jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: pkg:npm/mongodb@5.9.2 #6300

Open JoergHeinicke5005 opened 9 months ago

JoergHeinicke5005 commented 9 months ago

Package URL

pkg:npm/mongodb@5.9.2

CPE

cpe:2.3:a:mongodb:mongodb:5.9.2:*:*:*:*:*:*:*

CVE

CVE-2014-8180

ODC Integration

Gradle Plugin

ODC Version

9.0.5

Description

Dependency Check pulls out the extremely old CVE-2014-8180 (which seems to be applicable to running mongod on some RedHat) and matches it to the mongodb driver for Node.js. Not sure what exactly has changed, but the NVD website doesn't report any recent change on the entry (last change in 2017). The CVE has not been reported before, i.e., in particular with the NVD data feed. Also, it's not always being reported but only occasionally, so the behavior seems somewhat non-deterministic.

Is it something which can be suppressed globally or do we have to do it locally?

github-actions[bot] commented 9 months ago

Npm Coordinates

npm -i mongodb@5.9.2

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6300
   ]]></notes>
   <packageUrl regex="true">^pkg:npm/mongodb@.*$</packageUrl>
   <cpe>cpe:/a:mongodb:mongodb</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/7209083854

github-actions[bot] commented 9 months ago

Npm Coordinates

npm -i mongodb@5.9.2

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6300
   ]]></notes>
   <packageUrl regex="true">^pkg:npm/mongodb@.*$</packageUrl>
   <cpe>cpe:/a:mongodb:mongodb</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/7212097877

aikebah commented 9 months ago

Something buggy going on with the ecosystem.

v8.4.3: All mongodb:mongodb CPE entries are linked to ecosystem native

v9.0.x: Some mongodb:mongodb CPE entries are still linked to ecosystem native, but many also at null

aikebah commented 9 months ago

Promoting from FP report to bug

aikebah commented 9 months ago

CPEs for 9.x:

112074,a,mongodb,mongodb,*,*,*,*,*,*,*,*,native
112075,a,mongodb,mongodb,1.2.0,*,*,*,*,*,*,*,
112076,a,mongodb,mongodb,1.4.0,*,*,*,*,*,*,*,
112077,a,mongodb,mongodb,1.6.0,*,*,*,*,*,*,*,
112078,a,mongodb,mongodb,1.8.0,*,*,*,*,*,*,*,
112079,a,mongodb,mongodb,2.0.0,*,*,*,*,*,*,*,
112080,a,mongodb,mongodb,2.0.1,*,*,*,*,*,*,*,
112081,a,mongodb,mongodb,2.0.2,*,*,*,*,*,*,*,
112082,a,mongodb,mongodb,2.0.3,*,*,*,*,*,*,*,
112083,a,mongodb,mongodb,2.0.4,*,*,*,*,*,*,*,
112084,a,mongodb,mongodb,2.0.5,*,*,*,*,*,*,*,
112085,a,mongodb,mongodb,2.0.6,*,*,*,*,*,*,*,
112086,a,mongodb,mongodb,2.0.7,*,*,*,*,*,*,*,
112087,a,mongodb,mongodb,2.0.8,*,*,*,*,*,*,*,
112088,a,mongodb,mongodb,2.2.0,*,*,*,*,*,*,*,
112089,a,mongodb,mongodb,2.2.1,*,*,*,*,*,*,*,
112090,a,mongodb,mongodb,2.2.2,*,*,*,*,*,*,*,
112091,a,mongodb,mongodb,2.2.3,*,*,*,*,*,*,*,
112092,a,mongodb,mongodb,2.2.4,*,*,*,*,*,*,*,
112093,a,mongodb,mongodb,2.2.5,*,*,*,*,*,*,*,
112094,a,mongodb,mongodb,2.2.6,*,*,*,*,*,*,*,
112095,a,mongodb,mongodb,2.2.7,*,*,*,*,*,*,*,
112096,a,mongodb,mongodb,2.3.0,*,*,*,*,*,*,*,
118001,a,mongodb,mongodb,2.4.0,*,*,*,*,*,*,*,native
118002,a,mongodb,mongodb,2.4.1,*,*,*,*,*,*,*,native
118003,a,mongodb,mongodb,2.4.2,*,*,*,*,*,*,*,native
118004,a,mongodb,mongodb,2.4.3,*,*,*,*,*,*,*,native
118005,a,mongodb,mongodb,2.4.4,*,*,*,*,*,*,*,native
118006,a,mongodb,mongodb,2.5.0,*,*,*,*,*,*,*,
119498,a,mongodb,mongodb,2.4.5,*,*,*,*,*,*,*,
122881,a,mongodb,mongodb,2.6.0,*,*,*,*,*,*,*,native
122882,a,mongodb,mongodb,2.6.1,*,*,*,*,*,*,*,native
122883,a,mongodb,mongodb,2.6.2,*,*,*,*,*,*,*,
122884,a,mongodb,mongodb,2.6.3,*,*,*,*,*,*,*,
122885,a,mongodb,mongodb,2.6.4,*,*,*,*,*,*,*,
122886,a,mongodb,mongodb,2.6.5,*,*,*,*,*,*,*,
122887,a,mongodb,mongodb,2.6.6,*,*,*,*,*,*,*,
122888,a,mongodb,mongodb,2.6.7,*,*,*,*,*,*,*,
167264,a,mongodb,mongodb,-,*,*,*,*,*,*,*,native
172025,a,mongodb,mongodb,1.7.0,*,*,*,*,*,*,*,native
192188,a,mongodb,mongodb,*,*,*,*,enterprise,*,*,*,native
210050,a,mongodb,mongodb,4.4.0,rc1,*,*,*,*,*,*,native
210051,a,mongodb,mongodb,4.4.0,rc10,*,*,*,*,*,*,native
210052,a,mongodb,mongodb,4.4.0,rc11,*,*,*,*,*,*,native
210053,a,mongodb,mongodb,4.4.0,rc2,*,*,*,*,*,*,native
210054,a,mongodb,mongodb,4.4.0,rc3,*,*,*,*,*,*,native
210055,a,mongodb,mongodb,4.4.0,rc4,*,*,*,*,*,*,native
210056,a,mongodb,mongodb,4.4.0,rc5,*,*,*,*,*,*,native
210057,a,mongodb,mongodb,4.4.0,rc6,*,*,*,*,*,*,native
210058,a,mongodb,mongodb,4.4.0,rc7,*,*,*,*,*,*,native
210059,a,mongodb,mongodb,4.4.0,rc8,*,*,*,*,*,*,native
210060,a,mongodb,mongodb,4.4.0,rc9,*,*,*,*,*,*,native
224613,a,mongodb,mongodb,*,*,*,*,*,visual_studio_code,*,*,native

CPEs for 8.4.3:

106668,a,mongodb,mongodb,2.6.7,*,*,*,*,*,*,*,native
106669,a,mongodb,mongodb,2.6.2,*,*,*,*,*,*,*,native
106670,a,mongodb,mongodb,2.6.1,*,*,*,*,*,*,*,native
106671,a,mongodb,mongodb,2.6.4,*,*,*,*,*,*,*,native
106672,a,mongodb,mongodb,2.6.5,*,*,*,*,*,*,*,native
106673,a,mongodb,mongodb,2.6.6,*,*,*,*,*,*,*,native
106674,a,mongodb,mongodb,2.6.3,*,*,*,*,*,*,*,native
106675,a,mongodb,mongodb,2.6.0,*,*,*,*,*,*,*,native
106676,a,mongodb,mongodb,*,*,*,*,*,*,*,*,native
116706,a,mongodb,mongodb,1.8.0,*,*,*,*,*,*,*,native
116710,a,mongodb,mongodb,2.0.0,*,*,*,*,*,*,*,native
116712,a,mongodb,mongodb,2.0.6,*,*,*,*,*,*,*,native
116714,a,mongodb,mongodb,2.2.2,*,*,*,*,*,*,*,native
116718,a,mongodb,mongodb,1.2.0,*,*,*,*,*,*,*,native
116719,a,mongodb,mongodb,2.2.1,*,*,*,*,*,*,*,native
116722,a,mongodb,mongodb,2.2.0,*,*,*,*,*,*,*,native
116723,a,mongodb,mongodb,1.4.0,*,*,*,*,*,*,*,native
116726,a,mongodb,mongodb,2.0.1,*,*,*,*,*,*,*,native
116728,a,mongodb,mongodb,2.0.3,*,*,*,*,*,*,*,native
116733,a,mongodb,mongodb,2.0.4,*,*,*,*,*,*,*,native
116734,a,mongodb,mongodb,2.2.3,*,*,*,*,*,*,*,native
116735,a,mongodb,mongodb,2.0.5,*,*,*,*,*,*,*,native
116736,a,mongodb,mongodb,1.6.0,*,*,*,*,*,*,*,native
116738,a,mongodb,mongodb,2.0.2,*,*,*,*,*,*,*,native
116739,a,mongodb,mongodb,2.0.7,*,*,*,*,*,*,*,native
120693,a,mongodb,mongodb,2.4.2,*,*,*,*,*,*,*,native
120696,a,mongodb,mongodb,2.4.5,*,*,*,*,*,*,*,native
120697,a,mongodb,mongodb,2.4.0,*,*,*,*,*,*,*,native
120700,a,mongodb,mongodb,2.4.3,*,*,*,*,*,*,*,native
120703,a,mongodb,mongodb,2.5.0,*,*,*,*,*,*,*,native
120704,a,mongodb,mongodb,2.4.4,*,*,*,*,*,*,*,native
120705,a,mongodb,mongodb,2.4.1,*,*,*,*,*,*,*,native
141564,a,mongodb,mongodb,1.7.0,*,*,*,*,*,*,*,native
150252,a,mongodb,mongodb,*,*,*,*,enterprise,*,*,*,native
160046,a,mongodb,mongodb,-,*,*,*,*,*,*,*,native
199106,a,mongodb,mongodb,2.2.5,*,*,*,*,*,*,*,native
199124,a,mongodb,mongodb,2.2.7,*,*,*,*,*,*,*,native
199125,a,mongodb,mongodb,2.3.0,*,*,*,*,*,*,*,native
199131,a,mongodb,mongodb,2.2.4,*,*,*,*,*,*,*,native
199132,a,mongodb,mongodb,2.2.6,*,*,*,*,*,*,*,native
199133,a,mongodb,mongodb,2.0.8,*,*,*,*,*,*,*,native
215550,a,mongodb,mongodb,*,*,*,*,*,visual_studio_code,*,*,native
224263,a,mongodb,mongodb,4.4.0,rc9,*,*,*,*,*,*,native
224264,a,mongodb,mongodb,4.4.0,rc8,*,*,*,*,*,*,native
224265,a,mongodb,mongodb,4.4.0,rc7,*,*,*,*,*,*,native
224266,a,mongodb,mongodb,4.4.0,rc6,*,*,*,*,*,*,native
224267,a,mongodb,mongodb,4.4.0,rc5,*,*,*,*,*,*,native
224268,a,mongodb,mongodb,4.4.0,rc4,*,*,*,*,*,*,native
224269,a,mongodb,mongodb,4.4.0,rc3,*,*,*,*,*,*,native
224270,a,mongodb,mongodb,4.4.0,rc2,*,*,*,*,*,*,native
224271,a,mongodb,mongodb,4.4.0,rc1,*,*,*,*,*,*,native
224272,a,mongodb,mongodb,4.4.0,rc10,*,*,*,*,*,*,native
224273,a,mongodb,mongodb,4.4.0,rc11,*,*,*,*,*,*,native
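An added example, not part of the issue thread or of dependency-check's own code: it parses the two CPE dumps quoted above and lists the mongodb:mongodb entries whose ecosystem tag was native in the 8.4.3 database but is empty in 9.x. The column layout is an assumption (it is taken to mirror the dependency-check cpeEntry table), and only a handful of rows from the comment are embedded so that it runs offline.

```python
import csv
import io

# Assumed column layout of the dump rows quoted in the issue (mirrors the
# cpeEntry table of the dependency-check database; an assumption, not verified).
COLUMNS = ["id", "part", "vendor", "product", "version", "update", "edition",
           "language", "sw_edition", "target_sw", "target_hw", "other", "ecosystem"]

# A subset of the 9.x rows from the issue: the ecosystem column is empty on several.
CPE_9X = """\
112074,a,mongodb,mongodb,*,*,*,*,*,*,*,*,native
112075,a,mongodb,mongodb,1.2.0,*,*,*,*,*,*,*,
112076,a,mongodb,mongodb,1.4.0,*,*,*,*,*,*,*,
118001,a,mongodb,mongodb,2.4.0,*,*,*,*,*,*,*,native
122883,a,mongodb,mongodb,2.6.2,*,*,*,*,*,*,*,
"""

# The same CPEs from the 8.4.3 dump, where every row carries ecosystem=native.
CPE_843 = """\
106676,a,mongodb,mongodb,*,*,*,*,*,*,*,*,native
116718,a,mongodb,mongodb,1.2.0,*,*,*,*,*,*,*,native
116723,a,mongodb,mongodb,1.4.0,*,*,*,*,*,*,*,native
120697,a,mongodb,mongodb,2.4.0,*,*,*,*,*,*,*,native
106669,a,mongodb,mongodb,2.6.2,*,*,*,*,*,*,*,native
"""


def parse_cpe_dump(text):
    """Map each CPE (all columns except id and ecosystem) to its ecosystem value."""
    rows = {}
    for rec in csv.reader(io.StringIO(text)):
        if not rec:
            continue
        row = dict(zip(COLUMNS, rec))
        key = tuple(row[c] for c in COLUMNS[1:-1])  # part .. other
        rows[key] = row["ecosystem"]
    return rows


def lost_ecosystem(old_text, new_text):
    """Versions whose CPE had an ecosystem in the old dump but an empty one in the new dump."""
    old, new = parse_cpe_dump(old_text), parse_cpe_dump(new_text)
    return sorted(k[3] for k, eco in new.items() if eco == "" and old.get(k, "") != "")


def unscoped(new_text):
    """Versions with an empty ecosystem: these rows are no longer restricted to 'native'."""
    return sorted(k[3] for k, eco in parse_cpe_dump(new_text).items() if eco == "")


if __name__ == "__main__":
    print("lost ecosystem between 8.4.3 and 9.x:", lost_ecosystem(CPE_843, CPE_9X))
```

Run against full dumps, the same functions show every row that the 9.x database no longer scopes to the native ecosystem, which is the set to watch when judging whether an npm package can be matched to mongodb:mongodb.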