jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/

False Positive on glob-parent@5.1.2 #3621

Open aarongoldenthal opened 2 years ago

aarongoldenthal commented 2 years ago

False positive: the npm package glob-parent@5.1.2 (pkg:npm/glob-parent@5.1.2) is incorrectly matched against the vulnerable-software entry cpe:2.3:a:*:glob-parent:\\<5.1.2, a version range ("before 5.1.2") that 5.1.2 itself does not fall in.

    {
      "isVirtual": true,
      "fileName": "glob-parent:5.1.2",
      "filePath": "\/app\/package-lock.json?glob-parent",
      "projectReferences": [
        "pa11y-ci-reporter-html: transitive"
      ],
      "evidenceCollected": {
        "vendorEvidence": [
          {
            "type": "vendor",
            "confidence": "HIGH",
            "source": "package.json",
            "name": "name",
            "value": "glob-parent"
          }
        ],
        "productEvidence": [
          {
            "type": "product",
            "confidence": "HIGHEST",
            "source": "package.json",
            "name": "name",
            "value": "glob-parent"
          }
        ],
        "versionEvidence": [
          {
            "type": "version",
            "confidence": "HIGHEST",
            "source": "package.json",
            "name": "version",
            "value": "5.1.2"
          }
        ]
      },
      "packages": [
        {
          "id": "pkg:npm\/glob-parent@5.1.2",
          "confidence": "HIGHEST",
          "url": "https:\/\/ossindex.sonatype.org\/component\/pkg:npm\/glob-parent@5.1.2?utm_source=dependency-check&utm_medium=integration&utm_content=6.3.1"
        }
      ],
      "vulnerabilities": [
        {
          "source": "NPM",
          "name": "1751",
          "unscored": "true",
          "severity": "moderate",
          "cwes": [],
          "description": "`glob-parent` before 5.1.2 has a regular expression denial of service vulnerability. The enclosure regex used to check for strings ending in enclosure containing path separator.",
          "notes": "",
          "references": [
            {
              "source": "Advisory 1751: Regular expression denial of service",
              "name": "- [CVE](https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-28469)\n- [GitHub Advisory](https:\/\/github.com\/advisories\/GHSA-ww39-953v-wcq6)\n"
            }
          ],
          "vulnerableSoftware": [
            {
              "software": {
                "id": "cpe:2.3:a:*:glob-parent:\\<5.1.2:*:*:*:*:*:*:*"
              }
            }
          ]
        }
      ]
    },
aarongoldenthal commented 2 years ago

Now reported as NPM-1002627

aarongoldenthal commented 2 years ago

And now also reported as NPM-1005154

JSON Report ```json { "isVirtual": true, "fileName": "glob-parent:5.1.2", "filePath": "\/builds\/gitlab-ci-utils\/pa11y-ci-reporter-html\/package-lock.json?glob-parent", "projectReferences": [ "pa11y-ci-reporter-html: transitive" ], "evidenceCollected": { "vendorEvidence": [ { "type": "vendor", "confidence": "HIGH", "source": "package.json", "name": "name", "value": "glob-parent" } ], "productEvidence": [ { "type": "product", "confidence": "HIGHEST", "source": "package.json", "name": "name", "value": "glob-parent" } ], "versionEvidence": [ { "type": "version", "confidence": "HIGHEST", "source": "package.json", "name": "version", "value": "5.1.2" } ] }, "packages": [ { "id": "pkg:npm\/glob-parent@5.1.2", "confidence": "HIGHEST", "url": "https:\/\/ossindex.sonatype.org\/component\/pkg:npm\/glob-parent@5.1.2?utm_source=dependency-check&utm_medium=integration&utm_content=6.5.0" } ], "vulnerabilities": [ { "source": "NPM", "name": "1005154", "unscored": "true", "severity": "high", "cwes": [], "description": "This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.", "notes": "", "references": [ { "source": "Advisory 1005154: Regular expression denial of service", "name": "- https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-28469\n- https:\/\/github.com\/gulpjs\/glob-parent\/pull\/36\n- https:\/\/github.com\/gulpjs\/glob-parent\/blob\/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474\/index.js%23L9\n- https:\/\/github.com\/gulpjs\/glob-parent\/releases\/tag\/v5.1.2\n- https:\/\/snyk.io\/vuln\/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093\n- https:\/\/snyk.io\/vuln\/SNYK-JAVA-ORGWEBJARSNPM-1059092\n- https:\/\/snyk.io\/vuln\/SNYK-JS-GLOBPARENT-1016905\n- https:\/\/github.com\/advisories\/GHSA-ww39-953v-wcq6" } ], "vulnerableSoftware": [ { "software": { "id": "cpe:2.3:a:*:glob-parent:\\<5.1.2:*:*:*:*:*:*:*" } } ] } ] }, ```
aarongoldenthal commented 2 years ago

And now also reported for glob-parent v6.0.2, which is likewise matched against cpe:2.3:a:*:glob-parent:\\<5.1.2:*:*:*:*:*:*:* even though 6.0.2 lies outside that range.

JSON Report ```json { "isVirtual": true, "fileName": "glob-parent:6.0.2", "filePath": "\/builds\/gitlab-ci-utils\/pa11y-ci-reporter-html\/package-lock.json?glob-parent", "projectReferences": [ "pa11y-ci-reporter-html: transitive" ], "evidenceCollected": { "vendorEvidence": [ { "type": "vendor", "confidence": "HIGH", "source": "package.json", "name": "name", "value": "glob-parent" } ], "productEvidence": [ { "type": "product", "confidence": "HIGHEST", "source": "package.json", "name": "name", "value": "glob-parent" } ], "versionEvidence": [ { "type": "version", "confidence": "HIGHEST", "source": "package.json", "name": "version", "value": "6.0.2" } ] }, "packages": [ { "id": "pkg:npm\/glob-parent@6.0.2", "confidence": "HIGHEST", "url": "https:\/\/ossindex.sonatype.org\/component\/pkg:npm\/glob-parent@6.0.2?utm_source=dependency-check&utm_medium=integration&utm_content=6.5.0" } ], "vulnerabilities": [ { "source": "NPM", "name": "1005154", "unscored": "true", "severity": "high", "cwes": [], "description": "This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.", "notes": "", "references": [ { "source": "Advisory 1005154: Regular expression denial of service", "name": "- https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-28469\n- https:\/\/github.com\/gulpjs\/glob-parent\/pull\/36\n- https:\/\/github.com\/gulpjs\/glob-parent\/blob\/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474\/index.js%23L9\n- https:\/\/github.com\/gulpjs\/glob-parent\/releases\/tag\/v5.1.2\n- https:\/\/snyk.io\/vuln\/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093\n- https:\/\/snyk.io\/vuln\/SNYK-JAVA-ORGWEBJARSNPM-1059092\n- https:\/\/snyk.io\/vuln\/SNYK-JS-GLOBPARENT-1016905\n- https:\/\/github.com\/advisories\/GHSA-ww39-953v-wcq6" } ], "vulnerableSoftware": [ { "software": { "id": "cpe:2.3:a:*:glob-parent:\\<5.1.2:*:*:*:*:*:*:*" } } ] } ] }, ```