Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2137.outbound.protection.outlook.com [40.107.20.137]) by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id 9262B782BA1 for <~alpine/devel@lists.alpinelinux.org>; Thu, 29 Apr 2021 09:38:35 +0000 (UTC)
From: Nir Ben-Eliezer
To: Ariadne Conill
CC: "~alpine/devel@lists.alpinelinux.org" <~alpine/devel@lists.alpinelinux.org>
Subject: RE: Security dispute over nodejs vulnerability in Alpine - Help!
Date: Thu, 29 Apr 2021 09:38:33 +0000
References: <617756a6-b38c-aa47-86bd-269661b85522@dereferenced.org> <1933c278-6817-4ff3-13d9-bbaaaa91da1@dereferenced.org>
In-Reply-To: <1933c278-6817-4ff3-13d9-bbaaaa91da1@dereferenced.org>

Hey,

I checked https://secdb.alpinelinux.org/v3.13/main.json and https://secdb.alpinelinux.org/v3.13/community.json. As you said, this data should be the most reliable source. Note we are talking about Alpine 3.13. Here's what I found:

1. "main.json" lists package "nodejs" and lists CVE-2020-8265 as fixed in version 14.15.4-r0. This CVE does not appear anywhere else in this json.
2. "community.json" lists package "nodejs-current" and lists CVE-2020-8265 as fixed in version 15.5.1-r0.

Do you know the reason for the difference?

So... I'm a bit confused. At the beginning you said that the fact we find CVE-2020-8265 on an Alpine 3.13 image, running nodejs v12.20.1 - is a false positive. In your latest message, however, you mention that Alpine 3.13 does not credit v12.20.1 with the fix for CVE-2020-8265 because that version was never published in Alpine 3.13, only Alpine 3.12.

And finally, when looking at the Alpine 3.13 branch in secdb, which is supposed to be reliable, I see information which indicates that the scanners are working correctly. This is what they all do:

1. They identify the OS as Alpine 3.13 - correct. This is the OS the customer is running.
2. They identify a nodejs v12.20.1 APK installed on the machine - correct. This is the package the customer installed.
3. They identify it is vulnerable to CVE-2020-8265. Should be correct because Alpine doesn't credit v12.20.1 with the fix for this CVE, as you said before.
4. They identify Alpine's recommendation to upgrade nodejs to 14.15.4-r0 in order to fix the problem. This is correct according to secdb.alpinelinux.org/v3.13/main.json.

I am failing to see what the scanners are doing incorrectly and why you consider this a false positive.
I appreciate your help and support on this.

-----Original Message-----
From: Ariadne Conill
Sent: Thursday, April 29, 2021 1:44 AM
To: Ariadne Conill
Cc: Nir Ben-Eliezer; ~alpine/devel@lists.alpinelinux.org
Subject: RE: Security dispute over nodejs vulnerability in Alpine - Help!

Hello,

On Wed, 28 Apr 2021, Ariadne Conill wrote:

> Hello,
>
> On Wed, 28 Apr 2021, Nir Ben-Eliezer wrote:
>
>> Hi Ariadne, and thank you very much for your quick response.
>>
>> I am asking this on behalf of one of our customers. I've used three
>> different scanners, all yield the same result, identifying nodejs
>> v12.20.1 as vulnerable in Alpine 3.13, and recommending to upgrade it
>> to v14.15.4-r0, where it is fixed.
>>
>> The reason why the scanners behave this way is due to the information
>> listed on this page:
>> https://git.alpinelinux.org/aports/blame/main/nodejs/APKBUILD?h=3.13-stable
>> If you scroll down to rows 18-19, you'll see this:
>> +# 14.15.4-r0:
>> +# - CVE-2020-8265
>> +# - CVE-2020-8287
>>
>> Indicating that CVE-2020-8265 is fixed in nodejs 14.15.4-r0 on
>> Alpine's 3.13 branch. I did not find any place indicating that nodejs
>> v12.20.1 also contains the fix in Alpine branch 3.13.
>
> It appears that your scanners are probably using our security
> databases incorrectly, or at least making the wrong assumptions about
> how the version lifecycle works in secfixes land.
>
> To explain: we publish security databases for every branch of Alpine,
> these can be fetched at https://secdb.alpinelinux.org/. These databases
> are compiled from the perspective of each branch. Or in other words,
> they only describe versions that are published in that branch.
>
> Incidentally, one or more security companies are presently scraping
> our cgit instance for this information. It may be that you have stale
> information about the v3.13 branch if your security scanners were
> doing this, as we have recently taken action to stop abuse of our cgit
> instance for this purpose. In that case, see the above note about
> secdb.alpinelinux.org and you will have more reliable data.
>
> Anyway, Alpine 3.13 does not credit v12.20.1 with the fix for
> CVE-2020-8265 because that version was never published in Alpine 3.13,
> only Alpine 3.12.
>
> Each security database publishes information based on what packages
> have been published in that branch.
>
> You may also wish to look at our security database viewer at
> https://security.alpinelinux.org/vuln/CVE-2020-8265, which shows both
> Alpine 3.12 and 3.13 having fixes in their respective versions of Node.
Or they would if the CPE rules matched the actual package name... :)

But you can at least view the CPE rules for that one.

Ariadne
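As an added example, not code from either participant or from Alpine, here is how a scanner can evaluate one installed package against per-branch secdb data the way Ariadne describes it: each branch's database is consulted strictly on its own terms, and the per-branch verdicts are reported side by side instead of being collapsed into a single "vulnerable". The JSON layout of the samples and the 12.20.1-r0 release number in the v3.12 sample are assumptions.

```python
import json

# Constructed samples in the shape of secdb branch databases (assumed layout,
# not fetched from secdb.alpinelinux.org). The "12.20.1-r0" release number in
# the v3.12 sample is an assumption; the thread only states that Alpine 3.12
# credits v12.20.1 with the fix for CVE-2020-8265.
SECDB = {
    "v3.13": json.loads('{"packages": [{"pkg": {"name": "nodejs", "secfixes": '
                        '{"14.15.4-r0": ["CVE-2020-8265", "CVE-2020-8287"]}}}]}'),
    "v3.12": json.loads('{"packages": [{"pkg": {"name": "nodejs", "secfixes": '
                        '{"12.20.1-r0": ["CVE-2020-8265"]}}}]}'),
}


def version_key(v):
    """Simplified apk version ordering: dotted numeric parts, then the -rN
    package release. A missing -rN counts as r0. Suffixes such as _rc1 are
    not handled here."""
    base, _, rel = v.lstrip("v").partition("-r")
    nums = tuple(int(p) for p in base.split(".") if p.isdigit())
    return nums, (int(rel) if rel.isdigit() else 0)


def fixed_versions(secdb, pkgname, cve):
    """Every version this branch's database credits with fixing cve."""
    return [ver
            for entry in secdb["packages"] if entry["pkg"]["name"] == pkgname
            for ver, cves in entry["pkg"]["secfixes"].items() if cve in cves]


def assess(secdb, pkgname, installed, cve):
    """Verdict from one branch's point of view only: the database describes
    only versions published in that branch, so 'vulnerable' here means
    'not credited with the fix in this branch', nothing more."""
    fixes = fixed_versions(secdb, pkgname, cve)
    if not fixes:
        return "no-entry"
    if any(version_key(installed) >= version_key(f) for f in fixes):
        return "fixed"
    return "vulnerable"


def assess_all_branches(pkgname, installed, cve, dbs=SECDB):
    """The caveat from the thread: a version that was never published in the
    scanned branch gets that branch's verdict, which can disagree with the
    branch that actually shipped it. Keep every branch's verdict visible."""
    return {branch: assess(db, pkgname, installed, cve) for branch, db in dbs.items()}


if __name__ == "__main__":
    print(assess_all_branches("nodejs", "v12.20.1", "CVE-2020-8265"))
```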