Describe the bug
The vulnerability ID for the google protobuf nuget package is not correctly determined.

Version of dependency-check used
The problem occurs using version 6.5.0 of the cli.

Log file
n/a

To Reproduce
Steps to reproduce the behavior:
1. Copy the downloaded file google.protobuf.3.19.1.nupkg to a separate folder, e.g. named test
2. Call the cli: dependency-check/bin/dependency-check.sh --scan test
3. Open the generated report file dependency-check-report.html in a web browser
4. Click on "Showing Vulnerable Dependencies (click to show all)".
5. The column "Vulnerability IDs" for the dependency "Google.Protobuf:3.19.1" is empty --> NOT OK

Expected behavior
The column "Vulnerability IDs" for the dependency "Google.Protobuf:3.19.1" should have shown: cpe:2.3:a:google:protobuf:3.19.1:*:*:*:*:*:*:*

Additional context
The problem seems to be that the google protobuf library is detected as ecosystem "native", while the nuget package is ecosystem "dotnet". The classification as native seems to come from https://nvd.nist.gov/vuln/detail/CVE-2015-5237. The description of this CVE contains the words "buffer overflow", which leads to classification as "native". If I comment out BUFFER_OVERFLOW and BUFFER_OVERFLOWS in DescriptionKeywordHint.java, the detection works as expected (after deleting and re-importing the CPEs).

Maybe it would be helpful to have an option to either disable consideration of ecosystems at all (which would of course lead to more false positives) or to ignore the ecosystem detection for certain configured ecosystems.

The google protobuf lib obviously exists in many ecosystems. In other cases a lib may be a "bridge" providing an interface between an ecosystem like dotnet, python or java and a native implementation. So the "native" ecosystem may play a special role, and it could be helpful to consider this specific property.
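The false negative described above, modelled as an added example that is not dependency-check's own code: a CPE inherits an ecosystem hint from keywords in its CVE descriptions, and a dependency only receives the CPE when the ecosystems agree. The keyword list, the sample CVE description text and the `native_is_shared` option are constructed for illustration; only the CVE id, the CPE and the package details come from the report.

```python
# Simplified model of the ecosystem filter described in the report (constructed,
# not dependency-check's own code). Names and sample descriptions are made up.

# Keyword hints that mark a CPE as "native" (stands in for BUFFER_OVERFLOW and
# BUFFER_OVERFLOWS in DescriptionKeywordHint.java; the real list is longer).
NATIVE_KEYWORDS = ("buffer overflow", "buffer overflows")

# Constructed stand-in for the NVD data behind google:protobuf. Only the
# CVE id comes from the report; the description wording is invented.
CVE_DESCRIPTIONS = {
    ("google", "protobuf"): {
        "CVE-2015-5237": "heap-based buffer overflow in protobuf when parsing "
                         "oversized messages (constructed text)",
    },
}

CPE = "cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*"


def ecosystem_hint(descriptions, keywords=NATIVE_KEYWORDS):
    """Return 'native' if any CVE description contains a native-code keyword."""
    text = " ".join(descriptions).lower()
    return "native" if any(k in text for k in keywords) else None


def vulnerability_ids(dependency, keywords=NATIVE_KEYWORDS, native_is_shared=False):
    """CPE ids assigned to a dependency dict with vendor/product/version/ecosystem.

    native_is_shared models the suggestion in the report: a CPE hinted as
    "native" may still be the same library shipped via nuget, pip or maven.
    """
    key = (dependency["vendor"], dependency["product"])
    hint = ecosystem_hint(CVE_DESCRIPTIONS.get(key, {}).values(), keywords)
    compatible = (hint is None or hint == dependency["ecosystem"]
                  or (native_is_shared and hint == "native"))
    # str.format ignores the extra 'ecosystem' key in the dependency dict.
    return [CPE.format(**dependency)] if compatible else []


# The package from the report, as classified by the nuget analyzer.
PROTOBUF_NUGET = {"vendor": "google", "product": "protobuf",
                  "version": "3.19.1", "ecosystem": "dotnet"}

if __name__ == "__main__":
    print("default:", vulnerability_ids(PROTOBUF_NUGET))              # [] -> the bug
    print("keywords removed:", vulnerability_ids(PROTOBUF_NUGET, keywords=()))
    print("native shared:", vulnerability_ids(PROTOBUF_NUGET, native_is_shared=True))
```

The first call reproduces the empty "Vulnerability IDs" column; the other two correspond to commenting out the keywords and to treating "native" as compatible with every ecosystem.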