dependency-check / dependency-check-gradle

The dependency-check gradle plugin is a Software Composition Analysis (SCA) tool that allows projects to monitor dependent libraries for known, published vulnerabilities.
http://jeremylong.github.io/DependencyCheck/
Apache License 2.0

Different CVEs reported when using different OWASP versions #337

Closed vidgeus closed 1 year ago

vidgeus commented 1 year ago

Recreation steps: in my project I use the following build.gradle:

// Gradle build used to reproduce the issue
buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        // Plugin version under comparison: 8.2.1 in the first run, 8.1.0 in the second
        classpath 'org.owasp:dependency-check-gradle:8.2.1'
    }
}

plugins {
    id 'java'
}

// Applied with the legacy syntax because the plugin comes from the buildscript classpath
apply plugin: 'org.owasp.dependencycheck'

group 'org.example'
version '1.0-SNAPSHOT'
sourceCompatibility = JavaVersion.VERSION_17

repositories {
    mavenCentral()
}

dependencies {
    // Single direct dependency; the reported findings (snakeyaml, jackson-core) are on its transitive dependencies
    implementation("org.springframework.boot:spring-boot-starter-actuator:3.0.6")
}

When I run the dependencyCheckAnalyze gradle task I get the following vulnerability (just snakeyaml): (screenshot)

But when I change the OWASP version in the build.gradle from 8.2.1 to 8.1.0 then I get different vulnerabilities (snakeyaml & jackson-core): (screenshot)

Notes: I ran dependencyCheckPurge & dependencyCheckUpdate in both cases to ensure a "clean" recreation of the issue.

The problem: why do different versions of OWASP yield different vulnerabilities? Isn't the vulnerability data source independent from the OWASP releases?

jeremylong commented 1 year ago

The data source is independent - but the evidence and identification is different when using the CLI vs a build plugin. We always recommend the use of a build plugin over the CLI (or docker image). This is expected behavior due to how dependency-check works.

albertjimenez commented 1 year ago

@jeremylong My question is actually this one, but reading the answer I believe there might be a confusion. In terms of the original question, the point is that two different versions of the same Gradle plugin produce different results. I did not expect that the CLI or the Gradle plugin could yield different results, but the same Gradle plugin, one 8.2.1 and the other 8.1.0, should yield the same results, right?

jeremylong commented 1 year ago

Did you actually look at the "vulnerability" reported by 8.1.0? I bet it looks like a false positive.... Most version upgrades include some level of false positive reduction.
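As an added illustration of the two points made above (identification is driven by evidence, and newer releases tighten that identification to cut false positives), here is a toy model of how metadata collected from a jar's POM and manifest becomes evidence and is matched against CPE entries. This is not dependency-check's code and not code from anyone in this thread. The artifact coordinates for snakeyaml and jackson-core are the real ones named in the issue; the CPE index, the confidence scores and both matching rules are constructed for illustration and are not NVD data or the real analyzer logic.

```python
"""Toy evidence-to-CPE matcher (added illustration; not dependency-check code).

Shows why a looser identification rule can report a CPE that a stricter
rule does not, for the same jar and the same CPE index.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Evidence:
    source: str       # where the value was read from: "pom", "manifest", ...
    kind: str         # "vendor", "product" or "version"
    value: str
    confidence: int   # constructed scale: 3 = strongest, 1 = weakest


@dataclass(frozen=True)
class Cpe:
    vendor: str
    product: str


def tokens(value: str) -> set:
    """Lower-case alphanumeric tokens of an evidence or CPE string."""
    return {t for t in re.split(r"[^a-z0-9]+", value.lower()) if t}


# Constructed evidence for two real Maven artifacts mentioned in the issue.
SNAKEYAML = [
    Evidence("pom", "vendor", "org.yaml", 3),
    Evidence("pom", "product", "snakeyaml", 3),
    Evidence("manifest", "product", "SnakeYAML", 2),
    Evidence("pom", "version", "1.33", 3),
]
JACKSON_CORE = [
    Evidence("pom", "vendor", "com.fasterxml.jackson.core", 3),
    Evidence("pom", "product", "jackson-core", 3),
    Evidence("manifest", "product", "Jackson-core", 2),
    Evidence("pom", "version", "2.14.2", 3),
]

# Constructed CPE index (NOT real NVD entries). The last entry is a lure:
# its product token "core" collides with the "core" token of "jackson-core".
CPE_INDEX = [
    Cpe("yaml", "snakeyaml"),
    Cpe("fasterxml", "jackson-core"),
    Cpe("example_vendor", "core"),
]


def naive_identify(evidence, index):
    """Loose rule: a CPE matches if ANY product-evidence token appears in its product."""
    product_tokens = set().union(*(tokens(e.value) for e in evidence if e.kind == "product"))
    return {c for c in index if tokens(c.product) & product_tokens}


def strict_identify(evidence, index, min_confidence=2):
    """Tighter rule: whole product value must match AND a vendor token must agree,
    considering only evidence at or above min_confidence."""
    strong = [e for e in evidence if e.confidence >= min_confidence]
    product_values = {e.value.lower() for e in strong if e.kind == "product"}
    vendor_tokens = set().union(*(tokens(e.value) for e in strong if e.kind == "vendor"))
    return {
        c for c in index
        if c.product.lower() in product_values and tokens(c.vendor) & vendor_tokens
    }


def false_positives(evidence, index):
    """CPEs the loose rule reports that the strict rule does not."""
    return naive_identify(evidence, index) - strict_identify(evidence, index)


def demo():
    for name, ev in (("snakeyaml", SNAKEYAML), ("jackson-core", JACKSON_CORE)):
        print(name)
        print("  naive :", sorted((c.vendor, c.product) for c in naive_identify(ev, CPE_INDEX)))
        print("  strict:", sorted((c.vendor, c.product) for c in strict_identify(ev, CPE_INDEX)))
        print("  dropped as false positive:", sorted((c.vendor, c.product) for c in false_positives(ev, CPE_INDEX)))


if __name__ == "__main__":
    demo()
```

Running `demo()` shows snakeyaml identified identically by both rules, while jackson-core picks up the lure CPE only under the loose rule; the gap between the two rules is the same kind of difference that shows up when two plugin releases with different identification heuristics scan the same build.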

albertjimenez commented 1 year ago

Thank you @jeremylong for the clarification, I appreciate it. It looked like a false positive indeed.