owasp-dep-scan / dep-scan

OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.
https://owasp.org/www-project-dep-scan/
MIT License

Bug: Depscan identifies incorrect dependencies and incorrect vulnerabilities #320

Closed lantzemil closed 3 days ago

lantzemil commented 4 days ago

Expected Behavior

Depscan should identify correct dependencies and incorrect vulnerabilities. In one repo, it finds npm dependencies that are not actually in use in the repo at all.


Actual Behavior

If we perform a depscan on, for instance, https://github.com/opencv/opencv, we will find dependencies such as xvideos, which is not a dependency in this repo. It's most likely found due to this being a substring in a class or similar.


Steps to Reproduce

Clone https://github.com/opencv/opencv

Run depscan in the repo and check the report.

Additional Information

No response

prabhu commented 3 days ago

@lantzemil Thank you for raising this issue. The fix is here.

I get the below results with this PR. These are interesting, but also likely false positives. This is because opencv bundles openexr 2.3.0, but also tries to detect the presence of openexr version 3 here. So cdxgen rightly guesses that there is a dependency on version 3. Similarly, it detects opencl 1.2 here.

python depscan/cli.py --bom /Volumes/Work/sandbox/opencv/bom.json --reports-dir /Volumes/Work/sandbox/opencv/reports

██████╗ ███████╗██████╗ ███████╗ ██████╗ █████╗ ███╗   ██╗
██╔══██╗██╔════╝██╔══██╗██╔════╝██╔════╝██╔══██╗████╗  ██║
██║  ██║█████╗  ██████╔╝███████╗██║     ███████║██╔██╗ ██║
██║  ██║██╔══╝  ██╔═══╝ ╚════██║██║     ██╔══██║██║╚██╗██║
██████╔╝███████╗██║     ███████║╚██████╗██║  ██║██║ ╚████║
╚═════╝ ╚══════╝╚═╝     ╚══════╝ ╚═════╝╚═╝  ╚═╝╚═╝  ╚═══╝

INFO [2024-07-05 17:31:16,037] Performing regular scan for /Volumes/Work/sandbox/opencv using plugin bom

                                                            Dependency Scan Results (BOM)
╔════════════════════════════════════════════════════════════╤═════════════════════╤════════════════════════════╤═════════════════════╤══════════════╗
║ Dependency Tree                                            │ Insights            │ Fix Version                │ Severity            │        Score ║
╟────────────────────────────────────────────────────────────┼─────────────────────┼────────────────────────────┼─────────────────────┼──────────────╢
║ OpenEXR@3 ⬅ CVE-2021-45942                                 │                     │ 3.1.5-2                    │ MEDIUM              │          5.0 ║
╟────────────────────────────────────────────────────────────┼─────────────────────┼────────────────────────────┼─────────────────────┼──────────────╢
║ OpenEXR@3 ⬅ CVE-2023-5841                                  │                     │ 3.1.5                      │ MEDIUM              │          5.0 ║
╟────────────────────────────────────────────────────────────┼─────────────────────┼────────────────────────────┼─────────────────────┼──────────────╢
║ OpenEXR@3 ⬅ CVE-2024-31047                                 │                     │                            │ MEDIUM              │          5.0 ║
╟────────────────────────────────────────────────────────────┼─────────────────────┼────────────────────────────┼─────────────────────┼──────────────╢
║ OpenEXR@3 ⬅ CVE-2021-20304                                 │                     │ 3.1.5                      │ MEDIUM              │          5.0 ║
╟────────────────────────────────────────────────────────────┼─────────────────────┼────────────────────────────┼─────────────────────┼──────────────╢
║ OpenEXR@3 ⬅ CVE-2021-3933                                  │                     │ 3.1.5                      │ MEDIUM              │          5.0 ║
╟────────────────────────────────────────────────────────────┼─────────────────────┼────────────────────────────┼─────────────────────┼──────────────╢
║ OpenCL@1.2 ⬅ CVE-2023-4969                                 │                     │                            │ MEDIUM              │          6.5 ║
╟────────────────────────────────────────────────────────────┼─────────────────────┼────────────────────────────┼─────────────────────┼──────────────╢
║ OpenEXR@3 ⬅ CVE-2021-26945                                 │                     │ 3.1.5-2                    │ LOW                 │          2.0 ║
╟────────────────────────────────────────────────────────────┼─────────────────────┼────────────────────────────┼─────────────────────┼──────────────╢
║ OpenEXR@3 ⬅ CVE-2017-9115                                  │                     │ 3.1.1-2.2                  │ HIGH                │          7.5 ║
╟────────────────────────────────────────────────────────────┼─────────────────────┼────────────────────────────┼─────────────────────┼──────────────╢
║ OpenEXR@3 ⬅ CVE-2017-9116                                  │                     │ 3.1.1-2.2                  │ MEDIUM              │          5.0 ║
╟────────────────────────────────────────────────────────────┼─────────────────────┼────────────────────────────┼─────────────────────┼──────────────╢
║ OpenEXR@3 ⬅ CVE-2021-3941                                  │                     │ 3.1.5-2                    │ MEDIUM              │          5.0 ║
╚════════════════════════════════════════════════════════════╧═════════════════════╧════════════════════════════╧═════════════════════╧══════════════╝

Not sure if you might agree with these results, but since these are within my false-positive appetite for v5, I will keep it at this level to avoid missing any genuine hits for C/C++ apps.
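As an added triage example (not dep-scan's or cdxgen's own code), the script below takes a CycloneDX-style BOM and a few build/source snippets, both constructed here, and reports which component names are backed by a whole-word match in the repo versus only a substring hit inside a longer identifier, the kind of false positive described in this thread. The component names, versions, and file contents are constructed for illustration.

```python
"""Triage helper for BOM false positives (added example, not dep-scan code).

For each component in a CycloneDX-style BOM, check whether its name appears
in the scanned repo's build/source text as a whole word (e.g. find_package)
or only as a substring of a longer identifier, which is how a package such
as "xvideos" can be reported for a repo that never depends on it.
"""
import json
import re

# Constructed sample BOM in CycloneDX shape (not the real opencv bom.json).
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "OpenEXR", "version": "3", "purl": "pkg:generic/OpenEXR@3"},
        {"name": "xvideos", "version": "1.0", "purl": "pkg:npm/xvideos@1.0"},
        {"name": "OpenCL", "version": "1.2", "purl": "pkg:generic/OpenCL@1.2"},
    ],
})

# Constructed snippets standing in for CMake/source lines from the scanned repo.
SAMPLE_FILES = {
    "CMakeLists.txt": "find_package(OpenEXR 3 QUIET)\nfind_package(OpenCL 1.2)\n",
    "cap.cpp": "class CvCaptureXvideosDummy {};  // constructed identifier\n",
}


def classify_components(bom_json: str, files: dict) -> dict:
    """Return {component name: 'word' | 'substring' | 'absent'}."""
    bom = json.loads(bom_json)
    corpus = "\n".join(files.values())
    result = {}
    for comp in bom.get("components", []):
        name = comp["name"]
        # Whole-word, case-insensitive: name bounded by non-identifier characters.
        word = re.compile(r"(?<![A-Za-z0-9_])" + re.escape(name) + r"(?![A-Za-z0-9_])", re.I)
        if word.search(corpus):
            result[name] = "word"
        elif re.search(re.escape(name), corpus, re.I):
            result[name] = "substring"  # only seen inside a longer identifier
        else:
            result[name] = "absent"
    return result


def needs_review(classified: dict) -> list:
    """Component names whose presence is not confirmed by a whole-word match."""
    return sorted(n for n, how in classified.items() if how != "word")


if __name__ == "__main__":
    verdicts = classify_components(SAMPLE_BOM, SAMPLE_FILES)
    for name, how in verdicts.items():
        print(f"{name}: {how}")
    print("needs review:", needs_review(verdicts))
```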

prabhu commented 3 days ago

bom.vdr.json bom.json

lantzemil commented 13 hours ago

Retested with 5.4.2. No longer experiencing the same issues. Thanks for this.