google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0
6.1k stars 343 forks

maven dependency but no version #1122

Closed jsqfengbao closed 2 weeks ago

jsqfengbao commented 1 month ago

A Maven dependency without a version comes from three places: one is the version number defined by dependencyManagement, one is the version number of the parent, and one is that other dependencies have it but it is redefined here. These three situations depend on Maven's build mechanism: https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html Now the question is: if a Maven dependency has no version, then osv-scanner will not extract it. Could there be such a vulnerability that is not detected by osv-scanner?

cuixq commented 1 month ago

I believe Maven does not allow dependencies without requirements declared. Can you give an example where you observe Maven dependencies without version requirements?

jsqfengbao commented 1 month ago

For example, just like this, from line 119 to line 133: https://github.com/jeecgboot/JeecgBoot/blob/master/jeecg-boot/pom.xml#L119-#L133 Its version number should be inherited from the parent version number.

2.7.18
jsqfengbao commented 1 month ago

Or the version numbers here, some of which come from the version numbers defined in dependencyManagement: https://github.com/jeecgboot/JeecgBoot/blob/master/jeecg-boot/jeecg-boot-base-core/pom.xml

jsqfengbao commented 1 month ago

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

4.0.0
<groupId>com.test</groupId>
<artifactId>myJavaDemo</artifactId>
<version>1.1-SNAPSHOT</version>

<properties>
    <maven.compiler.source>10</maven.compiler.source>
    <maven.compiler.target>10</maven.compiler.target>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.0.0</version>
    <relativePath/> <!-- lookup parent from repository -->
</parent>

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-jpa</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-thymeleaf</artifactId>
    </dependency>

    <!-- Database Driver -->
    <dependency>
        <groupId>com.h2database</groupId>
        <artifactId>h2</artifactId>
        <scope>runtime</scope>
    </dependency>
    <!-- If you use MySQL -->
    <!-- <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <scope>runtime</scope>
    </dependency> -->

    <!-- Lombok for code generation -->
    <dependency>
        <groupId>org.projectlombok</groupId>
        <artifactId>lombok</artifactId>
        <version>1.18.24</version>
        <scope>provided</scope>
    </dependency>

    <!-- Spring Boot Testing -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>

    <dependency>
        <groupId>com.alibaba</groupId>
        <artifactId>fastjson</artifactId>
        <version>1.2.43</version>
    </dependency>
</dependencies>
```

For example, in the pom.xml above, the component returned by the command I executed is empty, but in fact there should be fast-json.

```
osv-scanner --experimental-offline .
Scanning dir .
Scanned /Users/pom.xml file and found 8 packages
could not load db for Maven ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
could not load db for Maven ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
could not load db for Maven ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
could not load db for Maven ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
could not load db for Maven ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
could not load db for Maven ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
could not load db for Maven ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
could not load db for Maven ecosystem: unable to fetch OSV database: no offline version of the OSV database is available
```

cuixq commented 1 month ago

As far as I know, OSV-Scanner should be able to resolve version requirements from dependency management or parent.

For the pom.xml that you provided, the `<project>` and `<modelVersion>` tags are missing. OSV-Scanner is able to identify transitive dependencies with both tags added.

However, for offline mode, since no requests will be made, parent pom files are not fetched from upstream and thus some version requirements are not resolved.
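The two mechanisms discussed in this thread, a version-less dependency picking up its version from `dependencyManagement` (possibly via a `${property}`) or from the parent POM, and the offline case in which the parent cannot be fetched so some versions stay unresolved, worked through as an added Go example. This is not osv-scanner's code and not how its Maven extractor is implemented; it is a deliberately simplified single-level model in which the parent POM is handed in directly (or as `nil` to stand for "not fetchable offline") rather than downloaded, `relativePath`, BOM imports and multi-level inheritance are ignored, and both POMs are constructed samples modelled on the one posted above.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"regexp"
)

// Dependency is a Maven coordinate; Version is empty when the POM defers it.
type Dependency struct {
	GroupID    string `xml:"groupId"`
	ArtifactID string `xml:"artifactId"`
	Version    string `xml:"version"`
}

// Project is the subset of the POM model that version resolution needs.
type Project struct {
	Properties struct {
		Any []struct {
			XMLName xml.Name
			Value   string `xml:",chardata"`
		} `xml:",any"`
	} `xml:"properties"`
	Managed      []Dependency `xml:"dependencyManagement>dependencies>dependency"`
	Dependencies []Dependency `xml:"dependencies>dependency"`
}

// ParsePOM unmarshals one pom.xml without resolving anything.
func ParsePOM(data []byte) (*Project, error) {
	p := &Project{}
	return p, xml.Unmarshal(data, p)
}

var propRef = regexp.MustCompile(`\$\{([^}]+)\}`) // a ${property} reference
func coord(d Dependency) string           { return d.GroupID + ":" + d.ArtifactID }

// Resolve fills missing versions as Maven inheritance does (parent first, child
// overrides); a nil parent models an offline run where the parent POM is unavailable.
func Resolve(child, parent *Project) (resolved map[string]string, unresolved []string) {
	props, managed := map[string]string{}, map[string]string{}
	for _, p := range []*Project{parent, child} {
		if p == nil {
			continue
		}
		for _, e := range p.Properties.Any {
			props[e.XMLName.Local] = e.Value
		}
		for _, d := range p.Managed {
			managed[coord(d)] = d.Version
		}
	}
	resolved = map[string]string{}
	for _, d := range child.Dependencies {
		v := d.Version
		if v == "" {
			v = managed[coord(d)] // nearest dependencyManagement entry, if any
		}
		v = propRef.ReplaceAllStringFunc(v, func(m string) string { // expand ${...}
			if val, ok := props[m[2:len(m)-1]]; ok {
				return val
			}
			return m // unknown property: leave the reference dangling
		})
		if v == "" || propRef.MatchString(v) { // still missing or dangling ${...}
			unresolved = append(unresolved, coord(d))
			continue
		}
		resolved[coord(d)] = v
	}
	return resolved, unresolved
}

// childPOM is a constructed sample: fastjson is managed locally via a property, spring-boot-starter-web is left to the parent.
const childPOM = `<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-parent</artifactId><version>3.0.0</version></parent>
  <properties><fastjson.version>1.2.43</fastjson.version></properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>com.alibaba</groupId><artifactId>fastjson</artifactId><version>${fastjson.version}</version></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency>
    <dependency><groupId>com.alibaba</groupId><artifactId>fastjson</artifactId></dependency>
  </dependencies>
</project>`

// parentPOM is a constructed stand-in; the real spring-boot-starter-parent imports a BOM instead.
const parentPOM = `<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><spring-boot.version>3.0.0</spring-boot.version></properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId><version>${spring-boot.version}</version></dependency>
  </dependencies></dependencyManagement>
</project>`

func main() {
	child, _ := ParsePOM([]byte(childPOM)) // constructed inputs, known to parse
	parent, _ := ParsePOM([]byte(parentPOM))
	fmt.Println(Resolve(child, parent)) // online: parent POM available
	fmt.Println(Resolve(child, nil))    // offline: parent POM not fetchable
}
```

With the parent supplied, both version-less dependencies resolve (`spring-boot-starter-web` to 3.0.0 through the parent's property, `fastjson` to 1.2.43 through the child's own `dependencyManagement`); with `nil` in place of the parent, `fastjson` still resolves but `spring-boot-starter-web` is reported as unresolved, which is the gap a scanner run without network access has to surface rather than silently drop, since an unresolved package can never be matched against an advisory.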