jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Python analyzer not reporting some CVE like CVE-2023-50263 #6522

Open yyuanxin opened 6 months ago

yyuanxin commented 6 months ago

Describe the bug: I am scanning a requirements.txt file with dependency-check v9.0.9. In the output report, it reflects the package version that is being scanned, but no vulnerabilities were detected (nautobot@1.4.1 should flag CVE-2023-50263).

I have checked the H2 database and the CVE is present: `select * from vulnerability where CVE = 'CVE-2023-50263'`

I have set the flags `--disableOssIndex --disableHostedSuppressions`, but it seems like the Python analyzer is not picking up this CVE for the dependency.

Version of dependency-check used: The problem occurs using version 9.0.9 of the dependency-check Python analyzer.

Log file: Attached is a snippet of the report generated, which reflects the dependency package. It is not reporting any CVE for the dependency.

To Reproduce: In requirements.txt, add `nautobot==1.4.1`. Set the flags `--disableOssIndex --disableHostedSuppressions --enableExperimental` and scan using the Python analyzer for requirements.txt.

Expected behavior: The report should show CVE-2023-50263 for nautobot@1.4.1.

Additional context

jeremylong commented 6 months ago

Unfortunately, due to how dependency-check works currently, false negatives like this do occur, especially for the experimental analyzers. As the NVD is the current source, and they use the vendor as part of the CPE, it is sometimes difficult to determine the vendor from the data in the requirements or lock file.
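The following is an added illustration of the vendor problem described in the two comments above; it is not dependency-check's code and does not reproduce its matching engine. It shows, on a constructed stand-in for the NVD data, why a pinned line such as `nautobot==1.4.1` can be parsed correctly (so the package and version appear in the report) and still yield no CVE: a requirements.txt carries no vendor field, so the only vendor guess available is the product name itself, which does not equal the vendor recorded in the CPE. The vendor string `networktocode` and the version upper bound used below are assumptions for the demo, not values taken from the NVD; check the CPE rows in your own H2 database for the real values.

```python
"""Why a requirements.txt dependency can be listed yet receive no CVE.

Added example for this issue thread, NOT code from dependency-check.
SAMPLE_NVD is constructed: the vendor 'networktocode' and the upper bound
'2.0.0' are assumptions standing in for whatever the NVD actually records.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class NvdRecord:
    """One simplified CPE match range attached to a vulnerability."""
    cve: str
    vendor: str
    product: str
    version_end_excluding: str


# Constructed stand-in for the rows the reporter found in the H2 database.
SAMPLE_NVD: List[NvdRecord] = [
    NvdRecord("CVE-2023-50263", "networktocode", "nautobot", "2.0.0"),
]

# Pinned requirement: optional extras in [...], then ==, then a version.
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([0-9][0-9A-Za-z.+-]*)"
)


def parse_requirement(line: str) -> Optional[Tuple[str, str]]:
    """Return (normalized name, version) for a 'name==version' line, else None."""
    line = line.split("#", 1)[0].split(";", 1)[0]  # drop comments and env markers
    m = _REQ_RE.match(line)
    if not m:
        return None
    return m.group(1).lower().replace("_", "-"), m.group(2)


def version_tuple(v: str) -> Tuple[int, ...]:
    """Numeric components of a version; sufficient for the pinned releases here."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def cpe_candidates(product: str, vendor_evidence: Iterable[str]) -> set:
    """(vendor, product) pairs an analyzer could build from the evidence it has.

    A requirements.txt gives no vendor, so without extra evidence the only
    vendor candidate is the product name itself.
    """
    vendors = {product, *vendor_evidence}
    return {(v.lower(), product) for v in vendors}


def find_cves(product: str, version: str, vendor_evidence: Iterable[str],
              records: Sequence[NvdRecord] = SAMPLE_NVD) -> List[str]:
    """CVEs whose vendor:product pair is a candidate and whose range covers version."""
    candidates = cpe_candidates(product, vendor_evidence)
    hits = [
        r.cve for r in records
        if (r.vendor, r.product) in candidates
        and version_tuple(version) < version_tuple(r.version_end_excluding)
    ]
    return sorted(set(hits))


def cves_for_requirement(line: str, vendor_hints: Iterable[str] = (),
                         records: Sequence[NvdRecord] = SAMPLE_NVD) -> List[str]:
    """Parse one requirements.txt line and look it up against the records."""
    parsed = parse_requirement(line)
    if parsed is None:
        return []
    name, version = parsed
    return find_cves(name, version, vendor_hints, records)


if __name__ == "__main__":
    # No vendor evidence: product is recognised, but the CPE vendor never matches.
    print(cves_for_requirement("nautobot==1.4.1"))                     # []
    # Same line once the true vendor is supplied as extra evidence.
    print(cves_for_requirement("nautobot==1.4.1", ["networktocode"]))  # ['CVE-2023-50263']
```

The two calls at the bottom make the failure mode concrete: the first mirrors what the reporter saw (version parsed, nothing flagged), the second shows that the identical record is found as soon as the vendor half of the CPE is known. In practice that is the information to confirm first when an expected CVE is missing: compare the vendor in the CPE rows for the CVE against whatever vendor evidence the analyzer could have derived from the manifest.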