jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Archive analyzer throws exception while reading archive #5645

Open himanshukumar4642 opened 1 year ago

himanshukumar4642 commented 1 year ago

Recently we have been facing issues while performing scans for some of our images. The error looks something like the one below:

[INFO] Analysis Started
[ERROR] Exception reading archive '.wh.nginx-1.18.0-2.el7.ngx.x86_64.rpm'.
[WARN] An error occurred while analyzing '<workspace_directory>/<image_path>/layer.tar' (Archive Analyzer).

We are aware of this change that took effect with v8.0.2. We suspect that the issue is that dependency-check is unable to read a zip file inside the tar file. Can something be done to resolve this issue? Not sure, but eventually on passing '--zipExtensions "rpm"' to our scan command it does not throw this exception. I am not able to correlate this; please help me to understand it. Similarly for the .tar.gz file extension:

[INFO] Analysis Started
[ERROR] Exception reading archive '.wh.jdk-19_linux-x64_bin.tar.gz'.
[WARN] An error occurred while analyzing '<workspace_directory>/<image_path>/layer.tar' (Archive Analyzer).

P.S. We are currently using v8.1.2

himanshukumar4642 commented 1 year ago

Can anyone please provide any comments?

jeremylong commented 1 year ago

Pretty sure you have it figured out - something cannot be correctly extracted from layer.tar. You might get more details with the --log odc.log option.

himanshukumar4642 commented 1 year ago

@jeremylong shouldn't this be considered a bug, since the archive analyzer is unable to extract files properly?

himanshukumar4642 commented 1 year ago

Can anyone look into this issue?

jeremylong commented 1 year ago

We use Apache Compress - if you look at their JIRA there are a few issues with decompressing some archives. Examples are COMPRESS-562 and COMPRESS-513. I don't have your archive file, so I can't open a defect with their project.

In the meantime you could configure the failOnError option.

himanshukumar4642 commented 1 year ago

@jeremylong how can we use the failOnError option on the CLI when passing in parameters?

jeremylong commented 1 year ago

Sorry - failOnError is a configuration option on the Maven or Gradle plugins. If this is on the CLI, the report should still be generated. As such, you can either ignore the error, or alternatively un-tar the file before running ODC.

himanshukumar4642 commented 1 year ago

@jeremylong we are getting an error for extraction this time.

[ERROR] Exception extracting archive 'testtar.tar'
...
[ERROR] java.io.IOException: Truncated TAR archive

We tried to exclude that using --exclude **/*testtar.tar (tried with and without quotes, both single and double), but it is still getting picked up and reporting the same error. This is somewhat painful. We're unable to exclude stuff.

Please provide some solution here. Thanks

lucky499 commented 1 year ago

I am also facing a similar issue.

I tried adding the tar, zip and tgz extensions as an argument like below, and all of the scans finished with zero scans/findings: '--zipExtensions "rpm","gz","zip","tgz","tar"'

rpm and gz were already working; after adding tar and zip the scans are blank.

Please suggest a way to get rid of this issue.

jeremylong commented 1 year ago

From the documentation:

Argument Name: --zipExtensions
Parameter: <strings>
Description: A comma-separated list of additional file extensions to be treated like a ZIP file; the contents will be extracted and analyzed.

So I might suggest:

--zipExtensions "rpm,gz,zip,tgz,tar"
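The two workarounds given in this thread (un-tar the layer before running ODC, and pass --zipExtensions as one comma-separated string) combined into a small script. This is an added example, not code from the DependencyCheck project or from anyone in the thread; it assumes tar, find and mktemp are available and that ODC_BIN points at dependency-check.sh. The files named in the errors above (.wh.nginx-...rpm, .wh.jdk-...tar.gz) carry the ".wh." prefix that Docker/OCI layers use for whiteout markers, which are empty placeholders rather than real archives, so the script drops them before scanning:

```shell
#!/bin/sh
# Added example (not part of DependencyCheck): pre-extract a container layer tar so
# ODC scans plain files instead of a nested archive, and skip truncated layers.
# Assumptions: tar/find/mktemp available; ODC_BIN is the path to dependency-check.sh.
set -eu

# Extract LAYER into DEST. Returns 1 (without aborting the caller) when tar cannot
# read the archive, which is what ODC reports as "Truncated TAR archive".
extract_layer() {
  layer=$1; dest=$2
  mkdir -p "$dest"
  if ! tar -xf "$layer" -C "$dest" 2>/dev/null; then
    echo "skipping unreadable/truncated archive: $layer" >&2
    return 1
  fi
  # Whiteout markers (.wh.<name>, .wh..wh..opq) are zero-byte OCI/Docker layer
  # metadata, not archives, even when the name ends in .rpm or .tar.gz.
  find "$dest" -type f -name '.wh.*' -delete
}

# Build the ODC command line for the extracted tree. It is printed, not executed,
# so the exact arguments (one comma-separated --zipExtensions value) can be reviewed.
odc_command() {
  dest=$1; out=$2
  mkdir -p "$out"
  printf '%s --scan "%s" --out "%s" --zipExtensions "rpm,gz,zip,tgz,tar" --exclude "**/testtar.tar" --log "%s/odc.log"\n' \
    "${ODC_BIN:-dependency-check.sh}" "$dest" "$out" "$out"
}
```

Run it as `extract_layer layer.tar staging && eval "$(odc_command staging reports)"`; a layer that fails extraction is reported on stderr and skipped instead of aborting the whole scan.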

jeremylong commented 1 year ago

Regarding the exclude: --exclude **/testtar.tar should work - unless the tar is actually contained within another archive.

lucky499 commented 1 year ago

Hi @jeremylong ,

I have tried the solution suggested below, but the scan results are still coming back blank. I am expecting some results out of this scan, because if I remove tgz, zip and tar from --zipExtensions it produces some (partial) scan results and then the scan fails in the middle with a tar extraction/reading exception.

From the documentation:

Argument Name: --zipExtensions
Parameter: <strings>
Description: A comma-separated list of additional file extensions to be treated like a ZIP file; the contents will be extracted and analyzed.

So I might suggest:

--zipExtensions "rpm,gz,zip,tgz,tar"

Please find the logs from my scan:

18:58:53  2023-05-03 13:28:39,544 - INFO - Running scan with: /tmp/dependency-check/bin/dependency-check.sh --propertyfile /working_dir/owasp-configuration.properties --log /working_dir/workspace --noupdate --disableCentral --disableOssIndex --disableYarnAudit --out /working_dir/workspace/reports --exclude **/*file-3.4.13* --exclude **/*file-3.4.14* --zipExtensions "rpm,gz,tgz,zip,tar" --disableNodeAudit --disableNodeJS --suppression /working_dir/suppress.xml  --suppression /working_dirnew/suppress.xml --format "ALL" --prettyPrint --scan /working_dir/workspace/data/oir --project test
18:59:25  [INFO] 
18:59:25  
18:59:25  Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
18:59:25  
18:59:25  
18:59:25     About ODC: https://jeremylong.github.io/DependencyCheck/general/internals.html
18:59:25     False Positives: https://jeremylong.github.io/DependencyCheck/general/suppression.html
18:59:25  
18:59:25  💖 Sponsor: https://github.com/sponsors/jeremylong
18:59:25  
18:59:25  
18:59:25  [INFO] Analysis Started
18:59:25  [INFO] Finished Archive Analyzer (0 seconds)
18:59:25  [INFO] Finished File Name Analyzer (0 seconds)
18:59:25  [INFO] Finished Dependency Merging Analyzer (0 seconds)
18:59:25  [INFO] Finished Version Filter Analyzer (0 seconds)
18:59:25  [INFO] Finished Hint Analyzer (0 seconds)
18:59:25  [INFO] Created CPE Index (2 seconds)
18:59:25  [INFO] Finished CPE Analyzer (2 seconds)
18:59:25  [INFO] Finished False Positive Analyzer (0 seconds)
18:59:25  [INFO] Finished NVD CVE Analyzer (0 seconds)
18:59:25  [INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
18:59:25  [INFO] Finished Known Exploited Vulnerability Analyzer (0 seconds)
18:59:25  [INFO] Finished Unused Suppression Rule Analyzer (0 seconds)
18:59:25  [INFO] Analysis Complete (2 seconds)
18:59:25  [INFO] Writing report to: /owasp-client/workspace/reports/dependency-check-report.xml
18:59:25  [INFO] Writing report to: /owasp-client/workspace/reports/dependency-check-report.html
18:59:25  [INFO] Writing report to: /owasp-client/workspace/reports/dependency-check-report.json
18:59:25  [INFO] Writing report to: /owasp-client/workspace/reports/dependency-check-report.csv
18:59:25  [INFO] Writing report to: /owasp-client/workspace/reports/dependency-check-report.sarif
18:59:26  [INFO] Writing report to: /owasp-client/workspace/reports/dependency-check-jenkins.html
18:59:26  [INFO] Writing report to: /owasp-client/workspace/reports/dependency-check-junit.xml
18:59:28  2023-05-03 13:29:28,001 - INFO - The scan completed
18:59:28  2023-05-03 13:29:28,001 - INFO - Goodbye

himanshukumar4642 commented 1 year ago

Regarding the exclude: --exclude **/testtar.tar should work - unless the tar is actually contained within another archive.

Yes, this tar is an archive inside another archive. Is there any way to exclude this file from being scanned?

HQPhamOrcl commented 1 year ago

In regards to:

So I might suggest:
--zipExtensions "rpm,gz,zip,tgz,tar"

Would that be redundant with the default values (https://jeremylong.github.io/DependencyCheck/analyzers/archive-analyzer.html)?

OWASP dependency-check includes an archive analyzer that will attempt to extract files from the archive that are supported by the other file type analyzers.

File Types Scanned: ZIP, EAR, WAR, JAR, SAR, APK, NUPKG, TAR, GZ, TGZ, RPM

Additional file extensions for ZIP archives can be added, see the configuration section in the Maven, Ant, or CLI interfaces for more information on configuration.

jeremylong commented 1 year ago

@himanshukumar4642 - at the moment, no, there is no way to exclude an archive contained in another archive.

himanshukumar4642 commented 1 year ago

@jeremylong when can we expect a fix for this issue? The compressor issues you pointed to above seem to have been created a long time ago and are still in OPEN state. Please provide any suggestion. Thanks

himanshukumar4642 commented 1 year ago

@jeremylong can you provide any ETA for the fix? We are really facing serious issues. Thanks