jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

To fix vulnerable dependency SQLitePCLRaw.lib.e_sqlite3.2.0.4 #3645

Open Arivazhagan-s opened 3 years ago

Arivazhagan-s commented 3 years ago

Hi, we are developing a .NET Framework WPF application for Windows. In that application we have implemented AppCenter to track analytics and diagnostics. We use three packages for the AppCenter implementation:

- Microsoft.AppCenter - version 4.3.0
- Microsoft.AppCenter.Analytics - version 4.3.0
- Microsoft.AppCenter.Crashes - version 4.3.0

Some dependency packages were also installed along with the AppCenter packages, such as:

- SQLitePCLRaw.lib.e_sqlite3.2.0.5
- SQLitePCLRaw.core.2.0.5
- SQLitePCLRaw.bundle_green.2.0.5
- SQLitePCLRaw.provider.dynamic_cdec1.2.0.4

When we ran the OWASP dependency check report for vulnerabilities in our project, we got vulnerable dependencies due to these packages:

- SQLitePCLRaw.lib.e_sqlite3.v110_xp.1.1.14
- SQLitePCLRaw.lib.e_sqlite3.2.0.5

The problem occurs using version 6.3.1 of the OWASP dependency check.

These are all the CVE links from the report:

- CVE-2015-3414 - https://nvd.nist.gov/vuln/detail/CVE-2015-3414
- CVE-2015-3415 - https://nvd.nist.gov/vuln/detail/CVE-2015-3415
- CVE-2015-3416 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3416
- CVE-2015-3717 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3717
- CVE-2015-5895 - https://nvd.nist.gov/vuln/detail/CVE-2015-5895
- CVE-2015-6607 - https://nvd.nist.gov/vuln/detail/CVE-2015-6607
- CVE-2016-6153 - https://nvd.nist.gov/vuln/detail/CVE-2016-6153
- CVE-2017-10989 - https://nvd.nist.gov/vuln/detail/CVE-2017-10989
- CVE-2018-20346 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20346
- CVE-2018-20505 - https://nvd.nist.gov/vuln/detail/CVE-2018-20505
- CVE-2018-20506 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20506
- CVE-2018-8740 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8740
- CVE-2019-19645 - https://nvd.nist.gov/vuln/detail/CVE-2019-19645
- CVE-2019-19646 - https://nvd.nist.gov/vuln/detail/CVE-2019-19646
- CVE-2020-11655 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11655
- CVE-2020-11656 - https://nvd.nist.gov/vuln/detail/CVE-2020-11656
- CVE-2020-13434 - https://nvd.nist.gov/vuln/detail/CVE-2020-13434
- CVE-2020-13435 - https://nvd.nist.gov/vuln/detail/CVE-2020-13435
- CVE-2020-13630 - https://nvd.nist.gov/vuln/detail/CVE-2020-13630
- CVE-2020-13631 - https://nvd.nist.gov/vuln/detail/CVE-2020-13631
- CVE-2020-13632 - https://nvd.nist.gov/vuln/detail/CVE-2020-13632
- CVE-2020-15358 - https://nvd.nist.gov/vuln/detail/CVE-2020-15358

We logged an issue about this in SQLitePCL.raw. They suggested we use SQLitePCL.raw 2.0.5, which uses SQLite 3.35.5. OWASP suggests using a version higher than SQLite 3.8.9, but the package is still listed under the vulnerabilities even after updating to SQLitePCL.raw 2.0.5. https://github.com/ericsink/SQLitePCL.raw/issues/438#issuecomment-908019328

Based on the advice from SQLitePCL.raw, we suspect the tool (OWASP) extracts the SQLite version from the DLL file name (e_sqlite3.dll) and declares it a vulnerability after checking the CVE database, where the most recent SQLite version affected seems to be 3.32.3.

Latest update from SQLitePCL.raw: [image] https://github.com/ericsink/SQLitePCL.raw/issues/438#issuecomment-915167092

Here I am attaching the report and also the sample project we created with the same packages. Please analyze the attachments and help us confirm whether the packages are vulnerable or not.
Report: Vcheck_report.zip (https://github.com/jeremylong/DependencyCheck/files/7153850/Vcheck_report.zip)
Sample Project: https://drive.google.com/file/d/1bziQV3uxhxTOTbiOS2pFDBbsI8s0-AI5/view

jeremylong commented 3 years ago

FPs are quite common with ODC. Please see https://jeremylong.github.io/DependencyCheck/general/thereport.html

--Jeremy

On Mon, Sep 13, 2021 at 7:45 AM Arivazhagan-s wrote:
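The report documentation linked above covers reading the evidence behind a CPE match and suppressing a confirmed false positive. As an added example (not from this thread or the ODC project), this is a suppression file scoped to the single flagged package, assuming ODC's NuGet package URL form `pkg:nuget/<id>@<version>` and taking the SQLitePCL.raw maintainers' statement that 2.0.5 bundles SQLite 3.35.5 as the confirmed fact that justifies it:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppression.xml (constructed example).
     Pass it with "dependency-check --suppression dependency-check-suppression.xml"
     or the equivalent suppressionFile setting of the Maven/Gradle plugins. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      False positive: ODC identified SQLitePCLRaw.lib.e_sqlite3 as cpe:/a:sqlite:sqlite,
      so every SQLite CVE up to the last affected release (3.32.3) was reported against it.
      The native library bundled in SQLitePCLRaw.lib.e_sqlite3 2.0.5 is SQLite 3.35.5
      (ericsink/SQLitePCL.raw#438), which is above that range.
      Scope is deliberately narrow: only the 2.0.x line of this one package, and only the
      sqlite CPE. Re-check the bundled SQLite version before widening the regex on upgrade.
    ]]></notes>
    <packageUrl regex="true">^pkg:nuget/SQLitePCLRaw\.lib\.e_sqlite3@2\.0\.[0-9]+$</packageUrl>
    <cpe>cpe:/a:sqlite:sqlite</cpe>
  </suppress>
</suppressions>
```

SQLitePCLRaw.lib.e_sqlite3.v110_xp 1.1.14, the other package the report flags, is intentionally not covered: the thread does not establish which SQLite build that package bundles, so its findings need their own confirmation before anything is suppressed.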

Arivazhagan-s commented 3 years ago

@jeremylong Is there any specific way to confirm the False Positive?

mprins commented 3 years ago

Is there any specific way to confirm the False Positive?

Please: