aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

Wrong detection of maven dependency versions if multiple dependency imports are defined. #1943

Closed jkroepke closed 2 years ago

jkroepke commented 2 years ago

Description

Using the fs scanner to detect vulnerable libraries of the pom.xml leads to incorrect version detection and false-positive reports.

What did you expect to happen?

A report based on the correct detected dependency versions.

What happened instead?

A false-positive report based on the incorrect detected dependency versions.

Output of run with -debug:

% docker run -ti --rm -v $HOME/Library/Caches:/root/.cache/ -v $PWD:/work aquasec/trivy:0.25.1 -debug fs /work/
2022-04-05T08:45:01.329Z    DEBUG   Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-04-05T08:45:01.338Z    DEBUG   cache dir:  /root/.cache/trivy
2022-04-05T08:45:01.341Z    DEBUG   DB update was skipped because the local DB is the latest
2022-04-05T08:45:01.342Z    DEBUG   DB Schema: 2, UpdatedAt: 2022-04-05 06:06:16.749989935 +0000 UTC, NextUpdate: 2022-04-05 12:06:16.749989435 +0000 UTC, DownloadedAt: 2022-04-05 08:35:08.7752161 +0000 UTC
2022-04-05T08:45:01.347Z    DEBUG   Vulnerability type:  [os library]
2022-04-05T08:45:01.352Z    DEBUG   Resolving com.fasterxml.jackson:jackson-bom:2.13.2.20220328...
2022-04-05T08:45:01.593Z    DEBUG   Resolving org.jboss.resteasy:resteasy-bom:5.0.2.Final...
2022-04-05T08:45:01.666Z    DEBUG   Resolving org.keycloak:keycloak-parent:17.0.1...
2022-04-05T08:45:01.739Z    DEBUG   Resolving org.keycloak:keycloak-admin-client:37...
2022-04-05T08:45:01.763Z    DEBUG   org.keycloak:keycloak-admin-client:37 was not found in local/remote repositories
2022-04-05T08:45:01.764Z    DEBUG   Resolving com.fasterxml.jackson.core:jackson-databind:2.12.1...
2022-04-05T08:45:01.884Z    DEBUG   Resolving com.fasterxml.jackson.core:jackson-annotations:2.12.1...
2022-04-05T08:45:01.904Z    DEBUG   Resolving com.fasterxml.jackson.core:jackson-core:2.12.1...
2022-04-05T08:45:01.930Z    DEBUG   OS is not detected and vulnerabilities in OS packages are not detected.
2022-04-05T08:45:01.930Z    DEBUG   Detected OS: unknown
2022-04-05T08:45:01.930Z    INFO    Number of language-specific files: 1
2022-04-05T08:45:01.930Z    INFO    Detecting pom vulnerabilities...
2022-04-05T08:45:01.930Z    DEBUG   Detecting library vulnerabilities, type: pom, path: pom.xml

pom.xml (pom)
=============
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+---------------------------------------------+------------------+----------+-------------------+--------------------+---------------------------------------+
|                   LIBRARY                   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |   FIXED VERSION    |                 TITLE                 |
+---------------------------------------------+------------------+----------+-------------------+--------------------+---------------------------------------+
| com.fasterxml.jackson.core:jackson-databind | CVE-2020-36518   | HIGH     | 2.12.1            | 2.12.6.1, 2.13.2.1 | jackson-databind: denial of service   |
|                                             |                  |          |                   |                    | via a large depth of nested objects   |
|                                             |                  |          |                   |                    | -->avd.aquasec.com/nvd/cve-2020-36518 |
+---------------------------------------------+------------------+----------+-------------------+--------------------+---------------------------------------+

Output of trivy -v:

Version: 0.25.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-04-05 06:06:16.749989935 +0000 UTC
  NextUpdate: 2022-04-05 12:06:16.749989435 +0000 UTC
  DownloadedAt: 2022-04-05 08:35:08.7752161 +0000 UTC

Additional details (base image name, container registry info...):

Test with main branch of https://github.com/adorsys/keycloak-config-cli . For reporting this bug, I generated a minimal pom.xml of the project:

pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>de.adorsys.keycloak</groupId>
    <artifactId>keycloak-config-cli</artifactId>
    <packaging>jar</packaging>
    <version>5.0.1-SNAPSHOT</version>

    <name>keycloak-config-cli</name>

    <properties>
        <java.version>11</java.version>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>

        <keycloak.version>17.0.1</keycloak.version>
        <jackson.version>2.13.2.20220328</jackson.version>
        <resteasy.version>5.0.2.Final</resteasy.version>
    </properties>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>com.fasterxml.jackson</groupId>
                <artifactId>jackson-bom</artifactId>
                <version>${jackson.version}</version>
                <scope>import</scope>
                <type>pom</type>
            </dependency>

            <dependency>
                <groupId>org.jboss.resteasy</groupId>
                <artifactId>resteasy-bom</artifactId>
                <version>${resteasy.version}</version>
                <scope>import</scope>
                <type>pom</type>
            </dependency>

            <dependency>
                <groupId>org.keycloak</groupId>
                <artifactId>keycloak-parent</artifactId>
                <version>${keycloak.version}</version>
                <scope>import</scope>
                <type>pom</type>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <dependencies>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-admin-client</artifactId>
            <exclusions>
                <exclusion>
                    <groupId>org.jboss.resteasy</groupId>
                    <artifactId>resteasy-jaxb-provider</artifactId>
                </exclusion>
            </exclusions>
        </dependency>

        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-databind</artifactId>
        </dependency>

    </dependencies>

    <build>
        <finalName>${project.artifactId}</finalName>
    </build>
</project>

Trivy report:

pom.xml (pom)
=============
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+---------------------------------------------+------------------+----------+-------------------+--------------------+---------------------------------------+
|                   LIBRARY                   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |   FIXED VERSION    |                 TITLE                 |
+---------------------------------------------+------------------+----------+-------------------+--------------------+---------------------------------------+
| com.fasterxml.jackson.core:jackson-databind | CVE-2020-36518   | HIGH     | 2.12.1            | 2.12.6.1, 2.13.2.1 | jackson-databind: denial of service   |
|                                             |                  |          |                   |                    | via a large depth of nested objects   |
|                                             |                  |          |                   |                    | -->avd.aquasec.com/nvd/cve-2020-36518 |
+---------------------------------------------+------------------+----------+-------------------+--------------------+---------------------------------------+

maven output:

% mvn dependency:tree | grep jackson-databind
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.2:compile

I guess multiple imported BOMs are confusing trivy. The dependency is defined in com.fasterxml.jackson.jackson-bom and org.keycloak.keycloak-parent. 2.12.1 is defined in org.keycloak.keycloak-parent, while 2.13.2.2 is defined in com.fasterxml.jackson.jackson-bom.

For reference: the rootfs scanner on the built jar does not report the jackson-databind library, which is correct.
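
The precedence rule behind the mismatch described in this report, as an added example (this is not trivy or go-dep-parser code): a small Go resolver reads a trimmed copy of the pom.xml above, expands the `${...}` properties, and merges the imported BOMs two ways. Under Maven's rule the first declared BOM wins for an artifact that several BOMs manage, so jackson-databind resolves to 2.13.2.2, matching the `mvn dependency:tree` output; under last-import-wins it resolves to 2.12.1, the version in the trivy report. The `bomCatalog` table is a constructed stand-in for the real jackson-bom and keycloak-parent POMs, filled only with the versions visible in the debug log and mvn output; the function and type names are this example's own.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"os"
)

// samplePOM is a trimmed copy of the issue's pom.xml: the two BOMs that both manage jackson-databind.
const samplePOM = `<project>
  <properties><keycloak.version>17.0.1</keycloak.version><jackson.version>2.13.2.20220328</jackson.version></properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>com.fasterxml.jackson</groupId><artifactId>jackson-bom</artifactId><version>${jackson.version}</version><scope>import</scope><type>pom</type></dependency>
    <dependency><groupId>org.keycloak</groupId><artifactId>keycloak-parent</artifactId><version>${keycloak.version}</version><scope>import</scope><type>pom</type></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>org.keycloak</groupId><artifactId>keycloak-admin-client</artifactId></dependency>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId></dependency>
  </dependencies>
</project>`

// bomCatalog stands in for the BOM POMs Maven would download. Its contents are constructed
// from the versions visible in the issue's debug log and mvn output; they are not the real BOMs.
var bomCatalog = map[string]map[string]string{
	"com.fasterxml.jackson:jackson-bom:2.13.2.20220328": {
		"com.fasterxml.jackson.core:jackson-databind": "2.13.2.2",
	},
	"org.keycloak:keycloak-parent:17.0.1": {
		"org.keycloak:keycloak-admin-client":          "17.0.1", // assumed value for this example
		"com.fasterxml.jackson.core:jackson-databind": "2.12.1",
	},
}

type dependency struct {
	GroupID    string `xml:"groupId"`
	ArtifactID string `xml:"artifactId"`
	Version    string `xml:"version"`
	Scope      string `xml:"scope"`
	Type       string `xml:"type"`
}

type pom struct {
	Properties struct {
		Entries []struct {
			XMLName xml.Name
			Value   string `xml:",chardata"`
		} `xml:",any"`
	} `xml:"properties"`
	Managed []dependency `xml:"dependencyManagement>dependencies>dependency"`
	Deps    []dependency `xml:"dependencies>dependency"`
}

// expand substitutes ${name} placeholders from the POM's <properties>.
func (p *pom) expand(s string) string {
	return os.Expand(s, func(name string) string {
		for _, e := range p.Properties.Entries {
			if e.XMLName.Local == name {
				return e.Value
			}
		}
		return ""
	})
}

// managedVersions merges the imported BOMs in declaration order. With firstWins=true an
// artifact keeps the version from the earliest BOM that manages it (Maven's rule); with
// firstWins=false each later BOM overwrites earlier ones, which yields the 2.12.1 reported here.
func managedVersions(p *pom, firstWins bool) map[string]string {
	managed := map[string]string{}
	for _, d := range p.Managed {
		if d.Scope != "import" || d.Type != "pom" {
			continue // plain dependencyManagement entries are not modelled in this example
		}
		bomKey := d.GroupID + ":" + d.ArtifactID + ":" + p.expand(d.Version)
		for artifact, version := range bomCatalog[bomKey] {
			if _, seen := managed[artifact]; seen && firstWins {
				continue
			}
			managed[artifact] = version
		}
	}
	return managed
}

// effectiveVersions parses the POM and resolves each direct dependency: an explicit
// version wins, otherwise the merged managed table supplies one ("" if nothing manages it).
func effectiveVersions(src string, firstWins bool) (map[string]string, error) {
	var p pom
	if err := xml.Unmarshal([]byte(src), &p); err != nil {
		return nil, err
	}
	managed := managedVersions(&p, firstWins)
	out := map[string]string{}
	for _, d := range p.Deps {
		key := d.GroupID + ":" + d.ArtifactID
		if d.Version != "" {
			out[key] = p.expand(d.Version)
		} else {
			out[key] = managed[key]
		}
	}
	return out, nil
}

func main() {
	maven, _ := effectiveVersions(samplePOM, true)
	buggy, _ := effectiveVersions(samplePOM, false)
	fmt.Println("Maven (first import wins):", maven)
	fmt.Println("this issue (last import wins):", buggy)
}
```

Run it with `go run` to see the two tables side by side. The practical check it illustrates is the one the reporter did: before acting on a "vulnerable library" finding from a manifest scan, compare the reported installed version with what the build tool itself resolves (`mvn dependency:tree`); a scanner that merges BOMs in the wrong order produces a confident-looking but false version.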

jkroepke commented 2 years ago

Possible fix: https://github.com/aquasecurity/go-dep-parser/pull/91