Open marcelstoer opened 7 months ago
See how the CVE at the NVD says "AWAITING ANALYSIS" in the yellow warning bar? The CVE still is not complete in the NVD data as it has no affected software listed.
Yes 😄
I am trying to understand why dependency-check against Nimbus 9.28 fails i.e. reports a vulnerability (correct) but passes when run against Nimbus 9.37.3 (again, correct). How does it know? The formal information available in the CVE at the NVD does not contain the necessary clues.
ODC uses several sources of vulnerabilities. If only using the NVD (for instance in this case if you disabled the OSS Index Analyzer) the CVE would likely not show up until after the CVE has been analyzed and it lists specific CPEs that are vulnerable. If the OSS Index Analyzer is flagging the vulnerability - you would have to ask Sonatype as the OSS Index Analyzer was contributed by them and uses data from their service.
Thanks, I understand that. As CVE-2023-52428 for Nimbus 9.28 had indeed been reported by the OSS Index Analyzer in my project, I initially looked at their report at https://ossindex.sonatype.org/vulnerability/CVE-2023-52428. It contains the same scarce information as the NVD entry. Given these two sources, I was puzzled how dependency-check would know that 9.37.2+ be not vulnerable.
Turn off the OSS Index Analyzer and run your tests again. Hopefully, that will help you understand how ODC works.
> you would have to ask Sonatype as the OSS Index Analyzer was contributed by them and uses data from their service.
Ok, looks like there's some magic going on behind the scenes.
I ran the Maven plugin with `-debug` to get some extra information and grepped for `nimbus`.
```
...
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (Archive Analyzer)
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (File Name Analyzer)
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (Jar Analyzer)
[DEBUG] Reading pom entry: META-INF/maven/com.nimbusds/nimbus-jose-jwt/pom.xml
[DEBUG] Read pom.properties: META-INF/maven/com.nimbusds/nimbus-jose-jwt/pom.properties
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (Dependency Merging Analyzer)
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (Hint Analyzer)
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (Version Filter Analyzer)
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (CPE Analyzer)
[DEBUG] product:(jwt9 nimbus\-jose\-jwtv9 jose^2 jwt jwtv9 josev9 nimbus\-jose\-jwt9 jose9^2 jose^2 nimbusdsv9 com.nimbusds com.nimbusdsv9 nimbusds nimbusds9 nimbus\-jose\-jwt com.nimbusds9) AND vendor:(com.nimbusds https\:\/\/bitbucket.org\/connect2id\/nimbus\-jose\-jwt jose^2 jwt nimbusds^2 nimbus\-jose\-jwt)
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (False Positive Analyzer)
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (NVD CVE Analyzer)
[DEBUG] Cache miss for cpe:2.3:a:connect2id:nimbus_jose\+jwt:9.37.3:*:*:*:*:*:*:*
[DEBUG] OSS Index Analyzer submitting: [....]
[DEBUG] Found cached report for: pkg:maven/com.nimbusds/nimbus-jose-jwt@9.37.3
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (Sonatype OSS Index Analyzer)
[DEBUG] Enrich dependency: Dependency{ fileName='nimbus-jose-jwt-9.37.3.jar', actualFilePath='/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar', filePath='/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar', packagePath='/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar'}

[DEBUG] Package: pkg:maven/com.nimbusds/nimbus-jose-jwt@9.37.3 -> HIGH

[DEBUG] Enrich dependency: Dependency{ fileName='nimbus-jose-jwt-9.37.3.jar/META-INF/maven/com.google.code.gson/gson/pom.xml', actualFilePath='/var/folders/pl/nxddb61s6y7_hdjqbr2l7pfm0000gn/T/dctemp43e57c0f-b9eb-4ae0-b3f0-5293dd3e3010/check16188098707609691027tmp/94/pom.xml', filePath='/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar/META-INF/maven/com.google.code.gson/gson/pom.xml', packagePath='com.google.code.gson:gson:2.10.1'}
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (Vulnerability Suppression Analyzer)
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (Known Exploited Vulnerability Analyzer)
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (Dependency Bundling Analyzer)
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (Unused Suppression Rule Analyzer)
```
I put empty lines around the one line that sticks out to me as most interesting. It looks to me as if the OSS analyzer initially finds `nimbus-jose-jwt@9.37.3` vulnerable with HIGH (remember: fixed with 9.37.2). However, the build passes and the final report doesn't mention it. As we don't suppress it manually, I must assume there's some logic which later finds out that 9.37.3 is actually a fixed, non-vulnerable version, but this is not reported in the log.
I am (still) trying to understand the inner workings of this great project better.
Which data source tells dependency-check that Nimbus 9.37.2 is not affected by CVE-2023-52428?
The NIST/MITRE entry at https://nvd.nist.gov/vuln/detail/CVE-2023-52428 is currently missing a "Known Affected Software Configurations" section. Without the CPEs usually listed there, it does not formally state that version 9.37.2 is not affected. The only hint is the prose description starting with
The only machine-readable source for this information I could find is the OSV entry at https://osv.dev/vulnerability/CVE-2023-52428. However, according to #6039 dependency-check does not use OSV yet.
NIST snapshot for reference below
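An added example (not code from this issue, from dependency-check or from Sonatype) of what the OSV entry mentioned above can express that the NVD record currently cannot: an affected range with an explicit fixed version, evaluated against the purl that appears in the debug log. The OSV record below is constructed from what the thread states (fixed in 9.37.2) rather than copied from osv.dev, and the version ordering is a simplified assumption standing in for Maven's real comparison.

```python
import re
# CONSTRUCTED record in OSV's affected/ranges/events shape, encoding what the
# thread states (fixed in 9.37.2); not a copy of the real osv.dev entry.
CONSTRUCTED_OSV_RECORD = {
    "id": "CVE-2023-52428",
    "affected": [{
        "package": {"ecosystem": "Maven", "name": "com.nimbusds:nimbus-jose-jwt"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "9.37.2"}]}],
    }],
}

def purl_to_maven(purl: str) -> tuple:
    """pkg:maven/<group>/<artifact>@<version> (as ODC logs it) -> ('group:artifact', version)."""
    m = re.fullmatch(r"pkg:maven/([^/]+)/([^@]+)@([^?#]+)", purl)
    if not m:
        raise ValueError(f"not a Maven purl: {purl}")
    return f"{m.group(1)}:{m.group(2)}", m.group(3)

def version_key(v: str) -> tuple:
    """Simplified stand-in for Maven ordering (an assumption, not ComparableVersion):
    numbers compare numerically, trailing .0 is ignored, '-RC1' sorts below the release."""
    parts = re.split(r"[.\-]", v)
    while len(parts) > 1 and parts[-1] == "0":
        parts.pop()
    key = [(0, int(p), "") if p.isdigit() else (-1, 0, p.lower()) for p in parts]
    key.append((-1, 1, ""))  # sentinel: above any qualifier, below any number
    return tuple(key)

def is_affected(record: dict, name: str, version: str) -> bool:
    """True if `version` of Maven package `name` lies in an affected range. Events are
    assumed ascending (as OSV requires): 'introduced' opens, a later 'fixed' closes."""
    vk = version_key(version)
    for aff in record["affected"]:
        pkg = aff["package"]
        if pkg["ecosystem"] != "Maven" or pkg["name"] != name:
            continue
        for rng in aff["ranges"]:
            if rng["type"] != "ECOSYSTEM":
                continue
            inside = False
            for ev in rng["events"]:
                if "introduced" in ev and version_key(ev["introduced"]) <= vk:
                    inside = True
                elif "fixed" in ev and version_key(ev["fixed"]) <= vk:
                    inside = False
            if inside:
                return True
    return False
```

Feeding it the purl from the log (`pkg:maven/com.nimbusds/nimbus-jose-jwt@9.37.3`) yields not affected, while 9.28 and a hypothetical 9.37.2-RC1 pre-release both fall inside the range.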