sonatype-nexus-community / scan-gradle-plugin

Gradle plugin that scans the dependencies of a Gradle project using Sonatype platforms: OSS Index and Nexus IQ Server.
Apache License 2.0

[BUG] When setting the outputFormat to DEPENDENCY_GRAPH ossindexAudit succeeds, even though vulnerabilities are found #164

Open rprinsen opened 2 months ago

rprinsen commented 2 months ago

When I set the outputFormat to DEPENDENCY_GRAPH, the task succeeds, even though vulnerabilities are found:

> Task :ossIndexAudit
Using anonymous request
  ________  ___   ___  __   ____  ____________   _  __
 / ___/ _ \/ _ | / _ \/ /  / __/ / __/ ___/ _ | / |/ /
/ (_ / , _/ __ |/ // / /__/ _/  _\ \/ /__/ __ |/    /
\___/_/|_/_/ |_/____/____/___/ /___/\___/_/ |_/_/|_/

  _      _                       _   _
 /_)    /_`_  _  _ _/_   _  _   (/  /_`_._  _   _/ _
/_)/_/ ._//_// //_|/ /_//_//_' (_X /  ///_'/ //_/_\
   _/                _//
Gradle Scan version: 2.8.2
------------------------------------------------------------------------------------------------------------------------------------------------------
Checking vulnerabilities in 573 dependencies
Found vulnerabilities in 12 dependencies
+--- org.springframework.boot:spring-boot-starter-web:2.7.18: 0 vulnerabilities detected
|    +--- org.springframework.boot:spring-boot-starter:2.7.18: 0 vulnerabilities detected
|    |    +--- org.springframework.boot:spring-boot-starter-logging:2.7.18: 0 vulnerabilities detected
|    +--- org.springframework.boot:spring-boot-starter-json:2.7.18: 0 vulnerabilities detected
|    |    +--- org.springframework.boot:spring-boot-starter:2.7.18 (*): 0 vulnerabilities detected

(*) - if present, dependencies omitted (listed previously)

Deprecated Gradle features were used in this build, making it incompatible with Gradle 9.0.

You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.

For more on this, please refer to https://docs.gradle.org/8.5/userguide/command_line_interface.html#sec:command_line_warnings in the Gradle documentation.

BUILD SUCCESSFUL in 2s

When I set the outputFormat to DEFAULT, it fails (as expected):

Task :ossIndexAudit FAILED
Using anonymous request
  ________  ___   ___  __   ____  ____________   _  __
 / ___/ _ \/ _ | / _ \/ /  / __/ / __/ ___/ _ | / |/ /
/ (_ / , _/ __ |/ // / /__/ _/  _\ \/ /__/ __ |/    /
\___/_/|_/_/ |_/____/____/___/ /___/\___/_/ |_/_/|_/

  _      _                       _   _
 /_)    /_`_  _  _ _/_   _  _   (/  /_`_._  _   _/ _
/_)/_/ ._//_// //_|/ /_//_//_' (_X /  ///_'/ //_/_\
   _/                _//
Gradle Scan version: 2.8.2
------------------------------------------------------------------------------------------------------------------------------------------------------

Checking vulnerabilities in 573 dependencies
Found vulnerabilities in 6 dependencies
[1/6] - pkg:maven/ch.qos.logback/logback-classic@1.2.12 - 1 vulnerability found!

   Vulnerability Title:  [CVE-2023-6378] CWE-502: Deserialization of Untrusted Data
   ID:  CVE-2023-6378
   Description:  A serialization vulnerability in logback receiver component part of  logback version 1.4.11 allows an attacker to mount a Denial-Of-Servi...
   CVSS Score:  (7.5/10, High)
   CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE:  CVE-2023-6378
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2023-6378?component-type=maven&component-name=ch.qos.logback%2Flogback-classic&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.2

[2/6] - pkg:maven/ch.qos.logback/logback-core@1.2.12 - 1 vulnerability found!

   Vulnerability Title:  [CVE-2023-6378] CWE-502: Deserialization of Untrusted Data
   ID:  CVE-2023-6378
   Description:  A serialization vulnerability in logback receiver component part of  logback version 1.4.11 allows an attacker to mount a Denial-Of-Servi...
   CVSS Score:  (7.5/10, High)
   CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE:  CVE-2023-6378
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2023-6378?component-type=maven&component-name=ch.qos.logback%2Flogback-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.2

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':ossIndexAudit'.
> Vulnerabilities detected, check log output to review them

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.
> Get more help at https://help.gradle.org.

Deprecated Gradle features were used in this build, making it incompatible with Gradle 9.0.

You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.

For more on this, please refer to https://docs.gradle.org/8.5/userguide/command_line_interface.html#sec:command_line_warnings in the Gradle documentation.

BUILD FAILED in 2s

To Reproduce
Steps to reproduce the behavior: set the outputFormat to DEPENDENCY_GRAPH and run the ossIndexAudit task in a project with dependencies that have known vulnerabilities.

Expected behavior
The Gradle task should fail if any vulnerabilities are found.

Additional context
When using the outputFormat DEFAULT or JSON_CYCLONE_DX_1_4, the task fails (as expected). I'm using plugin version 2.8.3 with Gradle 8.5.
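As an added example (not part of the plugin or of this issue), a small CI gate that works around the behaviour reported above: it parses the DEPENDENCY_GRAPH output of ossIndexAudit and returns a non-zero exit code whenever the "Found vulnerabilities in N dependencies" summary or any tree node reports findings, and also fails when the summary line is missing so a scan that never ran cannot pass silently. The sample log is constructed from the lines quoted in the issue, and the singular "1 vulnerability detected" form is an assumption about the plugin's output.

```python
import re
import sys

# Constructed sample modelled on the DEPENDENCY_GRAPH output quoted in the issue.
SAMPLE_LOG = """\
> Task :ossIndexAudit
Checking vulnerabilities in 573 dependencies
Found vulnerabilities in 12 dependencies
+--- org.springframework.boot:spring-boot-starter-web:2.7.18: 0 vulnerabilities detected
|    +--- ch.qos.logback:logback-classic:1.2.12: 1 vulnerability detected
|    |    +--- ch.qos.logback:logback-core:1.2.12: 1 vulnerability detected
|    +--- org.springframework.boot:spring-boot-starter:2.7.18 (*): 0 vulnerabilities detected
BUILD SUCCESSFUL in 2s
"""

SUMMARY_RE = re.compile(r"^Found vulnerabilities in (\d+) dependenc(?:y|ies)\s*$")
NODE_RE = re.compile(
    r"^[\s|+\\-]*"                              # tree prefix such as "|    +--- "
    r"(?P<coords>[^\s:]+:[^\s:]+:[^\s:(]+)"     # group:artifact:version
    r"(?: \(\*\))?"                             # "(*)" = subtree already listed
    r": (?P<count>\d+) vulnerabilit(?:y|ies) detected\s*$"  # singular form assumed
)

def parse_audit_log(log_text):
    """Return (summary_count, {coords: count}) for every node with findings.
    summary_count is None when the summary line never appeared."""
    summary, vulnerable = None, {}
    for line in log_text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            summary = int(m.group(1))
            continue
        m = NODE_RE.match(line)
        if m and int(m.group("count")) > 0:
            # The same coordinate can appear in several subtrees; keep one entry.
            vulnerable[m.group("coords")] = int(m.group("count"))
    return summary, vulnerable

def audit_exit_code(log_text):
    """0 only for a proven clean scan, 1 on findings, 2 when the summary is absent."""
    summary, vulnerable = parse_audit_log(log_text)
    if summary is None:
        return 2
    return 1 if summary > 0 or vulnerable else 0

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for coords, n in sorted(parse_audit_log(text)[1].items()):
        print(f"{coords}: {n} vulnerabilit{'y' if n == 1 else 'ies'}")
    sys.exit(audit_exit_code(text))
```

Typical use in a pipeline is `./gradlew ossIndexAudit | tee audit.log; python3 ossindex_gate.py < audit.log`, which fails the job even though the Gradle task itself exited 0.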