Open metametadata opened 1 month ago
> CVE-2016-10707 in Java dep `pkg:maven/org.webjars/jquery@1.11.1` is not detected.

Looking at the affected versions in the corresponding GHSA entry https://github.com/advisories/GHSA-mhpp-875w-9cpv:

So AFAIU, Grype correctly didn't report this dep.
👋 Hey @metametadata thanks for the report on the false negatives.

For the first 3:

It looks like they're all sitting as unreviewed in both NVD and GHSA. Because of this there are no entries in the grype database yet that would allow us to match based on PURL or CPE (cpe matching is turned off by default for java and we rely on GHSA's published analysis for PURL matching):

For CVE-2016-10707 it looks like there is a small naming issue that needs to be resolved between what the package manager is resolving and what the vulnerability is being sourced against.

Here are the two different packages in maven:

- `pkg:maven/org.webjars/jquery@1.11.1`
- `org.webjars.npm:jquery`

The one included in the SBOM is NOT vulnerable:

```json
"purl" : "pkg:maven/org.webjars/jquery@1.11.1?type=jar",
```

The vulnerable PURL would be:

```json
"purl" : "pkg:maven/org.webjars.npm/jquery@1.11.1?type=jar"
```

Note the `.npm` in the group name. Are you sure these are the same jar?
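Added example (not code from this issue or from Grype itself): a small Python check over a CycloneDX SBOM that parses each component's PURL and lists every classic `org.webjars/*` component next to the `org.webjars.npm/*` coordinates that, per the comment above, advisory data for the same upstream library is keyed to. It is a triage aid for spotting components a PURL-based match may not cover; as the thread notes, the two artifacts are different jars, so a listed coordinate is a cross-check to perform, not a finding. The embedded SBOM is constructed (same shape as the one attached to this issue, hashes omitted), and `parse_purl` and `webjar_group_mismatches` are names chosen here.

```python
"""Flag classic WebJar components (org.webjars/*) in a CycloneDX SBOM and show the
org.webjars.npm/* coordinates that vulnerability data for the same library uses."""
import json
from urllib.parse import unquote

# Constructed minimal CycloneDX SBOM for the example (hashes and licenses omitted).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"group": "org.webjars", "name": "bootstrap", "version": "3.4.1",
         "purl": "pkg:maven/org.webjars/bootstrap@3.4.1?type=jar"},
        {"group": "org.webjars", "name": "jquery", "version": "1.11.1",
         "purl": "pkg:maven/org.webjars/jquery@1.11.1?type=jar"},
        {"group": "org.webjars.npm", "name": "jquery", "version": "3.5.1",
         "purl": "pkg:maven/org.webjars.npm/jquery@3.5.1?type=jar"},
    ],
})

CLASSIC_GROUP = "org.webjars"      # classic WebJar, hand-maintained build
NPM_GROUP = "org.webjars.npm"      # WebJar generated from the npm package


def parse_purl(purl):
    """Split a package URL into type, namespace, name, version, qualifiers, subpath.

    Follows the purl spec's parse order (subpath, qualifiers, version from the
    right, then type/namespace/name); covers what Maven coordinates need.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest = purl[len("pkg:"):]
    rest, _, subpath = rest.partition("#")
    rest, _, qualifier_str = rest.partition("?")
    head, sep, tail = rest.rpartition("@")      # version is after the last '@'
    if sep:
        rest, version = head, tail
    else:
        version = None
    parts = rest.strip("/").split("/")
    if len(parts) < 2:
        raise ValueError(f"purl needs a type and a name: {purl!r}")
    qualifiers = dict(kv.split("=", 1) for kv in qualifier_str.split("&") if kv)
    return {
        "type": parts[0].lower(),
        "namespace": "/".join(unquote(p) for p in parts[1:-1]) or None,
        "name": unquote(parts[-1]),
        "version": version,
        "qualifiers": qualifiers,
        "subpath": subpath or None,
    }


def webjar_group_mismatches(sbom_json):
    """Return classic WebJar components together with the org.webjars.npm
    coordinates to cross-check against advisory data."""
    bom = json.loads(sbom_json)
    findings = []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        p = parse_purl(purl)
        if p["type"] == "maven" and p["namespace"] == CLASSIC_GROUP:
            findings.append({
                "sbom_purl": purl,
                "advisory_keyed_purl": f"pkg:maven/{NPM_GROUP}/{p['name']}@{p['version']}",
            })
    return findings


if __name__ == "__main__":
    for f in webjar_group_mismatches(SAMPLE_SBOM):
        print(f"{f['sbom_purl']}  ->  cross-check {f['advisory_keyed_purl']}")
```

Point it at a real SBOM by reading the file instead of `SAMPLE_SBOM`; the `org.webjars.npm` component in the sample is there to show that only the classic group is reported.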
> It looks like they're all sitting as unreviewed in both NVD and GHSA. Because of this there are no entries in the grype database yet that would allow us to match based on PURL or CPE

Got it, thanks!

I wonder how other scanners are able to match these CVEs then :thinking:

> note the .npm in the group name

Good catch! `org.webjars.npm/*` is an NPM WebJar which can be built automatically from the corresponding NPM package (via the https://www.webjars.org GUI). OTOH, `org.webjars/*` is a classic WebJar which requires some kind of manual setup before building.

> Are you sure these are the same jar?

They are different, even though somewhere inside they contain exactly the same jQuery JS code.

Conclusion:

1) There's a difference between `org.webjars.npm/*` and `org.webjars/*`.
2) For some reason CVEs for jQuery cover `org.webjars.npm/jquery` artifacts, but not `org.webjars/jquery` ones. It can be easily seen in the Vulnerabilities column in https://mvnrepository.com/artifact/org.webjars.npm/jquery vs. https://mvnrepository.com/artifact/org.webjars/jquery.
3) Grype detects CVEs in `org.webjars.npm/jquery` and prints more info than for `org.webjars/jquery`:
```
✔ Scanned for vulnerabilities [9 vulnerability matches]
├── by severity: 0 critical, 0 high, 9 medium, 0 low, 0 negligible
└── by status: 4 fixed, 5 not-fixed, 0 ignored
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
jquery 1.11.1 1.12.2 java-archive GHSA-rmxg-73gg-4p98 Medium
jquery 1.11.1 3.5.0 java-archive GHSA-jpcq-cgw6-v4j6 Medium
jquery 1.11.1 3.5.0 java-archive GHSA-gxr4-xjj5-5px2 Medium
jquery 1.11.1 3.4.0 java-archive GHSA-6c3j-c64m-qhgq Medium
jquery 1.11.1 java-archive CVE-2020-11023 Medium
jquery 1.11.1 java-archive CVE-2020-11022 Medium
jquery 1.11.1 java-archive CVE-2019-11358 Medium
jquery 1.11.1 java-archive CVE-2015-9251 Medium
jquery 1.11.1 java-archive CVE-2007-2379 Medium
```
There's still no CVE-2016-10707, but I think it's correct, as I wrote in the previous comment.
I've also noticed that GHSA vulns here duplicate the CVE ones below them, e.g. `GHSA-rmxg-73gg-4p98` is linked to `CVE-2015-9251`. Maybe Grype should somehow deduplicate such matches? Setting `using-cpes` to `false` helps with this, but I'm concerned it increases the risk of false negatives.
4) Switching from `org.webjars/bootstrap` to `org.webjars.npm/bootstrap` leads to excluding the jQuery transitive dep from the dependency tree. And this is a good idea for me as I don't need jQuery in my real project.
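Added example, not code from this issue or from Grype: a Python helper that parses the match table quoted above (whitespace-separated, as it appears here) and collapses a GHSA row and its CVE alias for the same package into one finding, keeping the fix version from whichever row carries it. It is post-processing of scanner output, so it changes nothing about what Grype matches; it only removes the double-counting the comment describes. The first alias pair is the one noted in the comment (`GHSA-rmxg-73gg-4p98` and `CVE-2015-9251`); the other three pairs are assumed for the example, and `parse_grype_table`, `dedupe_matches` and `ALIASES` are names chosen here.

```python
"""Parse a grype match table and merge GHSA rows with their CVE aliases."""

# The table from the comment above, embedded as a constant for the example.
GRYPE_OUTPUT = """\
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
jquery 1.11.1 1.12.2 java-archive GHSA-rmxg-73gg-4p98 Medium
jquery 1.11.1 3.5.0 java-archive GHSA-jpcq-cgw6-v4j6 Medium
jquery 1.11.1 3.5.0 java-archive GHSA-gxr4-xjj5-5px2 Medium
jquery 1.11.1 3.4.0 java-archive GHSA-6c3j-c64m-qhgq Medium
jquery 1.11.1 java-archive CVE-2020-11023 Medium
jquery 1.11.1 java-archive CVE-2020-11022 Medium
jquery 1.11.1 java-archive CVE-2019-11358 Medium
jquery 1.11.1 java-archive CVE-2015-9251 Medium
jquery 1.11.1 java-archive CVE-2007-2379 Medium
"""

# GHSA -> CVE alias table. The first entry is stated in the comment above; the
# remaining three are assumed for this example and would normally come from the
# advisory records themselves.
ALIASES = {
    "GHSA-rmxg-73gg-4p98": "CVE-2015-9251",
    "GHSA-jpcq-cgw6-v4j6": "CVE-2020-11023",
    "GHSA-gxr4-xjj5-5px2": "CVE-2020-11022",
    "GHSA-6c3j-c64m-qhgq": "CVE-2019-11358",
}


def parse_grype_table(text):
    """Turn table rows into dicts. A row has 6 tokens when FIXED-IN is present
    and 5 when it is empty, which is the case that trips up a naive split."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "NAME":
            continue  # blank line or header
        if len(tokens) == 6:
            name, installed, fixed_in, ptype, vid, severity = tokens
        elif len(tokens) == 5:
            name, installed, ptype, vid, severity = tokens
            fixed_in = ""
        else:
            raise ValueError(f"unexpected row: {line!r}")
        rows.append({"name": name, "installed": installed, "fixed_in": fixed_in,
                     "type": ptype, "id": vid, "severity": severity})
    return rows


def canonical_id(vuln_id, aliases=ALIASES):
    """Map an advisory id to its CVE alias when one is known."""
    return aliases.get(vuln_id, vuln_id)


def dedupe_matches(rows, aliases=ALIASES):
    """Group rows by (package, version, canonical id) and emit one finding per
    group, preferring a row that carries a fix version; all ids are retained."""
    groups, order = {}, []
    for row in rows:
        key = (row["name"], row["installed"], canonical_id(row["id"], aliases))
        if key not in groups:
            groups[key] = []
            order.append(key)
        groups[key].append(row)
    merged = []
    for key in order:
        group = groups[key]
        best = next((r for r in group if r["fixed_in"]), group[0])
        merged.append({
            "name": key[0],
            "installed": key[1],
            "canonical": key[2],
            "fixed_in": best["fixed_in"] or None,
            "severity": best["severity"],
            "ids": sorted({r["id"] for r in group}),
        })
    return merged


if __name__ == "__main__":
    for m in dedupe_matches(parse_grype_table(GRYPE_OUTPUT)):
        print(m["canonical"], m["fixed_in"], ",".join(m["ids"]))
```

Nine rows collapse to five findings; each keeps both ids so the GHSA record can still be looked up for the fix version it contributed.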
What happened:

1) Vulns in Java dep `pkg:maven/org.webjars/bootstrap@3.4.1` are not detected:
2) CVE-2016-10707 in Java dep `pkg:maven/org.webjars/jquery@1.11.1` is not detected.

What you expected to happen:

The vulns are detected.

How to reproduce it (as minimally and precisely as possible):

Maven POM file `pom.xml`:

SBOM file `cycl.json`, generated from `pom.xml` via `mvn -DoutputDirectory=. -DoutputFormat=json -DoutputName=cycl org.cyclonedx:cyclonedx-maven-plugin:2.8.0:makeBom -f pom.xml`:

```json
{ "bomFormat" : "CycloneDX", "specVersion" : "1.5", "serialNumber" : "urn:uuid:f58d4ca4-4151-3e20-a826-f01c71692f35", "version" : 1, "metadata" : { "timestamp" : "2024-07-26T18:48:34Z", "lifecycles" : [ { "phase" : "build" } ], "tools" : [ { "vendor" : "OWASP Foundation", "name" : "CycloneDX Maven plugin", "version" : "2.8.0", "hashes" : [ { "alg" : "MD5", "content" : "76ffec6a7ddd46b2b24517411874eb99" }, { "alg" : "SHA-1", "content" : "5b0d5b41975b53be4799b9621b4af0cfc41d44b6" }, { "alg" : "SHA-256", "content" : "6852aa0f4e42a2db745bab80e384951a6a65b9215d041081d675780999027e81" }, { "alg" : "SHA-512", "content" : "417de20fcdcb11c9713bacbd57290d8e68037fdb4553fd31b8cb08bd760ad52dc65ea88ad4be15844ad3fd5a4d3e440d2f70326f2fe1e63ec78e059c9a883f8d" }, { "alg" : "SHA-384", "content" : "5eb755c6492e7a7385fa9a1e1f4517875bcb834b2df437808a37a2d6f5285df428741762305980315a63fcef1406597d" }, { "alg" : "SHA3-384", "content" : "0fe16a47cf7aab0b22251dafcc39939b68e8f1778093309d8d2060b51a08df445a8b8ed5a9561669faf2e55f907c76d8" }, { "alg" : "SHA3-256", "content" : "3e5a1eb5ab7d0797498862794709ff8eaaa071fe4cc9ec77f52db7e2f97ef487" }, { "alg" : "SHA3-512", "content" : "59281a3e29e76270d7f44b40b5b9f05e55f1ae3ec716d80add806f360940809e3813998ac7c5758043b8e248aed73b86e37dc506cdb4cde03c16bb617d8e5a3a" } ] } ], "component" : { "group" : "gd.wa", "name" : "minimal-pom", "version" : "1.0-SNAPSHOT", "licenses" : [ ], "purl" : "pkg:maven/gd.wa/minimal-pom@1.0-SNAPSHOT?type=jar", "externalReferences" : [ { "type" : "website", "url" : "http://maven.apache.org" } ], "type" : "library", "bom-ref" : "pkg:maven/gd.wa/minimal-pom@1.0-SNAPSHOT?type=jar" }, "properties" : [ { "name" : "maven.goal", "value" : "makeBom" }, { "name" : "maven.scopes", "value" : "compile,provided,runtime,system" } ] }, "components" : [ { "group" : "org.webjars", "name" : "bootstrap", "version" : "3.4.1", "description" : "WebJar for Bootstrap", "scope" : "required", "hashes" : [ { "alg" : "MD5", "content" : 
"ba2f9fda2c1fece5ff121e8abc385475" }, { "alg" : "SHA-1", "content" : "2c6a8508a4f1484abcaf334cf2fe3df97cf93eac" }, { "alg" : "SHA-256", "content" : "90fdaa23fb3a9cbce04f4c51699312ab1f1fae2d70c0d1a84541b7e9a76e6e54" }, { "alg" : "SHA-512", "content" : "fb6b12d98bdc2efb6f446fca9356ec0167a8e9757864e9209a66a51cc884c888742a53b22f0c2faeacea528a9e911f9c0a2fd60e6364bc5080cb4da12e68f5aa" }, { "alg" : "SHA-384", "content" : "eb2dcd95bc3036573982d0814433f1d0b883d143f85db7a496c06507495577c068c191101356b2834418544d7f6513fa" }, { "alg" : "SHA3-384", "content" : "2e2820179e8ccb6b00dad6d3d081e7bada7c61abfa85b561d8805997367e8976627804db3d5b2b17e75e478b8c7bd6fa" }, { "alg" : "SHA3-256", "content" : "80ff4fa9640694c39b49021194379675f928be1101fa68e56b9a666193ed4620" }, { "alg" : "SHA3-512", "content" : "84343ebb1c41b1731727196ec7b9eb733b904c70ec2d2b309928396273c0e48f83699d05b4125f69d1baa323268dfb736f9f6519742081becec556a4206dc98a" } ], "licenses" : [ { "license" : { "id" : "Apache-2.0" } } ], "purl" : "pkg:maven/org.webjars/bootstrap@3.4.1?type=jar", "externalReferences" : [ { "type" : "website", "url" : "http://webjars.org" }, { "type" : "distribution-intake", "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" }, { "type" : "vcs", "url" : "http://github.com/webjars/bootstrap" } ], "type" : "library", "bom-ref" : "pkg:maven/org.webjars/bootstrap@3.4.1?type=jar" }, { "group" : "org.webjars", "name" : "jquery", "version" : "1.11.1", "description" : "WebJar for jQuery", "scope" : "required", "hashes" : [ { "alg" : "MD5", "content" : "66dec8956bb59fd4a8015c21b8673544" }, { "alg" : "SHA-1", "content" : "195eda53ac8beba7bff08f9919b48c954c858590" }, { "alg" : "SHA-256", "content" : "197d41758eb59374672fc9346749842b36d950d3f0b429c8846a297274cf95b3" }, { "alg" : "SHA-512", "content" : "d889c87ca34cd9deb0d92231177379b4ae114f87e7ac95791161b3e83376c92485911bbe114fe736559a6adb5396b2176f980d5d450b1df7f8110ca359699dbf" }, { "alg" : "SHA-384", "content" : 
"b2e589b8ed46628400975fa32ef36cdcd39f2b26e382e0dc45fe71409d92d1de412fc8ead298a1ed63b30da15d810849" }, { "alg" : "SHA3-384", "content" : "55ad3e3353f9f9534dab5f0ae03ba672ef96232e7cbaec9988fffdbb7d6465d0f2665f6d401ba4460a4668aeb26d5889" }, { "alg" : "SHA3-256", "content" : "9c1ec14dcfe883e7f4e922a6681f560623025b25b95fe86956e76898df42446d" }, { "alg" : "SHA3-512", "content" : "134bb2dad553b56e548775f17b3d8c0a751a2533dcc8234dc2f1cb0313ee00a792457cc1f2e971a8a1efc58d551e5dbc78a63fd3dde0c6779a03ea0d0360d6f3" } ], "licenses" : [ { "license" : { "id" : "MIT", "url" : "https://opensource.org/licenses/MIT" } } ], "purl" : "pkg:maven/org.webjars/jquery@1.11.1?type=jar", "externalReferences" : [ { "type" : "website", "url" : "http://webjars.org" }, { "type" : "distribution-intake", "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" }, { "type" : "vcs", "url" : "http://github.com/webjars/jquery" } ], "type" : "library", "bom-ref" : "pkg:maven/org.webjars/jquery@1.11.1?type=jar" } ], "dependencies" : [ { "ref" : "pkg:maven/gd.wa/minimal-pom@1.0-SNAPSHOT?type=jar", "dependsOn" : [ "pkg:maven/org.webjars/bootstrap@3.4.1?type=jar" ] }, { "ref" : "pkg:maven/org.webjars/bootstrap@3.4.1?type=jar", "dependsOn" : [ "pkg:maven/org.webjars/jquery@1.11.1?type=jar" ] }, { "ref" : "pkg:maven/org.webjars/jquery@1.11.1?type=jar", "dependsOn" : [ ] } ] }
```

Grype config `config.yaml`:

Finally, Grype `grype -c config.yaml sbom:cycl.json` output:

Anything else we need to know?:

The listed CVEs can be found by nvd-clojure (a wrapper for OWASP Dependency-Check which takes a Java classpath as an input) and the Sonatype OSS Index analyzer in OWASP Dependency-Track (after uploading the `cycl.json` SBOM):

Environment:

`grype version`: