jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Why INCOMPLETE affected path list in scan result? #5389

Closed functicons closed 1 year ago

functicons commented 1 year ago

We are experiencing an issue where the scanner (CLI v7.4.4) doesn't generate a complete affected-path list for a CVE in one go; instead it reports incrementally after each fix. Say there are 10 paths affected by CVE-20221234 in total, but the scanner first reports 3 affected paths; after we fix and rerun scanning, it reports another 3, then another 4.

Just wanted to know if this is a known issue? Is there any related config to generate the complete affected-path list in one go?

functicons commented 1 year ago

Any log I can enable to debug the issue?

aikebah commented 1 year ago

Take a good look at your report. I suspect you'll find a collapsed section 'Related Dependencies' where the remaining items are already listed for the first run.

functicons commented 1 year ago

Thanks for the info! That led me in the right direction. Our internal tool relies on the CSV format; it seems the info is included as Related Dependencies in the JSON and HTML formats of the report, but missing in the CSV format.

Example:

    "isVirtual" : false,
    "fileName" : "ranger-gcs-authorization-service-2.0-1.0.jar (shaded: log4j:log4j:1.2.17)",
    "filePath" : "/workspace/bigtop/ranger_2.0.0-1_all/usr/lib/dataproc-ranger-gcs-plugin/ranger-gcs-authorization-service-2.0-1.0.jar/META-INF/maven/log4j/log4j/pom.xml",
    "md5" : "b83dfef66f307a7d71f52ab59a8bce54",
    "sha1" : "309d3cac016db1a4cd4565ea2b95c0bdf040f8d1",
    "sha256" : "3b95a3d3cdd3aa4b91ab327ddb5a1bfe03d81e273794e36aa1440471d5d70e5e",
    "description" : "Apache Log4j 1.2",
    "license" : "The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt",
    "relatedDependencies" : [ {
      "isVirtual" : false,
      "fileName" : "phoenix-client-4.14.1-HBase-1.4-embedded.jar (shaded: log4j:log4j:1.2.17)",
      "filePath" : "/workspace/bigtop/presto_340-1_all/usr/lib/presto/plugin/phoenix/phoenix-client-4.14.1-HBase-1.4-embedded.jar/META-INF/maven/log4j/log4j/pom.xml",
      "sha256" : "3b95a3d3cdd3aa4b91ab327ddb5a1bfe03d81e273794e36aa1440471d5d70e5e",
      "sha1" : "309d3cac016db1a4cd4565ea2b95c0bdf040f8d1",
      "md5" : "b83dfef66f307a7d71f52ab59a8bce54",
      "packageIds" : [ {
        "id" : "pkg:maven/log4j/log4j@1.2.17"
      } ]
    }

Is there any config to avoid listing them as 'Related Dependencies' and show each of them as a separate item in CSV format?

aikebah commented 1 year ago

The property keys controlling the analyzers that lead to this are analyzer.dependencymerging.enabled and analyzer.dependencybundling.enabled, both of which are NOT exposed as configurable flags in the CLI, so the only way to disable them is to take the default properties file, switch off those two analyzers by changing the enabled property value to false, and use the -P/--propertyfile CLI parameter to take that modified properties file as the default settings to be modified by further command-line flags (or also set other properties to your desired defaults).

functicons commented 1 year ago

Thank you! Do I have to create a copy of the default properties file then modify? Is there a way I can override just these 2 properties from the CLI?

jeremylong commented 1 year ago

Just create a properties file and add the two properties. Then include it via the --propertyfile arg.

jeremylong commented 1 year ago

Example:

analyzer.dependencymerging.enabled=false
analyzer.dependencybundling.enabled=false

functicons commented 1 year ago

Thank you @jeremylong and @aikebah! It's resolved!

functicons commented 1 year ago

@jeremylong @aikebah, actually the 2 properties didn't work as expected:

$ cat ./scanner.properties
analyzer.dependencybundling.enabled=false
analyzer.dependencymerging.enabled=false
$ DependencyCheck/cli/target/release/bin/dependency-check.sh --propertyfile ./scanner.properties ...

I still find relatedDependencies generated in json output:

$ cat dependency-check-report.json | grep /presto_340-1_all/usr/lib/presto/plugin/accumulo/validation-api-2.0.1.Final.jar -C 20

{
    "isVirtual" : false,
    "fileName" : "validation-api-2.0.1.Final.jar",
    "filePath" : "/home/dagang/tmp/cve/2_0_deb10_20230119_122200-RC01/presto_340-1_all/usr/lib/presto/lib/validation-api-2.0.1.Final.jar",
    "md5" : "5d02c034034a7a16725ceff787e191d6",
    "sha1" : "cb855558e6271b1b32e716d24cb85c7f583ce09e",
    "sha256" : "9873b46df1833c9ee8f5bc1ff6853375115dadd8897bcb5a0dffb5848835ee6c",
    "description" : "\n        Bean Validation API\n    ",
    "license" : "Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt",
    "relatedDependencies" : [ {
      "isVirtual" : false,
      "fileName" : "validation-api-2.0.1.Final.jar",
      "filePath" : "/home/dagang/tmp/cve/2_0_deb10_20230119_122200-RC01/presto_340-1_all/usr/lib/presto/plugin/accumulo/validation-api-2.0.1.Final.jar",
      "sha256" : "9873b46df1833c9ee8f5bc1ff6853375115dadd8897bcb5a0dffb5848835ee6c",
      "sha1" : "cb855558e6271b1b32e716d24cb85c7f583ce09e",
      "md5" : "5d02c034034a7a16725ceff787e191d6"
    }, {

while the path is not in CSV output:

$ cat /home/dagang/tmp/cve/run/output/dependency-check-report.csv | grep presto_340-1_all/usr/lib/presto/plugin/accumulo/validation-api-2.0.1.Final.jar

(empty)

functicons commented 1 year ago

I compared the JSON/CSV output of 2 property files, one with the 2 properties set to false, the other set to true. The results are different, and the diff looks good. It is just a little hard to understand why I still see relatedDependencies in the JSON output when the properties are set to false.

jeremylong commented 1 year ago

Personally - I would leave the properties alone and just use jq to transform the format you want.
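The post-processing route suggested above, as an added example that is not part of this issue and not the project's own code: the script below reads a dependency-check JSON report, promotes every entry in relatedDependencies to its own row (carrying the primary dependency's vulnerability list), and emits CSV, so a CSV-based pipeline sees all affected paths in a single run. The sample report is constructed from the field shapes quoted in this thread (fileName, filePath, sha256, relatedDependencies, packageIds); the "vulnerabilities" array with "name" and "severity" fields is an assumption about the report schema that the thread itself does not show, and the CVE id is a placeholder. Each row also records whether the member's sha256 matches the primary's, so an unexpected grouping is visible rather than silent.

```python
import csv
import io
import json

# Constructed sample report, shaped after the JSON excerpts quoted in this issue.
# The "vulnerabilities" array (name/severity) is an assumed part of the schema;
# "CVE-YYYY-NNNN" is a placeholder, not a real identifier.
SAMPLE_REPORT_JSON = json.dumps({
    "dependencies": [
        {
            "isVirtual": False,
            "fileName": "ranger-gcs-authorization-service-2.0-1.0.jar (shaded: log4j:log4j:1.2.17)",
            "filePath": "/workspace/bigtop/ranger_2.0.0-1_all/usr/lib/dataproc-ranger-gcs-plugin/"
                        "ranger-gcs-authorization-service-2.0-1.0.jar/META-INF/maven/log4j/log4j/pom.xml",
            "sha256": "3b95a3d3cdd3aa4b91ab327ddb5a1bfe03d81e273794e36aa1440471d5d70e5e",
            "relatedDependencies": [{
                "isVirtual": False,
                "fileName": "phoenix-client-4.14.1-HBase-1.4-embedded.jar (shaded: log4j:log4j:1.2.17)",
                "filePath": "/workspace/bigtop/presto_340-1_all/usr/lib/presto/plugin/phoenix/"
                            "phoenix-client-4.14.1-HBase-1.4-embedded.jar/META-INF/maven/log4j/log4j/pom.xml",
                "sha256": "3b95a3d3cdd3aa4b91ab327ddb5a1bfe03d81e273794e36aa1440471d5d70e5e",
                "packageIds": [{"id": "pkg:maven/log4j/log4j@1.2.17"}],
            }],
            "vulnerabilities": [{"name": "CVE-YYYY-NNNN", "severity": "HIGH"}],
        },
        {
            "isVirtual": False,
            "fileName": "clean-lib-1.0.jar",
            "filePath": "/workspace/clean-lib-1.0.jar",
            "sha256": "0" * 64,
            "relatedDependencies": [],
            "vulnerabilities": [],
        },
    ]
})

FIELDS = ["filePath", "fileName", "sha256", "isRelated", "primaryPath",
          "hashMatchesPrimary", "cves", "maxSeverity"]
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


def load_report(text):
    """Parse a dependency-check JSON report from its text."""
    return json.loads(text)


def flatten_dependencies(report):
    """One row per physical path: the primary dependency plus every entry in its
    relatedDependencies, each carrying the primary's vulnerability list."""
    rows = []
    for dep in report.get("dependencies", []):
        vulns = dep.get("vulnerabilities") or []
        cves = ";".join(v.get("name", "") for v in vulns)
        max_sev = max((v.get("severity", "").upper() for v in vulns),
                      key=lambda s: SEVERITY_RANK.get(s, 0), default="")
        primary_hash = dep.get("sha256", "")
        for member in [dep] + (dep.get("relatedDependencies") or []):
            rows.append({
                "filePath": member.get("filePath", ""),
                "fileName": member.get("fileName", ""),
                "sha256": member.get("sha256", ""),
                "isRelated": member is not dep,
                "primaryPath": dep.get("filePath", ""),
                # The merger groups identical artifacts; a mismatch here would mean
                # the grouping is not what the shared-hash assumption expects.
                "hashMatchesPrimary": member.get("sha256", "") == primary_hash,
                "cves": cves,
                "maxSeverity": max_sev,
            })
    return rows


def affected_paths(report, cve):
    """Every path, primary or related, whose dependency group carries `cve`."""
    return sorted(r["filePath"] for r in flatten_dependencies(report)
                  if cve in r["cves"].split(";"))


def to_csv(report):
    """Render the flattened rows as CSV text with a header line."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(flatten_dependencies(report))
    return buf.getvalue()


if __name__ == "__main__":
    # Real use: load_report(open("dependency-check-report.json").read())
    print(to_csv(load_report(SAMPLE_REPORT_JSON)), end="")
```

With the merging and bundling analyzers left at their defaults, the JSON report stays compact and this flattening step restores the per-path view that the CSV writer omits; any row with hashMatchesPrimary set to False is worth a manual look before the pipeline trusts the grouping.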