jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: protobuf-java CVEs reported for gwt-servlet #4912

Open melo0187 opened 2 years ago

melo0187 commented 2 years ago

Package URL

pkg:maven/com.google.protobuf/protobuf-java@2.5.0

CPE

cpe:2.3:a:google:protobuf-java:2.5.0:*:*:*:*:*:*:*

CVE

CVE-2022-3171

ODC Integration

Gradle Plugin

ODC Version

7.1.1

Description

Quoting @tbroyer from GWT:

protocol buffer in gwt-servlet is never actually used for serialization, it's an internal dependency of sourcemaps and streaminghtmlparser (used for SafeHtml)

If I understand correctly, we should generally ignore protobuf-java related CVEs reported for gwt-servlet.

github-actions[bot] commented 2 years ago

Maven Coordinates

<dependency>
   <groupId>com.google.protobuf</groupId>
   <artifactId>protobuf-java</artifactId>
   <version>2.5.0</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #4912
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf-java@.*$</packageUrl>
   <cpe>cpe:/a:google:protobuf-java</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/3204755831

mprins commented 2 years ago

This is incorrect; protobuf-java is correctly identified and the CVE applies to this version, it is not a false positive

@melo0187 if you want to ignore this you should add it to your local suppression file

tbroyer commented 2 years ago

@melo0187 Is maybe gwt-servlet.jar misidentified as protobuf-java? (it contains META-INF/maven/com.google.protobuf/protobuf-java/pom.properties and META-INF/maven/com.google.protobuf/protobuf-java/pom.xml so I'd understand if tools misidentify it based on those files ; in which case we could fix that packaging issue in the next GWT version)

mprins commented 2 years ago

A suppression would/could be for

...
   <packageUrl regex="true">^pkg:maven/ <gwt-servlet.jar></packageUrl>
   <cpe>cpe:/a:google:protobuf-java</cpe>

so that any protobuf version in gwt-servlet.jar is ignored

melo0187 commented 2 years ago

@melo0187 Is maybe gwt-servlet.jar misidentified as protobuf-java? (it contains META-INF/maven/com.google.protobuf/protobuf-java/pom.properties and META-INF/maven/com.google.protobuf/protobuf-java/pom.xml so I'd understand if tools misidentify it based on those files

@tbroyer I think that is what is going on, based on the dependency-check output: gwt-servlet-2.8.2.jar/META-INF/maven/com.google.protobuf/protobuf-java/pom.xml (pkg:maven/com.google.protobuf/protobuf-java@2.5.0, cpe:2.3:a:google:protobuf-java:2.5.0:*:*:*:*:*:*:*) : CVE-2022-3171

If that is "just" a packaging issue, a fix in GWT itself would be the best long term solution.
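To make the misidentification mechanism concrete, here is a small added check (not code from the DependencyCheck project or from anyone in this thread) that opens a jar and lists every META-INF/maven/<groupId>/<artifactId>/pom.properties it carries, flagging entries whose coordinates differ from the jar's own. The sample jar is constructed inline and its coordinates (com.google.gwt:gwt-servlet:2.8.2 bundling protobuf-java 2.5.0 metadata) are an assumption modelled on the dependency-check output quoted above, not bytes taken from the real artifact.

```python
"""List embedded Maven metadata in a jar and flag coordinates that do not match the jar itself.

Added example, not part of the DependencyCheck project or this issue thread.
SCA tools such as dependency-check derive Maven coordinates from the
META-INF/maven/<groupId>/<artifactId>/pom.properties (and pom.xml) files inside a
jar. A jar that repackages another library's classes together with that library's
pom metadata will therefore be reported as that other library as well.
"""
import io
import re
import zipfile
from dataclasses import dataclass

# Matches META-INF/maven/<groupId>/<artifactId>/pom.properties
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


@dataclass(frozen=True)
class MavenCoords:
    group_id: str
    artifact_id: str
    version: str

    def purl(self) -> str:
        """Package URL in the form dependency-check reports."""
        return f"pkg:maven/{self.group_id}/{self.artifact_id}@{self.version}"


def parse_pom_properties(text: str) -> dict:
    """Minimal Java .properties parser: key=value lines, '#' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def embedded_coordinates(jar_bytes: bytes) -> list:
    """Return the Maven coordinates of every pom.properties found inside the jar."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = POM_PROPS.match(name)
            if not m:
                continue
            props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
            # Fall back to the directory names if the properties file is incomplete.
            found.append(MavenCoords(
                props.get("groupId", m.group(1)),
                props.get("artifactId", m.group(2)),
                props.get("version", "unknown"),
            ))
    return found


def foreign_coordinates(jar_bytes: bytes, own: MavenCoords) -> list:
    """Coordinates embedded in the jar that name a different group/artifact than the jar's own."""
    return [c for c in embedded_coordinates(jar_bytes)
            if (c.group_id, c.artifact_id) != (own.group_id, own.artifact_id)]


def build_sample_jar() -> bytes:
    """Constructed sample (an assumption, not the real gwt-servlet-2.8.2.jar):
    a gwt-servlet-like jar that also carries protobuf-java's pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/maven/com.google.gwt/gwt-servlet/pom.properties",
                    "groupId=com.google.gwt\nartifactId=gwt-servlet\nversion=2.8.2\n")
        zf.writestr("META-INF/maven/com.google.protobuf/protobuf-java/pom.properties",
                    "#Generated by Maven\ngroupId=com.google.protobuf\n"
                    "artifactId=protobuf-java\nversion=2.5.0\n")
        # Placeholder class entry; content is irrelevant to the metadata check.
        zf.writestr("com/google/gwt/user/server/rpc/RemoteServiceServlet.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    own = MavenCoords("com.google.gwt", "gwt-servlet", "2.8.2")
    jar = build_sample_jar()
    for coords in foreign_coordinates(jar, own):
        print(f"{own.artifact_id}-{own.version}.jar also carries metadata for {coords.purl()}")
```

Run against a real jar by replacing build_sample_jar() with the file's bytes; every foreign entry it prints is a coordinate an SCA tool may attach to that jar, and therefore a candidate for the packaging fix tbroyer mentions rather than for a vulnerability suppression.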

melo0187 commented 1 year ago

In the meantime you can add CVE-2022-3510 to the list of protobuf-java CVEs to suppress, if they matched because of gwt-servlet.

I think the solution of a generic suppress rule like @mprins suggested can't work. He suggested ignoring the CPE targeting protobuf-java when the packageUrl is the one for gwt-servlet. However, when looking at the dependency-check output, the matched package is protobuf-java-2.5.0, which is in gwt-servlet's META-INF. Afaik the rule can't be told that this originated from gwt-servlet and that it should be ignored only in this circumstance.

So nothing changes as long as gwtproject/gwt#9778 isn't done.