All CVE scan for nodejsscan, eslint, and codeql. #70

tprokopcda · 2021-02-02T16:35:25Z

tprokopcda
Feb 2, 2021

Hello,

I saw the presentation at BHEU, great job! I tried running a test against all CVEs for nodejsscan, eslint, and codeql. I think I have the drivers configured properly, but the results for nodejsscan seem very low and I was wondering if this was consistent with your testing at well.

Are these results similar to what you have seen or is it possible I configured the nodejsscan driver incorrectly?

Thanks!

Answered by esbena

Feb 3, 2021

Hi

Your observations match mine. But lets take a dive into some of the
results, to sanity check the nodejsscan behaviour. In conclusion, I
think everything is as it should be, and perhaps nodejsscan just
needs a minor tweak to support a few more CVEs.

From your screenshot, nodejsscan do produce a few good results for
the CWE-23 group. So lets investigate that.

$ bin/cli run --tool eslint-default --tool nodejsscan-default --tool codeql-default CWE-23
...
$ bin/cli report --kind server --tool eslint-default --tool nodejsscan-default --tool codeql-default CWE-23

From the overview, CVE-2017-16107 and CVE-2018-11798 appears
interesting to look at: in 5 of 6 cases, the vulnerability is
detec…

View full answer

esbena · 2021-02-03T10:14:53Z

esbena
Feb 3, 2021
Maintainer

Hi

Your observations match mine. But lets take a dive into some of the
results, to sanity check the nodejsscan behaviour. In conclusion, I
think everything is as it should be, and perhaps nodejsscan just
needs a minor tweak to support a few more CVEs.

From your screenshot, nodejsscan do produce a few good results for
the CWE-23 group. So lets investigate that.

$ bin/cli run --tool eslint-default --tool nodejsscan-default --tool codeql-default CWE-23
...
$ bin/cli report --kind server --tool eslint-default --tool nodejsscan-default --tool codeql-default CWE-23

From the overview, CVE-2017-16107 and CVE-2018-11798 appears
interesting to look at: in 5 of 6 cases, the vulnerability is
detected.

Looking at CVE-2017-16107, we see that nodejsscan can flag up calls
of the form fs.createReadStream(__dirname+req.url, ...) using the
rule generic_path_traversal. By the name alone, this sounds
pretty reasonable.

Looking at CVE-2018-11798, we see that nodejsscan does not flag
up any of the lines that the other analyses flag, even though the
lines are of a form that is very similar to fs.createReadStream
example above (IMO).

Looking at the alerts that nodejscan do produce for
CVE-2018-11798, we see that it is able to find something, although
those alerts does not appear to be related to the CVE:

$ cat work/results/nodejsscan-default_CVE-2018-11798_prePatch.json  | jq .runs[].alerts
[
  {
    "location": {
      "file": "lib/nodejs/lib/thrift/web_server.js",
      "line": 516
    },
    "ruleID": "express_xss"
  },
  {
    "location": {
      "file": "lib/nodejs/lib/thrift/web_server.js",
      "line": 514
    },
    "ruleID": "node_sha1"
  },
  {
    "location": {
      "file": "lib/nodejs/lib/thrift/web_server.js",
      "line": 96
    },
    "ruleID": "buffer_noassert"
  }
]

1 reply

tprokopcda May 11, 2021
Author

Thank you for the detailed explanation.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

All CVE scan for nodejsscan, eslint, and codeql. #70

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

All CVE scan for nodejsscan, eslint, and codeql. #70

tprokopcda Feb 2, 2021

Replies: 1 comment · 1 reply

esbena Feb 3, 2021 Maintainer

tprokopcda May 11, 2021 Author

tprokopcda
Feb 2, 2021

Replies: 1 comment 1 reply

esbena
Feb 3, 2021
Maintainer

tprokopcda May 11, 2021
Author