DB2/OpenSSL False positives

[javixeneize]

Hi

I am analysing a tool as part of a bug bounty program and i have ended analysing a horrible DB2 driver (version 9.7.0.11). The report shows a lot of false positives. Looks like it is ignoring the version and is returning all the known vulnerabilities for DB2, as CVE-2007-3676, CVE-2007-2582 or CVE-2008-4692 that were in the very first versions of DB2 only

Apparently, that version only has two known vulnerabilities https://www.cvedetails.com/vulnerability-list/vendor_id-14/product_id-3424/version_id-194076/IBM-DB2-9.7.0.11.html

I have seen something like that with openssl libraries as well, where it is reporting vulnerabiltiies from 1999 in the 1.1.0e version

[jeremylong]

Can you tell me the GAV coordinates of the DB2 driver you are looking at? Also, can you tell me what the identified CPE value in the dependency-check report is?

[javixeneize]

Hi

com.ibm.db2.jcc db2jcc 4.14.137

CPE (confidence is LOW)

(cpe:/a:ibm:db2:-) https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aibm%3Adb2 cpe:/a:ibm:db2_connect:10.1 cpe:/a:ibm:db2 cpe:/a:ibm:db2:9.5 cpe:/a:ibm:db2:9.5:fp3a cpe:/a:ibm:db2:9.5:fp4a software>cpe:/a:ibm:db2:9.7 cpe:/a:ibm:db2:9.5:fp2a cpe:/a:ibm:db2:9.5:fp3b cpe:/a:ibm:db2:9.5:fp6a cpe:/a:ibm:db2:9.5:fp6 cpe:/a:ibm:db2:9.5:fp5 cpe:/a:ibm:db2:9.7:fp2 cpe:/a:ibm:db2:9.7:fp1 cpe:/a:ibm:db2:9.5:fp2 cpe:/a:ibm:db2:9.5:fp1 cpe:/a:ibm:db2:9.7:fp3 cpe:/a:ibm:db2:9.5:fp4 cpe:/a:ibm:db2:9.5:fp3

[jeremylong]

Is the jar in a public repo? The only version that is close that I can find referenced in mvnrepository is com.ibm.db2.jcc:db2jcc:4.14.137.

Any chance you could share the HTML report for just the single JAR file?

[jeremylong]

The other item I would point out is that dependency-check generally reports a lot of FP for database drivers. This is because there are very few (if any) instances where the DB driver has a CPE that is different than the server. With dependency-check we have taken the stance that these will be reported - they may not be an issue for your application, but may indicate an issue in your environment (i.e. outdated server software). See issue #266 and #623 for more information.

[javixeneize]

Hi

This is a private repo. This one you have referred is version 10.1

I cant share the html report as in the pipeline, this file is not accessible from jenkins (could be a nice improvement though)

I think the problem is exactly that... Its picking it as cpe:/a:ibm:db2:9.7:fp2 when its fp11). Not sure if anything could be done to improve it

Same thing happens with openssl

Thanks

[jeremylong]

I opened #811 to track adding the update and edition matching.

[jeremylong]

Closing this issue and tracking the enhancement via #811.

[lock[bot]]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.