jQAssistant / jqassistant

Your Software. Your Structures. Your Rules.
https://jqassistant.org/
GNU General Public License v3.0

Many alerts from OWASP dependency checker #413

Open lathspell opened 3 years ago

lathspell commented 3 years ago

Bug Description

I use the OWASP Dependency Check Gradle Plugin (org.owasp.dependencycheck:6.2.2, https://owasp.org/www-project-dependency-check/) to scan all my dependencies for known security issues.

Usually it reports none, but after applying the following ones in version 1.10.0,

com.buschmais.jqassistant.cli:jqassistant-commandline-neo4jv3
com.buschmais.jqassistant.plugin:common
com.buschmais.jqassistant.plugin:java
com.buschmais.jqassistant.plugin:junit

I get a ton of security issues reported:

asciidoctorj-diagram-2.1.2.jar: batik-all-1.13.jar (cpe:2.3:a:apache:batik:1.13:*:*:*:*:*:*:*) : CVE-2020-11987
commons-beanutils-1.9.3.jar (pkg:maven/commons-beanutils/commons-beanutils@1.9.3, cpe:2.3:a:apache:commons_beanutils:1.9.3:*:*:*:*:*:*:*) : CVE-2019-10086
commons-io-2.6.jar (pkg:maven/commons-io/commons-io@2.6, cpe:2.3:a:apache:commons_io:2.6:*:*:*:*:*:*:*) : CVE-2021-29425
dirgra-0.3.jar (pkg:maven/org.jruby/dirgra@0.3, cpe:2.3:a:jruby:jruby:0.3:*:*:*:*:*:*:*) : CVE-2010-1330, CVE-2011-4838
guava-28.1-jre.jar (pkg:maven/com.google.guava/guava@28.1-jre, cpe:2.3:a:google:guava:28.1:*:*:*:*:*:*:*) : CVE-2020-8908
jruby-stdlib-9.2.17.0.jar: bcprov-jdk15on-1.65.jar (cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.65:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.65:*:*:*:*:*:*:*) : CVE-2020-28052
jruby-stdlib-9.2.17.0.jar: jopenssl.jar/META-INF/maven/rubygems/jruby-openssl/pom.xml (pkg:maven/rubygems/jruby-openssl@0.10.5, cpe:2.3:a:jruby:jruby:0.10.5:*:*:*:*:*:*:*, cpe:2.3:a:openssl:openssl:0.10.5:*:*:*:*:*:*:*) : CVE-2009-1387, CVE-2010-1330, CVE-2010-4252, CVE-2010-5298, CVE-2011-1945, CVE-2011-4108, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, CVE-2011-4838, CVE-2012-0027, CVE-2013-6449, CVE-2014-0076, CVE-2015-4000, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176, CVE-2016-7056
jruby-stdlib-9.2.17.0.jar: readline.jar/META-INF/maven/rubygems/jruby-readline/pom.xml (pkg:maven/rubygems/jruby-readline@1.3.7, cpe:2.3:a:jruby:jruby:1.3.7:*:*:*:*:*:*:*) : CVE-2010-1330, CVE-2011-4838
neo4j-browser-4.2.5.jar: app-b776cfaa3af4c1e870e9.js (pkg:javascript/bootstrap@3.3.7) : CVE-2018-14040, CVE-2018-14041, CVE-2018-14042, CVE-2019-8331
tika-core-1.22.jar (pkg:maven/org.apache.tika/tika-core@1.22, cpe:2.3:a:apache:tika:1.22:*:*:*:*:*:*:*) : CVE-2020-1950, CVE-2020-1951, CVE-2021-28657

I don't know if false positives are among them, but maybe you care enough to check the dependency tree for old versions.

Expected Behaviour

No reported CVE

Your Environment

How can we reproduce the bug?

Add this and then run ./gradlew dependencyCheckAnalyze

plugins {
    id 'org.owasp.dependencycheck' version '6.2.2'
}
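
As a triage aid for a findings list like the one above (an added example, not code from the issue, from jQAssistant or from dependency-check): it parses the summary lines dependency-check printed and flags findings whose matched CPE product does not name the same project as the artifact's package URL, the usual cause of CPE-based false positives; the sample lines are copied from the list above.

```python
import re

# Constructed sample: four summary lines copied from the findings list in the issue above.
SAMPLE_REPORT = """\
asciidoctorj-diagram-2.1.2.jar: batik-all-1.13.jar (cpe:2.3:a:apache:batik:1.13:*:*:*:*:*:*:*) : CVE-2020-11987
commons-io-2.6.jar (pkg:maven/commons-io/commons-io@2.6, cpe:2.3:a:apache:commons_io:2.6:*:*:*:*:*:*:*) : CVE-2021-29425
dirgra-0.3.jar (pkg:maven/org.jruby/dirgra@0.3, cpe:2.3:a:jruby:jruby:0.3:*:*:*:*:*:*:*) : CVE-2010-1330, CVE-2011-4838
jruby-stdlib-9.2.17.0.jar: jopenssl.jar/META-INF/maven/rubygems/jruby-openssl/pom.xml (pkg:maven/rubygems/jruby-openssl@0.10.5, cpe:2.3:a:jruby:jruby:0.10.5:*:*:*:*:*:*:*, cpe:2.3:a:openssl:openssl:0.10.5:*:*:*:*:*:*:*) : CVE-2009-1387, CVE-2010-1330
"""

LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<ids>[^)]*)\) : (?P<cves>.+)$")
PURL_RE = re.compile(r"^pkg:[^/]+/(?:[^/@]+/)?(?P<name>[^@]+)@(?P<version>\S+)$")
CPE_RE = re.compile(r"^cpe:2\.3:a:(?P<vendor>[^:]+):(?P<product>[^:]+):(?P<version>[^:]+):")

def parse_line(line):
    """Split one summary line into path, package URL name, matched CPEs and CVEs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ids = [s.strip() for s in m.group("ids").split(",")]
    purl = next((PURL_RE.match(i) for i in ids if i.startswith("pkg:")), None)
    cpes = [CPE_RE.match(i) for i in ids if i.startswith("cpe:")]
    return {
        "path": m.group("path"),
        "purl_name": purl.group("name") if purl else None,
        "cpes": [(c.group("vendor"), c.group("product"), c.group("version")) for c in cpes if c],
        "cves": [c.strip() for c in m.group("cves").split(",")],
    }

def classify(finding):
    """'match': every matched CPE product equals the purl name ('_' read as '-');
    'no-purl': nested jar identified by CPE only, check it by hand;
    'review': the CPE names a different project, so verify before accepting the CVEs."""
    name = finding["purl_name"]
    if name is None:
        return "no-purl"
    if all(p.lower().replace("_", "-") == name.lower() for _, p, _ in finding["cpes"]):
        return "match"
    return "review"

def triage(report_text):
    """Map each finding path to its status and count distinct CVEs per status."""
    statuses, cves = {}, {}
    for line in report_text.splitlines():
        f = parse_line(line)
        if f:
            statuses[f["path"]] = classify(f)
            cves.setdefault(statuses[f["path"]], set()).update(f["cves"])
    return statuses, {s: len(v) for s, v in cves.items()}
```

Findings classed as "review" are candidates for a dependency-check suppression entry once the mismatch is confirmed; "match" findings are the ones that need an actual version bump.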

murdos commented 4 months ago

I think that configuring dependabot on the various jqa repositories would help keep dependencies up to date, and limit known security issues in transitive dependencies.

DirkMahler commented 4 months ago

Two cents from my side: