JS: Manually adjust some security-severity scores #6815

Merged
merged 4 commits into from Oct 7, 2021

Conversation

@asgerf asgerf commented Oct 5, 2021

This PR adjusts some of the security-severity scores to better reflect the quality of the queries producing the alerts.

  • Queries with speculative threat model
    Some queries use a speculative threat model, e.g. by using library inputs or environment variables as taint sources. This was generally reflected in the old precision/severity metadata, but not in the security-severity. For these queries, I've updated the scores using the CVSS calculator by setting 'Attack Complexity' to High and 'User Interaction' to Low (as opposed to None).

  • Tainted format string
    The CWE number for the TaintedFormatString query is associated with buffer overflows from printf/scanf-style functions in C++, which is probably why it had a high derived security-severity score (9.3). But in JavaScript, a tainted format string is unlikely to lead to anything worse than log injection, so I've manually updated its score to reflect this (7.3).

  • Loop bound injection
    The LoopBoundInjection query is a denial-of-service query, but was missing the CWE-730 tag
    ("denial of service") and had a lower score than the other DoS queries. I've added the CWE tag and
    updated its security-severity to match the other denial-of-service queries.

  • Code injection query
    The derived security-severity score of the JS CodeInjection query was much lower than for other languages (6.1 versus 9.3), possibly due to some differences in CWE tags, such as the inclusion of CWE-079. I've also added the more specific CWE-095 ("eval injection") for consistency with other languages. It is a child of the already-used CWE-094 ("code injection").

asgerf added 4 commits Oct 5, 2021
In the CVSS calculator we model this by setting 'Attack Complexity' to
High and 'User Interaction' to Low (as opposed to None).

CVSS vector:
  CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N

The CWE number for this query is associated with buffer overflows
from printf/scanf-style functions in C++, which has likely determined
its derived security score.

But in JavaScript, a tainted format string is unlikely to lead to
anything worse than log injection, so we're manually updating its score
to reflect this.

This is a denial-of-service query, but was missing the CWE-730 tag
("denial of service") and consequently had a lower score than the
other DoS queries.

The derived security-severity score of the JS code injection query
was much lower than for other languages (6.1 versus 9.3), possibly due
to some differences in CWE tags, such as the inclusion of CWE-079.

We also add the more specific CWE-095 ("eval injection") for consistency
with other languages. It is a child of CWE-094 ("code injection"), which
was already tagged.
esbena approved these changes Oct 5, 2021
@codeql-ci codeql-ci merged commit a0dd3d9 into github:main Oct 7, 2021
9 checks passed