Supported CVEs for reachability analysis
Supported
Fluid Attacks informs of reachability status at the following levels:
- Latent: (a) A vulnerable dependency is declared in the package manager, but (b) no file imports the dependency.
- Potential: (a) A vulnerable dependency is declared in the package manager, (b) the vulnerable dependency is imported in the code, but (c) the vulnerable function in the dependency is not called from the code.
- Reachable: (a) A vulnerable dependency is declared in the package manager, (b) the vulnerable dependency is imported in the code, and (c) the vulnerable function in the dependency is called from the code.
Below are two technical examples and an analogy for better comprehension:
Example 1 in JS (Node.js)
Example 2 in Python
Analogy
Example 1 in JS (Node.js)
package.json{
"name": "demo-app",
"version": "1.0.0",
"dependencies": {
"vulnLib": "1.2.3"
}
}// LATENT: Library declared in package.json but not imported nor used
console.log("Hello world");
// POTENTIAL: Library imported but vulnerable function not used
import vulnLib from 'vulnLib',
console.log("Library loaded but dangerous function not used")
// REACHABLE: Library imported and vulnerable function is used
import vulnLib from 'vulnLib',
vulnLib.dangerousFunction(); // <- Risk activated// REACHABLE: Library imported and vulnerable function is used// REACHABLE: Library imported and vulnerable function is used
Example 2 in Python
requirements.txtvuln-lib==1.2.3
app.py# LATENT: Library declared in requirements.txt but not imported nor used
print("Hello world")
# POTENTIAL: Library imported but vulnerable function not used
import vuln_lib
print("Library loaded but dangerous function not used")
# REACHABLE: Library imported and vulnerable function is used
import vuln_lib
vuln_lib.dangerousFunction() # <- Risk activated// REACHABLE: Library imported and vulnerable function is used// REACHABLE: Library imported and vulnerable function is used
Analogy
- Latent
- The book is in the library (declared), but
- you do not read any chapter (not imported).
- Potential
- The book is in the library (declared),
- you start reading any chapter (imported), but
- you do not read the faulty chapter.
- Reachable
- The book is in the library (declared),
- you start reading any chapter (imported), and
- you read the faulty chapter and use it as a reference for your MBA thesis.
Latent and Potential
At the Latent and Potential levels, Fluid Attacks supports all CVEs (or other advisories) issued about vulnerable third-party dependencies or libraries in reliable vulnerability databases and written in all supported languages and package managers. See the list of sources in Vulnerability signature update.
Reachable
Currently, Fluid Attacks has methods to detect when software effectively calls known vulnerable functions reported in the CVE entries/advisories shown in the following table, where they are classified by the programming language in which the functions are written:
|
Language
|
CVE IDs
|
Methods
|
|
C#
|
3
|
|
|
Dart
|
1
|
|
|
Go
|
1
|
|
|
Java
|
6
|
|
|
JavaScript
|
45
|
|
|
Kotlin
|
1
|
|
|
PHP
|
1
|
|
|
Python
|
12
|
|
|
Ruby
|
4
|
|
|
Scala
|
1
|
|
|
Swift
|
1
|
|
|
TypeScript
|
|
45
|
|
|
Total methods
|
121
|
Unsupported
Latent and Potential
At the Latent and Potential levels, Fluid Attacks' testing does not support CVEs/advisories outside its supported databases and supported languages and packages.
Reachable
At the Reachable level, Fluid Attacks' analysis does not support any CVE/advisory corresponding to vulnerabilities in software libraries not listed in the above table.
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.