jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

OWASP 5.2.2 has a vulnerability reported when analyzed by OWASP itself #2332

Closed Anshu2405 closed 4 years ago

Anshu2405 commented 4 years ago

OWASP 5.2.2 (and even the latest 5.2.4) has a vulnerability when analyzed by OWASP itself.

The problem occurs using version 5.2.2/5.2.4 of the maven plugin.

Added the below dependency in the project:

```xml
<dependency>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>5.2.2</version>
</dependency>
```

Command: `mvn org.owasp:dependency-check-maven:check`

As per the OWASP report:

plexus-utils-3.0.22.jar

Description:
A collection of various utility classes to ease working with strings, files, command lines, XML and more.

File Path: ..\..\.m2\repository\org\codehaus\plexus\plexus-utils\3.0.22\plexus-utils-3.0.22.jar
MD5: 2a32677a099da7c5b9b2b39c066f2cc6
SHA1: 764f26e0ab13a87c48fe55f525dfb6a133b7a92f
SHA256: 0f31c44b275f87e56d46a582ce96d03b9e2ab344cf87c4e268b34d3ad046beab
Referenced In Project/Scope: testProject:compile

Evidence
Identifiers
pkg:maven/org.codehaus.plexus/plexus-utils@3.0.22 (Confidence: High)
cpe:2.3:a:plexus-utils_project:plexus-utils:3.0.22:*:*:*:*:*:*:* (Confidence: Highest)
Published Vulnerabilities
Directory traversal in org.codehaus.plexus.util.Expand (OSSINDEX)

> org.codehaus.plexus.util.Expand does not guard against directory traversal, but such protection is generally expected from unarchiving tools.
>
> -- [github.com](https://github.com/codehaus-plexus/plexus-utils/issues/4)

Severity: 0.0

References:
OSSINDEX - Directory traversal in org.codehaus.plexus.util.Expand
Vulnerable Software & Versions (OSSINDEX):

cpe:2.3:a:org.codehaus.plexus:plexus-utils:3.0.22:*:*:*:*:*:*:*
Possible XML Injection (OSSINDEX)

> `org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment(XMLWriter, String, int, int, int)` does not check if the comment includes a `"-->"` sequence. This means that text contained in the command string could be interpreted as XML, possibly leading to XML injection issues, depending on how this method is being called.
>
> -- [github.com](https://github.com/codehaus-plexus/plexus-utils/issues/3)

Severity: 0.0

References:
OSSINDEX - Possible XML Injection
Vulnerable Software & Versions (OSSINDEX):

Analysis is reporting 2 vulnerabilities from OSSINDEX in the OWASP plugin itself. Could you please look into the issue?

Anshu2405 commented 4 years ago

Hi Jeremy ,

We could still see the same issue with v5.3.0 also.

Vulnerabilities reported:

commons-beanutils-1.9.2.jar (pkg:maven/commons-beanutils/commons-beanutils@1.9.2, cpe:2.3:a:apache:commons_beanutils:1.9.2:::::::) : CVE-2019-10086
plexus-utils-3.0.22.jar (pkg:maven/org.codehaus.plexus/plexus-utils@3.0.22, cpe:2.3:a:plexus-utils_project:plexus-utils:3.0.22:::::::) : Directory traversal in org.codehaus.plexus.util.Expand, Possible XML Injection

Logs:


Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

[INFO] Analysis Started
[INFO] Finished Archive Analyzer (4 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (1 seconds)
[ERROR] ----------------------------------------------------
[ERROR] .NET Assembly Analyzer could not be initialized and at least one 'exe' or 'dll' was scanned. The 'dotnet' executable could not be found on the path; either disable the Assembly Analyzer or configure the path dotnet core.
[ERROR] ----------------------------------------------------
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (4 seconds)
[INFO] Finished CPE Analyzer (6 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished RetireJS Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (24 seconds)
[WARNING]

One or more dependencies were identified with known vulnerabilities in TestMaven:

commons-beanutils-1.9.2.jar (pkg:maven/commons-beanutils/commons-beanutils@1.9.2, cpe:2.3:a:apache:commons_beanutils:1.9.2:::::::) : CVE-2019-10086
plexus-utils-3.0.22.jar (pkg:maven/org.codehaus.plexus/plexus-utils@3.0.22, cpe:2.3:a:plexus-utils_project:plexus-utils:3.0.22:::::::) : Directory traversal in org.codehaus.plexus.util.Expand, Possible XML Injection

See the dependency-check report for more details.


jeremylong commented 4 years ago

When I run the following I see no findings for ODC:

git clone --depth 1 https://github.com/jeremylong/DependencyCheck.git
mvn org.owasp:dependency-check-maven:5.3.0:aggregate

From the aggregate report:

dependency-check version: 5.3.0
Report Generated On: Tue, 21 Jan 2020 08:04:11 -0500
Dependencies Scanned: 106 (96 unique)
Vulnerable Dependencies: 0
Vulnerabilities Found: 0
Vulnerabilities Suppressed: 0

I am using mvn 3.6.1:

$ mvn --version
Apache Maven 3.6.1 (d66c9c0b3152b2e69ee9bac180bb8fcc8e6af555; 2019-04-04T15:00:29-04:00)
Maven home: /usr/local/Cellar/maven/3.6.1/libexec
Java version: 1.8.0_212, vendor: AdoptOpenJDK, runtime: /Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home/jre
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "10.15.2", arch: "x86_64", family: "mac"

Anshu2405 commented 4 years ago

We could reproduce the issue by following the below steps:

Step 1: Add the below dependency in a sample test maven project:

```xml
<dependency>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>5.3.0</version>
</dependency>
```

Step 2: Invoke `mvn org.owasp:dependency-check-maven:check`

jeremylong commented 4 years ago

Ah - now I understand where the confusion is. dependency-check-maven has several provided dependencies. If your base project trying to extend dependency-check-maven does not explicitly define the version it is using for these provided dependencies then Maven itself will pick the version and in some cases they may have transitive dependencies with vulnerabilities. I would suggest explicitly defining your maven api versions and using the latest version of Maven itself.

We have to use the provided scope for the core maven libraries as we don't know what version of the core libraries a specific maven build will use.
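One way to apply this advice in the consuming project (and it is the same pinning that is requested later in this thread): declare the plexus-utils version in the project's own `dependencyManagement`, so that Maven's dependency mediation no longer resolves 3.0.22 through file-management. This is an added illustration, not a snippet from the thread or from the dependency-check project; `PATCHED_VERSION` is a placeholder for a plexus-utils release in which the two OSS Index findings are fixed.

```xml
<project>
  <!-- Added example (not from the thread): pin the transitive plexus-utils version. -->
  <dependencyManagement>
    <dependencies>
      <!-- dependencyManagement applies to transitive dependencies as well, so it
           overrides the 3.0.22 that file-management would otherwise bring in. -->
      <dependency>
        <groupId>org.codehaus.plexus</groupId>
        <artifactId>plexus-utils</artifactId>
        <!-- PATCHED_VERSION is a placeholder; pick it from the plexus-utils release notes. -->
        <version>PATCHED_VERSION</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The setup from the report above: dependency-check-maven declared as a dependency. -->
    <dependency>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>5.3.0</version>
    </dependency>
  </dependencies>
</project>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=org.codehaus.plexus:plexus-utils` before re-running the check goal; no 3.0.22 entry should remain in the tree.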

Anshu2405 commented 4 years ago

@jeremylong

As mentioned in the other thread https://github.com/jeremylong/DependencyCheck/issues/2449, I could see the vulnerability in commons-beanutils-1.9.2.jar has been addressed.

The same issue is happening with the plexus-utils jar as well. The direct vulnerability is fixed, but the vulnerability is still reported from the below file-management dependency.

```
[INFO] +- org.apache.maven.shared:file-management:jar:3.0.0:compile
[INFO] |  ...
[INFO] |  \- org.codehaus.plexus:plexus-utils:jar:3.0.22:compile
```

Could you please define the version of plexus-utils in the maven module so that it only uses the patched version and doesn't report the vulnerability.