Poutine Build Platform Advisories (#221)

boostsecurityio · Oct 7, 2024 · 6008965 · 6008965
1 parent c847c94
commit 6008965
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 4 deletions.
diff --git a/opa/populate_build_platform_vuln_database_test.go b/opa/populate_build_platform_vuln_database_test.go
@@ -74,9 +74,7 @@ type CVEData struct {
 	} `json:"containers"`
 }
 
-func TransformCVEDataToAdvisories(cveData []CVEData) PlatformAdvisories {
-	advisories := PlatformAdvisories{}
-
+func TransformCVEDataToAdvisories(advisories PlatformAdvisories, cveData []CVEData) PlatformAdvisories {
 	for _, data := range cveData {
 		for _, affected := range data.Containers.CNA.Affected {
 			vendor := strings.ToLower(affected.Vendor)
@@ -217,7 +215,13 @@ func TestPopulateDatabase(t *testing.T) {
 		return nil
 	})
 
-	advisories := TransformCVEDataToAdvisories(cves)
+	poutineAdvisories, err := GetPoutineAdvisories()
+	assert.NoError(t, err)
+
+	assert.NotNil(t, poutineAdvisories)
+	assert.NotEmpty(t, poutineAdvisories)
+
+	advisories := TransformCVEDataToAdvisories(poutineAdvisories, cves)
 
 	advisoriesJson, err := AdvisoriesToJSON(advisories)
 	assert.NoError(t, err)
@@ -239,3 +243,20 @@ func TestPopulateDatabase(t *testing.T) {
 		log.Fatalf("Failed to write updated content to file: %v", err)
 	}
 }
+
+func GetPoutineAdvisories() (PlatformAdvisories, error) {
+	advisories := PlatformAdvisories{}
+
+	advisoriesPath := "poutine_build_platform_advisories.json"
+
+	content, err := os.ReadFile(advisoriesPath)
+	if err != nil {
+		return nil, err
+	}
+
+	err = json.Unmarshal(content, &advisories)
+	if err != nil {
+		return nil, err
+	}
+	return advisories, nil
+}
diff --git a/opa/poutine_build_platform_advisories.json b/opa/poutine_build_platform_advisories.json
@@ -0,0 +1,26 @@
+{
+  "gitlab": {
+    "PVE-2024-00001": {
+      "osv_id": "PVE-2024-00001",
+      "published": "2024-09-10T18:50:12.965Z",
+      "aliases": [],
+      "summary": "Dependencies omniauth-saml and ruby-saml through CVE-2024-45409 do not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system",
+      "severity": [{
+        "type": "CVSS_V3",
+        "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"
+      }],
+      "cwe_ids": [
+        "CWE-347"
+      ],
+      "vulnerable_versions": [],
+      "vulnerable_version_ranges": [
+        ">=17.3, <17.3.3",
+        ">=17.2, <17.2.7",
+        ">=17.1, <17.1.8",
+        ">=17.0, <17.0.8",
+        ">=16.11, <16.11.10"
+      ],
+      "vulnerable_commit_shas": []
+    }
+  }
+}
diff --git a/opa/rego/external/build_platform.rego b/opa/rego/external/build_platform.rego
@@ -12480,5 +12480,25 @@ advisories = {
 			],
 			"vulnerable_commit_shas": [],
 		},
+		"PVE-2024-00001": {
+			"osv_id": "PVE-2024-00001",
+			"published": "2024-09-10T18:50:12.965Z",
+			"aliases": [],
+			"summary": "Dependencies omniauth-saml and ruby-saml through CVE-2024-45409 do not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system",
+			"severity": [{
+				"type": "CVSS_V3",
+				"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
+			}],
+			"cwe_ids": ["CWE-347"],
+			"vulnerable_versions": [],
+			"vulnerable_version_ranges": [
+				">=17.3, <17.3.3",
+				">=17.2, <17.2.7",
+				">=17.1, <17.1.8",
+				">=17.0, <17.0.8",
+				">=16.11, <16.11.10",
+			],
+			"vulnerable_commit_shas": [],
+		},
 	},
 }