Closed agatarychter closed 2 years ago
cc @sberyozkin
Hmmm, so first, all of your links are really weird:
The report also contains references to old (and different) versions of other Quarkus artifacts.
So I don't know what your application looks like, but the report looks very wrong and it's not Quarkus' fault.
@agatarychter Thanks. As Guillaume explained, the report does not seem to correctly identify Quarkus 2.7.0 issues; let me have a look as well. Some of the minor CVEs have to be marked as resolved in NVD against Quarkus, I'll look into sending an update today. @loicmathieu Hi Loic, how do you configure this plugin? Can you let @agatarychter know please, so that another report can be tried?
@agatarychter
For example, https://nvd.nist.gov/vuln/detail/CVE-2021-28170 is mentioned in your report, but as you can see there, Quarkus is only shown as affected up to 2.3.0. Therefore it is a false positive against 2.7.0.Final, i.e. the plugin should notice that in the NVD feed and not flag the error.
FYI, I've just sent an email to NVD to ask to associate the following CVEs mentioned in your report with Quarkus CPEs:
https://nvd.nist.gov/vuln/detail/CVE-2021-21409
https://nvd.nist.gov/vuln/detail/CVE-2021-37136
https://nvd.nist.gov/vuln/detail/CVE-2021-37137
https://nvd.nist.gov/vuln/detail/CVE-2021-43797
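The point made above, that a CVE whose NVD record only covers Quarkus up to 2.3.0 must not be reported against 2.7.0.Final, comes down to applying the record's version bounds rather than just matching the CPE vendor and product. The following is an added example, not code from the thread, from Quarkus or from dependency-check: it implements that bounds check over a constructed configuration in the shape of an NVD 1.1 JSON feed `configurations` node. The `versionEndIncluding` value of `2.3.0` mirrors what the comment above says NVD lists for CVE-2021-28170 and is not copied from the feed; only `OR` nodes are handled, and Maven qualifiers are simplified to release vs. pre-release.

```python
"""Version-bounds test behind an NVD CPE match (added example, see lead-in)."""
import re

# Constructed sample in the shape of an NVD 1.1 "configurations" node. The
# 2.3.0 upper bound mirrors what the thread says about CVE-2021-28170; it is
# an illustration, not a copy of the NVD record.
SAMPLE_CONFIGURATION = {
    "nodes": [
        {
            "operator": "OR",
            "cpe_match": [
                {
                    "vulnerable": True,
                    "cpe23Uri": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*",
                    "versionEndIncluding": "2.3.0",
                }
            ],
        }
    ]
}

RELEASE_QUALIFIERS = {"", "final", "ga", "release"}


def version_key(version):
    """Map '2.7.0.Final' to ((2, 7, 0), 1): numeric parts, then a release flag.

    Numeric parts are padded to three so '2.3' compares equal to '2.3.0'. The
    first non-numeric part is the qualifier: Final/GA or none is the release
    (1); Alpha, Beta, CR1 and the like sort before it (0). This is a
    simplification of Maven's ComparableVersion, enough for the bounds test.
    """
    nums, qualifier = [], ""
    for part in re.split(r"[.\-]", version.strip()):
        if part.isdigit():
            nums.append(int(part))
        else:
            qualifier = part.lower()
            break
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums), (1 if qualifier in RELEASE_QUALIFIERS else 0)


def cpe_vendor_product(cpe23uri):
    """Vendor and product fields of a cpe:2.3 URI."""
    fields = cpe23uri.split(":")
    return fields[3], fields[4]


def in_version_range(version, match):
    """True if `version` satisfies the bounds carried by one cpe_match entry."""
    v = version_key(version)
    bounds = (
        ("versionStartIncluding", lambda b: v >= b),
        ("versionStartExcluding", lambda b: v > b),
        ("versionEndIncluding", lambda b: v <= b),
        ("versionEndExcluding", lambda b: v < b),
    )
    bounded = False
    for key, ok in bounds:
        if key in match:
            bounded = True
            if not ok(version_key(match[key])):
                return False
    if not bounded:
        # No range given: the URI's own version field decides ('*' is any version).
        explicit = match["cpe23Uri"].split(":")[5]
        return explicit in ("*", "-") or version_key(explicit) == v
    return True


def is_affected(vendor, product, version, configuration):
    """Walk the OR nodes of an NVD configuration for vendor/product/version."""
    for node in configuration["nodes"]:
        if node.get("operator", "OR") != "OR":
            raise NotImplementedError("AND nodes (running-on conditions) are not handled here")
        for match in node.get("cpe_match", []):
            if not match.get("vulnerable", True):
                continue
            if cpe_vendor_product(match["cpe23Uri"]) != (vendor, product):
                continue
            if in_version_range(version, match):
                return True
    return False


if __name__ == "__main__":
    for v in ("2.2.3.Final", "2.3.0.Final", "2.7.0.Final"):
        hit = is_affected("quarkus", "quarkus", v, SAMPLE_CONFIGURATION)
        print(v, "affected" if hit else "not affected")
```

With this sample, `2.2.3.Final` and `2.3.0.Final` fall inside the bound and `2.7.0.Final` does not, which is exactly the distinction the scanner has to make before it reports the CVE. A real feed entry can also carry `AND` nodes (application running on a given platform) and explicit single-version URIs; the explicit-version case is handled, the `AND` case is deliberately rejected rather than silently treated as `OR`.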
Hi, the provided links show all vulnerabilities for a library without taking the version of the library into account, so a lot of them are fixed in the latest Quarkus version.
On my project we configure the plugin as follows:

```xml
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>${owasp-dependecy-check-plugin.version}</version>
  <configuration>
    <!-- We fail for High vulnerabilities only -->
    <failBuildOnCVSS>7</failBuildOnCVSS>
    <suppressionFiles>
      <suppressionFile>${project.basedir}/dependency-cpe-suppression.xml</suppressionFile>
    </suppressionFiles>
  </configuration>
</plugin>
```
`failBuildOnCVSS` is by default set to 11 (never fail); we configure it to 7 to fail only on high severity. As we update Quarkus on a monthly basis, medium-severity issues will probably be fixed automatically in a few weeks.
Keep in mind that with security there is no silver bullet: when a new CVE is detected you may need to update the library in your pom while waiting for the new version to be included in Quarkus (usually in the next release, as dependabot is configured for most of the libraries used by Quarkus).
We configure a suppression file as there are always a lot of false positives (upgrading the plugin may mitigate the issue). Our current suppression file looks like this (we favor CPE detection suppression when possible):
```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
  <!--
  This is a CPE suppression file for the maven dependency check plugin.
  Each CPE that is found by error (false positive) needs to be suppressed for a specific jar using its GAV.
  See https://jeremylong.github.io/DependencyCheck/general/suppression.html
  -->
  <suppress>
    <notes>
      <![CDATA[
      Suppress the false positive CPE for netty-tcnative-classes to netty
      ]]>
    </notes>
    <gav regex="true">^io\.netty:netty-tcnative-classes.*:.*$</gav>
    <cpe>cpe:/a:netty:netty</cpe>
  </suppress>
  <suppress>
    <notes>
      <![CDATA[
      Suppress the false positive CPE for quarkus-fs-util to quarkus
      ]]>
    </notes>
    <gav regex="true">^io\.quarkus:quarkus-fs-util.*:.*$</gav>
    <cpe>cpe:/a:quarkus:quarkus</cpe>
  </suppress>
  <suppress>
    <notes>
      <![CDATA[
      Suppress CVE-2019-17195 for avro, it seems to be for jose JWT and wrongly reported for avro.
      ]]>
    </notes>
    <cve>CVE-2019-17195</cve>
  </suppress>
  <suppress>
    <notes>
      <![CDATA[
      Suppress the false positive CPE for Quarkus Mutiny to mutiny:mutiny
      ]]>
    </notes>
    <gav regex="true">^io\.quarkus:quarkus-mutiny.*:.*$</gav>
    <cpe>cpe:/a:mutiny:mutiny</cpe>
  </suppress>
  <suppress>
    <notes>
      <![CDATA[
      Suppress the false positive CPE for Smallrye Mutiny to mutiny:mutiny
      ]]>
    </notes>
    <gav regex="true">^io\.smallrye\.reactive:mutiny.*:.*$</gav>
    <cpe>cpe:/a:mutiny:mutiny</cpe>
  </suppress>
  <suppress>
    <notes>
      <![CDATA[
      Suppress the false positive CPE for Smallrye Mutiny to mutiny:mutiny
      ]]>
    </notes>
    <gav regex="true">^io\.smallrye\.reactive:smallrye-mutiny.*:.*$</gav>
    <cpe>cpe:/a:mutiny:mutiny</cpe>
  </suppress>
  <suppress>
    <notes>
      <![CDATA[
      Suppress the false positive CPE for Smallrye Mutiny to mutiny:mutiny
      ]]>
    </notes>
    <gav regex="true">^io\.smallrye\.reactive:vertx-mutiny.*:.*$</gav>
    <cpe>cpe:/a:mutiny:mutiny</cpe>
  </suppress>
  <suppress>
    <notes>
      <![CDATA[
      Suppress the false positive CPE for graal-sdk to GraalVM (the JVM distribution)
      ]]>
    </notes>
    <gav regex="true">^org\.graalvm\.sdk:graal-sdk:.*$</gav>
    <cpe>cpe:/a:oracle:graalvm</cpe>
  </suppress>
  <suppress>
    <notes>
      <![CDATA[
      Suppress the false positive CPE for smallrye-context-propagation-storage to storage_project:storage
      ]]>
    </notes>
    <gav regex="true">^io\.smallrye:smallrye-context-propagation-storage:.*$</gav>
    <cpe>cpe:/a:storage_project:storage</cpe>
  </suppress>
  <suppress>
    <notes>
      <![CDATA[
      Suppress the false positive CPE for quarkus-elasticsearch-reactive
      ]]>
    </notes>
    <gav regex="true">^io\.quarkiverse\.quarkus-elasticsearch-reactive:quarkus-elasticsearch-reactive:.*$</gav>
    <cpe>cpe:/a:elasticsearch:elasticsearch</cpe>
    <cpe>cpe:/a:quarkus:quarkus</cpe>
  </suppress>
  <suppress>
    <notes>
      <![CDATA[
      Suppress the false positive CPE for elasticsearch-client
      ]]>
    </notes>
    <gav regex="true">^io\.reactiverse:elasticsearch-client:.*$</gav>
    <cpe>cpe:/a:elasticsearch:elasticsearch</cpe>
  </suppress>
  <suppress>
    <notes>
      <![CDATA[
      Suppress the false positive CPE for elasticsearch-client of elasticsearch-client-mutiny
      ]]>
    </notes>
    <gav regex="true">^io\.reactiverse:elasticsearch-client-mutiny:.*$</gav>
    <cpe>cpe:/a:mutiny:mutiny</cpe>
    <cpe>cpe:/a:elasticsearch:elasticsearch</cpe>
  </suppress>
</suppressions>
```
@sberyozkin this suppression is new and may be handled in the dependency check plugin, as was done for other Quarkus sub-projects:

```xml
<suppress>
  <notes>
    <![CDATA[
    Suppress the false positive CPE for quarkus-fs-util to quarkus
    ]]>
  </notes>
  <gav regex="true">^io\.quarkus:quarkus-fs-util.*:.*$</gav>
  <cpe>cpe:/a:quarkus:quarkus</cpe>
</suppress>
```
Hi @loicmathieu, thanks a lot for the suppression examples. Just one more question, about netty. @gsmet wrote that the latest Quarkus version uses Netty 4.x. I wanted to ask whether the dependency:tree output is expected: io.netty:netty-tcnative-classes:jar:2.0.46.Final:compile is coming from io.quarkus:quarkus-undertow:jar:2.5.4.Final (when we check with Quarkus 2.5.4):
```text
[INFO] +- io.quarkus:quarkus-undertow:jar:2.5.4.Final:compile
[INFO] |  +- io.quarkus:quarkus-vertx-http:jar:2.5.4.Final:compile
[INFO] |  |  +- io.quarkus:quarkus-security-runtime-spi:jar:2.5.4.Final:compile
[INFO] |  |  +- io.quarkus:quarkus-vertx-http-dev-console-runtime-spi:jar:2.5.4.Final:compile
[INFO] |  |  +- io.quarkus:quarkus-vertx:jar:2.5.4.Final:compile
[INFO] |  |  |  +- io.quarkus:quarkus-netty:jar:2.5.4.Final:compile
[INFO] |  |  |  +- io.netty:netty-codec-haproxy:jar:4.1.72.Final:compile
[INFO] |  |  |  +- io.smallrye.common:smallrye-common-annotation:jar:1.8.0:compile
[INFO] |  |  |  +- io.smallrye.reactive:smallrye-mutiny-vertx-core:jar:2.15.1:compile
[INFO] |  |  |  |  +- io.smallrye.reactive:smallrye-mutiny-vertx-runtime:jar:2.15.1:compile
[INFO] |  |  |  |  \- io.smallrye.reactive:vertx-mutiny-generator:jar:2.15.1:compile
[INFO] |  |  |  |     \- io.vertx:vertx-codegen:jar:4.2.2:compile
[INFO] |  |  |  \- io.smallrye:smallrye-fault-tolerance-vertx:jar:5.2.1:compile
[INFO] |  |  +- io.smallrye.reactive:smallrye-mutiny-vertx-web:jar:2.15.1:compile
[INFO] |  |  |  +- io.smallrye.reactive:smallrye-mutiny-vertx-web-common:jar:2.15.1:compile
[INFO] |  |  |  +- io.smallrye.reactive:smallrye-mutiny-vertx-auth-common:jar:2.15.1:compile
[INFO] |  |  |  \- io.smallrye.reactive:smallrye-mutiny-vertx-bridge-common:jar:2.15.1:compile
[INFO] |  |  \- io.vertx:vertx-web:jar:4.2.2:compile
[INFO] |  |     +- io.vertx:vertx-web-common:jar:4.2.2:compile
[INFO] |  |     +- io.vertx:vertx-auth-common:jar:4.2.2:compile
[INFO] |  |     \- io.vertx:vertx-bridge-common:jar:4.2.2:compile
[INFO] |  +- io.quarkus.security:quarkus-security:jar:1.1.4.Final:compile
[INFO] |  |  \- io.smallrye.reactive:mutiny:jar:1.1.2:compile
[INFO] |  |     \- org.reactivestreams:reactive-streams:jar:1.0.3:compile
[INFO] |  +- jakarta.enterprise:jakarta.enterprise.cdi-api:jar:2.0.2:compile
[INFO] |  |  \- jakarta.el:jakarta.el-api:jar:3.0.3:compile
[INFO] |  +- io.quarkus.http:quarkus-http-servlet:jar:4.1.4:compile
[INFO] |  +- jakarta.servlet:jakarta.servlet-api:jar:4.0.3:compile
[INFO] |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  +- io.quarkus.http:quarkus-http-vertx-backend:jar:4.1.4:compile
[INFO] |  |  +- io.vertx:vertx-core:jar:4.2.2:compile
[INFO] |  |  |  +- io.netty:netty-common:jar:4.1.72.Final:compile
[INFO] |  |  |  +- io.netty:netty-buffer:jar:4.1.72.Final:compile
[INFO] |  |  |  +- io.netty:netty-transport:jar:4.1.72.Final:compile
[INFO] |  |  |  +- io.netty:netty-handler:jar:4.1.72.Final:compile
[INFO] |  |  |  |  \- io.netty:netty-tcnative-classes:jar:2.0.46.Final:compile
[INFO] |  |  |  +- io.netty:netty-handler-proxy:jar:4.1.72.Final:compile
[INFO] |  |  |  |  \- io.netty:netty-codec-socks:jar:4.1.72.Final:compile
[INFO] |  |  |  +- io.netty:netty-codec-http2:jar:4.1.72.Final:compile
[INFO] |  |  |  +- io.netty:netty-resolver:jar:4.1.72.Final:compile
[INFO] |  |  |  \- io.netty:netty-resolver-dns:jar:4.1.72.Final:compile
[INFO] |  |  |     \- io.netty:netty-codec-dns:jar:4.1.72.Final:compile
[INFO] |  |  \- io.quarkus.http:quarkus-http-http-core:jar:4.1.4:compile
```
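The question above, whether it is expected that netty-tcnative-classes 2.0.46.Final shows up under a Netty 4.1.72.Final tree, is answered by tracing the path to the artifact and listing the versions per io.netty artifact. The following is an added example, not code from the thread or from Maven: a small parser for `mvn dependency:tree` output that does both. `SAMPLE_TREE` is a constructed subset of the tree posted above; the parser relies only on Maven's three-column drawing of each level (`|  `, `+- `, backslash-dash).

```python
"""Trace where an artifact comes from in `mvn dependency:tree` output (added example)."""
import re

# Constructed subset of the dependency:tree posted in the thread.
SAMPLE_TREE = r"""
[INFO] +- io.quarkus:quarkus-undertow:jar:2.5.4.Final:compile
[INFO] |  +- io.quarkus:quarkus-vertx-http:jar:2.5.4.Final:compile
[INFO] |  |  \- io.quarkus:quarkus-vertx:jar:2.5.4.Final:compile
[INFO] |  |     \- io.netty:netty-codec-haproxy:jar:4.1.72.Final:compile
[INFO] |  \- io.quarkus.http:quarkus-http-vertx-backend:jar:4.1.4:compile
[INFO] |     \- io.vertx:vertx-core:jar:4.2.2:compile
[INFO] |        +- io.netty:netty-common:jar:4.1.72.Final:compile
[INFO] |        +- io.netty:netty-handler:jar:4.1.72.Final:compile
[INFO] |        |  \- io.netty:netty-tcnative-classes:jar:2.0.46.Final:compile
[INFO] |        \- io.netty:netty-resolver-dns:jar:4.1.72.Final:compile
[INFO] |           \- io.netty:netty-codec-dns:jar:4.1.72.Final:compile
"""

# A node line carries '+- ' or '\- ' followed by g:a:type[:classifier]:version:scope.
MARKER = re.compile(r"(\+-|\\-) (\S+)")


def parse_tree(text):
    """Return (depth, 'group:artifact', version) per node line, in file order.

    Maven draws every level as three columns, so the column at which the node
    marker starts, divided by three, is the node's depth below the project.
    """
    nodes = []
    for raw in text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        m = MARKER.search(line)
        if not m:
            continue
        parts = m.group(2).split(":")
        nodes.append((m.start() // 3, f"{parts[0]}:{parts[1]}", parts[-2]))
    return nodes


def paths_to(text, group_artifact):
    """Every path from a direct dependency down to group_artifact, as g:a:v lists."""
    stack, found = [], []
    for depth, ga, version in parse_tree(text):
        del stack[depth:]  # unwind to this node's parent
        stack.append(f"{ga}:{version}")
        if ga == group_artifact:
            found.append(list(stack))
    return found


def versions_in_group(text, group_id):
    """Distinct versions seen for each artifact of one groupId."""
    seen = {}
    for _, ga, version in parse_tree(text):
        group, artifact = ga.split(":")
        if group == group_id:
            seen.setdefault(artifact, set()).add(version)
    return seen


if __name__ == "__main__":
    for path in paths_to(SAMPLE_TREE, "io.netty:netty-tcnative-classes"):
        print(" -> ".join(path))
    for artifact, versions in sorted(versions_in_group(SAMPLE_TREE, "io.netty").items()):
        print(artifact, sorted(versions))
```

On the sample, the only path to netty-tcnative-classes runs through quarkus-http-vertx-backend, vertx-core and netty-handler, and the io.netty group shows two version lines (netty-* at 4.1.72.Final, netty-tcnative-classes at 2.0.46.Final), which is what a separately versioned artifact looks like rather than a conflict. Running the same two functions over a full tree is a quick way to check that a scanner finding is attached to the artifact and version actually on the classpath.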
Hey @loicmathieu This is great, thanks for all this info, I'll try to document some of it and will ask for your review. I'm going to ask to register quarkus-fs-util now
@agatarychter It was Loic @loicmathieu who has helped with it :-)
My bad - already fixed, thanks ;)
@loicmathieu I've sent a quarkus-fs-util registration email and will let you know once it has been registered.
@agatarychter I believe the netty tcnative is a different artifact, this is why the versions are different
Maybe we should package the rules somewhere and document it?
@gsmet it's a good idea, but it can be cumbersome as we need to find all the false positives and manage the list when things evolve on the CPE side to avoid false negatives. And other libraries (even Quarkiverse ones) can give other false positives, so people may end up adding two suppression files.
A first step would be to include the dependency check plugin in Quarkus itself (with a default config that does not fail the build but only reports CVEs) to see what it reports.
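Two points from this thread, the suppression file shown earlier (scoped per GAV, with a justification in `notes`) and the remark just above that such a list has to be maintained as the CPE side evolves, suggest a check that runs in CI alongside the plugin. The following is an added example, not code from the thread, from Quarkus or from dependency-check. It lints a suppression file against the build's actual dependency list and reports three things: rules without `<notes>`, rules whose `<gav regex="true">` pattern no longer matches any artifact (stale, and therefore a candidate to delete so it cannot mask a future real hit), and `<cve>`/`<cpe>` rules with no scoping element (`gav`, `packageUrl`, `filePath`, `sha1`), which silence that CVE or CPE for every dependency rather than just the one they were written for. Both inputs are constructed inline: the XML uses the 1.2 suppression schema from the thread, and the dependency list mimics `mvn dependency:list` output with illustrative versions. Literal (non-regex) `<gav>` values are treated as exact matches, a simplification.

```python
"""Lint a dependency-check suppression file against the build's dependency list
(added example, see lead-in)."""
import re
import xml.etree.ElementTree as ET

# Constructed suppression file in the 1.2 schema used in the thread.
SUPPRESSIONS_XML = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
  <suppress>
    <notes>False positive CPE: netty-tcnative-classes is not netty itself</notes>
    <gav regex="true">^io\.netty:netty-tcnative-classes.*:.*$</gav>
    <cpe>cpe:/a:netty:netty</cpe>
  </suppress>
  <suppress>
    <notes>Left over from a client library that has since been removed</notes>
    <gav regex="true">^io\.reactiverse:elasticsearch-client:.*$</gav>
    <cpe>cpe:/a:elasticsearch:elasticsearch</cpe>
  </suppress>
  <suppress>
    <notes>CVE-2019-17195 is about jose JWT, wrongly reported for avro</notes>
    <cve>CVE-2019-17195</cve>
  </suppress>
  <suppress>
    <gav regex="true">^org\.graalvm\.sdk:graal-sdk:.*$</gav>
    <cpe>cpe:/a:oracle:graalvm</cpe>
  </suppress>
</suppressions>
"""

# Constructed `mvn dependency:list` excerpt; versions are illustrative.
DEPENDENCY_LIST = """[INFO] The following files have been resolved:
[INFO]    io.netty:netty-handler:jar:4.1.72.Final:compile
[INFO]    io.netty:netty-tcnative-classes:jar:2.0.46.Final:compile
[INFO]    org.graalvm.sdk:graal-sdk:jar:21.3.0:compile
[INFO]    org.apache.avro:avro:jar:1.11.0:compile
"""

SCOPING_ELEMENTS = ("gav", "packageUrl", "filePath", "sha1")


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_suppressions(xml_text):
    """One dict per <suppress>: notes, scoping element, gav (+regex flag), cves, cpes."""
    rules = []
    for element in ET.fromstring(xml_text):
        if _local(element.tag) != "suppress":
            continue
        rule = {"n": len(rules) + 1, "notes": "", "scope": None, "gav": None,
                "gav_regex": False, "cves": [], "cpes": []}
        for child in element:
            name, text = _local(child.tag), (child.text or "").strip()
            if name == "notes":
                rule["notes"] = text
            elif name in SCOPING_ELEMENTS:
                rule["scope"] = name
                if name == "gav":
                    rule["gav"] = text
                    rule["gav_regex"] = child.get("regex", "false").lower() == "true"
            elif name == "cve":
                rule["cves"].append(text)
            elif name == "cpe":
                rule["cpes"].append(text)
        rules.append(rule)
    return rules


def parse_dependency_list(text):
    """'g:a:type[:classifier]:version:scope' lines -> 'g:a:version' strings."""
    gavs = []
    for line in text.splitlines():
        tokens = line.replace("[INFO]", "").split()
        parts = tokens[0].split(":") if tokens else []
        if len(parts) >= 5:
            gavs.append(f"{parts[0]}:{parts[1]}:{parts[-2]}")
    return gavs


def lint(xml_text, dependency_list_text):
    """Return (kind, rule_number, message) findings for the suppression file."""
    gavs = parse_dependency_list(dependency_list_text)
    findings = []
    for r in parse_suppressions(xml_text):
        if not r["notes"]:
            findings.append(("missing-notes", r["n"], "no <notes> justification"))
        if (r["cves"] or r["cpes"]) and r["scope"] is None:
            findings.append(("unscoped", r["n"], "applies to every dependency: "
                             + ", ".join(r["cves"] + r["cpes"])))
        if r["gav"] is None:
            continue
        if r["gav_regex"]:
            try:
                pattern = re.compile(r["gav"])
            except re.error as exc:
                findings.append(("bad-regex", r["n"], f"{r['gav']}: {exc}"))
                continue
            hits = [g for g in gavs if pattern.search(g)]
        else:
            hits = [g for g in gavs if g == r["gav"]]  # simplified literal match
        if not hits:
            findings.append(("stale", r["n"], f"{r['gav']} matches no artifact in the build"))
    return findings


if __name__ == "__main__":
    for kind, n, msg in lint(SUPPRESSIONS_XML, DEPENDENCY_LIST):
        print(f"{kind:14} suppress #{n}: {msg}")
```

On the constructed inputs the first rule is clean, the second is stale, the third is unscoped (the avro rule from the thread, kept as an illustration of the pattern: a bare `<cve>` would also hide CVE-2019-17195 on a jose library if one were ever added), and the fourth has no justification. Feeding it the real `dependency-cpe-suppression.xml` and the output of `mvn dependency:list` gives the maintenance signal the comment above asks for: rules to drop, and rules that are broader than their note claims.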
@gsmet Sure, I'd like to show how it can be configured here, https://quarkus.io/guides/security#national-vulnerability-database, but indeed clarify that it is only an example and has to be tuned according to the specific requirements.
@loicmathieu FYI, quarkus-fs-util CPE: the subprojects are in a quarkus namespace, but we also have to get an exclusion in the plugin itself; I was just about to open an issue but found it already being fixed :-), https://github.com/jeremylong/DependencyCheck/pull/3978/files, in 6.5.3
@sberyozkin great, I'll update to 6.5.3 to check it.
Describe the bug
Hi Quarkus Team, I am part of the project developing a microservice app based on Quarkus. We have just added a new feature to our project - org.owasp dependency-check-maven plugin which searches for vulnerabilities reported for our dependencies.
The report of our analysis shows many vulnerabilities coming from netty or smallrye (which means directly from Quarkus). Some of them are reported as CRITICAL or HIGH severity.
The links to examples of reported issues:
https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Anetty&cpe_product=cpe%3A%2F%3Anetty%3Anetty&cpe_version=cpe%3A%2F%3Anetty%3Anetty%3A2.0.46
https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aquarkus&cpe_product=cpe%3A%2F%3Aquarkus%3Aquarkus&cpe_version=cpe%3A%2F%3Aquarkus%3Aquarkus%3A0.0.8
https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aquarkus&cpe_product=cpe%3A%2F%3Aquarkus%3Aquarkus&cpe_version=cpe%3A%2F%3Aquarkus%3Aquarkus%3A2.7.0
I would like to ask if you are providing some fix versions for those or maybe you could advise how we can handle the vulnerabilities ourselves?
Thank you in advance for your answer.
Best regards, Agata Rychter
Versions used: Quarkus 2.7.0.Final
dependency-check-maven plugin: version 6.5.0
Expected behavior
No vulnerabilities in the report coming from Quarkus dependencies
Actual behavior
report-2.7.0.Final.pdf: many vulnerabilities coming from Quarkus of CRITICAL/HIGH severity
How to Reproduce?
use Quarkus project of version 2.7.0.Final
use plugin: `
Output of `uname -a` or `ver`
No response
Output of `java -version`
No response
GraalVM version (if different from Java)
No response
Quarkus version or git rev
2.7.0.Final
Build tool (ie. output of `mvnw --version` or `gradlew --version`)
mvn clean install
Additional information
No response