Renovate reports security issue that pip-audit doesn't

[mueller-ma]

What would you like help with?

I think I found a bug

How are you running Renovate?

Mend Renovate hosted app on github.com

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

No response

Please tell us more about your question or problem

Renovate reports two security issues for Python package ansible: mueller-ma/renovate-reproduce#2

I'm using ansible==9.5.1, which shouldn't be affected: https://osv.dev/vulnerability/PYSEC-2021-125

pip-audit doesn't find this issue:

$ pip-audit -r <(echo ansible==7.0.0)
Found 3 known vulnerabilities in 1 package
Name    Version ID                  Fix Versions
------- ------- ------------------- ------------
ansible 7.0.0   PYSEC-2020-220
ansible 7.0.0   PYSEC-2021-125
ansible 7.0.0   GHSA-jpvw-p8pr-9g2x 8.5.0
$ pip-audit -r <(echo ansible==9.5.1)
No known vulnerabilities found

Logs (if relevant)

No response

[rarkins]

@Churro I debugged this to here:

renovate/lib/workers/repository/process/vulnerabilities.ts

Lines 324 to 341 in 04f4edb

	private includedInRanges(
	depVersion: string,
	affected: Osv.Affected,
	versioningApi: VersioningApi,
	): boolean {
	for (const range of affected.ranges ?? []) {
	if (range.type === 'GIT') {
	continue;
	}
	let vulnerable = false;
	for (const event of this.sortEvents(range.events, versioningApi)) {
	if (
	is.nonEmptyString(event.introduced) &&
	(event.introduced === '0' ||
	this.isVersionGtOrEq(depVersion, event.introduced, versioningApi))
	) {
	vulnerable = true;

It seems to return vulnerable=true without checking the fixed version?

[Churro]

The advisory doesn't include a fixed version but also no version range, only a list of affected versions. I'd be able to take a closer look at this tomorrow.

[Churro]

As promised, I did some in-depth research on this now:

• The OSV representation of PYSEC-2021-125 includes no fixed version and marks individual versions, as well as a version range from 0 to * (unlimited) as affected. ansible 9.5.1 isn't explicity listed but matched by this range definition.

  See here for full OSV entry of PYSEC-2021-125

  {
      "id": "PYSEC-2021-125",
      "details": "A flaw was found in Ansible where the secret information present in async_files are getting disclosed when the user changes the jobdir to a world readable directory. Any secret information in an async status file will be readable by a malicious user on that system. This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.",
      "aliases": [
          "CVE-2021-3532"
      ],
      "modified": "2023-11-08T04:06:09.524728Z",
      "published": "2021-06-09T12:15:00Z",
      "references": [
          {
              "type": "REPORT",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1956464"
          }
      ],
      "affected": [
          {
              "package": {
                  "name": "ansible",
                  "ecosystem": "PyPI",
                  "purl": "pkg:pypi/ansible"
              },
              "ranges": [
                  {
                      "type": "ECOSYSTEM",
                      "events": [
                          {
                              "introduced": "0"
                          }
                      ]
                  }
              ],
              "versions": [
                  "1.0",
                  "1.1",
                  "1.2",
                  "1.2.1",
                  "1.2.2",
                  "1.2.3",
                  "1.3.0",
                  "1.3.1",
                  "1.3.2",
                  "1.3.3",
                  "1.3.4",
                  "1.4",
                  "1.4.1",
                  "1.4.2",
                  "1.4.3",
                  "1.4.4",
                  "1.4.5",
                  "1.5",
                  "1.5.1",
                  "1.5.2",
                  "1.5.3",
                  "1.5.4",
                  "1.5.5",
                  "1.6",
                  "1.6.1",
                  "1.6.10",
                  "1.6.2",
                  "1.6.3",
                  "1.6.4",
                  "1.6.5",
                  "1.6.6",
                  "1.6.7",
                  "1.6.8",
                  "1.6.9",
                  "1.7",
                  "1.7.1",
                  "1.7.2",
                  "1.8",
                  "1.8.1",
                  "1.8.2",
                  "1.8.3",
                  "1.8.4",
                  "1.9.0",
                  "1.9.0.1",
                  "1.9.1",
                  "1.9.2",
                  "1.9.3",
                  "1.9.4",
                  "1.9.5",
                  "1.9.6",
                  "2.0.0",
                  "2.0.0.0",
                  "2.0.0.1",
                  "2.0.0.2",
                  "2.0.1.0",
                  "2.0.2.0",
                  "2.1.0.0",
                  "2.1.1.0",
                  "2.1.2.0",
                  "2.1.3.0",
                  "2.1.4.0",
                  "2.1.5.0",
                  "2.1.6.0",
                  "2.10.0",
                  "2.10.0a1",
                  "2.10.0a2",
                  "2.10.0a3",
                  "2.10.0a4",
                  "2.10.0a5",
                  "2.10.0a6",
                  "2.10.0a7",
                  "2.10.0a8",
                  "2.10.0a9",
                  "2.10.0b1",
                  "2.10.0b2",
                  "2.10.0rc1",
                  "2.10.1",
                  "2.10.2",
                  "2.10.3",
                  "2.10.4",
                  "2.10.5",
                  "2.10.6",
                  "2.10.7",
                  "2.2.0.0",
                  "2.2.1.0",
                  "2.2.2.0",
                  "2.2.3.0",
                  "2.3.0.0",
                  "2.3.1.0",
                  "2.3.2.0",
                  "2.3.3.0",
                  "2.4.0.0",
                  "2.4.1.0",
                  "2.4.2.0",
                  "2.4.3.0",
                  "2.4.4.0",
                  "2.4.5.0",
                  "2.4.6.0",
                  "2.5.0",
                  "2.5.0a1",
                  "2.5.0b1",
                  "2.5.0b2",
                  "2.5.0rc1",
                  "2.5.0rc2",
                  "2.5.0rc3",
                  "2.5.1",
                  "2.5.10",
                  "2.5.11",
                  "2.5.12",
                  "2.5.13",
                  "2.5.14",
                  "2.5.15",
                  "2.5.2",
                  "2.5.3",
                  "2.5.4",
                  "2.5.5",
                  "2.5.6",
                  "2.5.7",
                  "2.5.8",
                  "2.5.9",
                  "2.6.0",
                  "2.6.0a1",
                  "2.6.0a2",
                  "2.6.0rc1",
                  "2.6.0rc2",
                  "2.6.0rc3",
                  "2.6.0rc4",
                  "2.6.0rc5",
                  "2.6.1",
                  "2.6.10",
                  "2.6.11",
                  "2.6.12",
                  "2.6.13",
                  "2.6.14",
                  "2.6.15",
                  "2.6.16",
                  "2.6.17",
                  "2.6.18",
                  "2.6.19",
                  "2.6.2",
                  "2.6.20",
                  "2.6.3",
                  "2.6.4",
                  "2.6.5",
                  "2.6.6",
                  "2.6.7",
                  "2.6.8",
                  "2.6.9",
                  "2.7.0",
                  "2.7.0.dev0",
                  "2.7.0a1",
                  "2.7.0b1",
                  "2.7.0rc1",
                  "2.7.0rc2",
                  "2.7.0rc3",
                  "2.7.0rc4",
                  "2.7.1",
                  "2.7.10",
                  "2.7.11",
                  "2.7.12",
                  "2.7.13",
                  "2.7.14",
                  "2.7.15",
                  "2.7.16",
                  "2.7.17",
                  "2.7.18",
                  "2.7.2",
                  "2.7.3",
                  "2.7.4",
                  "2.7.5",
                  "2.7.6",
                  "2.7.7",
                  "2.7.8",
                  "2.7.9",
                  "2.8.0",
                  "2.8.0a1",
                  "2.8.0b1",
                  "2.8.0rc1",
                  "2.8.0rc2",
                  "2.8.0rc3",
                  "2.8.1",
                  "2.8.10",
                  "2.8.11",
                  "2.8.12",
                  "2.8.13",
                  "2.8.14",
                  "2.8.15",
                  "2.8.16",
                  "2.8.16rc1",
                  "2.8.17",
                  "2.8.17rc1",
                  "2.8.18",
                  "2.8.18rc1",
                  "2.8.19",
                  "2.8.19rc1",
                  "2.8.2",
                  "2.8.20",
                  "2.8.20rc1",
                  "2.8.3",
                  "2.8.4",
                  "2.8.5",
                  "2.8.6",
                  "2.8.7",
                  "2.8.8",
                  "2.8.9",
                  "2.9.0",
                  "2.9.0b1",
                  "2.9.0rc1",
                  "2.9.0rc2",
                  "2.9.0rc3",
                  "2.9.0rc4",
                  "2.9.0rc5",
                  "2.9.1",
                  "2.9.10",
                  "2.9.11",
                  "2.9.12",
                  "2.9.13",
                  "2.9.14",
                  "2.9.14rc1",
                  "2.9.15",
                  "2.9.15rc1",
                  "2.9.16",
                  "2.9.16rc1",
                  "2.9.17",
                  "2.9.17rc1",
                  "2.9.18",
                  "2.9.18rc1",
                  "2.9.19",
                  "2.9.19rc1",
                  "2.9.2",
                  "2.9.20",
                  "2.9.20rc1",
                  "2.9.21",
                  "2.9.21rc1",
                  "2.9.22",
                  "2.9.22rc1",
                  "2.9.23",
                  "2.9.23rc1",
                  "2.9.24",
                  "2.9.24rc1",
                  "2.9.25",
                  "2.9.25rc1",
                  "2.9.3",
                  "2.9.4",
                  "2.9.5",
                  "2.9.6",
                  "2.9.7",
                  "2.9.8",
                  "2.9.9",
                  "3.0.0",
                  "3.0.0b1",
                  "3.0.0rc1",
                  "3.1.0",
                  "3.2.0",
                  "3.3.0",
                  "3.4.0",
                  "4.0.0",
                  "4.0.0a1",
                  "4.0.0a2",
                  "4.0.0a3",
                  "4.0.0a4",
                  "4.0.0b1",
                  "4.0.0b2",
                  "4.0.0rc1",
                  "4.1.0",
                  "4.2.0",
                  "4.3.0",
                  "4.4.0",
                  "4.5.0",
                  "2.9.26rc1",
                  "2.9.26",
                  "4.6.0",
                  "2.9.27rc1",
                  "5.0.0a1",
                  "2.9.27",
                  "4.7.0",
                  "5.0.0a2",
                  "4.8.0",
                  "5.0.0a3",
                  "5.0.0b1",
                  "5.0.0b2",
                  "5.0.0rc1",
                  "4.9.0",
                  "5.0.0",
                  "5.0.1",
                  "4.10.0",
                  "5.1.0",
                  "5.2.0",
                  "5.3.0",
                  "5.4.0",
                  "5.5.0",
                  "5.6.0",
                  "6.0.0a1",
                  "5.7.0",
                  "5.7.1",
                  "6.0.0a2",
                  "6.0.0a3",
                  "5.8.0",
                  "6.0.0b1",
                  "6.0.0b2",
                  "5.9.0",
                  "6.0.0rc1",
                  "6.0.0",
                  "5.10.0",
                  "6.1.0",
                  "6.2.0",
                  "6.3.0",
                  "6.4.0",
                  "7.0.0a1",
                  "6.5.0",
                  "7.0.0a2",
                  "6.6.0",
                  "7.0.0b1",
                  "6.7.0",
                  "7.0.0",
                  "7.0.0rc1",
                  "7.1.0",
                  "7.2.0"
              ],
              "database_specific": {
                  "source": "https://github.com/pypa/advisory-database/blob/main/vulns/ansible/PYSEC-2021-125.yaml"
              }
          }
      ],
      "schema_version": "1.6.0",
      "_id": "A2ihVBSNaWAaillz"
  }

• As per OSV schema, "A version is considered affected if it lies within any one of the ranges or is listed in the versions list." (see here). This implies that a list of affected versions and range definition can co-occur. The schema also mentions an equivalent example, in which every version is affected (see here).

• The OSV evaluation in renovate follows the reference pseudocode as much as feasible. I've now also cross-checked it with the implementation in osv-scanner, which didn't exist back then when adding this to renovate, and find no logical differences (see here).

It would be simple now to argue that the advisory is flawed, as the range definition is obsolete and also not accurate.

What makes this case interesting is that running osv-scanner scan requirements.txt on the reproduction repo shows no vulnerabilities, whereas running osv-scanner scan --experimental-local-db requirements.txt flags PYSEC-2021-125. The difference is that the first osv-scanner invocation basically does curl -d '{"package": {"name": "ansible"}, "version": "9.5.1"}' "https://api.osv.dev/v1/query", whereas the call with --experimental-local-db uses the code mentioned before.

So summarizing, the OSV evaluation logic in renovate seems to be correct and compliant with the OSV schema.

Potential options I can think of how to proceed here:

• Make a PR here to fix the upstream advisory and remove the superfluous range. Since CVE-2021-3532 is an alias of this vulnerability and the advisory has been rejected (see here), PYSEC-2021-125 should probably just be deleted. Then wait for OSV to fetch the update.
• Follow-up on the osv-scanner discrepancy because obviously the "online mode" in osv-scanner uses a different evaluation logic, e.g. "ignore range if there is a list of versions present". Not sure in how many further packages this is the case but that's something one could figure out.

[rarkins]

Thanks for the great analysis! It's a strange coincidence that the first occurrence we've seen of this problem also happens to be a withdrawn/rejected CVE.

I wonder if we should have any special handling for "0 to * (unlimited)" to make sure it's not a mistake, although in this case did the reporters of this (invalid) CVE intend to mean "all known versions are affected"?

[Churro]

I wonder if we should have any special handling for "0 to * (unlimited)" to make sure it's not a mistake, although in this case did the reporters of this (invalid) CVE intend to mean "all known versions are affected"?

"0 to unlimited" can happen in practice when every version of a library has an issue and no fix is available yet. After some time, advisories are usually updated with more precise constraints. I recall having seen this, e.g., with guava and log4j a while ago. In this case, it's questionable if any version is affected, since RedHat, as the authority that initially issued CVE-2021-3532, has retracted it stating that it's not a vulnerability (see here).

[mueller-ma]

I opened an issue for PYSEC-2021-125: pypa/advisory-database#182