rm-hull / nvd-clojure

National Vulnerability Database dependency checker for Clojure projects
MIT License
273 stars 35 forks

CVE-2017-20189 is reported for projects that depend on clojure 1.9+ #175

Closed antonmos closed 5 months ago

antonmos commented 5 months ago

Description

Given

(defproject test "0.1.0-SNAPSHOT"
  :dependencies [[org.clojure/clojure "1.10.1"]])

Run nvd-clojure:

clojure -Ttools install nvd-clojure/nvd-clojure "{:mvn/version \"4.0.0\"}" :as nvd
clojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :classpath "\"$(lein classpath)\""

Output:

+-----------------------------+----------------+
| dependency                  | status         |
+-----------------------------+----------------+
| core.specs.alpha-0.2.44.jar | CVE-2017-20189 |
| spec.alpha-0.2.176.jar      | CVE-2017-20189 |
+-----------------------------+----------------+

Version

4.0.0

Java version

openjdk version "21.0.1" 2023-10-17 LTS
OpenJDK Runtime Environment Temurin-21.0.1+12 (build 21.0.1+12-LTS)
OpenJDK 64-Bit Server VM Temurin-21.0.1+12 (build 21.0.1+12-LTS, mixed mode)

Installation compliance

vemv commented 5 months ago

Hi antonmos, thanks for the report.

I understand that false positives can be skipped locally and should be reported to DependencyCheck.

Did you visit the links?

antonmos commented 5 months ago

Yes, I visited the links :).

The reason I opened this issue is that I suspected the solution is Clojure-specific. However, I looked closer at the report output and I am suspecting the CPE spec is wrong:

core.specs.alpha-0.2.44.jar cpe:2.3:a:clojure:clojure:0.2.44:*:*:*:*:*:*:*  pkg:maven/org.clojure/core.specs.alpha@0.2.44   CRITICAL    1   Highest 17
spec.alpha-0.2.176.jar  cpe:2.3:a:clojure:clojure:0.2.176:*:*:*:*:*:*:* pkg:maven/org.clojure/spec.alpha@0.2.176    CRITICAL    1   Highest 26
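A small triage script, added here as an example rather than code from nvd-clojure or DependencyCheck, that reads the identifier columns quoted above and flags rows where the CPE product DependencyCheck matched does not correspond to the Maven artifact in the purl (the mismatch behind this report). The plausibility rule it applies is an assumption for illustration, not DependencyCheck's own matching logic.

```python
# Added example (not nvd-clojure's or DependencyCheck's own code): triage the
# identifier columns of a DependencyCheck report and flag rows whose matched CPE
# does not agree with the Maven artifact named by the purl.
# The two report lines below are the ones quoted in this issue.
import re

REPORT = """\
core.specs.alpha-0.2.44.jar cpe:2.3:a:clojure:clojure:0.2.44:*:*:*:*:*:*:*  pkg:maven/org.clojure/core.specs.alpha@0.2.44   CRITICAL    1   Highest 17
spec.alpha-0.2.176.jar  cpe:2.3:a:clojure:clojure:0.2.176:*:*:*:*:*:*:* pkg:maven/org.clojure/spec.alpha@0.2.176    CRITICAL    1   Highest 26
"""

# CPE 2.3 formatted string: cpe:2.3:<part>:<vendor>:<product>:<version>:...
CPE_RE = re.compile(r"cpe:2\.3:a:([^:]+):([^:]+):([^:]+):")
# Maven package URL: pkg:maven/<group>/<artifact>@<version>
PURL_RE = re.compile(r"pkg:maven/([^/]+)/([^@\s]+)@(\S+)")


def parse_row(line):
    """Return ((vendor, product, version), (group, artifact, version)) or None."""
    cpe = CPE_RE.search(line)
    purl = PURL_RE.search(line)
    if not cpe or not purl:
        return None
    return cpe.groups(), purl.groups()


def cpe_matches_purl(cpe, purl):
    """Heuristic (an assumption of this example): a CPE is plausible for a Maven
    artifact when its product name equals the artifact id, or is a dotted prefix
    of it, and the two versions agree. Product 'clojure' assigned to artifact
    'core.specs.alpha' fails this, which is the false positive in the report."""
    (_, product, cpe_ver), (_, artifact, purl_ver) = cpe, purl
    product_ok = artifact == product or artifact.startswith(product + ".")
    return product_ok and cpe_ver == purl_ver


def suspicious_rows(report):
    """Return (jar, cpe summary, purl) for rows whose CPE looks mis-assigned."""
    out = []
    for line in report.splitlines():
        parsed = parse_row(line)
        if parsed is None:
            continue
        cpe, purl = parsed
        if not cpe_matches_purl(cpe, purl):
            out.append((line.split()[0], ":".join(cpe), "%s/%s@%s" % purl))
    return out
```

Rows this flags are candidates for a local suppression and for a report upstream to DependencyCheck, which is what the maintainer suggests above.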

antonmos commented 5 months ago

found a relevant issue https://github.com/jeremylong/DependencyCheck/issues/6438

vemv commented 5 months ago

Thanks!

Although it's unfortunate/ironic that nvd-clojure misdiagnoses something so closely related to Clojure, in the end we're a https://github.com/jeremylong/DependencyCheck wrapper, so all such bugs are on them.

(And similarly, they can only do so much when the specs/data from NVD are ambiguous. Ideally the NVD would simply use Maven coordinates instead of CPEs)