jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: vulnerability in `date-and-time` (NPM) dependencies being flagged in `kotlinx-datetime` dependencies #6864

Open volkert-fastned opened 1 month ago

volkert-fastned commented 1 month ago

Package URL

pkg:maven/org.jetbrains.kotlinx/kotlinx-datetime*

CPE

cpe:2.3:a:date-and-time_project:date-and-time:0.6.0:*:*:*:*:*:*:*

CVE

CVE-2020-26289

ODC Integration

Gradle Plugin

ODC Version

10.0.3

Description

This NPM-specific CPE is apparently being erroneously applied to multiple Kotlin dependencies:

| Dependency | CPE | Package URL |
|---|---|---|
| kotlinx-datetime-0.6.0-sources.jar | cpe:2.3:a:date-and-time_project:date-and-time:0.6.0:*:*:*:*:*:*:* | pkg:maven/org.jetbrains.kotlinx/kotlinx-datetime@0.6.0 |
| kotlinx-datetime-js-0.6.0-sources.jar | cpe:2.3:a:date-and-time_project:date-and-time:0.6.0:*:*:*:*:*:*:* | pkg:maven/org.jetbrains.kotlinx/kotlinx-datetime-js@0.6.0 |
| kotlinx-datetime-jvm-0.6.0-sources.jar | cpe:2.3:a:date-and-time_project:date-and-time:0.6.0:*:*:*:*:*:*:* | pkg:maven/org.jetbrains.kotlinx/kotlinx-datetime-jvm@0.6.0 |
| kotlinx-datetime-macosarm64-0.6.0-sources.jar | cpe:2.3:a:date-and-time_project:date-and-time:0.6.0:*:*:*:*:*:*:* | pkg:maven/org.jetbrains.kotlinx/kotlinx-datetime-macosarm64@0.6.0 |

Since kotlinx-datetime is a Kotlin Multiplatform (KMP) library, the JS-specific dependencies of that library, such as kotlinx-datetime-js, could at least in theory be affected by this vulnerability if they depend on affected versions of the date-and-time NPM dependency, but it doesn't look like that's the reason why this vulnerability is getting flagged. (Even if it did, it should only flag it on the applicable -js dependencies of the library.)

github-actions[bot] commented 1 month ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/10040271163

github-actions[bot] commented 1 month ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/10040275711

github-actions[bot] commented 1 month ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/10040307470

volkert-fastned commented 1 month ago

The likely reason why github-actions couldn't automatically evaluate the false positives was probably because I suffixed the Maven package with an asterisk (*), to make it clear that all packages that start with pkg:maven/org.jetbrains.kotlinx/kotlinx-datetime are apparently flagged by this FP.

volkert-fastned commented 1 month ago

This broader CVE-level suppression worked for me, but it does assume that the JS-specific dependencies of this KMP library don't actually depend on the affected JS library:

```xml
<suppress>
    <notes><![CDATA[
    FP per issue #6864
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlinx/kotlinx-datetime.*$</packageUrl>
    <cve>CVE-2020-26289</cve>
</suppress>
```
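An alternative suppression, added here as an example and not posted by the commenter or shipped by the project: the root cause of the report is the wrong CPE, not the single CVE, so scoping the rule to the `date-and-time_project` CPE on the kotlinx-datetime artifacts suppresses every CVE attributed through that CPE (including any published later) while leaving any finding that dependency-check attributes to kotlinx-datetime under a correct CPE, and any nested npm `date-and-time` package that might be found inside a `-js` jar under its own `pkg:npm/...` URL, unsuppressed. The `<suppressions>` wrapper and schema namespace are shown so the file is complete; the version-less `cpe:/a:` form assumes the prefix matching that dependency-check's suppression documentation describes for `<cpe>`, so if your version of the tool behaves differently, use the full `cpe:/a:date-and-time_project:date-and-time:0.6.0` value from the report.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- Suppress the mis-attributed npm CPE on every kotlinx-datetime KMP artifact
         (core, -jvm, -js, -macosarm64, ...). Scoped to the CPE rather than to one
         CVE so that all CVEs reached through that CPE are covered, while findings
         attributed to kotlinx-datetime under its own CPE still fire. -->
    <suppress>
        <notes><![CDATA[
        FP: npm date-and-time CPE matched against Maven kotlinx-datetime artifacts
        (issue #6864). Assumes the -js artifacts do not bundle the npm date-and-time
        package; a bundled copy would surface as its own pkg:npm dependency and is
        not covered by this packageUrl pattern.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlinx/kotlinx-datetime.*$</packageUrl>
        <cpe>cpe:/a:date-and-time_project:date-and-time</cpe>
    </suppress>
</suppressions>
```

After adding the rule, re-run the scan and confirm in the report that the four artifacts listed above no longer carry the `date-and-time_project` CPE; if any still show a CVE, it is being attributed via a different identifier and needs a separate look rather than a broader suppression.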