No vulnerabilities found for Maven project

[giulio1979]

Hi, I am scanning a maven project, the system finds 203 dependencies and their versions but no vulnerabilities.

At the same time dependency-check finds a lot of issues:

dependency-check version: 5.3.3-SNAPSHOT Report Generated On: Mon, 22 Jun 2020 17:53:03 GMT Dependencies Scanned: 799 (533 unique) Vulnerable Dependencies: 36 Vulnerabilities Found: 126 Vulnerabilities Suppressed: 24

Most issues from dependency-check have been confirmed.

Do you have any ideas ? The logs look perfect, no exceptions. I have restarted the system and pulled latest containers, including snapshot version.

NVM files look ok also.

[stevespringett]

Refer to https://docs.dependencytrack.org/FAQ/

[giulio1979]

OSS Index is enabled, I loaded the project a few hours ago ...

I noticed for the components loaded via cyclonedx the CPE is empty. I added the CPE for one dependency and the expected vulnerability appeared immediately.

[stevespringett]

Do you have the purl of a confirmed vulnerable component?

[giulio1979]

pkg:maven/org.dom4j/dom4j@2.1.1?type=jar

[giulio1979]

I would expect: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&cves=on&cpe_version=cpe%3a%2fa%3adom4j_project%3adom4j%3a2.1.1

CVE-2020-10683	dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.Published: May 01, 2020; 03:15:12 PM -04:00

[stevespringett]

Seems to be a false negative in OSS Index. Report the issue here https://ossindex.sonatype.org/doc/report-vulnerability

[giulio1979]

Vulnerable Dependencies: 36 Vulnerabilities Found: 126 Vulnerabilities Suppressed: 24

Do you think all are false negatives in Sonatype ?

[stevespringett]

No. This particular case was a false negative. But keep in mind that Dependency Check generates false positives by design. So comparing DC to DT is not advisable unless you weed out all the false positives first. Comparing DT to Snyk or something similar is a more worthwhile comparison.

Also note that CPE is not capable of describing components or modules, only vendor, name, and version. So if you have a component that is part of a larger thing that is vulnerable, but you're not actually using the affected component, use of CPE will generate false positives whereas OSS Index will not - it will be much more precise down to the component level. This is one of many reasons why the NVD has deprecated use of CPE.

[giulio1979]

Thanks Steve, I will look deeper into it, if 95% of detections are false positives in dependency-check then that information is almost useless. Your project is looking amazing and very promising !

I have a few questions, can I extract the BOMs as a report and aggregate multiple projects into some sort of a product ?

[stevespringett]

Thank you. I think DC is highly valuable - I was actually the first contributor to the project back in 2013. But I use it mostly for audit purposes due to the high false positive rate. Read How it works?.

You can create aggregate BOMs with the Maven plugin. The NPM plugin allows you to merge BOMs together. But DT currently does not have the capability of aggregating projects together. This is on the roadmap but it's not something I can get to short term.

[giulio1979]

Thank you again !

[github-actions[bot]]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.