From e376d3ddbb342723cd4a327c0e049bb4fa2a6203 Mon Sep 17 00:00:00 2001
From: Tim Lee
Date: Fri, 23 Aug 2024 11:59:25 -0600
Subject: [PATCH] Python Vulnerability False Positive (#21493)
---
 changes/19562-python-vuln | 1 +
 server/vulnerabilities/nvd/cpe_matching_rules.go | 9 +++++++++
 server/vulnerabilities/nvd/cve_test.go | 10 ++++++++++
 3 files changed, 20 insertions(+)
 create mode 100644 changes/19562-python-vuln
diff --git a/changes/19562-python-vuln b/changes/19562-python-vuln
new file mode 100644
index 0000000000..928551bbce
--- /dev/null
+++ b/changes/19562-python-vuln
@@ -0,0 +1 @@
+- Fixed CVE-2024-4030 in Vulncheck feed incorrectly targeting non-Windows hosts
\ No newline at end of file
diff --git a/server/vulnerabilities/nvd/cpe_matching_rules.go b/server/vulnerabilities/nvd/cpe_matching_rules.go
index d7f0e60deb..48821344d0 100644
--- a/server/vulnerabilities/nvd/cpe_matching_rules.go
+++ b/server/vulnerabilities/nvd/cpe_matching_rules.go
@@ -240,6 +240,15 @@ func GetKnownNVDBugRules() (CPEMatchingRules, error) {
 },
 IgnoreAll: true,
 },
+ // CVE-2024-4030 only targets windows operating systems
+ CPEMatchingRule{
+ CVEs: map[string]struct{}{
+ "CVE-2024-4030": {},
+ },
+ IgnoreIf: func(cpeMeta *wfn.Attributes) bool {
+ return cpeMeta.TargetSW != "windows"
+ },
+ },
 }
 
 for i, rule := range rules {
diff --git a/server/vulnerabilities/nvd/cve_test.go b/server/vulnerabilities/nvd/cve_test.go
index fb8ac08070..e131483327 100644
--- a/server/vulnerabilities/nvd/cve_test.go
+++ b/server/vulnerabilities/nvd/cve_test.go
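Review bot: The new `IgnoreIf` closure suppresses CVE-2024-4030 for every CPE whose `TargetSW` is not exactly `"windows"`, which also suppresses it when target_sw is the wildcard `*` (or empty), so a Windows Python install whose CPE carries no platform would silently lose a real finding — a false negative traded for the false positive being fixed. If an unplatformed CPE can reach this rule (I cannot tell from the hunk how target_sw is populated), suppress only on a known non-Windows platform, e.g. `return cpeMeta.TargetSW != "windows" && cpeMeta.TargetSW != "*"`, or at minimum pin the wildcard case in the tests. The comment above the rule should also say why it exists rather than only what the CVE affects, e.g. `// CVE-2024-4030 affects Python on Windows only, but the feed's CPE match reaches other platforms (see changelog), so drop it unless target_sw says windows.` GetKnownNVDBugRules starts and ends outside this hunk.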
@@ -337,6 +337,16 @@ func TestTranslateCPEToCVE(t *testing.T) {
 excludedCVEs: []string{"CVE-2011-5049"}, // OS vulnerability
 continuesToUpdate: true,
 },
+ "cpe:2.3:a:python:python:3.9.6:*:*:*:*:macos:*:*": {
+ excludedCVEs: []string{"CVE-2024-4030"},
+ continuesToUpdate: true,
+ },
+ "cpe:2.3:a:python:python:3.9.6:*:*:*:*:windows:*:*": {
+ includedCVEs: []cve{
+ {ID: "CVE-2024-4030", resolvedInVersion: "3.12.4"},
+ },
+ continuesToUpdate: true,
+ },
 }
 
 cveOSTests := []struct {
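Review bot: The two new cases pin `macos` (excluded) and `windows` (included) but not the wildcard `*` target_sw, which is exactly the boundary where a `TargetSW != "windows"` style check decides between reporting and suppressing; a third case for an unplatformed Python CPE would lock in that decision instead of leaving it implicit. The `windows` case also asserts `resolvedInVersion: "3.12.4"` for a 3.9.6 install without saying where that version comes from — a one-line comment on its origin (presumably the feed's fixed version for the matched configuration) would help the next reader. TestTranslateCPEToCVE starts and ends outside this hunk.

```go
// … unchanged: macos and windows cases above …
"cpe:2.3:a:python:python:3.9.6:*:*:*:*:*:*:*": {
	// wildcard target_sw: the rule currently suppresses this; switch to
	// includedCVEs if unplatformed Windows installs must still be reported
	excludedCVEs:      []string{"CVE-2024-4030"},
	continuesToUpdate: true,
},
```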