search

jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0
6.44k stars 1.28k forks source link

dependency-check-maven:9.0.7:aggregate ignores hostedSuppressionsUrl and knownExploitedUrl? #6329

Closed RobSHK closed 3 weeks ago

RobSHK commented 11 months ago

Describe the bug Using Maven dependency-check-maven:9.0.7:aggregate with the parameters hostedSuppressionsUrl and knownExploitedUrl defined in the pom.xml, both files exists and not empty, but still the following Warning appears:

[WARNING] Hosted Suppressions file is empty or missing - attempting to force the update
[WARNING] Empty Hosted Suppression file after update, results may contain false positives already resolved by the DependencyCheck project due to failed download of the hosted suppression file

Version of dependency-check used The problem occurs using version 9.0.7 of the maven plugin.

Log file https://gist.github.com/RobSHK/758e91d104f7414ea804a1fc735b179a

Expected behavior The refered files should be used.

jeremylong commented 10 months ago

The files may exists - but are you correctly supplying a URI? How have you configured these parameters?

RobSHK commented 10 months ago

I assume that the URI is correctly supplied, the parameters are defined within the pom.xml, referencing to files which are located in our Nexus Repository: `https://nexsus-server/nexus/repository/binaries/xx/xxx/xxx/owasp-v9/publishedSuppressions/latest/publishedSuppressions-latest.xml</owasp.hostedSuppressionsUrl>

https://nexsus-server/nexus/repository/binaries/xx/xxx/xxx/owasp-v9/known_exploited_vulnerabilities/latest/known_exploited_vulnerabilities-latest.json`
aikebah commented 10 months ago

https://nexsus-server/nexus/repository/binaries/xx/xxx/xxx/ are you sure that's not a typo and should be nexus-server instead?

jeremylong commented 10 months ago

I've never seen a configuration that used: <owasp.hostedSuppressionsUrl>. I'd expect something more like:

            <plugin>
              <groupId>org.owasp</groupId>
              <artifactId>dependency-check-maven</artifactId>
              <version>9.0.7</version>
              <configuration>
                  <hostedSuppressionsUrl>https://nexsus-server/nexus/repository/binaries/xx/xxx/xxx/owasp-v9/publishedSuppressions/latest/publishedSuppressions-latest.xml</hostedSuppressionsUrl>
              </configuration>
              <executions>
                  <execution>
                      <goals>
                          <goal>check</goal>
                      </goals>
                  </execution>
              </executions>
            </plugin>

Also, if you add the -x argument all of the configuration will be logged so you can pipe the output to a file and then search for hosted.suppressions.url.

RobSHK commented 10 months ago

https://nexsus-server/nexus/repository/binaries/xx/xxx/xxx/ are you sure that's not a typo and should be nexus-server instead?

Sure it is a typo, I've changed the real nexus address, just to avoid sharing our company real address.

aikebah commented 10 months ago

@Jeremy, they likely use a (corporate standard) parent-pom that configures Dependency-check with a custom property, so that it can be overridden (in maven settings.xml or with -D properties on the command-line) on environments where another URL should be used. (e.g. developers use the public URL exposed on the intranet or internet and build-infra uses an in-datacenter private URL to access the same resource)

Typically the company standard pom would set the intranet/internet-url as a property in the pom.xml, so that developers don't need to modify their settings.xml and the in-house CI/Build environment has a settings.xml that overrules the property so that the more efficient direct connection to the server is used by the build-infrastructure.

            <plugin>
              <groupId>org.owasp</groupId>
              <artifactId>dependency-check-maven</artifactId>
              <version>9.0.7</version>
              <configuration>
                  <hostedSuppressionsUrl>${owasp.hostedSuppressionsUrl}</hostedSuppressionsUrl>
              </configuration>
              <executions>
                  <execution>
                      <goals>
                          <goal>check</goal>
                      </goals>
                  </execution>
              </executions>
            </plugin>
aikebah commented 10 months ago

https://nexsus-server/nexus/repository/binaries/xx/xxx/xxx/ are you sure that's not a typo and should be nexus-server instead?

Sure it is a typo, I've changed the real nexus address, just to avoid sharing our company real address.

In that case... .check that the repository is actually accessible anonymously and not shielded off with a required login. The 'empty file' (in the download caches) could be a symptom of an authentication failure trying to retrieve it.

RobSHK commented 10 months ago

I've never seen a configuration that used: <owasp.hostedSuppressionsUrl>. I'd expect something more like:

            <plugin>
              <groupId>org.owasp</groupId>
              <artifactId>dependency-check-maven</artifactId>
              <version>9.0.7</version>
              <configuration>
                  <hostedSuppressionsUrl>https://nexsus-server/nexus/repository/binaries/xx/xxx/xxx/owasp-v9/publishedSuppressions/latest/publishedSuppressions-latest.xml</hostedSuppressionsUrl>
              </configuration>
              <executions>
                  <execution>
                      <goals>
                          <goal>check</goal>
                      </goals>
                  </execution>
              </executions>
            </plugin>

Also, if you add the -x argument all of the configuration will be logged so you can pipe the output to a file and then search for hosted.suppressions.url.

Sorry I've copied the wrong pom.xml entry, the correct one is: <hostedSuppressionsUrl>https://nexus-server/nexus/repository/binaries/XXX/XXX/XXX/owasp-v9/publishedSuppressions/latest/publishedSuppressions-latest.xml</hostedSuppressionsUrl> I've run it again with -X, as expected it is a huge log, I have to remove any sensitive data from it, then I'll share it.

RobSHK commented 10 months ago

https://nexsus-server/nexus/repository/binaries/xx/xxx/xxx/ are you sure that's not a typo and should be nexus-server instead?

Sure it is a typo, I've changed the real nexus address, just to avoid sharing our company real address.

In that case... .check that the repository is actually accessible anonymously and not shielded off with a required login. The 'empty file' (in the download caches) could be a symptom of an authentication failure trying to retrieve it.

I'm pretty sure it is not an accessibility issue as also the knownExploitedUrl is pointing to Nexus, but no warnings appears.

<knownExploitedUrl>https://nexus-server/nexus/repository/binaries/XXX/XXX/XXX/owasp-v9/known_exploited_vulnerabilities/latest/known_exploited_vulnerabilities-latest.json</knownExploitedUrl>

jeremylong commented 10 months ago

If your nexus requires auth - it could be being blocked.

RobSHK commented 10 months ago

If your nexus requires auth - it could be being blocked.

Again as in my last comment, in that case shouldn't also the knownExploitedUrl throw a warning or error? both files are located in the same repository, the hostedSuppressionsUrl throw warning the other one not. The log is located here

RobSHK commented 10 months ago

For the avoidance of doubt I just tested it also with a local file, same behavior.

`file:///home/jenkins/temp/publishedSuppressions.xml

https://nexus-server/nexus/repository/binaries/XXX/XXX/XXX/owasp-v9/known_exploited_vulnerabilities/latest/known_exploited_vulnerabilities-latest.json

`

`[INFO] --- dependency-check-maven:9.0.7:aggregate (default) @ vcmobile-pom --- [INFO] Found snapshot reactor project in aggregate for vcmobile:vcmobile-client:1.6.9-SNAPSHOT - creating a virtual dependency as the snapshot found in the repository may contain outdated dependencies. [INFO]

Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user's risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

About ODC: https://jeremylong.github.io/DependencyCheck/general/internals.html False Positives: https://jeremylong.github.io/DependencyCheck/general/suppression.html

💖 Sponsor: https://github.com/sponsors/jeremylong

[INFO] Analysis Started [INFO] Finished Archive Analyzer (0 seconds) [INFO] Finished File Name Analyzer (0 seconds) [INFO] Finished Jar Analyzer (0 seconds) [WARNING] Unable to find node module: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/client/node_modules/@angular/localize/package.json [WARNING] Unable to find node module: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/client/node_modules/@angular/localize/node_modules/@babel/core/package.json [WARNING] Unable to find node module: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/client/node_modules/@angular/localize/node_modules/semver/package.json [WARNING] Unable to find node module: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/client/node_modules/@angular/localize/node_modules/source-map/package.json [WARNING] Unable to find node module: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/client/node_modules/@es-joy/jsdoccomment/node_modules/comment-parser/package.json [WARNING] Unable to find node module: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/client/node_modules/@es-joy/jsdoccomment/node_modules/jsdoc-type-pratt-parser/package.json [WARNING] Unable to find node module: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/client/node_modules/@es-joy/jsdoccomment/package.json [WARNING] Unable to find node module: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/client/node_modules/@popperjs/core/package.json [WARNING] Unable to find node module: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/client/node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/experimental-utils/package.json [WARNING] Unable to find node module: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/client/node_modules/comment-parser/package.json [WARNING] Unable to find node module: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/client/node_modules/eslint-plugin-jsdoc/node_modules/@es-joy/jsdoccomment/package.json [WARNING] Unable to find node module: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/client/node_modules/eslint-plugin-jsdoc/node_modules/comment-parser/package.json [WARNING] Unable to find node module: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/client/node_modules/eslint-plugin-jsdoc/node_modules/jsdoc-type-pratt-parser/package.json [WARNING] Unable to find node module: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/client/node_modules/eslint-plugin-jsdoc/node_modules/regextras/package.json [WARNING] Unable to find node module: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/client/node_modules/eslint-plugin-jsdoc/node_modules/spdx-expression-parse/package.json [WARNING] Unable to find node module: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/client/node_modules/eslint-plugin-jsdoc/package.json [WARNING] Unable to find node module: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/client/node_modules/eslint-plugin-jsdoc/node_modules/escape-string-regexp/package.json [WARNING] Unable to find node module: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/client/node_modules/eslint-plugin-prefer-arrow/package.json [WARNING] Unable to find node module: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/client/node_modules/jsdoc-type-pratt-parser/package.json [WARNING] Unable to find node module: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/client/node_modules/karma-chrome-launcher/package.json [WARNING] Unable to find node module: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/client/node_modules/karma-chrome-launcher/node_modules/which/package.json [WARNING] Unable to find node module: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/client/node_modules/regextras/package.json [WARNING] Unable to find node module: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/client/node_modules/spdx-exceptions/package.json [WARNING] Unable to find node module: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/client/node_modules/spdx-expression-parse/node_modules/spdx-exceptions/package.json [WARNING] Unable to find node module: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/client/node_modules/spdx-expression-parse/node_modules/spdx-license-ids/package.json [WARNING] Unable to find node module: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/client/node_modules/spdx-expression-parse/package.json [WARNING] Unable to find node module: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/client/node_modules/spdx-license-ids/package.json [INFO] Finished Node.js Package Analyzer (1 seconds) [INFO] Finished Dependency Merging Analyzer (0 seconds) [INFO] Finished Hint Analyzer (0 seconds) [INFO] Finished Version Filter Analyzer (0 seconds) [INFO] Created CPE Index (1 seconds) [WARNING] Hosted Suppressions file is empty or missing - attempting to force the update [WARNING] Empty Hosted Suppression file after update, results may contain false positives already resolved by the DependencyCheck project due to failed download of the hosted suppression file [INFO] Finished CPE Analyzer (5 seconds) [INFO] Finished False Positive Analyzer (0 seconds) [INFO] Finished NVD CVE Analyzer (0 seconds) [INFO] Finished Vulnerability Suppression Analyzer (0 seconds) [INFO] Finished Known Exploited Vulnerability Analyzer (0 seconds) [INFO] Finished Dependency Bundling Analyzer (0 seconds) [INFO] Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/org.apache.logging.log4j/log4j-to-slf4j@.$, regex=true, caseSensitive=false},cve={CVE-2021-44228,}} [INFO] Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/org.apache.logging.log4j/log4j-api@.$, regex=true, caseSensitive=false},cve={CVE-2021-44228,}} [INFO] Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/org.apache.logging.log4j/log4j-api@.$, regex=true, caseSensitive=false},cve={CVE-2021-44832,}} [INFO] Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/org.apache.logging.log4j/log4j-api@.$, regex=true, caseSensitive=false},cve={CVE-2021-45046,}} [INFO] Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/org.apache.logging.log4j/log4j-to-slf4j@.*$, regex=true, caseSensitive=false},cve={CVE-2021-44832,}} [INFO] Finished Unused Suppression Rule Analyzer (0 seconds) [INFO] Analysis Complete (7 seconds) [INFO] Writing XML report to: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/target/dependency-check-report.xml [INFO] Writing HTML report to: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/target/dependency-check-report.html [INFO] Writing JSON report to: /var/lib/jenkins/workspace/INFO-SMART-SC-OWASP-V9-INT/target/dependency-check-report.json [WARNING]

One or more dependencies were identified with known vulnerabilities in OWASP-TEST-PIPELINE:

async:^2.6.2 (pkg:npm/async@2.6.3, cpe:2.3:a:async_project:async:2.6.3:::::::) : CVE-2021-43138 decode-uri-component:^0.2.0 (pkg:npm/decode-uri-component@0.2.0, cpe:2.3:a:decode-uri-component_project:decode-uri-component:0.2.0:::::::) : CVE-2022-38900, CVE-2022-38778 engine.io:~6.1.0 (pkg:npm/engine.io@6.1.0, cpe:2.3:a:socket:engine.io:6.1.0:::::::) : CVE-2022-21676, CVE-2022-41940, CVE-2023-31125 follow-redirects:^1.0.0 (pkg:npm/follow-redirects@1.14.6, cpe:2.3:a:follow-redirects_project:follow-redirects:1.14.6:::::::) : CVE-2022-0155, CVE-2022-0536 http-cache-semantics:^4.1.0 (pkg:npm/http-cache-semantics@4.1.0, cpe:2.3:a:http-cache-semantics_project:http-cache-semantics:4.1.0:::::::) : CVE-2022-25881 jackson-databind-2.13.0.jar (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0, cpe:2.3:a:fasterxml:jackson-databind:2.13.0:::::::, cpe:2.3:a:fasterxml:jackson-modules-java8:2.13.0:::::::) : CVE-2020-36518, CVE-2021-46877, CVE-2022-42003, CVE-2022-42004, CVE-2023-35116 json5:1.0.1 (pkg:npm/json5@1.0.1, cpe:2.3:a:json5:json5:1.0.1:::::::) : CVE-2022-46175 json5:^2.1.2 (pkg:npm/json5@2.2.0, cpe:2.3:a:json5:json5:2.2.0:::::::) : CVE-2022-46175 jsrsasign:10.5.1 (pkg:npm/jsrsasign@10.5.1, cpe:2.3:a:jsrsasign_project:jsrsasign:10.5.1:::::::) : CVE-2022-25898 jszip:^3.1.3 (pkg:npm/jszip@3.7.1, cpe:2.3:a:jszip_project:jszip:3.7.1:::::::) : CVE-2022-48285 karma:6.3.9 (pkg:npm/karma@6.3.9, cpe:2.3:a:karma_project:karma:6.3.9:::::::) : CVE-2021-23495, CVE-2022-0437 loader-utils:1.4.0 (pkg:npm/loader-utils@1.4.0, cpe:2.3:a:webpack.js:loader-utils:1.4.0:::::::) : CVE-2022-37601, CVE-2022-37599, CVE-2022-37603 loader-utils:2.0.2 (pkg:npm/loader-utils@2.0.2, cpe:2.3:a:webpack.js:loader-utils:2.0.2:::::::) : CVE-2022-37601, CVE-2022-37599, CVE-2022-37603 loader-utils:3.2.0 (pkg:npm/loader-utils@3.2.0, cpe:2.3:a:webpack.js:loader-utils:3.2.0:::::::) : CVE-2022-37599, CVE-2022-37603 log4js:6.3.0 (pkg:npm/log4js@6.3.0, cpe:2.3:a:log4js_project:log4js:6.3.0:::::::) : CVE-2022-21704 logback-core-1.2.7.jar (pkg:maven/ch.qos.logback/logback-core@1.2.7, cpe:2.3:a:qos:logback:1.2.7:::::::) : CVE-2023-6378, CVE-2021-42550 minimatch:^3.0.4 (pkg:npm/minimatch@3.0.4, cpe:2.3:a:minimatch_project:minimatch:3.0.4:::::::) : CVE-2022-3517 minimist:^1.2.0 (pkg:npm/minimist@1.2.5, cpe:2.3:a:substack:minimist:1.2.5:::::::) : CVE-2021-44906 moment:2.29.1 (pkg:npm/moment@2.29.1, cpe:2.3:a:momentjs:moment:2.29.1:::::::) : CVE-2022-24785, CVE-2022-31129 nanoid:^3.1.30 (pkg:npm/nanoid@3.1.30, cpe:2.3:a:nanoid_project:nanoid:3.1.30:::::::) : CVE-2021-23566 postcss:7.0.39 (pkg:npm/postcss@7.0.39, cpe:2.3:a:postcss:postcss:7.0.39:::::::) : CVE-2023-44270 postcss:8.4.4 (pkg:npm/postcss@8.4.4, cpe:2.3:a:postcss:postcss:8.4.4:::::::) : CVE-2023-44270 qs:6.5.2 (pkg:npm/qs@6.5.2, cpe:2.3:a:qs_project:qs:6.5.2:::::::) : CVE-2022-24999 qs:6.9.6 (pkg:npm/qs@6.9.6, cpe:2.3:a:qs_project:qs:6.9.6:::::::) : CVE-2022-24999 snakeyaml-1.29.jar (pkg:maven/org.yaml/snakeyaml@1.29, cpe:2.3:a:snakeyaml_project:snakeyaml:1.29:::::::) : CVE-2022-1471, CVE-2022-25857, CVE-2022-38749, CVE-2022-38751, CVE-2022-38752, CVE-2022-41854, CVE-2022-38750 socket.io-parser:4.0.4 (pkg:npm/socket.io-parser@4.0.4, cpe:2.3:a:socket:socket.io-parser:4.0.4:::::::) : CVE-2022-2421, CVE-2023-32695 spring-boot-2.6.1.jar (pkg:maven/org.springframework.boot/spring-boot@2.6.1, cpe:2.3:a:vmware:spring_boot:2.6.1:::::::) : CVE-2023-20873, CVE-2023-20883 spring-boot-devtools-2.6.1.jar (pkg:maven/org.springframework.boot/spring-boot-devtools@2.6.1, cpe:2.3:a:vmware:spring_boot:2.6.1:::::::, cpe:2.3:a:vmware:spring_boot_tools:2.6.1:::::::, cpe:2.3:a:vmware:spring_tools:2.6.1:::::::) : CVE-2023-20873, CVE-2023-20883 spring-boot-starter-web-2.6.1.jar (pkg:maven/org.springframework.boot/spring-boot-starter-web@2.6.1, cpe:2.3:a:vmware:spring_boot:2.6.1:::::::, cpe:2.3:a:web_project:web:2.6.1:::::::) : CVE-2023-20873, CVE-2023-20883 spring-core-5.3.13.jar (pkg:maven/org.springframework/spring-core@5.3.13, cpe:2.3:a:pivotal_software:spring_framework:5.3.13:::::::, cpe:2.3:a:springsource:spring_framework:5.3.13:::::::, cpe:2.3:a:vmware:spring_framework:5.3.13:::::::) : CVE-2022-22965, CVE-2023-20860, CVE-2022-22950, CVE-2022-22971, CVE-2023-20861, CVE-2023-20863, CVE-2022-22968, CVE-2022-22970, CVE-2021-22060 spring-security-core-5.6.0.jar (pkg:maven/org.springframework.security/spring-security-core@5.6.0, cpe:2.3:a:pivotal_software:spring_security:5.6.0:::::::, cpe:2.3:a:vmware:spring_security:5.6.0:::::::) : CVE-2022-22978, CVE-2022-31692, CVE-2023-34034, CVE-2022-31690, CVE-2022-22976 spring-security-oauth2-resource-server-5.6.0.jar (pkg:maven/org.springframework.security/spring-security-oauth2-resource-server@5.6.0, cpe:2.3:a:pivotal:spring_security_oauth:5.6.0:::::::, cpe:2.3:a:pivotal_software:spring_security:5.6.0:::::::, cpe:2.3:a:pivotal_software:spring_security_oauth:5.6.0:::::::, cpe:2.3:a:vmware:spring_security:5.6.0:::::::) : CVE-2022-22978, CVE-2022-31692, CVE-2023-34034, CVE-2022-31690, CVE-2022-22976 spring-security-web-5.6.0.jar (pkg:maven/org.springframework.security/spring-security-web@5.6.0, cpe:2.3:a:pivotal_software:spring_security:5.6.0:::::::, cpe:2.3:a:vmware:spring_security:5.6.0:::::::, cpe:2.3:a:web_project:web:5.6.0:::::::) : CVE-2022-22978, CVE-2022-31692, CVE-2023-34034, CVE-2022-31690, CVE-2022-22976 spring-web-5.3.13.jar (pkg:maven/org.springframework/spring-web@5.3.13, cpe:2.3:a:pivotal_software:spring_framework:5.3.13:::::::, cpe:2.3:a:springsource:spring_framework:5.3.13:::::::, cpe:2.3:a:vmware:spring_framework:5.3.13:::::::, cpe:2.3:a:web_project:web:5.3.13:::::::) : CVE-2016-1000027, CVE-2022-22965, CVE-2023-20860, CVE-2022-22950, CVE-2022-22971, CVE-2023-20861, CVE-2023-20863, CVE-2022-22968, CVE-2022-22970, CVE-2021-22060 spring-webmvc-5.3.13.jar (pkg:maven/org.springframework/spring-webmvc@5.3.13, cpe:2.3:a:pivotal_software:spring_framework:5.3.13:::::::, cpe:2.3:a:springsource:spring_framework:5.3.13:::::::, cpe:2.3:a:vmware:spring_framework:5.3.13:::::::, cpe:2.3:a:web_project:web:5.3.13:::::::) : CVE-2022-22965, CVE-2023-20860, CVE-2022-22950, CVE-2022-22971, CVE-2023-20861, CVE-2023-20863, CVE-2022-22968, CVE-2022-22970, CVE-2021-22060 terser:^5.7.2 (pkg:npm/terser@5.10.0, cpe:2.3:a:terser:terser:5.10.0:::::::) : CVE-2022-25858 tomcat-embed-core-9.0.55.jar (pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.55, cpe:2.3:a:apache:tomcat:9.0.55:::::::, cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.55:::::::) : CVE-2022-29885, CVE-2022-42252, CVE-2022-45143, CVE-2023-44487, CVE-2023-46589, CVE-2022-23181, CVE-2022-34305, CVE-2023-41080, CVE-2023-42795, CVE-2023-45648, CVE-2023-28708, CVE-2021-43980 tough-cookie:2.5.0 (pkg:npm/tough-cookie@2.5.0, cpe:2.3:a:salesforce:tough-cookie:2.5.0:::::::) : CVE-2023-26136 ua-parser-js:0.7.31 (pkg:npm/ua-parser-js@0.7.31, cpe:2.3:a:ua-parser-js_project:ua-parser-js:0.7.31:::::::) : CVE-2022-25927 webpack:5.65.0 (pkg:npm/webpack@5.65.0, cpe:2.3:a:webpack.js:webpack:5.65.0:::::::) : CVE-2023-28154 word-wrap:1.2.3 (pkg:npm/word-wrap@1.2.3, cpe:2.3:a:word-wrap_project:word-wrap:1.2.3:::::::) : CVE-2023-26115 xml2js:0.4.23 (pkg:npm/xml2js@0.4.23, cpe:2.3:a:xml2js_project:xml2js:0.4.23:::::::*) : CVE-2023-0842

See the dependency-check report for more details.

[INFO] ------------------------------------------------------------------------ [INFO] Reactor Summary for OWASP-TEST-PIPELINE 1.6.9-SNAPSHOT: [INFO] [INFO] Smart Client .............................. SUCCESS [ 53.185 s] [INFO] Smart Server .............................. SUCCESS [ 7.320 s] [INFO] OWASP-TEST-PIPELINE ................................ SUCCESS [ 11.092 s] [INFO] ------------------------------------------------------------------------ [INFO] BUILD SUCCESS`

$ ll /home/jenkins/temp/publishedSuppressions.xml -rw-rw-r-- 1 jenkins jenkins47016 Dec 21 14:49 /home/jenkins/temp/publishedSuppressions.xml

aikebah commented 10 months ago

@RobSHK 

[DEBUG] Setting: odc.autoupdate='false'

You have disabled auto-update, but some other job has put an empty hosted suppression in the cache

The 'forced update' signalled by the warning about the empty hosted suppressions only happens when you have auto-update enabled or if you yourself explicitly request for a forced update of the hostedSuppressionsFile

https://github.com/jeremylong/DependencyCheck/blob/93a552618359d3cfb209ef5c686659addf73e8be/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java#L251

RobSHK commented 10 months ago

publishedSuppressions.xml

Where is that cache located? or better how could I avoid that and that the up to date hosted suppression file will be used?

aikebah commented 10 months ago

Within the DependencyCheck dataDirectory just like the other caches.

If you did not modify the default location it would be within your Maven local repository as documented at http://jeremylong.github.io/DependencyCheck/dependency-check-maven/configuration.html

A cached copy will be considered up-to-date for a configurable amount of time (see hostedSuppressionsValidForHours in the same document), but will not be updated if you have set autoUpdate to false, use hostedSuppressionsForceUpdate (also on the same page) to enable updates of hostedSuppressionFile even if autoupdate is off (which will trigger an update not taking the validForHours setting into account, it will always update the file).

jeremylong commented 10 months ago

Is this still an issue?

RobSHK commented 10 months ago

This could be closed, I've added the hostedSuppressionsForceUpdate as suggested, afterwards the warnings are gone. Thank you.