WIP: investigation and fixes of the false positive purl issue #92

[MagielBruntink]

@romatallinn @proksch Guys you want to be aware of this one. The vulnerable version range parsing is broken, which leads to a lot of false positively marked vulnerable packages/callables. I just added a test that exposes the bug.

[MagielBruntink]

Further info on GH advisory version ranges: https://github.community/t/getting-duplicate-responses-from-security-advisories-graphql-api/120166

[proksch]

@mir-am Could you please have a look at this?

[MagielBruntink]

I have a fix coming, will push tomorrow.

[MagielBruntink]

This should now close #92, let's do some testing though :-)

[MagielBruntink]

Many warnings still appear in the log due to newly added logging statements. Often, the exact specified versions in the version range are missing from the list of version available for the package on eg. Maven:

[2021-10-12 08:19:20,209] [WARN ] [main] [e.f.v.u.m.VersionRanger] - getVulnerableVersionsJSON: version 2.0.6 from range  < 2.0.6 not found among [1.0.0.RELEASE, 1.1.0.RELEASE, 1.1.1.RELEASE, 1.1.2.RELEASE, 1.1.3.RELEASE, 1.1.4.RELEASE, 1.2.0.RELEASE, 1.2.1.RELEASE, 1.2.2.RELEASE, 1.3.0.RELEASE, 1.3.1.RELEASE, 1.3.2.RELEASE, 1.3.3.RELEASE, 1.3.4.RELEASE, 1.3.5.RELEASE, 1.3.6.RELEASE, 1.3.7.RELEASE, 1.4.0.RELEASE, 1.4.1.RELEASE, 1.3.8.RELEASE, 1.4.2.RELEASE, 1.3.9.RELEASE, 1.4.3.RELEASE, 1.4.4.RELEASE, 1.4.5.RELEASE, 1.5.0.RELEASE, 1.4.6.RELEASE, 1.5.1.RELEASE, 1.5.2.RELEASE, 1.5.3.RELEASE, 1.5.4.RELEASE, 1.5.5.RELEASE, 1.5.6.RELEASE, 1.6.0.RELEASE, 1.6.1.RELEASE, 1.6.2.RELEASE, 1.6.3.RELEASE, 1.6.4.RELEASE, 1.6.5.RELEASE, 1.6.6.RELEASE, 1.6.7.RELEASE, 1.7.0.RELEASE, 1.6.8.RELEASE, 1.7.1.RELEASE, 1.6.9.RELEASE, 1.7.2.RELEASE, 1.6.10.RELEASE, 1.7.3.RELEASE, 1.5.7.RELEASE, 1.6.11.RELEASE, 1.7.4.RELEASE, 2.0.0.RELEASE, 1.7.5.RELEASE, 2.0.1.RELEASE, 1.7.6.RELEASE, 2.0.2.RELEASE, 1.7.7.RELEASE, 2.0.3.RELEASE, 1.7.8.RELEASE, 2.0.4.RELEASE, 1.7.9.RELEASE, 2.0.5.RELEASE, 1.7.10.RELEASE, 2.0.6.RELEASE, 1.7.11.RELEASE, 2.0.7.RELEASE, 2.0.8.RELEASE, 2.1.0.RELEASE, 2.0.9.RELEASE, 2.1.1.RELEASE, 2.0.10.RELEASE, 2.1.2.RELEASE, 1.7.12.RELEASE, 2.0.11.RELEASE, 2.1.3.RELEASE, 2.1.4.RELEASE, 1.7.13.RELEASE, 2.0.12.RELEASE, 2.1.5.RELEASE, 2.1.6.RELEASE, 2.1.7.RELEASE, 1.7.14.RELEASE, 2.1.8.RELEASE, 2.0.13.RELEASE, 2.1.9.RELEASE, 2.1.10.RELEASE, 2.1.11.RELEASE, 2.2.0.RELEASE, 2.1.12.RELEASE, 2.2.1.RELEASE, 2.2.2.RELEASE, 2.0.14.RELEASE, 2.1.13.RELEASE, 2.2.3.RELEASE, 2.2.4.RELEASE, 2.2.5.RELEASE, 2.1.14.RELEASE, 2.2.6.RELEASE, 2.1.15.RELEASE, 2.2.7.RELEASE, 2.2.8.RELEASE, 2.1.16.RELEASE, 2.2.9.RELEASE, 2.2.10.RELEASE, 2.1.17.RELEASE, 2.2.11.RELEASE, 2.2.12.RELEASE, 2.3.0, 2.3.1, 1.7.15.RELEASE, 2.2.13.RELEASE, 2.3.2, 2.1.18.RELEASE, 2.2.14.RELEASE, 2.3.3, 2.3.4, 2.2.15.RELEASE, 2.3.5, 2.2.16.RELEASE, 2.3.6, 2.2.17.RELEASE, 2.3.7, 2.2.18.RELEASE, 2.3.8, 2.3.9, 2.3.10]

This now leads to all version being marked vulnerable in that range, which is conservative but also probably will lead to lots of false positives.

[proksch]

So just to double check, does this mean that we need to re-run the producer, or is it enough to re-run the consumer part of the vulnerability crawler?

[MagielBruntink]

Yes, the producer needs to re-run. That's what we are dong in our local deployment at least. Many of the reported vulnerabilties by the producer were false positive due to this bug.