Duplicate output lines
Feelemoon opened this issue · 4 comments
When running bomber, some vulnerabilities are reported more than once.
```
$ bomber scan cyclonedx.json
[...]
╭───────┬─────────┬─────────┬─────────────┬───────────────────────────────┬────────╮
│ TYPE  │ NAME    │ VERSION │ SEVERITY    │ VULNERABILITY                 │ EPSS % │
├───────┼─────────┼─────────┼─────────────┼───────────────────────────────┼────────┤
│ cargo │ time    │ 0.1.45  │ UNSPECIFIED │ CVE-2020-26235                │ 42%    │
│       │         ├─────────┼─────────────┼───────────────────────────────┼────────┤
│       │         │ 0.1.45  │ MODERATE    │ CVE-2020-26235                │ 42%    │
│       ├─────────┼─────────┼─────────────┼───────────────────────────────┼────────┤
│       │ failure │ 0.1.8   │ UNSPECIFIED │ CVE-2020-25575,CVE-2019-25010 │ N/A    │
│       │         ├─────────┼─────────────┼───────────────────────────────┼────────┤
│       │         │ 0.1.8   │ UNSPECIFIED │ CVE-2020-25575                │ 67%    │
│       │         ├─────────┼─────────────┼───────────────────────────────┼────────┤
│       │         │ 0.1.8   │ CRITICAL    │ CVE-2020-25575                │ 67%    │
│       │         ├─────────┼─────────────┼───────────────────────────────┼────────┤
│       │         │ 0.1.8   │ CRITICAL    │ CVE-2019-25010                │ 58%    │
╰───────┴─────────┴─────────┴─────────────┴───────────────────────────────┴────────╯
Total vulnerabilities found: 6
[...]
```
From my point of view, there are only 3 different vulnerabilities. How can a vulnerability be `UNSPECIFIED` and `CRITICAL` at the same time?
`bomber` just renders the output of the response coming from the providers. I'll remove duplicates and keep the highest severity.
@Feelemoon do you have the SBOM that generated your output, and which provider did you use?
Looked into this more. This is going to be a "won't fix" issue. Different providers provide different vulnerability responses. You'll rarely if ever see an Undefined if using OSSINDEX or Snyk. That said, if you rendered this to HTML or to JSON instead of the STDOUT you may find different remediation instructions for each specific entry. For example, the Undefined one may have information that the one that has a severity includes. There is no way to safely say that one should be removed over the other.
@djschleen Please think about it another time. You're mixing multiple things here.
- I'm not sure about the wire-format from all of the different vulnerability databases supported, but I think that some of the `UNSPECIFIED` severities should be labeled with `UNMAINTAINED`. As this is a little bit off-topic here, perhaps this should be raised in another issue. Does bomber support reporting UNMAINTAINED packages without CVE attached?
- As you might agree, bomber supports different output formats with a varying level of detail. While the HTML report seems to be more feature rich, the STDOUT report is lean. You have to distinguish between the responses gathered from the vulnerability databases and the presentation of the results here. So it might be ok to keep all the results for the HTML report, but filter the duplicate results on the STDOUT report. Why bother the user with this redundancy there?