owasp-dep-scan / dep-scan

OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as input, and the tool is designed for CI/CD integration.
https://owasp.org/www-project-dep-scan/
MIT License

False-Positive: Malicious code in coloramas #341

Closed · manuel-cohere closed this issue 5 days ago

manuel-cohere commented 1 week ago

PURL of wrongly matched component

pypi:coloramas

Depscan findings

I don't get the same output with that command.

prabhu commented 1 week ago

@manuel-cohere https://osv.dev/vulnerability/MAL-2024-4924

python depscan/cli.py --purl "pkg:pypi/coloramas@0.4.6" --reports-dir /tmp/reports

██████╗ ███████╗██████╗ ███████╗ ██████╗ █████╗ ███╗   ██╗
██╔══██╗██╔════╝██╔══██╗██╔════╝██╔════╝██╔══██╗████╗  ██║
██║  ██║█████╗  ██████╔╝███████╗██║     ███████║██╔██╗ ██║
██║  ██║██╔══╝  ██╔═══╝ ╚════██║██║     ██╔══██║██║╚██╗██║
██████╔╝███████╗██║     ███████║╚██████╗██║  ██║██║ ╚████║
╚═════╝ ╚══════╝╚═╝     ╚══════╝ ╚═════╝╚═╝  ╚═╝╚═╝  ╚═══╝

DEBUG [2024-09-09 19:05:28,689] Retrieved package metadata for 0/1 packages. Failures count 0
DEBUG [2024-09-09 19:06:07,393] Vulnerability database loaded from /mnt/work/vdb/data.vdb5
DEBUG [2024-09-09 19:06:07,393] Scanning 1 oss dependencies for issues

                                                            Dependency Scan Results (PYPI)
╔══════════════════════════════════════════════════════════════╤═══════════════════════════╤════════════════════════╤═══════════════════╤════════════╗
║ CVE                                                          │ Insights                  │ Fix Version            │ Severity          │      Score ║
╟──────────────────────────────────────────────────────────────┼───────────────────────────┼────────────────────────┼───────────────────┼────────────╢
║ coloramas@0.4.6 ⬅ MAL-2024-4924                              │ 🛑 Malicious              │                        │ CRITICAL          │       10.0 ║
╚══════════════════════════════════════════════════════════════╧═══════════════════════════╧════════════════════════╧═══════════════════╧════════════╝
╭────────────────────────────────────────────────────────────────────── Action Required ───────────────────────────────────────────────────────────────────────╮
│ 🛑 Malicious package found! Treat this as a security incident and follow your organization's playbook to remove this package from all affected applications. │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
manuel-cohere commented 1 week ago

I apologise for the incomplete report.

This is what I'm getting:

        {
            "bom-ref": "MAL-2024-4924/pkg:pypi/colorama@0.4.6",
            "id": "MAL-2024-4924",
            "source": {},
            "ratings": [
                {
                    "score": 10.0,
                    "severity": "critical",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                    "method": "CVSSv31"
                }
            ],
            "cwes": [],
            "description": "# Malicious code in coloramas (PyPI)\n\n---\n_-= Per source details. Do not edit below this line.=-_",
            "recommendation": "",
            "advisories": [],
            "analysis": {
                "state": "in_triage",
                "detail": "Dependency Tree: [\"pkg:pypi/ariadne-codegen@0.12.0\", \"pkg:pypi/click@8.1.7\", \"pkg:pypi/colorama@0.4.6\"]"
            },

It is flagging pypi/ariadne-codegen@0.12.0, but that package depends on colorama, not coloramas.

prabhu commented 5 days ago

Thank you! This is fixed by #346
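The matching rule this issue is about, as an added example that is not depscan's own code and not what #346 changed: a purl is parsed, the package name is normalized (PEP 503 for PyPI), and it is compared to the advisory's package name by exact equality within the same ecosystem, so pkg:pypi/colorama@0.4.6 does not hit MAL-2024-4924, which is filed against coloramas. A deliberately loose prefix matcher is included only to reproduce the symptom; the page does not show how depscan itself matched. The advisory records are constructed here (the MAL-2024-4924 record mirrors the depscan output above; EXAMPLE-0001 and its package name are hypothetical), and the OSV-like field shape is an assumption of the example.

```python
import re

# Constructed OSV-style advisory records for this example. The first mirrors
# what the depscan output in this issue shows (coloramas@0.4.6 <- MAL-2024-4924);
# the second is hypothetical and exists only to exercise name normalization.
ADVISORIES = [
    {"id": "MAL-2024-4924", "ecosystem": "PyPI", "name": "coloramas",
     "versions": ["0.4.6"]},
    {"id": "EXAMPLE-0001", "ecosystem": "PyPI", "name": "Color_Ama.Pkg",  # hypothetical
     "versions": ["1.0.0"]},
]

# Minimal purl parser: pkg:type/[namespace/]name[@version][?qualifiers][#subpath]
_PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<namespace>[^@?#]+)/)?(?P<name>[^@/?#]+)"
    r"(?:@(?P<version>[^?#]+))?(?:\?[^#]*)?(?:#.*)?$"
)


def parse_purl(purl):
    m = _PURL_RE.match(purl)
    if not m:
        raise ValueError("not a purl: %s" % purl)
    return m.groupdict()


def normalize_name(ecosystem, name):
    """PyPI names compare case-insensitively with runs of '-', '_' and '.'
    collapsed to one hyphen (PEP 503). Other ecosystems are lower-cased only,
    which is an assumption made for this example."""
    if ecosystem.lower() == "pypi":
        return re.sub(r"[-_.]+", "-", name).lower()
    return name.lower()


def _candidates(purl, advisories):
    """Yield (advisory, normalized purl name, normalized advisory name, version)
    for advisories in the purl's ecosystem."""
    p = parse_purl(purl)
    name = normalize_name(p["type"], p["name"])
    for adv in advisories:
        if adv["ecosystem"].lower() != p["type"].lower():
            continue
        yield adv, name, normalize_name(adv["ecosystem"], adv["name"]), p["version"]


def match_loose(purl, advisories):
    """Deliberately wrong: a prefix comparison reproduces the false positive
    in this issue (colorama is a prefix of coloramas)."""
    return [adv["id"] for adv, name, adv_name, version in _candidates(purl, advisories)
            if adv_name.startswith(name) and version in adv["versions"]]


def match_exact(purl, advisories):
    """Correct: ecosystem, normalized name and version must all match exactly."""
    return [adv["id"] for adv, name, adv_name, version in _candidates(purl, advisories)
            if adv_name == name and version in adv["versions"]]


def scan_tree(purls, advisories, matcher=match_exact):
    """Run a matcher over a dependency tree like the one in the report and
    return {purl: [advisory ids]} for the purls that hit."""
    findings = {}
    for purl in purls:
        ids = matcher(purl, advisories)
        if ids:
            findings[purl] = ids
    return findings


if __name__ == "__main__":
    tree = ["pkg:pypi/ariadne-codegen@0.12.0", "pkg:pypi/click@8.1.7",
            "pkg:pypi/colorama@0.4.6"]
    print("loose:", scan_tree(tree, ADVISORIES, match_loose))   # false positive on colorama
    print("exact:", scan_tree(tree, ADVISORIES, match_exact))   # no findings
    print("exact:", scan_tree(["pkg:pypi/coloramas@0.4.6"], ADVISORIES))  # the typosquat itself
```

Normalizing both sides before the equality test matters as much as dropping the prefix match: without it, Color_Ama.Pkg and color-ama-pkg are one PyPI project that would be missed, while with a substring or prefix rule a legitimate package one character away from a typosquat raises a CRITICAL "Malicious" alert that trains people to ignore the MAL feed.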