jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0
6.34k stars, 1.26k forks

[FP]: Akka.Net Libraries Flagged as outdated Akka Scala Libraries #5836

Open ewilansky opened 1 year ago

ewilansky commented 1 year ago

Package URL

pkg:nuget/Akka.Cluster.Hosting@1.5.7

CPE

cpe:2.3:a:akka:akka:::::::: versions up to (including) 2.4.16

CVE

CVE-2017-1000034

ODC Integration

{"label"=>"CLI"}

ODC Version

8.3.1

Description

All Akka DotNet packages (implemented by Petabridge) are incorrectly detected as Akka Scala packages. I've only added a single package to the package URI field above to allow the automated script attached to this issue post to run. However, this same false positive applies to these packages:

Vendor home page: https://getakka.net/
Vendor source: https://github.com/akkadotnet/akka.net

The only way we have found around this is to add suppressions (attached: owasp-suppressions.xml.zip).

github-actions[bot] commented 1 year ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/5647114488

github-actions[bot] commented 1 year ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/5647129879

Aaronontheweb commented 1 year ago
Determining projects to restore...
/usr/share/dotnet/sdk/7.0.306/NuGet.targets(190,5): error MSB4018: The "WriteRestoreGraphTask" task failed unexpectedly. [/home/runner/work/DependencyCheck/DependencyCheck/fp-project/fp-project.csproj]
/usr/share/dotnet/sdk/7.0.306/NuGet.targets(190,5): error MSB4018: System.ArgumentException: '1.5.7, pkg:nuget/Akka.Hosting.TestKit@1.5.7, pkg:nuget/Akka.Persistence.Redis@1.5.0, pkg:nuget/Akka.Streams@1.5.8, pkg:nuget/Akka.TestKit.XUnit2@1.5.8' is not a valid version string. (Parameter 'value') [/home/runner/work/DependencyCheck/DependencyCheck/fp-project/fp-project.csproj]
/usr/share/dotnet/sdk/7.0.306/NuGet.targets(190,5): error MSB4018:    at NuGet.Versioning.NuGetVersion.Parse(String value) [/home/runner/work/DependencyCheck/DependencyCheck/fp-project/fp-project.csproj]
/usr/share/dotnet/sdk/7.0.306/NuGet.targets(190,5): error MSB4018:    at NuGet.Commands.MSBuildRestoreUtility.GetVersion(IMSBuildItem item) [/home/runner/work/DependencyCheck/DependencyCheck/fp-project/fp-project.csproj]
/usr/share/dotnet/sdk/7.0.306/NuGet.targets(190,5): error MSB4018:    at NuGet.Commands.MSBuildRestoreUtility.GetPackageSpec(IEnumerable`1 items) [/home/runner/work/DependencyCheck/DependencyCheck/fp-project/fp-project.csproj]
/usr/share/dotnet/sdk/7.0.306/NuGet.targets(190,5): error MSB4018:    at System.Linq.Enumerable.SelectEnumerableIterator`2.MoveNext() [/home/runner/work/DependencyCheck/DependencyCheck/fp-project/fp-project.csproj]
/usr/share/dotnet/sdk/7.0.306/NuGet.targets(190,5): error MSB4018:    at System.Linq.Enumerable.WhereEnumerableIterator`1.MoveNext() [/home/runner/work/DependencyCheck/DependencyCheck/fp-project/fp-project.csproj]
/usr/share/dotnet/sdk/7.0.306/NuGet.targets(190,5): error MSB4018:    at NuGet.Commands.MSBuildRestoreUtility.GetDependencySpec(IEnumerable`1 items) [/home/runner/work/DependencyCheck/DependencyCheck/fp-project/fp-project.csproj]
/usr/share/dotnet/sdk/7.0.306/NuGet.targets(190,5): error MSB4018:    at NuGet.Build.Tasks.WriteRestoreGraphTask.Execute() [/home/runner/work/DependencyCheck/DependencyCheck/fp-project/fp-project.csproj]
/usr/share/dotnet/sdk/7.0.306/NuGet.targets(190,5): error MSB4018:    at Microsoft.Build.BackEnd.TaskExecutionHost.Microsoft.Build.BackEnd.ITaskExecutionHost.Execute() [/home/runner/work/DependencyCheck/DependencyCheck/fp-project/fp-project.csproj]
/usr/share/dotnet/sdk/7.0.306/NuGet.targets(190,5): error MSB4018:    at Microsoft.Build.BackEnd.TaskBuilder.ExecuteInstantiatedTask(ITaskExecutionHost taskExecutionHost, TaskLoggingContext taskLoggingContext, TaskHost taskHost, ItemBucket bucket, TaskExecutionMode howToExecuteTask) [/home/runner/work/DependencyCheck/DependencyCheck/fp-project/fp-project.csproj]
Unable to create dependency graph file for project '/home/runner/work/DependencyCheck/DependencyCheck/fp-project/fp-project.csproj'. Cannot add package reference.
Error: Process completed with exit code 1.

Hmmm, the tool doesn't like that version string

github-actions[bot] commented 1 year ago

Nuget Coordinates

dotnet add package Akka.Cluster.Hosting --version 1.5.7

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #5836
   ]]></notes>
   <packageUrl regex="true">^pkg:nuget/Akka\.Cluster\.Hosting@.*$</packageUrl>
   <cpe>cpe:/a:akka:akka</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/5647181434

ewilansky commented 1 year ago

I updated the post to include a single package URI to see if that resolves that issue.

ewilansky commented 1 year ago

Will this issue be assigned for resolution or is the only remediation for these false positives going to be adding a suppression entry for each one? These libraries should be tracked going-forward so marking them for suppression isn't a good long term option.
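The thread above ends with one suppression rule per package. As an added example (not dependency-check's own code and not code posted in this issue), the script below reads the JSON report that dependency-check writes with --format JSON, collects every NuGet package that was mapped to a CPE the reviewer has confirmed is wrong for the code base (here akka:akka), and emits a single suppress element per false CPE whose packageUrl regex covers all of those packages at once, in the same shape as the rule the bot generated. The report layout it relies on (dependencies[].packages[].id for the package URL, dependencies[].vulnerabilityIds[].id for the matched CPE 2.3 string) is the one the JSON report uses; the sample report embedded below is constructed for the example, with the CPE versions chosen to match the package versions. The schema namespace is the suppression 1.3 schema from the dependency-check documentation.

```python
import json
import re

# Constructed sample report: the subset of a dependency-check JSON report
# (--format JSON) that this script reads. The package URLs and the akka:akka CPE
# come from the issue above; the versions inside the CPE strings are illustrative.
SAMPLE_REPORT = json.loads("""
{
  "dependencies": [
    {
      "fileName": "Akka.Cluster.Hosting.dll",
      "packages": [{"id": "pkg:nuget/Akka.Cluster.Hosting@1.5.7"}],
      "vulnerabilityIds": [{"id": "cpe:2.3:a:akka:akka:1.5.7:*:*:*:*:*:*:*"}],
      "vulnerabilities": [{"name": "CVE-2017-1000034"}]
    },
    {
      "fileName": "Akka.Streams.dll",
      "packages": [{"id": "pkg:nuget/Akka.Streams@1.5.8"}],
      "vulnerabilityIds": [{"id": "cpe:2.3:a:akka:akka:1.5.8:*:*:*:*:*:*:*"}],
      "vulnerabilities": [{"name": "CVE-2017-1000034"}]
    },
    {
      "fileName": "Newtonsoft.Json.dll",
      "packages": [{"id": "pkg:nuget/Newtonsoft.Json@13.0.3"}],
      "vulnerabilityIds": [],
      "vulnerabilities": []
    }
  ]
}
""")

# (vendor, product) pairs a reviewer has confirmed do not describe this code base.
# This is the reviewer's judgement, not something the tool can derive itself.
FALSE_CPES = {("akka", "akka")}

SCHEMA_NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"


def cpe_vendor_product(cpe23):
    """(vendor, product) from a CPE 2.3 string such as
    cpe:2.3:a:akka:akka:1.5.7:*:*:*:*:*:*:*; None if the id is not a CPE 2.3."""
    parts = cpe23.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        return None
    return parts[3], parts[4]


def nuget_package_name(purl):
    """pkg:nuget/Akka.Cluster.Hosting@1.5.7 -> 'Akka.Cluster.Hosting'; None for non-NuGet purls."""
    m = re.match(r"^pkg:nuget/([^@?#]+)@", purl)
    return m.group(1) if m else None


def false_matches(report, false_cpes=FALSE_CPES):
    """Map each false (vendor, product) to the set of NuGet package names that
    dependency-check associated with it in this report."""
    matches = {}
    for dep in report.get("dependencies", []):
        names = {nuget_package_name(p["id"]) for p in dep.get("packages", [])}
        names.discard(None)
        if not names:
            continue
        for vid in dep.get("vulnerabilityIds", []):
            vp = cpe_vendor_product(vid["id"])
            if vp in false_cpes:
                matches.setdefault(vp, set()).update(names)
    return matches


def packageurl_pattern(package_names):
    """Anchored regex matching any version of the listed NuGet packages; dots are
    escaped so Akka.Streams does not also match Akka-Streams or Akka.StreamsX."""
    return "^pkg:nuget/(" + "|".join(re.escape(n) for n in sorted(package_names)) + ")@.*$"


def purl_is_suppressed(pattern, purl):
    """True if the packageUrl regex written into a rule matches this purl."""
    return re.fullmatch(pattern, purl) is not None


def suppression_rule(vendor, product, package_names, note):
    """One <suppress> element in the shape the bot posted above, keyed on the
    CPE 2.2 form (cpe:/a:vendor:product) that the suppression file uses."""
    if "]]>" in note:
        raise ValueError("note would terminate the CDATA section")
    return (
        '<suppress base="true">\n'
        "   <notes><![CDATA[\n   " + note + "\n   ]]></notes>\n"
        '   <packageUrl regex="true">' + packageurl_pattern(package_names) + "</packageUrl>\n"
        "   <cpe>cpe:/a:" + vendor + ":" + product + "</cpe>\n"
        "</suppress>"
    )


def suppressions_document(report, note, false_cpes=FALSE_CPES):
    """Complete suppression file: one rule per false CPE found in the report."""
    rules = [suppression_rule(v, p, names, note)
             for (v, p), names in sorted(false_matches(report, false_cpes).items())]
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<suppressions xmlns="' + SCHEMA_NS + '">\n'
            + "\n".join(rules) + "\n</suppressions>\n")


if __name__ == "__main__":
    print(suppressions_document(SAMPLE_REPORT, "FP per issue #5836"))
```

Run it against a real report with `SAMPLE_REPORT` replaced by `json.load(open("dependency-check-report.json"))` and pass the output via --suppression. Two caveats apply to any rule of this kind: the cpe element removes only that CPE mapping from the listed packages, so findings that other analyzers attach to the same purl (for example OSS Index) are not hidden, and a future advisory published under Akka.NET's own CPE would still be reported; and because the regex is built from the packages seen in the report, it has to be regenerated when a new Akka.NET package is added to the build.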