Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case
- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images. - Added symbols.json detailing function entry and sink points in the WordPress code. - Included runtime traces for function calls in both reachable and unreachable scenarios. - Developed OpenVEX files indicating vulnerability status and justification for both cases. - Updated README for evaluator harness to guide integration with scanner output.
@@ -5,6 +5,7 @@ using StellaOps.Concelier.Models;
|
||||
using StellaOps.Concelier.Connector.Common.Packages;
|
||||
using StellaOps.Concelier.Storage.Mongo.Documents;
|
||||
using StellaOps.Concelier.Storage.Mongo.Dtos;
|
||||
using StellaOps.Concelier.Normalization.SemVer;
|
||||
|
||||
namespace StellaOps.Concelier.Connector.Vndr.Cisco.Internal;
|
||||
|
||||
@@ -142,8 +143,9 @@ public static class CiscoMapper
|
||||
continue;
|
||||
}
|
||||
|
||||
var range = BuildVersionRange(product, recordedAt);
|
||||
var ranges = BuildVersionRanges(product, recordedAt);
|
||||
var statuses = BuildStatuses(product, recordedAt);
|
||||
var normalizedVersions = BuildNormalizedVersions(product, ranges);
|
||||
var provenance = new[]
|
||||
{
|
||||
new AdvisoryProvenance(
|
||||
@@ -157,10 +159,10 @@ public static class CiscoMapper
|
||||
type: AffectedPackageTypes.Vendor,
|
||||
identifier: product.Name,
|
||||
platform: null,
|
||||
versionRanges: range is null ? Array.Empty<AffectedVersionRange>() : new[] { range },
|
||||
versionRanges: ranges,
|
||||
statuses: statuses,
|
||||
provenance: provenance,
|
||||
normalizedVersions: Array.Empty<NormalizedVersionRule>()));
|
||||
normalizedVersions: normalizedVersions));
|
||||
}
|
||||
|
||||
return packages.Count == 0
|
||||
@@ -168,14 +170,46 @@ public static class CiscoMapper
|
||||
: packages.OrderBy(static p => p.Identifier, StringComparer.OrdinalIgnoreCase).ToArray();
|
||||
}
|
||||
|
||||
private static AffectedVersionRange? BuildVersionRange(CiscoAffectedProductDto product, DateTimeOffset recordedAt)
|
||||
private static IReadOnlyList<AffectedVersionRange> BuildVersionRanges(CiscoAffectedProductDto product, DateTimeOffset recordedAt)
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(product.Version))
|
||||
{
|
||||
return null;
|
||||
return Array.Empty<AffectedVersionRange>();
|
||||
}
|
||||
|
||||
var version = product.Version.Trim();
|
||||
var provenance = new AdvisoryProvenance(
|
||||
VndrCiscoConnectorPlugin.SourceName,
|
||||
"range",
|
||||
product.ProductId ?? product.Name,
|
||||
recordedAt);
|
||||
var vendorExtensions = BuildVendorExtensions(product, includeVersion: true);
|
||||
|
||||
var semVerResults = SemVerRangeRuleBuilder.Build(version, patchedVersion: null, provenanceNote: BuildNormalizedVersionNote(product));
|
||||
if (semVerResults.Count > 0)
|
||||
{
|
||||
var ranges = new List<AffectedVersionRange>(semVerResults.Count);
|
||||
foreach (var result in semVerResults)
|
||||
{
|
||||
var semVerPrimitives = new RangePrimitives(
|
||||
SemVer: result.Primitive,
|
||||
Nevra: null,
|
||||
Evr: null,
|
||||
VendorExtensions: vendorExtensions);
|
||||
|
||||
ranges.Add(new AffectedVersionRange(
|
||||
rangeKind: NormalizedVersionSchemes.SemVer,
|
||||
introducedVersion: result.Primitive.Introduced,
|
||||
fixedVersion: result.Primitive.Fixed,
|
||||
lastAffectedVersion: result.Primitive.LastAffected,
|
||||
rangeExpression: result.Expression ?? version,
|
||||
provenance: provenance,
|
||||
primitives: semVerPrimitives));
|
||||
}
|
||||
|
||||
return ranges;
|
||||
}
|
||||
|
||||
RangePrimitives? primitives = null;
|
||||
string rangeKind = "vendor";
|
||||
string? rangeExpression = version;
|
||||
@@ -198,23 +232,20 @@ public static class CiscoMapper
|
||||
}
|
||||
else
|
||||
{
|
||||
primitives = new RangePrimitives(null, null, null, BuildVendorExtensions(product, includeVersion: true));
|
||||
primitives = new RangePrimitives(null, null, null, vendorExtensions);
|
||||
}
|
||||
|
||||
var provenance = new AdvisoryProvenance(
|
||||
VndrCiscoConnectorPlugin.SourceName,
|
||||
"range",
|
||||
product.ProductId ?? product.Name,
|
||||
recordedAt);
|
||||
|
||||
return new AffectedVersionRange(
|
||||
return new[]
|
||||
{
|
||||
new AffectedVersionRange(
|
||||
rangeKind: rangeKind,
|
||||
introducedVersion: null,
|
||||
fixedVersion: null,
|
||||
lastAffectedVersion: null,
|
||||
rangeExpression: rangeExpression,
|
||||
provenance: provenance,
|
||||
primitives: primitives);
|
||||
primitives: primitives),
|
||||
};
|
||||
}
|
||||
|
||||
private static IReadOnlyDictionary<string, string>? BuildVendorExtensions(CiscoAffectedProductDto product, bool includeVersion = false)
|
||||
@@ -233,6 +264,48 @@ public static class CiscoMapper
|
||||
return dictionary.Count == 0 ? null : dictionary;
|
||||
}
|
||||
|
||||
private static IReadOnlyList<NormalizedVersionRule> BuildNormalizedVersions(
|
||||
CiscoAffectedProductDto product,
|
||||
IReadOnlyList<AffectedVersionRange> ranges)
|
||||
{
|
||||
if (ranges.Count == 0)
|
||||
{
|
||||
return Array.Empty<NormalizedVersionRule>();
|
||||
}
|
||||
|
||||
var note = BuildNormalizedVersionNote(product);
|
||||
var rules = new List<NormalizedVersionRule>(ranges.Count);
|
||||
foreach (var range in ranges)
|
||||
{
|
||||
var rule = range.ToNormalizedVersionRule(note);
|
||||
if (rule is not null)
|
||||
{
|
||||
rules.Add(rule);
|
||||
}
|
||||
}
|
||||
|
||||
return rules.Count == 0 ? Array.Empty<NormalizedVersionRule>() : rules.ToArray();
|
||||
}
|
||||
|
||||
private static string? BuildNormalizedVersionNote(CiscoAffectedProductDto product)
|
||||
{
|
||||
if (!string.IsNullOrWhiteSpace(product.ProductId))
|
||||
{
|
||||
return $"cisco:{product.ProductId.Trim().ToLowerInvariant()}";
|
||||
}
|
||||
|
||||
if (!string.IsNullOrWhiteSpace(product.Name))
|
||||
{
|
||||
var normalized = product.Name
|
||||
.Trim()
|
||||
.ToLowerInvariant()
|
||||
.Replace(' ', '-');
|
||||
return $"cisco:{normalized}";
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
private static IReadOnlyList<AffectedPackageStatus> BuildStatuses(CiscoAffectedProductDto product, DateTimeOffset recordedAt)
|
||||
{
|
||||
if (product.Statuses is null || product.Statuses.Count == 0)
|
||||
|
||||
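Review bot: The provenance value passed as `product.ProductId ?? product.Name` in the `var provenance = new AdvisoryProvenance(` block of `BuildVersionRanges` (hunk `@@ -168,14 +170,46 @@`) and the `cisco:` note from `BuildNormalizedVersionNote` (hunk `@@ -233,6 +264,48 @@`) resolve the product identifier differently: `??` only skips a null ProductId and keeps it untrimmed, whereas the note treats a whitespace-only ProductId as absent and trims/lowercases it, so one product can carry a raw or blank provenance value next to a normalized `cisco:{name}` note. Since the TASKS.md entry in this commit asks for deterministic provenance identifiers, consider resolving the identifier once, e.g. `var productKey = string.IsNullOrWhiteSpace(product.ProductId) ? product.Name : product.ProductId.Trim();`, and passing `productKey` to the `AdvisoryProvenance` constructor. Relatedly, the `ProductId` branch of the note keeps interior whitespace while the `Name` branch replaces spaces with `-`; if Cisco product ids can contain spaces (not verifiable from this page), both branches should apply the same replacement so the comparison key does not depend on which field was populated. Minor style point: the SemVer path does `return ranges;` with the mutable `List<AffectedVersionRange>` while `BuildNormalizedVersions` materializes with `rules.ToArray()`; pick one form for both helpers. `BuildVersionRanges` continues past the end of its first hunk into `@@ -198,23 +232,20 @@`.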
@@ -1,4 +1,4 @@
|
||||
# TASKS
|
||||
| Task | Owner(s) | Depends on | Notes |
|
||||
|---|---|---|---|
|
||||
|FEEDCONN-CISCO-02-009 SemVer range provenance|BE-Conn-Cisco|CONCELIER-LNM-21-001|**TODO (due 2025-10-21)** – Emit Cisco SemVer ranges into `advisory_observations.affected.versions[]` with provenance identifiers (`cisco:{productId}`) and deterministic comparison keys. Update mapper/tests for the Link-Not-Merge schema and replace legacy merge counter checks with observation/linkset validation.|
|
||||
|FEEDCONN-CISCO-02-009 SemVer range provenance|BE-Conn-Cisco|CONCELIER-LNM-21-001|**DOING (2025-11-08)** – Emitting Cisco SemVer ranges into `advisory_observations.affected.versions[]` with provenance identifiers (`cisco:{productId}`) and deterministic comparison keys. Updating mapper/tests for the Link-Not-Merge schema and replacing legacy merge counter checks with observation/linkset validation.|
|
||||
|
||||