jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0
6.48k stars 1.29k forks

Maven plugin stopped reporting vulnerabilities in liferay-kernel since 7.4.0 #5633

Open brudnyhenry opened 1 year ago

brudnyhenry commented 1 year ago

Describe the bug

I was using OWASP dependency checker 6.5.0 for a while now and it was scanning all my libraries. However, after upgrading to 7.4.0 and also 8.2.1, the regular scan that used to report all vulnerabilities stopped reporting issues for Liferay-kernel.

Example pom.xml

    <dependency>
        <groupId>com.liferay.portal</groupId>
        <artifactId>com.liferay.portal.kernel</artifactId>
        <version>2.64.1</version>
        <scope>provided</scope>
    </dependency>

Version of dependency-check used

7.4.0 and 8.2.1: NOK
6.5.0: OK
7.3.2: OK

Log file

No com.liferay.portal.kernel vulnerability in 7.4.4 and 8.2.1:

[INFO] --- dependency-check-maven:8.2.1:aggregate (default-cli) @ xxxxxx ---

Correct vulnerability list when using 6.5.0 or 7.3.2

[INFO] --- dependency-check-maven:6.5.0:aggregate (default-cli) @ xxxxx
One or more dependencies were identified with known vulnerabilities in xxxxx:

com.liferay.portal.kernel-2.64.1.jar (pkg:maven/com.liferay.portal/com.liferay.portal.kernel@2.64.1, cpe:2.3:a:liferay:liferay:2.64.1:*:*:*:*:*:*:*, cpe:2.3:a:liferay:liferay_portal:2.64.1:*:*:*:*:*:*:*, cpe:2.3:a:liferay:portal:2.64.1:*:*:*:*:*:*:*) : CVE-2009-3742, CVE-2010-5327, CVE-2014-8349, CVE-2016-10404, CVE-2016-3670, CVE-2017-1000425, CVE-2017-12645, CVE-2017-12646, CVE-2017-12647, CVE-2017-12648, CVE-2017-12649, CVE-2018-10795, CVE-2019-16147, CVE-2019-16891, CVE-2019-6588, CVE-2020-15839, CVE-2020-15840, CVE-2020-15841, CVE-2020-15842, CVE-2020-24554, CVE-2020-7961, CVE-2021-29040, CVE-2021-33320, CVE-2021-33322, CVE-2021-33325, CVE-2021-33326, CVE-2021-33333, CVE-2021-38263, CVE-2021-38266, CVE-2022-28980

......

To Reproduce

Run maven: mvn dependency-check:aggregate -Dformat=All

Expected behavior

Report Liferay vulnerabilities.

aikebah commented 1 year ago

See #5085 for context and follow the link in your report for the package-url: OSSIndex also indicates that that jar contains no vulnerabilities.

aikebah commented 1 year ago

Note that before that change the vulnerabilities were retrieved from NVD for

cpe:2.3:a:liferay:liferay:2.64.1:*:*:*:*:*:*:*
cpe:2.3:a:liferay:liferay_portal:2.64.1:*:*:*:*:*:*:*
cpe:2.3:a:liferay:portal:2.64.1:*:*:*:*:*:*:*

which was incorrect, as liferay kernel 2.64.1 is for Liferay Portal 7.0.6, so it should report the issues as found for

cpe:2.3:a:liferay:liferay:7.0.6:*:*:*:*:*:*:*
cpe:2.3:a:liferay:liferay_portal:7.0.6:*:*:*:*:*:*:*
cpe:2.3:a:liferay:portal:7.0.6:*:*:*:*:*:*:*