jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: False positive for CVE-2024-35255 in com.microsoft.azure/msal4j@1.15.1 #6840

Open juanmanuelromeraferrio opened 1 month ago

juanmanuelromeraferrio commented 1 month ago

Package URL

pkg:maven/com.microsoft.azure/msal4j@1.15.1

CPE

cpe:2.3:a:microsoft:authentication_library:1.15.1:*:*:*:*:*:*:*

CVE

CVE-2024-35255

ODC Integration

CLI

ODC Version

10.0.2

Description

The msal4j library version 1.15.1 is marked as excluded for CVE-2024-35255, but is still being reported as vulnerable. This appears to be a false positive, as the vulnerability should not apply to versions 1.15.1 and above.

github-actions[bot] commented 1 month ago

Maven Coordinates

<dependency>
   <groupId>com.microsoft.azure</groupId>
   <artifactId>msal4j</artifactId>
   <version>1.15.1</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6840
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/msal4j@.*$</packageUrl>
   <cpe>cpe:/a:microsoft:authentication_library</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9941860681

github-actions[bot] commented 1 month ago

Maven Coordinates

<dependency>
   <groupId>com.microsoft.azure</groupId>
   <artifactId>msal4j</artifactId>
   <version>1.15.1</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6840
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/msal4j@.*$</packageUrl>
   <cpe>cpe:/a:microsoft:authentication_library</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9941871855

github-actions[bot] commented 1 month ago

Maven Coordinates

<dependency>
   <groupId>com.microsoft.azure</groupId>
   <artifactId>msal4j</artifactId>
   <version>1.15.1</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6840
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/msal4j@.*$</packageUrl>
   <cpe>cpe:/a:microsoft:authentication_library</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9941886001

matthiaskraaz commented 1 month ago

Not good. This also suppresses true positives.

The match to cpe:/a:microsoft:authentication_library:::~~~node.js~~ and cpe:/a:microsoft:authentication_library:::~~~.net~~ respectively cpe:2.3:a:microsoft:authentication_library:*:*:*:*:*:node.js:*:* and cpe:2.3:a:microsoft:authentication_library:*:*:*:*:*:.net:*:* should be suppressed, while the match to cpe:/a:microsoft:authentication_library:::~~~java~~ respectively cpe:2.3:a:microsoft:authentication_library:*:*:*:*:*:java:*:* must be kept.

What is the correct syntax in suppressions.xml for that? Thanks in advance for your help.

BTW: Does suppressions.xml really only accept CPE 2.2 and not CPE 2.3? Would be nice to have CPE 2.3 in suppressions.xml, so it is aligned with the report.
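The two spellings quoted in the comment above (the `cpe:/...:::~~~node.js~~` URI and the `cpe:2.3:...:node.js:*:*` formatted string) are the same name under two bindings of the CPE 2.3 naming specification (NIST IR 7695): in the URI form ANY is an empty component, and sw_edition/target_sw/target_hw/other are packed into the edition slot between tildes. The script below is an added example, not code from dependency-check or from anyone in this thread: it converts between the two forms and then keeps only the vulnerable-configuration entries whose target_sw is the runtime in question. The three input CPEs are constructed from the comment above rather than taken from the NVD feed, and the function names are my own.

```python
"""Map CPE 2.3 formatted strings to CPE 2.2 URIs and back, then filter by target_sw.

Added example for this thread; it is not code from dependency-check or from any
commenter. It follows the URI and formatted-string bindings in NIST IR 7695
(CPE Naming 2.3): in the URI form ANY ("*") is bound to an empty component, and
sw_edition/target_sw/target_hw/other are packed into the edition slot as
"~edition~sw_edition~target_sw~target_hw~other" when any of them is set.
Limitations (assumptions of this example): no percent-encoding, and values
containing an escaped colon are not handled.
"""

# Attribute order of a CPE 2.3 formatted string after the "cpe:2.3:" prefix.
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")
EXTENDED = ("sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(fs: str) -> dict:
    """Parse a CPE 2.3 formatted string into {attribute: value}; "*" means ANY."""
    if not fs.startswith("cpe:2.3:"):
        raise ValueError(f"not a CPE 2.3 formatted string: {fs}")
    comps = fs[len("cpe:2.3:"):].split(":")
    if len(comps) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} components, got {len(comps)}: {fs}")
    return dict(zip(FIELDS, comps))


def bind_to_fs(cpe: dict) -> str:
    """Render the attribute dict as a CPE 2.3 formatted string."""
    return "cpe:2.3:" + ":".join(cpe[k] for k in FIELDS)


def bind_to_uri(cpe: dict) -> str:
    """Render the attribute dict as a CPE 2.2 URI (the form the suppression rules above use)."""
    def bind(v: str) -> str:
        return "" if v == "*" else v          # ANY becomes an empty component

    edition = bind(cpe["edition"])
    extended = [bind(cpe[k]) for k in EXTENDED]
    if any(extended):                         # pack extended attributes into edition
        edition = "~" + "~".join([edition] + extended)
    comps = [bind(cpe[k]) for k in ("part", "vendor", "product", "version", "update")]
    comps += [edition, bind(cpe["language"])]
    while comps and comps[-1] == "":          # trailing empty components are dropped
        comps.pop()
    return "cpe:/" + ":".join(comps)


def unbind_uri(uri: str) -> dict:
    """Parse a CPE 2.2 URI back into the attribute dict; empty components mean ANY."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri}")
    comps = uri[len("cpe:/"):].split(":")
    comps += [""] * (7 - len(comps))          # restore dropped trailing components
    part, vendor, product, version, update, edition, language = comps[:7]

    def unbind(v: str) -> str:
        return "*" if v == "" else v

    cpe = {"part": unbind(part), "vendor": unbind(vendor), "product": unbind(product),
           "version": unbind(version), "update": unbind(update),
           "edition": unbind(edition), "language": unbind(language)}
    cpe.update({k: "*" for k in EXTENDED})
    if edition.startswith("~"):               # packed edition: ~ed~sw_ed~target_sw~target_hw~other
        packed = edition.split("~")
        if len(packed) != 6:
            raise ValueError(f"malformed packed edition: {edition}")
        for key, value in zip(("edition",) + EXTENDED, packed[1:]):
            cpe[key] = unbind(value)
    return cpe


def keep_for_runtime(vuln_cpes, runtime: str) -> list:
    """Keep the vulnerable-configuration CPEs whose target_sw is `runtime` or ANY.

    A wildcard target_sw applies to every platform, so it must not be dropped.
    """
    return [fs for fs in vuln_cpes if parse_cpe23(fs)["target_sw"] in ("*", runtime)]


# Constructed sample: the three vulnerable-configuration spellings quoted in the
# comment above, in CPE 2.3 form (not pulled from the NVD feed).
VULN_CONFIG_CPES = [
    "cpe:2.3:a:microsoft:authentication_library:*:*:*:*:*:node.js:*:*",
    "cpe:2.3:a:microsoft:authentication_library:*:*:*:*:*:.net:*:*",
    "cpe:2.3:a:microsoft:authentication_library:*:*:*:*:*:java:*:*",
]


if __name__ == "__main__":
    for fs in VULN_CONFIG_CPES:
        uri = bind_to_uri(parse_cpe23(fs))
        assert bind_to_fs(unbind_uri(uri)) == fs    # round trip is lossless here
        print(f"{fs}\n  -> {uri}")
    print("applies to the Java library:", keep_for_runtime(VULN_CONFIG_CPES, "java"))
```

If the goal is only to silence this one CVE for msal4j without hiding other findings, dependency-check's suppression schema also has a `<cve>` element, so a project-local rule can combine the bot's `<packageUrl>` pattern with `<cve>CVE-2024-35255</cve>` instead of matching the whole `cpe:/a:microsoft:authentication_library` prefix.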

juanmanuelromeraferrio commented 1 month ago

Hi,

Thank you for your response. I just wanted to report that the msal4j library version 1.15.1 is incorrectly marked as vulnerable to CVE-2024-35255, which appears to be a false positive. I did not intend to propose a specific suppression solution.

Could you please advise on how to proceed or if there are any additional steps I need to take to ensure this false positive is properly handled?

Thank you in advance for your help.

trask commented 1 month ago

I had a similar finding to @matthiaskraaz, which is that libraries/versions for other languages (e.g. Python and JavaScript) are getting matched

vil2be commented 3 weeks ago

Hi, is there any update on this?

denAbramoff commented 1 week ago

Any news?