albuch / sbt-dependency-check

SBT Plugin for OWASP DependencyCheck. Monitor your dependencies and report if there are any publicly known vulnerabilities (e.g. CVEs). :rainbow:
Apache License 2.0

false positive: com.softwaremill.sttp.client/async-http-client-backend_2.11@2.0.7 #138

Closed jaymeyer closed 4 years ago

jaymeyer commented 4 years ago

Describe the bug

The dependency: com.softwaremill.sttp.client/async-http-client-backend_2.11@2.0.7 is falsely identified as a HIGH severity CVE from a different dependency: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14063 These 2 libraries are not the same; their package ids are different in Maven Central: org.asynchttpclient vs. com.softwaremill.sttp.client

Version of sbt-dependency-check used

2.0.0

Log file

a generated dependency check report html

To Reproduce

Steps to reproduce the behavior:

  1. add this line to your Scala build.sbt: "com.softwaremill.sttp.client" %% "async-http-client-backend-future" % "2.0.7"
  2. sbt dependencyCheck
  3. the resulting Dependency Check report (in html format) marks 2 dependencies as HIGH severity and links to the CVE above

Expected behavior

The Dependency Check report should be "clean" and should not report this dependency

Additional context

It appears that the false positive is resulting from the fact that the async-http-client-backend-future artifact with version 2.0.7 has a similar name and version as a true HIGH severity artifact. But the com.softwaremill.sttp.client group is different from the actual CVE.

Perhaps this one is the true vulnerability: https://mvnrepository.com/artifact/org.asynchttpclient/async-http-client But these packages, org.asynchttpclient vs. com.softwaremill.sttp.client, are not the same. And so the dependencyCheck plugin is falsely identifying them as the same artifact/version.

jaymeyer commented 4 years ago

It appears that there is a transitive dependency here: https://mvnrepository.com/artifact/com.softwaremill.sttp.client/async-http-client-backend_2.11/2.0.7

but this depends on a recent patch of the org.asynchttpclient: https://mvnrepository.com/artifact/org.asynchttpclient/async-http-client/2.11.0

the tool appears to be complaining about: org.asynchttpclient % 2.0.7

albuch commented 4 years ago

Hi @jaymeyer, please report false-positives in the upstream project https://github.com/jeremylong/DependencyCheck as sbt-dependency-check is only a wrapper around the core library provided by the aforementioned project. In the meantime you can use a local configuration to suppress the false-positive. See https://jeremylong.github.io/DependencyCheck/general/suppression.html for instructions.
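The suppression approach albuch points to, written out as an added example (not code from this thread or from the sbt-dependency-check project). It assumes a file named `dependency-check-suppressions.xml` in the project root and uses the `suppress` elements documented in the upstream suppression guide; the CVE number comes from the report quoted in the issue. The `packageUrl` pattern scopes the suppression to the sttp backend artifacts only, and the `cve` element limits it to this one finding, so a genuine advisory against the real `org.asynchttpclient:async-http-client` artifact (the transitive dependency noted above) would still be reported:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (added example, not from the thread) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      False positive: the sttp async-http-client backend (group com.softwaremill.sttp.client)
      shares an artifact name and a version number (2.0.7) with
      org.asynchttpclient:async-http-client, so DependencyCheck matches it against
      CVE-2017-14063. The real org.asynchttpclient artifact is a separate transitive
      dependency and remains in scope for scanning.
    ]]></notes>
    <!-- Match only the sttp backend artifacts, any Scala binary version, any version -->
    <packageUrl regex="true">^pkg:maven/com\.softwaremill\.sttp\.client/async\-http\-client\-backend.*@.*$</packageUrl>
    <!-- Suppress this one CVE rather than every vulnerability of the mismatched CPE -->
    <cve>CVE-2017-14063</cve>
  </suppress>
</suppressions>
```

To have the plugin pick the file up, point it at the suppression file from `build.sbt`; the setting name assumed here is `dependencyCheckSuppressionFiles := Seq(baseDirectory.value / "dependency-check-suppressions.xml")`, so check it against the setting keys of the plugin version you run. Because the entry is keyed on the package URL and not on a file hash, it keeps working across upgrades of the sttp backend, which also means it should be re-examined whenever the matched CPE or the CVE list for that CPE changes.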