Matching of unrelated vulnerabilities through nvd-mirror/gitlab-depscan
Summary
The security report produced by gitlab-depscan/nvd-mirror contains too many false positives because of a bad default in nvd-mirror: it only considers the product name when looking up vulnerabilities and ignores the vendor information.
Steps to reproduce
see omnibus-gitlab!4417 (comment 431693313)
What is the current bug behavior?
Too many vulnerabilities are reported. If two products p1 and p2 carry the same name but have different vendors, and product p1 is vulnerable starting from version v, p2 would be compared against the same version range although it is completely unrelated to p1.
What is the expected correct behavior?
Given the example above, p1 and p2 should be treated as separate products if they have different vendors.
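The mismatch above, reduced to a small matcher, as an added illustration that is not nvd-mirror or gitlab-depscan code. The advisory records, the version comparison and the CVE ids are all constructed placeholders; the point is only that a product-name-only lookup flags vendor-b's "parser" for an advisory that belongs to vendor-a's "parser", while a vendor+product lookup does not.

```python
"""
Product-only vs. vendor+product advisory matching.
Added example, not the project's own code. Advisories, vendors,
version-comparison logic and CVE ids below are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """Constructed NVD-style record: CPE vendor/product and first affected version."""
    cve: str
    vendor: str
    product: str
    affected_from: str


def _version_key(version: str) -> tuple:
    """Turn '1.10.2' into (1, 10, 2) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def match_by_product(advisories, product, version):
    """Buggy default described in the issue: match on product name only."""
    return [
        a.cve
        for a in advisories
        if a.product == product
        and _version_key(version) >= _version_key(a.affected_from)
    ]


def match_by_vendor_product(advisories, vendor, product, version):
    """Corrected lookup: vendor and product must both match before versions are compared."""
    return [
        a.cve
        for a in advisories
        if a.vendor == vendor
        and a.product == product
        and _version_key(version) >= _version_key(a.affected_from)
    ]


# Constructed sample: two unrelated products share the name "parser";
# only vendor-a's parser has an advisory (placeholder id) from version 2.0.0.
SAMPLE_ADVISORIES = [
    Advisory("CVE-0000-0001", "vendor-a", "parser", "2.0.0"),  # placeholder id
    Advisory("CVE-0000-0002", "vendor-c", "other", "1.0.0"),   # placeholder id
]


def compare_lookups(vendor, product, version):
    """Return what each lookup strategy reports for one scanned dependency."""
    return {
        "product_only": match_by_product(SAMPLE_ADVISORIES, product, version),
        "vendor_and_product": match_by_vendor_product(
            SAMPLE_ADVISORIES, vendor, product, version
        ),
    }


if __name__ == "__main__":
    # vendor-b's parser 2.3.0 is unrelated to vendor-a's advisory, yet
    # the product-only lookup reports it: that is the false positive.
    print(compare_lookups("vendor-b", "parser", "2.3.0"))
```

Running the block prints the product-only list containing the placeholder CVE for vendor-b's parser and an empty vendor+product list, which is the difference between the current and the expected behaviour.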
Relevant logs and/or screenshots
see omnibus-gitlab!4417 (comment 431693313)
Possible fixes
Change nvd-mirror to consider both vendor and product information and incorporate the new release into gitlab-depscan.
- Update nvd-mirror to use the vendor field: https://gitlab.com/gitlab-org/secure/vulnerability-research/advisories/nvd-mirror/-/merge_requests/13
- Update gitlab-depscan to include the vendor field in the query: gitlab-org/security-products/gitlab-depscan!19 (merged)