JS: Manually adjust some security-severity scores #6815
Merged
+10 −8
In the CVSS calculator we model this by setting 'Attack Complexity' to High and 'User Interaction' to Low (as opposed to None). CVSS vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
The CWE number for this query is associated with buffer overflows from printf/scanf-style functions in C++, which has likely determined its derived security score. But in JavaScript, a tainted format string is unlikely to lead to anything worse than log injection, so we're manually updating its score to reflect this.
This is a denial-of-service query, but was missing the CWE-730 tag
("denial of service") and consequently had a lower score than the
other DoS queries.
The derived security-severity score of the JS code injection query
was much lower than for other languages (6.1 versus 9.3), possibly due to some differences in CWE tags, such as the inclusion of CWE-079.
We also add the more specific CWE-095 ("eval injection") for consistency
with other languages. It is a child of CWE-094 ("code injection") which
was already tagged.
esbena approved these changes on Oct 5, 2021
erik-krogh approved these changes on Oct 5, 2021
This PR adjusts some of the security-severity scores to better reflect the quality of the queries producing the alerts.
Queries with speculative threat model
Some queries use a speculative threat model, e.g. by using library inputs or environment variables as taint sources. This was generally reflected in the old precision/severity metadata, but not in the security-severity. For these queries, I've updated the scores using the CVSS calculator by setting 'Attack Complexity' to High and 'User Interaction' to Low (as opposed to None).
Tainted format string
The CWE number for the TaintedFormatString query is associated with buffer overflows from printf/scanf-style functions in C++, which is probably why it had a high derived security-severity score (9.3). But in JavaScript, a tainted format string is unlikely to lead to anything worse than log injection, so I've manually updated its score to reflect this (7.3).
Loop bound injection
The LoopBoundInjection query is a denial-of-service query, but was missing the CWE-730 tag ("denial of service") and had a lower score than the other DoS queries. I've added the CWE tag and updated its security-severity to match the other denial-of-service queries.
Code injection query
The derived security-severity score of the JS CodeInjection query was much lower than for other languages (6.1 versus 9.3), possibly due to some differences in CWE tags, such as the inclusion of CWE-079. I've also added the more specific CWE-095 ("eval injection") for consistency with other languages. It is a child of the already-used CWE-094 ("code injection").