From 2d125c896653ca54190620507a06028546a82d99 Mon Sep 17 00:00:00 2001 From: rh0dy Date: Thu, 29 Feb 2024 00:21:12 +0000 Subject: [PATCH 1/6] Add support for findings with a GHSA but no CVE --- dojo/tools/bundler_audit/parser.py | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/dojo/tools/bundler_audit/parser.py b/dojo/tools/bundler_audit/parser.py index 39b836711b4..8d567af2ec5 100644 --- a/dojo/tools/bundler_audit/parser.py +++ b/dojo/tools/bundler_audit/parser.py @@ -28,7 +28,7 @@ def get_findings(self, filename, test): for warning in warnings: if not warning.startswith("Name"): continue - advisory_cve = None + advisory_id = None gem_report_fields = warning.split("\n") for field in gem_report_fields: if field.startswith("Name"): @@ -36,9 +36,11 @@ def get_findings(self, filename, test): elif field.startswith("Version"): gem_version = field.replace("Version: ", "") elif field.startswith("Advisory"): - advisory_cve = field.replace("Advisory: ", "") + advisory_id = field.replace("Advisory: ", "") elif field.startswith("CVE"): - advisory_cve = field.replace("CVE: ", "") + advisory_id = field.replace("CVE: ", "") + elif advisory_id is None and field.startswith("GHSA"): + advisory_id = field.replace("GHSA: ", "") elif field.startswith("Criticality"): criticality = field.replace("Criticality: ", "") if criticality.lower() == "unknown": @@ -58,7 +60,7 @@ def get_findings(self, filename, test): + ": " + advisory_title + " [" - + advisory_cve + + advisory_id + "]" ) findingdetail = ( @@ -66,11 +68,11 @@ def get_findings(self, filename, test): ) findingdetail += "**Name**: " + gem_name + "\n" findingdetail += "**Version**: " + gem_version + "\n" - findingdetail += "**Advisory**: " + advisory_cve + "\n" + findingdetail += "**Advisory**: " + advisory_id + "\n" mitigation = advisory_solution references = advisory_url fingerprint = ( - "bundler-audit" + gem_name + gem_version + advisory_cve + sev + "bundler-audit" + gem_name + gem_version + advisory_id + sev ) dupe_key = hashlib.md5(fingerprint.encode("utf-8")).hexdigest() if dupe_key in dupes: @@ -91,8 +93,8 @@ def get_findings(self, filename, test): component_name=gem_name, component_version=gem_version, ) - if advisory_cve: - find.unsaved_vulnerability_ids = [advisory_cve] + if advisory_id: + find.unsaved_vulnerability_ids = [advisory_id] dupes[dupe_key] = find From 2f7fe9ef919a8b6b6547ea7b4ed5521f3a024716 Mon Sep 17 00:00:00 2001 From: rh0dy Date: Thu, 29 Feb 2024 00:22:05 +0000 Subject: [PATCH 2/6] Update unit test to handle case with GHSA but no CVE --- unittests/scans/bundler_audit/version_9.0.json | 2 +- unittests/scans/bundler_audit/version_9.0.txt | 8 ++++++++ unittests/tools/test_bundler_audit_parser.py | 10 +++++++++- 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/unittests/scans/bundler_audit/version_9.0.json b/unittests/scans/bundler_audit/version_9.0.json index 2e85c1f3c93..80ac40e7955 100644 --- a/unittests/scans/bundler_audit/version_9.0.json +++ b/unittests/scans/bundler_audit/version_9.0.json @@ -1 +1 @@ -{"version":"0.9.0.1","created_at":"2021-09-16 19:25:23 +0200","results":[{"type":"unpatched_gem","gem":{"name":"rack","version":"1.6.13"},"advisory":{"path":"/home/damien/.local/share/ruby-advisory-db/gems/rack/CVE-2020-8161.yml","id":"CVE-2020-8161","url":"https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA","title":"Directory traversal in Rack::Directory app bundled with Rack","date":"2020-05-12","description":"There was a possible directory traversal vulnerability in the Rack::Directory app\nthat is bundled with Rack.\n\nVersions Affected: rack < 2.2.0\nNot affected: Applications that do not use Rack::Directory.\nFixed Versions: 2.1.3, >= 2.2.0\n\nImpact\n------\n\nIf certain directories exist in a director that is managed by\n`Rack::Directory`, an attacker could, using this vulnerability, read the\ncontents of files on the server that were outside of the root specified in the\nRack::Directory initializer.\n\nWorkarounds\n-----------\n\nUntil such time as the patch is applied or their Rack version is upgraded,\nwe recommend that developers do not use Rack::Directory in their\napplications.\n","cvss_v2":null,"cvss_v3":null,"cve":"2020-8161","osvdb":null,"ghsa":"5f9h-9pjv-v6j7","unaffected_versions":[],"patched_versions":["~> 2.1.3",">= 2.2.0"],"criticality":null}},{"type":"unpatched_gem","gem":{"name":"rack","version":"1.6.13"},"advisory":{"path":"/home/damien/.local/share/ruby-advisory-db/gems/rack/CVE-2020-8184.yml","id":"CVE-2020-8184","url":"https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak","title":"Percent-encoded cookies can be used to overwrite existing prefixed cookie names","date":"2020-06-15","description":"It is possible to forge a secure or host-only cookie prefix in Rack using\nan arbitrary cookie write by using URL encoding (percent-encoding) on the\nname of the cookie. This could result in an application that is dependent on\nthis prefix to determine if a cookie is safe to process being manipulated\ninto processing an insecure or cross-origin request.\nThis vulnerability has been assigned the CVE identifier CVE-2020-8184.\n\nVersions Affected: rack < 2.2.3, rack < 2.1.4\nNot affected: Applications which do not rely on __Host- and __Secure- prefixes to determine if a cookie is safe to process\nFixed Versions: rack >= 2.2.3, rack >= 2.1.4\n\nImpact\n------\n\nAn attacker may be able to trick a vulnerable application into processing an\ninsecure (non-SSL) or cross-origin request if they can gain the ability to write\narbitrary cookies that are sent to the application.\n\nWorkarounds\n-----------\n\nIf your application is impacted but you cannot upgrade to the released versions or apply\nthe provided patch, this issue can be temporarily addressed by adding the following workaround:\n\n```\nmodule Rack\n module Utils\n module_function def parse_cookies_header(header)\n return {} unless header\n header.split(/[;] */n).each_with_object({}) do |cookie, cookies|\n next if cookie.empty?\n key, value = cookie.split('=', 2)\n cookies[key] = (unescape(value) rescue value) unless cookies.key?(key)\n end\n end\n end\nend\n```\n","cvss_v2":null,"cvss_v3":null,"cve":"2020-8184","osvdb":null,"ghsa":"j6w9-fv6q-3q52","unaffected_versions":[],"patched_versions":["~> 2.1.4",">= 2.2.3"],"criticality":null}},{"type":"unpatched_gem","gem":{"name":"sprockets","version":"2.2.3"},"advisory":{"path":"/home/damien/.local/share/ruby-advisory-db/gems/sprockets/CVE-2018-3760.yml","id":"CVE-2018-3760","url":"https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k","title":"Path Traversal in Sprockets","date":"2018-06-19","description":"Specially crafted requests can be used to access files that exist on\nthe filesystem that is outside an application's root directory, when the\nSprockets server is used in production.\n\nAll users running an affected release should either upgrade or use one of the work arounds immediately.\n\nWorkaround:\nIn Rails applications, work around this issue, set `config.assets.compile = false` and\n`config.public_file_server.enabled = true` in an initializer and precompile the assets.\n\n This work around will not be possible in all hosting environments and upgrading is advised.\n","cvss_v2":null,"cvss_v3":null,"cve":"2018-3760","osvdb":null,"ghsa":"pr3h-jjhj-573x","unaffected_versions":[],"patched_versions":[">= 2.12.5, < 3.0.0",">= 3.7.2, < 4.0.0",">= 4.0.0.beta8"],"criticality":null}}]} \ No newline at end of file +{"version":"0.9.0.1","created_at":"2021-09-16 19:25:23 +0200","results":[{"type":"unpatched_gem","gem":{"name":"rack","version":"1.6.13"},"advisory":{"path":"/home/damien/.local/share/ruby-advisory-db/gems/rack/CVE-2020-8161.yml","id":"CVE-2020-8161","url":"https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA","title":"Directory traversal in Rack::Directory app bundled with Rack","date":"2020-05-12","description":"There was a possible directory traversal vulnerability in the Rack::Directory app\nthat is bundled with Rack.\n\nVersions Affected: rack < 2.2.0\nNot affected: Applications that do not use Rack::Directory.\nFixed Versions: 2.1.3, >= 2.2.0\n\nImpact\n------\n\nIf certain directories exist in a director that is managed by\n`Rack::Directory`, an attacker could, using this vulnerability, read the\ncontents of files on the server that were outside of the root specified in the\nRack::Directory initializer.\n\nWorkarounds\n-----------\n\nUntil such time as the patch is applied or their Rack version is upgraded,\nwe recommend that developers do not use Rack::Directory in their\napplications.\n","cvss_v2":null,"cvss_v3":null,"cve":"2020-8161","osvdb":null,"ghsa":"5f9h-9pjv-v6j7","unaffected_versions":[],"patched_versions":["~> 2.1.3",">= 2.2.0"],"criticality":null}},{"type":"unpatched_gem","gem":{"name":"rack","version":"1.6.13"},"advisory":{"path":"/home/damien/.local/share/ruby-advisory-db/gems/rack/CVE-2020-8184.yml","id":"CVE-2020-8184","url":"https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak","title":"Percent-encoded cookies can be used to overwrite existing prefixed cookie names","date":"2020-06-15","description":"It is possible to forge a secure or host-only cookie prefix in Rack using\nan arbitrary cookie write by using URL encoding (percent-encoding) on the\nname of the cookie. This could result in an application that is dependent on\nthis prefix to determine if a cookie is safe to process being manipulated\ninto processing an insecure or cross-origin request.\nThis vulnerability has been assigned the CVE identifier CVE-2020-8184.\n\nVersions Affected: rack < 2.2.3, rack < 2.1.4\nNot affected: Applications which do not rely on __Host- and __Secure- prefixes to determine if a cookie is safe to process\nFixed Versions: rack >= 2.2.3, rack >= 2.1.4\n\nImpact\n------\n\nAn attacker may be able to trick a vulnerable application into processing an\ninsecure (non-SSL) or cross-origin request if they can gain the ability to write\narbitrary cookies that are sent to the application.\n\nWorkarounds\n-----------\n\nIf your application is impacted but you cannot upgrade to the released versions or apply\nthe provided patch, this issue can be temporarily addressed by adding the following workaround:\n\n```\nmodule Rack\n module Utils\n module_function def parse_cookies_header(header)\n return {} unless header\n header.split(/[;] */n).each_with_object({}) do |cookie, cookies|\n next if cookie.empty?\n key, value = cookie.split('=', 2)\n cookies[key] = (unescape(value) rescue value) unless cookies.key?(key)\n end\n end\n end\nend\n```\n","cvss_v2":null,"cvss_v3":null,"cve":"2020-8184","osvdb":null,"ghsa":"j6w9-fv6q-3q52","unaffected_versions":[],"patched_versions":["~> 2.1.4",">= 2.2.3"],"criticality":null}},{"type":"unpatched_gem","gem":{"name":"sprockets","version":"2.2.3"},"advisory":{"path":"/home/damien/.local/share/ruby-advisory-db/gems/sprockets/CVE-2018-3760.yml","id":"CVE-2018-3760","url":"https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k","title":"Path Traversal in Sprockets","date":"2018-06-19","description":"Specially crafted requests can be used to access files that exist on\nthe filesystem that is outside an application's root directory, when the\nSprockets server is used in production.\n\nAll users running an affected release should either upgrade or use one of the work arounds immediately.\n\nWorkaround:\nIn Rails applications, work around this issue, set `config.assets.compile = false` and\n`config.public_file_server.enabled = true` in an initializer and precompile the assets.\n\n This work around will not be possible in all hosting environments and upgrading is advised.\n","cvss_v2":null,"cvss_v3":null,"cve":"2018-3760","osvdb":null,"ghsa":"pr3h-jjhj-573x","unaffected_versions":[],"patched_versions":[">= 2.12.5, < 3.0.0",">= 3.7.2, < 4.0.0",">= 4.0.0.beta8"],"criticality":null}},{"type":"unpatched_gem","gem":{"name":"nokogiri","version":"1.15.2"},"advisory":{"path":"/home/damien/.local/share/ruby-advisory-db/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml","id":"GHSA-xc9x-jj77-9p9j","url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j","title":"Improper Handling of Unexpected Data Type in Nokogiri","date":"2024-02-04","description":"Nokogiri updates packaged libxml2 to v2.12.5 to resolve CVE-2024-25062.\n","cvss_v2":null,"cvss_v3":null,"cve":null,"osvdb":null,"ghsa":"GHSA-xc9x-jj77-9p9j","unaffected_versions":[],"patched_versions":[">= 1.16.2"],"criticality":null}}]} \ No newline at end of file diff --git a/unittests/scans/bundler_audit/version_9.0.txt b/unittests/scans/bundler_audit/version_9.0.txt index b8128857d0d..3a8b5b31119 100644 --- a/unittests/scans/bundler_audit/version_9.0.txt +++ b/unittests/scans/bundler_audit/version_9.0.txt @@ -25,4 +25,12 @@ URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k Title: Path Traversal in Sprockets Solution: upgrade to >= 2.12.5, < 3.0.0, >= 3.7.2, < 4.0.0, >= 4.0.0.beta8 +Name: nokogiri +Version: 1.15.2 +GHSA: GHSA-xc9x-jj77-9p9j +Criticality: Unknown +URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j +Title: Improper Handling of Unexpected Data Type in Nokogiri +Solution: upgrade to '>= 1.16.2' + Vulnerabilities found! diff --git a/unittests/tools/test_bundler_audit_parser.py b/unittests/tools/test_bundler_audit_parser.py index b22a052e380..4e19436a263 100644 --- a/unittests/tools/test_bundler_audit_parser.py +++ b/unittests/tools/test_bundler_audit_parser.py @@ -31,7 +31,7 @@ def test_get_findings_version9(self): with open(path.join(path.dirname(__file__), "../scans/bundler_audit/version_9.0.txt")) as testfile: parser = BundlerAuditParser() findings = parser.get_findings(testfile, Test()) - self.assertEqual(3, len(findings)) + self.assertEqual(4, len(findings)) with self.subTest(i=0): finding = findings[0] self.assertEqual("Gem rack: Directory traversal in Rack::Directory app bundled with Rack [CVE-2020-8161]", finding.title) @@ -56,3 +56,11 @@ def test_get_findings_version9(self): self.assertEqual("CVE-2018-3760", finding.unsaved_vulnerability_ids[0]) self.assertEqual("sprockets", finding.component_name) self.assertEqual("2.2.3", finding.component_version) + with self.subTest(i=3): + finding = findings[3] + self.assertEqual("Gem nokogiri: Improper Handling of Unexpected Data Type in Nokogiri [GHSA-xc9x-jj77-9p9j]", finding.title) + self.assertEqual("Medium", finding.severity) + self.assertEqual(1, len(finding.unsaved_vulnerability_ids)) + self.assertEqual("GHSA-xc9x-jj77-9p9j", finding.unsaved_vulnerability_ids[0]) + self.assertEqual("nokogiri", finding.component_name) + self.assertEqual("1.15.2", finding.component_version) \ No newline at end of file From 26051c883842760cf4302e8358cbcfd2ebae8fb7 Mon Sep 17 00:00:00 2001 From: rh0dy Date: Thu, 29 Feb 2024 09:21:44 +0000 Subject: [PATCH 3/6] Format JSON so it's human readable --- .../scans/bundler_audit/version_9.0.json | 119 +++++++++++++++++- 1 file changed, 118 insertions(+), 1 deletion(-) diff --git a/unittests/scans/bundler_audit/version_9.0.json b/unittests/scans/bundler_audit/version_9.0.json index 80ac40e7955..02e623f64d3 100644 --- a/unittests/scans/bundler_audit/version_9.0.json +++ b/unittests/scans/bundler_audit/version_9.0.json @@ -1 +1,118 @@ -{"version":"0.9.0.1","created_at":"2021-09-16 19:25:23 +0200","results":[{"type":"unpatched_gem","gem":{"name":"rack","version":"1.6.13"},"advisory":{"path":"/home/damien/.local/share/ruby-advisory-db/gems/rack/CVE-2020-8161.yml","id":"CVE-2020-8161","url":"https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA","title":"Directory traversal in Rack::Directory app bundled with Rack","date":"2020-05-12","description":"There was a possible directory traversal vulnerability in the Rack::Directory app\nthat is bundled with Rack.\n\nVersions Affected: rack < 2.2.0\nNot affected: Applications that do not use Rack::Directory.\nFixed Versions: 2.1.3, >= 2.2.0\n\nImpact\n------\n\nIf certain directories exist in a director that is managed by\n`Rack::Directory`, an attacker could, using this vulnerability, read the\ncontents of files on the server that were outside of the root specified in the\nRack::Directory initializer.\n\nWorkarounds\n-----------\n\nUntil such time as the patch is applied or their Rack version is upgraded,\nwe recommend that developers do not use Rack::Directory in their\napplications.\n","cvss_v2":null,"cvss_v3":null,"cve":"2020-8161","osvdb":null,"ghsa":"5f9h-9pjv-v6j7","unaffected_versions":[],"patched_versions":["~> 2.1.3",">= 2.2.0"],"criticality":null}},{"type":"unpatched_gem","gem":{"name":"rack","version":"1.6.13"},"advisory":{"path":"/home/damien/.local/share/ruby-advisory-db/gems/rack/CVE-2020-8184.yml","id":"CVE-2020-8184","url":"https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak","title":"Percent-encoded cookies can be used to overwrite existing prefixed cookie names","date":"2020-06-15","description":"It is possible to forge a secure or host-only cookie prefix in Rack using\nan arbitrary cookie write by using URL encoding (percent-encoding) on the\nname of the cookie. This could result in an application that is dependent on\nthis prefix to determine if a cookie is safe to process being manipulated\ninto processing an insecure or cross-origin request.\nThis vulnerability has been assigned the CVE identifier CVE-2020-8184.\n\nVersions Affected: rack < 2.2.3, rack < 2.1.4\nNot affected: Applications which do not rely on __Host- and __Secure- prefixes to determine if a cookie is safe to process\nFixed Versions: rack >= 2.2.3, rack >= 2.1.4\n\nImpact\n------\n\nAn attacker may be able to trick a vulnerable application into processing an\ninsecure (non-SSL) or cross-origin request if they can gain the ability to write\narbitrary cookies that are sent to the application.\n\nWorkarounds\n-----------\n\nIf your application is impacted but you cannot upgrade to the released versions or apply\nthe provided patch, this issue can be temporarily addressed by adding the following workaround:\n\n```\nmodule Rack\n module Utils\n module_function def parse_cookies_header(header)\n return {} unless header\n header.split(/[;] */n).each_with_object({}) do |cookie, cookies|\n next if cookie.empty?\n key, value = cookie.split('=', 2)\n cookies[key] = (unescape(value) rescue value) unless cookies.key?(key)\n end\n end\n end\nend\n```\n","cvss_v2":null,"cvss_v3":null,"cve":"2020-8184","osvdb":null,"ghsa":"j6w9-fv6q-3q52","unaffected_versions":[],"patched_versions":["~> 2.1.4",">= 2.2.3"],"criticality":null}},{"type":"unpatched_gem","gem":{"name":"sprockets","version":"2.2.3"},"advisory":{"path":"/home/damien/.local/share/ruby-advisory-db/gems/sprockets/CVE-2018-3760.yml","id":"CVE-2018-3760","url":"https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k","title":"Path Traversal in Sprockets","date":"2018-06-19","description":"Specially crafted requests can be used to access files that exist on\nthe filesystem that is outside an application's root directory, when the\nSprockets server is used in production.\n\nAll users running an affected release should either upgrade or use one of the work arounds immediately.\n\nWorkaround:\nIn Rails applications, work around this issue, set `config.assets.compile = false` and\n`config.public_file_server.enabled = true` in an initializer and precompile the assets.\n\n This work around will not be possible in all hosting environments and upgrading is advised.\n","cvss_v2":null,"cvss_v3":null,"cve":"2018-3760","osvdb":null,"ghsa":"pr3h-jjhj-573x","unaffected_versions":[],"patched_versions":[">= 2.12.5, < 3.0.0",">= 3.7.2, < 4.0.0",">= 4.0.0.beta8"],"criticality":null}},{"type":"unpatched_gem","gem":{"name":"nokogiri","version":"1.15.2"},"advisory":{"path":"/home/damien/.local/share/ruby-advisory-db/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml","id":"GHSA-xc9x-jj77-9p9j","url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j","title":"Improper Handling of Unexpected Data Type in Nokogiri","date":"2024-02-04","description":"Nokogiri updates packaged libxml2 to v2.12.5 to resolve CVE-2024-25062.\n","cvss_v2":null,"cvss_v3":null,"cve":null,"osvdb":null,"ghsa":"GHSA-xc9x-jj77-9p9j","unaffected_versions":[],"patched_versions":[">= 1.16.2"],"criticality":null}}]} \ No newline at end of file +{ + "version":"0.9.0.1", + "created_at":"2021-09-16 19:25:23 +0200", + "results":[ + { + "type":"unpatched_gem", + "gem":{ + "name":"rack", + "version":"1.6.13" + }, + "advisory":{ + "path":"/home/damien/.local/share/ruby-advisory-db/gems/rack/CVE-2020-8161.yml", + "id":"CVE-2020-8161", + "url":"https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA", + "title":"Directory traversal in Rack::Directory app bundled with Rack", + "date":"2020-05-12", + "description":"There was a possible directory traversal vulnerability in the Rack::Directory app\nthat is bundled with Rack.\n\nVersions Affected: rack < 2.2.0\nNot affected: Applications that do not use Rack::Directory.\nFixed Versions: 2.1.3, >= 2.2.0\n\nImpact\n------\n\nIf certain directories exist in a director that is managed by\n`Rack::Directory`, an attacker could, using this vulnerability, read the\ncontents of files on the server that were outside of the root specified in the\nRack::Directory initializer.\n\nWorkarounds\n-----------\n\nUntil such time as the patch is applied or their Rack version is upgraded,\nwe recommend that developers do not use Rack::Directory in their\napplications.\n", + "cvss_v2":null, + "cvss_v3":null, + "cve":"2020-8161", + "osvdb":null, + "ghsa":"5f9h-9pjv-v6j7", + "unaffected_versions":[ + + ], + "patched_versions":[ + "~> 2.1.3", + ">= 2.2.0" + ], + "criticality":null + } + }, + { + "type":"unpatched_gem", + "gem":{ + "name":"rack", + "version":"1.6.13" + }, + "advisory":{ + "path":"/home/damien/.local/share/ruby-advisory-db/gems/rack/CVE-2020-8184.yml", + "id":"CVE-2020-8184", + "url":"https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak", + "title":"Percent-encoded cookies can be used to overwrite existing prefixed cookie names", + "date":"2020-06-15", + "description":"It is possible to forge a secure or host-only cookie prefix in Rack using\nan arbitrary cookie write by using URL encoding (percent-encoding) on the\nname of the cookie. This could result in an application that is dependent on\nthis prefix to determine if a cookie is safe to process being manipulated\ninto processing an insecure or cross-origin request.\nThis vulnerability has been assigned the CVE identifier CVE-2020-8184.\n\nVersions Affected: rack < 2.2.3, rack < 2.1.4\nNot affected: Applications which do not rely on __Host- and __Secure- prefixes to determine if a cookie is safe to process\nFixed Versions: rack >= 2.2.3, rack >= 2.1.4\n\nImpact\n------\n\nAn attacker may be able to trick a vulnerable application into processing an\ninsecure (non-SSL) or cross-origin request if they can gain the ability to write\narbitrary cookies that are sent to the application.\n\nWorkarounds\n-----------\n\nIf your application is impacted but you cannot upgrade to the released versions or apply\nthe provided patch, this issue can be temporarily addressed by adding the following workaround:\n\n```\nmodule Rack\n module Utils\n module_function def parse_cookies_header(header)\n return {} unless header\n header.split(/[;] */n).each_with_object({}) do |cookie, cookies|\n next if cookie.empty?\n key, value = cookie.split('=', 2)\n cookies[key] = (unescape(value) rescue value) unless cookies.key?(key)\n end\n end\n end\nend\n```\n", + "cvss_v2":null, + "cvss_v3":null, + "cve":"2020-8184", + "osvdb":null, + "ghsa":"j6w9-fv6q-3q52", + "unaffected_versions":[ + + ], + "patched_versions":[ + "~> 2.1.4", + ">= 2.2.3" + ], + "criticality":null + } + }, + { + "type":"unpatched_gem", + "gem":{ + "name":"sprockets", + "version":"2.2.3" + }, + "advisory":{ + "path":"/home/damien/.local/share/ruby-advisory-db/gems/sprockets/CVE-2018-3760.yml", + "id":"CVE-2018-3760", + "url":"https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k", + "title":"Path Traversal in Sprockets", + "date":"2018-06-19", + "description":"Specially crafted requests can be used to access files that exist on\nthe filesystem that is outside an application's root directory, when the\nSprockets server is used in production.\n\nAll users running an affected release should either upgrade or use one of the work arounds immediately.\n\nWorkaround:\nIn Rails applications, work around this issue, set `config.assets.compile = false` and\n`config.public_file_server.enabled = true` in an initializer and precompile the assets.\n\n This work around will not be possible in all hosting environments and upgrading is advised.\n", + "cvss_v2":null, + "cvss_v3":null, + "cve":"2018-3760", + "osvdb":null, + "ghsa":"pr3h-jjhj-573x", + "unaffected_versions":[ + + ], + "patched_versions":[ + ">= 2.12.5, < 3.0.0", + ">= 3.7.2, < 4.0.0", + ">= 4.0.0.beta8" + ], + "criticality":null + } + }, + { + "type":"unpatched_gem", + "gem":{ + "name":"nokogiri", + "version":"1.15.2" + }, + "advisory":{ + "path":"/home/damien/.local/share/ruby-advisory-db/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml", + "id":"GHSA-xc9x-jj77-9p9j", + "url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j", + "title":"Improper Handling of Unexpected Data Type in Nokogiri", + "date":"2024-02-04", + "description":"Nokogiri updates packaged libxml2 to v2.12.5 to resolve CVE-2024-25062.\n", + "cvss_v2":null, + "cvss_v3":null, + "cve":null, + "osvdb":null, + "ghsa":"GHSA-xc9x-jj77-9p9j", + "unaffected_versions":[ + + ], + "patched_versions":[ + ">= 1.16.2" + ], + "criticality":null + } + } + ] +} \ No newline at end of file From 626defd50904b720429a8dd37f0b7891242ee014 Mon Sep 17 00:00:00 2001 From: rh0dy Date: Thu, 29 Feb 2024 09:46:25 +0000 Subject: [PATCH 4/6] Also populate the CVE field to be as flexible as possible --- dojo/tools/bundler_audit/parser.py | 1 + 1 file changed, 1 insertion(+) diff --git a/dojo/tools/bundler_audit/parser.py b/dojo/tools/bundler_audit/parser.py index 8d567af2ec5..3f36b7474ff 100644 --- a/dojo/tools/bundler_audit/parser.py +++ b/dojo/tools/bundler_audit/parser.py @@ -92,6 +92,7 @@ def get_findings(self, filename, test): dynamic_finding=False, component_name=gem_name, component_version=gem_version, + cve=advisory_id, ) if advisory_id: find.unsaved_vulnerability_ids = [advisory_id] From b325c3abe118a91218f32e6180038056ac3201e9 Mon Sep 17 00:00:00 2001 From: rh0dy Date: Thu, 29 Feb 2024 09:49:45 +0000 Subject: [PATCH 5/6] Unit tests to check cve value --- unittests/tools/test_bundler_audit_parser.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/unittests/tools/test_bundler_audit_parser.py b/unittests/tools/test_bundler_audit_parser.py index 4e19436a263..8d203a61046 100644 --- a/unittests/tools/test_bundler_audit_parser.py +++ b/unittests/tools/test_bundler_audit_parser.py @@ -38,6 +38,7 @@ def test_get_findings_version9(self): self.assertEqual("Medium", finding.severity) self.assertEqual(1, len(finding.unsaved_vulnerability_ids)) self.assertEqual("CVE-2020-8161", finding.unsaved_vulnerability_ids[0]) + self.assertEqual("CVE-2020-8161", finding.cve) self.assertEqual("rack", finding.component_name) self.assertEqual("1.6.13", finding.component_version) with self.subTest(i=1): @@ -46,6 +47,7 @@ def test_get_findings_version9(self): self.assertEqual("Medium", finding.severity) self.assertEqual(1, len(finding.unsaved_vulnerability_ids)) self.assertEqual("CVE-2020-8184", finding.unsaved_vulnerability_ids[0]) + self.assertEqual("CVE-2020-8184", finding.cve) self.assertEqual("rack", finding.component_name) self.assertEqual("1.6.13", finding.component_version) with self.subTest(i=2): @@ -54,6 +56,7 @@ def test_get_findings_version9(self): self.assertEqual("Medium", finding.severity) self.assertEqual(1, len(finding.unsaved_vulnerability_ids)) self.assertEqual("CVE-2018-3760", finding.unsaved_vulnerability_ids[0]) + self.assertEqual("CVE-2018-3760", finding.cve) self.assertEqual("sprockets", finding.component_name) self.assertEqual("2.2.3", finding.component_version) with self.subTest(i=3): @@ -62,5 +65,6 @@ def test_get_findings_version9(self): self.assertEqual("Medium", finding.severity) self.assertEqual(1, len(finding.unsaved_vulnerability_ids)) self.assertEqual("GHSA-xc9x-jj77-9p9j", finding.unsaved_vulnerability_ids[0]) + self.assertEqual("GHSA-xc9x-jj77-9p9j", finding.cve) self.assertEqual("nokogiri", finding.component_name) self.assertEqual("1.15.2", finding.component_version) \ No newline at end of file From d03f3ae6f6e82f2d9052e7f5929045b68f1bfa24 Mon Sep 17 00:00:00 2001 From: rh0dy Date: Thu, 29 Feb 2024 10:16:43 +0000 Subject: [PATCH 6/6] Add new line at bottom of file to fix linting issue --- unittests/tools/test_bundler_audit_parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unittests/tools/test_bundler_audit_parser.py b/unittests/tools/test_bundler_audit_parser.py index 8d203a61046..a5e4e8919db 100644 --- a/unittests/tools/test_bundler_audit_parser.py +++ b/unittests/tools/test_bundler_audit_parser.py @@ -67,4 +67,4 @@ def test_get_findings_version9(self): self.assertEqual("GHSA-xc9x-jj77-9p9j", finding.unsaved_vulnerability_ids[0]) self.assertEqual("GHSA-xc9x-jj77-9p9j", finding.cve) self.assertEqual("nokogiri", finding.component_name) - self.assertEqual("1.15.2", finding.component_version) \ No newline at end of file + self.assertEqual("1.15.2", finding.component_version)