Refactor NVD node configuration parsing by wagoodman · Pull Request #546 · anchore/grype-db · GitHub

Merged: 1 commit, Mar 26, 2025

Conversation

wagoodman (Contributor) commented Mar 24, 2025

This refactors the NVD node configuration parsing, since the previous implementation, when porting from the v5 schema to v6, did not consider non-application CPE parts when crafting new AffectedCPE entries for the DB. The structure of the code was based on what was there in v5 and was not really the best fit to build on.

For instance, in the original code a transposition of affected CPEs and platform CPEs was performed before attempting to find vulnerable CPE candidates (e.g. AND(OR(app cpes), OR(platform cpes)) --> OR( AND(app cpe, platform cpe), ... )). This transposition is no longer needed.

To test the correctness of the functionality, the existing transform function tests were kept intact and updated to reflect the additional functionality that was missing. Additional tests were added to show how different transformer configs behave (e.g. with or without o and h CPE parts being considered), as well as to highlight when incompatible topologies are encountered.

We now also log warnings when dropping criteria from node configurations:

[0055] DEBUG status eta=11m12s overall=7.96% provider="nvd" 2312/s (42.60%)
[0058] DEBUG status eta=11m52s overall=8.31% provider="nvd" 1784/s (44.51%)
[0060]  WARN unsupported NVD node configuration (dropping criteria) criteria="cpe:2.3:a:libsdl:sdl2_image:2.0.4" AND "cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.9" cve=CVE-2019-12216
[0060]  WARN unsupported NVD node configuration (dropping criteria) criteria="cpe:2.3:a:libsdl:sdl2_image:2.0.4" AND "cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.9" cve=CVE-2019-12217
[0060]  WARN unsupported NVD node configuration (dropping criteria) criteria="cpe:2.3:a:libsdl:sdl2_image:2.0.4" AND "cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.9" cve=CVE-2019-12218
[0060]  WARN unsupported NVD node configuration (dropping criteria) criteria="cpe:2.3:a:libsdl:sdl2_image:2.0.4" AND "cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.9" cve=CVE-2019-12219
[0060]  WARN unsupported NVD node configuration (dropping criteria) criteria="cpe:2.3:a:libsdl:sdl2_image:2.0.4" AND "cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.9" cve=CVE-2019-12220
[0060]  WARN unsupported NVD node configuration (dropping criteria) criteria="cpe:2.3:a:libsdl:sdl2_image:2.0.4" AND "cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.9" cve=CVE-2019-12221
[0061] DEBUG status eta=13m38s overall=8.57% provider="nvd" 1324/s (45.90%)

These nodes are dropped today, but silently; this PR adjusts this behavior to at least call out dropped criteria with a warning, similar to how we call out CPEs that cannot be parsed. This allows us to see actively in the logs when new cases crop up and determine if we need to adjust this node configuration parser to account for more cases.

Another case that was not considered when porting from the v5 to v6 schema is that now all CPE fields should be considered sensitive when deduplicating matched CPEs; with v5 only a small subset were supported. This PR now considers all except for the version and update fields when deduplicating CPEs; this will ultimately lead to a difference in the number of a-part CPEs written to the DB compared to what we've written previously.

In terms of how many additional CPEs we're storing, how that affects the count of affected CPE / blob records, and the distributed DB size... here's the final breakdown:

| | Today's DB | New DB |
|---|---|---|
| select count(*) from affected_cpe_handles | 284,728 | 820,529 |
| select count(*) from blobs | 928,338 | 1,394,787 |
| select count(*) from cpes where part == "a" | 65,043 | 64,955 |
| select count(*) from cpes where part == "o" | 0 | 44,617 |
| select count(*) from cpes where part == "h" | 0 | 9,417 |
| vulnerability.db file size | 741M | 846M |
| tar.zst file size | 64M | 71M |

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
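As an added illustration, not grype-db's own code, here is a Go sketch of the two rules the description above turns on: an AND configuration keeps its vulnerable CPEs with the platform CPEs attached directly (no AND/OR transposition), an AND whose vulnerable CPEs span more than one node (such as the app AND app case in the log excerpt) is rejected so the caller can warn and drop it, and CPEs are deduplicated on every field except version and update, with a part filter standing in for the "a" only versus "a", "o" and "h" transformer configs. The Match and Node types, Transform, dedupKey and the acme CPE strings are constructed for this example; version ranges and escaped colons in CPE strings are not modelled.

```go
package main

import "strings"

// Match is one cpeMatch entry of an NVD node (Vulnerable=false marks a platform); Node is one
// node's entries (node operator assumed "OR", as in NVD data). Both are constructed for this example.
type Match struct {
	Criteria   string
	Vulnerable bool
}
type Node []Match

// dedupKey wildcards version (field 5) and update (field 6) of a cpe:2.3 string, the dedup rule
// from the PR, and returns its part. key is "" for a malformed string (escaped colons unhandled).
func dedupKey(criteria string) (key, part string) {
	f := strings.Split(criteria, ":")
	if len(f) != 13 || f[0] != "cpe" || f[1] != "2.3" {
		return "", ""
	}
	f[5], f[6] = "*", "*"
	return strings.Join(f, ":"), f[2]
}

// Transform reduces one configuration (top-level op over nodes) to its deduplicated vulnerable
// CPEs with part in parts, plus the platform CPEs they pair with (no AND/OR transposition needed).
// ok is false for the topology the PR warns about: an AND with vulnerable CPEs in two or more nodes.
func Transform(op string, nodes []Node, parts map[string]bool) (vuln, plat []string, ok bool) {
	seen, vulnNodes := map[string]bool{}, 0
	for _, n := range nodes {
		hasVuln := false
		for _, m := range n {
			key, part := dedupKey(m.Criteria)
			switch {
			case key == "": // unparseable CPE: the PR logs these as warnings; skipped here
			case !m.Vulnerable:
				plat = append(plat, m.Criteria)
			default:
				if !hasVuln {
					hasVuln, vulnNodes = true, vulnNodes+1
				}
				if parts[part] && !seen[key] { // part filter: "a" only vs "a", "o" and "h"
					seen[key] = true
					vuln = append(vuln, key)
				}
			}
		}
	}
	if op == "AND" && vulnNodes != 1 {
		return nil, nil, false // caller should warn and drop the criteria, as the PR now does
	}
	return vuln, plat, true
}
```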
@wagoodman wagoodman force-pushed the fix-nvd-node-configuration-parsing branch from b09117f to c84e0d0 March 25, 2025 14:16
@wagoodman wagoodman marked this pull request as ready for review March 25, 2025 14:43
@wagoodman wagoodman marked this pull request as draft March 25, 2025 15:01
@wagoodman wagoodman marked this pull request as ready for review March 25, 2025 15:32
@wagoodman wagoodman added the bug Something isn't working label Mar 25, 2025
@wagoodman wagoodman self-assigned this Mar 25, 2025
@wagoodman wagoodman added this to OSS Mar 25, 2025
@wagoodman wagoodman moved this to In Review in OSS Mar 25, 2025
@spiffcs spiffcs self-requested a review March 25, 2025 17:05
@wagoodman wagoodman merged commit fd6c74b into main Mar 26, 2025
11 checks passed
@wagoodman wagoodman deleted the fix-nvd-node-configuration-parsing branch March 26, 2025 12:53
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Mar 26, 2025