fix: Update NVD CPE search URLs to match new search interface #7970
Conversation
chadlwilson
force-pushed
the
fix-nvd-search-links
branch
from
06033a4 to
814b30b
Compare
|
|
Thanks @jeremylong - I didn’t look at the 2nd one at all, it turned out a bit messier than i thought and I ran out of time. I couldn’t work out what the urls are used for in the CpeIdentifier object if not used later to actually render the report, so it needed more digging as to the reason for the 404ing URLs and which section of the report those ones appear in. |
|
Understood, the HTML reports contain code like: <p>Vulnerable Software & Versions:<ul>
<li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedVulnerableSoftware.toCpe22Uri())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
</ul></p>ReportTool.java Then in the reports, something like: <p>Vulnerable Software & Versions:<ul>
<li class="vs$vsctr"><a target="_blank" href="$rpt.getNvdSearchURL($vuln.matchedVulnerableSoftware)">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
</ul></p>Some of the generated URLs look like the broad pattern and others the more specific one - so we may need two methods exposed. |
chadlwilson
force-pushed
the
fix-nvd-search-links
branch
2 times, most recently
from
0a7712e to
4c71e20
Compare
|
OK I figured out that a different mechanism was being used for the "Identifiers" vs. the "Vulnerable Software & Versions" sections. Which also had a different URL syntax. Not sure, but suspect the "Vulnerable Software & Versions" links might have been broken for a while. I've made this change now, however needs a bit more testing. I think we don't need to specifically use the broad URLs, because the search syntax just takes a CPE 2.3 formatted string anyway. If from the NVD match we know details such as the version number from the matched software (sometimes it is included, if the affected version is not a range), it should be fine to include it in the search. In most other cases including This new search also allows us to search specficially for all the other pieces of the CPE that have shown up in the NVD match, not just part/vendor/product/version - so behaviour should be better, I think. |
chadlwilson
force-pushed
the
fix-nvd-search-links
branch
2 times, most recently
from
ebead1b to
acf0f85
Compare
Signed-off-by: Chad Wilson <[email protected]>
Since the search function accepts a full CPE 2.3 name, we should be able to use whatever CPE we have, with whatever specificity the CPE has. If it happens to have a version number in it, that will be in the URL. If it does not (due to match being against version ranges, then it will do a broad search). Signed-off-by: Chad Wilson <[email protected]>
chadlwilson
force-pushed
the
fix-nvd-search-links
branch
from
acf0f85 to
66c176d
Compare
|
Added an example HTML report generated with this to the description. |
Description of Change
NVD appear to have updated their search interface in a way that breaks our earlier generated deep links from reports etc.
The new interface is similar, but the URLs build CPE identifiers rather than individual components. The "applicability" mode appears to be correct (otherwise you get matches where a given vuln is running on/with a CPE but not affecting that CPE?)
Version-specific search
https://nvd.nist.gov/vuln/search#/nvd/home?sortOrder=3&sortDirection=2&cpeFilterMode=applicability&cpeName=cpe:2.3:a:vmware:spring_framework:5.0.0:*:*:*:*:*:*:*&resultType=records
Broad search
https://nvd.nist.gov/vuln/search#/nvd/home?sortOrder=3&sortDirection=2&cpeFilterMode=applicability&cpeName=cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*&resultType=records
Open questions
Sort by identifier? descending? ascending?Related issues
Have test cases been added to cover the new functionality?
yes
Example report generated via Gradle plugin locally:
dependency-check-report.html