jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Getting false positives due to scanner taking wildcard in dependency version #3757

Open gosusnkr opened 2 years ago

gosusnkr commented 2 years ago

I ran into some difficulty with the scanner when I tried to run a scan with 6.0.5. When I scanned with 6.0.5 I got the result below:

| Dependency | Vulnerability IDs | Package | Highest Severity | CVE Count | Confidence | Evidence Count |
| --- | --- | --- | --- | --- | --- | --- |
| DevExpress.Pdf.v21.1.Core.resources.dll | cpe:2.3:a:devexpress:devexpress:21.1:*:*:*:*:*:*:* cpe:2.3:a:express:express:21.1:*:*:*:*:*:*:* |   | CRITICAL | 1 | High | 4 |

When my vendor scanned the same package with version 6.4.1, he didn't receive any results.

| Dependency | Vulnerability IDs | Package | Highest Severity | CVE Count | Confidence | Evidence Count |
| --- | --- | --- | --- | --- | --- | --- |
| DevExpress.Pdf.v21.1.Core.resources.dll | cpe:2.3:a:devexpress:devexpress:21.1.6.0:*:*:*:*:*:*:* | pkg:generic/DevExpress.Pdf.v21.1.Core.resources@21.1.6.0 |   | 0 | Low | 10 |

I thought this might be because, in my scan, the scanner used wildcards in the package version and was an older version of the scanner, so I downloaded the new scanner, version 6.4.1, but I still got the result with wildcards in the package version.

I didn't find any solution for how to teach my scanner to take the exact version from the package. Please advise.

aikebah commented 2 years ago

"Well, 6.0.5 is a very dated version; likely the improvements in the newer releases improved version detection, so your solution would be to update to a maintained version of DependencyCheck."

Edit: I only later spotted that you indicate you tried running with 6.4.1 but got the same result.

My gut feeling (I have no experience with the .NET assembly analysis part) is that a difference in locally available .NET tooling may be the root cause of the difference.

gosusnkr commented 2 years ago

I have downloaded the latest version. Still, I'm getting wildcards on my report. When my colleague did it, he was getting exact versions.

aikebah commented 2 years ago

You don't get wildcards; you get a shortened version number detected that does not reflect the exact patch level (assuming that you and your colleague do get/resolve the exact same version of the DevExpress DLL).

While I don't know the full details, I do know that underneath it's using the .NET Core libraries (https://jeremylong.github.io/DependencyCheck/analyzers/assembly-analyzer.html). Are you and your colleague 100% in sync in .NET version installed on your system?

aikebah commented 2 years ago

Of course also check that you and your colleague are indeed fully in sync (e.g. same sha256 hash value for the file) on the DevExpress DLL.

jeremylong commented 2 years ago

To me - it looks like you and your colleague have different versions of the DLL.
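The two checks suggested in the replies above (does each machine hold the same DLL, and is the difference a truncated version or an extra vendor:product match) can be run mechanically against the JSON reports that both machines produce, instead of reading the HTML by eye. The script below is an added example written for this page; it is not part of DependencyCheck and not code from the thread participants. The two embedded reports are constructed for the example: their key names follow the layout of the dependency-check JSON report (`dependencies[].fileName`, `sha256`, `vulnerabilityIds[].id`, `packages[].id`) and their sha256 values are made up, not taken from a real scan. Point it at two real report files to compare your own runs.

```python
"""Compare two dependency-check JSON reports of the same artifact.

Flags, per dependency: (1) a different sha256, i.e. the two machines did
not scan the same file; (2) a vendor:product CPE that only one report
matched (the express:express hit in the thread); (3) a version that one
report detected only at truncated precision (21.1 vs 21.1.6.0).
"""
import json
import re
import sys

# Constructed sample reports for this example (not real scan output). Key
# names follow the layout of dependency-check's JSON report; hashes are made up.
REPORT_A = {
    "dependencies": [{
        "fileName": "DevExpress.Pdf.v21.1.Core.resources.dll",
        "sha256": "1111111111111111111111111111111111111111111111111111111111111111",
        "vulnerabilityIds": [
            {"id": "cpe:2.3:a:devexpress:devexpress:21.1:*:*:*:*:*:*:*", "confidence": "HIGH"},
            {"id": "cpe:2.3:a:express:express:21.1:*:*:*:*:*:*:*", "confidence": "HIGH"},
        ],
        "packages": [],
    }]
}
REPORT_B = {
    "dependencies": [{
        "fileName": "DevExpress.Pdf.v21.1.Core.resources.dll",
        "sha256": "2222222222222222222222222222222222222222222222222222222222222222",
        "vulnerabilityIds": [
            {"id": "cpe:2.3:a:devexpress:devexpress:21.1.6.0:*:*:*:*:*:*:*", "confidence": "HIGHEST"},
        ],
        "packages": [{"id": "pkg:generic/DevExpress.Pdf.v21.1.Core.resources@21.1.6.0", "confidence": "HIGH"}],
    }]
}

# CPE 2.3 formatted string: cpe:2.3:<part>:<vendor>:<product>:<version>:...
CPE23 = re.compile(r"^cpe:2\.3:[aho]:(?P<vendor>[^:]*):(?P<product>[^:]*):(?P<version>[^:]*):")


def parse_cpe(cpe):
    """Return (vendor, product, version) from a CPE 2.3 string."""
    m = CPE23.match(cpe)
    if not m:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return m.group("vendor"), m.group("product"), m.group("version")


def index_report(report):
    """Map fileName -> (sha256, {(vendor, product): version})."""
    out = {}
    for dep in report.get("dependencies", []):
        matches = {}
        for vid in dep.get("vulnerabilityIds", []):
            vendor, product, version = parse_cpe(vid["id"])
            matches[(vendor, product)] = version
        out[dep["fileName"]] = (dep.get("sha256"), matches)
    return out


def is_truncation(short, long):
    """True when `short` is a strict prefix of `long` at a dot boundary (21.1 -> 21.1.6.0)."""
    return short != long and long.startswith(short + ".")


def compare_reports(report_a, report_b):
    """Return human-readable findings for every dependency present in both reports."""
    a, b = index_report(report_a), index_report(report_b)
    findings = []
    for name in sorted(set(a) & set(b)):
        sha_a, cpes_a = a[name]
        sha_b, cpes_b = b[name]
        if sha_a != sha_b:
            findings.append(f"{name}: sha256 differs (A={str(sha_a)[:12]}..., B={str(sha_b)[:12]}...): not the same file")
        for key in sorted(set(cpes_a) | set(cpes_b)):
            vp = ":".join(key)
            if key not in cpes_b:
                findings.append(f"{name}: {vp} matched only in report A (version {cpes_a[key]})")
            elif key not in cpes_a:
                findings.append(f"{name}: {vp} matched only in report B (version {cpes_b[key]})")
            elif is_truncation(cpes_a[key], cpes_b[key]):
                findings.append(f"{name}: {vp} version truncated in A ({cpes_a[key]} vs {cpes_b[key]})")
            elif is_truncation(cpes_b[key], cpes_a[key]):
                findings.append(f"{name}: {vp} version truncated in B ({cpes_b[key]} vs {cpes_a[key]})")
            elif cpes_a[key] != cpes_b[key]:
                findings.append(f"{name}: {vp} version differs ({cpes_a[key]} vs {cpes_b[key]})")
    for name in sorted(set(a) ^ set(b)):
        findings.append(f"{name}: present in only one report")
    return findings


def main(argv):
    # Usage: python compare_reports.py report_a.json report_b.json
    # With no arguments the constructed sample reports are compared.
    if len(argv) == 3:
        with open(argv[1]) as fa, open(argv[2]) as fb:
            report_a, report_b = json.load(fa), json.load(fb)
    else:
        report_a, report_b = REPORT_A, REPORT_B
    for line in compare_reports(report_a, report_b):
        print(line)


if __name__ == "__main__":
    main(sys.argv)
```

On the sample data this reports three things: the sha256 values differ (so the two machines did not scan the same bytes, which is jeremylong's reading), the devexpress:devexpress version was detected only as 21.1 in report A, and express:express matched only in report A. Only the first finding needs to be true for the other two to be explained by a different DLL rather than by the analyzer.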