jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0
6.43k stars 1.28k forks

Fetch Snyk issues #5035

Open raj77in opened 2 years ago

raj77in commented 2 years ago

Describe the bug: No issues reported for json-20080701.jar and rhino-1.7R4.jar.

Version of dependency-check used: The problem occurs using version 7.3.0 of the cli.

Log file: Log file

To Reproduce: Steps to reproduce the behavior:

  1. Get the above mentioned jar files

  2. Copy the 2 jars in a folder (I named it as jars/test)

  3. Run dependency checker with following command

    ./dependency-check/bin/dependency-check.sh --prettyPrint --enableExperimental -s jars/test
  4. Check the report dependency-check-report.html

Expected behavior: For both the jars, there should be issues reported.

Additional context: According to OSS Index, there is one HIGH vuln. For the rhino jar, the Snyk database shows there are vulnerabilities.

nhumblot commented 1 year ago

Regarding the json dependency:

The request performed to the OSS Index api is the following:

curl https://ossindex.sonatype.org/api/v3/component-report -H 'Content-Type: application/vnd.ossindex.component-report-request.v1+json' -d '{"coordinates":["pkg:maven/org.json/json@20080701"]}'

With the following response:

[
  {
    "coordinates": "pkg:maven/org.json/json@20080701",
    "description": "JSON (JavaScript Object Notation) is a lightweight data-interchange format.\n    It is easy for humans to read and write. It is easy for machines to parse and generate.\n    It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition\n    - December 1999. JSON is a text format that is completely language independent but uses\n    conventions that are familiar to programmers of the C-family of languages, including C, C++, C#,\n    Java, JavaScript, Perl, Python, and many others.\n    These properties make JSON an ideal data-interchange language.",
    "reference": "https://ossindex.sonatype.org/component/pkg:maven/org.json/json@20080701?utm_source=curl&utm_medium=integration&utm_content=7.85.0",
    "vulnerabilities": [
      {
        "id": "sonatype-2022-3061",
        "displayName": "sonatype-2022-3061",
        "title": "1 vulnerability found",
        "description": "1 non-CVE vulnerability found. To see more details, please create a free account at https://ossindex.sonatype.org/ and request for this information using your registered account",
        "cvssScore": 7.5,
        "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "cwe": "CWE-699",
        "reference": "https://ossindex.sonatype.org/vulnerability/sonatype-2022-3061",
        "externalReferences": []
      }
    ]
  }
]

In OssIndexAnalyzer.requestReports(final Dependency[] dependencies), return client.requestComponentReports(packages) returns no vulnerability.

If we perform the following curl request, by specifying Dependency Check in the user agent, we end up not having the vulnerability in the response:

curl https://ossindex.sonatype.org/api/v3/component-report -H 'Content-Type: application/vnd.ossindex.component-report-request.v1+json' -H 'Accept: application/vnd.ossindex.component-report.v1+json' -H 'User-Agent: dependency-check/7.4.4-SNAPSHOT (Linux; 6.0.15-300.fc37.x86_64; amd64; 1.8.0_352)' -d '{"coordinates":["pkg:maven/org.json/json@20080701"]}'

[
  {
    "coordinates": "pkg:maven/org.json/json@20080701",
    "description": "JSON (JavaScript Object Notation) is a lightweight data-interchange format.\n    It is easy for humans to read and write. It is easy for machines to parse and generate.\n    It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition\n    - December 1999. JSON is a text format that is completely language independent but uses\n    conventions that are familiar to programmers of the C-family of languages, including C, C++, C#,\n    Java, JavaScript, Perl, Python, and many others.\n    These properties make JSON an ideal data-interchange language.",
    "reference": "https://ossindex.sonatype.org/component/pkg:maven/org.json/json@20080701?utm_source=dependency-check&utm_medium=integration&utm_content=7.4.4-SNAPSHOT",
    "vulnerabilities": []
  }
]

Hi @jeremylong @aikebah :wave:

Do you know about a specific business rule on the OSS Index API side that might filter non-CVE vulnerability results when being contacted by Dependency Check? I did not find anything related in our issues.

Our documentation for this analyzer says:

Uses the OSS Index APIs to report on vulnerabilities not found in the NVD. The collection of identified Package-URL identifiers are submitted to the OSS Index for analysis and the resulting identified vulnerabilities are included in the report. In addition, vulnerabilities found in both the NVD and OSS Index may have additional references added.

Source

This implies we could get this non-CVE in return from the API.

I would gladly take any historical knowledge or context about this if you have any :slightly_smiling_face:

Following your response, I can perform additional testing to see how DependencyCheck might support these non CVE vulnerabilities, enhance it if needed and see how to contact the maintainers of the OSS Index to fetch these.

Let me know if you want it to evolve. Thank you for your help. :relaxed:

aikebah commented 1 year ago

@nhumblot very likely that the filter from https://github.com/jeremylong/DependencyCheck/issues/4527#issuecomment-1136715391 is still in place for unauthenticated users.

aikebah commented 1 year ago

@nhumblot With authentication (do not forget to clear your OSSIndex cache) it's not quite working as expected in my view: the HTML report properly lists it, but CLI output shows no sign of encountered vulnerabilities.

dependency-check.sh --ossIndexUsername=**redacted** --ossIndexPassword=**redacted** -s .

yields output

[INFO] Check for updates complete (10 ms)
[INFO] 

Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

   About ODC: https://jeremylong.github.io/DependencyCheck/general/internals.html
   False Positives: https://jeremylong.github.io/DependencyCheck/general/suppression.html

💖 Sponsor: https://github.com/sponsors/jeremylong

[INFO] Analysis Started
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (0 seconds)
[INFO] Finished Central Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (0 seconds)
[INFO] Finished CPE Analyzer (0 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (1 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Finished Unused Suppression Rule Analyzer (0 seconds)
[INFO] Analysis Complete (2 seconds)
[INFO] Writing report to: /Users/aikebah/Projects/json/./dependency-check-report.html

but at least has the vulnerability listed in the report:

Screenshot 2022-12-30 at 12 05 52

aikebah commented 1 year ago

@nhumblot With authentication (do not forget to clear your OSSIndex cache) it's not quite working as expected in my view: the HTML report properly lists it, but CLI output shows no sign of encountered vulnerabilities.

Ah... nevermind... that's just me being too spoiled with standard maven settings / parent poms...

adding a --failOnCVSS 0 yields the expected additional output

[ERROR] 

One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0': 

json-20080701.jar: [sonatype-2022-3061] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')(7.5)

See the dependency-check report for more details.

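
Two points in this thread are easy to get wrong when scripting around the analyzer: the OSS Index component-report exchange that nhumblot traced above (non-CVE ids like sonatype-2022-3061 appearing in one response and not the other), and the --failOnCVSS rule aikebah hit (the CLI only complains when a score is at or above the threshold). The script below is an added example, not code from DependencyCheck or from the OSS Index project; it builds the request headers and body shown in the curl commands, flattens a response into findings while flagging non-CVE ids, and applies the threshold rule. The HTTP Basic credential scheme and the constructed sample response are assumptions for illustration.

```python
import base64
import json

OSSINDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"


def build_request(purls, username=None, token=None):
    """Return (headers, body) for an OSS Index v3 component-report call.
    Credentials are attached as HTTP Basic (assumed scheme) only when both are given."""
    headers = {
        "Content-Type": "application/vnd.ossindex.component-report-request.v1+json",
        "Accept": "application/vnd.ossindex.component-report.v1+json",
    }
    if username and token:
        cred = base64.b64encode(f"{username}:{token}".encode()).decode()
        headers["Authorization"] = f"Basic {cred}"
    return headers, json.dumps({"coordinates": list(purls)})


def parse_report(report_json):
    """Flatten a component-report response into findings; mark non-CVE ids
    (e.g. sonatype-2022-3061) so a missing entry can be spotted per component."""
    findings = []
    for component in json.loads(report_json):
        for v in component.get("vulnerabilities", []):
            vid = v.get("id", "")
            findings.append({
                "purl": component["coordinates"],
                "id": vid,
                "is_cve": vid.upper().startswith("CVE-"),
                "cvss": float(v.get("cvssScore") or 0.0),
                "cwe": v.get("cwe"),
            })
    return findings


def exceeds_threshold(findings, fail_on_cvss):
    """Mirror the CLI's --failOnCVSS rule: report findings with score >= threshold."""
    return [f for f in findings if f["cvss"] >= fail_on_cvss]


# Constructed sample shaped like the unauthenticated response quoted above.
SAMPLE = json.dumps([{
    "coordinates": "pkg:maven/org.json/json@20080701",
    "vulnerabilities": [{"id": "sonatype-2022-3061", "cvssScore": 7.5, "cwe": "CWE-699"}],
}])

if __name__ == "__main__":
    for finding in exceeds_threshold(parse_report(SAMPLE), 0.0):
        print(finding)
```

Running it against a real response (fetch with the returned headers and body, one call per user agent or credential set) makes the "vulnerabilities": [] case visible as a zero-length findings list rather than a silently green report.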
nhumblot commented 1 year ago

So the json false negative is a duplicate of #4527

Regarding the rhino false negative, the identified vulnerability is not a CVE but a vulnerability identified by Snyk and not declared as a CVE. To get it, we would need to implement a SnykAnalyzer using their API to fetch the issues and aggregate them in Dependency Check.

Would such a feature be accepted?

This looks to be an enhancement and not a bug. I am updating the tags accordingly. :slightly_smiling_face:

aikebah commented 1 year ago

The main issue with Snyk API in my view is that it's business/enterprise only, so there is no way we can validate the proper interoperation.

And as Snyk also publishes its own scanning integrations I think that Snyk clients are better off using the tools directly published by Snyk.