
False positive CVE-2023-4822 was included in E2E Vulnerability detection tests #5368

Closed
1 task done
Rebits opened this issue May 13, 2024 · 6 comments · Fixed by #5369

@Rebits
Member

Rebits commented May 13, 2024

Description

In d19ab01, CVE-2023-4822 has been added to the list of anticipated vulnerabilities for Grafana's vulnerable packages. This update was prompted by findings from beta6 of Vulnerability Detection. However, it's worth noting that this vulnerability is not anticipated to surface in the regular Grafana installation tests, as they are conducted on Grafana itself, not Grafana Enterprise.

Tasks

  • Remove CVE-2023-4822 from the vuln_packages for all grafana packages.

Validation

No validation is needed

@Rebits
Member Author

Rebits commented May 14, 2024

After talking with @sebasfalcone, the product is currently not able to sanitize the Grafana Enterprise case. So we need to use another package for the E2E tests in order to validate the vulnerability detection feature.
After research, I suggest using the following:

  • Grafana-8.5.27 as non Vulnerable
  • Grafana-9.1.1 as vulnerable

Warning

Currently, according to Grafana, version 8.5.27 is affected by CVE-2024-1442 and CVE-2023-6152. However, these vulnerabilities are currently being analyzed by the NVD, so this version is valid for the E2E tests.
Once CVE-2024-1442 has been validated by NVD, we would need to change the non-vulnerable version to 9.5.17. The non-vulnerable-to-vulnerable case will be covered by the upgrade from 9.5.17 to 10.0.0 (affected by CVE-2024-1442).
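The comment above makes the expected-detection set depend on three things: the package (the Enterprise-only CVE must not be expected for plain Grafana), the installed version, and whether NVD has finished analyzing the entry. The following is an added example, not code from the wazuh-qa repository or the Wazuh product, that models those rules so a fixture can derive its expectations instead of hard-coding them. The CVE records are constructed: packages and NVD status follow the thread, the version ranges are placeholders chosen only so that 8.5.27, 9.1.1, 9.5.17 and 10.0.0 fall where the thread says they do, and CVE-YYYY-NNNN is a placeholder id standing in for whatever makes 9.1.1 the vulnerable case.

```python
"""Expected-detection model for the Grafana E2E vulnerability-detection fixture.

Added example, not code from the wazuh-qa repository or the Wazuh product.
The CVE records below are CONSTRUCTED: packages and NVD status follow the
issue thread, the version ranges are placeholders, and CVE-YYYY-NNNN is a
placeholder id for the CVE that makes 9.1.1 the vulnerable case.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class CveRecord:
    cve: str
    packages: frozenset   # package names the CVE applies to
    ranges: tuple         # ((min_inclusive, max_exclusive), ...) as version strings
    nvd_analyzed: bool    # False while the NVD entry is still "awaiting analysis"


def parse_version(version: str) -> tuple:
    """'9.5.17' -> (9, 5, 17); a package release suffix such as '-1' is dropped."""
    core = version.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str, record: CveRecord) -> bool:
    """True when the version lies inside any of the record's half-open ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in record.ranges)


BOTH = frozenset({"grafana", "grafana-enterprise"})
ENTERPRISE_ONLY = frozenset({"grafana-enterprise"})

# Constructed records (see module docstring); every range is a placeholder.
RECORDS = (
    # Enterprise-only: the false positive this issue removes from the OSS expectations.
    CveRecord("CVE-2023-4822", ENTERPRISE_ONLY, (("8.0.0", "11.0.0"),), True),
    # Listed by Grafana for 8.5.27 but still under NVD analysis at the time of the thread.
    CveRecord("CVE-2023-6152", BOTH, (("8.0.0", "9.0.0"),), False),
    CveRecord("CVE-2024-1442", BOTH, (("8.0.0", "9.5.0"), ("10.0.0", "10.1.0")), False),
    # Placeholder id for the CVE that makes 9.1.1 the vulnerable case.
    CveRecord("CVE-YYYY-NNNN", BOTH, (("9.0.0", "9.2.0"),), True),
)


def expected_cves(package, version, records=RECORDS, require_nvd_analyzed=True):
    """CVEs the detector is expected to report for package/version.

    A CVE counts only if it applies to this package (not just the enterprise
    build) and, by default, only once NVD has analysed it; that second rule is
    what makes 8.5.27 usable as the non-vulnerable baseline for now.
    """
    return {
        r.cve for r in records
        if package in r.packages
        and is_affected(version, r)
        and (r.nvd_analyzed or not require_nvd_analyzed)
    }


def upgrade_scenario(package, old, new, records=RECORDS):
    """Check that an old -> new upgrade covers the non-vulnerable -> vulnerable transition."""
    before = expected_cves(package, old, records)
    after = expected_cves(package, new, records)
    return {"clean_before": not before, "new_detections": after - before}


def mark_analyzed(records, cve):
    """Return a copy of records with one CVE flipped to NVD-analysed (the future case)."""
    return tuple(replace(r, nvd_analyzed=True) if r.cve == cve else r for r in records)


if __name__ == "__main__":
    print("grafana 8.5.27 now:", expected_cves("grafana", "8.5.27"))
    print("grafana 8.5.27 -> 9.1.1:", upgrade_scenario("grafana", "8.5.27", "9.1.1"))
    later = mark_analyzed(RECORDS, "CVE-2024-1442")
    print("after NVD validation, 9.5.17 -> 10.0.0:",
          upgrade_scenario("grafana", "9.5.17", "10.0.0", later))
```

Running `mark_analyzed(RECORDS, "CVE-2024-1442")` reproduces the planned switch: once that CVE is treated as analysed, 8.5.27 stops being clean and the 9.5.17 to 10.0.0 upgrade becomes the pair that exercises the transition.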

@Rebits
Member Author

Rebits commented May 14, 2024

Moving ETA to allow testing and review.
Delay motivated by the package change.

Testing is only planned for the setup fixture due to known issues regarding the detection of vulnerabilities in Grafana packages (https://github.com/wazuh/intelligence-data/issues/233).

@Rebits
Member Author

Rebits commented May 16, 2024

Detected errors in the teardown method. In addition, it seems that no vulnerabilities are being collected by the test. Further research is required.

@Rebits
Member Author

Rebits commented May 20, 2024

Currently testing among different E2E fixes. Check #5397 for more information.

@Rebits
Member Author

Rebits commented May 21, 2024

Created custom branch to test all E2E fixes: tmp-merge-fixes-E2E-tests

Build: https://ci.wazuh.info/job/Test_e2e_system/289/

@santipadilla
Member

LGTM
