jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

NPM Audit Vulnerability Name changes over time so suppressions don't work #4183

Closed schdief closed 1 year ago

schdief commented 2 years ago

Describe the bug

We have multiple suppressions for vulnerabilities raised by the NPM Audit Analyzer. From time to time the same vulnerabilities show up again as new ones, so we suppress them again. Later they come back again.

So I have checked the suppression rules (generated from the HTML report) and noticed that they all have different vulnerability names although it is the same vulnerability. When I try to access information about the vulnerability with the provided link and the vulnerability name, all the old suppressions land nowhere (404), e.g.: https://www.npmjs.com/advisories/1005325

It seems to me that the vulnerability name changes over time, although the vulnerability is the same.

This is a screenshot of the HTML report:

[screenshot]

This is the list of suppressions for one of the vulnerabilities:

```xml
<suppress>
   <notes><![CDATA[
   file name: handlebars:4.7.6
   ]]></notes>
   <packageUrl regex="true">^pkg:npm/handlebars@.*$</packageUrl>
   <vulnerabilityName>1005325</vulnerabilityName>
</suppress>
<suppress>
   <notes><![CDATA[
   file name: handlebars:4.7.6
   ]]></notes>
   <packageUrl regex="true">^pkg:npm/handlebars@.*$</packageUrl>
   <vulnerabilityName>1038957</vulnerabilityName>
</suppress>
<suppress>
   <notes><![CDATA[
   file name: handlebars:4.7.6
   ]]></notes>
   <packageUrl regex="true">^pkg:npm/handlebars@.*$</packageUrl>
   <vulnerabilityName>1039128</vulnerabilityName>
</suppress>
<suppress>
   <notes><![CDATA[
   file name: handlebars:4.7.6
   ]]></notes>
   <packageUrl regex="true">^pkg:npm/handlebars@.*$</packageUrl>
   <vulnerabilityName>1059880</vulnerabilityName>
</suppress>
<suppress>
   <notes><![CDATA[
   file name: handlebars:4.7.6
   ]]></notes>
   <packageUrl regex="true">^pkg:npm/handlebars@.*$</packageUrl>
   <vulnerabilityName>1060051</vulnerabilityName>
</suppress>
<suppress>
   <notes><![CDATA[
   file name: handlebars:4.7.6
   ]]></notes>
   <packageUrl regex="true">^pkg:npm/handlebars@.*$</packageUrl>
   <vulnerabilityName>1062507</vulnerabilityName>
</suppress>
<suppress>
   <notes><![CDATA[
   file name: handlebars:4.7.6
   ]]></notes>
   <packageUrl regex="true">^pkg:npm/handlebars@.*$</packageUrl>
   <vulnerabilityName>1062678</vulnerabilityName>
</suppress>
```

Version of dependency-check used

Docker image with CLI dependency-check version: 7.0.0 sha256:d465e5210743ceb82da30465db7af926912798c4a45a972c0f884eff5d783007

Log file

[2022-03-11T10:16:29.790Z] + /usr/share/dependency-check/bin/dependency-check.sh '--failOnCVSS=7' '--cveUrlModified=https://artifactory.*.com/artifactory/nvd-local/nvdcve-1.1-modified.json.gz' '--cveUrlBase=https://artifactory.*.com/artifactory/nvd-local/nvdcve-1.1-%d.json.gz' '--retireJsUrl=https://artifactory.*.com/artifactory/nvd/jsrepository.json' --nodePackageSkipDevDependencies --suppression odc_suppression.xml --proxyserver b2b-http.*.com --proxyport 8080 --nonProxyHosts '*.*.com' -f JSON -f HTML -s .


To Reproduce

Steps to reproduce the behavior:

  1. add handlebars 4.6 to your package.json
  2. perform a scan and find the critical CVE via npm audit
  3. add the suppression suggestions from the HTML report
  4. perform a few scans / wait some time; voilà, it is listed again as a new vulnerability with a different vulnerability name

Expected behavior

Vulnerability names shouldn't change over time, so a suppression will work forever.

Additional context

aikebah commented 2 years ago

Sounds to me more like NPM is unstable in its advisories (as you mention that even the advisory link doesn't work anymore). If so... there's nothing we can do on it. Essentially DependencyCheck just reports what the npm audit advisory reports.

tstibbs commented 2 years ago

I'm also seeing some weirdness that would be explained by this issue. Edit: also reported against npm cli: https://github.com/npm/cli/issues/4550

As for "there's nothing we can do": npm audit does give the GitHub advisory id and the associated CVEs, so suppressions could potentially be based off that? Given that npm is now owned by GitHub and the advisory databases have been merged, I'd assume that every npm advisory has exactly one GitHub advisory associated with it (though I have to say I'd prefer to suppress based on CVE rather than GitHub advisory id if at all possible).

schdief commented 2 years ago

@aikebah I agree that the problem originates at NPM Audit, but you could provide another way to suppress its vulnerabilities, like @tstibbs suggested: instead of basing it on the advisory id you could use the CVE. If this is not feasible, I would be OK with suppressing the whole package.

option 1 - use CVE:

```xml
<suppress>
   <notes><![CDATA[
   file name: handlebars:4.7.6
   ]]></notes>
   <packageUrl regex="true">^pkg:npm/handlebars@.*$</packageUrl>
   <vulnerabilityName>CVE-2021-23383</vulnerabilityName>
</suppress>
```

option 2 - use package:

```xml
<suppress>
   <notes><![CDATA[
   file name: handlebars:4.7.6
   ]]></notes>
   <packageUrl regex="true">^pkg:npm/handlebars@.*$</packageUrl>
</suppress>
```

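
The three kinds of rule in this thread (the advisory-number suppressions from the original report, option 1 keyed to a CVE, option 2 keyed to the package only) differ in how long they keep working. The script below is an added example, not part of this issue or of dependency-check itself: it parses a suppression file, grades each rule as fragile (bare npm advisory number), stable (CVE or GHSA id) or broad (no vulnerabilityName, so every finding for the package is hidden), and checks which findings a rule would hide. It assumes the matching semantics it implements (packageUrl with regex="true" matched as a regular expression, otherwise compared exactly; vulnerabilityName compared exactly) and uses a constructed sample file without the real schema's xmlns, so tags are compared by local name.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the suppressions quoted in this issue (no xmlns).
SAMPLE = """<suppressions>
  <suppress>
    <packageUrl regex="true">^pkg:npm/handlebars@.*$</packageUrl>
    <vulnerabilityName>1005325</vulnerabilityName>
  </suppress>
  <suppress>
    <packageUrl regex="true">^pkg:npm/handlebars@.*$</packageUrl>
    <vulnerabilityName>CVE-2021-23383</vulnerabilityName>
  </suppress>
  <suppress>
    <packageUrl regex="true">^pkg:npm/handlebars@.*$</packageUrl>
  </suppress>
</suppressions>"""

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
GHSA_RE = re.compile(r"^GHSA(-[a-z0-9]{4}){3}$")  # assumed GHSA id shape


def _local(tag):  # strip a {namespace} prefix so namespaced files parse too
    return tag.rsplit("}", 1)[-1]


def parse_suppressions(xml_text):
    """Parse every <suppress> into a dict and grade how durable its key is."""
    rules = []
    for sup in ET.fromstring(xml_text).iter():
        if _local(sup.tag) != "suppress":
            continue
        kids = {_local(c.tag): c for c in sup}
        purl = kids.get("packageUrl")
        vname = kids.get("vulnerabilityName")
        name = vname.text.strip() if vname is not None else None
        if name is None:
            verdict = "broad"    # hides every finding for the package
        elif CVE_RE.match(name) or GHSA_RE.match(name):
            verdict = "stable"   # CVE/GHSA ids are not renumbered
        elif name.isdigit():
            verdict = "fragile"  # bare npm advisory number, as in this issue
        else:
            verdict = "unknown"
        rules.append({"packageUrl": purl.text.strip() if purl is not None else None,
                      "packageUrlRegex": purl is not None and purl.get("regex") == "true",
                      "vulnerabilityName": name, "verdict": verdict})
    return rules


def rule_matches(rule, purl, vuln_names):
    """True if the rule would hide a finding with this purl and these names (assumed semantics)."""
    ok = re.match(rule["packageUrl"], purl) if rule["packageUrlRegex"] else rule["packageUrl"] == purl
    if not ok:
        return False
    return rule["vulnerabilityName"] is None or rule["vulnerabilityName"] in vuln_names
```

Run it over a real odc_suppression.xml and any rule graded "fragile" is one that will stop matching as soon as npm renumbers the advisory.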
A-Fitz-Nelnet commented 1 year ago

Is this resolved by PR #5546?

aikebah commented 1 year ago

@A-Fitz-Nelnet yes, that should resolve it indeed. Sounds like I somehow overlooked it in tagging the various related issues.