Closed maxx-nomad closed 1 year ago
Thank you for the bug report. I will try and look at this one soon.
@jeremylong Any updates on this ?
This feature is useless. It didn't detect actual issues (here a major Symfony one) and mixed up package name and version. It's particularly true for Drupal modules, which trigger 14-year-old issues:
composer create-project drupal/recommended-project:9.4.10 . --stability dev --no-interaction --no-install
composer require drush/drush drupal/rest_views drupal/views_attach_library drupal/views_bulk_operations drupal/views_data_export drupal/views_field_compare drupal/leaflet_views
❯ composer audit --locked
Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package | symfony/http-kernel |
| CVE | CVE-2022-24894 |
| Title | CVE-2022-24894: Prevent storing cookie headers in HttpCache |
| URL | https://symfony.com/cve-2022-24894 |
| Affected versions | >=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.4.0|>=2.4.0,<2.5.0|>=2.5 |
| | .0,<2.6.0|>=2.6.0,<2.7.0|>=2.7.0,<2.8.0|>=2.8.0,<3.0.0|>=3.0.0,<3.1.0|>=3.1.0,<3 |
| | .2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<4.0.0|>=4.0.0,<4.1.0|>=4.1.0,<4.2.0| |
| | >=4.2.0,<4.3.0|>=4.3.0,<4.4.0|>=4.4.0,<4.4.50|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5. |
| | 2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.20|>=6.0.0,<6.0.20|>=6.1.0,<6.1.12|>=6.2. |
| | 0,<6.2.6 |
| Reported at | 2023-02-01T08:00:00+00:00 |
+-------------------+----------------------------------------------------------------------------------+
./vendor/bin/drush sec
[success] There are no outstanding security updates for Drupal projects.
docker run --rm -e user=$USER -u $(id -u ${USER}):$(id -g ${USER}) --volume dependency-check:/usr/share/dependency-check/data:z --volume $(pwd):/src:z owasp/dependency-check:latest --scan ./composer.lock --format "CSV" --project "dependency-check scan: $(pwd)" --out /src --enableExperimental
❯ sed -E 's/^.*(pkg[^,]*).*/\1/g' dependency-check-report.csv
pkg:composer/pear/pear-core-minimal@1.10.11
pkg:composer/pear/pear_exception@1.0.2
pkg:composer/drupal/rest_views@2.0.1
pkg:composer/drupal/views_attach_library@2.0.2
pkg:composer/drupal/views_bulk_operations@4.2.3
pkg:composer/drupal/views_bulk_operations@4.2.3
pkg:composer/drupal/views_data_export@1.2.0
pkg:composer/drupal/views_field_compare@1.0.0
In this example, I detect several problems:
I opened an issue on the drupal side : https://www.drupal.org/project/drupal/issues/3339743#comment-14909313
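The `composer audit` table above prints the affected versions of CVE-2022-24894 as a constraint string (`|` separates alternative branches, `,` joins bounds that must all hold), and the dependency-check CSV identifies each locked package by a `pkg:composer/...` purl. The following script, added here as an illustration and not code from the dependency-check project or from anyone in this thread, reads a constructed `composer.lock` excerpt, builds the same purls, and checks each locked version against a constructed advisory table using that constraint syntax. The `yiisoft/yii2` advisory range in the sample is hypothetical; the Symfony range is the one printed above, trimmed to three branches. Stability suffixes such as `-dev` or `-rc1` are stripped before comparison (an assumption that treats a pre-release of the first fixed version as fixed), and versions with no numeric part such as `dev-master` are reported as unmatchable rather than silently passed.

```python
"""Check locked Composer packages against advisory version ranges.

Added example (not from the dependency-check project or the issue thread).
Reimplements, in simplified form, the range check that `composer audit`
performs on constraint strings such as ">=4.4.0,<4.4.50|>=5.4.0,<5.4.20".
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed composer.lock excerpt; not the real lock file from the thread.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/http-kernel", "version": "v4.4.49"},
        {"name": "drupal/views_bulk_operations", "version": "4.2.3"},
        {"name": "yiisoft/yii2", "version": "2.0.12"},
        {"name": "acme/branch-alias", "version": "dev-master"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "9.5.0"},
    ],
})

# Constructed advisory table: package -> [(advisory id, affected ranges)].
# The Symfony range is the one `composer audit` printed, trimmed to three
# branches; the yii2 entry is a hypothetical range used only for this demo.
SAMPLE_ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "symfony/http-kernel": [
        ("CVE-2022-24894", ">=4.4.0,<4.4.50|>=5.4.0,<5.4.20|>=6.2.0,<6.2.6"),
    ],
    "yiisoft/yii2": [
        ("HYPOTHETICAL-ADVISORY", ">=2.0.0,<2.0.15"),
    ],
}

_OPS = {
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
    "==": lambda a, b: a == b,
}


def parse_version(v: str) -> Optional[Tuple[int, ...]]:
    """'v4.4.49' -> (4, 4, 49); 'dev-master' -> None (no numeric part).

    Assumption: stability suffixes (-dev, -rc1, +meta) are dropped, so
    '4.4.50-rc1' compares equal to '4.4.50'.
    """
    core = re.split(r"[-+@]", v.lstrip("vV"), maxsplit=1)[0]
    parts: List[int] = []
    for piece in core.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        return None
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_in_range(version: str, constraint: str) -> bool:
    """True if `version` satisfies any '|'-branch; each branch is ','-ANDed."""
    ver = parse_version(version)
    if ver is None:
        return False
    for branch in constraint.split("|"):
        satisfied = True
        for member in branch.split(","):
            m = re.match(r"^\s*(>=|<=|==|>|<|=)?\s*(\S+)\s*$", member)
            if not m:
                raise ValueError(f"bad constraint member: {member!r}")
            op = m.group(1) or "="
            bound = parse_version(m.group(2))
            if bound is None or not _OPS[op](ver, bound):
                satisfied = False
                break
        if satisfied:
            return True
    return False


def locked_packages(lock_json: str, include_dev: bool = True) -> Dict[str, str]:
    """Map package name -> locked version from a composer.lock document."""
    data = json.loads(lock_json)
    sections = ["packages"] + (["packages-dev"] if include_dev else [])
    return {p["name"]: p["version"] for s in sections for p in data.get(s, [])}


def to_purl(name: str, version: str) -> str:
    """Build the pkg:composer purl form seen in the dependency-check CSV."""
    return f"pkg:composer/{name}@{version.lstrip('vV')}"


def audit(lock_json: str, advisories: Dict[str, List[Tuple[str, str]]],
          include_dev: bool = True) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (findings as (purl, advisory id), purls that could not be compared)."""
    findings: List[Tuple[str, str]] = []
    unmatchable: List[str] = []
    for name, version in locked_packages(lock_json, include_dev).items():
        purl = to_purl(name, version)
        if parse_version(version) is None:
            unmatchable.append(purl)  # e.g. dev-master: needs a commit-based check
            continue
        for adv_id, ranges in advisories.get(name, []):
            if version_in_range(version, ranges):
                findings.append((purl, adv_id))
    return findings, unmatchable


if __name__ == "__main__":
    found, unknown = audit(SAMPLE_LOCK, SAMPLE_ADVISORIES)
    for purl, adv in found:
        print(f"{purl}: {adv}")
    for purl in unknown:
        print(f"{purl}: version not comparable, check manually")
```

The `unmatchable` list is the part a real scanner must not drop: a branch alias such as `dev-master` carries no comparable version, so a range check that silently returns "not affected" for it would hide exactly the packages most likely to be unpinned.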
@obriat CVE-2022-24894 is still awaiting analysis at the NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-24894 ODC wouldn't report on this until the vulnerability is in a published state.
ODC will identify the vulnerabilities in yii2 if the OSS Index Analyzer is enabled.
Reporting Bugs/Errors
I scan my project for vulnerable composer dependencies with DependencyCheck (Jenkins plugin or cli version) and some vulnerabilities are not detected.
Example
For example, I use yii2 (2.0.12). It has vulnerabilities: CVE-2018-7269, CVE-2018-6009, CVE-2018-6010. But I see "Vulnerable Dependencies: 0" in the report.
All databases are updated: NVD CVE 2018: 18/07/2018 17:13:51 NVD CVE Checked: 18/07/2018 17:15:33 NVD CVE Modified: 18/07/2018 16:00:56 VersionCheckOn: 1531934133930