dependency-check / dependency-check-sonar-plugin

Integrates Dependency-Check reports into SonarQube

URI encoded package names do not match names in lock-file #863

Closed. slosd closed this 7 months ago

slosd commented 1 year ago

This method seems to read a URI (https://github.com/package-url/purl-spec), but the URI components are never decoded: https://github.com/dependency-check/dependency-check-sonar-plugin/blob/3aea40419b4a7c7e99af24cc6af3ff61d3e99710/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/base/DependencyCheckUtils.java#L233

As a result, a URI-encoded string is compared to package names in the lock-file, which are not URI-encoded.

To Reproduce

Excerpt from a JSON report:

{
  "dependencies": [
    {
      "packages": [
        {
          "id": "pkg:npm/%40apollo%2Fserver@4.7.5"
        }
      ]
    }
  ]
}

Current behavior

In the example above the vulnerability for "@apollo/server" is added to the first line of package-lock.json.

Expected behavior

The vulnerability for "@apollo/server" is added where "@apollo/server" is declared in package-lock.json.

Versions (please complete the following information):

dependency-check-sonar-plugin: 4.0.0

Reamer commented 1 year ago

This plugin takes the content of the JSON report. If the content of the reports is incorrect, this would have to be corrected in the main project. https://github.com/jeremylong/DependencyCheck

slosd commented 1 year ago

I don't think the report is incorrect. Is the content of "id" not supposed to be a URI?

slosd commented 1 year ago

Looking at the purl spec, it seems pkg:npm/%40apollo/server@4.7.5 would be "more" correct, but as far as I can see that wouldn't work either, because we would compare the literal string "%40apollo/server" to "@apollo/server" in package-lock.json.
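Worked example of the decoding step the two slosd comments above are asking for. This is an added illustration, not code from the plugin, from DependencyCheck, or from anyone in this thread: the purl parser, the `locate` helper and the lockfileVersion 3 package-lock.json text are constructed here for demonstration, and the line lookup is a simplified stand-in for whatever DependencyCheckUtils does. It shows that both the id as it appears in the report excerpt (`%40apollo%2Fserver`) and the spec-style id (`%40apollo/server`) resolve to the same lock-file entry once each path segment is percent-decoded, while the undecoded strings match nothing.

```javascript
// Added example, not the plugin's code. Decode a purl "id" from a
// Dependency-Check JSON report as the purl spec requires, then look the
// decoded npm name up in package-lock.json.

// Minimal purl parser: pkg:<type>/<namespace>/<name>@<version>?<qualifiers>#<subpath>
// decode=true (spec behaviour) percent-decodes every path segment and the version;
// decode=false reproduces the literal, undecoded comparison the issue describes.
function parsePurl(purl, decode = true) {
  if (!purl.startsWith("pkg:")) throw new Error("not a purl: " + purl);
  let rest = purl.slice(4).replace(/^\/+/, "");
  // Drop subpath and qualifiers first so their '@' and '/' cannot be mistaken
  // for the version or namespace separators.
  const hash = rest.indexOf("#");
  if (hash !== -1) rest = rest.slice(0, hash);
  const q = rest.indexOf("?");
  if (q !== -1) rest = rest.slice(0, q);
  const slash = rest.indexOf("/");
  if (slash === -1) throw new Error("purl has no name: " + purl);
  const type = rest.slice(0, slash).toLowerCase();
  rest = rest.slice(slash + 1);
  let version = null;
  const at = rest.lastIndexOf("@"); // a scope '@' is encoded as %40, so the last '@' is the version
  if (at !== -1) {
    version = rest.slice(at + 1);
    rest = rest.slice(0, at);
  }
  const dec = decode ? decodeURIComponent : (s) => s;
  if (version !== null) version = dec(version);
  const segments = rest.split("/").filter(Boolean).map(dec);
  const name = segments.pop();
  if (!name) throw new Error("purl has no name: " + purl);
  const namespace = segments.length ? segments.join("/") : null;
  return { type, namespace, name, version };
}

// npm package name as package-lock.json spells it: "@scope/name" or "name".
function npmName(p) {
  return p.namespace ? p.namespace + "/" + p.name : p.name;
}

// Constructed sample input: a lockfileVersion 3 package-lock.json (not a real project's file).
const PACKAGE_LOCK = `{
  "name": "demo",
  "lockfileVersion": 3,
  "packages": {
    "": { "dependencies": { "@apollo/server": "^4.7.5" } },
    "node_modules/@apollo/server": {
      "version": "4.7.5",
      "resolved": "https://registry.npmjs.org/@apollo/server/-/server-4.7.5.tgz"
    }
  }
}`;

// 1-based line on which "node_modules/<pkgName>" is declared, or null if absent.
// Hypothetical lookup: a literal key comparison against the lock-file text.
function findDeclarationLine(lockText, pkgName) {
  const lines = lockText.split("\n");
  const needle = JSON.stringify("node_modules/" + pkgName) + ":";
  for (let i = 0; i < lines.length; i++) {
    if (lines[i].trim().startsWith(needle)) return i + 1;
  }
  return null;
}

// Compare the undecoded and decoded lookups for one report id.
function locate(purl, lockText = PACKAGE_LOCK) {
  const raw = npmName(parsePurl(purl, false));
  const decoded = npmName(parsePurl(purl, true));
  return {
    raw,
    rawLine: findDeclarationLine(lockText, raw),
    decoded,
    decodedLine: findDeclarationLine(lockText, decoded),
  };
}

const REPORT_ID = "pkg:npm/%40apollo%2Fserver@4.7.5"; // id from the report excerpt in this issue
const SPEC_ID = "pkg:npm/%40apollo/server@4.7.5";     // the form the purl spec would produce
console.log(locate(REPORT_ID));
console.log(locate(SPEC_ID));
```

`decodeURIComponent` throws `URIError` on a malformed percent sequence, so a real implementation should catch that and fall back to the raw string rather than fail the whole report. For the plugin's own Java code, note that `java.net.URLDecoder.decode` is form-decoding and turns `+` into a space, which is not what the purl spec wants; decoding must be plain percent-decoding of each segment.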

github-actions[bot] commented 10 months ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

github-actions[bot] commented 10 months ago

This issue was closed because it has been stalled for 14 days with no activity.

slosd commented 10 months ago

This bug still exists

github-actions[bot] commented 8 months ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

github-actions[bot] commented 7 months ago

This issue was closed because it has been stalled for 14 days with no activity.