Open simon-n opened 1 year ago
There are no analyzers for php/composer: https://jeremylong.github.io/DependencyCheck/analyzers/index.html
Sure, from the "experimental" section: https://jeremylong.github.io/DependencyCheck/analyzers/composer-lock.html
Is rooted in a difference in package URL:
ODC uses pkg:composer/symfony/http-kernel@5.1.4, whereas apparently OSSIndex uses pkg:composer/symfony/http-kernel@v5.1.4
As a work-around you could use a locally built version with a dirty-hack patch applied that will add the package URL in the form that OSSIndex requires. It will duplicate every v-prefixed version in the report, but you'll get the OSSIndex results.
Hope to look into the possibilities for a clean patch later this week, as from the looks of it OSSIndex needs the v-prefix when present, whereas NIST NVD requires the plain version number (but the experimental analyzer does not provide sufficient evidence for ODC logic to match one of the listed CPEs at https://nvd.nist.gov/vuln/detail/CVE-2020-15094 to the symfony http-kernel package).
diff --git a/core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerLockParser.java b/core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerLockParser.java
index e3b4bae65..ca110f68d 100644
--- a/core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerLockParser.java
+++ b/core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerLockParser.java
@@ -82,12 +82,13 @@ public class ComposerLockParser {
if (pkg.containsKey("version")) {
final String group = groupName.substring(0, groupName.indexOf('/'));
final String project = groupName.substring(groupName.indexOf('/') + 1);
- String version = pkg.getString("version");
- // Some version numbers begin with v - which doesn't end up matching CPE's
+ final String version = pkg.getString("version");
+ LOGGER.debug("Got package {}/{}/{}", group, project, version);
+ // Some version numbers begin with v - which doesn't always end up matching CPE's
if (version.startsWith("v")) {
- version = version.substring(1);
+ LOGGER.debug("Also adding packageURL with v-less version {}", version.substring(1));
+ composerDependencies.add(new ComposerDependency(group, project, version.substring(1)));
}
- LOGGER.debug("Got package {}/{}/{}", group, project, version);
composerDependencies.add(new ComposerDependency(group, project, version));
} else {
LOGGER.debug("Group/package {} does not have a version", groupName);
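Review bot: the `if (version.startsWith("v"))` branch now adds a second `ComposerDependency` for the same package, so every v-prefixed package will be listed twice in the report (as the accompanying comment acknowledges). A cleaner shape would be to keep a single `ComposerDependency` per package and attach both package-URL forms (`@v5.1.4` for OSS Index, `@5.1.4` for CPE matching) as alternate identifiers on that one entry, so the analyzer still queries OSS Index with the prefixed form without duplicating rows. Two smaller points on the same lines: `startsWith("v")` is case-sensitive and does not check that a digit follows the `v`, so a guard such as `version.length() > 1 && Character.isDigit(version.charAt(1))` would avoid stripping the first character of any non-numeric version string; and the moved `LOGGER.debug("Got package {}/{}/{}", ...)` now logs the prefixed version before the v-less variant is added, which is fine but worth a one-line comment so the two debug lines are not read as two distinct packages.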
Is there any update regarding this issue? We would really like to use this tool in my company to audit our PHP apps.
Given a PHP `composer.lock` file, pointing to a package that is listed as vulnerable on Sonatype OSS Index. Running latest dependency-check-cli (8.0.2) by serving Sonatype login credentials results in an empty report. Apparently, known vulnerabilities of PHP packages aren't reported at all.

Reproduction guide

I've attached a ZIP file, containing a minimum `composer.json` (and resulting `composer.lock`) file. It requires PHP package `symfony/http-kernel@v5.1.4` which is listed as vulnerable on OSS Index:

1. Copy `composer.lock` file onto current working directory
2. Run `dependency-check-cli`, providing the `--enableExperimental` option

Let me know if you need further information to investigate.
Thank you in advance!
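To make the package-URL mismatch discussed in this thread concrete, here is a small added example (not code from the issue, the attached ZIP, or the dependency-check project) that parses a constructed `composer.lock`, builds a `ComposerDependency` per package the way the experimental analyzer does, and derives both purl forms: the one with the lock file's `v` prefix (the form OSS Index is reported to key on) and the stripped one (the form used for CPE matching). The lock-file content, the `purl_variants` helper and the digit guard after the `v` are assumptions for illustration; the project's Java parser only checks `startsWith("v")`.

```python
import json
from dataclasses import dataclass

# Constructed minimal composer.lock content for the example; this is not the
# ZIP attached to the issue. The first entry mirrors the reproduction case.
COMPOSER_LOCK = """
{
  "packages": [
    {"name": "symfony/http-kernel", "version": "v5.1.4"},
    {"name": "psr/log", "version": "1.1.4"},
    {"name": "vendor/dev-pkg", "version": "dev-master"}
  ],
  "packages-dev": []
}
"""


@dataclass(frozen=True)
class ComposerDependency:
    """group/project/version triple, as in the analyzer's data model."""
    group: str
    project: str
    version: str

    def purl(self) -> str:
        # Package URL in the composer type, built from the version as given.
        return f"pkg:composer/{self.group}/{self.project}@{self.version}"


def parse_composer_lock(text: str) -> list[ComposerDependency]:
    """Collect every versioned package from both package sections of the lock file.
    Entries without a name, a vendor/package slash, or a version are skipped,
    matching the "does not have a version" branch of the original parser."""
    data = json.loads(text)
    deps = []
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            name = pkg.get("name")
            version = pkg.get("version")
            if not name or "/" not in name or version is None:
                continue
            group, project = name.split("/", 1)
            deps.append(ComposerDependency(group, project, version))
    return deps


def purl_variants(dep: ComposerDependency) -> tuple[str, str]:
    """Return (as-locked form, v-stripped form).

    The as-locked form keeps a leading 'v' (the form OSS Index expects per the
    thread); the stripped form is what CPE/NVD-style matching wants. The
    digit check after the 'v' is an added guard (assumption) so that only
    version strings such as 'v5.1.4' are stripped, not arbitrary text."""
    as_locked = dep.purl()
    v = dep.version
    if v.startswith("v") and len(v) > 1 and v[1].isdigit():
        stripped = ComposerDependency(dep.group, dep.project, v[1:]).purl()
    else:
        stripped = as_locked
    return as_locked, stripped


def purl_index(deps: list[ComposerDependency]) -> dict[str, ComposerDependency]:
    """Map every purl form back to its single dependency object, so a lookup
    succeeds whichever form an upstream service keys on, without creating a
    second dependency (and a duplicated report row) per v-prefixed package."""
    index: dict[str, ComposerDependency] = {}
    for dep in deps:
        for form in purl_variants(dep):
            index[form] = dep
    return index


if __name__ == "__main__":
    for dep in parse_composer_lock(COMPOSER_LOCK):
        locked, stripped = purl_variants(dep)
        print(f"{dep.group}/{dep.project}: OSS Index form {locked}, CPE form {stripped}")
```

Running the script shows why the reproduction yields an empty report: for `symfony/http-kernel` the two forms differ only by the `v`, so a client that queries OSS Index with the stripped form gets no match, while a package whose lock-file version has no prefix (`psr/log`) produces the same purl either way. Keeping one dependency object with both forms, as `purl_index` does, is the shape a clean fix would take.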