dependencies: CVE scanner for repository_locations.bzl metadata. (#13552)

* dependencies: CVE scanner for repository_locations.bzl metadata.

This is a custom CVE scanner that consumes the NIST CVE database and
heuristically matches against the CPEs, versions and last update stamps
in repository_locations.bzl.

Future PRs will create a CI job that runs this on a periodic basis
(every few hours) to provide a CVE early warning system.

Example output:

Based on heuristic matching with the NIST CVE database, Envoy may be vulnerable to:

  CVE ID: CVE-2019-19391
  CVSS v3 score: 9.1
  Severity: CRITICAL
  Published date: 2019-11-29
  Last modified date: 2019-12-19
  Dependencies: com_github_luajit_luajit
  Description: ** DISPUTED ** In LuaJIT through 2.0.5, as used in Moonjit before
  2.1.2 and other products, debug.getinfo has a type confusion issue
  that leads to arbitrary memory write or read operations, because
  certain cases involving valid stack levels and > options are
  mishandled. NOTE: The LuaJIT project owner states that the debug
  libary is unsafe by definition and that this is not a vulnerability.
  When LuaJIT was originally developed, the expectation was that the
  entire debug library had no security guarantees and thus it made no
  sense to assign CVEs. However, not all users of later LuaJIT
  derivatives share this perspective.
  Affected CPEs:
  - cpe:2.3:a:moonjit_project:moonjit:*
  - cpe:2.3:a:luajit:luajit:*

Risk level: Low
Testing: cve_scan_test.py unit tests, manual.

Signed-off-by: Harvey Tuch <htuch@google.com>
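The matching heuristic the commit message describes (vendor/product match on the CPE, version inside the CVE's affected range, and the dependency's last-update stamp compared with the CVE's publication date) can be sketched as follows. This is an added illustration, not Envoy's own cve_scan.py: the data classes, the simplified CVE records and the dependency pins are constructed for the example (the CVE id, score, CPE and "through 2.0.5" range are taken from the output quoted above; the dependency versions and dates are made up).

```python
# Added example (not Envoy's cve_scan.py): a minimal CPE/version/date matcher
# in the spirit of the heuristic the commit message describes. All records
# below are constructed for illustration.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Dependency:
    name: str
    cpe: str            # "cpe:2.3:a:<vendor>:<product>:*" or "N/A"
    version: str
    last_updated: date  # when the pin in repository_locations.bzl last changed


@dataclass
class CpeRange:
    cpe23: str          # CPE 2.3 string from the CVE's configuration
    end_including: Optional[str] = None
    end_excluding: Optional[str] = None
    start_including: Optional[str] = None


@dataclass
class Cve:
    cve_id: str
    cvss_v3: float
    published: date
    ranges: List[CpeRange]


def parse_cpe23(cpe: str) -> Tuple[str, str, str, str]:
    """Return (part, vendor, product, version) from a CPE 2.3 formatted string."""
    parts = cpe.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 string: " + cpe)
    version = parts[5] if len(parts) > 5 else "*"
    return parts[2], parts[3], parts[4], version


def version_key(version: str) -> Tuple:
    """Comparable key: numeric components sort before textual ones (e.g. 'beta3')."""
    key = []
    for piece in version.replace("-", ".").split("."):
        key.append((0, int(piece)) if piece.isdigit() else (1, piece))
    return tuple(key)


def version_in_range(version: str, r: CpeRange) -> bool:
    v = version_key(version)
    if r.start_including and v < version_key(r.start_including):
        return False
    if r.end_including and v > version_key(r.end_including):
        return False
    if r.end_excluding and v >= version_key(r.end_excluding):
        return False
    return True


def dependency_affected(dep: Dependency, r: CpeRange) -> bool:
    """Heuristic: same vendor, same product (or wildcard on either side), version in range."""
    if dep.cpe == "N/A":
        return False
    _, dep_vendor, dep_product, _ = parse_cpe23(dep.cpe)
    _, cve_vendor, cve_product, cve_version = parse_cpe23(r.cpe23)
    if dep_vendor != cve_vendor:
        return False
    if "*" not in (dep_product, cve_product) and dep_product != cve_product:
        return False
    if cve_version not in ("*", "-"):
        # The CVE names one exact version rather than a range.
        return version_key(cve_version) == version_key(dep.version)
    return version_in_range(dep.version, r)


def scan(deps: List[Dependency], cves: List[Cve]) -> List[dict]:
    """Report every (CVE, dependency) pair the heuristic matches, highest CVSS first."""
    findings = []
    for cve in cves:
        for dep in deps:
            if any(dependency_affected(dep, r) for r in cve.ranges):
                # Date heuristic: a pin bumped after publication may already carry the fix.
                note = ("dependency updated after CVE publication; verify the fix"
                        if dep.last_updated > cve.published
                        else "dependency not updated since CVE publication")
                findings.append({"cve": cve.cve_id, "dependency": dep.name,
                                 "cvss_v3": cve.cvss_v3, "note": note})
    return sorted(findings, key=lambda f: (-f["cvss_v3"], f["cve"], f["dependency"]))


# Constructed sample input: the CVE record mirrors the output quoted above;
# the dependency names, versions and dates are hypothetical.
SAMPLE_CVES = [
    Cve("CVE-2019-19391", 9.1, date(2019, 11, 29), [
        CpeRange("cpe:2.3:a:luajit:luajit:*:*:*:*:*:*:*:*", end_including="2.0.5"),
        CpeRange("cpe:2.3:a:moonjit_project:moonjit:*:*:*:*:*:*:*:*", end_excluding="2.1.2"),
    ]),
]
SAMPLE_DEPS = [
    Dependency("com_github_luajit_luajit", "cpe:2.3:a:luajit:luajit:*", "2.0.5", date(2019, 6, 1)),
    Dependency("com_github_moonjit_moonjit", "cpe:2.3:a:moonjit_project:*:*", "2.1.1", date(2020, 1, 10)),
    Dependency("com_github_example_nocpe", "N/A", "1.0", date(2020, 1, 1)),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_DEPS, SAMPLE_CVES):
        print(f)
```

The vendor-only form `cpe:2.3:a:<vendor>:*:*` matches every product of that vendor, which is why a scanner like this errs on the side of reporting: a match on a dependency that was bumped after the CVE's publication is still listed, just annotated, since only the changelog can say whether the bump included the fix.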

Mirrored from https://github.com/envoyproxy/envoy @ 7d50518ce44aacc702d252eb05eb603c69461834
pull/622/head
Committer: data-plane-api (Azure Pipelines)
parent 6810607ddb
commit 6ff7ba7b46
Changed file: bazel/external_deps.bzl

@ -101,8 +101,8 @@ def load_repository_locations(repository_locations_spec):
# Starlark doesn't have regexes.
cpe_components = len(cpe.split(":"))
# We allow cpe:2.3:a:foo:* and cpe:2.3.:a:foo:bar:* only.
cpe_components_valid = cpe_components in [5, 6]
# We allow cpe:2.3:a:foo:*:* and cpe:2.3.:a:foo:bar:* only.
cpe_components_valid = (cpe_components == 6)
cpe_matches = (cpe == "N/A" or (cpe.startswith("cpe:2.3:a:") and cpe.endswith(":*") and cpe_components_valid))
if not cpe_matches:
fail("CPE must match cpe:2.3:a:<facet>:<facet>:*: " + cpe)
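Review bot: the comment on the added line still carries the typo `cpe:2.3.:a:foo:bar:*` (stray dot after `2.3`), and the tightened check below it does not reject empty facets: `cpe:2.3:a:::*` splits into 6 components, starts with `cpe:2.3:a:` and ends with `:*`, so both `cpe_components_valid` and `cpe_matches` are true. Since the failure message promises `cpe:2.3:a:<facet>:<facet>:*`, consider also requiring a non-empty vendor facet, e.g. `cpe.split(":")[3] != ""`, so the message describes what is actually enforced.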
