OSSIndex / vulns

Report missing advisories and corrections on OSS Index

sonatype-2020-1324 is not a vulnerability #299

Closed msymons closed 2 years ago

msymons commented 2 years ago

Vulnerability URL

https://ossindex.sonatype.org/vulnerability/sonatype-2020-1324?component-type=maven&component-name=com.h2database/h2

Component URL

Latest version of h2 (as of June 20 2022) reports the vulnerability, as do all earlier versions.

https://ossindex.sonatype.org/component/pkg:maven/com.h2database/h2@2.1.214

Description

sonatype-2020-1324 is based on a blogpost from Code White:

https://codewhitesec.blogspot.com/2019/08/exploit-h2-database-native-libraries-jni.html

I reported this to the h2 project and they have provided a detailed explanation of why this is NOT a vulnerability:

https://github.com/h2database/h2database/issues/3552

lukaseder commented 2 years ago

I'm running into this as well, and found https://github.com/h2database/h2database/issues/3547, in addition to https://github.com/h2database/h2database/issues/3552, which @msymons reported.

This is the second significant false positive I've encountered in only 2 days, and by significant, I mean that skilled security researchers would have identified the false positives as such?

Given the ubiquitous usage of Sonatype for OSS infrastructure, I hope these kinds of (automated, I suspect?) false positives will be addressed very soon:

axsharma commented 2 years ago

Thanks for bringing this to our attention! We have reviewed the issue and removed sonatype-2020-1324 from our security data.

Please do feel free to let us know if you need anything else!

Best,
Ax Sharma
Sonatype

msymons commented 2 years ago

> Please do feel free to let us know if you need anything else!

Perhaps a new version of the API that would be able to reflect that an advisory has been withdrawn? The ability of the API to provide a last-updated timestamp?

The problem with simply removing something like sonatype-2020-1324 from data is that the old data still "pollutes" downstream systems... with no formal mechanism in the API to keep things properly updated.
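The "pollution" problem described in the comment above, as an added example that is not code from OSS Index, Sonatype or the h2 project: a downstream consumer that simply merges each new component report into its local store never drops sonatype-2020-1324 once it has been cached, because the response carries no withdrawn marker or last-updated field. The only signal available today is absence from a fresh, complete response for the same coordinates, so the reconciliation below records that absence (with the time it was observed) instead of silently keeping or deleting the entry. The report shape is an assumption that approximates the v3 component-report JSON (a list of components, each with a `vulnerabilities` list whose entries carry an `id`); the advisory ID `hypothetical-2022-0001` and the two timestamps are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample data (assumption: shape approximates the OSS Index v3
# component-report response; only the h2 coordinates and sonatype-2020-1324
# come from the issue).
H2 = "pkg:maven/com.h2database/h2@2.1.214"
T0 = datetime(2022, 6, 20, tzinfo=timezone.utc)  # earlier fetch (constructed)
T1 = datetime(2022, 6, 24, tzinfo=timezone.utc)  # later fetch (constructed)

CACHED_REPORT = [{
    "coordinates": H2,
    "vulnerabilities": [
        {"id": "sonatype-2020-1324", "title": "JNI native library loading"},
        {"id": "hypothetical-2022-0001", "title": "placeholder advisory"},
    ],
}]
FRESH_REPORT = [{
    "coordinates": H2,
    "vulnerabilities": [
        {"id": "hypothetical-2022-0001", "title": "placeholder advisory"},
    ],
}]


def advisory_ids(report):
    """Map each component's coordinates to the set of advisory IDs it lists."""
    return {c["coordinates"]: {v["id"] for v in c.get("vulnerabilities", [])}
            for c in report}


def naive_merge(cached, fresh):
    """Union of cached and fresh IDs per component.

    This is the behaviour that pollutes a downstream store: an advisory that
    was removed upstream survives forever because nothing in the response
    says it was withdrawn.
    """
    merged = {}
    for ids in (advisory_ids(cached), advisory_ids(fresh)):
        for coords, s in ids.items():
            merged.setdefault(coords, set()).update(s)
    return merged


def reconcile(store, fresh, fetched_at):
    """Update a local store from a fresh report and classify each advisory.

    store: {coords: {advisory_id: {"first_seen", "last_seen", "withdrawn_at"}}}
    Absence from a complete response for the same coordinates is recorded as
    withdrawn_at rather than deleted, so the audit trail survives and an
    advisory that is re-published later is reported as added again.
    Components missing from the fresh report are left untouched: that is a
    missing component, not a withdrawal signal.
    Returns {coords: {"active": set, "added": set, "withdrawn": set}}.
    """
    summary = {}
    for coords, ids in advisory_ids(fresh).items():
        entries = store.setdefault(coords, {})
        active, added, withdrawn = set(), set(), set()
        for aid in ids:
            entry = entries.get(aid)
            if entry is None:
                entries[aid] = {"first_seen": fetched_at, "last_seen": fetched_at,
                                "withdrawn_at": None}
                added.add(aid)
            else:
                entry["last_seen"] = fetched_at
                if entry["withdrawn_at"] is not None:
                    entry["withdrawn_at"] = None  # re-published upstream
                    added.add(aid)
            active.add(aid)
        for aid, entry in entries.items():
            if aid not in ids and entry["withdrawn_at"] is None:
                entry["withdrawn_at"] = fetched_at
                withdrawn.add(aid)
        summary[coords] = {"active": active, "added": added, "withdrawn": withdrawn}
    return summary


if __name__ == "__main__":
    print("naive merge keeps:", sorted(naive_merge(CACHED_REPORT, FRESH_REPORT)[H2]))
    store = {}
    reconcile(store, CACHED_REPORT, T0)
    print("reconcile reports:", reconcile(store, FRESH_REPORT, T1)[H2])
```

The distinction the second function makes is exactly what a withdrawn flag or last-updated timestamp in the API would make unnecessary: today the consumer has to infer withdrawal from a full re-fetch, and a consumer that only ever polls new versions (or merges responses) will keep serving the retracted advisory.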

axsharma commented 2 years ago

Noted, thanks again for the feedback - taking it to our product teams.

ken-duck commented 2 years ago

An internal feature request has been created for your feature:

> Perhaps a new version of the API that would be able to reflect that an advisory has been withdrawn? The ability of the API to provide a last-updated timestamp?

As this is a fairly major change in the data pipeline I cannot comment on where it would fit on the roadmap, but I do like the idea so will try and champion it and/or find an alternative way to make it happen.