DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0
2.67k stars 574 forks

spring framework vulnerability not detected (CVE-2022-22968) #1582

Open ajendrosch2 opened 2 years ago

ajendrosch2 commented 2 years ago

The defect may already be reported! Please search for the defect before creating one.

Current Behavior:

Analysis of a project's SBOM does not show any vulnerabilities although the project is affected. The project includes spring-core v5.3.18, which is affected by the following vulnerability: https://tanzu.vmware.com/security/cve-2022-22968.

Steps to Reproduce:

(Extract of the created SBOM)


{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "serialNumber": "urn:uuid:9369d571-2077-45ea-885a-2faddd4baaf4",
  "version": 1,
  "metadata": {
    "timestamp": "2022-05-04T08:22:36Z",
    "tools": [
      {
        "vendor": "OWASP",
        "name": "Dependency-Track",
        "version": "4.3.6"
      }
    ],
    "component": {
      "name": "component",
      "version": "main",
      "type": "library"
    }
  },
  "components": [
    {
      "group": "org.springframework",
      "name": "spring-core",
      "version": "5.3.18",
      "description": "Spring Core",
      "hashes": [
        {
          "alg": "MD5",
          "content": "91eb16af497ab752763f5bb24e1239e7"
        },
        {
          "alg": "SHA-1",
          "content": "7ff3000f3342989cb011b6095a0e86f2e5176cef"
        },
        {
          "alg": "SHA-256",
          "content": "ca6fbdcf571fe1ee036d8e0b990175169baf629d38a8714f59e0e0fdc8f7a361"
        },
        {
          "alg": "SHA-512",
          "content": "0b687ac0ae4ca715a451f50a221bb317fec0fc5bfec5962454a91bb0158da6ad49a79ded964158a2bbdc5733cc829489b9ee56759684644a757d613daaf18dd1"
        },
        {
          "alg": "SHA3-256",
          "content": "8190f9815df340fe3019584d8b6f72b091f82f82663ea9597ceeb18295631528"
        },
        {
          "alg": "SHA3-512",
          "content": "e5d8c1ca790bf535db1330a061629a11cd26445cd0d81412dbf1525966796cdfe560e690b0d30de7ebb3f54eb8e8c63fc1f82eb819a270020161e2005d7a7a3d"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "Apache-2.0"
          }
        }
      ],
      "purl": "pkg:maven/org.springframework/spring-core@5.3.18?type=jar",
      "type": "library",
      "bom-ref": "e72c0b82-31b2-4293-935a-5b8bfc935c92"
    }
  ],
  "services": []
}

Expected Behavior:

something like produced by grype:

grype sbom:/Users/user/Downloads/spring-core-sbom.json -o table
 ✔ Vulnerability DB        [updated]
 ✔ Scanned image           [1 vulnerabilities]
[0005]  WARN some package(s) are missing CPEs. This may result in missing vulnerabilities. You may autogenerate these using: --add-cpes-if-none

NAME         INSTALLED  FIXED-IN  TYPE          VULNERABILITY        SEVERITY
spring-core  5.3.18     5.3.19    java-archive  GHSA-g5mm-vmx4-3rg7  Low

Environment:

Additional Details:


nscuro commented 2 years ago

Hi @ajendrosch2, have you enabled GitHub Advisories support in the settings?

I tested with the SBOM you provided and DT correctly detected the vulnerability:

[screenshot: Dependency-Track findings for the uploaded SBOM]

stevespringett commented 2 years ago

OSS Index does not discover the vulnerability, but GitHub Advisories do. Support for GitHub Advisories was introduced in Dependency-Track v4.4. So the options are to either 1) report the issue to OSS Index and wait for them to correct, or 2) update to v4.4 and enable GHSA.

valentijnscholten commented 2 years ago

The NVD covers the CVE, but DT doesn't seem to match that. Is it because there's no CPE in the BOM? Still trying to understand the matching model of DT. Is this documented somewhere? The code seems to show an attempt to do "fuzzy cpe matching", depending on some config flags?

EDIT: Didn't look deep enough, fuzzy matching is not implemented yet. I think there's a PR where it's being worked on.

stevespringett commented 2 years ago

Fuzzy matching will likely be an optional capability in DT 4.5 or 4.6. It is not implemented now.

Refer to:

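The practical check behind this thread is whether a component in the BOM can be matched at all by a given analyzer: OSS Index and GHSA key on the purl, while NVD matching keys on a CPE, and the component above has a purl but no `cpe` field. The script below is an added example for this issue (not Dependency-Track, grype or OSS Index code): it parses a trimmed copy of the issue's CycloneDX BOM, reports components that carry a purl but no CPE, applies a purl plus version-range match of the kind GHSA-backed scanners perform, and shows what adding a CPE to the component looks like. The advisory record is constructed from the grype output in the issue (FIXED-IN 5.3.19); its introduced version, and the `ASSUMED_CPE` string, are assumptions made for illustration and are not taken from the page.

```python
"""Audit a CycloneDX JSON BOM: flag purl-only components (no CPE) and run a
purl-based version-range match like GHSA-backed scanners do.
Added example for this issue thread; not Dependency-Track code."""
import json
import re

# Trimmed copy of the BOM posted in the issue (hashes and licenses dropped).
BOM_JSON = r'''{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "version": 1,
  "components": [
    {
      "group": "org.springframework",
      "name": "spring-core",
      "version": "5.3.18",
      "purl": "pkg:maven/org.springframework/spring-core@5.3.18?type=jar",
      "type": "library",
      "bom-ref": "e72c0b82-31b2-4293-935a-5b8bfc935c92"
    }
  ]
}'''

# Constructed advisory record: ids and FIXED-IN from the grype output in the
# issue; the introduced version is an assumption for illustration only.
ADVISORIES = [
    {
        "id": "GHSA-g5mm-vmx4-3rg7",
        "aliases": ["CVE-2022-22968"],
        "purl_type": "maven",
        "namespace": "org.springframework",
        "name": "spring-core",
        "introduced": "5.3.0",
        "fixed": "5.3.19",
    }
]

# Assumption: an NVD-style CPE for this artifact, used only to show what the
# component would need for CPE-based matching. Not taken from the page.
ASSUMED_CPE = "cpe:2.3:a:vmware:spring_framework:5.3.18:*:*:*:*:*:*:*"


def parse_purl(purl: str) -> dict:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into parts.
    Percent-decoding is omitted; the Maven coordinates here contain none."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    rest = purl[len("pkg:"):]
    rest, _, subpath = rest.partition("#")
    rest, _, qualifier_str = rest.partition("?")
    if "@" in rest:
        rest, version = rest.rsplit("@", 1)
    else:
        version = ""
    parts = rest.split("/")
    qualifiers = dict(q.split("=", 1) for q in qualifier_str.split("&") if q)
    return {
        "type": parts[0],
        "namespace": "/".join(parts[1:-1]),
        "name": parts[-1],
        "version": version,
        "qualifiers": qualifiers,
        "subpath": subpath,
    }


def version_key(version: str) -> tuple:
    """Numeric-tuple ordering for dotted versions; non-numeric parts sort as 0.
    Simplified relative to Maven's ComparableVersion (no qualifier ordering)."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.-]", version))


def is_affected(purl: str, adv: dict) -> bool:
    """purl coordinates must match, then introduced <= version < fixed."""
    p = parse_purl(purl)
    if (p["type"], p["namespace"], p["name"]) != (adv["purl_type"], adv["namespace"], adv["name"]):
        return False
    v = version_key(p["version"])
    return version_key(adv["introduced"]) <= v < version_key(adv["fixed"])


def audit_bom(bom_text: str, advisories=ADVISORIES) -> list:
    """Per component: purl-range findings, plus whether CPE matching is possible."""
    findings = []
    for c in json.loads(bom_text).get("components", []):
        purl = c.get("purl")
        findings.append({
            "name": c.get("name"),
            "version": c.get("version"),
            "purl": purl,
            "cpe": c.get("cpe"),
            "cpe_matchable": bool(c.get("cpe")),  # NVD-style matching needs a CPE
            "vulns": [a["id"] for a in advisories if purl and is_affected(purl, a)],
        })
    return findings


def add_cpe(bom_text: str, bom_ref: str, cpe: str) -> str:
    """Return the BOM with a `cpe` field set on the component with that bom-ref."""
    bom = json.loads(bom_text)
    for c in bom.get("components", []):
        if c.get("bom-ref") == bom_ref:
            c["cpe"] = cpe
            return json.dumps(bom, indent=2)
    raise KeyError(f"no component with bom-ref {bom_ref}")


if __name__ == "__main__":
    for f in audit_bom(BOM_JSON):
        print(f"{f['name']} {f['version']}: vulns={f['vulns']} cpe_matchable={f['cpe_matchable']}")
```

Run as-is it flags spring-core 5.3.18 as inside the constructed range while reporting `cpe_matchable=False`, which is the situation the thread describes: a purl-keyed source can hit, a CPE-keyed source has nothing to key on. Whether a real CPE-based analyzer then matches depends on the CPE being the one the vulnerability database actually uses, so treat `ASSUMED_CPE` as a placeholder to verify against the database, not as a known-good value.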
valentijnscholten commented 2 years ago

I just reread the docs and the info is already there :-) It's a miracle how much more you can read when you're not on a mobile phone.

https://docs.dependencytrack.org/analysis-types/known-vulnerabilities/
https://docs.dependencytrack.org/FAQ/

Let's hope the upgrade to the OSS Index will reduce the number of vulnerabilities "missed" when having only a PURL.