Closed hawkchen closed 1 month ago
This happens due to this very simplistic (and highly non-performant!) logic within the h3xstream RetireJS scanner which this project relies upon, not because of ODC itself:
The list of file patterns to evaluate is maintained by RetireJS upstream here and this is their defined methodology; which is not really for ODC or h3xstream to override.
As you can see, the first pattern is the one creating the false positive here: " pdfjs-dist@(§§version§§) "
To fix this would need either
s/pdfjs-dist@/pdf.js /g
If ODC users more widely disagree with the methodology of RetireJS matching file content regexes, the workaround is to disable the RetireJS scanner and reply on npm audit/yarn audit/NVD data only.
You can use surpressions to avoid this false positive until it is fixed. Retire.js is not an alternative to npm audit. Npm has a better database for anything that can be detected through package.json or similar. The goal for retire.js is to find places where developers have included javascript libraries by just bundling or copy the library file itself without any proper process for handling versions. Npm audit and retire.js serve different purposes.
I agree this regex was a bit simplistic and should have included more context around. I cannot fix it the next days though, so surpress or submit a fix PR if you need a fix faster.
I wasn't trying to imply they are equivalent - if they were there'd be no need for ODC to support :-) I took it was a given that OP would know they could suppress the individual issue.
It's also an unfortunately reality that sometimes suppressions are not possible/maintainable in cases where ODC doesn't know co-ordinates for the jar, as you get into sha or file-path based suppressions which can be pretty brittle.
Since this one seems to relate to an unreleased version of ZK, possibly unlikely that other users will see the specific issue here, but I tend to find people are surprised that the RetireJS analyzer is on by default (with the ODC Gradle plugin at least) and thus aren't familiar with the suite of analyzers within ODC and where the data sources are, especially if some jar they depend on happens to include some JS for functionality they don't use.
Anyway, more trying to help people understand where the logic sits, as otherwise downstream projects like ODC get inundated with issues that need to be addressed upstream (NVD, RetireJS, OSSIndex etc).
This should be fixed now with @chadlwilson ‘s PR to the retire.js repo
Describe the bug The dependency-check Maven plugin incorrectly identifies the version of pdf.js. It misinterprets a comment in
index.src.js
containing the string "pdfjs-dist@3.2.146" as the actual version of the pdf.js package.Version of dependency-check used The problem occurs using version 10.0.2 of the dependency-check Maven plugin.
Log file
To Reproduce Steps to reproduce the behavior:
zkex-10.0.1.jar
aspdf.js@3.2.146
.Expected behavior The plugin should correctly identify the version of pdf.js and not misinterpret comments within the code.
Additional context The issue arises because
index.src.js
containspdfjs-dist@3.2.146
in the comment:I verified the problem by rewriting the string "pdfjs-dist@3.2.146" to "3.2.146", and it doesn't report the wrong version.