From 0bde1338316a9c4ec6c8e81ee16022ba1733bbaa Mon Sep 17 00:00:00 2001
From: Tim Lee
Date: Fri, 15 Sep 2023 16:38:33 -0600
Subject: [PATCH] add CVE-2013-0340 to ignore list (#13942)

---
 changes/11926-python-vuln-false-positive | 1 +
 server/vulnerabilities/nvd/cpe_matching_rule_test.go | 6 ++++++
 server/vulnerabilities/nvd/cpe_matching_rules.go | 7 +++++++
 3 files changed, 14 insertions(+)
 create mode 100644 changes/11926-python-vuln-false-positive

diff --git a/changes/11926-python-vuln-false-positive b/changes/11926-python-vuln-false-positive
new file mode 100644
index 0000000000..8ba8a8d0ce
--- /dev/null
+++ b/changes/11926-python-vuln-false-positive
@@ -0,0 +1 @@
+- CVE-2013-0340 no longer reports as a valid vulnerability due to NVD recommendations
\ No newline at end of file
diff --git a/server/vulnerabilities/nvd/cpe_matching_rule_test.go b/server/vulnerabilities/nvd/cpe_matching_rule_test.go
index c8565d7294..c5f3abc1ca 100644
--- a/server/vulnerabilities/nvd/cpe_matching_rule_test.go
+++ b/server/vulnerabilities/nvd/cpe_matching_rule_test.go
@@ -255,4 +255,10 @@ func TestGetKnownNVDBugRules(t *testing.T) {
 	require.True(t, ok)
 	ok = rule.CPEMatches(cpeMeta)
 	require.False(t, ok)
+
+	// Test that CVE-2013-0340 never matches (i.e. is ignored).
+	rule, ok = cpeMatchingRules.FindMatch("CVE-2013-0340")
+	require.True(t, ok)
+	ok = rule.CPEMatches(cpeMeta)
+	require.False(t, ok)
 }
diff --git a/server/vulnerabilities/nvd/cpe_matching_rules.go b/server/vulnerabilities/nvd/cpe_matching_rules.go
index bbdbc75f7b..e2bd2db1dd 100644
--- a/server/vulnerabilities/nvd/cpe_matching_rules.go
+++ b/server/vulnerabilities/nvd/cpe_matching_rules.go
@@ -140,6 +140,13 @@ func GetKnownNVDBugRules() (CPEMatchingRules, error) {
 				"CVE-2020-10146": {},
 			},
 		},
+		// #9835 Python expat 2.1.0 CVE recommends rejecting the report, no CVSS score, broad CPE criteria
+		CPEMatchingRule{
+			IgnoreAll: true,
+			CVEs: map[string]struct{}{
+				"CVE-2013-0340": {},
+			},
+		},
 	}
 
 	for i, rule := range rules {
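Review bot: The new assertions reuse whichever `cpeMeta` the preceding case set up, so `require.False(t, ok)` would also pass for a CPE-scoped rule that simply does not match that one CPE, which is not the property this rule is meant to have. Assuming `FindMatch` hands back the CPEMatchingRule itself (or a pointer to it), pin the intent with `require.True(t, rule.IgnoreAll)` right after the `FindMatch` call. Since the change exists to silence a Python false positive, it would also be worth running `CPEMatches` against a Python CPE, if the test file has a helper for building CPE metadata. TestGetKnownNVDBugRules starts before this hunk, so where `cpeMeta` comes from is not visible here.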
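Review bot: `IgnoreAll: true` suppresses CVE-2013-0340 for every CPE that NVD's configuration associates with it, while the justification in the comment is Python-specific and the comment itself calls the CPE criteria broad, so any other matched product (an unpatched libexpat build, say) is now hidden as well. If CPEMatchingRule can be limited to particular CPEs — `CPEMatches(cpeMeta)` taking a CPE suggests it can — scoping the exclusion to the Python product keeps the false-positive fix without a blanket suppression; otherwise the comment should state plainly that this is a global ignore. The issue reference also disagrees with the rest of the change (`#9835` here, 11926 in the changes file, #13942 in the title), which makes the audit trail for a scanner exclusion hard to follow. Suggested comment: `// #9835: CVE-2013-0340 (expat <= 2.1.0) — NVD assigns no CVSS score, the CPE criteria are broad and the CVE text itself suggests the entry be rejected.` followed by `// IgnoreAll hides this CVE for every matched product, not only Python.` GetKnownNVDBugRules starts and ends outside this hunk.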