Open mumans opened 8 months ago
Hi, any news about this issue? Thx
You would likely get a faster turnaround on this if you submitted these using the false positive report instead of just reporting a bug. Yes, you would likely have to report three (one for each incorrectly identified CPE). In some cases it is just a simple approval needed to put the fix in via the automation we built.
Describe the bug
The dependency-check flags the wrong packages with the wrong identifiers:
Identified: pkg:javascript/lodash@3.0.3 / Flagged: pkg:javascript/lodash.isboolean@3.0.3
Identified: pkg:javascript/lodash@3.0.3 / Flagged: pkg:javascript/lodash.isnumber@3.0.3
Identified: pkg:javascript/lodash@4.0.1 / Flagged: pkg:javascript/lodash.isstring@4.0.1
Those packages have no vulnerabilities:
lodash.isboolean@3.0.3: https://security.snyk.io/package/npm/lodash.isboolean/3.0.3
lodash.isnumber@3.0.3: https://security.snyk.io/package/npm/lodash.isnumber/3.0.3
lodash.isstring@4.0.1: https://security.snyk.io/package/npm/lodash.isstring/4.0.1
So we can't suppress pkg:javascript/lodash@3.0.3 and pkg:javascript/lodash@4.0.1 to bypass this bad parsing, since lodash versions 4.17.12 and lower have critical vulnerabilities.
Version of dependency-check used
The problem occurs with version 9.0.8, but we have seen it since version 8.4.3; we didn't test older ones (tested in CLI and Docker, but I think it concerns all types).
Log file
Nothing in the logs:
[INFO] Checking for updates
[INFO] Skipping the NVD API Update as it was completed within the last 240 minutes
[INFO] Skipping Known Exploited Vulnerabilities update check since last check was within 24 hours.
[INFO] Check for updates complete (463 ms)
...
[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Node.js Package Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Node Audit Analyzer (0 seconds)
[INFO] Finished RetireJS Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Known Exploited Vulnerability Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Finished Unused Suppression Rule Analyzer (0 seconds)
[INFO] Analysis Complete (1 seconds)
[INFO] Writing HTML report to: ./dependency-check-report.html
To Reproduce
Simple steps to reproduce the behavior:
{
  "name": "test",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "author": "",
  "license": "ISC",
  "dependencies": {
    "lodash.isboolean": "^3.0.3",
    "lodash.isnumber": "^3.0.3",
    "lodash.isstring": "^4.0.1"
  }
}
npm install
./bin/dependency-check.sh --out . --scan ./
Expected behavior
No vulnerabilities raised
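The reporter's constraint is the interesting part: a suppression keyed on pkg:javascript/lodash@3.0.3 would also hide genuine lodash findings. The script below is an added example, not code from the issue or from the dependency-check project. It takes the three (identified, flagged) pairs quoted above and emits suppression entries selected by the flagged package's own file path (node_modules/<name>/package.json, the usual npm layout) rather than by the lodash package URL, so a real lodash@4.0.1 installed next to lodash.isstring@4.0.1 is still reported. The CPE value cpe:/a:lodash:lodash, the suppressions.xml namespace, the purl-parsing helper and the simplified suppression_applies() matcher are assumptions of this example and are marked as such in the code; confirm the filePath values against the paths in your own report before relying on them.

```python
"""Added example (not code from the issue or from the dependency-check project):
emit suppression rules scoped to the mis-identified file instead of to
pkg:javascript/lodash@<version>, so real lodash findings elsewhere stay visible.

Assumptions not stated in the issue:
  * npm places each package at node_modules/<name>/package.json.
  * dependency-check reports lodash under the CPE cpe:/a:lodash:lodash (the NVD
    vendor:product pair for lodash); edit CPE_BY_NAME if your report differs.
  * suppression_applies() is a simplified model of the tool's own matcher.
"""
import re
import xml.etree.ElementTree as ET
from typing import Iterable, NamedTuple, Tuple

NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"

# Assumed mapping from the *identified* purl name to the CPE dependency-check assigns.
CPE_BY_NAME = {"lodash": "cpe:/a:lodash:lodash"}

# The three (identified, flagged) pairs quoted in the issue.
ISSUE_PAIRS = [
    ("pkg:javascript/lodash@3.0.3", "pkg:javascript/lodash.isboolean@3.0.3"),
    ("pkg:javascript/lodash@3.0.3", "pkg:javascript/lodash.isnumber@3.0.3"),
    ("pkg:javascript/lodash@4.0.1", "pkg:javascript/lodash.isstring@4.0.1"),
]


class Purl(NamedTuple):
    type: str
    name: str
    version: str


_PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?P<name>[^@]+)@(?P<version>.+)$")


def parse_purl(purl: str) -> Purl:
    """Parse the simple purl shape used in the issue: pkg:<type>/<name>@<version>."""
    m = _PURL_RE.match(purl)
    if not m:
        raise ValueError(f"unsupported purl: {purl}")
    return Purl(m["type"], m["name"], m["version"])


def is_misidentified(identified: str, flagged: str) -> bool:
    """True when the identified package name differs from the package on disk."""
    return parse_purl(identified).name != parse_purl(flagged).name


def file_path_regex(flagged: str) -> str:
    """Regex matching only the flagged package's own package.json under node_modules."""
    name = re.escape(parse_purl(flagged).name)  # escapes the dot in lodash.isboolean
    return rf"(.*[\\/])?node_modules[\\/]{name}[\\/]package\.json$"


def build_suppressions(pairs: Iterable[Tuple[str, str]], cpe_by_name=CPE_BY_NAME) -> str:
    """Return suppressions.xml text with one <suppress> per mis-identified pair."""
    ET.register_namespace("", NS)
    root = ET.Element(f"{{{NS}}}suppressions")
    for identified, flagged in pairs:
        if not is_misidentified(identified, flagged):
            continue
        cpe = cpe_by_name[parse_purl(identified).name]  # KeyError if the mapping is missing
        sup = ET.SubElement(root, f"{{{NS}}}suppress")
        ET.SubElement(sup, f"{{{NS}}}notes").text = (
            f"{flagged} is wrongly identified as {identified}; scoped to this file only"
        )
        ET.SubElement(sup, f"{{{NS}}}filePath", regex="true").text = file_path_regex(flagged)
        ET.SubElement(sup, f"{{{NS}}}cpe").text = cpe
    if hasattr(ET, "indent"):  # pretty-printing needs Python 3.9+
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")


def suppression_applies(xml_text: str, file_path: str, cpe: str) -> bool:
    """Simplified model of the matcher: an entry applies when its filePath regex
    matches the whole path and the reported CPE starts with the entry's <cpe>."""
    root = ET.fromstring(xml_text)
    for sup in root.findall(f"{{{NS}}}suppress"):
        fp = sup.find(f"{{{NS}}}filePath")
        entry_cpe = sup.find(f"{{{NS}}}cpe")
        if fp is None or entry_cpe is None:
            continue
        if re.fullmatch(fp.text, file_path) and cpe.startswith(entry_cpe.text):
            return True
    return False


if __name__ == "__main__":
    print(build_suppressions(ISSUE_PAIRS))
```

Run it and pass the printed file to dependency-check with --suppression. filePath is used as the selector rather than packageUrl on purpose: a packageUrl selector on pkg:javascript/lodash@3.0.3 would be exactly the over-broad suppression the report warns against. This is a stop-gap for the scan output; the misidentification itself still belongs in the false positive report the maintainer asked for.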