jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Vulnerabilities are reported for an empty JAR file #5559

Open InverseIntegral opened 1 year ago

InverseIntegral commented 1 year ago

**Describe the bug**
I'm scanning an empty JAR file and get the following two vulnerabilities reported:

cpe:2.3:a:binary_project:binary:0.3.47:*:*:*:*:*:*:*
cpe:2.3:a:tor_project:tor:0.3.47:*:*:*:*:*:*:*

With the published vulnerability CVE-2022-36078.

**Version of dependency-check used**
The problem occurs using version 8.1.2 distributed via the latest docker image `owasp/dependency-check@sha256:3b48f8bfadc3c689a80b6cefe3efd149d124071b34cfb22e833bb633f7fc137d`

**Log file**
Output when running the checker

**To Reproduce**
Steps to reproduce the behavior:

1. Create a new empty project that uses Gradle 8.0.2
2. Use the following `build.gradle.kts`:

   ```kotlin
   plugins {
       `java-library`
       `java-test-fixtures`
   }

   // Normalise entry timestamps so every build of the JAR is byte-for-byte identical
   tasks.withType(Jar::class.java).configureEach { isPreserveFileTimestamps = false }
   ```

3. Build the test-fixture JAR file by running `gradle testFixturesJar`
4. Run the dependency checker via docker: ``docker run -it --entrypoint /bin/sh -v `pwd`:`pwd` owasp/dependency-check:latest``
5. Scan the JAR file: `/usr/share/dependency-check/bin/dependency-check.sh -s .`

**Expected behavior**
I would expect the checker not to find any vulnerabilities.

**Additional context**
This issue only happens with Gradle 8.0.2 and only when preserving the timestamp of the JAR file. The description of the JAR file seems wrong too:

> Tor binary resource distribution for Mingw X64

Perhaps, the file is interpreted incorrectly. In case a complete project or the JAR file is required to reproduce this issue, I will provide it. To verify that the JAR file is indeed empty, I checked the content by unzipping it.
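The mechanism behind a report like this is worth seeing in working code. dependency-check's Central analyzer looks a file up on Maven Central by its SHA-1, and a JAR that contains nothing but a manifest, built with normalised timestamps, is byte-for-byte identical to every other content-free JAR built the same way, so the lookup returns all of their coordinates and POM metadata as evidence. This is not a cryptographic collision; the files really are the same bytes. The script below is an added example, not code from the dependency-check project or from the issue author: it builds such a JAR twice with a fixed entry time and once with a "real" time, hashes each, and provides a small check that flags a JAR as content-free before it is scanned. The fixed time 1980-02-01 00:00:00, the one-line manifest, and the Unix "made by" field are assumptions about what a reproducible build writes, not values taken from the issue.

```python
"""Why a content-free JAR hashes the same as unrelated Maven Central artifacts.

Added example; not dependency-check code. Assumptions are marked below.
"""
import hashlib
import io
import zipfile

# Assumption: a build with normalised timestamps stamps every entry with one
# constant DOS time; 1980-02-01 00:00:00 is used here as that constant.
CONSTANT_ZIP_TIME = (1980, 2, 1, 0, 0, 0)
# Assumption: the manifest a jar task writes when it has nothing else to add.
MANIFEST = b"Manifest-Version: 1.0\r\n\r\n"


def build_jar(extra_entries=None, entry_time=CONSTANT_ZIP_TIME) -> bytes:
    """Return the bytes of a JAR holding META-INF/MANIFEST.MF plus extra_entries.

    Every field that could vary between hosts or runs is pinned so that two
    builds with the same inputs produce the same bytes.
    """
    entries = {"META-INF/MANIFEST.MF": MANIFEST}
    entries.update(extra_entries or {})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            zi = zipfile.ZipInfo(name, date_time=entry_time)
            zi.compress_type = zipfile.ZIP_STORED
            zi.create_system = 3            # "made by" host field, 3 = Unix (assumed)
            zi.external_attr = 0o644 << 16  # pin permission bits too
            jar.writestr(zi, data)
    return buf.getvalue()


def sha1_hex(data: bytes) -> str:
    """SHA-1 in the form dependency-check reports it: 40 lowercase hex digits."""
    return hashlib.sha1(data).hexdigest()


def content_entries(jar_bytes: bytes) -> list:
    """Entry names that are not META-INF bookkeeping (classes, resources, ...)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return [n for n in jar.namelist() if not n.startswith("META-INF/")]


def is_content_free_jar(jar_bytes: bytes) -> bool:
    """True when the JAR carries no classes or resources of its own.

    Such a file has no identity beyond its packaging, so a hash match against a
    central index says nothing about what it is; any evidence derived from that
    match is a false-positive candidate and the file is a good suppression target.
    """
    return not content_entries(jar_bytes)


if __name__ == "__main__":
    fixed_a = build_jar()
    fixed_b = build_jar()
    timestamped = build_jar(entry_time=(2023, 3, 30, 12, 0, 0))
    with_class = build_jar({"com/example/Foo.class": b"\xca\xfe\xba\xbe"})
    print("fixed-time build 1 :", sha1_hex(fixed_a))
    print("fixed-time build 2 :", sha1_hex(fixed_b))   # same digest as build 1
    print("real-time build    :", sha1_hex(timestamped))  # differs
    print("content-free       :", is_content_free_jar(fixed_a))
    print("has own content    :", not is_content_free_jar(with_class))
```

Running the script shows the two fixed-time builds producing one digest and the timestamped build another, which is the whole story of the report above: preserving the real timestamp gives the file a unique hash that matches nothing on Central, while normalising it gives the hash shared by every other empty, reproducibly built JAR. The `is_content_free_jar` check is the kind of pre-scan filter a team can use to decide which hashes belong in a suppression file.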
aikebah commented 1 year ago

Check your HTML report - what are the evidences in the report found for your empty jar?

This kind of scenario is perfectly possible due to how DependencyCheck works: collection of evidences from various sources and then guessing the appropriate NVD CPE for it.

InverseIntegral commented 1 year ago

Thank you @aikebah for the quick reply. The evidence found in the HTML report is:

| Type | Source | Name | Value | Confidence |
| -- | -- | -- | -- | -- |
| Vendor | central | artifactid | jsmints | High |
| Vendor | central | artifactid | jsmints-js | High |
| Vendor | central | artifactid | kmp-tor-binary-mingwx64 | High |
| Vendor | central | artifactid | kmp-tor-binary-mingwx86 | High |
| Vendor | central | artifactid | kmp-tor-binary-mingwx86-jvm | High |
| Vendor | central | artifactid | openrndr-gl3-js | High |
| Vendor | central | artifactid | openrndr-openal-js | High |
| Vendor | central | artifactid | openrndr-svg-js | High |
| Vendor | central | artifactid | openrndr-webgl-jvm | High |
| Vendor | central | artifactid | opentelemetry-agent-for-testing | High |
| Vendor | central | artifactid | opentelemetry-jaeger-spring-boot-starter | High |
| Vendor | central | artifactid | opentelemetry-javaagent | High |
| Vendor | central | artifactid | opentelemetry-javaagent-jdbc-bootstrap | High |
| Vendor | central | artifactid | opentelemetry-ktor-1.0 | High |
| Vendor | central | artifactid | opentelemetry-ktor-2.0 | High |
| Vendor | central | artifactid | opentelemetry-ktor-common | High |
| Vendor | central | artifactid | opentelemetry-spring-boot-starter | High |
| Vendor | central | artifactid | opentelemetry-testing-common | High |
| Vendor | central | artifactid | opentelemetry-zipkin-spring-boot-starter | High |
| Vendor | central | artifactid | vosk-model-en | High |
| Vendor | central | groupid | com.alphacephei | High |
| Vendor | central | groupid | com.zegreatrob.jsmints | High |
| Vendor | central | groupid | io.matthewnelson.kotlin-components | High |
| Vendor | central | groupid | io.opentelemetry.instrumentation | High |
| Vendor | central | groupid | io.opentelemetry.javaagent | High |
| Vendor | central | groupid | io.opentelemetry.javaagent.instrumentation | High |
| Vendor | central | groupid | org.openrndr | High |
| Vendor | file | name | dependency-check-fp-test-fixtures | High |
| Vendor | pom | artifactid | jsmints | Low |
| Vendor | pom | artifactid | jsmints-js | Low |
| Vendor | pom | artifactid | kmp-tor-binary-mingwx64 | Low |
| Vendor | pom | artifactid | kmp-tor-binary-mingwx86 | Low |
| Vendor | pom | artifactid | kmp-tor-binary-mingwx86-jvm | Low |
| Vendor | pom | artifactid | openrndr-gl3-js | Low |
| Vendor | pom | artifactid | openrndr-openal-js | Low |
| Vendor | pom | artifactid | openrndr-svg-js | Low |
| Vendor | pom | artifactid | openrndr-webgl-jvm | Low |
| Vendor | pom | artifactid | opentelemetry-agent-for-testing | Low |
| Vendor | pom | artifactid | opentelemetry-jaeger-spring-boot-starter | Low |
| Vendor | pom | artifactid | opentelemetry-javaagent | Low |
| Vendor | pom | artifactid | opentelemetry-javaagent-jdbc-bootstrap | Low |
| Vendor | pom | artifactid | opentelemetry-ktor-1.0 | Low |
| Vendor | pom | artifactid | opentelemetry-ktor-2.0 | Low |
| Vendor | pom | artifactid | opentelemetry-ktor-common | Low |
| Vendor | pom | artifactid | opentelemetry-spring-boot-starter | Low |
| Vendor | pom | artifactid | opentelemetry-testing-common | Low |
| Vendor | pom | artifactid | opentelemetry-zipkin-spring-boot-starter | Low |
| Vendor | pom | artifactid | vosk-model-en | Low |
| Vendor | pom | developer email | contact@alphacephei.com | Low |
| Vendor | pom | developer email | edwin@openrndr.org | Low |
| Vendor | pom | developer email | robert.f.murdock@gmail.com | Low |
| Vendor | pom | developer id | 05nelsonm | Medium |
| Vendor | pom | developer id | com.alphacephei | Medium |
| Vendor | pom | developer id | edwinjakobs | Medium |
| Vendor | pom | developer id | opentelemetry | Medium |
| Vendor | pom | developer id | robertfmurdock | Medium |
| Vendor | pom | developer name | Alpha Cephei Inc | Medium |
| Vendor | pom | developer name | Edwin Jakobs | Medium |
| Vendor | pom | developer name | Matthew Nelson | Medium |
| Vendor | pom | developer name | OpenTelemetry | Medium |
| Vendor | pom | developer name | Rob Murdock | Medium |
| Vendor | pom | groupid | com.alphacephei | Highest |
| Vendor | pom | groupid | com.zegreatrob.jsmints | Highest |
| Vendor | pom | groupid | io.matthewnelson.kotlin-components | Highest |
| Vendor | pom | groupid | io.opentelemetry.instrumentation | Highest |
| Vendor | pom | groupid | io.opentelemetry.javaagent | Highest |
| Vendor | pom | groupid | io.opentelemetry.javaagent.instrumentation | Highest |
| Vendor | pom | groupid | org.openrndr | Highest |
| Vendor | pom | name | jsmints | High |
| Vendor | pom | name | openrndr-gl3 | High |
| Vendor | pom | name | openrndr-openal | High |
| Vendor | pom | name | openrndr-svg | High |
| Vendor | pom | name | openrndr-webgl | High |
| Vendor | pom | name | OpenTelemetry Instrumentation for Java | High |
| Vendor | pom | name | Tor binary resource distribution for Mingw X64 | High |
| Vendor | pom | name | Tor binary resource distribution for Mingw X86 | High |
| Vendor | pom | name | Vosk English Model | High |
| Vendor | pom | url | 05nelsonm/kmp-tor-binary/ | Highest |
| Vendor | pom | url | http://www.alphacephei.com.com/vosk/ | Highest |
| Vendor | pom | url | https://openrndr.org | Highest |
| Vendor | pom | url | open-telemetry/opentelemetry-java-instrumentation | Highest |
| Vendor | pom | url | robertfmurdock/jsmints | Highest |
| Product | central | artifactid | jsmints | High |
| Product | central | artifactid | jsmints-js | High |
| Product | central | artifactid | kmp-tor-binary-mingwx64 | High |
| Product | central | artifactid | kmp-tor-binary-mingwx86 | High |
| Product | central | artifactid | kmp-tor-binary-mingwx86-jvm | High |
| Product | central | artifactid | openrndr-gl3-js | High |
| Product | central | artifactid | openrndr-openal-js | High |
| Product | central | artifactid | openrndr-svg-js | High |
| Product | central | artifactid | openrndr-webgl-jvm | High |
| Product | central | artifactid | opentelemetry-agent-for-testing | High |
| Product | central | artifactid | opentelemetry-jaeger-spring-boot-starter | High |
| Product | central | artifactid | opentelemetry-javaagent | High |
| Product | central | artifactid | opentelemetry-javaagent-jdbc-bootstrap | High |
| Product | central | artifactid | opentelemetry-ktor-1.0 | High |
| Product | central | artifactid | opentelemetry-ktor-2.0 | High |
| Product | central | artifactid | opentelemetry-ktor-common | High |
| Product | central | artifactid | opentelemetry-spring-boot-starter | High |
| Product | central | artifactid | opentelemetry-testing-common | High |
| Product | central | artifactid | opentelemetry-zipkin-spring-boot-starter | High |
| Product | central | artifactid | vosk-model-en | High |
| Product | file | name | dependency-check-fp-test-fixtures | High |
| Product | pom | artifactid | jsmints | Highest |
| Product | pom | artifactid | jsmints-js | Highest |
| Product | pom | artifactid | kmp-tor-binary-mingwx64 | Highest |
| Product | pom | artifactid | kmp-tor-binary-mingwx86 | Highest |
| Product | pom | artifactid | kmp-tor-binary-mingwx86-jvm | Highest |
| Product | pom | artifactid | openrndr-gl3-js | Highest |
| Product | pom | artifactid | openrndr-openal-js | Highest |
| Product | pom | artifactid | openrndr-svg-js | Highest |
| Product | pom | artifactid | openrndr-webgl-jvm | Highest |
| Product | pom | artifactid | opentelemetry-agent-for-testing | Highest |
| Product | pom | artifactid | opentelemetry-jaeger-spring-boot-starter | Highest |
| Product | pom | artifactid | opentelemetry-javaagent | Highest |
| Product | pom | artifactid | opentelemetry-javaagent-jdbc-bootstrap | Highest |
| Product | pom | artifactid | opentelemetry-ktor-1.0 | Highest |
| Product | pom | artifactid | opentelemetry-ktor-2.0 | Highest |
| Product | pom | artifactid | opentelemetry-ktor-common | Highest |
| Product | pom | artifactid | opentelemetry-spring-boot-starter | Highest |
| Product | pom | artifactid | opentelemetry-testing-common | Highest |
| Product | pom | artifactid | opentelemetry-zipkin-spring-boot-starter | Highest |
| Product | pom | artifactid | vosk-model-en | Highest |
| Product | pom | developer email | contact@alphacephei.com | Low |
| Product | pom | developer email | edwin@openrndr.org | Low |
| Product | pom | developer email | robert.f.murdock@gmail.com | Low |
| Product | pom | developer id | 05nelsonm | Low |
| Product | pom | developer id | com.alphacephei | Low |
| Product | pom | developer id | edwinjakobs | Low |
| Product | pom | developer id | opentelemetry | Low |
| Product | pom | developer id | robertfmurdock | Low |
| Product | pom | developer name | Alpha Cephei Inc | Low |
| Product | pom | developer name | Edwin Jakobs | Low |
| Product | pom | developer name | Matthew Nelson | Low |
| Product | pom | developer name | OpenTelemetry | Low |
| Product | pom | developer name | Rob Murdock | Low |
| Product | pom | groupid | com.alphacephei | Highest |
| Product | pom | groupid | com.zegreatrob.jsmints | Highest |
| Product | pom | groupid | io.matthewnelson.kotlin-components | Highest |
| Product | pom | groupid | io.opentelemetry.instrumentation | Highest |
| Product | pom | groupid | io.opentelemetry.javaagent | Highest |
| Product | pom | groupid | io.opentelemetry.javaagent.instrumentation | Highest |
| Product | pom | groupid | org.openrndr | Highest |
| Product | pom | name | jsmints | High |
| Product | pom | name | openrndr-gl3 | High |
| Product | pom | name | openrndr-openal | High |
| Product | pom | name | openrndr-svg | High |
| Product | pom | name | openrndr-webgl | High |
| Product | pom | name | OpenTelemetry Instrumentation for Java | High |
| Product | pom | name | Tor binary resource distribution for Mingw X64 | High |
| Product | pom | name | Tor binary resource distribution for Mingw X86 | High |
| Product | pom | name | Vosk English Model | High |
| Product | pom | url | 05nelsonm/kmp-tor-binary/ | High |
| Product | pom | url | http://www.alphacephei.com.com/vosk/ | Medium |
| Product | pom | url | https://openrndr.org | Medium |
| Product | pom | url | open-telemetry/opentelemetry-java-instrumentation | High |
| Product | pom | url | robertfmurdock/jsmints | High |
| Version | central | version | 0.3.47 | High |
| Version | central | version | 0.4.3-alpha4 | High |
| Version | central | version | 1.24.0 | High |
| Version | central | version | 1.24.0-alpha | High |
| Version | central | version | 3.1.5 | High |
| Version | central | version | 4.7.13-1 | High |
| Version | pom | version | 0.3.47 | Highest |
| Version | pom | version | 0.4.3-alpha4 | Highest |
| Version | pom | version | 1.24.0 | Highest |
| Version | pom | version | 1.24.0-alpha | Highest |
| Version | pom | version | 3.1.5 | Highest |
| Version | pom | version | 4.7.13-1 | Highest |
aikebah commented 1 year ago

@InverseIntegral based on the evidences, your empty jar with static date appears to have a hash-collision with several artifacts on maven central.

Marcono1234 commented 1 year ago

Similar to #5118

InverseIntegral commented 1 year ago

@aikebah @Marcono1234 Thank you both for your replies. We have since fixed the problem on our side by including something into the JAR. Do you think it would make sense to add the SHA1 hash of the empty JAR to the dependencycheck-base-suppression.xml similar to #5118?

jeremylong commented 1 year ago

Yes - I would put the hash into your local suppression file.
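What a local suppression entry for this case looks like, as an added example rather than a file from the project or from either participant. It suppresses by the file's SHA-1 so the rule cannot accidentally hide a finding on a real artifact, and it names only the two CPEs the report attributed to the JAR. `REPLACE_WITH_SHA1_FROM_REPORT` is a placeholder: the actual 40-hex-digit value is the one shown for the JAR in the HTML report and is not given in this issue. The filename `suppression.xml` is likewise an assumption.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      Content-free test-fixtures JAR. With normalised timestamps its bytes are identical to
      several unrelated empty artifacts on Maven Central, so the SHA-1 lookup pulls in their
      metadata and the CPEs below are mis-attributed. See dependency-check issue #5559.
      Re-check this entry if the JAR ever gains real content.
    ]]></notes>
    <!-- placeholder: copy the SHA-1 that the HTML report shows for the JAR -->
    <sha1>REPLACE_WITH_SHA1_FROM_REPORT</sha1>
    <cpe>cpe:/a:tor_project:tor</cpe>
    <cpe>cpe:/a:binary_project:binary</cpe>
  </suppress>
</suppressions>
```

Pass the file to the CLI with `dependency-check.sh -s . --suppression suppression.xml`. Keying the rule on the hash rather than on a file-path or regex pattern means it stops applying as soon as the JAR is rebuilt with content, which is the safe failure mode: a suppression that outlives the condition it was written for is how real findings get hidden.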

InverseIntegral commented 1 year ago

@jeremylong Wouldn't it also make sense to add the hash to the predefined dependencycheck-base-suppression.xml so that other users don't run into this exact issue?