DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

False Positive with nextcloud artifacts #3500

Open stl543 opened 7 months ago

stl543 commented 7 months ago

Current Behavior

Hello,

Dependency-Track seems to detect CVE-2023-25160 (NVD) on javax.mail.mail v1.4.7, but this CVE concerns nextcloud. When I ask Dependency-Track for the CVE details, it shows:

cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:* ( |<1.11.8 ) | NVD
cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:* ( >=1.12.0|<1.12.9 ) | NVD
cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:* ( >=1.13.0|<1.14.5 ) | NVD
cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:* ( >=2.0.0|<2.2.1 ) | NVD

Also, I do not understand how this CVE can be detected on this artifact. The groupId is different, and the filter is also not supposed to match... Note that I have the same issue on another artifact (com.toedter.jcalendar, CVE-2018-3763, which is not a nextcloud artifact either...).

I suppose there is a problem with the pattern matching...

Steps to Reproduce

  1. Run dependency-track on a project using the artifact javax.mail.mail

Expected Behavior

CVE-2023-25160 (concerning nextcloud artifacts) is not raised for this artifact.

Dependency-Track Version

4.10.0

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

nscuro commented 7 months ago

Can you please share the BOM you're uploading? Really the only relevant parts of the BOM are the components you're getting false positives on.

Just to give an example, CPEs support wildcards (*). If the BOM you're uploading uses CPEs like this:

cpe:2.3:a:*:mail:1.4.7:*:*:*:*:*:*:*

You will get matches with cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:* ( |<1.11.8 ), because * matches nextcloud, and 1.4.7 is smaller than 1.11.8.
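To make the wildcard argument above concrete, here is an added, simplified CPE 2.3 matcher written for this thread. It is not Dependency-Track's code and does not reproduce its real matching logic (for example, it ignores escaped colons and the special "-" value); it only shows why a BOM CPE whose vendor field is * falls into the nextcloud/mail NVD criteria listed in the issue, while the same product and version with an explicit, non-nextcloud vendor does not. The vendor value "javax" in the second sample CPE is a constructed, hypothetical value used for contrast.

```python
"""Added example: simplified CPE 2.3 wildcard matching with NVD-style version ranges.

Not Dependency-Track's implementation; it only illustrates the matching idea
discussed in the issue (a '*' vendor matches 'nextcloud', and 1.4.7 < 1.11.8).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "*"  # CPE 2.3 "ANY" wildcard


def parse_cpe23(cpe: str) -> List[str]:
    """Split a CPE 2.3 formatted string into its 11 attributes after 'cpe:2.3:'.

    Assumption: no backslash-escaped colons inside attribute values.
    """
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    fields = cpe[len(prefix):].split(":")
    if len(fields) != 11:
        raise ValueError(f"expected 11 attributes, got {len(fields)}: {cpe}")
    return fields


def version_tuple(version: str) -> Tuple[int, ...]:
    """Dotted numeric version -> comparable tuple (assumes purely numeric parts)."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class VersionRange:
    """A range as shown in the NVD criteria, e.g. '<1.11.8' or '>=1.12.0|<1.12.9'."""

    start_including: Optional[str] = None
    end_excluding: Optional[str] = None

    def contains(self, version: str) -> bool:
        v = version_tuple(version)
        if self.start_including and v < version_tuple(self.start_including):
            return False
        if self.end_excluding and v >= version_tuple(self.end_excluding):
            return False
        return True


def attribute_matches(bom_value: str, vuln_value: str) -> bool:
    """'*' on either side matches anything; otherwise compare case-insensitively."""
    return ANY in (bom_value, vuln_value) or bom_value.lower() == vuln_value.lower()


def cpe_matches(bom_cpe: str, vuln_cpe: str, vuln_range: Optional[VersionRange] = None) -> bool:
    """True if the BOM CPE falls under the vulnerability CPE (plus optional version range)."""
    bom = parse_cpe23(bom_cpe)
    vuln = parse_cpe23(vuln_cpe)
    for index, (b, v) in enumerate(zip(bom, vuln)):
        if index == 3 and vuln_range is not None and v == ANY and b != ANY:
            # Version attribute: the criterion says '*' and carries a range,
            # so the concrete BOM version must fall inside that range.
            if not vuln_range.contains(b):
                return False
            continue
        if not attribute_matches(b, v):
            return False
    return True


# The four NVD criteria for CVE-2023-25160 as quoted in the issue.
NEXTCLOUD_MAIL_CRITERIA = [
    ("cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:*", VersionRange(end_excluding="1.11.8")),
    ("cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:*", VersionRange("1.12.0", "1.12.9")),
    ("cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:*", VersionRange("1.13.0", "1.14.5")),
    ("cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:*", VersionRange("2.0.0", "2.2.1")),
]


def is_affected(bom_cpe: str) -> bool:
    """Does any CVE-2023-25160 criterion match the given BOM CPE?"""
    return any(cpe_matches(bom_cpe, cpe, rng) for cpe, rng in NEXTCLOUD_MAIL_CRITERIA)


# Sample CPEs: the first is the wildcard-vendor example from the comment above;
# the second is a constructed contrast with a hypothetical explicit vendor.
WILDCARD_VENDOR_CPE = "cpe:2.3:a:*:mail:1.4.7:*:*:*:*:*:*:*"
EXPLICIT_VENDOR_CPE = "cpe:2.3:a:javax:mail:1.4.7:*:*:*:*:*:*:*"

if __name__ == "__main__":
    for cpe in (WILDCARD_VENDOR_CPE, EXPLICIT_VENDOR_CPE):
        print(f"{cpe} -> affected: {is_affected(cpe)}")
```

Running the block prints that the wildcard-vendor CPE is flagged and the explicit-vendor CPE is not, which is exactly why the question of what CPE (if any) ends up attached to the component matters for this false positive.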

stl543 commented 7 months ago

Hello! Thanks for your answer. The uploaded BOM doesn't contain any CPE information... Here are the parts dealing with the two artifacts (jcalendar and mail):

<components>
    <component type="library" bom-ref="pkg:maven/com.toedter/jcalendar@1.4?type=jar">
      <group>com.toedter</group>
      <name>jcalendar</name>
      <version>1.4</version>
      <scope>required</scope>
      <hashes>
        <hash alg="MD5">0a0863943cf89741c7a0c2721027446d</hash>
        <hash alg="SHA-1">180cf82b37b0c1324e7de33bd0114be7d86678cd</hash>
        <hash alg="SHA-256">284fcfbb7938d5b85bb0f540c712fa042521a4c50f4a5d47da02ba19bff291eb</hash>
        <hash alg="SHA-512">612a8bce9ad14474fdd163ab0f8e95e4b6f5318b405751c650143b4d18613de7e03355d022823a9971188fc90586b6c3a525730d58622816968a8fb97f7a6a26</hash>
        <hash alg="SHA-384">17bb0d73a146352c95daee35656856d663d68bd25874edead4e1ebf3b206b7911501e0016941800d8b6e993cad342961</hash>
        <hash alg="SHA3-384">650e79914b21a5c5bbe4da322e7985ffa386da1736fc24f1ff891402389c646790aca2e983811869abd2a35339372444</hash>
        <hash alg="SHA3-256">0bb0129e2a8af16e05396a9821b315d3ceb1e056c442c3f17480be84f1d92899</hash>
        <hash alg="SHA3-512">27c418c1433b9c668a49214390b957b49839832f118e6633e753b391177f5c2be06b30fd833c22fcf1eb6d3bcb284f7442bb3f3460de0c5cf8bd5c6968f13c4e</hash>
      </hashes>
      <licenses/>
      <purl>pkg:maven/com.toedter/jcalendar@1.4?type=jar</purl>
    </component>
    <component type="library" bom-ref="pkg:maven/javax.mail/mail@1.4.7?type=jar">
      <group>javax.mail</group>
      <name>mail</name>
      <version>1.4.7</version>
      <scope>required</scope>
      <hashes>
        <hash alg="MD5">77f53ff0c78ba43c4812ecc9f53e20f8</hash>
        <hash alg="SHA-1">9add058589d5d85adeb625859bf2c5eeaaedf12d</hash>
        <hash alg="SHA-256">78c33b4f7c7b60f4b680f2d2405b1f063d71929cf1a4fbc328888379f365fcfb</hash>
        <hash alg="SHA-512">331d2ecda625f4ad8a2c2539b577e9906787e7ef08d47683f45dd6fff18e3b7601071f20970896210bd26498018aa570fe2ab4bfd7f7084068a234a809bbd481</hash>
        <hash alg="SHA-384">9b2529ac136de86400b6eaa9eb887cdc3de3cd993131caf99ce808bc2ac208b01772018aa38d49ca0bd1bc962e08834a</hash>
        <hash alg="SHA3-384">4c86276795145265031b3ea63c097106df20076151c8a3a682a7092d68d91f243697286e3f543e8a1ef1e46ed4bb157e</hash>
        <hash alg="SHA3-256">eef5fbcc453d8f709bc49c5f3d4f02a7cd8437f62cab9eb6b5396713a2098973</hash>
        <hash alg="SHA3-512">c28159ba68a18d7d57428fcd75a9b019b3e79e573debbeef2859ba522309b9362552c861063a5ab541175bfb0ae69c08e5fa237f3ed3b05160de46e4fd2d8132</hash>
      </hashes>
      <licenses/>
      <purl>pkg:maven/javax.mail/mail@1.4.7?type=jar</purl>
    </component>
  </components>

nscuro commented 7 months ago

Okay, that's odd then.

In the "Audit Vulnerabilities" tab, what is it showing as the analyzer that found the vulnerabilities?

Do you have fuzzy CPE matching enabled? [screenshot]

stl543 commented 7 months ago

Hello! Thanks for your response. These vulnerabilities are found by the NVD analyzer. But I think you're right: all the fuzzy CPE options are enabled in our configuration. I am going to check whether the two vulnerabilities disappear when these options are disabled. I will keep you informed :)

Best regards, Estelle

stl543 commented 7 months ago

Hello, the two vulnerabilities are still displayed in the "Audit Vulnerabilities" tab. Is there a cache to clear for the already-found vulnerabilities, or some way to be sure that no false-positive CVEs are found anymore? Thanks for your help! Estelle

stl543 commented 7 months ago

Hello, Dependency-Track still seems to see the vulnerabilities, even with the fuzzy options disabled. How can this situation be fixed? Thanks for your help, Estelle