New approach for CVE checking

[hohwille]

With story #103 we want to have security checking to warn users before a tool installation as well as after that if a tool with critical CVEs is used/installed and if detected before installation the user shall be asked for confirmation.

We already implemented a lot of this with PR #119 and then created story #190 with some concerns and improvements.
In the end we came to discussions that questioned the entire approach.

With this story we want to do a PoC/MVP on an alternative approach:

• We implement a direct check of a tool with «tool» + «edition» + «version». That most probably needs additional information that PR #103: security warning for CVEs in file tool/edition/security #119 added to URLUpdaters but would then be needed directly in ToolCommandlet. Example from maven:

 @Override
  public String getCpeVendor() {

    return "apache";
  }

  @Override
  public String getCpeProduct() {

    return "maven";
  }

• Before installation we call that check and see if that combination has (critical) CVEs.
• On the long run the user/project can configure a threshold for the severity, also blacklist CVEs, etc. but for PoC we can ignore this.
• Also ideally the check will give us a structured result that also includes the closest (stable) newer version that could be installed instead without critical CVEs if available. Then the installation process could ask the user if he instead wants to install that newer version instead to be safe of the CVEs. However, again for the PoC we do not need this.
• PR #103: security warning for CVEs in file tool/edition/security #119 already contains the code and dependency (org.owasp:dependency-check-core) that we need to implement this CVE check. If that happens inside IDEasy we must ensure that the CVE-DB is reused across multiple projects. Either the tool already creates this in a hidden folder of the users home directory or we can specify a directory so the data would be written somewhere in IDE_ROOT.

Things to analyze:

• How long does it take on the very first run with CVE-DB being downloaded, etc.?
• Would we get all the required information from this (e.g. next version fixing the CVEs) and could we configure threshold, etc. accordingly?
• If that library downloads stuff, can this somehow work together with our progress-bar, online/offline capability, proxy-support? Surely an advanced question that must not be answered with the very first PoC.

[hohwille]

I was doing some more research and came to the impression that the official CVE-DB is designed like a "blockchain": Some large monolithic monster designed to only grow and grow.
There seems to be no existing (free) service to get only the CVEs for a dedicated tool (by CPE).
Since the CVE-DB is very big and we only need less than 1% of that data, it seems waste to make every of our users to download that DB and keep it up-to-date.
I would still like someone to take this story and do an analysis. But if that confirms my concerns, we should stay with the initial approach: We should add ALL CVEs of a tool to its security.json file then. The user/project could configure some priority threshold for the warnings of these CVEs he gets at runtime when using IDEasy.

[hohwille]

https://github.com/cve-search/cve-search

[hohwille]

https://www.pentestfactory.de/en/cve-quick-search-implementing-our-own-vulnerability-database/

[alfeilex]

How long does it take on the very first run with CVE-DB being downloaded, etc.?

The database download without NVD API Key is extremely slow (like an hour) and finally I couldn't even finish the entire download, because of 403 and 406 error. So first of all we need an API key and then the download of the database should take around 20 minutes (https://jeremylong.github.io/DependencyCheck/dependency-check-maven/)

If that happens inside IDEasy we must ensure that the CVE-DB is reused across multiple projects. Either the tool already creates this in a hidden folder of the users home directory or we can specify a directory so the data would be written somewhere in IDE_ROOT

It's possible to configure a central database server so that each user can use that database for checking (see https://jeremylong.github.io/DependencyCheck/data/database.html) or otherwise there is the possibility to cache the database (https://jeremylong.github.io/DependencyCheck/data/cacheh2.html) and share it across difference projects.

[alfeilex]

Can also be interesting: https://github.com/projectdiscovery/cvemap

[alfeilex]

That is promising: https://github.com/aquasecurity/trivy

[alfeilex]

Survey results:

CVE detection tools

• OWASP Dependency Check Core Maven:
  The tool has moved from using the NVD data-feed to the NVD API. Hence an API key is necassary to download and update the NVD database in normal/full speed. In case that we would host an own database server (or use another database provider), we could configure that dependency-check-maven is using one the them instead. There is also a command line tool for dependency-check-core.

  Requirements:

  • Min. Java 11
  • Maven

  Method:

  • Scans the dependencies in the project and check the NVD database

  Benefits:

  • Easy to integrate

  Drawbacks:

  • API key is necassary or own database solution needed
  • There is option to search for CVE's given a specific vendor or product

---

• cve-search:
  A python based tool to import CVE and CPE into a MongoDB and it provied a REST API to query stored vulnerabilites. It is possible to search based on CPE-Notation. Mainly written for Ubuntu LTS.

  Requirements:

  • Dependencies
  • Python
  • MongoDB
  • Redis

  Method:

  • Import CVE's to MongoDB database and the user can query to find vulnerabilites

  Benefits:

  • Fast look up
  • Search by product name, vendor (CPE-Notation)

  Drawbacks:

  • Relative complex setup
  • Mainly for Linux distribution
  • Python is needed
  • MongoDB is needed

---

• cve-map:
  CLI tool that provides a structured and easily navigable interface to various vunerability databases. The query can be done by vendor, product and more. Unfortunately, an API key is needed.

  Requirements:

  • Go 1.21

  Method:

  • Wrapper for CVEMap API to search for vulnerabilities

  Benefits:

  • No database is needed
  • Search by product name, vendor and more

  Drawbacks:

  • Go is needed
  • No offline usage
  • API key needed

---

• trivy:
  A comprehensive and versatile security scanner. It can scan for vulnerabilites in images, git repositories, filesystem, kubernetes etc. A ~500MB database is downloaded after first use and updated every 6 hours. Can probably be used in every of our offered OS's as binaries are available. Unfortunately, there is no option to scan for a specific tool or vendor. Further, the filesytsem option doesn"t scan any file type for vulnerabilities. There is also a Trivy Github Action available.

  Requirements:

  • Binaries are available for Windows, Linux and MacOS

  Method:

  • In the first run a database is built and then the tool can be used to identify vulnerabilites
  • Scanning Coverage
  • Can scan local filesystem

  Benefits:

  • Easy to use
  • Good documentation
  • Binaries for every OS
  • Maintaining own database including NVD, Red Hat, Debian etc. (Maybe we can use it for our use)

  Drawbacks:

  • No query for specific vendor, product

---

• cve-binary-tool:
  A free, open source tool offered by intel to detect vulnerabilities in software. It is designed for Linux distributions in the first place but it's also possible to use it on windows. In general, Python is needed and few feature dependent tools. The good thing about this tool is that the NVD API key is optional for downloading the database on the local system. They use an own mirror of the NVD database. One feature of the tool is to scan vulnerabilites of binary files and requirement files with binary checkers.

  Requirements:
  - List of requirements for Linux and Windows
  - Python

  Method:

  • Download CVE Data (from NVD, Redhat, OSV, can be configured)
  • Binary scanner can be used for directories or files to detect vulnerabilites
  • There are additional tools to scan component lists like .csv, language specific packages, SBOM

  Benefits:

  • Can be used without additional NVD API key because of mirror
  • Offline mode
  • Multiple options e.g output format, filtering by CVSS score
  • Good documenation

  Drawbacks:

  • Python
  • Download of database take some time

---

API's: I List them for the sake of completeness

• There are some API's provider like https://www.cvedetails.com/documentation/apis or https://docs.redhat.com/en/documentation/red_hat_security_data_api/1.0/html/red_hat_security_data_api/cve#list_all_cves but they are restricted by API keys to use it without limitations or they are limited in their database search.

Conclusion

Most of the tools need an API Key for full download and query performance. So they are not feasible to be integrated in IDEasy. A solution could be to create a own database or look for an existing one with better access as the NVD database and use that.

In my opinion trivy is the best tool for our purpose, it is fast, there are binaries and there are a lot of configuration options. Unfortunately, you can't search for specific CVE's by product or vendor. But trivy can scan SBOM or other specific files. A deeper look could possibly show us a way to manage the installed tools in, for example an SBOM, per project and then pass them to the tool.

[alfeilex]

Trivy also offers to create custom plugins https://aquasecurity.github.io/trivy/v0.17.2/plugins/

In the end the custom plugin can be written in any programming language. So if we can connect to the given database by trivy, we could implement our own query to get the needed CVE data for vendor/product.

[alfeilex]

In the end the custom plugin can be written in any programming language. So if we can connect to the given database by trivy, we could implement our own query to get the needed CVE data for vendor/product.

I tried out how far I can get to write a simple query script to get informationout of the trivy database. The database, where the vulnerabilites are included, is ~ 1GB and made by BoltDB. BoltDB is a key/value storage written purely for go.

The value of a CVE key is:

CVE-2024-0057 – {
"Title":"dotnet: X509 Certificates - Validation Bypass across Azure","Description":"NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability",
"Severity":"CRITICAL",
"CweIDs":["CWE-20"],
"VendorSeverity":{"alma":3,"amazon":3,"bitnami":4,"ghsa":4,"nvd":4,"oracle-oval":3,"photon":4,"redhat":3,"rocky":3,"ubuntu":2},
"CVSS":{"bitnami":{"V3Vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","V3Score":9.8},"ghsa":{"V3Vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","V3Score":9.1},"nvd":{"V3Vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","V3Score":9.8},"redhat":{"V3Vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","V3Score":9.8}},
"References":["https://access.redhat.com/errata/RHSA-2024:0156","https://access.redhat.com/security/cve/CVE-2024-0057","https://bugzilla.redhat.com/2255384","https://bugzilla.redhat.com/2255386","https://bugzilla.redhat.com/2257566","https://bugzilla.redhat.com/show_bug.cgi?id=2255384","https://bugzilla.redhat.com/show_bug.cgi?id=2255386","https://bugzilla.redhat.com/show_bug.cgi?id=2257566","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0056","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0057","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21319","https://devblogs.microsoft.com/dotnet/january-2024-updates/","https://errata.almalinux.org/9/ALSA-2024-0156.html","https://errata.rockylinux.org/RLSA-2024:0158","https://github.com/NuGet/NuGet.Client","https://github.com/NuGet/NuGet.Client/commit/3333f352ec47f0ebb489f20353dea7017f6cb00c","https://github.com/NuGet/NuGet.Client/commit/5e1ba955cca14328d2cb5723f211d5fbc9bcacb3","https://github.com/NuGet/NuGet.Client/security/advisories/GHSA-68w7-72jg-6qpp","https://github.com/dotnet/core/blob/ce802c56fde3abe2ae14ad09a1b8991b6709c18b/release-notes/6.0/6.0.26/6.0.26.md","https://linux.oracle.com/cve/CVE-2024-0057.html","https://linux.oracle.com/errata/ELSA-2024-0158.html","https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-0057","https://nvd.nist.gov/vuln/detail/CVE-2024-0057","https://security.netapp.com/advisory/ntap-20240208-0007","https://security.netapp.com/advisory/ntap-20240208-0007/","https://ubuntu.com/security/notices/USN-6578-1","https://www.cve.org/CVERecord?id=CVE-2024-0057"],"PublishedDate":"2024-01-09T18:15:46.98Z","LastModifiedDate":"2024-05-29T00:15:11.08Z"}
assignment

CVE-2024-0072 – {
"Title":"NVIDIA CUDA toolkit for all platforms contains a vulnerability in cuob ...",
"Description":"\nNVIDIA CUDA toolkit for all platforms contains a vulnerability in cuobjdump and nvdisasm where an attacker may cause a crash by tricking a user into reading a malformed ELF file. A successful exploit of this vulnerability may lead to a partial denial of service.\n\n",
"Severity":"UNKNOWN",
"CweIDs":["CWE-476"],
"References":["https://https://nvidia.custhelp.com/app/answers/detail/a_id/5517"],"PublishedDate":"2024-04-05T18:15:08.477Z","LastModifiedDate":"2024-04-08T18:49:25.863Z"}

The question is, is the information from the vulnerability database sufficient for our purpose? We can search the values of each CVE by vendor. product and possibly version and then output the corresponding CVE with severity and references.

In Trivy's database, there are other databases besides the NVD vulnerabilites, which might be interesting, but where the values are different.

[alfeilex]

Further question is, is there a API to use database query for other languages like Java?