jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Potential bug in dependency string parsing #6327

Open amanske-ada opened 10 months ago

amanske-ada commented 10 months ago

Describe the bug
Suddenly, we got reports of a bunch of vulnerabilities on the github.com/coreos/go-systemd/v22:22.5.0 package. Some of the vulnerabilities are 10+ years old. I believe that these vulnerabilities are related to the Linux systemd suite, and not go-systemd itself. Could it be that DependencyCheck does a contains on the dependency strings, and finds systemd in go-systemd?

[Screenshot: 2023-12-19 at 13:26:56]

Version of dependency-check used
The problem occurs using version 9.0.7 of the CLI via the Jenkins plugin.

Log file
Not needed in this case; the check itself is successful and the report is generated.

To Reproduce
Steps to reproduce the behavior:

  1. git clone https://github.com/rs/zerolog
  2. dependency-check --scan ./ --exclude "submodules/**" "vendor/**" ".scannerwork/**" --disableAssembly --enableExperimental --nvdApiDelay 2500 --format HTML --nvdApiKey xxx
  3. Check the report

[Screenshot: 2023-12-19 at 13:52:43]

Expected behavior
No vulnerabilities are reported for the dependency (https://snyk.io/advisor/golang/github.com/coreos/go-systemd/v22)

Additional context
Happy to provide more info if needed.

jeremylong commented 10 months ago

Check out https://jeremylong.github.io/DependencyCheck/general/internals.html
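A worked illustration of the mechanism the internals page describes (evidence is tokenized and matched against an index of CPE vendor/product names, so "go-systemd" yields the token "systemd", which hits the systemd product; no substring "contains" check is involved) and of the suppression file that removes such a finding. This is an added example, not dependency-check's own code: the tokenizer, the scoring and the suppression matcher are simplified stand-ins for the Lucene-based identifier, the CPE list and the evidence are constructed, and the systemd vendor string and the Go package URL form are assumptions to be replaced by what your own report shows.

```python
"""Why 'go-systemd' is identified as systemd, and how a suppression file
removes the finding.  Added illustration, NOT dependency-check's code: the
tokenizer, scoring and suppression matcher are simplified stand-ins."""
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the CPE index built from the NVD CPE dictionary.
# The systemd vendor string is an assumption; copy the exact CPE from your
# own report when writing a real suppression.
CPE_INDEX = [
    ("cpe:/a:systemd_project:systemd", "systemd_project", "systemd"),
    ("cpe:/a:coreos:etcd", "coreos", "etcd"),
    ("cpe:/a:apache:httpd", "apache", "httpd"),
]


def tokenize(text: str) -> set[str]:
    """Split on non-alphanumerics like a simple text analyzer: 'go-systemd'
    becomes {'go', 'systemd'}, so the match is on a whole token, not a substring."""
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if t}


def candidate_cpes(evidence: dict[str, str]) -> list[tuple[str, int]]:
    """Rank indexed CPEs against vendor/product evidence.  A product-token hit
    is required; a vendor-token hit only boosts the score (simplified scoring)."""
    vendor_tokens = tokenize(evidence["vendor"])
    product_tokens = tokenize(evidence["product"])
    scored = []
    for cpe, vendor, product in CPE_INDEX:
        if not (tokenize(product) & product_tokens):
            continue
        score = 2 + (1 if tokenize(vendor) & vendor_tokens else 0)
        scored.append((cpe, score))
    return sorted(scored, key=lambda s: -s[1])


# A rule in dependency-check's suppressions.xml format (schema 1.3), in the
# shape the HTML report's "suppress" button generates for a finding.
SUPPRESSIONS_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[go-systemd is a Go client for systemd, not the systemd daemon]]></notes>
    <packageUrl regex="true">^pkg:golang/github\.com/coreos/go\-systemd.*$</packageUrl>
    <cpe>cpe:/a:systemd_project:systemd</cpe>
  </suppress>
</suppressions>
"""
NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}


def load_suppressions(xml_text: str) -> list[dict]:
    """Parse <suppress> rules: optional packageUrl selector plus <cpe> values."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    rules = []
    for sup in root.findall("s:suppress", NS):
        purl = sup.find("s:packageUrl", NS)
        rules.append({
            "purl": purl.text if purl is not None else None,
            "purl_regex": purl is not None and purl.get("regex") == "true",
            "cpes": [c.text for c in sup.findall("s:cpe", NS)],
        })
    return rules


def is_suppressed(purl: str, cpe: str, rules: list[dict]) -> bool:
    """A rule applies when its packageUrl selector matches the dependency and
    one of its <cpe> values is a prefix of the identified CPE (the schema
    allows partial CPEs; exact semantics simplified here)."""
    for rule in rules:
        if rule["purl"]:
            if rule["purl_regex"]:
                if not re.fullmatch(rule["purl"], purl):
                    continue
            elif rule["purl"] != purl:
                continue
        if rule["cpes"] and not any(cpe.startswith(c) for c in rule["cpes"]):
            continue
        return True
    return False


def identify(evidence: dict[str, str], purl: str, rules: list[dict]) -> list[str]:
    """CPEs still attached to the dependency after suppression rules run."""
    return [cpe for cpe, _ in candidate_cpes(evidence)
            if not is_suppressed(purl, cpe, rules)]


if __name__ == "__main__":
    # Constructed evidence for the dependency from the issue; the package URL
    # form is an assumption (the report shows github.com/coreos/go-systemd/v22:22.5.0).
    ev = {"vendor": "coreos", "product": "go-systemd"}
    purl = "pkg:golang/github.com/coreos/go-systemd/v22@v22.5.0"
    print("without suppression:", candidate_cpes(ev))
    print("with suppression:   ", identify(ev, purl, load_suppressions(SUPPRESSIONS_XML)))
```

Running the script shows the systemd CPE ranked first from the bare token match and then dropped once the rule applies. In a real scan the equivalent file is passed with the CLI's `--suppression` option; keep the `packageUrl` selector narrow (as above) so the rule cannot hide genuine systemd findings on other dependencies, and prefer a `<cpe>` rule over suppressing individual CVEs, since the CVE list for the mismatched product will keep growing.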

amanske-ada commented 10 months ago

Got it, thanks!