jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: CVE-2017-16111, which applies to the content module of the hapijs/hapi.js framework, gets flagged on ktor dependencies with `content` in the name #6693

Closed volkert-fastned closed 3 months ago

volkert-fastned commented 3 months ago

Package URL

pkg:maven/io.ktor/ktor-client-content-negotiation-jvm@2.3.11

CPE

cpe:2.3:a:content_project:content:2.3.11:*:*:*:*:*:*:*

CVE

CVE-2017-16111

ODC Integration

Gradle Plugin

ODC Version

9.2.0

Description

Vulnerability CVE-2017-16111, which applies to the content module of hapi.js (a Node.js library) gets flagged on Ktor dependencies that have content in the name:

ktor-client-content-negotiation-jvm-2.3.11-sources.jar (pkg:maven/io.ktor/ktor-client-content-negotiation-jvm@2.3.11, cpe:2.3:a:content_project:content:2.3.11:*:*:*:*:*:*:*) : CVE-2017-16111
ktor-server-content-negotiation-jvm-2.3.11-sources.jar (pkg:maven/io.ktor/ktor-server-content-negotiation-jvm@2.3.11, cpe:2.3:a:content_project:content:2.3.11:*:*:*:*:*:*:*) : CVE-2017-16111

Strangely enough, this suddenly got flagged (along with a bunch of other vulnerabilities) while I tried to upgrade a project from Kotlin 1.9.x to Kotlin 2.0. But the dependencies that suddenly got flagged with that upgrade weren't related to the Kotlin 2.0 upgrade.

Also worth noting: according to NIST, the CPE should in fact be cpe:2.3:a:content_project:content:*:*:*:*:*:node.js:*:* but the CPE that the DependencyCheck Gradle plugin flags has a wildcard in place of the node.js part. Perhaps that's what's causing this false positive?

github-actions[bot] commented 3 months ago

Maven Coordinates

<dependency>
   <groupId>io.ktor</groupId>
   <artifactId>ktor-client-content-negotiation-jvm</artifactId>
   <version>2.3.11</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6693
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/io\.ktor/ktor-client-content-negotiation-jvm@.*$</packageUrl>
   <cpe>cpe:/a:content_project:content</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9268481543

volkert-fastned commented 3 months ago

This is one of multiple FPs of Node.js vulnerabilities that suddenly got flagged on Java/JVM dependencies while I was upgrading Kotlin from 1.9.x to 2.0, apparently because the CPE had an asterisk in the third position, which should have contained the string node.js, according to NIST:

jeremylong commented 3 months ago

approved

github-actions[bot] commented 3 months ago

Suppress rule has been added to the generatedSuppressions branch.

volkert-fastned commented 3 months ago

@jeremylong It still flags the second one, even with the automatically generated suppression in place:

ktor-server-content-negotiation-jvm-2.3.11-sources.jar (pkg:maven/io.ktor/ktor-server-content-negotiation-jvm@2.3.11, cpe:2.3:a:content_project:content:2.3.11:*:*:*:*:*:*:*) : CVE-2017-16111

volkert-fastned commented 3 months ago

@jeremylong Not broad enough, see the suggestion I added to the fix commit.
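Added example, not part of this issue thread or of the dependency-check code base: it parses the CPE 2.3 strings quoted above, shows why the flagged CPE's wildcard target_sw hides the Maven-vs-node.js ecosystem mismatch that the NVD CPE makes explicit, and checks which of the two reported package URLs the bot-generated packageUrl regex covers. The purl-type-to-target_sw mapping and the broader `ktor-(client|server)-...` regex are constructed for this example; the issue does not show the suggestion made in the fix commit.

```python
import re

# Findings copied from the issue above: (Package URL, flagged CPE, CVE).
FINDINGS = [
    ("pkg:maven/io.ktor/ktor-client-content-negotiation-jvm@2.3.11",
     "cpe:2.3:a:content_project:content:2.3.11:*:*:*:*:*:*:*", "CVE-2017-16111"),
    ("pkg:maven/io.ktor/ktor-server-content-negotiation-jvm@2.3.11",
     "cpe:2.3:a:content_project:content:2.3.11:*:*:*:*:*:*:*", "CVE-2017-16111"),
]
# NVD's CPE for the CVE as quoted in the issue: target_sw is pinned to node.js.
NVD_CPE = "cpe:2.3:a:content_project:content:*:*:*:*:*:node.js:*:*"
# Bot-generated rule from the thread, and a broader one constructed for this example.
GENERATED_RULE = r"^pkg:maven/io\.ktor/ktor-client-content-negotiation-jvm@.*$"
BROADER_RULE = r"^pkg:maven/io\.ktor/ktor-(client|server)-content-negotiation-jvm@.*$"

CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")
# Assumed mapping from purl type to the CPE target_sw value it implies.
PURL_TYPE_TARGET_SW = {"maven": "java", "npm": "node.js", "pypi": "python"}


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 named attributes
    (simplification: escaped colons inside a value are not handled)."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(CPE23_FIELDS, parts[2:]))


def purl_type(purl: str) -> str:
    """Return the purl type, e.g. 'maven' for pkg:maven/..."""
    m = re.match(r"^pkg:([^/]+)/", purl)
    if not m:
        raise ValueError(f"not a package URL: {purl}")
    return m.group(1)


def ecosystem_mismatch(purl: str, cpe: str) -> bool:
    """True when the CPE pins target_sw to an ecosystem the purl type cannot be
    (a Maven artifact against a node.js-only CPE). A wildcard target_sw,
    as in the CPE dependency-check flagged, never triggers this check."""
    target_sw = parse_cpe23(cpe)["target_sw"]
    implied = PURL_TYPE_TARGET_SW.get(purl_type(purl))
    return target_sw not in ("*", "-") and implied is not None and implied != target_sw


def unsuppressed(findings, rule: str) -> list:
    """Package URLs among the findings that a packageUrl regex does not cover."""
    pat = re.compile(rule)
    return [purl for purl, _cpe, _cve in findings if not pat.match(purl)]
```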