jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Bad product parsing of dependencies observed with lodash package #6391

Open mumans opened 8 months ago

mumans commented 8 months ago

Describe the bug
The dependency-check flags the wrong packages with the wrong identifiers:

- Identified: pkg:javascript/lodash@3.0.3 / Flagged: pkg:javascript/lodash.isboolean@3.0.3
- Identified: pkg:javascript/lodash@3.0.3 / Flagged: pkg:javascript/lodash.isnumber@3.0.3
- Identified: pkg:javascript/lodash@4.0.1 / Flagged: pkg:javascript/lodash.isstring@4.0.1

Those packages have no vulnerabilities:

- lodash.isboolean@3.0.3: https://security.snyk.io/package/npm/lodash.isboolean/3.0.3
- lodash.isnumber@3.0.3: https://security.snyk.io/package/npm/lodash.isnumber/3.0.3
- lodash.isstring@4.0.1: https://security.snyk.io/package/npm/lodash.isstring/4.0.1

So we can't suppress pkg:javascript/lodash@3.0.3 and pkg:javascript/lodash@4.0.1 to bypass this bad parsing, since lodash versions 4.17.12 and lower have critical vulnerabilities.

Version of dependency-check used
The problem occurs with version 9.0.8, but we have seen it since version 8.4.3; I didn't test older ones (tested in CLI and Docker, but I think it concerns all types).

Log file
Nothing in the logs:

```
[INFO] Checking for updates
[INFO] Skipping the NVD API Update as it was completed within the last 240 minutes
[INFO] Skipping Known Exploited Vulnerabilities update check since last check was within 24 hours.
[INFO] Check for updates complete (463 ms)
...
[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Node.js Package Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Node Audit Analyzer (0 seconds)
[INFO] Finished RetireJS Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Known Exploited Vulnerability Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Finished Unused Suppression Rule Analyzer (0 seconds)
[INFO] Analysis Complete (1 seconds)
[INFO] Writing HTML report to: ./dependency-check-report.html
```

To Reproduce
Simple steps to reproduce the behavior:

1. Create package.json:

```json
{
  "name": "test",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "author": "",
  "license": "ISC",
  "dependencies": {
    "lodash.isboolean": "^3.0.3",
    "lodash.isnumber": "^3.0.3",
    "lodash.isstring": "^4.0.1"
  }
}
```

2. Install packages:

```
npm install
```

3. Run dependency-check:

```
./bin/dependency-check.sh --out . --scan ./
```

Expected behavior No vulnerabilities raised
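The report cannot be silenced by suppressing the lodash package URL without also hiding a real vulnerable lodash, but a suppression rule can instead be scoped to the file that was mis-identified. The following suppression file is an added example, not part of the original issue and not a file shipped by the project. It assumes that the Node.js Package Analyzer reports the dependency's file path as the sub-package's package.json under node_modules (check the File Path column in the report), and that the CPE assigned to these three dependencies is cpe:/a:lodash:lodash; the issue only shows the package URL, so copy the exact CPE from the report if it differs.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- Too broad: this also hides findings for a real lodash <= 4.17.12,
         which is exactly why the issue says it cannot be used. Kept here,
         disabled, only for comparison. -->
    <!--
    <suppress>
        <packageUrl regex="true">^pkg:javascript/lodash@.*$</packageUrl>
        <cpe>cpe:/a:lodash:lodash</cpe>
    </suppress>
    -->

    <!-- Scoped: matches only the three lodash.* sub-packages by the path of
         their package.json. A real lodash lives under node_modules/lodash/
         and does not match this regex, so its findings stay visible. -->
    <suppress>
        <notes><![CDATA[
        False positive: lodash.isboolean, lodash.isnumber and lodash.isstring are
        identified as lodash itself (jeremylong/DependencyCheck#6391).
        Remove this rule once the upstream false-positive fix is released.
        ]]></notes>
        <filePath regex="true">.*[\\/]node_modules[\\/]lodash\.(isboolean|isnumber|isstring)[\\/]package\.json$</filePath>
        <!-- Assumed CPE; take the exact value from the report's suppress button. -->
        <cpe>cpe:/a:lodash:lodash</cpe>
    </suppress>

</suppressions>
```

Pass the file to the CLI with `--suppression suppression.xml` alongside the `--scan` and `--out` options from the reproduction steps. The Unused Suppression Rule Analyzer in the log above will warn if the filePath regex stops matching (for example after the upstream fix), which is the signal to delete the rule rather than leave a stale suppression behind.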

mumans commented 3 months ago

Hi, any news about this issue? Thanks

jeremylong commented 3 months ago

You would likely get a faster turnaround on this if you submitted these using the false positive report instead of just reporting a bug. Yes, you would likely have to report three (one for each incorrectly identified CPE). In some cases it is just a simple approval needed to put the fix in via the automation we built.