2024 Dependency Management Report

Part 2: Discrepancies and Shortcomings of Vulnerability Databases  

Ecosystem Coverage of CVEs

‍TL;DR

• 18% of npm vulnerabilities in the public Open Source Vulnerability (OSV) database do not have CVE aliases, thus, npm application developers should make sure that their SCA solution ingests OSV.

• Spotchecks of OSV vulnerabilities without CVE alias illustrate different phenomena, including genuine problems related to bundled binaries in Python projects, or erroneous maintenance of existing CVE aliases.

The recent problems of the NVD raise the question whether vulnerability managers have to consider other, additional databases.

The Open Source Vulnerability database (OSV) established itself as a valuable resource for vulnerabilities in open source projects. It ingests and aggregates several vulnerability databases to cover a wide range of 26 ecosystems — from mainstream to more exotic ecosystems like R or Haskell.

As of June 11th, 2024, the OSV contains a total of 13,963 known vulnerabilities for the prominent ecosystems PyPI, Maven, npm, NuGet, Go and RubyGems.org. 828 of those vulnerabilities do not have a CVE alias, i.e. they would be missed when relying on NVD only, most of them stemming from the GitHub Advisory Database (GHAD).

The next figure illustrates how the number of vulnerabilities without CVE aliases varies per ecosystem – between 1% for Maven and 18% for npm – which suggests that some ecosystems are better covered by NVD than others. The take-away for users of SCA solutions is to check which sources are covered by their respective provider, especially if they develop in JavaScript/npm.

But even where the numbers appear little, it shall be noted that some affect well-known components like PyPI/pillow, PyPI/tensorflow or npm/angular. The next chart displays the Top-50 components that have the most vulnerabilities not aliased by a CVE.

One important question is whether those vulnerabilities matter at all, i.e. whether they are real or disputed, have low or critical severity and whether the affected components are used at all.

A review of all the 11 vulnerabilities for RubyGems/nokogiri shows that they all revolve around the update of bundled binaries, especially libxml2, or vendored code. As such, they overcome the problem discussed in the previous section, which is that SCA solutions struggle to detect bundled libraries and vendored code. Apart from GHSA-r95h-9x8f-r3f7, which clearly states that a vulnerability in libxml2 has no impact on nokogiri, the vulnerabilities seem relevant and should indeed be highlighted to users of nokogiri.

The 9 vulnerabilities for Maven/com.vaadin:vaadin-bom are wrongly reported for not being related to CVEs, due to the fact that the OSV entries do not maintain the alias field. Interestingly, vaadim-bom is a Maven project of type pom, also called BOM POM, and thus will not necessarily appear as a dependency itself. As a consequence, the vulnerabilities associated to vaadim-bom may not be mapped to users of the Vaadim components that actually carry the vulnerable code, which is why we associate them to other Vaadim components, e.g. vaadin-checkbox-flow in case of CVE-2021-33605 (GHSA-hw7r-qrhp-5pff).

The 8 vulnerabilities for PyPI/pillow are a mix of different phenomena discussed before: PYSEC-2023-175 and GHSA-56pw-mpj4-fxww address the bundling of a vulnerable version of the libwebp binary (without referring to each other through an alias). GHSA-jgpv-4h4c-xhw3 is actually related to a CVE, but the entry is not linked through an alias. OSV-2022-1074 and OSV-2022-715 have been automatically created as part of the OSS-Fuzz project, without any impact and severity being given, and the other three refer to genuine vulnerabilities within Pillow itself.

Vulnerability Advisory Publication Delays

TL;DR

• 2,527 out of 3,655 security advisories (69%) are published after the corresponding security release, with a median delay of 25 days, which increases the window of opportunity for attackers to exploit vulnerable systems.

• For 25% of 5,978 vulnerabilities having both a CVE and a GHSA, the GHSA is published 10 or more days after the CVE. During this delay, organizations depending on those sources rely on imprecise CPE-mapping to identify vulnerable components in their stack.

Another important aspect in regards to vulnerability management and vulnerability databases is the timely fix by project maintainers, the publication of corresponding security releases – which contain the respective code changes, and the publication of security advisories that inform OSS users about the presence of vulnerabilities and the availability of available security releases.

The figure below presents relevant events in the timeline of security fix propagation and advisory publication, and various delays that hinder the timely notification of open source users, and increase the window of opportunity for attackers. Minimizing those delays is paramount considering the speedy development of exploits, and the fact that additional delays will be introduced through organizations’ patch processes.

The first potential delay happens between the fix of a vulnerability in a project’s source code repository and the publication of a corresponding security release in a public repository such as Maven or npm, which facilitates the consumption of the fix by downstream users. This delay matters, because attackers may be able to spot the fix commits, hence, know about technicalities of the vulnerability and how to exploit it, while users have no easy way to patch their systems.

Researchers from the North Carolina State University (NCSU) found “that open source packages include security fixes in a new release within 4 days of the fix at the median, npm being the fastest and Maven being the slowest. However, 25% of the releases in our data set still came at least 20 days after the corresponding security fix”.

The window of opportunity may be further increased if a security advisory is published after the security fix release. This has been the case for 2,527 advisories, which corresponds to 69.1% of NCSU’s dataset, and the following table shows the median delay for individual ecosystems, and differentiating between CVEs and non-CVEs.

But the publication of a security advisory or vulnerability information can take different forms – from blog posts and CVEs to GitHub Security Advisories (GHSAs), and whether your SCA tool learns about the advisory depends on its specific information sources.

When comparing the publication dates of CVEs with the sources referenced by those CVEs, a previous study by Anwar et al. showed that ≈ 28% of CVEs have a publication lag of more than a week. In other words, they lag more than one week behind the publication of the same vulnerability in another information source such as “vulnerability databases (e.g. Security Focus), bug reports or email archives threads (e.g. Bugzilla), or security advisories (e.g. cisco.com)”.

For this report, we specifically compare the publication dates of vulnerabilities published both as GHSA in the GitHub Advisory Database and as CVE in the NVD. This is important for two reasons: First, because consumers of GHSAs benefit from the use of package identifiers that match the respective ecosystems, whereas the CPE identifiers used by CVEs only support imprecise mappings. Second, because organizations that only consume NVD data feeds may suffer from a publication delay comparable to what has been observed in the study mentioned above.

5,978 vulnerabilities aggregated by OSV have exactly one GHSA and one CVE as alias. The large majority of those vulnerabilities are first published in the NVD, 25% of those cases with a delay of more than 10 days. This means that the accurate mapping of vulnerabilities using ecosystem-specific package identifiers is significantly delayed, i.e. SCA tools solely relying on those sources can only use the imprecise CPE mapping during this lag.

Conversely, less than 1K vulnerabilities are first published as GHSA, with 75% of CVEs being delayed by less than 3 days.

[2] Open or sneaky? fast or slow? light or heavy?: Investigating security releases of open source packages

Public Advisories Lack Code-level Information

TL;DR

• Across six ecosystems, 47% of advisories in public vulnerability databases do not contain any code-level vulnerability information at all.

• 51% contain one or more references to fix commits, and only 2% contain information about affected functions.

The application of program analysis techniques requires code-level information about vulnerabilities, e.g. the names of affected functions or the fix commits that were developed by OSS project maintainers to overcome a vulnerability. Without such information, it is not possible to establish whether known-vulnerable functions can be executed in the context of a downstream application.

Even though the prose CVE descriptions of some open source vulnerabilities mention the names of affected functions or classes, this information is often incomplete and unstructured, and thus can hardly be used as reliable input for program analysis.

But what are the consequences of this lack of code-level information in public vulnerability databases? First, commercial SCA providers build proprietary databases to complement public advisories. The significant costs of building those make them – understandably – reluctant to share this information, which in turn makes it impossible for end-users and open source projects to validate, and compare it across vendors. Second, it is difficult for open source projects to implement effective code-centric SCA solutions.

The advent of the OSV database with its additional data sources compared to NVD, and the sporadic emergence of security advisories with structured information about affected functions motivated us to investigate the current state of affairs with regard to the availability of code-level vulnerability information. 

As before, we grouped all OSV advisories linked through aliases and considered them as one vulnerability. We then checked whether any advisory for a given group contains a reference to a fix commit, names of affected functions, both of it or none of it. Positive examples are the vulnerabilities (GHSA-hm9v-vj3r-r55m, CVE-2023-36807) for Python/PyPI and (GHSA-35jh-r3h4-6jhm, CVE-2021-23337) for JavaScript/npm, where the GHSA complements the CVE information with fix commits and vulnerable function identifiers.

However, the following chart shows that code-level information is still not widely available in public advisories. The majority of Java/Maven and JavaScript/npm vulnerabilities do not have any code-level information at all (57% and 52%). And even where fix commits are available, e.g. in the majority of Python/PyPI and C#/Nuget vulnerabilities (57% and 54%), it is not clear whether those fix commits are complete (i.e. cover all maintained release branches), or whether they contain changes unrelated to the vulnerability fix.

The number of advisories with affected function identifiers is insignificant except for Python/PyPI and JavaScript/npm, where it reaches 7% and 4% respectively.

[1] https://ieeexplore.ieee.org/iel7/8013/5210089/10381645.pdf

Affected components and component versions

TL;DR

• Across 4 ecosystems, Endor Labs and OSV only agree in 72% cases on the affected packages. In 12% of the cases, they mark an intersecting set of components as affected, and in 10% of the cases, Endor Labs marks one additional package.

Naming the components affected by a given vulnerability is more difficult than it seems, due to various reasons. Examples are open source projects that produce multiple artifacts, project forks or artifact identifiers that change over time or depending on the distribution channel.

CVE-2023-41080, for example, affects Apache Tomcat. The particularity of this project is that Tomcat exists for many years already, that its Maven coordinates changed multiple times and that the same classes are contained in multiple artifacts, e.g. the stand-alone version of the Tomcat Web server and its embedded version.

In this particular case, the vulnerable class FormAuthenticator is contained in the following project artifacts, which exist for the major Tomcat releases 7 to 11: org.apache.tomcat:tomcat, org.apache.tomcat:tomcat-catalina and org.apache.tomcat.embed:tomcat-embed-core. 

Previous Tomcat releases, however, were distributed with different Maven coordinates, namely tomcat:catalina (for major versions up to 5, with the latest release from 2007) and org.apache.tomcat:catalina (for major version 6, with the latest release from 2017), both of which also contain the affected class. For users of those old versions, which are not explicitly marked as vulnerable neither by NVD nor in the Apache mailing list, the big question is whether they are safe…

Other examples comprise BOM dependencies or parent POMs in the Maven ecosystem. Both can be used to harmonize dependency versions, however, they typically do not contain any code itself and may not show up in the dependency graphs of downstream users. Examples are the vaadim-bom discussed in a previous section, or CVE-2017-12159 (GHSA-7fmw-85qm-h22p), which refers to maven/org.keycloak:keycloak-parent, while the vulnerable code is contained in maven/org.keycloak:keycloak-services.

Another interesting case is CVE-2023-36566, affecting the Microsoft Common Data Model SDK: GHSA-vm2m-7hpw-fpmq mentions affected components only for the Maven, NuGet and PyPI ecosystems, but the original advisory from Microsoft also mentions an npm package, which is produced from the same GitHub source code repository.

CVE-2024-35220 (GHSA-pj27-2xvp-4qxg) illustrates the problem of project forks: Originally published as npm/fastify-session, the project is now continued in another GitHub repository and published as npm/@fastify/session. While the GitHub advisory only mentioned the latter as affected, we also added the former as affected, which allows alerting customers who have not migrated yet.

To summarize, the following figures illustrate to what extent OSV and Endor Labs deviate in regards to the affected components.

Across four ecosystems, they agree in 72% of the vulnerabilities on the affected component identifiers. In 10% of vulnerabilities, Endor Labs marks one additional component as affected. In 1% of vulnerabilities, OSV marks one additional package as affected. The example above, CVE-2017-12159 affecting Keycloak, is part of the “Intersecting pkgs”, where OSV mentions a component that Endor does not and vice-versa.

When looking at the Maven ecosystem alone, the discrepancy gets more accentuated: OSV and Endor only agree in 55% of vulnerabilities on the affected components. 

Notable Impacts of Mature Vulnerability Prioritization Practices

TL;DR

• Prioritization lets organizations focus on less than 5% of their total number of vulnerabilities.
• In the case of the Python ecosystem, updating the Top 15 components to non-vulnerable versions would remove more than 75% of all the vulnerability findings (Java 60%, npm 44%).

The first figure shows the Top-50 components having the most known vulnerabilities in OSV across six ecosystems (npm, Maven, PyPI, Go, RubyGems and NuGet).

The prevalence of Python packages, with Tensorflow having the most known vulnerabilities, underlines the importance of handling Python dependencies beyond what’s mentioned in manifest files. By following the import statements, for example, it is possible to get a better understanding of the effective dependency tree, compared to relying on the flattened output of “pip freeze”, which may be hugely inflated if multiple Python projects load dependencies from the same Python library search path.

The next figures show the Top-50 Java/Maven and Python/PyPI packages with the most known vulnerabilities. 

Jenkins is stand-alone software, and should be considered apart. Apache Tomcat can be run stand-alone or embedded, e.g. in self-contained Spring Boot applications. Here, the difference between org.apache.tomcat:tomcat and org.apache.tomact.embed:tomcat-embed-core is striking, and the question arises whether the advisories are complete.

One such example is CVE-2020-13935, which is caused by invalid payload lengths in WebSocket frames. According to OSV, the vulnerability affects org.apache.tomcat:tomcat. According to our analysis, however, the vulnerable classes are comprised in five different Tomcat artifacts, including org.apache.tomcat.embed:tomcat-embed-core or org.apache.tomcat.embed:tomcat-embed-websocket, and exploit PoCs showed that they are indeed exploitable.

The three pie charts shown below show the Top 15 components bringing in the most findings across our customer base. In the case of the Python ecosystem, updating the Top 15 components to non-vulnerable versions would remove close to 74% of all the vulnerability findings (Java 60%, npm 45%).

The next chart shows the percentage of vulnerabilities that can be prioritized when applying different filters. The most effective individual filters only consider vulnerabilities whose vulnerable code is reachable, and whose EPSS score is greater than 1%.

When combining all filters, organizations can focus on roughly 4% of Java and JavaScript vulnerabilities (note that function-level reachability is not yet available for JavaScript), and less than 1% of Python vulnerabilities. 

Vulnerabilities in AI Projects

At the time of the study, in June 2024, the number of vulnerabilities reported for tensorflow by GHSA vs. other vulnerability databases differed by more than 40 (~10%). In the meantime, after having reported those discrepancies to GitHub, the respective GHSAs have been reviewed and updated.

Above discussions regarding vulnerability databases apply across the entire open source ecosystem. Here we have a closer look at open source components that are of particular interest for ML/AI applications.

The next two charts illustrate once more the discrepancy between vulnerability databases: They show the number of vulnerabilities for common ML/AI packages – first considering all databases aggregated by OSV, second only considering the advisories from GitHub’s Advisory Database (GHAD).

Tensorflow has by far the most vulnerabilities – closely followed by the variants tensorflow-gpu and tensorflow-cpu, which is not surprising since they share most of the code base. The number of vulnerabilities considering all OSV data sources, however, is significantly higher compared to the ones reported only through GHSAs, around 40 advisories.

One example is GHSA-24x6-8c7m-hv3f, which only lists tensorflow as affected. The advisories PYSEC-2021-227, PYSEC-2021-518, PYSEC-2021-716, however, mentioned by OSV as aliases of the GHSA, additionally mark tensorflow-gpu/cpu as affected. In the case of pandas, GitHub does not provide a GHSA for the disputed vulnerability CVE-2020-13091.

Open source vulnerability databases can differ significantly in the number of vulnerabilities reported for given packages – illustrated at the example of tensorflow. Users can hardly understand the root cause of such discrepancies, e.g. whether they are due to reporting inconsistencies or disputes.