jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: Multiple packages detected as homepage_project:homepage #6467

Open OrangeDog opened 8 months ago

OrangeDog commented 8 months ago

Package URL

pkg:maven/com.querydsl/querydsl-core@5.0.0

CPE

cpe:2.3:a:homepage_project:homepage:5.0.0:*:*:*:*:*:*:*

CVE

No response

ODC Integration

Maven Plugin

ODC Version

9.0.9

Description

When POMs do not have their properties expanded correctly, dependency check still uses the variable as evidence. In an apparently common case, this leads to this evidence:

Vendor  pom url ${project.homepage} Highest
Product pom url ${project.homepage} Medium

and a detection of cpe:2.3:a:homepage_project:homepage.

Rather than have to individually suppress this whenever it comes up, perhaps the analyser should simply discard any evidence that is a Maven property expression?

github-actions[bot] commented 8 months ago

Maven Coordinates

<dependency>
   <groupId>com.querydsl</groupId>
   <artifactId>querydsl-core</artifactId>
   <version>5.0.0</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6467
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.querydsl/querydsl-core@.*$</packageUrl>
   <cpe>cpe:/a:homepage_project:homepage</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/7902690410
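As an added illustration (not dependency-check's own code, and not part of either comment above), the following shows the two approaches that appear in this thread side by side: the heuristic proposed in the report (discard any evidence value that is still an unexpanded `${...}` Maven property expression before it can feed CPE identification) and the generated suppression rule as a workaround. The `Evidence` class, `filter_evidence`, `candidate_terms` and `suppression_applies` are hypothetical names, the sample evidence rows are constructed to mirror the report, and the term extraction is a deliberately simplified stand-in for the real analyzer's tokenization; the starts-with comparison on the `cpe:/` form is an assumption about how the `<cpe>` element is matched.

```python
import re
from dataclasses import dataclass

# An unexpanded Maven property expression, e.g. ${project.homepage}.
MAVEN_PROPERTY_RE = re.compile(r"\$\{[^}]*\}")


@dataclass(frozen=True)
class Evidence:
    """One evidence row as shown in the report (hypothetical type)."""
    kind: str        # "vendor" or "product"
    source: str      # e.g. "pom"
    name: str        # e.g. "url"
    value: str
    confidence: str  # "Highest", "High", "Medium", "Low"


def is_unexpanded_property(value: str) -> bool:
    """True when the value still contains a ${...} placeholder, i.e. the POM
    property was never resolved and the literal variable leaked into evidence."""
    return MAVEN_PROPERTY_RE.search(value) is not None


def filter_evidence(evidence):
    """Split evidence into rows safe to use for identification and rows that are
    bare property expressions; the dropped rows are returned so they can be logged."""
    kept, dropped = [], []
    for e in evidence:
        (dropped if is_unexpanded_property(e.value) else kept).append(e)
    return kept, dropped


def candidate_terms(evidence):
    """Simplified stand-in for term extraction: lowercase alphanumeric tokens
    from each value. Shows which words would reach vendor/product matching."""
    terms = set()
    for e in evidence:
        for tok in re.split(r"[^a-z0-9]+", e.value.lower()):
            if tok:
                terms.add(tok)
    return terms


def suppression_applies(purl_pattern: str, cpe_prefix: str, purl: str, cpe: str) -> bool:
    """Evaluate a rule like the one the bot generated: the packageUrl regex must
    match the dependency's PURL and the identified CPE (cpe:/ form) must start
    with the rule's CPE (assumption: starts-with semantics for <cpe>)."""
    return re.fullmatch(purl_pattern, purl) is not None and cpe.startswith(cpe_prefix)


# Constructed sample mirroring the evidence table in the report.
SAMPLE = [
    Evidence("vendor", "pom", "url", "${project.homepage}", "Highest"),
    Evidence("product", "pom", "url", "${project.homepage}", "Medium"),
    Evidence("vendor", "pom", "groupid", "com.querydsl", "Highest"),
    Evidence("product", "pom", "artifactid", "querydsl-core", "Highest"),
]

# Values from the report; the cpe:/ form of the identified CPE is constructed.
PURL = "pkg:maven/com.querydsl/querydsl-core@5.0.0"
IDENTIFIED_CPE22 = "cpe:/a:homepage_project:homepage:5.0.0"
RULE_PURL_REGEX = r"^pkg:maven/com\.querydsl/querydsl-core@.*$"
RULE_CPE = "cpe:/a:homepage_project:homepage"


if __name__ == "__main__":
    kept, dropped = filter_evidence(SAMPLE)
    for e in dropped:
        print(f"dropped {e.kind} evidence {e.source}/{e.name}={e.value!r} ({e.confidence})")
    print("terms before filtering:", sorted(candidate_terms(SAMPLE)))
    print("terms after filtering: ", sorted(candidate_terms(kept)))
    print("suppression rule applies:",
          suppression_applies(RULE_PURL_REGEX, RULE_CPE, PURL, IDENTIFIED_CPE22))
```

Running it shows that, without the filter, `homepage` and `project` are among the terms reaching vendor/product matching, which is exactly where the `homepage_project:homepage` identification comes from; with the filter, only the real coordinates (`com`, `querydsl`, `core`) remain. The suppression check confirms the generated rule would cover this dependency, but note that it only hides the one symptom, whereas the filter removes the cause for every artifact whose POM leaks an unexpanded property.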