
Whitelisting of packages affects summary, whitelisting of CVE IDs does not #6

Open
m-ueberall opened this issue Aug 21, 2021 · 0 comments

Comments

@m-ueberall

Using the new whitelisting feature for packages and CVE IDs introduced in releases 0.1.19/0.1.20, respectively, only whitelisted packages will affect the summary counts:

[2021-08-21T15:11:38+0200] sys-maint@vserver19<kvm>:/tmp/debcvescan% ls -l ./debcvescan.whitelist
ls: cannot access './debcvescan.whitelist': No such file or directory
[2021-08-21T15:15:17+0200] sys-maint@vserver19<kvm>:/tmp/debcvescan% /usr/bin/debcvescan scan | grep -E 'Summary Total|intel-microcode|CVE-2020-8492|CVE-2019-20907|CVE-2021-27135'
Summary Total:40 Open:24 High: 0 Medium: 0 Low: 3 Unknown: 0 Ignored: 13 
python2.7    LOW    CVE-2019-20907: In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by 
python2.7    LOW    CVE-2020-8492: Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server 
xterm        OPEN   CVE-2021-27135: xterm before Patch #366 allows remote attackers to execute arbitrary code or cause a denial of service (segmentation fault) via  
intel-microcode OPEN   CVE-2020-24489: Incomplete cleanup in some Intel(R) VT-d products may allow an authenticated user to potentially enable escalation of privilege  
intel-microcode OPEN   CVE-2020-24511: Improper isolation of shared resources in some Intel(R) Processors may allow an authenticated user to potentially enable informa 
intel-microcode OPEN   CVE-2020-24512: Observable timing discrepancy in some Intel(R) Processors may allow an authenticated user to potentially enable information disc 
intel-microcode OPEN   CVE-2020-24513: Domain-bypass transient execution vulnerability in some Intel Atom(R) Processors may allow an authenticated user to potentially  
[2021-08-21T15:15:30+0200] sys-maint@vserver19<kvm>:/tmp/debcvescan% /usr/bin/debcvescan pkg intel-microcode --add-whitelist "meaningless inside a virtual machine"
[2021-08-21T15:17:05+0200] sys-maint@vserver19<kvm>:/tmp/debcvescan% /usr/bin/debcvescan scan | grep -E 'Summary Total|intel-microcode|CVE-2020-8492|CVE-2019-20907|CVE-2021-27135'
Summary Total:36 Open:20 High: 0 Medium: 0 Low: 3 Unknown: 0 Ignored: 13 
python2.7    LOW    CVE-2020-8492: Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server 
python2.7    LOW    CVE-2019-20907: In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by 
xterm        OPEN   CVE-2021-27135: xterm before Patch #366 allows remote attackers to execute arbitrary code or cause a denial of service (segmentation fault) via  
[2021-08-21T15:17:35+0200] sys-maint@vserver19<kvm>:/tmp/debcvescan% for CVEID in CVE-2020-8492 CVE-2019-20907 CVE-2021-27135; do /usr/bin/debcvescan cve $CVEID --add-whitelist "fixed on Ubuntu 20.04 LTS"; done
[2021-08-21T15:18:46+0200] sys-maint@vserver19<kvm>:/tmp/debcvescan% /usr/bin/debcvescan scan | grep -E 'Summary Total|intel-microcode|CVE-2020-8492|CVE-2019-20907|CVE-2021-27135'
Summary Total:36 Open:20 High: 0 Medium: 0 Low: 3 Unknown: 0 Ignored: 13 
[2021-08-21T15:18:55+0200] sys-maint@vserver19<kvm>:/tmp/debcvescan% 

Given that a reason for whitelisting both the package intel-microcode and the individual CVE IDs has been given, I'd expect that the Total/Open/Low counters would also change due to the latter (thereby either increasing the Ignored counter or explicitly being displayed/counted as Whitelisted).
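The counting behaviour this report contrasts (package whitelisting removes findings from the Total/Open/Low counters, CVE whitelisting does not), as an added example that is not part of the issue or of debcvescan's own code. The finding-line format is taken from the scan output quoted above; the `parse_findings`/`summarize`/`format_summary` names, the separate `Whitelisted` bucket, the `IGNORED` status value and the two `example-pkg` entries with invented CVE IDs are assumptions made for the example. The `honour_cve_whitelist` switch reproduces the reported behaviour when off and the expected behaviour when on.

```python
import re
from collections import Counter

# Per-finding lines of "debcvescan scan" as quoted in the issue look like
# "<package>   <status>   <CVE-ID>: <description>"; only the first three fields matter here.
FINDING_RE = re.compile(r"^(?P<package>\S+)\s+(?P<status>[A-Z]+)\s+(?P<cve>CVE-\d{4}-\d{4,}):")

# Constructed sample: the seven findings quoted in the issue (descriptions shortened) plus
# two placeholder entries with invented package/CVE names so the Ignored bucket is exercised.
SAMPLE_OUTPUT = """\
python2.7    LOW    CVE-2019-20907: In Lib/tarfile.py in Python through 3.8.3 ...
python2.7    LOW    CVE-2020-8492: Python 2.7 through 2.7.17 ... allows an HTTP server ...
xterm        OPEN   CVE-2021-27135: xterm before Patch #366 allows remote attackers ...
intel-microcode OPEN   CVE-2020-24489: Incomplete cleanup in some Intel(R) VT-d products ...
intel-microcode OPEN   CVE-2020-24511: Improper isolation of shared resources ...
intel-microcode OPEN   CVE-2020-24512: Observable timing discrepancy ...
intel-microcode OPEN   CVE-2020-24513: Domain-bypass transient execution vulnerability ...
example-pkg  OPEN    CVE-0000-00001: placeholder finding (constructed)
example-pkg  IGNORED CVE-0000-00002: placeholder finding, already ignored (constructed)
"""

SUMMARY_KEYS = ("Total", "Open", "High", "Medium", "Low", "Unknown", "Ignored", "Whitelisted")


def parse_findings(text):
    """Return (package, status, cve) tuples for every finding line; other lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line)
        if m:
            findings.append((m["package"], m["status"], m["cve"]))
    return findings


def summarize(findings, pkg_whitelist=(), cve_whitelist=(), honour_cve_whitelist=True):
    """Count findings into the summary buckets.

    A finding leaves Total and its status bucket when its package is whitelisted, or
    (if honour_cve_whitelist is set) when its CVE ID is whitelisted; it is then reported
    under a separate Whitelisted bucket, which is what the issue asks for.
    honour_cve_whitelist=False reproduces the reported behaviour, where only package
    whitelisting changes the counters.
    """
    counts = Counter({k: 0 for k in SUMMARY_KEYS})
    for package, status, cve in findings:
        if package in pkg_whitelist or (honour_cve_whitelist and cve in cve_whitelist):
            counts["Whitelisted"] += 1
            continue
        counts["Total"] += 1
        counts[status.capitalize()] += 1  # OPEN -> Open, LOW -> Low, IGNORED -> Ignored
    return dict(counts)


def format_summary(counts):
    """Render the counters in the one-line style of the tool's 'Summary' line."""
    return "Summary " + " ".join(f"{k}:{counts.get(k, 0)}" for k in SUMMARY_KEYS)


if __name__ == "__main__":
    findings = parse_findings(SAMPLE_OUTPUT)
    pkgs = {"intel-microcode"}
    cves = {"CVE-2020-8492", "CVE-2019-20907", "CVE-2021-27135"}
    print("no whitelist:      ", format_summary(summarize(findings)))
    print("package whitelist: ", format_summary(summarize(findings, pkgs)))
    print("reported behaviour:", format_summary(summarize(findings, pkgs, cves, honour_cve_whitelist=False)))
    print("expected behaviour:", format_summary(summarize(findings, pkgs, cves)))
```

Running the script prints four summary lines: whitelisting the package moves its four findings out of Total/Open, while with `honour_cve_whitelist=False` the three whitelisted CVE IDs leave the counters untouched, exactly the asymmetry the session above shows; with the switch on they move into the Whitelisted bucket as well.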
