devops-kung-fu/bomber

Duplicate output lines

Feelemoon opened this issue · 4 comments

When running bomber, some vulnerabilities are reported more than once.

$ bomber scan cyclonedx.json
[...]
╭───────┬─────────┬─────────┬─────────────┬───────────────────────────────┬────────╮
│ TYPE  │ NAME    │ VERSION │ SEVERITY    │ VULNERABILITY                 │ EPSS % │
├───────┼─────────┼─────────┼─────────────┼───────────────────────────────┼────────┤
│ cargo │ time    │ 0.1.45  │ UNSPECIFIED │ CVE-2020-26235                │ 42%    │
│       │         ├─────────┼─────────────┼───────────────────────────────┼────────┤
│       │         │ 0.1.45  │ MODERATE    │ CVE-2020-26235                │ 42%    │
│       ├─────────┼─────────┼─────────────┼───────────────────────────────┼────────┤
│       │ failure │ 0.1.8   │ UNSPECIFIED │ CVE-2020-25575,CVE-2019-25010 │ N/A    │
│       │         ├─────────┼─────────────┼───────────────────────────────┼────────┤
│       │         │ 0.1.8   │ UNSPECIFIED │ CVE-2020-25575                │ 67%    │
│       │         ├─────────┼─────────────┼───────────────────────────────┼────────┤
│       │         │ 0.1.8   │ CRITICAL    │ CVE-2020-25575                │ 67%    │
│       │         ├─────────┼─────────────┼───────────────────────────────┼────────┤
│       │         │ 0.1.8   │ CRITICAL    │ CVE-2019-25010                │ 58%    │
╰───────┴─────────┴─────────┴─────────────┴───────────────────────────────┴────────╯
Total vulnerabilities found: 6
[...]

From my point of view, there are only 3 different vulnerabilities. How can a vulnerability be UNSPECIFIED and CRITICAL at the same time?

bomber just renders the output of the response coming from the providers. I'll remove duplicates and keep the highest severity.

@Feelemoon do you have the SBOM that generated your output, and which provider did you use?

Looked into this more. This is going to be a "won't fix" issue. Different providers provide different vulnerability responses. You'll rarely if ever see an Undefined if using OSSINDEX or Snyk. That said, if you rendered this to HTML or to JSON instead of the STDOUT you may find different remediation instructions for each specific entry. For example, the Undefined one may have information that the one that has a severity includes. There is no way to safely say that one should be removed over the other.

@djschleen Please think about it another time. You're mixing multiple things here.

  1. I'm not sure about the wire-format from all of the different vulnerability databases supported, but I think that some of the UNSPECIFIED severities should be labeled with UNMAINTAINED. As this is a little bit off-topic here, perhaps this should be raised in another issue. Does bomber support reporting UNMAINTAINED packages without CVE attached?
  2. As you might agree, bomber supports different output formats with a varying level of detail. While the HTML report seems to be more feature rich, the STDOUT report is lean. You have to distinguish between the responses gathered from the vulnerability databases and the presentation of the results here. So it might be ok to keep all the results for the HTML report, but filter the duplicate results on the STDOUT report. Why bother the user with this redundancy there?
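As an added illustration (not bomber's own code), here is one way to implement the merge the maintainer proposed in the second comment (collapse duplicate rows, keep the highest severity) while leaving the provider responses untouched, which is what point 2 above asks for on the STDOUT renderer. The `Finding` type and the `Dedupe` function are hypothetical; the six sample rows are constructed from the table in the report, including the row that carries two comma-joined CVE IDs.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding mirrors one row of the STDOUT table in the report.
// Hypothetical type for this example, not bomber's own data structure.
type Finding struct {
	Type     string
	Name     string
	Version  string
	Severity string
	IDs      string // vulnerability IDs, possibly comma-joined as a provider returns them
	EPSS     string // EPSS percentage as text, "N/A" when the provider gave none
}

// severityRank orders severities so the highest one wins on merge.
// UNSPECIFIED (or anything unknown) ranks lowest, so any concrete rating replaces it.
func severityRank(s string) int {
	switch strings.ToUpper(s) {
	case "CRITICAL":
		return 5
	case "HIGH":
		return 4
	case "MODERATE", "MEDIUM":
		return 3
	case "LOW":
		return 2
	case "INFO":
		return 1
	default:
		return 0
	}
}

// Dedupe collapses rows describing the same (type, name, version, vulnerability ID),
// keeping the highest severity seen and the first EPSS value that is not "N/A".
// A row carrying several comma-separated IDs is split first, so a "CVE-A,CVE-B"
// row merges with later single-ID rows for CVE-A and CVE-B. Output order is the
// order in which each (package, ID) pair was first seen.
func Dedupe(in []Finding) []Finding {
	type key struct{ typ, name, version, id string }
	merged := map[key]Finding{}
	var order []key
	for _, f := range in {
		for _, id := range strings.Split(f.IDs, ",") {
			id = strings.TrimSpace(id)
			if id == "" {
				continue
			}
			k := key{f.Type, f.Name, f.Version, id}
			cur, seen := merged[k]
			if !seen {
				cur = Finding{Type: f.Type, Name: f.Name, Version: f.Version,
					Severity: f.Severity, IDs: id, EPSS: f.EPSS}
				order = append(order, k)
			} else {
				if severityRank(f.Severity) > severityRank(cur.Severity) {
					cur.Severity = f.Severity
				}
				if cur.EPSS == "N/A" && f.EPSS != "N/A" {
					cur.EPSS = f.EPSS
				}
			}
			merged[k] = cur
		}
	}
	out := make([]Finding, 0, len(order))
	for _, k := range order {
		out = append(out, merged[k])
	}
	return out
}

// SampleFindings is constructed from the six rows shown in the issue's table.
func SampleFindings() []Finding {
	return []Finding{
		{"cargo", "time", "0.1.45", "UNSPECIFIED", "CVE-2020-26235", "42%"},
		{"cargo", "time", "0.1.45", "MODERATE", "CVE-2020-26235", "42%"},
		{"cargo", "failure", "0.1.8", "UNSPECIFIED", "CVE-2020-25575,CVE-2019-25010", "N/A"},
		{"cargo", "failure", "0.1.8", "UNSPECIFIED", "CVE-2020-25575", "67%"},
		{"cargo", "failure", "0.1.8", "CRITICAL", "CVE-2020-25575", "67%"},
		{"cargo", "failure", "0.1.8", "CRITICAL", "CVE-2019-25010", "58%"},
	}
}

func main() {
	out := Dedupe(SampleFindings())
	for _, f := range out {
		fmt.Printf("%-6s %-8s %-7s %-11s %-15s %s\n",
			f.Type, f.Name, f.Version, f.Severity, f.IDs, f.EPSS)
	}
	fmt.Printf("Total vulnerabilities found: %d\n", len(out))
}
```

Run against the sample rows this yields three entries (CVE-2020-26235 as MODERATE, CVE-2020-25575 and CVE-2019-25010 as CRITICAL), matching the count the reporter expected. Because the merge operates on the rendered rows rather than on the provider responses, the HTML and JSON outputs can still carry every provider-specific remediation entry, which addresses the maintainer's concern about losing information.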