jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: vulnerability in `date-and-time` (NPM) dependencies being flagged in `kotlinx-datetime` dependencies #6864

Open volkert-fastned opened 4 months ago

volkert-fastned commented 4 months ago

Package URL

pkg:maven/org.jetbrains.kotlinx/kotlinx-datetime*

CPE

cpe:2.3:a:date-and-time_project:date-and-time:0.6.0:*:*:*:*:*:*:*

CVE

CVE-2020-26289

ODC Integration

Gradle Plugin

ODC Version

10.0.3

Description

This NPM-specific CPE is apparently being erroneously applied to multiple Kotlin dependencies:

kotlinx-datetime-0.6.0-sources.jar  cpe:2.3:a:date-and-time_project:date-and-time:0.6.0:*:*:*:*:*:*:*   pkg:maven/org.jetbrains.kotlinx/kotlinx-datetime@0.6.0
kotlinx-datetime-js-0.6.0-sources.jar   cpe:2.3:a:date-and-time_project:date-and-time:0.6.0:*:*:*:*:*:*:*   pkg:maven/org.jetbrains.kotlinx/kotlinx-datetime-js@0.6.0
kotlinx-datetime-jvm-0.6.0-sources.jar  cpe:2.3:a:date-and-time_project:date-and-time:0.6.0:*:*:*:*:*:*:*   pkg:maven/org.jetbrains.kotlinx/kotlinx-datetime-jvm@0.6.0
kotlinx-datetime-macosarm64-0.6.0-sources.jar   cpe:2.3:a:date-and-time_project:date-and-time:0.6.0:*:*:*:*:*:*:*   pkg:maven/org.jetbrains.kotlinx/kotlinx-datetime-macosarm64@0.6.0

Since kotlinx-datetime is a Kotlin Multiplatform (KMP) library, the JS-specific dependencies of that library, such as kotlinx-datetime-js, could at least in theory be affected by this vulnerability if they depend on affected versions of the date-and-time NPM dependency, but it doesn't look like that's the reason why this vulnerability is getting flagged. (Even if it did, it should only flag it on the applicable -js dependencies of the library.)

github-actions[bot] commented 4 months ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/10040271163

github-actions[bot] commented 4 months ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/10040275711

github-actions[bot] commented 4 months ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/10040307470

volkert-fastned commented 4 months ago

The likely reason github-actions couldn't automatically evaluate the false positives is that I suffixed the Maven package with an asterisk (*), to make it clear that all packages that start with pkg:maven/org.jetbrains.kotlinx/kotlinx-datetime are apparently flagged by this FP.

volkert-fastned commented 4 months ago

This broader CVE-level suppression worked for me, but it does assume that the JS-specific dependencies of this KMP library don't actually depend on the affected JS library:

    <suppress>
        <notes><![CDATA[
        FP per issue #6864
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlinx/kotlinx-datetime.*$</packageUrl>
        <cve>CVE-2020-26289</cve>
    </suppress>
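A note on the suppression above, with an added example that is not part of this issue thread and not code from dependency-check itself. A <cve> suppression only hides CVE-2020-26289; the wrong CPE stays attached to the kotlinx-datetime artifacts, so any future CVE filed against date-and-time comes back on the next scan. Suppressing the mis-identified CPE (scoped to the affected packageUrl) removes the wrong identification while leaving any correct CPE matches on the same jars in place. The script below walks a dependency-check JSON report, flags CPEs whose vendor/product do not resemble the Maven coordinates they were attached to (a triage heuristic, not a verdict: the -js artifact still has to be checked by hand for a bundled date-and-time NPM package), and emits CPE-scoped suppressions for them. The report fragment is constructed from the four rows in this issue plus one correctly identified control artifact (jackson-databind 2.9.8 / CVE-2019-12384); the report key names `dependencies[].packages[].id`, `vulnerabilityIds[].id` and `vulnerabilities[].name` are assumed to match the JSON report format.

```python
"""Triage CPE matches in a dependency-check JSON report that do not resemble
the Maven coordinates they were attached to, and emit a CPE-scoped
suppression for them. Added example; not code from the issue or from
dependency-check."""
import re
from xml.sax.saxutils import escape

# Constructed report fragment in the shape of the dependency-check JSON report
# (key names dependencies[].packages[].id, vulnerabilityIds[].id and
# vulnerabilities[].name are assumed here). Rows taken from issue #6864, plus
# one correctly identified control artifact.
SAMPLE_REPORT = {
    "dependencies": [
        {
            "fileName": f"kotlinx-datetime{suffix}-0.6.0-sources.jar",
            "packages": [{"id": f"pkg:maven/org.jetbrains.kotlinx/kotlinx-datetime{suffix}@0.6.0"}],
            "vulnerabilityIds": [{"id": "cpe:2.3:a:date-and-time_project:date-and-time:0.6.0:*:*:*:*:*:*:*"}],
            "vulnerabilities": [{"name": "CVE-2020-26289"}],
        }
        for suffix in ("", "-js", "-jvm", "-macosarm64")
    ] + [
        {
            "fileName": "jackson-databind-2.9.8.jar",
            "packages": [{"id": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8"}],
            "vulnerabilityIds": [{"id": "cpe:2.3:a:fasterxml:jackson-databind:2.9.8:*:*:*:*:*:*:*"}],
            "vulnerabilities": [{"name": "CVE-2019-12384"}],
        },
    ],
}

PURL_RE = re.compile(r"^pkg:maven/(?P<group>[^/]+)/(?P<artifact>[^@]+)@")


def _norm(s):
    """Lower-case and drop separators so 'date-and-time' == 'date_and_time'."""
    return re.sub(r"[-_.]", "", s.lower())


def cpe_vendor_product(cpe):
    """cpe:2.3:a:vendor:product:version:... -> (vendor, product)."""
    parts = cpe.split(":")
    return parts[3], parts[4]


def looks_mismatched(purl, cpe):
    """Heuristic: flag a CPE whose product is unrelated to the artifactId and
    whose vendor is unrelated to the groupId/artifactId. A hit means 'inspect',
    not 'false positive'; a non-Maven purl is never flagged."""
    m = PURL_RE.match(purl)
    if not m:
        return False
    group, artifact = _norm(m["group"]), _norm(m["artifact"])
    vendor, product = cpe_vendor_product(cpe)
    vendor = _norm(re.sub(r"_project$", "", vendor))  # NVD's synthetic vendor suffix
    product = _norm(product)
    product_ok = product in artifact or artifact in product
    vendor_ok = vendor in group or vendor in artifact
    return not (product_ok or vendor_ok)


def find_suspect_matches(report):
    """Return one record per (dependency, purl, cpe) that looks mismatched."""
    suspects = []
    for dep in report.get("dependencies", []):
        cves = [v["name"] for v in dep.get("vulnerabilities", [])]
        for pkg in dep.get("packages", []):
            for vid in dep.get("vulnerabilityIds", []):
                if looks_mismatched(pkg["id"], vid["id"]):
                    suspects.append({"file": dep.get("fileName"), "purl": pkg["id"],
                                     "cpe": vid["id"], "cves": cves})
    return suspects


def build_suppressions(suspects, note):
    """Emit suppressions.xml entries that drop the mis-identified CPE for each
    artifact (any version) instead of silencing individual CVEs, so a future
    CVE against the same wrong CPE does not come back."""
    lines = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">',
    ]
    seen = set()
    for s in suspects:
        m = PURL_RE.match(s["purl"])
        vendor, product = cpe_vendor_product(s["cpe"])
        key = (m["group"], m["artifact"], vendor, product)
        if key in seen:
            continue  # one entry per artifact/CPE pair, whatever the version
        seen.add(key)
        purl_regex = "^pkg:maven/%s/%s@.*$" % (re.escape(m["group"]), re.escape(m["artifact"]))
        lines += [
            "  <suppress>",
            "    <notes><![CDATA[%s]]></notes>" % note.replace("]]>", "]]]]><![CDATA[>"),
            '    <packageUrl regex="true">%s</packageUrl>' % escape(purl_regex),
            "    <cpe>cpe:/a:%s:%s</cpe>" % (escape(vendor), escape(product)),
            "  </suppress>",
        ]
    lines.append("</suppressions>")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_suspect_matches(SAMPLE_REPORT)
    for s in found:
        print("%s: %s <- %s (%s)" % (s["file"], s["purl"], s["cpe"], ", ".join(s["cves"])))
    print(build_suppressions(found, "FP per issue #6864: NPM date-and-time CPE applied to kotlinx-datetime"))
```

Against the constructed report the script flags the four kotlinx-datetime artifacts and leaves jackson-databind alone, and the generated file contains one CPE-scoped <suppress> per artifact and no <cve> element. To use it on a real scan, load the `dependency-check-report.json` produced by the Gradle plugin in place of SAMPLE_REPORT and review each flagged row before committing the suppression.
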

aikebah commented 1 month ago

@volkert-fastned do you still get these FPs? I tried locally to reproduce it using

// buildscript {} has to come before plugins {}: Gradle rejects a buildscript block that follows a plugins block
buildscript {
    repositories {
        mavenLocal()
        maven {
            url = uri("https://plugins.gradle.org/m2/")
        }
        mavenCentral()
    }
    dependencies {
        classpath("org.owasp:dependency-check-gradle:10.0.4")
    }
}

plugins {
    kotlin("jvm") version "1.8.0"
}

// Imperative apply, since the plugin is on the buildscript classpath rather than declared in plugins {}
apply(plugin = "org.owasp.dependencycheck")

group = "com.example"
version = "1.0-SNAPSHOT"

repositories {
    mavenLocal()
    mavenCentral()
}

dependencies {
    // The four artifacts flagged in the report above, pinned to the version from the issue
    implementation("org.jetbrains.kotlinx", "kotlinx-datetime", "0.6.0")
    implementation("org.jetbrains.kotlinx", "kotlinx-datetime-js", "0.6.0")
    implementation("org.jetbrains.kotlinx", "kotlinx-datetime-jvm", "0.6.0")
    implementation("org.jetbrains.kotlinx", "kotlinx-datetime-macosarm64", "0.6.0")
}

but the false positives do not show up.