jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: spring-boot-jarmode-tools incorrectly identified as vmware:tools #6725

Closed MichaelVetter closed 4 months ago

MichaelVetter commented 4 months ago

Package URL

pkg:maven/org.springframework.boot/spring-boot-jarmode-tools@3.3.0

CPE

cpe:2.3:a:vmware:tools:3.3.0:*:*:*:*:*:*:*

CVE

No response

ODC Integration

Maven Plugin

ODC Version

9.2.0

Description

No response

github-actions[bot] commented 4 months ago

Maven Coordinates

<dependency>
   <groupId>org.springframework.boot</groupId>
   <artifactId>spring-boot-jarmode-tools</artifactId>
   <version>3.3.0</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6725
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring-boot-jarmode-tools@.*$</packageUrl>
   <cpe>cpe:/a:vmware:tools</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9514606574

aikebah commented 4 months ago

approved

github-actions[bot] commented 4 months ago

Suppress rule has been added to the generatedSuppressions branch.

rpaasche commented 1 month ago

@aikebah Is this already released? Currently we get CVE-2016-7079 (and some more vmware-tools related ones) for spring-boot-jarmode-tools-3.3.4.jar.

Using dependency-check 10.0.4

aikebah commented 1 month ago

@rpaasche Resolutions by the bot are immediately available as a suppression in the hosted suppressions file (assuming that you run your scans with internet connectivity, it should become active as soon as the currently cached hostedSuppressions file expires, 2 hrs after its latest retrieval in the default setup).

Check your scan report to see whether it properly identifies your jar as the Maven package (pkg:maven/.....) listed above in the suppression. Suppressions we add in this project are typically based on the package-url of the library.
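The check aikebah describes, as an added example that is not code from the dependency-check project or from anyone in this thread: read a dependency-check JSON report and, for every dependency that carries the vmware:tools CPE, show which package-url was identified and whether the hosted rule from the bot comment (packageUrl regex plus `<cpe>` prefix) would actually fire. The sample report is constructed inline; its field names (`dependencies[].packages[].id`, `vulnerabilityIds[].id`, `vulnerabilities[].name`) follow the JSON report layout as I know it, and the prefix semantics assumed for a partial `cpe:/a:vendor:product` element are an assumption, not a statement of the project's matcher.

```python
"""Would a dependency-check suppression rule match a dependency in a JSON report?"""
import json
import re

# Constructed sample report (not real scanner output). Field names are assumed
# from the dependency-check JSON report layout. The jar, CPE and CVE mirror the
# issue above; the second entry is the same jar scanned without a package-url
# being identified, which is exactly the case a packageUrl-based rule cannot cover.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "spring-boot-jarmode-tools-3.3.4.jar",
            "packages": [{"id": "pkg:maven/org.springframework.boot/spring-boot-jarmode-tools@3.3.4",
                          "confidence": "HIGH"}],
            "vulnerabilityIds": [{"id": "cpe:2.3:a:vmware:tools:3.3.4:*:*:*:*:*:*:*", "confidence": "LOW"}],
            "vulnerabilities": [{"name": "CVE-2016-7079", "severity": "HIGH"}],
        },
        {
            "fileName": "spring-boot-jarmode-tools-3.3.4.jar",
            "packages": [],
            "vulnerabilityIds": [{"id": "cpe:2.3:a:vmware:tools:3.3.4:*:*:*:*:*:*:*", "confidence": "LOW"}],
            "vulnerabilities": [{"name": "CVE-2016-7079", "severity": "HIGH"}],
        },
    ]
})

# The hosted rule from the bot comment: (packageUrl regex, partial cpe 2.2 string).
RULE = (r"^pkg:maven/org\.springframework\.boot/spring-boot-jarmode-tools@.*$",
        "cpe:/a:vmware:tools")


def cpe22_to_parts(cpe22):
    # "cpe:/a:vmware:tools" -> ["a", "vmware", "tools"]
    return cpe22[len("cpe:/"):].split(":")


def cpe23_to_parts(cpe23):
    # "cpe:2.3:a:vmware:tools:3.3.4:*:..." -> ["a", "vmware", "tools", "3.3.4", "*", ...]
    return cpe23.split(":")[2:]


def cpe_matches(rule_cpe, dep_cpe):
    # Assumed prefix semantics: every component the partial rule CPE gives
    # (part, vendor, product, optionally version) must equal the report CPE's.
    want = cpe22_to_parts(rule_cpe)
    have = cpe23_to_parts(dep_cpe)
    return len(have) >= len(want) and all(w == h for w, h in zip(want, have))


def suppression_applies(dep, rule):
    # Both halves must hold: a package-url matching the regex AND a matching CPE.
    # No identified package-url means the rule silently does nothing.
    purl_re, rule_cpe = rule
    purl_ok = any(re.match(purl_re, p["id"]) for p in dep.get("packages", []))
    cpe_ok = any(cpe_matches(rule_cpe, v["id"]) for v in dep.get("vulnerabilityIds", []))
    return purl_ok and cpe_ok


def audit(report_json, rule):
    """One row (fileName, first purl or None, [CVEs], suppressed?) per dependency with the rule's CPE."""
    report = json.loads(report_json)
    rows = []
    for dep in report["dependencies"]:
        if not any(cpe_matches(rule[1], v["id"]) for v in dep.get("vulnerabilityIds", [])):
            continue
        purls = [p["id"] for p in dep.get("packages", [])]
        rows.append((dep["fileName"],
                     purls[0] if purls else None,
                     [v["name"] for v in dep.get("vulnerabilities", [])],
                     suppression_applies(dep, rule)))
    return rows


if __name__ == "__main__":
    for file_name, purl, cves, suppressed in audit(SAMPLE_REPORT, RULE):
        print(f"{file_name}: purl={purl} cves={cves} suppressed={suppressed}")
```

Point `audit` at a real `dependency-check-report.json` (read the file instead of `SAMPLE_REPORT`) to see the same split: a jar whose row shows `purl=None` will keep its CVEs no matter how fresh the hosted suppressions file is, because the published rule keys on the package-url.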

rpaasche commented 1 month ago

@aikebah

I see the problem now:

2024-09-26 21:06:01 |  [WARN] Hosted Suppressions file is empty or missing - attempting to force the update
2024-09-26 21:06:01 |  [WARN] Empty Hosted Suppression file after update, results may contain false positives already resolved by the DependencyCheck project due to failed download of the hosted suppression file

Will investigate this.

Thank you.

rpaasche commented 1 month ago

@aikebah

Found the reason and opened https://github.com/jeremylong/DependencyCheck/issues/6993