jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Why is Nimbus 9.37.2 not flagged for CVE-2023-52428? #6464

Open marcelstoer opened 7 months ago

marcelstoer commented 7 months ago

I am (still) trying to understand the inner workings of this great project better.

Which data source tells dependency-check that Nimbus 9.37.2 is not affected by CVE-2023-52428?

The NIST/MITRE entry at https://nvd.nist.gov/vuln/detail/CVE-2023-52428 is currently missing a "Known Affected Software Configurations" section. Without the CPEs usually listed there, it does not formally state that version 9.37.2 is not affected. The only hint is the prose description starting with

In Connect2id Nimbus JOSE+JWT before 9.37.2...

The only machine-readable source for this information I could find is the OSV entry at https://osv.dev/vulnerability/CVE-2023-52428. However, according to #6039 dependency-check does not use OSV yet.

NIST snapshot for reference below

jeremylong commented 7 months ago

See how the CVE at the NVD says "AWAITING ANALYSIS" in the yellow warning bar? The CVE still is not complete in the NVD data as it has no affected software listed.

marcelstoer commented 7 months ago

Yes 😄

I am trying to understand why dependency-check against Nimbus 9.28 fails, i.e. reports a vulnerability (correct), but passes when run against Nimbus 9.37.3 (again, correct). How does it know? The formal information available in the CVE at the NVD does not contain the necessary clues.

jeremylong commented 7 months ago

ODC uses several sources of vulnerabilities. If only using the NVD (for instance in this case if you disabled the OSS Index Analyzer) the CVE would likely not show up until after the CVE has been analyzed and it lists specific CPEs that are vulnerable. If the OSS Index Analyzer is flagging the vulnerability - you would have to ask Sonatype as the OSS Index Analyzer was contributed by them and uses data from their service.
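As an added illustration (not dependency-check's own code) of the matching step described above: the NVD CVE Analyzer can only flag a CPE when the CVE record carries `configurations`, so a record still "Awaiting Analysis" yields nothing, whereas a hypothetical analysed record with `versionEndExcluding` 9.37.2 would flag 9.28 and clear 9.37.3. The two records, the simplified matcher and its function names are constructed assumptions, not NVD data.

```python
# Added example, not dependency-check code: an NVD record with no "configurations"
# gives the NVD CVE Analyzer nothing to match a CPE against. Records are constructed;
# field names follow NVD API 2.0 JSON. Only a single OR node is handled (no AND/negate).
import re

TARGET = r"cpe:2.3:a:connect2id:nimbus_jose\+jwt:9.37.3:*:*:*:*:*:*:*"
# State described in the thread: awaiting analysis, hence no CPE configurations.
AWAITING = {"cve": {"id": "CVE-2023-52428", "vulnStatus": "Awaiting Analysis"}}
# Hypothetical analysed record carrying the range the description implies.
ANALYSED = {"cve": {"id": "CVE-2023-52428", "vulnStatus": "Analyzed",
    "configurations": [{"nodes": [{"operator": "OR", "negate": False,
        "cpeMatch": [{"vulnerable": True, "versionEndExcluding": "9.37.2",
            "criteria": r"cpe:2.3:a:connect2id:nimbus_jose\+jwt:*:*:*:*:*:*:*:*"}]}]}]}}

def version_key(v):
    # Dotted numeric versions only; non-numeric parts sort as 0.
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def cpe_parts(cpe):
    # Split a CPE 2.3 formatted string on unescaped colons (keeps "\+" intact).
    return re.split(r"(?<!\\):", cpe)

def cpe_match_applies(m, target):
    """True if one NVD cpeMatch entry covers the target CPE."""
    crit, tgt = cpe_parts(m["criteria"]), cpe_parts(target)
    if crit[2:5] != tgt[2:5]:              # part, vendor, product must agree
        return False
    if crit[5] not in ("*", "-") and crit[5] != tgt[5]:
        return False                       # criteria names one exact version
    v = version_key(tgt[5])
    outside = {"versionStartIncluding": lambda b: v < b,
               "versionStartExcluding": lambda b: v <= b,
               "versionEndIncluding": lambda b: v > b,
               "versionEndExcluding": lambda b: v >= b}
    for key, is_outside in outside.items():
        if key in m and is_outside(version_key(m[key])):
            return False
    return m.get("vulnerable", True)

def nvd_verdict(record, target):
    """Return ('vulnerable' | 'not_vulnerable' | 'unknown', reason)."""
    cve = record["cve"]
    if not cve.get("configurations"):
        return "unknown", f"{cve['id']} is '{cve['vulnStatus']}': no CPEs to match"
    for cfg in cve["configurations"]:
        for node in cfg["nodes"]:
            for m in node["cpeMatch"]:
                if cpe_match_applies(m, target):
                    return "vulnerable", f"covered by {m['criteria']}"
    return "not_vulnerable", "no cpeMatch entry covers this version"
```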

marcelstoer commented 7 months ago

Thanks, I understand that. As CVE-2023-52428 for Nimbus 9.28 had indeed been reported by the OSS Index Analyzer in my project, I initially looked at their report at https://ossindex.sonatype.org/vulnerability/CVE-2023-52428. It contains the same scarce information as the NVD entry. Given these two sources, I was puzzled how dependency-check would know that 9.37.2+ is not vulnerable.

jeremylong commented 7 months ago

Turn off the OSS Index Analyzer and run your tests again. Hopefully, that will help you understand how ODC works.

marcelstoer commented 7 months ago

> you would have to ask Sonatype as the OSS Index Analyzer was contributed by them and uses data from their service.

Ok, looks like there's some magic going on behind the scenes.

I ran the Maven plugin with -debug to get some extra information and grepped for nimbus.

...
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (Archive Analyzer)
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (File Name Analyzer)
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (Jar Analyzer)
[DEBUG] Reading pom entry: META-INF/maven/com.nimbusds/nimbus-jose-jwt/pom.xml
[DEBUG] Read pom.properties: META-INF/maven/com.nimbusds/nimbus-jose-jwt/pom.properties
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (Dependency Merging Analyzer)
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (Hint Analyzer)
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (Version Filter Analyzer)
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (CPE Analyzer)
[DEBUG] product:(jwt9 nimbus\-jose\-jwtv9 jose^2 jwt jwtv9 josev9 nimbus\-jose\-jwt9 jose9^2 jose^2 nimbusdsv9 com.nimbusds com.nimbusdsv9 nimbusds nimbusds9 nimbus\-jose\-jwt com.nimbusds9) AND vendor:(com.nimbusds https\:\/\/bitbucket.org\/connect2id\/nimbus\-jose\-jwt jose^2 jwt nimbusds^2 nimbus\-jose\-jwt)
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (False Positive Analyzer)
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (NVD CVE Analyzer)
[DEBUG] Cache miss for cpe:2.3:a:connect2id:nimbus_jose\+jwt:9.37.3:*:*:*:*:*:*:*
[DEBUG] OSS Index Analyzer submitting: [....]
[DEBUG] Found cached report for: pkg:maven/com.nimbusds/nimbus-jose-jwt@9.37.3
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (Sonatype OSS Index Analyzer)
[DEBUG] Enrich dependency: Dependency{ fileName='nimbus-jose-jwt-9.37.3.jar', actualFilePath='/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar', filePath='/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar', packagePath='/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar'}

[DEBUG]   Package: pkg:maven/com.nimbusds/nimbus-jose-jwt@9.37.3 -> HIGH

[DEBUG] Enrich dependency: Dependency{ fileName='nimbus-jose-jwt-9.37.3.jar/META-INF/maven/com.google.code.gson/gson/pom.xml', actualFilePath='/var/folders/pl/nxddb61s6y7_hdjqbr2l7pfm0000gn/T/dctemp43e57c0f-b9eb-4ae0-b3f0-5293dd3e3010/check16188098707609691027tmp/94/pom.xml', filePath='/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar/META-INF/maven/com.google.code.gson/gson/pom.xml', packagePath='com.google.code.gson:gson:2.10.1'}
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (Vulnerability Suppression Analyzer)
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (Known Exploited Vulnerability Analyzer)
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (Dependency Bundling Analyzer)
[DEBUG] Begin Analysis of '/Users/marcelstoer/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.37.3/nimbus-jose-jwt-9.37.3.jar' (Unused Suppression Rule Analyzer)

I put empty lines around the one line that sticks out to me as most interesting. It looks to me as if the OSS analyzer initially finds nimbus-jose-jwt@9.37.3 vulnerable with HIGH (remember: fixed with 9.37.2). However, the build passes and the final report doesn't mention it. As we don't suppress it manually, I must assume there's some logic which later finds out that 9.37.3 is actually a fixed, non-vulnerable version, but this is not reported in the log.