rm-hull / nvd-clojure

National Vulnerability Database dependency checker for Clojure projects
MIT License

nginx clojure 0.5.2 error detected in CVE-2019-20372 #112

Closed madawei2699 closed 2 years ago

madawei2699 commented 2 years ago

nginx Clojure 0.5.2 is built with Nginx v1.18.0, but nvd-clojure detected CVE-2019-20372 vulnerability which affects NGINX before 1.17.7.

After investigation, I found it is related to the nvd.nist.gov backend service. The vulnerability id is cpe:2.3:a:nginx:nginx:0.5.2:*:*:*:*:*:*:* and if you use the nvd.nist.gov web to refine the search and reset the CPE info with these inputs:

Vendor: nginx
Product: nginx
Version: 1.18.0

and the result is none.

So I think the issue is caused by nvd-clojure recognizing the wrong version of nginx in nginx-clojure lib.

vemv commented 2 years ago

Thanks for the report!

False positive reports are very welcome in the underlying library, namely https://github.com/jeremylong/DependencyCheck

In the meantime you can suppress this via :suppression-file: https://github.com/rm-hull/nvd-clojure/tree/f9a7a90a51bb8b55fd85a3b7df25e0cc14388636#configuration-options

Cheers - V
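A suppression-file entry of the kind vemv refers to, as an added example that is not from this thread or the nvd-clojure project. It scopes the suppression to the nginx-clojure jar and to the nginx CPE only (the jar-name pattern is an assumption), so the same CVE would still be reported if a real nginx dependency appeared on the classpath:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- DependencyCheck suppression file; point nvd-clojure at it with the
     :suppression-file configuration option. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      False positive: nginx-clojure 0.5.2 is matched to cpe:/a:nginx:nginx
      with the library's own version (0.5.2) instead of the bundled
      Nginx 1.18.0, which is not affected by CVE-2019-20372.
      Tracked upstream in jeremylong/DependencyCheck issue #3842.
    ]]></notes>
    <!-- Assumed jar name pattern; adjust to the artifact actually on the classpath. -->
    <filePath regex="true">.*nginx-clojure.*\.jar</filePath>
    <!-- Suppress only the mis-identified CPE, not every finding for the jar. -->
    <cpe>cpe:/a:nginx:nginx</cpe>
  </suppress>
</suppressions>
```

Keeping the `<cpe>` element (rather than suppressing by CVE id alone) means the entry stops matching as soon as the upstream CPE mapping is corrected, which is a useful way to notice when a suppression has become stale.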

madawei2699 commented 2 years ago

Thanks!

vemv commented 2 years ago

So I think the issue is caused by nvd-clojure recognizing the wrong version of nginx in nginx-clojure lib.

The only 'recognition' that is performed is parsing a classpath. Ideally passing a classpath is your responsibility, as documented in https://github.com/rm-hull/nvd-clojure/tree/f9a7a90a51bb8b55fd85a3b7df25e0cc14388636#avoiding-classpath-interference

Please make sure to use those ways (or the new one based on clojure -Ttools); older ways of invoking this program are a little more prone to issues.

madawei2699 commented 2 years ago

The nvd-clojure is ok, but the DependencyCheck recognizes the wrong CPE version; this is the issue: https://github.com/jeremylong/DependencyCheck/issues/3842