jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Dependency check showing vulnerability in local but not in server. #3196

Open santhoshmurthybk opened 3 years ago

santhoshmurthybk commented 3 years ago


Reporting Bugs/Errors

I have installed the 6.0.3 dependency check version on my local machine and the same is installed on my build machine. When I run the dependency check locally, it shows one vulnerability, but on the build machine it doesn't show that vulnerability. Below are the report screenshots for the same.

Local Machine: IST, Windows 10 image

Server: GMT-4, Windows 2016 Server image

The database files in the data folder show that it got updated just before running the scan, but I don't see the vulnerability.

The commands I am executing before running the dependency check, and the command I am running for the dependency check scan, are as below:

```
npm install
npm prune --production
dependency-check.bat --project dwt-app --disableRetireJS --suppression dependency-check-suppressions.xml --format HTML --out dependency-check-report.html --scan .
```

santhoshmurthybk commented 3 years ago

I deleted the data folder on my server and ran the dependency check again, and I was able to get the vulnerability I found locally. Is this the behavior of the dependency check? Should I delete the data folder every time before I run the scan, or is this a bug?

mprins commented 3 years ago

Dependency check will update the data it needs from the internet once a day or more; the log that dependency check writes to the console will tell you what happened. Your screenshots are quite useless as they are illegible and only show the report, but not the tool output.

Aside from that, it would be wise to use a current release and check that you have a package lock file on your server.

santhoshmurthybk commented 3 years ago

```
D:\dwt-app>dependency-check.bat --project dwt-app --disableRetireJS --suppression dependency-check-suppressions.xml --format HTML --out dependency-check-report.html --scan .
[INFO] Checking for updates
[INFO] Download Started for NVD CVE - Modified
[INFO] Download Complete for NVD CVE - Modified (719 ms)
[INFO] Processing Started for NVD CVE - Modified
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.fasterxml.jackson.module.afterburner.util.MyClassLoader (file:/C:/Program%20Files/dependency-check/lib/jackson-module-afterburner-2.11.3.jar) to method java.lang.ClassLoader.findLoadedClass(java.lang.String)
WARNING: Please consider reporting this to the maintainers of com.fasterxml.jackson.module.afterburner.util.MyClassLoader
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
[INFO] Processing Complete for NVD CVE - Modified (10141 ms)
[INFO] Begin database maintenance
[INFO] Updated the CPE ecosystem on 111987 NVD records
[INFO] End database maintenance (32298 ms)
[INFO] Begin database defrag
[INFO] End database defrag (12594 ms)
[INFO] Check for updates complete (57065 ms)
[INFO]

Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user's risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

[INFO] Analysis Started
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[WARN] Unable to find node module: D:\HCINT-10353\dwt-app\node_modules\zip-stream\node_modules\string_decoder\package.json
[WARN] Unable to find node module: D:\dwt-app\node_modules\zip-stream\package.json
[INFO] Finished Node.js Package Analyzer (6 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (5 seconds)
[INFO] Finished CPE Analyzer (12 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Node Audit Analyzer (85 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (33 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (1 seconds)
[INFO] Finished Dependency Bundling Analyzer (1 seconds)
[INFO] Analysis Complete (144 seconds)
```

Above is the console output. It still shows that the database is updated and that the server is connected to the internet. The warnings about being unable to find certain modules are because I am running `prune --production`, which removes my dev dependencies from node_modules, so you can ignore those.

I had taken a backup of the data folder before deleting it (as I stated in the earlier comment); this log is from a run with the backup folder, and I still don't see the vulnerability that I see locally.

Data folder: image

Report: image

In the above screenshots, it shows that the database file odc.mv was updated at 7:16 AM, so that means the database is updated, correct? But then why do I still not see the vulnerability in the report that I see when I run it on my local machine?

Grimoren commented 3 years ago

I am experiencing something similar with version 6.1.2. Mine uses Jenkins and commits the report to gh-pages branch on GitHub.

santhoshmurthybk commented 3 years ago

Any update on this?

chschu commented 3 years ago

I ran into a similar issue, and it appears that changes to the yearly feeds listed in https://nvd.nist.gov/vuln/data-feeds#JSON_FEED do not reliably update the cached state in H2.

For me it was CVE-2020-0822, which was (falsely) reported to affect Apache Tomcat 9.0.52 between 2021-09-14 and 2021-09-16. This entry is still in the H2 database now, and it is not removed by the dependencyCheckUpdate task.

Does the incremental update re-fetch the yearly feeds if they have changed?

Edit: The update seems to happen, but it seems that removed CPEs are not removed from the cache during an update: https://github.com/jeremylong/DependencyCheck/blob/762165012a5716bcb7e76123f7ff2c10bc21b041/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java#L760
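To illustrate the cache behaviour described above (a CPE mapping withdrawn from the feed surviving an incremental update), here is an added Python model that is not dependency-check's own code: an upsert-only update beside a sync that drops mappings the feed no longer carries. The feed revisions, the second CPE entry and the helper names are constructed for the demo; only the CVE id and the Tomcat 9.0.52 link come from the comment above.

```python
"""
Model of how an incremental NVD update can leave a stale CPE match in a
local cache, and of a sync that removes mappings no longer in the feed.
Added illustration, not dependency-check's own code; all feed data below
is constructed (hypothetical) for the demo.
"""
from typing import Callable, Dict, Set, Tuple

Cpe = Tuple[str, str, str]          # (vendor, product, version)
Cache = Dict[str, Set[Cpe]]         # CVE id -> CPEs the CVE is recorded against


def update_upsert_only(cache: Cache, feed: Cache) -> Cache:
    """Merge feed entries into the cache: CPEs are added but never deleted.
    This is the failure mode: a CPE withdrawn from the feed survives."""
    for cve, cpes in feed.items():
        cache.setdefault(cve, set()).update(cpes)
    return cache


def update_sync(cache: Cache, feed: Cache) -> Cache:
    """Replace each updated CVE's CPE set with the feed's current set,
    so CPEs the feed dropped are dropped from the cache as well."""
    for cve, cpes in feed.items():
        cache[cve] = set(cpes)
    return cache


def affecting_cves(cache: Cache, cpe: Cpe) -> Set[str]:
    """All CVEs the cache currently links to the given CPE."""
    return {cve for cve, cpes in cache.items() if cpe in cpes}


TOMCAT: Cpe = ("apache", "tomcat", "9.0.52")
OTHER: Cpe = ("example_vendor", "example_product", "*")   # constructed filler

# Constructed feed revisions: the first (mis)links CVE-2020-0822 to
# Tomcat 9.0.52; the corrected revision two days later no longer does.
FEED_DAY1: Cache = {"CVE-2020-0822": {TOMCAT, OTHER}}
FEED_DAY3: Cache = {"CVE-2020-0822": {OTHER}}


def run_scenario(update: Callable[[Cache, Cache], Cache]) -> Set[str]:
    """Apply both feed revisions with the given update strategy and return
    the CVEs that still match Tomcat 9.0.52 afterwards."""
    cache: Cache = {}
    update(cache, FEED_DAY1)
    update(cache, FEED_DAY3)
    return affecting_cves(cache, TOMCAT)


if __name__ == "__main__":
    print("upsert-only:", run_scenario(update_upsert_only))  # stale match remains
    print("sync:       ", run_scenario(update_sync))         # set()
```

Comparing the two strategies shows why a scan on a long-lived data directory can keep reporting a finding that a freshly built database (as in the deleted-folder experiment above) no longer produces.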