jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Missing Sonatype OSS issues for PHP/composer packages #5400

Open simon-n opened 1 year ago

simon-n commented 1 year ago

Given a PHP composer.lock file pointing to a package that is listed as vulnerable on Sonatype OSS Index, running the latest dependency-check-cli (8.0.2) with Sonatype login credentials supplied results in an empty report. Apparently, known vulnerabilities of PHP packages aren't reported at all.

Reproduction guide

I've attached a ZIP file containing a minimum composer.json (and the resulting composer.lock) file. It requires the PHP package symfony/http-kernel@v5.1.4, which is listed as vulnerable on OSS Index:

  1. Place the composer.lock file in the current working directory
  2. Scan the working directory using dependency-check-cli, providing the --enableExperimental option
  3. Check the generated report file(s) -> no vulnerabilities are reported

Let me know if you need further information to investigate.

Thank you in advance!

mprins commented 1 year ago

There are no analyzers for php/composer: https://jeremylong.github.io/DependencyCheck/analyzers/index.html

simon-n commented 1 year ago

Sure, from the "experimental" section: https://jeremylong.github.io/DependencyCheck/analyzers/composer-lock.html

aikebah commented 1 year ago

It is rooted in a difference in package URL.

ODC uses pkg:composer/symfony/http-kernel@5.1.4, whereas apparently OSSIndex uses pkg:composer/symfony/http-kernel@v5.1.4
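
As an added illustration of the mismatch described above (this is not dependency-check's own code), the following Python snippet reads a composer.lock, builds the pkg:composer package URL for each entry, and emits both the tag as written (v5.1.4, the form OSS Index keys on) and the bare number (5.1.4, the form CPE matching wants) when the version carries a v prefix. The composer.lock content is constructed inline; the function names composer_purl, purl_candidates and purls_from_lock are this example's own.

```python
import json
from urllib.parse import quote

# Constructed composer.lock fragment for illustration; not the ZIP attached to the issue.
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/http-kernel", "version": "v5.1.4"},
        {"name": "psr/log", "version": "1.1.4"},
        {"name": "vendor/unversioned"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "v9.5.0"},
    ],
})


def composer_purl(name, version):
    """Build a pkg:composer package URL for a 'vendor/project' name and a version.

    Composer names are case-insensitive, so both parts are lowercased, and each
    component is percent-encoded as the package-URL spec requires.
    """
    vendor, _, project = name.partition("/")
    if not vendor or not project:
        raise ValueError(f"composer package names are vendor/project, got {name!r}")
    return (
        f"pkg:composer/{quote(vendor.lower(), safe='')}"
        f"/{quote(project.lower(), safe='')}@{quote(version, safe='')}"
    )


def purl_candidates(name, version):
    """Return the set of purls a scanner should try for one lock entry.

    composer.lock records the git tag as written (e.g. 'v5.1.4'). OSS Index
    indexes that form, while CPE-style matching wants the bare number, so both
    forms are emitted when the version starts with 'v' followed by a digit.
    """
    forms = {composer_purl(name, version)}
    if len(version) > 1 and version[0] == "v" and version[1].isdigit():
        forms.add(composer_purl(name, version[1:]))
    return forms


def purls_from_lock(lock_text, include_dev=True):
    """Map each versioned package in a composer.lock document to its purl candidates."""
    lock = json.loads(lock_text)
    sections = ["packages"] + (["packages-dev"] if include_dev else [])
    result = {}
    for section in sections:
        for pkg in lock.get(section, []):
            name = pkg.get("name")
            version = pkg.get("version")
            if not name or not version:
                continue  # nothing to query against an index without a version
            result[name] = purl_candidates(name, version)
    return result


if __name__ == "__main__":
    for name, purls in purls_from_lock(COMPOSER_LOCK).items():
        print(name, sorted(purls))
```

Running it shows symfony/http-kernel mapped to both pkg:composer/symfony/http-kernel@v5.1.4 and pkg:composer/symfony/http-kernel@5.1.4, while psr/log (no prefix) gets a single purl; a scanner that only ever queries one of the two forms is exactly what produces the empty OSS Index result reported in this issue.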

aikebah commented 1 year ago

As a work-around you could use a locally built version with a dirty-hack patch applied that will add the package-url in the form that OSSIndex requires. It will duplicate every v-prefixed version in the report, but you'll get the OSSIndex results.

Hope to look into the possibilities for a clean patch later this week, as from the looks of it OSSIndex needs the v-prefix when present, whereas NIST NVD requires the plain version number (but the experimental analyzer does not provide sufficient evidence for ODC logic to match one of the listed CPEs at https://nvd.nist.gov/vuln/detail/CVE-2020-15094 to the symfony http-kernel package).

diff --git a/core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerLockParser.java b/core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerLockParser.java
index e3b4bae65..ca110f68d 100644
--- a/core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerLockParser.java
+++ b/core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerLockParser.java
@@ -82,12 +82,13 @@ public class ComposerLockParser {
                             if (pkg.containsKey("version")) {
                                 final String group = groupName.substring(0, groupName.indexOf('/'));
                                 final String project = groupName.substring(groupName.indexOf('/') + 1);
-                                String version = pkg.getString("version");
-                                // Some version numbers begin with v - which doesn't end up matching CPE's
+                                final String version = pkg.getString("version");
+                                LOGGER.debug("Got package {}/{}/{}", group, project, version);
+                                // Some version numbers begin with v - which doesn't always end up matching CPE's
                                 if (version.startsWith("v")) {
-                                    version = version.substring(1);
+                                    LOGGER.debug("Also adding packageURL with v-less version {}", version.substring(1));
+                                    composerDependencies.add(new ComposerDependency(group, project, version.substring(1)));
                                 }
-                                LOGGER.debug("Got package {}/{}/{}", group, project, version);
                                 composerDependencies.add(new ComposerDependency(group, project, version));
                             } else {
                                 LOGGER.debug("Group/package {} does not have a version", groupName);
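
Review bot: The duplicated entries this patch produces come from the two `composerDependencies.add(...)` calls inside the `if (pkg.containsKey("version"))` branch: for a v-prefixed version both `new ComposerDependency(group, project, version.substring(1))` and `new ComposerDependency(group, project, version)` are added, so each such package becomes two dependencies in the report. A cleaner shape would keep one ComposerDependency per lock entry and let the analyzer attach both package-URL forms (the v-prefixed one OSS Index needs and the plain one used for CPE matching) as identifiers on that single dependency, which avoids the duplication noted in the comment above. Minor: since `version` is now `final` and no longer stripped in place, the comment "doesn't always end up matching CPE's" should say which form is being kept for CPE matching, as the log line `Also adding packageURL with v-less version` only covers the extra entry.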
math-98 commented 10 months ago

Is there any update regarding this issue? We would really like to use this tool in my company to audit our PHP apps.