jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

False Positive on kotlinx.serialization #2748

Open IdamkinI opened 4 years ago

IdamkinI commented 4 years ago

False positive on library kotlinx-serialization-runtime-jvm-1.0-M1-1.4.0-rc.jar - reported as cpe:2.3:a:jetbrains:kotlin:1.0.m1.1.4.0:*:*:*:*:*:*:*

<!-- https://mvnrepository.com/artifact/org.jetbrains.kotlinx/kotlinx-serialization-runtime-jvm -->
<dependency>
    <groupId>org.jetbrains.kotlinx</groupId>
    <artifactId>kotlinx-serialization-runtime-jvm</artifactId>
    <version>1.0-M1-1.4.0-rc</version>
</dependency>
IdamkinI commented 4 years ago

There are similar problems for kotlinx-serialization-core-jvm-1.0.0-RC.jar - reported as cpe:2.3:a:jetbrains:kotlin:1.0.0:*:*:*:*:*:*:*

<!-- https://mvnrepository.com/artifact/org.jetbrains.kotlinx/kotlinx-serialization-core-jvm -->
<dependency>
    <groupId>org.jetbrains.kotlinx</groupId>
    <artifactId>kotlinx-serialization-core-jvm</artifactId>
    <version>1.0.0-RC</version>
</dependency>
jeremylong commented 3 years ago

ODC isn't correctly handling release candidates and milestones when the NVD is including these in the CPE. This will take a bit more to resolve than most FP reports.

IdamkinI commented 3 years ago

This also affects kotlinx-serialization-core-jvm:1.1.0 and kotlinx-serialization-json-jvm:1.1.0

knonm commented 3 years ago

It happens even when it's not an RC or milestone version. kotlinx-serialization-core-jvm-1.2.2.jar is reported as cpe:2.3:a:jetbrains:kotlin:1.2.2:*:*:*:*:*:*:*.

This false positive happened before with other kotlinx-* libs. Maybe matching any kotlinx lib to the CPE cpe:2.3:a:jetbrains:kotlin:*:*:*:*:*:*:*:* should be avoided. Related issues:

achifal commented 2 years ago

The same problem with kotlinx-datetime-jvm-0.3.1.jar
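
While this issue stays open, the practical workaround is a dependency-check suppression file that suppresses the jetbrains:kotlin CPE match only for artifacts under the org.jetbrains.kotlinx group, so the reports above (kotlinx-serialization-*, kotlinx-datetime) stop appearing without hiding real findings against kotlin-stdlib itself, which is matched as its own artifact. The file below is an added example written for this thread, not code from the issue or from the project's documentation; the file name suppressions.xml, the comment text and the choice of a group-wide regex are assumptions, and the regex should be narrowed to the specific artifacts you actually ship if you prefer a tighter scope.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- suppressions.xml: added example for OWASP dependency-check, not part of the issue thread.
     Scope the suppression by Package URL so only org.jetbrains.kotlinx artifacts lose the
     jetbrains:kotlin CPE; kotlin-stdlib and the Kotlin compiler keep their normal matching. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: kotlinx-* libraries (kotlinx-serialization-*, kotlinx-datetime, ...) are
        matched to the Kotlin compiler/stdlib CPE cpe:2.3:a:jetbrains:kotlin because the NVD
        includes RC/milestone versions in the CPE. Tracked in jeremylong/DependencyCheck#2748.
        Re-check and remove this entry once that issue is resolved.
        ]]></notes>
        <!-- regex="true": match every Maven artifact in the org.jetbrains.kotlinx group at any version -->
        <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlinx/kotlinx\-.*@.*$</packageUrl>
        <!-- suppress only this CPE, not every CPE/CVE the artifact might legitimately match -->
        <cpe>cpe:/a:jetbrains:kotlin</cpe>
    </suppress>
</suppressions>
```

Pass the file with `--suppression suppressions.xml` on the CLI (or the equivalent suppressionFiles setting of the Maven/Gradle plugins) and re-run the scan; the report's "Suppressed" section should then list the kotlinx entries while any finding on kotlin-stdlib remains visible. Keep the suppression keyed on the CPE rather than on individual CVE IDs so it also covers future Kotlin CVEs that would otherwise be mis-attributed to these artifacts, and use the `until` attribute on `<suppress>` if you want the entry to expire automatically and force a periodic review.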