Comments (6)
ubuntu_api uses ubuntu cve tracker as a data source, and that data source does not include title information.
https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2012-6655
Hi, you use the cve tracker since you have switched to the gost DB, making it mandatory for ubuntu (this DB did not exist in previous vuls versions and the vulnerability data was all there). Are you aware that not having titles for the CVEs anymore is an unacceptable regression? What do you propose to improve this point quickly?
Best regards
Previously, the OVAL used by Vuls had a title like this. Even in the case of gost (ubuntu-cve-tracker), do you want to fill in a title like this?
$ goval-dictionary select --by-package ubuntu 23.10 curl | grep "Title:"
Title: "CVE-2023-28321 on Ubuntu 23.10 (mantic) - low.",
Title: "CVE-2023-28322 on Ubuntu 23.10 (mantic) - low.",
Title: "CVE-2023-38039 on Ubuntu 23.10 (mantic) - medium.",
Title: "CVE-2023-38545 on Ubuntu 23.10 (mantic) - high.",
Title: "CVE-2023-38546 on Ubuntu 23.10 (mantic) - low.",
Hi. If the title field has no information, the field should not be present in the json report, so the client app can react accordingly (it chooses what to do when there is no title field, for example, display part of the summary field as a title). Or vuls itself must have a pattern like you mentioned to fill the title field with available CVE data.
We use trivy separately in combination with vuls; trivy gives Ubuntu-specific CVE titles, for example for CVE-2022-2345, the title is:
CVE-2022-2345 (os-pkgs / ubuntu):use-after-free in skipwhite() in charset.c
As you can understand, since the vuls update (with gost DB), our interface displays empty CVE titles, and we cannot keep it as is.
Best regards.
CVE-2022-2345 (os-pkgs / ubuntu):use-after-free in skipwhite() in charset.c
Referring to the trivy data source:
CVE-2022-2345 does not have a title for ubuntu data sources.
- ubuntu: https://github.com/aquasecurity/vuln-list/blob/04fbc8912182d1fb7313d3db316337286a360c7e/ubuntu/2022/CVE-2022-2345.json
- nvd: https://github.com/aquasecurity/vuln-list/blob/04fbc8912182d1fb7313d3db316337286a360c7e/nvd/2022/CVE-2022-2345.json
Probably, but it seems that redhat bugzilla has this title information.
First, Trivy combines information from multiple data sources and outputs information on detected CVEs. Therefore, there is no need to think of a title for each data source. However, Vuls maintains information for each data source.
For something like Vuls, which has a data structure that preserves each piece of data source information as much as possible, I don't think it's a good idea to arbitrarily supplement title information that isn't in the data source.
Hi,
ok, if you follow a requirement which is to preserve each piece of your data sources, I understand you don't want to code any aggregation or transformation processes from these sources.
So the root issue is from the data sources themselves. We cannot trust the title field from the vuls report, so we will eliminate it from our vuls json report parsing. However, we need a title for GUI display; the CVE description ('summary') is too long, so we have to create our own CVE titles with custom rules.
Thanks.
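A client-side fallback of the kind discussed in this thread (ignore an empty title, otherwise build a display title from the OVAL-style "CVE on OS - severity" pattern the maintainer quoted plus the first sentence of the summary), as an added example that is not part of the original issue or of the Vuls project. The report layout it reads (scannedCves keyed by CVE ID, cveContents keyed by source name, cvss3Severity/cvss2Severity field names), the source preference order and every sample summary are assumptions constructed for the example:

```python
"""Derive display titles for CVEs in a Vuls JSON report when the data source
(for example the Ubuntu CVE tracker via gost) carries no title."""
import json
import re

# Assumption: distro source is consulted first, then NVD, then anything else.
SOURCE_PREFERENCE = ("ubuntu", "nvd")
TITLE_MAX = 100  # display width budget for the GUI, arbitrary choice

# Constructed sample shaped like a Vuls JSON report (assumed layout; the
# summaries are made up for the example, not real advisory text).
SAMPLE_REPORT = json.dumps({
    "serverName": "web01",
    "family": "ubuntu",
    "release": "23.10",
    "scannedCves": {
        "CVE-2023-38545": {
            "cveID": "CVE-2023-38545",
            "cveContents": {
                "ubuntu": [{"type": "ubuntu", "title": "",
                            "summary": "Heap overflow in the SOCKS5 proxy handshake. Further details omitted.",
                            "cvss3Severity": "high"}],
                "nvd": [{"type": "nvd", "title": "",
                         "summary": "Constructed NVD summary. Second sentence.",
                         "cvss3Severity": "CRITICAL"}],
            },
        },
        "CVE-2023-28321": {
            "cveID": "CVE-2023-28321",
            "cveContents": {
                "ubuntu": [{"type": "ubuntu",
                            "title": "CVE-2023-28321 on Ubuntu 23.10 (mantic) - low.",
                            "summary": "Constructed summary.", "cvss3Severity": "low"}],
            },
        },
        # Constructed placeholder with no content at all.
        "CVE-0000-0000": {"cveID": "CVE-0000-0000", "cveContents": {}},
    },
})


def first_sentence(text):
    """Return the first sentence of `text` with whitespace collapsed."""
    text = " ".join(text.split())
    m = re.match(r"(.+?[.!?])(\s|$)", text)
    return m.group(1) if m else text


def truncate(text, limit=TITLE_MAX):
    """Cut `text` to `limit` characters, marking the cut with an ellipsis."""
    if len(text) <= limit:
        return text
    return text[:limit - 3].rstrip() + "..."


def derive_title(cve_id, cve_contents, os_label):
    """Rule 1: a non-empty title from a preferred source wins.
    Rule 2: otherwise synthesize '<CVE> on <os> - <severity>: <first sentence>'.
    Rule 3: otherwise fall back to the bare CVE ID."""
    ordered = [s for s in SOURCE_PREFERENCE if s in cve_contents]
    ordered += [s for s in cve_contents if s not in ordered]
    for src in ordered:
        for entry in cve_contents.get(src, []):
            title = (entry.get("title") or "").strip()
            if title:
                return title
    for src in ordered:
        for entry in cve_contents.get(src, []):
            summary = (entry.get("summary") or "").strip()
            if not summary:
                continue
            severity = (entry.get("cvss3Severity")
                        or entry.get("cvss2Severity") or "").lower()
            prefix = f"{cve_id} on {os_label}"
            if severity:
                prefix += f" - {severity}"
            return truncate(f"{prefix}: {first_sentence(summary)}")
    return cve_id


def titles_from_report(report_json):
    """Map every scanned CVE ID in a Vuls report to a display title."""
    report = json.loads(report_json)
    os_label = f"{report.get('family', '')} {report.get('release', '')}".strip()
    os_label = os_label or "unknown OS"
    return {cve_id: derive_title(cve_id, cve.get("cveContents", {}), os_label)
            for cve_id, cve in report.get("scannedCves", {}).items()}


if __name__ == "__main__":
    for cve_id, title in titles_from_report(SAMPLE_REPORT).items():
        print(f"{cve_id}: {title}")
```

The source order matters: the distro entry is tried before NVD so that the severity in the synthesized title reflects the distribution's own triage rather than the NVD score, which is the value a patching decision on that host should key on.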