google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0

False negative in osv-scanner #1387

Closed mlieberman85 closed 3 weeks ago

mlieberman85 commented 3 weeks ago

The following SBOM includes multiple versions of the npm package cookie. OSV-Scanner finds most of the vulns for the various versions of cookie. However, it misses 0.5.1. I will also look for other false negatives as well.

Link to SBOM - https://raw.githubusercontent.com/guacsec/guac-data/refs/heads/main/top-dh-sboms/rocket.chat.json

Steps to replicate:

  1. osv-scanner --sbom rocket.chat.json --format vertical

Relevant part of output:

  cookie@0.1.0 has the following known vulnerabilities:
    GHSA-pxg6-pf52-xh8x: cookie accepts cookie name, path, and domain with out of bounds characters (https://osv.dev/GHSA-pxg6-pf52-xh8x)
  cookie@0.1.3 has the following known vulnerabilities:
    GHSA-pxg6-pf52-xh8x: cookie accepts cookie name, path, and domain with out of bounds characters (https://osv.dev/GHSA-pxg6-pf52-xh8x)
  cookie@0.4.0 has the following known vulnerabilities:
    GHSA-pxg6-pf52-xh8x: cookie accepts cookie name, path, and domain with out of bounds characters (https://osv.dev/GHSA-pxg6-pf52-xh8x)
  cookie@0.4.1 has the following known vulnerabilities:
    GHSA-pxg6-pf52-xh8x: cookie accepts cookie name, path, and domain with out of bounds characters (https://osv.dev/GHSA-pxg6-pf52-xh8x)
  cookie@0.4.2 has the following known vulnerabilities:
    GHSA-pxg6-pf52-xh8x: cookie accepts cookie name, path, and domain with out of bounds characters (https://osv.dev/GHSA-pxg6-pf52-xh8x)
  cookie@0.5.0 has the following known vulnerabilities:
    GHSA-pxg6-pf52-xh8x: cookie accepts cookie name, path, and domain with out of bounds characters (https://osv.dev/GHSA-pxg6-pf52-xh8x)

Note: 0.5.0 is found but not 0.5.1

Relevant part of the SBOM:

  {
   "SPDXID": "SPDXRef-51df944f1ebfce53",
   "name": "@types/cookie",
   "licenseConcluded": "MIT",
   "downloadLocation": "https://github.com/DefinitelyTyped/DefinitelyTyped.git",
   "externalRefs": [
    {
     "referenceCategory": "SECURITY",
     "referenceLocator": "cpe:2.3:a:\\@types\\/cookie:\\@types\\/cookie:0.5.1:*:*:*:*:*:*:*",
     "referenceType": "cpe23Type"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceLocator": "cpe:2.3:a:*:\\@types\\/cookie:0.5.1:*:*:*:*:*:*:*",
     "referenceType": "cpe23Type"
    },
    {
     "referenceCategory": "PACKAGE_MANAGER",
     "referenceLocator": "pkg:npm/%40types/cookie@0.5.1",
     "referenceType": "purl"
    }
   ]
  }

G-Rath commented 3 weeks ago

You don't have a dependency on cookie@0.5.1, you've got a dependency on @types/cookie@0.5.1 which is a different package (specifically, it's the TypeScript types for the cookie package, provided by DefinitelyTyped): https://www.npmjs.com/package/@types/cookie
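
To make the distinction concrete, here is an added example (not osv-scanner's own code) that parses the purl from an SPDX externalRefs entry and checks whether it names the package an advisory is filed against: pkg:npm/%40types/cookie@0.5.1 decodes to the scoped package @types/cookie, which is a different package from cookie. The SBOM entries are constructed from the fragment above; advisory version-range matching is out of scope here.

```python
import json
from urllib.parse import unquote

# Constructed sample (not the full SBOM from the issue): the @types/cookie entry
# trimmed to its CPE and purl refs, plus a plain cookie@0.5.0 entry for contrast.
SPDX_PACKAGES = json.loads(r"""[
 {"name": "@types/cookie", "externalRefs": [
   {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
    "referenceLocator": "cpe:2.3:a:*:\\@types\\/cookie:0.5.1:*:*:*:*:*:*:*"},
   {"referenceCategory": "PACKAGE_MANAGER", "referenceType": "purl",
    "referenceLocator": "pkg:npm/%40types/cookie@0.5.1"}]},
 {"name": "cookie", "externalRefs": [
   {"referenceCategory": "PACKAGE_MANAGER", "referenceType": "purl",
    "referenceLocator": "pkg:npm/cookie@0.5.0"}]}
]""")

def parse_purl(purl: str) -> tuple:
    """Split pkg:<type>/[<namespace>/]<name>@<version> into (type, name, version).
    Segments are percent-decoded: %40types is the npm scope "@types", and the
    scoped name "@types/cookie" is one package, distinct from "cookie"."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]  # drop qualifiers and subpath
    ptype, _, path = body.partition("/")
    version = ""
    if "@" in path:  # a scope's own "@" is encoded as %40, so a literal "@" starts the version
        path, _, version = path.rpartition("@")
    name = "/".join(unquote(seg) for seg in path.split("/"))
    return ptype, name, version

def purl_of(spdx_pkg: dict) -> str:
    """Return the purl locator of an SPDX package ("" if it has none)."""
    for ref in spdx_pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"]
    return ""

def matches_advisory(spdx_pkg: dict, ecosystem: str, name: str) -> bool:
    """True only if the purl names exactly this ecosystem/package; affected
    version ranges are not checked here and would be compared separately."""
    purl = purl_of(spdx_pkg)
    if not purl:
        return False
    ptype, pname, _ = parse_purl(purl)
    return ptype == ecosystem and pname == name

if __name__ == "__main__":
    for pkg in SPDX_PACKAGES:
        print(purl_of(pkg), "->", parse_purl(purl_of(pkg)),
              "| npm/cookie advisory applies:", matches_advisory(pkg, "npm", "cookie"))
```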

mlieberman85 commented 3 weeks ago

Oops, my bad. Thanks! I'll close this.

G-Rath commented 3 weeks ago

No worries, better safe than sorry ay!