + EcosystemSpecific: map[string]interface{}{"urgency": "not yet assigned"}, + }, + }, + References: []osvschema.Reference{{Type: "ADVISORY", URL: "https://security-tracker.debian.org/tracker/CVE-2017-6507"}}, + }, + }, + } + + if len(got) != len(want) { + t.Fatalf("generateOSVFromDebianTracker() returned %d CVEs, want %d", len(got), len(want)) + } + + for cveID, wantVuln := range want { + gotVuln, ok := got[cveID] + if !ok { + t.Errorf("generateOSVFromDebianTracker() missing expected CVE %s", cveID) + continue } - expectedResult, _ := io.ReadAll(file) - var expectedPackageInfos []vulns.PackageInfo - json.Unmarshal(expectedResult, &expectedPackageInfos) - if len(pkgInfos) != len(expectedPackageInfos) || pkgInfos[0].EcosystemSpecific["urgency"] != 
expectedPackageInfos[0].EcosystemSpecific["urgency"] { - t.Errorf("Expected Debian OSV data %v, got %v", expectedPackageInfos, pkgInfos) + + // Ignore Modified time for comparison. + wantVuln.Modified = gotVuln.Modified + + // Sort affected packages for consistent comparison. + sortAffected(gotVuln.Affected) + sortAffected(wantVuln.Affected) + + if diff := cmp.Diff(wantVuln, gotVuln); diff != "" { + t.Errorf("OSV for %s mismatch (-want +got):\n%s", cveID, diff) } } } From 361626aebb0068997413d735643a9a2db736dd55 Mon Sep 17 00:00:00 2001 From: Jess Lowe Date: Wed, 3 Sep 2025 06:03:56 +0000 Subject: [PATCH 06/33] remove debian from combine-to-osv --- vulnfeeds/cmd/combine-to-osv/README.md | 1 - vulnfeeds/cmd/combine-to-osv/main.go | 10 +------ vulnfeeds/cmd/combine-to-osv/main_test.go | 35 ++++++++++++----------- 3 files changed, 20 insertions(+), 26 deletions(-) diff --git a/vulnfeeds/cmd/combine-to-osv/README.md b/vulnfeeds/cmd/combine-to-osv/README.md index 79829b823d4..e9d1471ba0e 100644 --- a/vulnfeeds/cmd/combine-to-osv/README.md +++ b/vulnfeeds/cmd/combine-to-osv/README.md @@ -9,7 +9,6 @@ Combine [`PackageInfo`](https://github.com/google/osv.dev/blob/2c22e9534a521c6c6 To address the generation of CVE records from multiple disparate sources (all requiring a common record prefix): * Alpine, by [this code](../alpine) -* Debian, by [this code](../debian) * the NVD, by [this code](../nvd-cve-osv) ## How diff --git a/vulnfeeds/cmd/combine-to-osv/main.go b/vulnfeeds/cmd/combine-to-osv/main.go index 40f0b2dbc5d..ae0e30c05f3 100644 --- a/vulnfeeds/cmd/combine-to-osv/main.go +++ b/vulnfeeds/cmd/combine-to-osv/main.go @@ -23,8 +23,6 @@ const ( alpineEcosystem = "Alpine" alpineSecurityTrackerURL = "https://security.alpinelinux.org/vuln" - debianEcosystem = "Debian" - debianSecurityTrackerURL = "https://security-tracker.debian.org/tracker" ) var Logger utility.LoggerWrapper 
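Review bot: The comment `// Mock the time` on `now := time.Date(...)` is misleading: `generateOSVFromDebianTracker` calls `time.Now()` internally and nothing injects `now`, which is why the loop later has to overwrite `wantVuln.Modified = gotVuln.Modified`. Either make the generator take the timestamp as a parameter so the test can pin it, or drop `Modified` from `want`, compare with `cmp.Diff(wantVuln, gotVuln, cmpopts.IgnoreFields(osvschema.Vulnerability{}, "Modified"))` (cmpopts ships in the same module as the imported `cmp`), and reword the comment to `// Modified is stamped with time.Now() by the generator and is not compared.`. `sortAffected` sorts by name and ecosystem only, so two entries for the same package and release would compare in unspecified order; that cannot happen with this fixture, but a comment saying so would help the next person who extends it. The `Affected: nil, // Empty because all are resolved at version "0"` expectation documents the skip rule well.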
@@ -169,14 +167,10 @@ func combineIntoOSV(loadedCves map[cves.CVEID]cves.Vulnerability, allParts map[c } } - addedDebianURL := false addedAlpineURL := false for _, pkgInfo := range allParts[cveId] { convertedCve.AddPkgInfo(pkgInfo) - if strings.HasPrefix(pkgInfo.Ecosystem, debianEcosystem) && !addedDebianURL { - addReference(string(cveId), debianEcosystem, convertedCve) - addedDebianURL = true - } else if strings.HasPrefix(pkgInfo.Ecosystem, alpineEcosystem) && !addedAlpineURL { + if strings.HasPrefix(pkgInfo.Ecosystem, alpineEcosystem) && !addedAlpineURL { addReference(string(cveId), alpineEcosystem, convertedCve) addedAlpineURL = true } @@ -248,8 +242,6 @@ func addReference(cveId string, ecosystem string, convertedCve *vulns.Vulnerabil securityReference := osvschema.Reference{Type: osvschema.ReferenceAdvisory} if ecosystem == alpineEcosystem { securityReference.URL, _ = url.JoinPath(alpineSecurityTrackerURL, cveId) - } else if ecosystem == debianEcosystem { - securityReference.URL, _ = url.JoinPath(debianSecurityTrackerURL, cveId) } if securityReference.URL == "" { diff --git a/vulnfeeds/cmd/combine-to-osv/main_test.go b/vulnfeeds/cmd/combine-to-osv/main_test.go index bd28e800ed3..15c401022a4 100644 --- a/vulnfeeds/cmd/combine-to-osv/main_test.go +++ b/vulnfeeds/cmd/combine-to-osv/main_test.go 
@@ -102,31 +102,34 @@ func TestCombineIntoOSV(t *testing.T) { if len(combinedOSV[cve].Affected) != len(allParts[cve]) { t.Errorf("Affected lengths for %s do not match", cve) } - found := false + if cve == "CVE-2018-1000500" { for _, reference := range combinedOSV[cve].References { if reference.Type == "ADVISORY" && reference.URL == "https://security-tracker.debian.org/tracker/CVE-2018-1000500" { - found = true + t.Errorf("Found unexpected Debian advisory URL for %s", cve) } } - } else if cve == "CVE-2022-33745" { - for _, reference := range combinedOSV[cve].References { - if reference.Type == "ADVISORY" && - reference.URL == "https://security.alpinelinux.org/vuln/CVE-2022-33745" { - found = true + } else { + found := false + if cve == "CVE-2022-33745" { + for _, reference := range combinedOSV[cve].References { + if reference.Type == "ADVISORY" && + reference.URL == "https://security.alpinelinux.org/vuln/CVE-2022-33745" { + found = true + } } - } - } else if cve == "CVE-2022-32746" { - for _, reference := range combinedOSV[cve].References { - if reference.Type == "ADVISORY" && - reference.URL == "https://security.alpinelinux.org/vuln/CVE-2022-32746" { - found = true + } else if cve == "CVE-2022-32746" { + for _, reference := range combinedOSV[cve].References { + if reference.Type == "ADVISORY" && + reference.URL == "https://security.alpinelinux.org/vuln/CVE-2022-32746" { + found = true + } } } - } - if !found { - t.Errorf("%s doesn't have all expected references", cve) + if !found { + t.Errorf("%s doesn't have all expected references", cve) + } } } } From 4f4c42fc9cbb66ea5df4d8bf75eaf24d7080d947 Mon Sep 17 00:00:00 2001 From: Jess Lowe Date: Wed, 3 Sep 2025 06:16:23 +0000 Subject: [PATCH 07/33] update dsa/dla/dtsa conversion to use DEBIAN- upstream --- vulnfeeds/tools/debian/debian_converter/convert_debian.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/vulnfeeds/tools/debian/debian_converter/convert_debian.py b/vulnfeeds/tools/debian/debian_converter/convert_debian.py index 68144081af5..eb0158ccf8b 100644 --- a/vulnfeeds/tools/debian/debian_converter/convert_debian.py +++ b/vulnfeeds/tools/debian/debian_converter/convert_debian.py @@ -209,7 +209,9 @@ def parse_security_tracker_file(advisories: Advisories, # {CVE-XXXX-XXXX CVE-XXXX-XXXX} line = line.lstrip() if line.startswith('{'): - advisories[current_advisory].upstream = line.strip('{}').split() + upstreams = line.strip('{}').split() + for u in upstreams: + advisories[current_advisory].upstream.append("DEBIAN"+u) continue if line.startswith('NOTE:'): From d5ce3bcfc246dc83c371676e2bfb8bc74fef9a57 Mon Sep 17 00:00:00 2001 From: Jess Lowe Date: Thu, 4 Sep 2025 03:34:25 +0000 Subject: [PATCH 08/33] fix missing bracket and other fun things --- vulnfeeds/cmd/combine-to-osv/main.go | 4 +- vulnfeeds/cmd/combine-to-osv/main_test.go | 46 +++++++++++------------ 2 files changed, 25 insertions(+), 25 deletions(-) diff --git a/vulnfeeds/cmd/combine-to-osv/main.go b/vulnfeeds/cmd/combine-to-osv/main.go index 16ce70abc74..a48af6ab57e 100644 --- a/vulnfeeds/cmd/combine-to-osv/main.go +++ b/vulnfeeds/cmd/combine-to-osv/main.go @@ -172,7 +172,7 @@ func combineIntoOSV(loadedCves map[cves.CVEID]cves.Vulnerability, allParts map[c for _, pkgInfo := range allParts[cveID] { convertedCve.AddPkgInfo(pkgInfo) if strings.HasPrefix(pkgInfo.Ecosystem, alpineEcosystem) && !addedAlpineURL { - addReference(string(cveId), alpineEcosystem, convertedCve) + addReference(string(cveID), alpineEcosystem, convertedCve) addedAlpineURL = true } } 
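Review bot: `"DEBIAN"+u` omits the hyphen, so the upstream ids become `DEBIANCVE-2018-1000500` while the Go converter in commit 02 names its records `DEBIAN-CVE-...` via `fmt.Sprintf("DEBIAN-%s", cveId)`; the line should read `advisories[current_advisory].upstream.append("DEBIAN-" + u)`. The old code assigned the list and the new code appends, so if `upstream` can already be populated when this branch is reached (for example from a second `{...}` line) the result now accumulates rather than replaces — probably intended, but worth confirming. If consumers that do not know the DEBIAN- prefix still need the bare CVE ids, keep them alongside with `advisories[current_advisory].upstream.extend(upstreams)`. parse_security_tracker_file starts and ends outside the hunk.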
@@ -244,7 +244,7 @@ func loadAllCVEs(cvePath string) map[cves.CVEID]cves.Vulnerability { func addReference(cveID string, ecosystem string, convertedCve *vulns.Vulnerability) { securityReference := osvschema.Reference{Type: osvschema.ReferenceAdvisory} if ecosystem == alpineEcosystem { - securityReference.URL, _ = url.JoinPath(alpineSecurityTrackerURL, cveId) + securityReference.URL, _ = url.JoinPath(alpineSecurityTrackerURL, cveID) } if securityReference.URL == "" { diff --git a/vulnfeeds/cmd/combine-to-osv/main_test.go b/vulnfeeds/cmd/combine-to-osv/main_test.go index 2d40ccf9ecd..e78361ff5df 100644 --- a/vulnfeeds/cmd/combine-to-osv/main_test.go +++ b/vulnfeeds/cmd/combine-to-osv/main_test.go 
@@ -106,36 +106,36 @@ func TestCombineIntoOSV(t *testing.T) { } if cve == "CVE-2018-1000500" { - found := false - switch cve { - case "CVE-2018-1000500": - for _, reference := range combinedOSV[cve].References { - if reference.Type == "ADVISORY" && - reference.URL == "https://security-tracker.debian.org/tracker/CVE-2018-1000500" { - t.Errorf("Found unexpected Debian advisory URL for %s", cve) + found := false + switch cve { + case "CVE-2018-1000500": + for _, reference := range combinedOSV[cve].References { + if reference.Type == "ADVISORY" && + reference.URL == "https://security-tracker.debian.org/tracker/CVE-2018-1000500" { + t.Errorf("Found unexpected Debian advisory URL for %s", cve) + } } - } - case "CVE-2022-33745": - for _, reference := range combinedOSV[cve].References { - if reference.Type == "ADVISORY" && - reference.URL == "https://security.alpinelinux.org/vuln/CVE-2022-33745" { - found = true + case "CVE-2022-33745": + for _, reference := range combinedOSV[cve].References { + if reference.Type == "ADVISORY" && + reference.URL == "https://security.alpinelinux.org/vuln/CVE-2022-33745" { + found = true + } } - } - case "CVE-2022-32746": - for _, reference := range combinedOSV[cve].References { - if reference.Type == "ADVISORY" && - reference.URL == "https://security.alpinelinux.org/vuln/CVE-2022-32746" { - found = true + case "CVE-2022-32746": + for _, reference := range combinedOSV[cve].References { + if reference.Type == "ADVISORY" && + reference.URL == "https://security.alpinelinux.org/vuln/CVE-2022-32746" { + found = true + } + } + if !found { + t.Errorf("%s doesn't have all expected references", cve) } - } - if !found { - t.Errorf("%s doesn't have all expected references", cve) } } } } - func TestGetModifiedTime(t *testing.T) { _, err := getModifiedTime("../../test_data/parts/debian/CVE-2016-1585.debian.json") if err != nil { From 56e04f324da94ba9f89d4065896f2340a05a11aa Mon Sep 17 00:00:00 2001 
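Review bot: As far as the collapsed hunk shows, the new `switch cve {` is still nested inside the context line `if cve == "CVE-2018-1000500" {`, so the `case "CVE-2022-33745"` and `case "CVE-2022-32746"` branches can never execute and the Alpine reference assertions are dead. The re-indentation also leaves `if !found { ... }` inside the last case rather than after the switch, so `CVE-2022-33745` would never be checked even with the outer `if` removed. Drop the enclosing `if cve == ...` line together with one of the trailing `}` lines, and move the `if !found` check to follow the switch's closing brace. I cannot verify the brace balance from the collapsed layout, so please confirm the file compiles and that `go vet` reports no unreachable code. TestCombineIntoOSV starts outside the hunk.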
From: Jess Lowe Date: Thu, 4 Sep 2025 03:38:03 +0000 Subject: [PATCH 09/33] Update output bucket --- vulnfeeds/cmd/debian/run_debian_convert.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/vulnfeeds/cmd/debian/run_debian_convert.sh b/vulnfeeds/cmd/debian/run_debian_convert.sh index 72b1b8942d4..bc4e82037da 100755 --- a/vulnfeeds/cmd/debian/run_debian_convert.sh +++ b/vulnfeeds/cmd/debian/run_debian_convert.sh @@ -8,13 +8,13 @@ set -e -OSV_PARTS_OUTPUT="parts/debian" +OSV_OUTPUT_PATH="/debian" OUTPUT_BUCKET="${OUTPUT_GCS_BUCKET:=cve-osv-conversion}" -echo "Setup initial directories ${OSV_PARTS_OUTPUT}" -rm -rf $OSV_PARTS_OUTPUT && mkdir -p $OSV_PARTS_OUTPUT +echo "Setup initial directories ${OSV_OUTPUT_PATH}" +rm -rf $OSV_OUTPUT_PATH && mkdir -p $OSV_OUTPUT_PATH ./debian-osv echo "Begin Syncing with cloud, GCS bucket: ${OUTPUT_BUCKET}" -gsutil -q -m rsync -c -d $OSV_PARTS_OUTPUT "gs://$OUTPUT_BUCKET/$OSV_PARTS_OUTPUT" +gsutil -q -m rsync -c -d $OSV_OUTPUT_PATH "gs://$OUTPUT_BUCKET/$OSV_OUTPUT_PATH" echo "Successfully synced with cloud" From 938f4dce81ebfe75bb6dbefc1ae01aa5712b618f Mon Sep 17 00:00:00 2001 From: Jess Lowe Date: Thu, 4 Sep 2025 04:01:56 +0000 Subject: [PATCH 10/33] liiiiiiiiiiiiiint --- vulnfeeds/cmd/debian/main.go | 15 ++++++++------- vulnfeeds/cmd/debian/main_test.go | 26 ++++++++++++++------------ 2 files changed, 22 insertions(+), 19 deletions(-) diff --git a/vulnfeeds/cmd/debian/main.go b/vulnfeeds/cmd/debian/main.go index 0ee6c4de3ff..33841ed97c9 100644 --- a/vulnfeeds/cmd/debian/main.go +++ b/vulnfeeds/cmd/debian/main.go 
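Review bot: `./debian-osv` is invoked without `-output_path`, so after commit 01 the binary writes to its default `debian_osv` under the working directory while this script creates and then rsyncs `/debian`; with `rsync -d` an empty local directory would delete everything under the bucket prefix. Pass the path explicitly: `./debian-osv -output_path "$OSV_OUTPUT_PATH"`. `OSV_OUTPUT_PATH="/debian"` is an absolute path at the filesystem root that the script `rm -rf`s, presumably acceptable inside the container image but easy to run on a workstation by accident, and it yields a double slash in `gs://$OUTPUT_BUCKET/$OSV_OUTPUT_PATH`; a relative `debian` with an explicit destination `gs://$OUTPUT_BUCKET/debian` avoids both.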
@@ -81,29 +81,30 @@ func generateOSVFromDebianTracker(debianData DebianSecurityTrackerData, debianRe sort.Slice(releaseNames, func(i, j int) bool { vi, _ := strconv.ParseFloat(debianReleaseMap[releaseNames[i]], 64) vj, _ := strconv.ParseFloat(debianReleaseMap[releaseNames[j]], 64) + return vi < vj }) for _, pkgName := range pkgNames { pkg := debianData[pkgName] - for cveId, cveData := range pkg { - v, ok := osvCves[cveId] + for cveID, cveData := range pkg { + v, ok := osvCves[cveID] if !ok { v = &vulns.Vulnerability{ Vulnerability: osvschema.Vulnerability{ - ID: fmt.Sprintf("DEBIAN-%s", cveId), - Upstream: []string{cveId}, + ID: fmt.Sprintf("DEBIAN-%s", cveID), + Upstream: []string{cveID}, Modified: time.Now().UTC(), Details: cveData.Description, References: []osvschema.Reference{ { Type: "ADVISORY", - URL: "https://security-tracker.debian.org/tracker/" + cveId, + URL: "https://security-tracker.debian.org/tracker/" + cveID, }, }, }, } - osvCves[cveId] = v + osvCves[cveID] = v } for _, releaseName := range releaseNames { @@ -124,7 +125,7 @@ func generateOSVFromDebianTracker(debianData DebianSecurityTrackerData, debianRe pkgInfo := vulns.PackageInfo{ PkgName: pkgName, Ecosystem: "Debian:" + debianVersion, - EcosystemSpecific: map[string]interface{}{ + EcosystemSpecific: map[string]any{ "urgency": release.Urgency, }, } diff --git a/vulnfeeds/cmd/debian/main_test.go b/vulnfeeds/cmd/debian/main_test.go index 85efbaf089e..ac94a396ceb 100644 --- a/vulnfeeds/cmd/debian/main_test.go +++ b/vulnfeeds/cmd/debian/main_test.go @@ -18,6 +18,7 @@ func mustRead(tb testing.TB, filename string) []byte { if err != nil { tb.Fatalf("Failed to read file %s: %v", filename, err) } + return data } @@ -27,6 +28,7 @@ func sortAffected(affected []osvschema.Affected) { if affected[i].Package.Name != affected[j].Package.Name { return affected[i].Package.Name < affected[j].Package.Name } + return affected[i].Package.Ecosystem < affected[j].Package.Ecosystem }) } 
@@ -60,10 +62,10 @@ func TestGenerateOSVFromDebianTracker(t *testing.T) { Modified: now, Details: "Busybox contains a Missing SSL certificate validation vulnerability in The \"busybox wget\" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using \"busybox wget https://compromised-domain.com/important-file\".", Affected: []osvschema.Affected{ - {Package: osvschema.Package{Name: "busybox", Ecosystem: "Debian:10"}, EcosystemSpecific: map[string]interface{}{"urgency": "end-of-life"}}, - {Package: osvschema.Package{Name: "busybox", Ecosystem: "Debian:11"}, EcosystemSpecific: map[string]interface{}{"urgency": "unimportant"}}, - {Package: osvschema.Package{Name: "busybox", Ecosystem: "Debian:12"}, EcosystemSpecific: map[string]interface{}{"urgency": "unimportant"}}, - {Package: osvschema.Package{Name: "busybox", Ecosystem: "Debian:13"}, EcosystemSpecific: map[string]interface{}{"urgency": "unimportant"}}, + {Package: osvschema.Package{Name: "busybox", Ecosystem: "Debian:10"}, EcosystemSpecific: map[string]any{"urgency": "end-of-life"}}, + {Package: osvschema.Package{Name: "busybox", Ecosystem: "Debian:11"}, EcosystemSpecific: map[string]any{"urgency": "unimportant"}}, + {Package: osvschema.Package{Name: "busybox", Ecosystem: "Debian:12"}, EcosystemSpecific: map[string]any{"urgency": "unimportant"}}, + {Package: osvschema.Package{Name: "busybox", Ecosystem: "Debian:13"}, EcosystemSpecific: map[string]any{"urgency": "unimportant"}}, }, References: []osvschema.Reference{{Type: "ADVISORY", URL: "https://security-tracker.debian.org/tracker/CVE-2018-1000500"}}, }, 
@@ -85,13 +87,13 @@ func TestGenerateOSVFromDebianTracker(t *testing.T) { Modified: now, Details: "In all versions of AppArmor mount rules are accidentally widened when compiled.", Affected: []osvschema.Affected{ - {Package: osvschema.Package{Name: "apparmor", Ecosystem: "Debian:10"}, EcosystemSpecific: map[string]interface{}{"urgency": "unimportant"}}, - {Package: osvschema.Package{Name: "apparmor", Ecosystem: "Debian:11"}, EcosystemSpecific: map[string]interface{}{"urgency": "unimportant"}}, - {Package: osvschema.Package{Name: "apparmor", Ecosystem: "Debian:12"}, EcosystemSpecific: map[string]interface{}{"urgency": "unimportant"}}, + {Package: osvschema.Package{Name: "apparmor", Ecosystem: "Debian:10"}, EcosystemSpecific: map[string]any{"urgency": "unimportant"}}, + {Package: osvschema.Package{Name: "apparmor", Ecosystem: "Debian:11"}, EcosystemSpecific: map[string]any{"urgency": "unimportant"}}, + {Package: osvschema.Package{Name: "apparmor", Ecosystem: "Debian:12"}, EcosystemSpecific: map[string]any{"urgency": "unimportant"}}, { Package: osvschema.Package{Name: "apparmor", Ecosystem: "Debian:13"}, Ranges: []osvschema.Range{{Type: "ECOSYSTEM", Events: []osvschema.Event{{Introduced: "0"}, {Fixed: "3.0.12-1"}}}}, - EcosystemSpecific: map[string]interface{}{"urgency": "unimportant"}, + EcosystemSpecific: map[string]any{"urgency": "unimportant"}, }, }, References: []osvschema.Reference{{Type: "ADVISORY", URL: "https://security-tracker.debian.org/tracker/CVE-2016-1585"}}, 
@@ -107,22 +109,22 @@ func TestGenerateOSVFromDebianTracker(t *testing.T) { { Package: osvschema.Package{Name: "apparmor", Ecosystem: "Debian:10"}, Ranges: []osvschema.Range{{Type: "ECOSYSTEM", Events: []osvschema.Event{{Introduced: "0"}, {Fixed: "2.11.0-3"}}}}, - EcosystemSpecific: map[string]interface{}{"urgency": "not yet assigned"}, + EcosystemSpecific: map[string]any{"urgency": "not yet assigned"}, }, { Package: osvschema.Package{Name: "apparmor", Ecosystem: "Debian:11"}, Ranges: []osvschema.Range{{Type: "ECOSYSTEM", Events: []osvschema.Event{{Introduced: "0"}, {Fixed: "2.11.0-3"}}}}, - EcosystemSpecific: map[string]interface{}{"urgency": "not yet assigned"}, + EcosystemSpecific: map[string]any{"urgency": "not yet assigned"}, }, { Package: osvschema.Package{Name: "apparmor", Ecosystem: "Debian:12"}, Ranges: []osvschema.Range{{Type: "ECOSYSTEM", Events: []osvschema.Event{{Introduced: "0"}, {Fixed: "2.11.0-3"}}}}, - EcosystemSpecific: map[string]interface{}{"urgency": "not yet assigned"}, + EcosystemSpecific: map[string]any{"urgency": "not yet assigned"}, }, { Package: osvschema.Package{Name: "apparmor", Ecosystem: "Debian:13"}, Ranges: []osvschema.Range{{Type: "ECOSYSTEM", Events: []osvschema.Event{{Introduced: "0"}, {Fixed: "2.11.0-3"}}}}, - EcosystemSpecific: map[string]interface{}{"urgency": "not yet assigned"}, + EcosystemSpecific: map[string]any{"urgency": "not yet assigned"}, }, }, References: []osvschema.Reference{{Type: "ADVISORY", URL: "https://security-tracker.debian.org/tracker/CVE-2017-6507"}}, From bee5533587c9b8cdf9fdc2a9ba74260d83e77468 Mon Sep 17 00:00:00 2001 From: Jess Lowe Date: Thu, 4 Sep 2025 04:03:51 +0000 Subject: [PATCH 11/33] string lint thing --- vulnfeeds/cmd/debian/main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vulnfeeds/cmd/debian/main.go b/vulnfeeds/cmd/debian/main.go index 33841ed97c9..fce4860297b 100644 --- a/vulnfeeds/cmd/debian/main.go +++ b/vulnfeeds/cmd/debian/main.go 
@@ -92,7 +92,7 @@ func generateOSVFromDebianTracker(debianData DebianSecurityTrackerData, debianRe if !ok { v = &vulns.Vulnerability{ Vulnerability: osvschema.Vulnerability{ - ID: fmt.Sprintf("DEBIAN-%s", cveID), + ID: "DEBIAN-" + cveID, Upstream: []string{cveID}, Modified: time.Now().UTC(), Details: cveData.Description, From 49355acc154b76cc0615af21eaadee0116f1bbd5 Mon Sep 17 00:00:00 2001 From: Jess Lowe Date: Thu, 4 Sep 2025 04:12:06 +0000 Subject: [PATCH 12/33] fix test --- vulnfeeds/cmd/combine-to-osv/main_test.go | 47 +++++++++++------------ 1 file changed, 23 insertions(+), 24 deletions(-) diff --git a/vulnfeeds/cmd/combine-to-osv/main_test.go b/vulnfeeds/cmd/combine-to-osv/main_test.go index e78361ff5df..99c99bad038 100644 --- a/vulnfeeds/cmd/combine-to-osv/main_test.go +++ b/vulnfeeds/cmd/combine-to-osv/main_test.go 
@@ -105,35 +105,34 @@ func TestCombineIntoOSV(t *testing.T) { t.Errorf("Affected lengths for %s do not match", cve) } - if cve == "CVE-2018-1000500" { - found := false - switch cve { - case "CVE-2018-1000500": - for _, reference := range combinedOSV[cve].References { - if reference.Type == "ADVISORY" && - reference.URL == "https://security-tracker.debian.org/tracker/CVE-2018-1000500" { - t.Errorf("Found unexpected Debian advisory URL for %s", cve) - } + found := false + switch cve { + case "CVE-2018-1000500": + for _, reference := range combinedOSV[cve].References { + if reference.Type == "ADVISORY" && + reference.URL == "https://security-tracker.debian.org/tracker/CVE-2018-1000500" { + t.Errorf("Found unexpected Debian advisory URL for %s", cve) } - case "CVE-2022-33745": - for _, reference := range combinedOSV[cve].References { - if reference.Type == "ADVISORY" && - reference.URL == "https://security.alpinelinux.org/vuln/CVE-2022-33745" { - found = true - } - } - case "CVE-2022-32746": - for _, reference := range combinedOSV[cve].References { - if reference.Type == "ADVISORY" && - reference.URL == "https://security.alpinelinux.org/vuln/CVE-2022-32746" { - found = true - } + } + case "CVE-2022-33745": + for _, reference := range combinedOSV[cve].References { + if reference.Type == "ADVISORY" && + reference.URL == "https://security.alpinelinux.org/vuln/CVE-2022-33745" { + found = true } - if !found { - t.Errorf("%s doesn't have all expected references", cve) + } + case "CVE-2022-32746": + for _, reference := range combinedOSV[cve].References { + if reference.Type == "ADVISORY" && + reference.URL == "https://security.alpinelinux.org/vuln/CVE-2022-32746" { + found = true } } } + if !found && cve != "CVE-2018-1000500" { + t.Errorf("%s doesn't have all expected references", cve) + } + } } func TestGetModifiedTime(t *testing.T) { From 0b7f3889cfbea39cd886eb10de0a8d166c30fd46 Mon Sep 17 00:00:00 2001 
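Review bot: The closing check `if !found && cve != "CVE-2018-1000500"` now fires for every key of `combinedOSV` that is not one of the three `case` labels, because `found` only becomes true inside the two Alpine cases and there is no `default`; previously the whole switch sat behind `if cve == "CVE-2018-1000500"`, so those cases never ran at all. If the fixture ever contains another CVE, this loop will report "doesn't have all expected references" for an entry nothing was asserted about. Track what was actually checked, e.g. declare `checked := false` next to `found`, set `checked = true` in the two Alpine cases, and assert `if checked && !found`. The enclosing `for` loop and `TestCombineIntoOSV` begin above the hunk.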
From: Jess Lowe Date: Thu, 4 Sep 2025 04:18:38 +0000 Subject: [PATCH 13/33] L is for lint --- vulnfeeds/cmd/combine-to-osv/main_test.go | 1 - 1 file changed, 1 deletion(-) diff --git a/vulnfeeds/cmd/combine-to-osv/main_test.go b/vulnfeeds/cmd/combine-to-osv/main_test.go index 99c99bad038..a653cbd7b17 100644 --- a/vulnfeeds/cmd/combine-to-osv/main_test.go +++ b/vulnfeeds/cmd/combine-to-osv/main_test.go @@ -132,7 +132,6 @@ func TestCombineIntoOSV(t *testing.T) { if !found && cve != "CVE-2018-1000500" { t.Errorf("%s doesn't have all expected references", cve) } - } } func TestGetModifiedTime(t *testing.T) { From da624e6a08ed634119fccca4c738b747f0170223 Mon Sep 17 00:00:00 2001 From: Jess Lowe Date: Thu, 4 Sep 2025 04:23:22 +0000 Subject: [PATCH 14/33] L is for last one?? --- vulnfeeds/tools/debian/debian_converter/convert_debian.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vulnfeeds/tools/debian/debian_converter/convert_debian.py b/vulnfeeds/tools/debian/debian_converter/convert_debian.py index eb0158ccf8b..703f43ffbb4 100644 --- a/vulnfeeds/tools/debian/debian_converter/convert_debian.py +++ b/vulnfeeds/tools/debian/debian_converter/convert_debian.py @@ -211,7 +211,7 @@ def parse_security_tracker_file(advisories: Advisories, if line.startswith('{'): upstreams = line.strip('{}').split() for u in upstreams: - advisories[current_advisory].upstream.append("DEBIAN"+u) + advisories[current_advisory].upstream.append("DEBIAN" + u) continue if line.startswith('NOTE:'): From 7e6d36801129dd3d9a02b8bc7a14aa5bb0571b49 Mon Sep 17 00:00:00 2001 From: Jess Lowe Date: Thu, 4 Sep 2025 23:15:16 +0000 Subject: [PATCH 15/33] just assign affectedVersion --- vulnfeeds/cmd/debian/main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vulnfeeds/cmd/debian/main.go b/vulnfeeds/cmd/debian/main.go index fce4860297b..4271a1fb074 100644 --- a/vulnfeeds/cmd/debian/main.go +++ b/vulnfeeds/cmd/debian/main.go 
@@ -131,7 +131,7 @@ func generateOSVFromDebianTracker(debianData DebianSecurityTrackerData, debianRe } if release.Status == "resolved" { - pkgInfo.VersionInfo.AffectedVersions = append(pkgInfo.VersionInfo.AffectedVersions, models.AffectedVersion{Fixed: release.FixedVersion}) + pkgInfo.VersionInfo.AffectedVersions = []models.AffectedVersion{{Fixed: release.FixedVersion}} } v.AddPkgInfo(pkgInfo) } From 6bd6a1d8b68bae841ef7df2a558eb14cedda3d1a Mon Sep 17 00:00:00 2001 From: Jess Lowe Date: Thu, 4 Sep 2025 23:18:35 +0000 Subject: [PATCH 16/33] Add published date --- vulnfeeds/cmd/debian/main.go | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/vulnfeeds/cmd/debian/main.go b/vulnfeeds/cmd/debian/main.go index 4271a1fb074..8687b015681 100644 --- a/vulnfeeds/cmd/debian/main.go +++ b/vulnfeeds/cmd/debian/main.go @@ -92,10 +92,11 @@ func generateOSVFromDebianTracker(debianData DebianSecurityTrackerData, debianRe if !ok { v = &vulns.Vulnerability{ Vulnerability: osvschema.Vulnerability{ - ID: "DEBIAN-" + cveID, - Upstream: []string{cveID}, - Modified: time.Now().UTC(), - Details: cveData.Description, + ID: "DEBIAN-" + cveID, + Upstream: []string{cveID}, + Modified: time.Now().UTC(), + Published: time.Now().UTC(), + Details: cveData.Description, References: []osvschema.Reference{ { Type: "ADVISORY", From 3dc23b7f39fa896b9a417fe5d4b1fd8d9a9e7422 Mon Sep 17 00:00:00 2001 From: Jess Lowe Date: Thu, 4 Sep 2025 23:33:57 +0000 Subject: [PATCH 17/33] fix tests --- vulnfeeds/cmd/debian/main_test.go | 31 ++++++++++++++++++------------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/vulnfeeds/cmd/debian/main_test.go b/vulnfeeds/cmd/debian/main_test.go index ac94a396ceb..dc98e3cfa63 100644 --- a/vulnfeeds/cmd/debian/main_test.go +++ b/vulnfeeds/cmd/debian/main_test.go 
@@ -57,10 +57,11 @@ func TestGenerateOSVFromDebianTracker(t *testing.T) { want := map[string]*vulns.Vulnerability{ "CVE-2018-1000500": { Vulnerability: osvschema.Vulnerability{ - ID: "DEBIAN-CVE-2018-1000500", - Upstream: []string{"CVE-2018-1000500"}, - Modified: now, - Details: "Busybox contains a Missing SSL certificate validation vulnerability in The \"busybox wget\" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using \"busybox wget https://compromised-domain.com/important-file\".", + ID: "DEBIAN-CVE-2018-1000500", + Upstream: []string{"CVE-2018-1000500"}, + Modified: now, + Published: now, + Details: "Busybox contains a Missing SSL certificate validation vulnerability in The \"busybox wget\" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using \"busybox wget https://compromised-domain.com/important-file\".", Affected: []osvschema.Affected{ {Package: osvschema.Package{Name: "busybox", Ecosystem: "Debian:10"}, EcosystemSpecific: map[string]any{"urgency": "end-of-life"}}, {Package: osvschema.Package{Name: "busybox", Ecosystem: "Debian:11"}, EcosystemSpecific: map[string]any{"urgency": "unimportant"}}, @@ -75,6 +76,7 @@ func TestGenerateOSVFromDebianTracker(t *testing.T) { ID: "DEBIAN-CVE-2014-1424", Upstream: []string{"CVE-2014-1424"}, Modified: now, + Published: now, Details: "apparmor_parser in the apparmor package before 2.8.95~2430-0ubuntu5.1 in Ubuntu 14.04 allows attackers to bypass AppArmor policies via unspecified vectors, related to a \"miscompilation flaw.\"", Affected: nil, // Empty because all are resolved at version "0" References: []osvschema.Reference{{Type: "ADVISORY", URL: "https://security-tracker.debian.org/tracker/CVE-2014-1424"}}, 
@@ -82,10 +84,11 @@ func TestGenerateOSVFromDebianTracker(t *testing.T) { }, "CVE-2016-1585": { Vulnerability: osvschema.Vulnerability{ - ID: "DEBIAN-CVE-2016-1585", - Upstream: []string{"CVE-2016-1585"}, - Modified: now, - Details: "In all versions of AppArmor mount rules are accidentally widened when compiled.", + ID: "DEBIAN-CVE-2016-1585", + Upstream: []string{"CVE-2016-1585"}, + Modified: now, + Published: now, + Details: "In all versions of AppArmor mount rules are accidentally widened when compiled.", Affected: []osvschema.Affected{ {Package: osvschema.Package{Name: "apparmor", Ecosystem: "Debian:10"}, EcosystemSpecific: map[string]any{"urgency": "unimportant"}}, {Package: osvschema.Package{Name: "apparmor", Ecosystem: "Debian:11"}, EcosystemSpecific: map[string]any{"urgency": "unimportant"}}, 
@@ -101,10 +104,11 @@ func TestGenerateOSVFromDebianTracker(t *testing.T) { }, "CVE-2017-6507": { Vulnerability: osvschema.Vulnerability{ - ID: "DEBIAN-CVE-2017-6507", - Upstream: []string{"CVE-2017-6507"}, - Modified: now, - Details: "An issue was discovered in AppArmor before 2.12. Incorrect handling of unknown AppArmor profiles in AppArmor init scripts, upstart jobs, and/or systemd unit files allows an attacker to possibly have increased attack surfaces of processes that were intended to be confined by AppArmor. This is due to the common logic to handle 'restart' operations removing AppArmor profiles that aren't found in the typical filesystem locations, such as /etc/apparmor.d/. Userspace projects that manage their own AppArmor profiles in atypical directories, such as what's done by LXD and Docker, are affected by this flaw in the AppArmor init script logic.", + ID: "DEBIAN-CVE-2017-6507", + Upstream: []string{"CVE-2017-6507"}, + Modified: now, + Published: now, + Details: "An issue was discovered in AppArmor before 2.12. Incorrect handling of unknown AppArmor profiles in AppArmor init scripts, upstart jobs, and/or systemd unit files allows an attacker to possibly have increased attack surfaces of processes that were intended to be confined by AppArmor. This is due to the common logic to handle 'restart' operations removing AppArmor profiles that aren't found in the typical filesystem locations, such as /etc/apparmor.d/. Userspace projects that manage their own AppArmor profiles in atypical directories, such as what's done by LXD and Docker, are affected by this flaw in the AppArmor init script logic.", Affected: []osvschema.Affected{ { Package: osvschema.Package{Name: "apparmor", Ecosystem: "Debian:10"}, 
@@ -143,8 +147,9 @@ func TestGenerateOSVFromDebianTracker(t *testing.T) { continue } - // Ignore Modified time for comparison. + // Ignore time for comparison. wantVuln.Modified = gotVuln.Modified + wantVuln.Published = gotVuln.Published // Sort affected packages for consistent comparison. sortAffected(gotVuln.Affected) From ea1c589362cc0224e169aa4cf77826ed7759f31c Mon Sep 17 00:00:00 2001 From: Jess Lowe Date: Fri, 5 Sep 2025 02:05:34 +0000 Subject: [PATCH 18/33] Update DSA conversion to include both DEBIAN-CVE and CVE- --- vulnfeeds/tools/debian/debian_converter/convert_debian.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/vulnfeeds/tools/debian/debian_converter/convert_debian.py b/vulnfeeds/tools/debian/debian_converter/convert_debian.py index 703f43ffbb4..704a5019da2 100644 --- a/vulnfeeds/tools/debian/debian_converter/convert_debian.py +++ b/vulnfeeds/tools/debian/debian_converter/convert_debian.py @@ -211,7 +211,10 @@ def parse_security_tracker_file(advisories: Advisories, if line.startswith('{'): upstreams = line.strip('{}').split() for u in upstreams: - advisories[current_advisory].upstream.append("DEBIAN" + u) + # This is not ideal, in the cases that there are missing Debian Security Tracker + # CVEs, but it's better than not having them + advisories[current_advisory].upstream.append("DEBIAN-" + u) + advisories[current_advisory].upstream.append(u) continue if line.startswith('NOTE:'): From 05b56726001ae705ee106fd8630e2afa38bf89a2 Mon Sep 17 00:00:00 2001 From: Jess Lowe Date: Sun, 7 Sep 2025 23:38:20 +0000 Subject: [PATCH 19/33] fix file name --- vulnfeeds/cmd/debian/main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vulnfeeds/cmd/debian/main.go b/vulnfeeds/cmd/debian/main.go index 8687b015681..d85053704f8 100644 --- a/vulnfeeds/cmd/debian/main.go +++ b/vulnfeeds/cmd/debian/main.go 
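Review bot: `advisories[current_advisory].upstream.append("DEBIAN-" + u)` is applied to every id inside the braces, but the Go converter in this same series only emits `DEBIAN-` records for ids that start with `CVE` (it skips the tracker's `TEMP-` entries), so if a `TEMP-` id can appear here it yields a dangling `DEBIAN-TEMP-…` upstream reference. I would guard the prefixed form with `if u.startswith('CVE-'):` before the `"DEBIAN-" + u` append and leave the bare `append(u)` unconditional. The comment could also state the intent rather than apologise for it, e.g. `# Reference both the Debian-scoped record and the bare CVE so the alias resolves even when the DEBIAN- record has not been generated`. `parse_security_tracker_file` starts and ends outside the hunk.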
@@ -192,7 +192,7 @@ func getDebianReleaseMap() (map[string]string, error) { func writeToOutput(osvCves map[string]*vulns.Vulnerability, debianOutputPath string) error { Logger.Infof("Writing OSV files to the output.") for cveID, osv := range osvCves { - file, err := os.OpenFile(path.Join(debianOutputPath, cveID+".json"), os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0644) + file, err := os.OpenFile(path.Join(debianOutputPath, "DEBIAN-"+cveID+".json"), os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0644) if err != nil { return err } From 61e5095f2e55ce372c84001963cd7bc4dd9685d0 Mon Sep 17 00:00:00 2001 From: Jess Lowe Date: Mon, 8 Sep 2025 00:52:51 +0000 Subject: [PATCH 20/33] Use NVD data for Published date --- vulnfeeds/cmd/combine-to-osv/main.go | 35 +--------------------------- vulnfeeds/cmd/debian/main.go | 14 ++++++++--- vulnfeeds/vulns/vulns.go | 34 +++++++++++++++++++++++++++ 3 files changed, 46 insertions(+), 37 deletions(-) diff --git a/vulnfeeds/cmd/combine-to-osv/main.go b/vulnfeeds/cmd/combine-to-osv/main.go index 374b712c3c4..9ee8ea90c82 100644 --- a/vulnfeeds/cmd/combine-to-osv/main.go +++ b/vulnfeeds/cmd/combine-to-osv/main.go @@ -45,7 +45,7 @@ func main() { logger.Fatalf("Can't create output path: %s", err) } - allCves := loadAllCVEs(*cvePath) + allCves := vulns.LoadAllCVEs(*cvePath) allParts, cveModifiedMap := loadParts(*partsInputPath) combinedData := combineIntoOSV(allCves, allParts, *cveListPath, cveModifiedMap) writeOSVFile(combinedData, *osvOutputPath) 
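Review bot: `cveID` is a map key taken from the downloaded security-tracker JSON and is spliced straight into a filename; `path.Join` only cleans the result, so a key containing `/` (for example `CVE-x/../..`) could resolve outside `debianOutputPath` and be created or truncated through `O_TRUNC`. Validate the id before opening the file: `if !cveIDRe.MatchString(cveID) { return fmt.Errorf("invalid CVE id %q", cveID) }` with `var cveIDRe = regexp.MustCompile(`^CVE-\d{4}-\d{4,}$`)` at package scope (adding `regexp` to the imports), and prefer `filepath.Join` for an OS path. The rest of `writeToOutput`, including whether `file` is closed on every path, lies outside the hunk.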
@@ -204,39 +204,6 @@ func writeOSVFile(osvData map[cves.CVEID]*vulns.Vulnerability, osvOutputPath str logger.Infof("Successfully written %d OSV files", len(osvData)) } -// loadAllCVEs loads the downloaded CVE's from the NVD database into memory. -func loadAllCVEs(cvePath string) map[cves.CVEID]cves.Vulnerability { - dir, err := os.ReadDir(cvePath) - if err != nil { - logger.Fatalf("Failed to read dir %s: %s", cvePath, err) - } - - result := make(map[cves.CVEID]cves.Vulnerability) - - for _, entry := range dir { - if !strings.HasSuffix(entry.Name(), ".json") { - continue - } - file, err := os.Open(path.Join(cvePath, entry.Name())) - if err != nil { - logger.Fatalf("Failed to open CVE JSON %q: %s", path.Join(cvePath, entry.Name()), err) - } - var nvdcve cves.CVEAPIJSON20Schema - err = json.NewDecoder(file).Decode(&nvdcve) - if err != nil { - logger.Fatalf("Failed to decode JSON in %q: %s", file.Name(), err) - } - - for _, item := range nvdcve.Vulnerabilities { - result[item.CVE.ID] = item - } - logger.Infof("Loaded CVE: %s", entry.Name()) - file.Close() - } - - return result -} - // addReference adds the related security tracker URL to a given vulnerability's references func addReference(cveID string, ecosystem string, convertedCve *vulns.Vulnerability) { securityReference := osvschema.Reference{Type: osvschema.ReferenceAdvisory} diff --git a/vulnfeeds/cmd/debian/main.go b/vulnfeeds/cmd/debian/main.go index d23a34f1539..2174caf21f4 100644 --- a/vulnfeeds/cmd/debian/main.go +++ b/vulnfeeds/cmd/debian/main.go @@ -12,8 +12,10 @@ import ( "path" "sort" "strconv" + "strings" "time" + "github.com/google/osv/vulnfeeds/cves" "github.com/google/osv/vulnfeeds/faulttolerant" "github.com/google/osv/vulnfeeds/models" "github.com/google/osv/vulnfeeds/utility/logger" 
@@ -22,6 +24,7 @@ import ( ) const ( + defaultCvePath = "cve_jsons" debianOutputPathDefault = "debian_osv" debianDistroInfoURL = "https://debian.pages.debian.net/distro-info-data/debian.csv" debianSecurityTrackerURL = "https://security-tracker.debian.org/tracker/data/json" @@ -49,7 +52,8 @@ func main() { logger.Fatalf("Failed to get Debian distro info data: %s", err) } - osvCves := generateOSVFromDebianTracker(debianData, debianReleaseMap) + allCVEs := vulns.LoadAllCVEs(defaultCvePath) + osvCves := generateOSVFromDebianTracker(debianData, debianReleaseMap, allCVEs) if err = writeToOutput(osvCves, *debianOutputPath); err != nil { logger.Fatalf("Failed to write OSV output file: %s", err) @@ -59,7 +63,7 @@ func main() { } // generateOSVFromDebianTracker converts Debian Security Tracker entries to OSV format. -func generateOSVFromDebianTracker(debianData DebianSecurityTrackerData, debianReleaseMap map[string]string) map[string]*vulns.Vulnerability { +func generateOSVFromDebianTracker(debianData DebianSecurityTrackerData, debianReleaseMap map[string]string, allCVEs map[cves.CVEID]cves.Vulnerability) map[string]*vulns.Vulnerability { logger.Infof("Converting Debian Security Tracker data to OSV.") osvCves := make(map[string]*vulns.Vulnerability) @@ -86,6 +90,10 @@ func generateOSVFromDebianTracker(debianData DebianSecurityTrackerData, debianRe for _, pkgName := range pkgNames { pkg := debianData[pkgName] for cveID, cveData := range pkg { + // Debian Security Tracker has some 'TEMP-' Records we don't want to convert + if !strings.HasPrefix(cveID, "CVE") { + continue + } v, ok := osvCves[cveID] if !ok { v = &vulns.Vulnerability{ @@ -93,7 +101,7 @@ func generateOSVFromDebianTracker(debianData DebianSecurityTrackerData, debianRe ID: "DEBIAN-" + cveID, Upstream: []string{cveID}, Modified: time.Now().UTC(), - Published: time.Now().UTC(), + Published: allCVEs[cves.CVEID(cveID)].CVE.Published.Time, Details: cveData.Description, References: []osvschema.Reference{ { 
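Review bot: `vulns.LoadAllCVEs(defaultCvePath)` hard-codes `cve_jsons` right after the output directory was made configurable through `-output_path`, and `LoadAllCVEs` terminates the process via `logger.Fatalf` when that directory is missing, so the converter gains an undocumented mandatory input that the shell wrapper in this series does not appear to prepare. Expose it the same way as the output path: `cvePath := flag.String("cve_path", defaultCvePath, "Path to NVD CVE JSON files used for published dates.")` before `flag.Parse()`, then pass `*cvePath`. The flag definitions and `flag.Parse()` sit above this hunk in `main`.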
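Review bot: `allCVEs[cves.CVEID(cveID)].CVE.Published.Time` silently yields the zero `time.Time` whenever the CVE is absent from the local NVD dump, so any tracker entry without a matching file is written with a zero `published` timestamp (unless the OSV encoder drops zero times, which is not visible here) and nothing is logged. Look the entry up explicitly: `nvd, ok := allCVEs[cves.CVEID(cveID)]`, and when `!ok` log a warning and leave `Published` unset or fall back to `Modified` rather than emitting the zero value. The struct literal continues below the hunk.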
diff --git a/vulnfeeds/vulns/vulns.go b/vulnfeeds/vulns/vulns.go index f09d563ea16..b6c2945e4b9 100644 --- a/vulnfeeds/vulns/vulns.go +++ b/vulnfeeds/vulns/vulns.go @@ -32,6 +32,7 @@ import ( "github.com/google/osv/vulnfeeds/cves" "github.com/google/osv/vulnfeeds/models" + "github.com/google/osv/vulnfeeds/utility/logger" "github.com/ossf/osv-schema/bindings/go/osvschema" ) @@ -776,6 +777,39 @@ func CheckQuality(text string) QualityCheck { return Success } +// loadAllCVEs loads the downloaded CVE's from the NVD database into memory. +func LoadAllCVEs(cvePath string) map[cves.CVEID]cves.Vulnerability { + dir, err := os.ReadDir(cvePath) + if err != nil { + logger.Fatalf("Failed to read dir %s: %s", cvePath, err) + } + + result := make(map[cves.CVEID]cves.Vulnerability) + + for _, entry := range dir { + if !strings.HasSuffix(entry.Name(), ".json") { + continue + } + file, err := os.Open(path.Join(cvePath, entry.Name())) + if err != nil { + logger.Fatalf("Failed to open CVE JSON %q: %s", path.Join(cvePath, entry.Name()), err) + } + var nvdcve cves.CVEAPIJSON20Schema + err = json.NewDecoder(file).Decode(&nvdcve) + if err != nil { + logger.Fatalf("Failed to decode JSON in %q: %s", file.Name(), err) + } + + for _, item := range nvdcve.Vulnerabilities { + result[item.CVE.ID] = item + } + logger.Infof("Loaded CVE: %s", entry.Name()) + file.Close() + } + + return result +} + func FindSeverity(metricsData []cves.Metrics) osvschema.Severity { bestVectorString, severityType := getBestCVE5Severity(metricsData) severity := osvschema.Severity{} From b524e8b2d61832cd800abc9a33b7510ff8a80e20 Mon Sep 17 00:00:00 2001 
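Review bot: `LoadAllCVEs` is now an exported function of the shared `vulns` package but keeps the `logger.Fatalf` calls from its previous life inside a `main`, so neither caller can handle a missing directory or a malformed file, and the doc comment still names it `loadAllCVEs`. Return the failure instead and let the two `main`s decide to exit; that also removes the `file.Close()` that is skipped on the decode-error path and replaces `path.Join` with `filepath.Join` for an OS path. The doc comment should read `// LoadAllCVEs loads the downloaded CVEs from the NVD database into memory.`; `fmt` and `path/filepath` would need to be imported if the file does not already have them.
```go
// LoadAllCVEs loads the downloaded CVEs from the NVD database into memory.
// It returns an error instead of exiting so callers choose how to fail.
func LoadAllCVEs(cvePath string) (map[cves.CVEID]cves.Vulnerability, error) {
	dir, err := os.ReadDir(cvePath)
	if err != nil {
		return nil, fmt.Errorf("reading CVE dir %q: %w", cvePath, err)
	}

	result := make(map[cves.CVEID]cves.Vulnerability)
	for _, entry := range dir {
		if !strings.HasSuffix(entry.Name(), ".json") {
			continue
		}
		if err := loadCVEFile(filepath.Join(cvePath, entry.Name()), result); err != nil {
			return nil, err
		}
		logger.Infof("Loaded CVE: %s", entry.Name())
	}

	return result, nil
}

// loadCVEFile decodes one NVD JSON file into result; the file is closed on every path.
func loadCVEFile(name string, result map[cves.CVEID]cves.Vulnerability) error {
	file, err := os.Open(name)
	if err != nil {
		return fmt.Errorf("opening CVE JSON %q: %w", name, err)
	}
	defer file.Close()

	var nvdcve cves.CVEAPIJSON20Schema
	if err := json.NewDecoder(file).Decode(&nvdcve); err != nil {
		return fmt.Errorf("decoding JSON in %q: %w", name, err)
	}
	for _, item := range nvdcve.Vulnerabilities {
		result[item.CVE.ID] = item
	}

	return nil
}
```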
From: Jess Lowe Date: Mon, 8 Sep 2025 00:53:17 +0000 Subject: [PATCH 21/33] fix tests --- vulnfeeds/cmd/debian/main_test.go | 33 +++++++++++++++++-- .../test_data/nvdcve-2.0/CVE-2014-1424.json | 1 + .../test_data/nvdcve-2.0/CVE-2016-1585.json | 1 + .../test_data/nvdcve-2.0/CVE-2017-6507.json | 1 + 4 files changed, 34 insertions(+), 2 deletions(-) create mode 100644 vulnfeeds/test_data/nvdcve-2.0/CVE-2014-1424.json create mode 100644 vulnfeeds/test_data/nvdcve-2.0/CVE-2016-1585.json create mode 100644 vulnfeeds/test_data/nvdcve-2.0/CVE-2017-6507.json diff --git a/vulnfeeds/cmd/debian/main_test.go b/vulnfeeds/cmd/debian/main_test.go index dc98e3cfa63..1c900b725f4 100644 --- a/vulnfeeds/cmd/debian/main_test.go +++ b/vulnfeeds/cmd/debian/main_test.go @@ -2,12 +2,15 @@ package main import ( "encoding/json" + "fmt" + "log" "os" "sort" "testing" "time" "github.com/google/go-cmp/cmp" + "github.com/google/osv/vulnfeeds/cves" "github.com/google/osv/vulnfeeds/vulns" "github.com/ossf/osv-schema/bindings/go/osvschema" ) @@ -33,6 +36,27 @@ func sortAffected(affected []osvschema.Affected) { }) } +func loadTestData2(cveName string) cves.Vulnerability { + fileName := fmt.Sprintf("../../test_data/nvdcve-2.0/%s.json", cveName) + file, err := os.Open(fileName) + if err != nil { + log.Fatalf("Failed to load test data from %q: %#v", fileName, err) + } + var nvdCves cves.CVEAPIJSON20Schema + err = json.NewDecoder(file).Decode(&nvdCves) + if err != nil { + log.Fatalf("Failed to decode %q: %+v", fileName, err) + } + for _, vulnerability := range nvdCves.Vulnerabilities { + if string(vulnerability.CVE.ID) == cveName { + return vulnerability + } + } + log.Fatalf("test data doesn't contain %q", cveName) + + return cves.Vulnerability{} +} + func TestGenerateOSVFromDebianTracker(t *testing.T) { // Mock the time now := time.Date(2024, 7, 1, 0, 0, 0, 0, time.UTC) 
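Review bot: `loadTestData2` aborts with `log.Fatalf`, which kills the whole test binary instead of failing the one test, and it never closes `file`; the sibling helper `mustRead` in this file already takes `tb testing.TB` and reports through `tb.Fatalf`. Match that: `func loadTestData2(tb testing.TB, cveName string) cves.Vulnerability {`, a `tb.Helper()` and `defer file.Close()` once the open succeeds, and `tb.Fatalf` in place of each `log.Fatalf`, with callers passing `t`. A name such as `loadNVDTestData` would also say what distinguishes it from the existing helper, which the `2` suffix does not.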
@@ -50,8 +74,13 @@ func TestGenerateOSVFromDebianTracker(t *testing.T) { "bookworm": "12", "trixie": "13", } - - got := generateOSVFromDebianTracker(trackerData, releaseMap) + cveStuff := map[cves.CVEID]cves.Vulnerability{ + "CVE-2014-1424": loadTestData2("CVE-2014-1424"), + "CVE-2017-6507": loadTestData2("CVE-2017-6507"), + "CVE-2018-1000500": loadTestData2("CVE-2018-1000500"), + "CVE-2016-1585": loadTestData2("CVE-2016-1585"), + } + got := generateOSVFromDebianTracker(trackerData, releaseMap, cveStuff) // Define the expected OSV entries. want := map[string]*vulns.Vulnerability{ diff --git a/vulnfeeds/test_data/nvdcve-2.0/CVE-2014-1424.json b/vulnfeeds/test_data/nvdcve-2.0/CVE-2014-1424.json new file mode 100644 index 00000000000..14f3ce8d25e --- /dev/null +++ b/vulnfeeds/test_data/nvdcve-2.0/CVE-2014-1424.json 
@@ -0,0 +1 @@ +{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2025-09-08T00:43:09.297","vulnerabilities":[{"cve":{"id":"CVE-2014-1424","sourceIdentifier":"security@ubuntu.com","published":"2014-11-24T15:59:00.090","lastModified":"2025-04-12T10:46:40.837","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"apparmor_parser in the apparmor package before 2.8.95~2430-0ubuntu5.1 in Ubuntu 14.04 allows attackers to bypass AppArmor policies via unspecified vectors, related to a \"miscompilation flaw.\""},{"lang":"es","value":"apparmor_parser en el paquete apparmor anterior a 2.8.95~2430-0ubuntu5.1 en Ubuntu 14.04 permite a atacantes evadir las políticas AppArmor a través de vectores no especificados, relacionado con un 'fallo en miscompilación.'"}],"metrics":{"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N\/AC:L\/Au:N\/C:N\/I:P\/A:P","baseScore":6.4,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":10.0,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-264"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:ubuntu:apparmor:*:*:*:*:*:*:*:*","versionEndIncluding":"2.8.94-0ubuntu1.4","matchCriteriaId":"A060E745-4598-4736-8901-45387CAFB265"},{"vulnerable":true,"criteria":"cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:lts:*:*:*","matchCriteriaId":"F5CFE100-7387-4823-BBED-9E932DC808B4"}]}]}],"references":[{"url":"http:\/\/www.ubuntu.com\/usn\/USN-2413-1","source":"security@ubuntu.com","tags":["Patch","Vendor 
Advisory"]},{"url":"http:\/\/www.ubuntu.com\/usn\/USN-2413-1","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Vendor Advisory"]}]}}]} \ No newline at end of file diff --git a/vulnfeeds/test_data/nvdcve-2.0/CVE-2016-1585.json b/vulnfeeds/test_data/nvdcve-2.0/CVE-2016-1585.json new file mode 100644 index 00000000000..fb9f9bb4c00 --- /dev/null +++ b/vulnfeeds/test_data/nvdcve-2.0/CVE-2016-1585.json 
@@ -0,0 +1 @@ +{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2025-09-08T00:44:30.996","vulnerabilities":[{"cve":{"id":"CVE-2016-1585","sourceIdentifier":"security@ubuntu.com","published":"2019-04-22T16:29:01.303","lastModified":"2025-05-02T14:12:14.837","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In all versions of AppArmor mount rules are accidentally widened when compiled."},{"lang":"es","value":"En todas las versiones de AppArmor, las reglas de montaje se amplían accidentalmente cuando se compilan."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"cvssMetricV30":[{"source":"security@ubuntu.com","type":"Secondary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0\/AV:L\/AC:H\/PR:H\/UI:N\/S:U\/C:L\/I:L\/A:L","baseScore":3.9,"baseSeverity":"LOW","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":0.5,"impactScore":3.4}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N\/AC:L\/Au:N\/C:P\/I:P\/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":fals
e,"userInteractionRequired":false}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:canonical:apparmor:*:*:*:*:*:*:*:*","versionEndExcluding":"2.13.10","matchCriteriaId":"BB29454C-443A-42AB-964A-7E697F175160"},{"vulnerable":true,"criteria":"cpe:2.3:a:canonical:apparmor:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.0.12","matchCriteriaId":"2B54A239-7CBC-403C-8094-1D2FA09FA2B5"},{"vulnerable":true,"criteria":"cpe:2.3:a:canonical:apparmor:*:*:*:*:*:*:*:*","versionStartIncluding":"3.1.0","versionEndExcluding":"3.1.6","matchCriteriaId":"3BE2576D-BF6C-46B0-9786-7A92CEF92F10"}]}]}],"references":[{"url":"https:\/\/bugs.launchpad.net\/apparmor\/+bug\/1597017","source":"security@ubuntu.com","tags":["Issue Tracking","Third Party Advisory"]},{"url":"https:\/\/lists.apache.org\/thread.html\/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E","source":"security@ubuntu.com","tags":["Third Party Advisory"]},{"url":"https:\/\/bugs.launchpad.net\/apparmor\/+bug\/1597017","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Third Party Advisory"]},{"url":"https:\/\/lists.apache.org\/thread.html\/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]} \ No newline at end of file diff --git a/vulnfeeds/test_data/nvdcve-2.0/CVE-2017-6507.json b/vulnfeeds/test_data/nvdcve-2.0/CVE-2017-6507.json new file mode 100644 index 00000000000..e8b1894862a --- /dev/null +++ b/vulnfeeds/test_data/nvdcve-2.0/CVE-2017-6507.json 
@@ -0,0 +1 @@ +{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2025-09-08T00:44:12.079","vulnerabilities":[{"cve":{"id":"CVE-2017-6507","sourceIdentifier":"cve@mitre.org","published":"2017-03-24T07:59:00.233","lastModified":"2025-04-20T01:37:25.860","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"An issue was discovered in AppArmor before 2.12. Incorrect handling of unknown AppArmor profiles in AppArmor init scripts, upstart jobs, and\/or systemd unit files allows an attacker to possibly have increased attack surfaces of processes that were intended to be confined by AppArmor. This is due to the common logic to handle 'restart' operations removing AppArmor profiles that aren't found in the typical filesystem locations, such as \/etc\/apparmor.d\/. Userspace projects that manage their own AppArmor profiles in atypical directories, such as what's done by LXD and Docker, are affected by this flaw in the AppArmor init script logic."},{"lang":"es","value":"Ha sido descubierto un problema en AppArmor en versiones anteriores a 2.12. El manejo incorrecto de perfiles AppArmor desconocidos en secuencias de comandos init de AppArmor, trabajos upstart, y\/o archivos de unidad systemd permite a un atacante tener posiblemente superficies de ataques incrementadas de procesos que están destinados a ser confinados por AppArmor. Esto se debe a la lógica común para manejar operaciones 'restart' eliminando perfiles AppArmor que no se encuentran en las ubicaciones típicas del sistema de archivos, como \/etc\/apparmor.d\/. 
Proyectos de espacio de usuario que gestionan sus propios perfiles AppArmor en directorios atípicos, como hacen LXD y Docker, están afectados por esta falla en la lógica de init script de AppArmor."}],"metrics":{"cvssMetricV30":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:N\/I:H\/A:N","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":3.6}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N\/AC:M\/Au:N\/C:N\/I:P\/A:N","baseScore":4.3,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-269"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apparmor:apparmor:*:*:*:*:*:*:*:*","versionEndIncluding":"2.11","matchCriteriaId":"2BFD8316-6A68-4E6A-8498-50A612297817"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:canonical:ubuntu_core:15.04:*:*:*:*:*:*:*","matchCriteriaId":"91DF0C2A-2F5A-4C41-8793-FF132F8072FD"},{"vulnerable":true,"criteria":"cpe:2.3:o:canonical:ubuntu_touch:15.04:*:*:*:*:*:*:*","matchCriteriaId":"A6F2578E-045A-4B94-817A-57F4031D7565"}]}]}],"references":[{"url":"http:\/\/bazaar.launchpad.net\/~apparmor-dev\/apparmor\/master\/revision\/3647","source":"cve@mitre.or
g","tags":["Issue Tracking","Patch","Third Party Advisory"]},{"url":"http:\/\/bazaar.launchpad.net\/~apparmor-dev\/apparmor\/master\/revision\/3648","source":"cve@mitre.org","tags":["Issue Tracking","Patch","Third Party Advisory"]},{"url":"http:\/\/www.securityfocus.com\/bid\/97223","source":"cve@mitre.org"},{"url":"https:\/\/bugs.launchpad.net\/apparmor\/+bug\/1668892","source":"cve@mitre.org","tags":["Issue Tracking","Patch","Third Party Advisory"]},{"url":"https:\/\/people.canonical.com\/~ubuntu-security\/cve\/2017\/CVE-2017-6507.html","source":"cve@mitre.org","tags":["Third Party Advisory"]},{"url":"http:\/\/bazaar.launchpad.net\/~apparmor-dev\/apparmor\/master\/revision\/3647","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Patch","Third Party Advisory"]},{"url":"http:\/\/bazaar.launchpad.net\/~apparmor-dev\/apparmor\/master\/revision\/3648","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Patch","Third Party Advisory"]},{"url":"http:\/\/www.securityfocus.com\/bid\/97223","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https:\/\/bugs.launchpad.net\/apparmor\/+bug\/1668892","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Patch","Third Party Advisory"]},{"url":"https:\/\/people.canonical.com\/~ubuntu-security\/cve\/2017\/CVE-2017-6507.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]} \ No newline at end of file From b3b6645e130dbb16bfda2183ebdcdd07fbdd8cce Mon Sep 17 00:00:00 2001 From: Jess Lowe Date: Mon, 8 Sep 2025 00:53:43 +0000 Subject: [PATCH 22/33] update build script --- vulnfeeds/cmd/debian/run_debian_convert.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/vulnfeeds/cmd/debian/run_debian_convert.sh b/vulnfeeds/cmd/debian/run_debian_convert.sh index bc4e82037da..fd96e346a8b 100755 --- a/vulnfeeds/cmd/debian/run_debian_convert.sh +++ b/vulnfeeds/cmd/debian/run_debian_convert.sh 
@@ -9,10 +9,18 @@ set -e OSV_OUTPUT_PATH="/debian" +INPUT_BUCKET="${INPUT_GCS_BUCKET:=cve-osv-conversion}" OUTPUT_BUCKET="${OUTPUT_GCS_BUCKET:=cve-osv-conversion}" +CVE_OUTPUT="cve_jsons/" + echo "Setup initial directories ${OSV_OUTPUT_PATH}" rm -rf $OSV_OUTPUT_PATH && mkdir -p $OSV_OUTPUT_PATH +rm -rf $CVE_OUTPUT && mkdir -p $CVE_OUTPUT + +echo "Begin syncing NVD data from GCS bucket ${INPUT_BUCKET}" +gcloud --no-user-output-enabled storage -q cp "gs://${INPUT_BUCKET}/nvd/*-????.json" "${CVE_OUTPUT}" +echo "Successfully synced from GCS bucket" ./debian-osv echo "Begin Syncing with cloud, GCS bucket: ${OUTPUT_BUCKET}" From 9d61ab5c5c6554961cb7922ace64bbddd67c81ad Mon Sep 17 00:00:00 2001 From: Jess Lowe Date: Mon, 8 Sep 2025 00:58:00 +0000 Subject: [PATCH 23/33] fix lint --- vulnfeeds/tools/debian/debian_converter/convert_debian.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/vulnfeeds/tools/debian/debian_converter/convert_debian.py b/vulnfeeds/tools/debian/debian_converter/convert_debian.py index 704a5019da2..dbcbc83709f 100644 --- a/vulnfeeds/tools/debian/debian_converter/convert_debian.py +++ b/vulnfeeds/tools/debian/debian_converter/convert_debian.py @@ -211,8 +211,8 @@ def parse_security_tracker_file(advisories: Advisories, if line.startswith('{'): upstreams = line.strip('{}').split() for u in upstreams: - # This is not ideal, in the cases that there are missing Debian Security Tracker - # CVEs, but it's better than not having them + # This is not ideal, in the cases that there are missing + # Debian Security Tracker CVEs, but it's better than not having them advisories[current_advisory].upstream.append("DEBIAN-" + u) advisories[current_advisory].upstream.append(u) continue From 617d5e461e1a7acf3cad607a3297eb6c6eb84a3b Mon Sep 17 00:00:00 2001 
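Review bot: The added `rm -rf $CVE_OUTPUT && mkdir -p $CVE_OUTPUT` line expands the variable unquoted, so a value containing whitespace or glob characters would be split into several `rm -rf` arguments; it should read `rm -rf "$CVE_OUTPUT" && mkdir -p "$CVE_OUTPUT"` (shellcheck SC2086), and the same treatment would suit the pre-existing `$OSV_OUTPUT_PATH` line. Because `CVE_OUTPUT="cve_jsons/"` is a relative path while `OSV_OUTPUT_PATH` is absolute, the sync step now silently depends on the script's working directory being the one `./debian-osv` reads its `cve_jsons` default from; a one-line comment such as `# must match defaultCvePath in cmd/debian/main.go` above the assignment would make that coupling visible. With `set -e` in effect, a `gcloud ... cp` glob that matches nothing aborts the run rather than converting against an empty input directory, which is the desirable fail-closed behaviour and is worth stating in a comment so nobody "fixes" it later.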
From: Jess Lowe Date: Mon, 8 Sep 2025 01:12:34 +0000 Subject: [PATCH 24/33] Update output path to be the debian-osv bucket in line with DSAs and DLAs etc --- vulnfeeds/cmd/debian/main.go | 2 +- vulnfeeds/cmd/debian/run_debian_convert.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/vulnfeeds/cmd/debian/main.go b/vulnfeeds/cmd/debian/main.go index 2174caf21f4..bd03d78055e 100644 --- a/vulnfeeds/cmd/debian/main.go +++ b/vulnfeeds/cmd/debian/main.go @@ -25,7 +25,7 @@ import ( const ( defaultCvePath = "cve_jsons" - debianOutputPathDefault = "debian_osv" + debianOutputPathDefault = "debian-cve-osv" debianDistroInfoURL = "https://debian.pages.debian.net/distro-info-data/debian.csv" debianSecurityTrackerURL = "https://security-tracker.debian.org/tracker/data/json" ) diff --git a/vulnfeeds/cmd/debian/run_debian_convert.sh b/vulnfeeds/cmd/debian/run_debian_convert.sh index fd96e346a8b..aeb3b0a607d 100755 --- a/vulnfeeds/cmd/debian/run_debian_convert.sh +++ b/vulnfeeds/cmd/debian/run_debian_convert.sh @@ -8,9 +8,9 @@ set -e -OSV_OUTPUT_PATH="/debian" +OSV_OUTPUT_PATH="/debian-cve-osv" INPUT_BUCKET="${INPUT_GCS_BUCKET:=cve-osv-conversion}" -OUTPUT_BUCKET="${OUTPUT_GCS_BUCKET:=cve-osv-conversion}" +OUTPUT_BUCKET="${OUTPUT_GCS_BUCKET:=debian-osv}" CVE_OUTPUT="cve_jsons/" From 974229b98c6638c3dc00a54596de0a8af000e39d Mon Sep 17 00:00:00 2001 From: Jess Lowe Date: Mon, 8 Sep 2025 01:21:35 +0000 Subject: [PATCH 25/33] update cron job output buckets --- .../environments/oss-vdb-test/debian-cve-convert.yaml | 2 +- .../gke-workers/environments/oss-vdb/debian-cve-convert.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deployment/clouddeploy/gke-workers/environments/oss-vdb-test/debian-cve-convert.yaml b/deployment/clouddeploy/gke-workers/environments/oss-vdb-test/debian-cve-convert.yaml index b7cfdbdcaf7..945e03450db 100644 --- a/deployment/clouddeploy/gke-workers/environments/oss-vdb-test/debian-cve-convert.yaml 
+++ b/deployment/clouddeploy/gke-workers/environments/oss-vdb-test/debian-cve-convert.yaml @@ -13,4 +13,4 @@ spec: - name: GOOGLE_CLOUD_PROJECT value: oss-vdb-test - name: OUTPUT_GCS_BUCKET - value: osv-test-cve-osv-conversion + value: osv-test-debian-osv diff --git a/deployment/clouddeploy/gke-workers/environments/oss-vdb/debian-cve-convert.yaml b/deployment/clouddeploy/gke-workers/environments/oss-vdb/debian-cve-convert.yaml index 2ba13a11b3b..724a9ee2cae 100644 --- a/deployment/clouddeploy/gke-workers/environments/oss-vdb/debian-cve-convert.yaml +++ b/deployment/clouddeploy/gke-workers/environments/oss-vdb/debian-cve-convert.yaml @@ -13,4 +13,4 @@ spec: - name: GOOGLE_CLOUD_PROJECT value: oss-vdb - name: OUTPUT_GCS_BUCKET - value: cve-osv-conversion \ No newline at end of file + value: debian-osv \ No newline at end of file From ddc032bf23aed15c0035c54d7c35fb65e6185732 Mon Sep 17 00:00:00 2001 From: Jess Lowe Date: Mon, 8 Sep 2025 06:38:57 +0000 Subject: [PATCH 26/33] don't write out files with no affected packages --- vulnfeeds/cmd/debian/main.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/vulnfeeds/cmd/debian/main.go b/vulnfeeds/cmd/debian/main.go index bd03d78055e..96af4d3c4a9 100644 --- a/vulnfeeds/cmd/debian/main.go +++ b/vulnfeeds/cmd/debian/main.go @@ -198,6 +198,10 @@ func getDebianReleaseMap() (map[string]string, error) { func writeToOutput(osvCves map[string]*vulns.Vulnerability, debianOutputPath string) error { logger.Infof("Writing OSV files to the output.") for cveID, osv := range osvCves { + if len(osv.Vulnerability.Affected) == 0 { + logger.Warnf("Skipping DEBIAN-%s as no affected versions found.", cveID) + continue + } file, err := os.OpenFile(path.Join(debianOutputPath, "DEBIAN-"+cveID+".json"), os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0644) if err != nil { return err From bf73b981b9a1eabe16c5f84acddc175cbdac1c86 Mon Sep 17 00:00:00 2001 
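Review bot: The new skip in `writeToOutput` drops entries with no affected ranges but leaves nothing behind for them, so if the downstream GCS sync (outside this hunk) does not delete objects that are absent from the output directory, a previously published `DEBIAN-<cveID>.json` for the same CVE would stay live with its old affected list; worth confirming the sync runs with delete semantics or that the bucket contents are otherwise cleared. `logger.Warnf` per skipped entry is also likely to be very noisy, since many tracker CVEs have no affected packages in the tracked releases; unless the count is expected to be small, `logger.Infof` (or a single summary count after the loop) reads better. A short comment on the guard, such as `// An OSV record without affected ranges is not useful to consumers; skip rather than publish an empty advisory.`, would record the intent. `writeToOutput`'s body continues past the end of the hunk.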
From: Jess Lowe Date: Mon, 8 Sep 2025 06:45:29 +0000 Subject: [PATCH 27/33] fix lint --- vulnfeeds/cmd/debian/main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vulnfeeds/cmd/debian/main.go b/vulnfeeds/cmd/debian/main.go index 96af4d3c4a9..0c76e894525 100644 --- a/vulnfeeds/cmd/debian/main.go +++ b/vulnfeeds/cmd/debian/main.go @@ -198,7 +198,7 @@ func getDebianReleaseMap() (map[string]string, error) { func writeToOutput(osvCves map[string]*vulns.Vulnerability, debianOutputPath string) error { logger.Infof("Writing OSV files to the output.") for cveID, osv := range osvCves { - if len(osv.Vulnerability.Affected) == 0 { + if len(osv.Affected) == 0 { logger.Warnf("Skipping DEBIAN-%s as no affected versions found.", cveID) continue } From 46af2f45da8803f112210534df82422305bc6724 Mon Sep 17 00:00:00 2001 From: Jess Lowe <86962800+jess-lowe@users.noreply.github.com> Date: Wed, 10 Sep 2025 10:56:12 +1000 Subject: [PATCH 28/33] Update vulnfeeds/vulns/vulns.go Co-authored-by: Rex P <106129829+another-rex@users.noreply.github.com> --- vulnfeeds/vulns/vulns.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vulnfeeds/vulns/vulns.go b/vulnfeeds/vulns/vulns.go index b6c2945e4b9..3e1518203d0 100644 --- a/vulnfeeds/vulns/vulns.go +++ b/vulnfeeds/vulns/vulns.go @@ -777,7 +777,7 @@ func CheckQuality(text string) QualityCheck { return Success } -// loadAllCVEs loads the downloaded CVE's from the NVD database into memory. +// LoadAllCVEs loads the downloaded CVE's from the NVD database into memory. func LoadAllCVEs(cvePath string) map[cves.CVEID]cves.Vulnerability { dir, err := os.ReadDir(cvePath) if err != nil { From 482073004e715c0a96d1f0b51f39564f793d3c11 Mon Sep 17 00:00:00 2001 From: Jess Lowe Date: Wed, 10 Sep 2025 01:20:10 +0000 Subject: [PATCH 29/33] Rename loadTestData2 --- vulnfeeds/cmd/debian/main_test.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/vulnfeeds/cmd/debian/main_test.go b/vulnfeeds/cmd/debian/main_test.go index 1c900b725f4..45a274f80b3 100644 --- a/vulnfeeds/cmd/debian/main_test.go +++ b/vulnfeeds/cmd/debian/main_test.go @@ -36,7 +36,7 @@ func sortAffected(affected []osvschema.Affected) { }) } -func loadTestData2(cveName string) cves.Vulnerability { +func loadTestData(cveName string) cves.Vulnerability { fileName := fmt.Sprintf("../../test_data/nvdcve-2.0/%s.json", cveName) file, err := os.Open(fileName) if err != nil { @@ -75,10 +75,10 @@ func TestGenerateOSVFromDebianTracker(t *testing.T) { "trixie": "13", } cveStuff := map[cves.CVEID]cves.Vulnerability{ - "CVE-2014-1424": loadTestData2("CVE-2014-1424"), - "CVE-2017-6507": loadTestData2("CVE-2017-6507"), - "CVE-2018-1000500": loadTestData2("CVE-2018-1000500"), - "CVE-2016-1585": loadTestData2("CVE-2016-1585"), + "CVE-2014-1424": loadTestData("CVE-2014-1424"), + "CVE-2017-6507": loadTestData("CVE-2017-6507"), + "CVE-2018-1000500": loadTestData("CVE-2018-1000500"), + "CVE-2016-1585": loadTestData("CVE-2016-1585"), } got := generateOSVFromDebianTracker(trackerData, releaseMap, cveStuff) From 8eee4965d49dac4e952eec0af2cfbbae986bca93 Mon Sep 17 00:00:00 2001 From: Jess Lowe Date: Wed, 10 Sep 2025 01:23:45 +0000 Subject: [PATCH 30/33] reformat testdata --- .../test_data/nvdcve-2.0/CVE-2014-1424.json | 111 +++++++++++++++++- 1 file changed, 110 insertions(+), 1 deletion(-) diff --git a/vulnfeeds/test_data/nvdcve-2.0/CVE-2014-1424.json b/vulnfeeds/test_data/nvdcve-2.0/CVE-2014-1424.json index 14f3ce8d25e..1ea8c101dda 100644 --- a/vulnfeeds/test_data/nvdcve-2.0/CVE-2014-1424.json +++ b/vulnfeeds/test_data/nvdcve-2.0/CVE-2014-1424.json 
@@ -1 +1,110 @@ -{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2025-09-08T00:43:09.297","vulnerabilities":[{"cve":{"id":"CVE-2014-1424","sourceIdentifier":"security@ubuntu.com","published":"2014-11-24T15:59:00.090","lastModified":"2025-04-12T10:46:40.837","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"apparmor_parser in the apparmor package before 2.8.95~2430-0ubuntu5.1 in Ubuntu 14.04 allows attackers to bypass AppArmor policies via unspecified vectors, related to a \"miscompilation flaw.\""},{"lang":"es","value":"apparmor_parser en el paquete apparmor anterior a 2.8.95~2430-0ubuntu5.1 en Ubuntu 14.04 permite a atacantes evadir las políticas AppArmor a través de vectores no especificados, relacionado con un 'fallo en miscompilación.'"}],"metrics":{"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N\/AC:L\/Au:N\/C:N\/I:P\/A:P","baseScore":6.4,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":10.0,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-264"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:ubuntu:apparmor:*:*:*:*:*:*:*:*","versionEndIncluding":"2.8.94-0ubuntu1.4","matchCriteriaId":"A060E745-4598-4736-8901-45387CAFB265"},{"vulnerable":true,"criteria":"cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:lts:*:*:*","matchCriteriaId":"F5CFE100-7387-4823-BBED-9E932DC808B4"}]}]}],"references":[{"url":"http:\/\/www.ubuntu.com\/usn\/USN-2413-1","source":"security@ubuntu.com","tags":["Patch","Vendor 
Advisory"]},{"url":"http:\/\/www.ubuntu.com\/usn\/USN-2413-1","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Vendor Advisory"]}]}}]} \ No newline at end of file +{ + "resultsPerPage": 1, + "startIndex": 0, + "totalResults": 1, + "format": "NVD_CVE", + "version": "2.0", + "timestamp": "2025-09-08T00:43:09.297", + "vulnerabilities": [ + { + "cve": { + "id": "CVE-2014-1424", + "sourceIdentifier": "security@ubuntu.com", + "published": "2014-11-24T15:59:00.090", + "lastModified": "2025-04-12T10:46:40.837", + "vulnStatus": "Deferred", + "cveTags": [], + "descriptions": [ + { + "lang": "en", + "value": "apparmor_parser in the apparmor package before 2.8.95~2430-0ubuntu5.1 in Ubuntu 14.04 allows attackers to bypass AppArmor policies via unspecified vectors, related to a \"miscompilation flaw.\"" + }, + { + "lang": "es", + "value": "apparmor_parser en el paquete apparmor anterior a 2.8.95~2430-0ubuntu5.1 en Ubuntu 14.04 permite a atacantes evadir las políticas AppArmor a través de vectores no especificados, relacionado con un 'fallo en miscompilación.'" + } + ], + "metrics": { + "cvssMetricV2": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "2.0", + "vectorString": "AV:N\/AC:L\/Au:N\/C:N\/I:P\/A:P", + "baseScore": 6.4, + "accessVector": "NETWORK", + "accessComplexity": "LOW", + "authentication": "NONE", + "confidentialityImpact": "NONE", + "integrityImpact": "PARTIAL", + "availabilityImpact": "PARTIAL" + }, + "baseSeverity": "MEDIUM", + "exploitabilityScore": 10.0, + "impactScore": 4.9, + "acInsufInfo": false, + "obtainAllPrivilege": false, + "obtainUserPrivilege": false, + "obtainOtherPrivilege": false, + "userInteractionRequired": false + } + ] + }, + "weaknesses": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-264" + } + ] + } + ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + 
"criteria": "cpe:2.3:a:ubuntu:apparmor:*:*:*:*:*:*:*:*", + "versionEndIncluding": "2.8.94-0ubuntu1.4", + "matchCriteriaId": "A060E745-4598-4736-8901-45387CAFB265" + }, + { + "vulnerable": true, + "criteria": "cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:lts:*:*:*", + "matchCriteriaId": "F5CFE100-7387-4823-BBED-9E932DC808B4" + } + ] + } + ] + } + ], + "references": [ + { + "url": "http:\/\/www.ubuntu.com\/usn\/USN-2413-1", + "source": "security@ubuntu.com", + "tags": [ + "Patch", + "Vendor Advisory" + ] + }, + { + "url": "http:\/\/www.ubuntu.com\/usn\/USN-2413-1", + "source": "af854a3a-2127-422b-91ae-364da2661108", + "tags": [ + "Patch", + "Vendor Advisory" + ] + } + ] + } + } + ] +} \ No newline at end of file From edc8a2d0851016917f0126e118286b41fec18c77 Mon Sep 17 00:00:00 2001 From: Jess Lowe Date: Wed, 10 Sep 2025 01:29:23 +0000 Subject: [PATCH 31/33] make loadTestData a helper --- vulnfeeds/cmd/debian/main_test.go | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/vulnfeeds/cmd/debian/main_test.go b/vulnfeeds/cmd/debian/main_test.go index 45a274f80b3..c0502aeb662 100644 --- a/vulnfeeds/cmd/debian/main_test.go +++ b/vulnfeeds/cmd/debian/main_test.go @@ -3,7 +3,6 @@ package main import ( "encoding/json" "fmt" - "log" "os" "sort" "testing" 
@@ -36,23 +35,24 @@ func sortAffected(affected []osvschema.Affected) { }) } -func loadTestData(cveName string) cves.Vulnerability { +func loadTestData(t *testing.T, cveName string) cves.Vulnerability { + t.Helper() fileName := fmt.Sprintf("../../test_data/nvdcve-2.0/%s.json", cveName) file, err := os.Open(fileName) if err != nil { - log.Fatalf("Failed to load test data from %q: %#v", fileName, err) + t.Fatalf("Failed to load test data from %q: %#v", fileName, err) } var nvdCves cves.CVEAPIJSON20Schema err = json.NewDecoder(file).Decode(&nvdCves) if err != nil { - log.Fatalf("Failed to decode %q: %+v", fileName, err) + t.Fatalf("Failed to decode %q: %+v", fileName, err) } for _, vulnerability := range nvdCves.Vulnerabilities { if string(vulnerability.CVE.ID) == cveName { return vulnerability } } - log.Fatalf("test data doesn't contain %q", cveName) + t.Fatalf("test data doesn't contain %q", cveName) return cves.Vulnerability{} } @@ -75,10 +75,10 @@ func TestGenerateOSVFromDebianTracker(t *testing.T) { "trixie": "13", } cveStuff := map[cves.CVEID]cves.Vulnerability{ - "CVE-2014-1424": loadTestData("CVE-2014-1424"), - "CVE-2017-6507": loadTestData("CVE-2017-6507"), - "CVE-2018-1000500": loadTestData("CVE-2018-1000500"), - "CVE-2016-1585": loadTestData("CVE-2016-1585"), + "CVE-2014-1424": loadTestData(t, "CVE-2014-1424"), + "CVE-2017-6507": loadTestData(t, "CVE-2017-6507"), + "CVE-2018-1000500": loadTestData(t, "CVE-2018-1000500"), + "CVE-2016-1585": loadTestData(t, "CVE-2016-1585"), } got := generateOSVFromDebianTracker(trackerData, releaseMap, cveStuff) From 7e9a0810cdd796df5469ac1167b29dc953a6b6c1 Mon Sep 17 00:00:00 2001 From: Jess Lowe Date: Wed, 10 Sep 2025 04:10:25 +0000 Subject: [PATCH 32/33] fix mustRead thingy --- vulnfeeds/cmd/debian/main_test.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/vulnfeeds/cmd/debian/main_test.go b/vulnfeeds/cmd/debian/main_test.go index c0502aeb662..ec66312f05c 100644 
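Review bot: `loadTestData` still opens the fixture with `os.Open` and never closes it, so each call in `TestGenerateOSVFromDebianTracker` leaks a file descriptor for the rest of the test binary; now that the helper is being reworked, add `defer file.Close()` immediately after the `os.Open` error check. The trailing `return cves.Vulnerability{}` after `t.Fatalf` is only there to satisfy the compiler, which is fine, but a comment like `// unreachable: t.Fatalf does not return` would stop a reader from thinking an empty record is a real fallback. The rest of the file section is outside the hunk.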
--- a/vulnfeeds/cmd/debian/main_test.go +++ b/vulnfeeds/cmd/debian/main_test.go @@ -14,11 +14,11 @@ import ( "github.com/ossf/osv-schema/bindings/go/osvschema" ) -func mustRead(tb testing.TB, filename string) []byte { - tb.Helper() +func mustRead(t *testing.T, filename string) []byte { + t.Helper() data, err := os.ReadFile(filename) if err != nil { - tb.Fatalf("Failed to read file %s: %v", filename, err) + t.Fatalf("Failed to read file %s: %v", filename, err) } return data From e3e77b8eaf0145ed3a28b131c8afcf2f4e1fbbe8 Mon Sep 17 00:00:00 2001 From: Jess Lowe Date: Wed, 10 Sep 2025 04:41:13 +0000 Subject: [PATCH 33/33] reformat test files --- .../test_data/nvdcve-2.0/CVE-2016-1585.json | 178 ++++++++++++++- .../test_data/nvdcve-2.0/CVE-2017-6507.json | 208 +++++++++++++++++- 2 files changed, 384 insertions(+), 2 deletions(-) diff --git a/vulnfeeds/test_data/nvdcve-2.0/CVE-2016-1585.json b/vulnfeeds/test_data/nvdcve-2.0/CVE-2016-1585.json index fb9f9bb4c00..f53d022e01f 100644 --- a/vulnfeeds/test_data/nvdcve-2.0/CVE-2016-1585.json +++ b/vulnfeeds/test_data/nvdcve-2.0/CVE-2016-1585.json 
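Review bot: Narrowing `mustRead` from `testing.TB` to `*testing.T` goes in the opposite direction from the usual convention, since `testing.TB` is what lets a helper be shared by tests and benchmarks and is what `t.Helper()` is defined on. If the motivation is consistency with `loadTestData` (changed in the previous commit), the cleaner fix is to widen that helper to `func loadTestData(tb testing.TB, cveName string) cves.Vulnerability` and keep `mustRead(tb testing.TB, ...)` as it was. The change is presumably harmless for the current callers, which all pass a `*testing.T`.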
@@ -1 +1,177 @@ -{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2025-09-08T00:44:30.996","vulnerabilities":[{"cve":{"id":"CVE-2016-1585","sourceIdentifier":"security@ubuntu.com","published":"2019-04-22T16:29:01.303","lastModified":"2025-05-02T14:12:14.837","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In all versions of AppArmor mount rules are accidentally widened when compiled."},{"lang":"es","value":"En todas las versiones de AppArmor, las reglas de montaje se amplían accidentalmente cuando se compilan."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"cvssMetricV30":[{"source":"security@ubuntu.com","type":"Secondary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0\/AV:L\/AC:H\/PR:H\/UI:N\/S:U\/C:L\/I:L\/A:L","baseScore":3.9,"baseSeverity":"LOW","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":0.5,"impactScore":3.4}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N\/AC:L\/Au:N\/C:P\/I:P\/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":fa
lse,"userInteractionRequired":false}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:canonical:apparmor:*:*:*:*:*:*:*:*","versionEndExcluding":"2.13.10","matchCriteriaId":"BB29454C-443A-42AB-964A-7E697F175160"},{"vulnerable":true,"criteria":"cpe:2.3:a:canonical:apparmor:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.0.12","matchCriteriaId":"2B54A239-7CBC-403C-8094-1D2FA09FA2B5"},{"vulnerable":true,"criteria":"cpe:2.3:a:canonical:apparmor:*:*:*:*:*:*:*:*","versionStartIncluding":"3.1.0","versionEndExcluding":"3.1.6","matchCriteriaId":"3BE2576D-BF6C-46B0-9786-7A92CEF92F10"}]}]}],"references":[{"url":"https:\/\/bugs.launchpad.net\/apparmor\/+bug\/1597017","source":"security@ubuntu.com","tags":["Issue Tracking","Third Party Advisory"]},{"url":"https:\/\/lists.apache.org\/thread.html\/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E","source":"security@ubuntu.com","tags":["Third Party Advisory"]},{"url":"https:\/\/bugs.launchpad.net\/apparmor\/+bug\/1597017","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Third Party Advisory"]},{"url":"https:\/\/lists.apache.org\/thread.html\/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]} \ No newline at end of file +{ + "resultsPerPage": 1, + "startIndex": 0, + "totalResults": 1, + "format": "NVD_CVE", + "version": "2.0", + "timestamp": "2025-09-08T00:44:30.996", + "vulnerabilities": [ + { + "cve": { + "id": "CVE-2016-1585", + "sourceIdentifier": "security@ubuntu.com", + "published": "2019-04-22T16:29:01.303", + "lastModified": "2025-05-02T14:12:14.837", + "vulnStatus": "Analyzed", + "cveTags": [], + "descriptions": [ + { + "lang": "en", + 
"value": "In all versions of AppArmor mount rules are accidentally widened when compiled." + }, + { + "lang": "es", + "value": "En todas las versiones de AppArmor, las reglas de montaje se amplían accidentalmente cuando se compilan." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H", + "baseScore": 9.8, + "baseSeverity": "CRITICAL", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH" + }, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + } + ], + "cvssMetricV30": [ + { + "source": "security@ubuntu.com", + "type": "Secondary", + "cvssData": { + "version": "3.0", + "vectorString": "CVSS:3.0\/AV:L\/AC:H\/PR:H\/UI:N\/S:U\/C:L\/I:L\/A:L", + "baseScore": 3.9, + "baseSeverity": "LOW", + "attackVector": "LOCAL", + "attackComplexity": "HIGH", + "privilegesRequired": "HIGH", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "LOW" + }, + "exploitabilityScore": 0.5, + "impactScore": 3.4 + } + ], + "cvssMetricV2": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "2.0", + "vectorString": "AV:N\/AC:L\/Au:N\/C:P\/I:P\/A:P", + "baseScore": 7.5, + "accessVector": "NETWORK", + "accessComplexity": "LOW", + "authentication": "NONE", + "confidentialityImpact": "PARTIAL", + "integrityImpact": "PARTIAL", + "availabilityImpact": "PARTIAL" + }, + "baseSeverity": "HIGH", + "exploitabilityScore": 10.0, + "impactScore": 6.4, + "acInsufInfo": false, + "obtainAllPrivilege": false, + "obtainUserPrivilege": false, + "obtainOtherPrivilege": false, + "userInteractionRequired": false + } + ] + }, + "weaknesses": [ + { + "source": 
"nvd@nist.gov", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "NVD-CWE-noinfo" + } + ] + } + ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:canonical:apparmor:*:*:*:*:*:*:*:*", + "versionEndExcluding": "2.13.10", + "matchCriteriaId": "BB29454C-443A-42AB-964A-7E697F175160" + }, + { + "vulnerable": true, + "criteria": "cpe:2.3:a:canonical:apparmor:*:*:*:*:*:*:*:*", + "versionStartIncluding": "3.0.0", + "versionEndExcluding": "3.0.12", + "matchCriteriaId": "2B54A239-7CBC-403C-8094-1D2FA09FA2B5" + }, + { + "vulnerable": true, + "criteria": "cpe:2.3:a:canonical:apparmor:*:*:*:*:*:*:*:*", + "versionStartIncluding": "3.1.0", + "versionEndExcluding": "3.1.6", + "matchCriteriaId": "3BE2576D-BF6C-46B0-9786-7A92CEF92F10" + } + ] + } + ] + } + ], + "references": [ + { + "url": "https:\/\/bugs.launchpad.net\/apparmor\/+bug\/1597017", + "source": "security@ubuntu.com", + "tags": [ + "Issue Tracking", + "Third Party Advisory" + ] + }, + { + "url": "https:\/\/lists.apache.org\/thread.html\/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E", + "source": "security@ubuntu.com", + "tags": [ + "Third Party Advisory" + ] + }, + { + "url": "https:\/\/bugs.launchpad.net\/apparmor\/+bug\/1597017", + "source": "af854a3a-2127-422b-91ae-364da2661108", + "tags": [ + "Issue Tracking", + "Third Party Advisory" + ] + }, + { + "url": "https:\/\/lists.apache.org\/thread.html\/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E", + "source": "af854a3a-2127-422b-91ae-364da2661108", + "tags": [ + "Third Party Advisory" + ] + } + ] + } + } + ] +} \ No newline at end of file diff --git a/vulnfeeds/test_data/nvdcve-2.0/CVE-2017-6507.json b/vulnfeeds/test_data/nvdcve-2.0/CVE-2017-6507.json index e8b1894862a..5cfa2098c38 100644 --- a/vulnfeeds/test_data/nvdcve-2.0/CVE-2017-6507.json 
+++ b/vulnfeeds/test_data/nvdcve-2.0/CVE-2017-6507.json 
@@ -1 +1,207 @@ -{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2025-09-08T00:44:12.079","vulnerabilities":[{"cve":{"id":"CVE-2017-6507","sourceIdentifier":"cve@mitre.org","published":"2017-03-24T07:59:00.233","lastModified":"2025-04-20T01:37:25.860","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"An issue was discovered in AppArmor before 2.12. Incorrect handling of unknown AppArmor profiles in AppArmor init scripts, upstart jobs, and\/or systemd unit files allows an attacker to possibly have increased attack surfaces of processes that were intended to be confined by AppArmor. This is due to the common logic to handle 'restart' operations removing AppArmor profiles that aren't found in the typical filesystem locations, such as \/etc\/apparmor.d\/. Userspace projects that manage their own AppArmor profiles in atypical directories, such as what's done by LXD and Docker, are affected by this flaw in the AppArmor init script logic."},{"lang":"es","value":"Ha sido descubierto un problema en AppArmor en versiones anteriores a 2.12. El manejo incorrecto de perfiles AppArmor desconocidos en secuencias de comandos init de AppArmor, trabajos upstart, y\/o archivos de unidad systemd permite a un atacante tener posiblemente superficies de ataques incrementadas de procesos que están destinados a ser confinados por AppArmor. Esto se debe a la lógica común para manejar operaciones 'restart' eliminando perfiles AppArmor que no se encuentran en las ubicaciones típicas del sistema de archivos, como \/etc\/apparmor.d\/. 
Proyectos de espacio de usuario que gestionan sus propios perfiles AppArmor en directorios atípicos, como hacen LXD y Docker, están afectados por esta falla en la lógica de init script de AppArmor."}],"metrics":{"cvssMetricV30":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:N\/I:H\/A:N","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":3.6}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N\/AC:M\/Au:N\/C:N\/I:P\/A:N","baseScore":4.3,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-269"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apparmor:apparmor:*:*:*:*:*:*:*:*","versionEndIncluding":"2.11","matchCriteriaId":"2BFD8316-6A68-4E6A-8498-50A612297817"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:canonical:ubuntu_core:15.04:*:*:*:*:*:*:*","matchCriteriaId":"91DF0C2A-2F5A-4C41-8793-FF132F8072FD"},{"vulnerable":true,"criteria":"cpe:2.3:o:canonical:ubuntu_touch:15.04:*:*:*:*:*:*:*","matchCriteriaId":"A6F2578E-045A-4B94-817A-57F4031D7565"}]}]}],"references":[{"url":"http:\/\/bazaar.launchpad.net\/~apparmor-dev\/apparmor\/master\/revision\/3647","source":"cve@mitre.or
g","tags":["Issue Tracking","Patch","Third Party Advisory"]},{"url":"http:\/\/bazaar.launchpad.net\/~apparmor-dev\/apparmor\/master\/revision\/3648","source":"cve@mitre.org","tags":["Issue Tracking","Patch","Third Party Advisory"]},{"url":"http:\/\/www.securityfocus.com\/bid\/97223","source":"cve@mitre.org"},{"url":"https:\/\/bugs.launchpad.net\/apparmor\/+bug\/1668892","source":"cve@mitre.org","tags":["Issue Tracking","Patch","Third Party Advisory"]},{"url":"https:\/\/people.canonical.com\/~ubuntu-security\/cve\/2017\/CVE-2017-6507.html","source":"cve@mitre.org","tags":["Third Party Advisory"]},{"url":"http:\/\/bazaar.launchpad.net\/~apparmor-dev\/apparmor\/master\/revision\/3647","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Patch","Third Party Advisory"]},{"url":"http:\/\/bazaar.launchpad.net\/~apparmor-dev\/apparmor\/master\/revision\/3648","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Patch","Third Party Advisory"]},{"url":"http:\/\/www.securityfocus.com\/bid\/97223","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https:\/\/bugs.launchpad.net\/apparmor\/+bug\/1668892","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Patch","Third Party Advisory"]},{"url":"https:\/\/people.canonical.com\/~ubuntu-security\/cve\/2017\/CVE-2017-6507.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]} \ No newline at end of file +{ + "resultsPerPage": 1, + "startIndex": 0, + "totalResults": 1, + "format": "NVD_CVE", + "version": "2.0", + "timestamp": "2025-09-08T00:44:12.079", + "vulnerabilities": [ + { + "cve": { + "id": "CVE-2017-6507", + "sourceIdentifier": "cve@mitre.org", + "published": "2017-03-24T07:59:00.233", + "lastModified": "2025-04-20T01:37:25.860", + "vulnStatus": "Deferred", + "cveTags": [], + "descriptions": [ + { + "lang": "en", + "value": "An issue was discovered in AppArmor before 2.12. 
Incorrect handling of unknown AppArmor profiles in AppArmor init scripts, upstart jobs, and\/or systemd unit files allows an attacker to possibly have increased attack surfaces of processes that were intended to be confined by AppArmor. This is due to the common logic to handle 'restart' operations removing AppArmor profiles that aren't found in the typical filesystem locations, such as \/etc\/apparmor.d\/. Userspace projects that manage their own AppArmor profiles in atypical directories, such as what's done by LXD and Docker, are affected by this flaw in the AppArmor init script logic." + }, + { + "lang": "es", + "value": "Ha sido descubierto un problema en AppArmor en versiones anteriores a 2.12. El manejo incorrecto de perfiles AppArmor desconocidos en secuencias de comandos init de AppArmor, trabajos upstart, y\/o archivos de unidad systemd permite a un atacante tener posiblemente superficies de ataques incrementadas de procesos que están destinados a ser confinados por AppArmor. Esto se debe a la lógica común para manejar operaciones 'restart' eliminando perfiles AppArmor que no se encuentran en las ubicaciones típicas del sistema de archivos, como \/etc\/apparmor.d\/. Proyectos de espacio de usuario que gestionan sus propios perfiles AppArmor en directorios atípicos, como hacen LXD y Docker, están afectados por esta falla en la lógica de init script de AppArmor." 
+ } + ], + "metrics": { + "cvssMetricV30": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.0", + "vectorString": "CVSS:3.0\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:N\/I:H\/A:N", + "baseScore": 5.9, + "baseSeverity": "MEDIUM", + "attackVector": "NETWORK", + "attackComplexity": "HIGH", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "availabilityImpact": "NONE" + }, + "exploitabilityScore": 2.2, + "impactScore": 3.6 + } + ], + "cvssMetricV2": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "2.0", + "vectorString": "AV:N\/AC:M\/Au:N\/C:N\/I:P\/A:N", + "baseScore": 4.3, + "accessVector": "NETWORK", + "accessComplexity": "MEDIUM", + "authentication": "NONE", + "confidentialityImpact": "NONE", + "integrityImpact": "PARTIAL", + "availabilityImpact": "NONE" + }, + "baseSeverity": "MEDIUM", + "exploitabilityScore": 8.6, + "impactScore": 2.9, + "acInsufInfo": false, + "obtainAllPrivilege": false, + "obtainUserPrivilege": false, + "obtainOtherPrivilege": false, + "userInteractionRequired": false + } + ] + }, + "weaknesses": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-269" + } + ] + } + ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:apparmor:apparmor:*:*:*:*:*:*:*:*", + "versionEndIncluding": "2.11", + "matchCriteriaId": "2BFD8316-6A68-4E6A-8498-50A612297817" + } + ] + } + ] + }, + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:o:canonical:ubuntu_core:15.04:*:*:*:*:*:*:*", + "matchCriteriaId": "91DF0C2A-2F5A-4C41-8793-FF132F8072FD" + }, + { + "vulnerable": true, + "criteria": "cpe:2.3:o:canonical:ubuntu_touch:15.04:*:*:*:*:*:*:*", + "matchCriteriaId": 
"A6F2578E-045A-4B94-817A-57F4031D7565" + } + ] + } + ] + } + ], + "references": [ + { + "url": "http:\/\/bazaar.launchpad.net\/~apparmor-dev\/apparmor\/master\/revision\/3647", + "source": "cve@mitre.org", + "tags": [ + "Issue Tracking", + "Patch", + "Third Party Advisory" + ] + }, + { + "url": "http:\/\/bazaar.launchpad.net\/~apparmor-dev\/apparmor\/master\/revision\/3648", + "source": "cve@mitre.org", + "tags": [ + "Issue Tracking", + "Patch", + "Third Party Advisory" + ] + }, + { + "url": "http:\/\/www.securityfocus.com\/bid\/97223", + "source": "cve@mitre.org" + }, + { + "url": "https:\/\/bugs.launchpad.net\/apparmor\/+bug\/1668892", + "source": "cve@mitre.org", + "tags": [ + "Issue Tracking", + "Patch", + "Third Party Advisory" + ] + }, + { + "url": "https:\/\/people.canonical.com\/~ubuntu-security\/cve\/2017\/CVE-2017-6507.html", + "source": "cve@mitre.org", + "tags": [ + "Third Party Advisory" + ] + }, + { + "url": "http:\/\/bazaar.launchpad.net\/~apparmor-dev\/apparmor\/master\/revision\/3647", + "source": "af854a3a-2127-422b-91ae-364da2661108", + "tags": [ + "Issue Tracking", + "Patch", + "Third Party Advisory" + ] + }, + { + "url": "http:\/\/bazaar.launchpad.net\/~apparmor-dev\/apparmor\/master\/revision\/3648", + "source": "af854a3a-2127-422b-91ae-364da2661108", + "tags": [ + "Issue Tracking", + "Patch", + "Third Party Advisory" + ] + }, + { + "url": "http:\/\/www.securityfocus.com\/bid\/97223", + "source": "af854a3a-2127-422b-91ae-364da2661108" + }, + { + "url": "https:\/\/bugs.launchpad.net\/apparmor\/+bug\/1668892", + "source": "af854a3a-2127-422b-91ae-364da2661108", + "tags": [ + "Issue Tracking", + "Patch", + "Third Party Advisory" + ] + }, + { + "url": "https:\/\/people.canonical.com\/~ubuntu-security\/cve\/2017\/CVE-2017-6507.html", + "source": "af854a3a-2127-422b-91ae-364da2661108", + "tags": [ + "Third Party Advisory" + ] + } + ] + } + } + ] +} \ No newline at end of file