support for optional fields #22

Merged
merged 4 commits into from
Dec 26, 2024
10 changes: 7 additions & 3 deletions README.md
Expand Up @@ -66,28 +66,32 @@ git push origin vulnerability-branch-name

## Guidelines for JSON Fields

Required Fields:
- `package_name`: Name of the affected package.
- `patch_versions`: Array of versions that fix the issue.
- `vulnerable_ranges`: Array of ranges that are vulnerable. If all versions are vulnerable, add string `"*"`.
- `cwe`: Array of related CWE identifiers.
- `tldr`: A short but concise description of the vulnerability.
- `doest_this_affect_me`: A short explanation in which cases the vulnerability affects the user.
- `how_to_fix`: A short explanation on how to fix the vulnerability.
- `reporter`: Feel free to add your name or company name. Otherwise, leave it empty.
- `vulnerable_to`: The type of attack.
- `related_cve_id`: If a CVE ID already exists (with incorrect information), add the CVE ID here. Otherwise, leave it empty.
- `language`: The programming language of the package (e.g., `js`, `python`, `php`).
- `severity_class`: Severity classification (`LOW`, `MEDIUM`, `HIGH`, `CRITICAL`).
- `aikido_score`: The vulnerability score on a scale of 0-100 (0 is least severe, 100 is most severe).
- `changelog`: The url of the changelog where this vulnerability got fixed.
- `published`: Do not add this field. It will be automatically added by GitHub Actions.
- `last_modified`: Do not add this field. It will be automatically added by GitHub Actions.

Optional Fields:
- `reporter`: Feel free to add your name or company name. Otherwise, leave it empty.
- `package_name_alias`: If the package name is an alias, add the original package name here.
- `package_wildcard_ends_in`: If you want to match partial package names, add the ending here.
- `package_wildcard_contains`: If you want to match partial package names, add the containing string here.
- `extra_specific_non_vulnerable_versions`: If there are specific versions that are not vulnerable, regardles of the version range, add them here.
- `unaffected_distros`: If there are specific distributions that are not vulnerable, regardles of the version range, add them here.
- `simplify_version_if_has_patch_part`: If the version has a patch part in format `9.6_p2-r0+deb9u1`, Aikido will only match on the 9.6 part. Set this to `true` if this is the case.
- `published`: Do not add this field. It will be automatically added by GitHub Actions.
- `last_modified`: Do not add this field. It will be automatically added by GitHub Actions.


Refer to existing files in the repository for examples.

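Review bot: `published` and `last_modified` are now listed under Optional Fields, yet the same lines say they are added automatically by GitHub Actions, and the test in this PR still checks their date format on committed entries; listing them as optional invites contributors to add them by hand. A third heading such as "Automatically added fields" for those two would match the behaviour. Two smaller points in the same list: `reporter` keeps the wording "Otherwise, leave it empty" although it is now optional and omitted from the template, so "Otherwise, omit it" is the accurate instruction, and "regardles" on the `extra_specific_non_vulnerable_versions` and `unaffected_distros` lines should read "regardless".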
Expand Down
9 changes: 1 addition & 8 deletions input/new.json
Expand Up @@ -6,17 +6,10 @@
"tldr": "",
"doest_this_affect_me": "",
"how_to_fix": "",
"reporter": "",
"vulnerable_to": "",
"related_cve_id": "",
"language": "",
"severity_class": "",
"aikido_score": 0,
"changelog": "",
"package_name_alias": null,
"package_wildcard_ends_in": null,
"package_wildcard_contains": null,
"extra_specific_non_vulnerable_versions": null,
"unaffected_distros": null,
"simplify_version_if_has_patch_part": false
"changelog": ""
}
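Review bot: this file is compared byte-for-byte against `newVulnerabilityEmptyTemplate` in tests/validVulnerability.test.js via `JSON.stringify`, so its key order and every value must stay identical to that constant; the same seven fields are dropped in both places here, which keeps them in sync for now, but loading this file as the template inside the test (or generating the file from the constant) would remove the duplicated definition and the risk of silent drift.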
63 changes: 50 additions & 13 deletions tests/validVulnerability.test.js
Expand Up @@ -3,7 +3,34 @@ const path = require("path");

const vulnerabilitiesDir = path.join(__dirname, "../vulnerabilities");
const newVulnerabilityDir = path.join(__dirname, "../input");
const newVulnerabilityEmptyTemplate = {"package_name":"","patch_versions":[],"vulnerable_ranges":[],"cwe":[],"tldr":"","doest_this_affect_me":"","how_to_fix":"","reporter":"","vulnerable_to":"","related_cve_id":"","language":"","severity_class":"","aikido_score":0,"changelog":"","package_name_alias":null,"package_wildcard_ends_in":null,"package_wildcard_contains":null,"extra_specific_non_vulnerable_versions":null,"unaffected_distros":null,"simplify_version_if_has_patch_part":false};
const newVulnerabilityEmptyTemplate = {"package_name":"","patch_versions":[],"vulnerable_ranges":[],"cwe":[],"tldr":"","doest_this_affect_me":"","how_to_fix":"","vulnerable_to":"","related_cve_id":"","language":"","severity_class":"","aikido_score":0,"changelog":""};

const optionalFields = [
'reporter',
'package_name_alias',
'package_wildcard_ends_in',
'package_wildcard_contains',
'extra_specific_non_vulnerable_versions',
'unaffected_distros',
'simplify_version_if_has_patch_part',
'published',
'last_modified',
]
const requiredFields = [
'package_name',
'patch_versions',
'vulnerable_ranges',
'cwe',
'tldr',
'doest_this_affect_me',
'how_to_fix',
'vulnerable_to',
'related_cve_id',
'language',
'severity_class',
'aikido_score',
'changelog',
]

// Helper functions to load vulnerabilities
function readAllJsonFiles() {
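Review bot: `requiredFields` repeats exactly the keys of `newVulnerabilityEmptyTemplate` defined a few lines above it, so the two can drift apart; `const requiredFields = Object.keys(newVulnerabilityEmptyTemplate);` keeps a single source of truth. Also, `published` and `last_modified` are placed in `optionalFields` even though the README says they are added automatically; a separate `autoFields` array would let `assertValidFields` reject them in `new.json` while still accepting them in committed files. Style: both array literals lack the trailing semicolon the surrounding declarations use.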
Expand All @@ -25,6 +52,8 @@ function readAllJsonFiles() {

const newVulnerability = JSON.parse(fs.readFileSync(path.join(newVulnerabilityDir, "new.json"), "utf-8"));

assertValidFields(newVulnerability);

if(JSON.stringify(newVulnerability) !== JSON.stringify(newVulnerabilityEmptyTemplate)){
// ok changes made to new.json -> make sure to test it as well
vulnerabilities["new"] = newVulnerability;
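Review bot: `assertValidFields(newVulnerability)` runs inside `readAllJsonFiles`, i.e. during test setup rather than inside an `it` block, so an unsupported field in `input/new.json` fails the suite's setup with a stack trace instead of a named test. Consider returning the raw object here and asserting on it in a dedicated `it("new.json only uses supported fields", ...)` test, which also tells the contributor exactly which file is wrong.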
Expand All @@ -41,6 +70,19 @@ function listAllIds(vulnerabilities) {
return Object.keys(vulnerabilities)
}

function assertValidFields(vuln) {
// make sure all required fields are present
for (const requiredField of requiredFields) {
expect(vuln[requiredField]).toBeDefined();
}

// make sure no unsupported fields are introduced
for (const newField of Object.keys(vuln)) {
const possibleFields = [...requiredFields, ...optionalFields];
expect(possibleFields).toContain(newField);
}
}

// Tests
describe("Valid Vulnerabilities", () => {
let vulnerabilities;
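Review bot: `expect(vuln[requiredField]).toBeDefined()` passes when the value is `null`, so a file with `"related_cve_id": null` satisfies the required-field check here and only fails later in the per-field type assertions, if at all; `expect(vuln).toHaveProperty(requiredField)` combined with `expect(vuln[requiredField]).not.toBeNull()` makes the intent explicit. Minor: `possibleFields` is rebuilt on every iteration of the second loop; hoist it above the `for`, or define it once at module level next to the two arrays.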
Expand All @@ -57,13 +99,8 @@ describe("Valid Vulnerabilities", () => {
expect(typeof vuln.last_modified).toBe("string");
expect(vuln.published).toMatch(/^\d{4}-\d{2}-\d{2}$/);
expect(vuln.last_modified).toMatch(/^\d{4}-\d{2}-\d{2}$/);

const expectedKeys = [...Object.keys(newVulnerabilityEmptyTemplate), 'published', 'last_modified'];

expect(Object.keys(vuln).sort().join(',')).toBe(expectedKeys.sort().join(','));
}else{
expect(Object.keys(vuln).sort().join(',')).toBe(Object.keys(newVulnerabilityEmptyTemplate).sort().join(','));
}
assertValidFields(vuln);

expect(vuln.package_name).not.toBe("");
expect(Array.isArray(vuln.patch_versions)).toBe(true);
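Review bot: the removed lines include both `}else{` and the `}` that closed the `if` guarding the `published`/`last_modified` checks, while the only added line shown is `assertValidFields(vuln);`; the header `@@ -57,13 +99,8 @@` announces eight new lines but seven are displayed, so please confirm the `if` block still closes before `assertValidFields` runs for every entry. Behaviourally, the old `else` branch rejected `published` and `last_modified` in the `new` entry, whereas `assertValidFields` now accepts them as optional; if that is intended, say so in the README, otherwise keep an explicit assertion that the `new` entry has neither key.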
Expand All @@ -78,29 +115,29 @@ describe("Valid Vulnerabilities", () => {
expect(typeof vuln.aikido_score).toBe("number");
expect(typeof vuln.changelog).toBe("string");

if (vuln.package_name_alias !== null) {
if (vuln.package_name_alias !== undefined && vuln.package_name_alias !== null) {
expect(typeof vuln.package_name_alias).toBe("string");
}

if (vuln.package_wildcard_contains !== null) {
if (vuln.package_wildcard_contains !== undefined && vuln.package_wildcard_contains !== null) {
expect(typeof vuln.package_wildcard_contains).toBe("string");
}

if (vuln.extra_specific_non_vulnerable_versions !== null) {
if (vuln.extra_specific_non_vulnerable_versions !== undefined && vuln.extra_specific_non_vulnerable_versions !== null) {
expect(Array.isArray(vuln.extra_specific_non_vulnerable_versions)).toBe(
true
);
}

if (vuln.unaffected_distros !== null) {
if (vuln.unaffected_distros !== undefined && vuln.unaffected_distros !== null) {
expect(Array.isArray(vuln.unaffected_distros)).toBe(true);
}

if (vuln.simplify_version_if_has_patch_part !== null) {
if (vuln.simplify_version_if_has_patch_part !== undefined && vuln.simplify_version_if_has_patch_part !== null) {
expect(typeof vuln.simplify_version_if_has_patch_part).toBe("boolean");
}

if (vuln.reporter !== null) {
if (vuln.reporter !== undefined && vuln.reporter !== null) {
expect(typeof vuln.reporter).toBe("string");
}

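Review bot: every optional field except `package_wildcard_ends_in` gets a type check under the new `!== undefined && !== null` guard; it is the one README optional field that is never type-checked in this file, so add `if (vuln.package_wildcard_ends_in !== undefined && vuln.package_wildcard_ends_in !== null) { expect(typeof vuln.package_wildcard_ends_in).toBe("string"); }` alongside the others. The repeated double guard can be shortened to `!= null`, which covers both `undefined` and `null` in one comparison, if the project's lint rules allow loose equality.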
Expand Down
7 changes: 0 additions & 7 deletions vulnerabilities/AIKIDO-2023-10001.json
Expand Up @@ -20,19 +20,12 @@
"tldr": "Several security vulnerabilities were quietly patched in `axios` version 1.6.4 and version 0.29.0. Notably, a prototype pollution flaw impacted the `formDataToJSON` function, posing a significant risk. Additionally, a Regular Expression Denial of Service (ReDoS) vulnerability was identified and fixed in the `combineURLs` function.",
"doest_this_affect_me": "You are affected by this flaw if you use the formDataToJSON function. This is more likely to happen in a front-end than in a backend.",
"how_to_fix": "To fix, either freeze the prototype or upgrade to axios 1.6.4 or above.",
"reporter": null,
"vulnerable_to": "Prototype Pollution",
"related_cve_id": "",
"language": "JS",
"severity_class": "HIGH",
"aikido_score": 77,
"changelog": "https://github.com/axios/axios/releases/tag/v1.6.4",
"package_name_alias": null,
"package_wildcard_ends_in": null,
"package_wildcard_contains": null,
"extra_specific_non_vulnerable_versions": null,
"unaffected_distros": null,
"simplify_version_if_has_patch_part": false,
"published": "2024-02-01",
"last_modified": "2024-11-22"
}
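Review bot: dropping `"simplify_version_if_has_patch_part": false` changes the stored value from an explicit `false` to an absent key in this and the following data files; the updated test accepts either form, but please confirm the matcher that consumes these files treats a missing key as `false` rather than as an error. The `null` removals (`reporter`, `package_name_alias`, the wildcard and exclusion fields) are neutral only if that consumer uses an undefined-or-null check like the one this PR adds to the test.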
7 changes: 0 additions & 7 deletions vulnerabilities/AIKIDO-2024-10001.json
Expand Up @@ -15,19 +15,12 @@
"tldr": "A code injection vulnerability was silently addressed in version 3.1.1 of `lilconfig`, impacting all uses of the package in earlier versions.",
"doest_this_affect_me": "You are affected by this flaw if you use the 3.1.0 version of this package.",
"how_to_fix": "To fix, upgrade to `lilconfig` 3.1.1 or above.",
"reporter": null,
"vulnerable_to": "Code Injection",
"related_cve_id": "",
"language": "JS",
"severity_class": "MEDIUM",
"aikido_score": 50,
"changelog": "https://github.com/antonk52/lilconfig/releases/tag/v3.1.1",
"package_name_alias": null,
"package_wildcard_ends_in": null,
"package_wildcard_contains": null,
"extra_specific_non_vulnerable_versions": null,
"unaffected_distros": null,
"simplify_version_if_has_patch_part": false,
"published": "2024-02-23",
"last_modified": "2024-02-23"
}
7 changes: 0 additions & 7 deletions vulnerabilities/AIKIDO-2024-10002.json
Expand Up @@ -15,19 +15,12 @@
"tldr": "A Remote Code Execution (RCE) vulnerability was discreetly patched in version 6.0.0 of rpyc. This exploit is only possible when the server-side accesses the `__array__` attribute and invokes it, such as through `np.array(x)`.",
"doest_this_affect_me": "You are affected by this flaw if you use a version >= 4.0.0 and <= 5.3.1 of this package.",
"how_to_fix": "To fix, upgrade to `rpyc` 6.0.0 or above.",
"reporter": null,
"vulnerable_to": "Remote Code Execution (RCE)",
"related_cve_id": "CVE-2024-27758",
"language": "python",
"severity_class": "HIGH",
"aikido_score": 80,
"changelog": "https://github.com/tomerfiliba-org/rpyc/releases/tag/6.0.0",
"package_name_alias": null,
"package_wildcard_ends_in": null,
"package_wildcard_contains": null,
"extra_specific_non_vulnerable_versions": null,
"unaffected_distros": null,
"simplify_version_if_has_patch_part": false,
"published": "2024-02-26",
"last_modified": "2024-02-26"
}
7 changes: 0 additions & 7 deletions vulnerabilities/AIKIDO-2024-10003.json
Expand Up @@ -15,19 +15,12 @@
"tldr": "The connection to the FTPS server was insufficiently secured because the FTP library, by default, does not utilize SSL certificates.",
"doest_this_affect_me": "You are affected by this flaw if you use the FTP secure connection functionality and version 6.3.0 or 6.4.0 of this package.",
"how_to_fix": "To fix, upgrade to `smart-open` 7.0.0 or above.",
"reporter": null,
"vulnerable_to": "Man-in-the-middle attack",
"related_cve_id": "",
"language": "python",
"severity_class": "MEDIUM",
"aikido_score": 45,
"changelog": "https://github.com/piskvorky/smart_open/releases/tag/v7.0.0",
"package_name_alias": null,
"package_wildcard_ends_in": null,
"package_wildcard_contains": null,
"extra_specific_non_vulnerable_versions": null,
"unaffected_distros": null,
"simplify_version_if_has_patch_part": false,
"published": "2024-02-26",
"last_modified": "2024-02-26"
}
8 changes: 1 addition & 7 deletions vulnerabilities/AIKIDO-2024-10004.json
@@ -1,5 +1,6 @@
{
"package_name": "aws-cdk",
"package_name_alias": "aws-cdk-lib",
"patch_versions": [
"2.130.0"
],
Expand All @@ -15,19 +16,12 @@
"tldr": "Affected versions of this package allow attackers to forge log entries or inject malicious content into log files.",
"doest_this_affect_me": "You are affected by this flaw if you use a version >= 2.109.0 and <= 2.129.0 of this package.",
"how_to_fix": "To fix, upgrade to `aws-cdk` 2.130.0 or above.",
"reporter": null,
"vulnerable_to": "Log injection",
"related_cve_id": "",
"language": "python",
"severity_class": "LOW",
"aikido_score": 20,
"changelog": "https://github.com/aws/aws-cdk/releases/tag/v2.130.0",
"package_name_alias": "aws-cdk-lib",
"package_wildcard_ends_in": null,
"package_wildcard_contains": null,
"extra_specific_non_vulnerable_versions": null,
"unaffected_distros": null,
"simplify_version_if_has_patch_part": false,
"published": "2024-02-26",
"last_modified": "2024-02-26"
}
8 changes: 1 addition & 7 deletions vulnerabilities/AIKIDO-2024-10005.json
@@ -1,5 +1,6 @@
{
"package_name": "aws-cdk",
"package_name_alias": "aws-cdk-lib",
"patch_versions": [
"2.130.0"
],
Expand All @@ -15,19 +16,12 @@
"tldr": "Affected versions of this package allow attackers to forge log entries or inject malicious content into log files.",
"doest_this_affect_me": "You are affected by this flaw if you use a version >= 2.109.0 and <= 2.129.0 of this package.",
"how_to_fix": "To fix, upgrade to `aws-cdk` 2.130.0 or above.",
"reporter": null,
"vulnerable_to": "Log injection",
"related_cve_id": "",
"language": "JS",
"severity_class": "LOW",
"aikido_score": 20,
"changelog": "https://github.com/aws/aws-cdk/releases/tag/v2.130.0",
"package_name_alias": "aws-cdk-lib",
"package_wildcard_ends_in": null,
"package_wildcard_contains": null,
"extra_specific_non_vulnerable_versions": null,
"unaffected_distros": null,
"simplify_version_if_has_patch_part": false,
"published": "2024-02-26",
"last_modified": "2024-02-26"
}
7 changes: 0 additions & 7 deletions vulnerabilities/AIKIDO-2024-10006.json
Expand Up @@ -15,19 +15,12 @@
"tldr": "Affected versions of this package present a security risk due to the use of `innerHTML` for injecting CSS into `<style>` elements in `bootstrap-lazy.ts`. Switching to `textContent` mitigates the risk of executing malicious scripts. This is considered a low-risk issue, as most browser extensions block such behavior by default.",
"doest_this_affect_me": "You are affected by this flaw if you use a version >= 4.7.2 and <= 4.12.2 of this package.",
"how_to_fix": "To fix, upgrade to version 4.12.3 or above.",
"reporter": null,
"vulnerable_to": "CSS injection",
"related_cve_id": "",
"language": "JS",
"severity_class": "LOW",
"aikido_score": 7,
"changelog": "https://github.com/ionic-team/stencil/releases/tag/v4.12.3",
"package_name_alias": null,
"package_wildcard_ends_in": null,
"package_wildcard_contains": null,
"extra_specific_non_vulnerable_versions": null,
"unaffected_distros": null,
"simplify_version_if_has_patch_part": false,
"published": "2024-02-27",
"last_modified": "2024-02-27"
}
8 changes: 1 addition & 7 deletions vulnerabilities/AIKIDO-2024-10007.json
@@ -1,5 +1,6 @@
{
"package_name": "github.com/RobotsAndPencils/go-saml",
"package_wildcard_ends_in": "go-saml",
"patch_versions": [],
"vulnerable_ranges": [
[
Expand All @@ -13,19 +14,12 @@
"tldr": "Affected versions of this package are vulnerable to authentication bypass, as SAML signatures can be forged when the library is used.",
"doest_this_affect_me": "You use this package or any fork to authenticate users.",
"how_to_fix": "Stop using this library or check the Github advisory for advanced workarounds.",
"reporter": null,
"vulnerable_to": "Authentication bypass",
"related_cve_id": "CVE-2023-48703",
"language": "Go",
"severity_class": "CRITICAL",
"aikido_score": 100,
"changelog": "https://securitylab.github.com/advisories/GHSL-2023-121_go-saml__archived_/",
"package_name_alias": null,
"package_wildcard_ends_in": "go-saml",
"package_wildcard_contains": null,
"extra_specific_non_vulnerable_versions": null,
"unaffected_distros": null,
"simplify_version_if_has_patch_part": false,
"published": "2024-03-01",
"last_modified": "2024-03-01"
}
8 changes: 1 addition & 7 deletions vulnerabilities/AIKIDO-2024-10008.json
@@ -1,5 +1,6 @@
{
"package_name": "tomcat-embed-core",
"package_wildcard_ends_in": "tomcat-catalina",
"patch_versions": [
"10.1.19",
"9.0.86",
Expand All @@ -25,19 +26,12 @@
"tldr": "Affected versions of this package are vulnerable to a Denial of Service (DoS) attack if the Tomcat server is configured to allow HTTP/2 requests.",
"doest_this_affect_me": "You are affected if you use Tomcat (within the affected versions) to process HTTP/2 requests without a load balancer in front of it.",
"how_to_fix": "Upgrade `Tomcat` to any of the patched versions.",
"reporter": null,
"vulnerable_to": "DOS",
"related_cve_id": "CVE-2024-24549",
"language": "Java",
"severity_class": "HIGH",
"aikido_score": 75,
"changelog": "https://www.cve.org/CVERecord?id=CVE-2024-24549",
"package_name_alias": null,
"package_wildcard_ends_in": "tomcat-catalina",
"package_wildcard_contains": null,
"extra_specific_non_vulnerable_versions": null,
"unaffected_distros": null,
"simplify_version_if_has_patch_part": false,
"published": "2024-03-13",
"last_modified": "2024-03-13"
}