
fix: Gracefully handle CVEs with bad configuration nodes missing CPE match expressions#7125

Merged
jeremylong merged 1 commit into dependency-check:main from chadlwilson:make-missing-cpematches-safe on Nov 4, 2024

Conversation

Collaborator

@chadlwilson chadlwilson commented Nov 1, 2024

Description of Change

The NVD API sometimes returns nodes (OR, AND, etc.) for configurations that are missing the required cpeMatch array implied by the schema at https://csrc.nist.gov/schema/nvd/api/2.0/cve_api_json_2.0.schema

While the data is bad, it'd probably be better for ODC to be robust to handle these when checking for matches. The change ignores attempting to match configurations which have no cpeMatch array (treats the same as an empty array).

Have test cases been added to cover the new functionality?

yes
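The behaviour the PR describes, as an added example that is not dependency-check's own code (the project is written in Java; this is a stand-alone Python illustration): parse a constructed NVD API 2.0 style record whose second configuration node omits the schema-required cpeMatch array, and evaluate nodes so that a missing array is treated exactly like an empty one instead of blowing up. The CVE id, vendor and product names are placeholders, and the configuration-level combination (any node matching makes the CVE apply) is a simplifying assumption, not the NVD rule for configuration-level AND operators.

```python
"""Tolerant evaluation of NVD API 2.0 configuration nodes.

Constructed example, not dependency-check code. The second node below
deliberately lacks "cpeMatch", the malformed shape described in the PR.
"""
import json

# Constructed sample modelled on the NVD API 2.0 "configurations" layout.
# "CVE-0000-00000" and the vendor/product names are placeholders.
SAMPLE_CVE_JSON = json.dumps({
    "id": "CVE-0000-00000",
    "configurations": [
        {"nodes": [
            {"operator": "OR", "negate": False, "cpeMatch": [
                {"vulnerable": True,
                 "criteria": "cpe:2.3:a:examplevendor:exampleproduct:*:*:*:*:*:*:*:*",
                 "versionStartIncluding": "1.0",
                 "versionEndExcluding": "1.4"}
            ]},
            {"operator": "OR", "negate": False}  # bad data: no cpeMatch array
        ]}
    ]
})


def parse_cpe(cpe):
    """Split a CPE 2.3 formatted string into its 13 colon-separated fields."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return parts


def version_tuple(v):
    """Comparison key: numeric segments compare as ints, others as strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))


def cpe_match_applies(match, target):
    """Does one cpeMatch entry cover the target CPE, honouring version ranges?"""
    if not match.get("vulnerable", False):
        return False
    crit, tgt = parse_cpe(match["criteria"]), parse_cpe(target)
    # Fields 2..12 are part, vendor, product, version, update, edition, ...;
    # "*" in the criteria matches anything. Index 5 (version) is handled below.
    for i in range(2, 13):
        if i != 5 and crit[i] not in ("*", tgt[i]):
            return False
    ver = tgt[5]
    if crit[5] not in ("*", ver):
        return False
    v = version_tuple(ver)
    bounds = (("versionStartIncluding", lambda b: v < b),
              ("versionStartExcluding", lambda b: v <= b),
              ("versionEndIncluding", lambda b: v > b),
              ("versionEndExcluding", lambda b: v >= b))
    for key, outside in bounds:
        if key in match and outside(version_tuple(match[key])):
            return False
    return True


def node_applies(node, target):
    """Evaluate one configuration node.

    A node whose cpeMatch array is absent (or null) is treated like an empty
    array: it never matches. Returning early also avoids the all([]) == True
    trap for AND nodes, so a bad node can neither crash nor spuriously match.
    """
    matches = node.get("cpeMatch") or []
    if not matches:
        return False
    results = [cpe_match_applies(m, target) for m in matches]
    hit = all(results) if node.get("operator", "OR").upper() == "AND" else any(results)
    return (not hit) if node.get("negate", False) else hit


def cve_applies(cve, target):
    """Assumption for this example: the CVE applies if any node of any
    configuration matches; configuration-level AND operators are not modelled."""
    return any(node_applies(n, target)
               for cfg in cve.get("configurations", [])
               for n in cfg.get("nodes", []))


def vulnerable_targets(cve_json, targets):
    """Return the subset of target CPEs that the CVE record applies to."""
    cve = json.loads(cve_json)
    return [t for t in targets if cve_applies(cve, t)]


if __name__ == "__main__":
    candidates = [
        "cpe:2.3:a:examplevendor:exampleproduct:1.2:*:*:*:*:*:*:*",
        "cpe:2.3:a:examplevendor:exampleproduct:1.4:*:*:*:*:*:*:*",
        "cpe:2.3:a:examplevendor:otherproduct:1.2:*:*:*:*:*:*:*",
    ]
    print(vulnerable_targets(SAMPLE_CVE_JSON, candidates))
```

Running the script prints only the 1.2 entry: 1.4 is excluded by versionEndExcluding, the other product does not match, and the node with no cpeMatch contributes nothing rather than raising.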

Collaborator

@jeremylong jeremylong left a comment


LGTM

@jeremylong jeremylong merged commit 25606aa into dependency-check:main Nov 4, 2024
@jeremylong jeremylong added this to the 11.1.1 milestone Nov 4, 2024
@jeremylong
Collaborator

Thanks for the PR - I would have merged this sooner but I've been on vacation/holiday. I have some downtime on the train to Brussels so thought I'd get a little work on ODC done.

I will get this released once I get back home in a couple days.

@chadlwilson chadlwilson deleted the make-missing-cpematches-safe branch November 4, 2024 09:17
@github-actions github-actions Bot locked as resolved and limited conversation to collaborators Dec 4, 2024

Labels

core (changes to core), tests (test cases)

Development

Successfully merging this pull request may close these issues.

NullPointerException with "Failed to process CVE-2022-38176" when processing NVD API data

2 participants