jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: Quarkus postgresql extension for CVE-2015-0244 #6879

Open edward9944 opened 3 months ago

edward9944 commented 3 months ago

Package URL

pkg:maven/io.quarkus/quarkus-jdbc-postgresql@3.2.7.Final

CPE

cpe:2.3:a:postgresql:postgresql:3.2.7:::::::, cpe:2.3:a:quarkus:quarkus:3.2.7:::::::

CVE

CVE-2015-0244

ODC Integration

None

ODC Version

10.0.3

Description

The actual vulnerable postgresql version for CVE-2015-0244 is less than 9.4.1; however, Quarkus uses postgresql version 42.6.0. Quarkus has packaged the postgresql extension jar as version 3.2.7, so OWASP considers this the actual postgresql and marks it as vulnerable.

Note: the Package URL was missing from the OWASP scan result; since it is mandatory to provide a package URL to create an issue in GitHub, we provided it manually.

github-actions[bot] commented 3 months ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/10243313625

github-actions[bot] commented 3 months ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/10243349218

github-actions[bot] commented 3 months ago

Maven Coordinates

<dependency>
   <groupId>io.quarkus</groupId>
   <artifactId>quarkus-jdbc-postgresql</artifactId>
   <version>3.2.7.Final</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6879
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/io\.quarkus/quarkus-jdbc-postgresql@.*$</packageUrl>
   <cpe>cpe:/a:postgresql:postgresql</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10243364212
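To see what the generated rule would actually do against the finding in this issue, here is an added example (not dependency-check's own code, and a deliberate simplification of its matching) that models the two conditions of the rule: the packageUrl regex decides whether the rule applies to the artifact at all, and the partial CPE 2.2 value `cpe:/a:postgresql:postgresql` then drops every postgresql:postgresql CPE regardless of version while leaving the quarkus CPE untouched. The finding data is taken from the issue text; CPE escaping and the remaining 2.3 components are ignored.

```python
from __future__ import annotations
import re
from typing import List, Optional, Tuple

# Finding as reported in this issue (purl supplied by hand, CPEs from the report).
FINDING_PURL = "pkg:maven/io.quarkus/quarkus-jdbc-postgresql@3.2.7.Final"
FINDING_CPES = [
    "cpe:2.3:a:postgresql:postgresql:3.2.7:::::::",
    "cpe:2.3:a:quarkus:quarkus:3.2.7:::::::",
]

# The suppression rule the bot generated, expressed as data.
RULE_PURL_REGEX = r"^pkg:maven/io\.quarkus/quarkus-jdbc-postgresql@.*$"
RULE_CPE = "cpe:/a:postgresql:postgresql"   # partial CPE 2.2: vendor:product only


def cpe_parts(cpe: str) -> Tuple[str, str, Optional[str]]:
    """Return (vendor, product, version or None) for a CPE 2.2 or 2.3 string.
    Simplified model: no unescaping, later 2.3 components are ignored."""
    if cpe.startswith("cpe:2.3:"):
        fields = cpe.split(":")[2:]             # part, vendor, product, version, ...
    elif cpe.startswith("cpe:/"):
        fields = cpe[len("cpe:/"):].split(":")  # part, vendor, product, [version]
    else:
        raise ValueError(f"unrecognised CPE: {cpe}")
    vendor, product = fields[1], fields[2]
    has_version = len(fields) > 3 and fields[3] not in ("", "*", "-")
    return vendor, product, fields[3] if has_version else None


def cpe_suppressed(rule_cpe: str, finding_cpe: str) -> bool:
    """A rule CPE without a version matches every version of vendor:product;
    a rule CPE with a version matches only that exact version."""
    rv, rp, rver = cpe_parts(rule_cpe)
    fv, fp, fver = cpe_parts(finding_cpe)
    return (rv, rp) == (fv, fp) and (rver is None or rver == fver)


def apply_rule(purl: str, cpes: List[str]) -> List[str]:
    """CPEs left on the dependency after the rule runs. The purl regex scopes
    the rule to the Quarkus artifact; other artifacts keep all their CPEs."""
    if not re.match(RULE_PURL_REGEX, purl):
        return list(cpes)
    return [c for c in cpes if not cpe_suppressed(RULE_CPE, c)]
```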

aikebah commented 3 months ago

@edward9944 - refer to #6817 - you are running an outdated DependencyCheck version that is no longer to be used. Your FP does not appear to be reproducible.

edward9944 commented 3 months ago

@aikebah we have tried with dependency-check version 10.0.3 and we are still getting the CVE in the OWASP report.

github-actions[bot] commented 3 months ago

Maven Coordinates

<dependency>
   <groupId>io.quarkus</groupId>
   <artifactId>quarkus-jdbc-postgresql</artifactId>
   <version>3.2.7.Final</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6879
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/io\.quarkus/quarkus-jdbc-postgresql@.*$</packageUrl>
   <cpe>cpe:/a:postgresql:postgresql</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10299619013

aikebah commented 3 months ago

@edward9944 Can you check whether your jar file is properly identical to the artifact as hosted on Maven Central:

quarkus-jdbc-postgresql-3.2.7.Final.jar
File Path: /github/workspace/fp-project/target/dependency/quarkus-jdbc-postgresql-3.2.7.Final.jar
MD5: 63f6d3dea0a1cffbf8caa6ba51b6598f
SHA1: 518c11c2dc504c406dbb89d8dda75febf10cd279
SHA256: 6139116c314df62a6e4c83c396b70c5bf932cea93c2c0865eb12de42d4ff84d6

It should get joined up with the other Quarkus libraries and not be linked to postgresql.

If your file is not binary equivalent, that might explain an improper match to postgresql due to fuzzy text matching (typically in those cases the pkgurl would not be in the report, as the CLI was unable to link it to a Maven G/A/V; similar might happen if you disable the CentralAnalyzer and don't configure a NexusAnalyzer to replace it).

A CLI run on the jar files obtained from Maven Central is expected to bundle the quarkus-jdbc-postgresql library with the other Quarkus libraries of the same version in the report as a 'related dependency'.

edward9944 commented 3 months ago

I have cross-checked the MD5 value between the Maven Central repository and our own repository and it looks the same.