Open stl543 opened 7 months ago
Can you please share the BOM you're uploading? Really the only relevant parts of the BOM are the components you're getting false positives on.
Just to give an example, CPEs support wildcards (*). If the BOM you're uploading uses CPEs like this:
cpe:2.3:a:*:mail:1.4.7:*:*:*:*:*:*:*
You will get matches with cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:* ( |<1.11.8 ), because * matches nextcloud, and 1.4.7 is smaller than 1.11.8.
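To make the mechanism described in the comment above concrete, the following is an added illustration (not Dependency-Track's own matching code) of attribute-by-attribute CPE 2.3 matching where a wildcard on either side matches anything, combined with a numeric version-range check. The CPE strings and the ( |<1.11.8 ) range come from this thread; the range-syntax parser and the javax.mail vendor CPE are constructed assumptions.

```python
import re

def parse_cpe(cpe: str) -> list[str]:
    """Split a CPE 2.3 formatted string into its 11 attributes after 'cpe:2.3'."""
    parts = cpe.split(":")
    if parts[:2] != ["cpe", "2.3"] or len(parts) != 13:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return parts[2:]  # part, vendor, product, version, update, ...

def version_key(v: str) -> tuple:
    """Numeric-aware key so 1.4.7 < 1.11.8 (plain string order would invert it)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}

def in_range(version: str, range_spec: str) -> bool:
    """Evaluate a range written like the thread's '( >=1.12.0|<1.12.9 )' or '( |<1.11.8 )'.
    An empty bound (the left side of '( |<1.11.8 )') means unbounded. Constructed syntax."""
    for cond in range_spec.strip("() ").split("|"):
        cond = cond.strip()
        if not cond:
            continue
        m = re.fullmatch(r"(>=|<=|>|<|=)\s*(.+)", cond)
        if not m:
            raise ValueError(f"bad bound: {cond}")
        if not _OPS[m.group(1)](version_key(version), version_key(m.group(2))):
            return False
    return True

def cpe_matches(component_cpe: str, vuln_cpe: str, version_range: str = "") -> bool:
    """'*' on either side matches any value, except that a vulnerable-CPE version
    of '*' is resolved against version_range (the '( |<1.11.8 )' part)."""
    comp, vuln = parse_cpe(component_cpe), parse_cpe(vuln_cpe)
    for idx, (c, v) in enumerate(zip(comp, vuln)):
        if idx == 3 and v == "*" and version_range:  # idx 3 is the version attribute
            if c == "*" or not in_range(c, version_range):
                return False
            continue
        if c != "*" and v != "*" and c != v:
            return False
    return True

VULN_CPE = "cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:*"          # from the thread
WILDCARD_VENDOR = "cpe:2.3:a:*:mail:1.4.7:*:*:*:*:*:*:*"        # from the thread
EXACT_VENDOR = "cpe:2.3:a:javax.mail:mail:1.4.7:*:*:*:*:*:*:*"  # constructed; vendor assumed

if __name__ == "__main__":
    print(cpe_matches(WILDCARD_VENDOR, VULN_CPE, "( |<1.11.8 )"))  # True: the false positive
    print(cpe_matches(EXACT_VENDOR, VULN_CPE, "( |<1.11.8 )"))     # False: vendor differs
```

A component whose vendor is pinned rather than wildcarded does not match the nextcloud CPE at all, which is why the later question about fuzzy CPE matching is the right one to ask.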
Hello! Thanks for your answer. The uploaded BOM doesn't contain any CPE information... Here are the parts dealing with the two artifacts (jcalendar and mail):
<components>
  <component type="library" bom-ref="pkg:maven/com.toedter/jcalendar@1.4?type=jar">
    <group>com.toedter</group>
    <name>jcalendar</name>
    <version>1.4</version>
    <scope>required</scope>
    <hashes>
      <hash alg="MD5">0a0863943cf89741c7a0c2721027446d</hash>
      <hash alg="SHA-1">180cf82b37b0c1324e7de33bd0114be7d86678cd</hash>
      <hash alg="SHA-256">284fcfbb7938d5b85bb0f540c712fa042521a4c50f4a5d47da02ba19bff291eb</hash>
      <hash alg="SHA-512">612a8bce9ad14474fdd163ab0f8e95e4b6f5318b405751c650143b4d18613de7e03355d022823a9971188fc90586b6c3a525730d58622816968a8fb97f7a6a26</hash>
      <hash alg="SHA-384">17bb0d73a146352c95daee35656856d663d68bd25874edead4e1ebf3b206b7911501e0016941800d8b6e993cad342961</hash>
      <hash alg="SHA3-384">650e79914b21a5c5bbe4da322e7985ffa386da1736fc24f1ff891402389c646790aca2e983811869abd2a35339372444</hash>
      <hash alg="SHA3-256">0bb0129e2a8af16e05396a9821b315d3ceb1e056c442c3f17480be84f1d92899</hash>
      <hash alg="SHA3-512">27c418c1433b9c668a49214390b957b49839832f118e6633e753b391177f5c2be06b30fd833c22fcf1eb6d3bcb284f7442bb3f3460de0c5cf8bd5c6968f13c4e</hash>
    </hashes>
    <licenses/>
    <purl>pkg:maven/com.toedter/jcalendar@1.4?type=jar</purl>
  </component>
  <component type="library" bom-ref="pkg:maven/javax.mail/mail@1.4.7?type=jar">
    <group>javax.mail</group>
    <name>mail</name>
    <version>1.4.7</version>
    <scope>required</scope>
    <hashes>
      <hash alg="MD5">77f53ff0c78ba43c4812ecc9f53e20f8</hash>
      <hash alg="SHA-1">9add058589d5d85adeb625859bf2c5eeaaedf12d</hash>
      <hash alg="SHA-256">78c33b4f7c7b60f4b680f2d2405b1f063d71929cf1a4fbc328888379f365fcfb</hash>
      <hash alg="SHA-512">331d2ecda625f4ad8a2c2539b577e9906787e7ef08d47683f45dd6fff18e3b7601071f20970896210bd26498018aa570fe2ab4bfd7f7084068a234a809bbd481</hash>
      <hash alg="SHA-384">9b2529ac136de86400b6eaa9eb887cdc3de3cd993131caf99ce808bc2ac208b01772018aa38d49ca0bd1bc962e08834a</hash>
      <hash alg="SHA3-384">4c86276795145265031b3ea63c097106df20076151c8a3a682a7092d68d91f243697286e3f543e8a1ef1e46ed4bb157e</hash>
      <hash alg="SHA3-256">eef5fbcc453d8f709bc49c5f3d4f02a7cd8437f62cab9eb6b5396713a2098973</hash>
      <hash alg="SHA3-512">c28159ba68a18d7d57428fcd75a9b019b3e79e573debbeef2859ba522309b9362552c861063a5ab541175bfb0ae69c08e5fa237f3ed3b05160de46e4fd2d8132</hash>
    </hashes>
    <licenses/>
    <purl>pkg:maven/javax.mail/mail@1.4.7?type=jar</purl>
  </component>
</components>
Okay, that's odd then.
In the "Audit Vulnerabilities" tab, what is it showing as the analyzer that found the vulnerabilities?
Do you have fuzzy CPE matching enabled?
Hello! Thanks for your response. These vulnerabilities are found by the NVD analyzer. But I think you're right: all the fuzzy CPE options are enabled in our configuration. I am going to check whether the two vulnerabilities disappear when these options are disabled. I'll keep you informed :)
Best regards, Estelle
Hello, the two vulnerabilities are still displayed in the "Audit Vulnerabilities" tab. Is there a cache to clear for the already-found vulnerabilities, or a way to be sure that no false-positive CVEs are still being reported? Thanks for your help! Estelle
Hello, Dependency-Track still seems to see the vulnerabilities, even with the fuzzy options disabled. How can this situation be fixed? Thanks for your help, Estelle
Current Behavior
Hello,
Dependency-Track seems to detect CVE-2023-25160 (NVD) on javax.mail:mail, v1.4.7, but this CVE concerns nextcloud. When I ask Dependency-Track for the CVE details, it lists:
cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:* ( |<1.11.8 ) | NVD
cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:* ( >=1.12.0|<1.12.9 ) | NVD
cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:* ( >=1.13.0|<1.14.5 ) | NVD
cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:* ( >=2.0.0|<2.2.1 ) | NVD
Also, I do not understand how this CVE can be detected on this artifact. The groupId is different, and the version filter is not supposed to match either... Note that I have the same issue on another artifact (com.toedter:jcalendar, CVE-2018-3763, which is not a nextcloud artifact either...).
I suppose there is a problem with the pattern matching...
Steps to Reproduce
Expected Behavior
CVE-2023-25160 (concerning nextcloud artifacts) should not be raised for this artifact.
Dependency-Track Version
4.10.0
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
No response
Browser
Google Chrome
Checklist