jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: Node.js bignum library vulnerability being flagged in Kotlin bignum library #6863

Open volkert-fastned opened 1 month ago

volkert-fastned commented 1 month ago

Package URL

pkg:maven/com.ionspin.kotlin/bignum@0.3.9

CPE

cpe:2.3:a:bignum_project:bignum:0.3.9:*:*:*:*:*:*:*

CVE

CVE-2022-25324

ODC Integration

{"label"=>"Gradle Plugin"}

ODC Version

10.0.3

Description

This broad CPE gets flagged in multiple packages:

To be fair, this bignum dependency is a Kotlin Multiplatform Library, with (among other backends) a JS backend, which may very well be using the Node.js bignum library underneath. But I don't think that's what's being flagged here. It really looks like another typical example of a generic CPE pattern being applied too broadly.

Could the Dependency Check plugin(s) be somehow improved so that it would recognize the platform(s) to which a CVE applies, and take that into account when matching CPEs with project dependencies? Thanks.

github-actions[bot] commented 1 month ago

Maven Coordinates

    <dependency>
       <groupId>com.ionspin.kotlin</groupId>
       <artifactId>bignum</artifactId>
       <version>0.3.9</version>
    </dependency>

Suppression rule:

    <suppress base="true">
       <notes><![CDATA[
       FP per issue #6863
       ]]></notes>
       <packageUrl regex="true">^pkg:maven/com\.ionspin\.kotlin/bignum@.*$</packageUrl>
       <cpe>cpe:/a:bignum_project:bignum</cpe>
    </suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10040197518

volkert-fastned commented 1 month ago

This broader CVE-level suppression worked for me, but it does assume that the JS-specific dependencies of this KMP library don't actually depend on the affected JS library:

    <suppress>
        <notes><![CDATA[
        FP per issue #6863
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.ionspin\.kotlin/bignum.*$</packageUrl>
        <cve>CVE-2022-25324</cve>
    </suppress>

aikebah commented 1 month ago

@volkert-fastned "depending on" is not an issue with the suppressions. Only if another package were packaging the affected JS in its own artifact would it be triggering an improper suppression.

Why do you not simply suppress the CPE? With your suppression each future CVE on the same JS library would also get (wrongly, assuming it's not packaging that JS file internally) linked again to your Kotlin artifacts.
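To make the difference between the two proposed rules concrete, here is an added Python model (not dependency-check's own matching code) that applies both suppression rules from this thread to constructed findings. It assumes simplified ODC semantics (the packageUrl filter must match, then either a prefix-matched cpe or an exact cve suppresses) and uses an obviously placeholder id for a hypothetical future CVE on the same CPE.

```python
import re
import xml.etree.ElementTree as ET

# The two rules proposed in the thread (notes omitted); raw strings keep the regex escapes.
CPE_RULE = r"""<suppress base="true">
   <packageUrl regex="true">^pkg:maven/com\.ionspin\.kotlin/bignum@.*$</packageUrl>
   <cpe>cpe:/a:bignum_project:bignum</cpe>
</suppress>"""
CVE_RULE = r"""<suppress>
   <packageUrl regex="true">^pkg:maven/com\.ionspin\.kotlin/bignum.*$</packageUrl>
   <cve>CVE-2022-25324</cve>
</suppress>"""

KMP_PURL = "pkg:maven/com.ionspin.kotlin/bignum@0.3.9"
BIGNUM_CPE = "cpe:2.3:a:bignum_project:bignum:0.3.9:*:*:*:*:*:*:*"
# Constructed findings as (purl, cpe, cve): the false positive from the issue, a
# placeholder for a future CVE on the same CPE (not a real id), and an npm bignum
# package (constructed version) that genuinely matches the CPE and must stay reported.
FINDINGS = [
    (KMP_PURL, BIGNUM_CPE, "CVE-2022-25324"),
    (KMP_PURL, BIGNUM_CPE, "CVE-FUTURE-PLACEHOLDER"),
    ("pkg:npm/bignum@0.0.0", BIGNUM_CPE, "CVE-2022-25324"),
]

def cpe_parts(cpe: str) -> list:
    """Normalise CPE 2.2 ('cpe:/a:vendor:product') or 2.3 ('cpe:2.3:a:vendor:...')
    to a list [part, vendor, product, version, ...] so prefixes can be compared."""
    f = cpe.split(":")
    return f[2:] if f[1] == "2.3" else [f[1].lstrip("/")] + f[2:]

def rule_suppresses(rule_xml: str, purl: str, cpe: str, cve: str) -> bool:
    """Simplified model of an ODC <suppress> rule (assumption, not ODC's own code):
    the packageUrl filter must match, then either <cpe> (prefix) or <cve> (exact)."""
    rule = ET.fromstring(rule_xml)
    filt = rule.find("packageUrl")
    if filt is not None:
        pattern = filt.text.strip()
        matched = re.match(pattern, purl) if filt.get("regex") == "true" else pattern == purl
        if not matched:
            return False
    for el in rule.findall("cpe"):
        prefix = cpe_parts(el.text.strip())
        if cpe_parts(cpe)[: len(prefix)] == prefix:
            return True
    return any(el.text.strip() == cve for el in rule.findall("cve"))

def remaining_findings(rule_xml: str, findings=FINDINGS) -> list:
    """(purl, cve) pairs a scan would still report after applying the rule."""
    return [(p, v) for p, c, v in findings if not rule_suppresses(rule_xml, p, c, v)]
```

With the CPE rule only the npm package remains reported; with the CVE rule the placeholder future CVE on the Kotlin artifact comes back as well, which is the re-linking aikebah describes.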