jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Issue with dependencyCheck not detecting CVE-2023-7104 compared to other scanning tools #6495

Closed qw1212 closed 6 months ago

qw1212 commented 6 months ago

I have encountered an issue where other scanning tools can detect CVE-2023-7104, but dependencyCheck fails to identify it. Why does this discrepancy exist?

DependencyCheck: [screenshot] another NVD tool: [screenshot 企业微信截图_17091917472499]

The scan command I am using is as follows.

/opt/dependency-check/bin/dependency-check.sh --project "sqlite-jdbc-3.36.0.3.jar" --scan "sqlite-jdbc-3.36.0.3.jar" --junitFailOnCVSS 7 --disableGolangDep --disableGolangMod --format ALL --nvdValidForHours 24 --nvdApiKey xxxxx --nvdDatafeed http://nvdmirror.xxxxx.com/nvdcve-{0}.json.gz --retireJsUrl http://maven.xxxxx.com/repository/tizi/Retirejs/jsrepository.json

How to address this issue within the dependencyCheck tool? Could anyone lend a hand?

aikebah commented 6 months ago

Discrepancy appears to be due to an error in your other tool wrongly attributing the JDBC driver to cpe:2.3:a:sqlite:sqlite instead of cpe:2.3:a:sqlite_jdbc_project:sqlite_jdbc

https://www.sqlite.org/cves.html documents the CVE to exist in an extension that needs to be explicitly enabled on compile.

The CVE is neither listed by OSSINDEX (which would make it reported by the OSSINDEX analyzer), nor Snyk (another easily googleable vulnerabilities resource, which is not consulted by dependencycheck as their API is only accessible for customers) for your exact version of the library.
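To make the CPE attribution point above concrete, here is an added example (not DependencyCheck's own code) that evaluates a dependency CPE against an NVD 2.0-style `cpeMatch` criterion. The CVE entry and its `versionEndExcluding` bound are constructed for illustration and are not taken from CVE-2023-7104; the two CPE strings are the ones named in the comment.

```python
# Added example, not DependencyCheck's code: how vendor/product attribution
# in a CPE decides whether an NVD entry applies to a scanned dependency.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cpe:
    part: str
    vendor: str
    product: str
    version: str


def parse_cpe23(s: str) -> Cpe:
    """Parse 'cpe:2.3:part:vendor:product:version:...' (no escaped colons)."""
    f = s.split(":")
    if len(f) < 6 or f[0] != "cpe" or f[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {s}")
    return Cpe(f[2], f[3], f[4], f[5])


def version_tuple(v: str) -> tuple:
    """Turn '3.36.0.3' into (3, 36, 0, 3) so ranges compare numerically."""
    return tuple(int(p) if p.isdigit() else p for p in v.split("."))


def cpe_match(criterion: dict, dep: Cpe) -> bool:
    """True if the dependency falls inside one NVD cpeMatch criterion."""
    crit = parse_cpe23(criterion["criteria"])
    # part, vendor and product must agree exactly; '*' in the criterion is a wildcard
    for want, got in ((crit.part, dep.part), (crit.vendor, dep.vendor), (crit.product, dep.product)):
        if want != "*" and want != got:
            return False
    if crit.version not in ("*", "-") and crit.version != dep.version:
        return False
    v = version_tuple(dep.version)
    if "versionStartIncluding" in criterion and v < version_tuple(criterion["versionStartIncluding"]):
        return False
    if "versionEndExcluding" in criterion and v >= version_tuple(criterion["versionEndExcluding"]):
        return False
    return True


def affected(cve: dict, dep_cpe: str) -> bool:
    """True if any vulnerable cpeMatch node in the CVE covers the dependency."""
    dep = parse_cpe23(dep_cpe)
    return any(cpe_match(m, dep) for cfg in cve["configurations"]
               for node in cfg["nodes"] for m in node["cpeMatch"] if m.get("vulnerable", True))


# Constructed sample entry scoped to the SQLite library itself; the bound is made up.
SAMPLE_CVE = {"configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
    {"vulnerable": True, "criteria": "cpe:2.3:a:sqlite:sqlite:*:*:*:*:*:*:*:*",
     "versionEndExcluding": "3.43.0"}]}]}]}

JDBC_DRIVER = "cpe:2.3:a:sqlite_jdbc_project:sqlite_jdbc:3.36.0.3:*:*:*:*:*:*:*"
MISATTRIBUTED = "cpe:2.3:a:sqlite:sqlite:3.36.0.3:*:*:*:*:*:*:*"
```

With the correct `sqlite_jdbc_project:sqlite_jdbc` CPE the entry does not apply; only a scanner that mislabels the driver as `sqlite:sqlite` reports it.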