DependencyCheck
Exception in thread "Thread-31" java.lang.IllegalArgumentException at org.owasp.dependencycheck.processing.BundlerAuditProcessor.addCriticalityToVulnerability(BundlerAuditProcessor.java:244)
Describe
dependency-check
-s /builds/xxx/sss/pppppp
-o /builds/xxx/sss/pppppp
--suppression owaspdc-suppression-file.xml
-f ALL
--noupdate
--nodeAuditSkipDevDependencies
--nodePackageSkipDevDependencies
--disableYarnAudit
--disableRetireJS
--disableMSBuild
--ossIndexUsername [MASKED]
--ossIndexPassword [MASKED]
--prettyPrint
--log owdc-1.log
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Launching: [bundle-audit, version] from /tmp/dctemp6d38cd1b-6e3e-47c4-bede-5dfacf3f32fa
[WARN] Warnings from bundle-audit
[INFO] Ruby Bundle Audit Analyzer is enabled and is using bundle-audit with version details: bundler-audit 0.9.1
. Note: It is necessary to manually run "bundle-audit update" occasionally to keep its database up to date.
[INFO] Launching: [bundle-audit, check, --verbose] from /builds/front/xxx/xxx/xxx/root/node_modules/react-native/template
Exception in thread "Thread-31" java.lang.IllegalArgumentException
at io.github.jeremylong.openvulnerability.client.nvd.CvssV2Data$Version.fromValue(CvssV2Data.java:859)
at io.github.jeremylong.openvulnerability.client.nvd.CvssV2Data.<init>(CvssV2Data.java:57)
at org.owasp.dependencycheck.processing.BundlerAuditProcessor.addCriticalityToVulnerability(BundlerAuditProcessor.java:244)
at org.owasp.dependencycheck.processing.BundlerAuditProcessor.run(BundlerAuditProcessor.java:145)
at java.base/java.lang.Thread.run(Thread.java:829)
[INFO] Finished Ruby Bundle Audit Analyzer (2 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
Version of dependency-check used
Dependency-Check Core version 9.0.5 User-agent: dependency-check/9.0.5 (Linux; 6.2.0-37-generic; amd64; 11.0.21)
Log file
2023-12-14 15:34:53,830 org.owasp.dependencycheck.Engine:679
INFO - Finished Archive Analyzer (0 seconds)
2023-12-14 15:34:53,833 org.owasp.dependencycheck.Engine:829
DEBUG - Initializing Ruby Bundle Audit Analyzer
2023-12-14 15:34:53,835 org.owasp.dependencycheck.analyzer.RubyBundleAuditAnalyzer:190
INFO - Launching: [bundle-audit, version] from /tmp/dctemp6d38cd1b-6e3e-47c4-bede-5dfacf3f32fa
2023-12-14 15:34:55,297 org.owasp.dependencycheck.analyzer.RubyBundleAuditAnalyzer:219
WARN - Warnings from bundle-audit
2023-12-14 15:34:55,299 org.owasp.dependencycheck.analyzer.RubyBundleAuditAnalyzer:249
INFO - Ruby Bundle Audit Analyzer is enabled and is using bundle-audit with version details: bundler-audit 0.9.1
. Note: It is necessary to manually run "bundle-audit update" occasionally to keep its database up to date.
2023-12-14 15:34:55,300 org.owasp.dependencycheck.Engine:764
DEBUG - Starting Ruby Bundle Audit Analyzer
2023-12-14 15:34:55,301 org.owasp.dependencycheck.Engine:812
DEBUG - Parallel processing with up to 24 threads: Ruby Bundle Audit Analyzer.
2023-12-14 15:34:55,313 org.owasp.dependencycheck.AnalysisTask:86
DEBUG - Begin Analysis of '/builds/front/xxx/xxx/xxx/root/node_modules/react-native/template/Gemfile.lock' (Ruby Bundle Audit Analyzer)
2023-12-14 15:34:55,317 org.owasp.dependencycheck.analyzer.RubyBundleAuditAnalyzer:190
INFO - Launching: [bundle-audit, check, --verbose] from /builds/front/xxx/xxx/xxx/root/node_modules/react-native/template
2023-12-14 15:34:56,454 org.owasp.dependencycheck.processing.BundlerAuditProcessor:139
DEBUG - bundle-audit (template): Name: activesupport
2023-12-14 15:34:56,543 org.owasp.dependencycheck.processing.BundlerAuditProcessor:298
DEBUG - bundle-audit (template): Version: 6.1.5.1
2023-12-14 15:34:56,544 org.owasp.dependencycheck.processing.BundlerAuditProcessor:187
DEBUG - bundle-audit (template): CVE: CVE-2023-22796
2023-12-14 15:34:56,660 org.owasp.dependencycheck.processing.BundlerAuditProcessor:251
DEBUG - bundle-audit (template): Criticality: Unknown
2023-12-14 15:34:56,661 org.owasp.dependencycheck.processing.BundlerAuditProcessor:206
DEBUG - bundle-audit (template): URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
2023-12-14 15:34:56,662 org.owasp.dependencycheck.processing.BundlerAuditProcessor:139
DEBUG - bundle-audit (template): Name: activesupport
2023-12-14 15:34:56,663 org.owasp.dependencycheck.processing.BundlerAuditProcessor:298
DEBUG - bundle-audit (template): Version: 6.1.5.1
2023-12-14 15:34:56,663 org.owasp.dependencycheck.processing.BundlerAuditProcessor:187
DEBUG - bundle-audit (template): CVE: CVE-2023-28120
2023-12-14 15:34:56,664 org.owasp.dependencycheck.data.nvdcve.CveDB:801
DEBUG - CVE-2023-28120 does not exist in the database
2023-12-14 15:34:56,695 org.owasp.dependencycheck.Engine:679
INFO - Finished Ruby Bundle Audit Analyzer (2 seconds)
2023-12-14 15:34:56,714 org.owasp.dependencycheck.Engine:829
DEBUG - Initializing File Name Analyzer
To Reproduce
Steps to reproduce the behavior:
- run dependency-check
- See Exception
What version of react native is being used?
web-impl/root/package.json
{
  "name": "app-template",
  "version": "1.0.0",
  "browserslist": [
    "last 2 Chrome versions",
    "last 2 Firefox versions",
    "last 2 Edge versions",
    "last 2 Safari versions"
  ],
  "scripts": {
    "start": "webpack serve --config webpack.dev.js",
    "build": "webpack --config webpack.prod.js",
    "preversion": "npm run build",
    "postversion": "npm publish",
    "prettier": "prettier --write \"{,!(node_modules|build|dist)/**/}*.js\""
  },
  "dependencies": {
    "@lottiefiles/react-lottie-player": "^3.4.1",
    "@react-google-maps/api": "^2.2.0",
    "@types/react-resizable": "^1.7.2",
    "antd": "^4.24.10",
    "buffer": "^6.0.3",
    "classnames": "^2.3.1",
    "core-js": "^3.12.1",
    "file-saver": "^2.0.5",
    "first-di": "^0.1.50",
    "i18next": "^21.9.1",
    "i18next-browser-languagedetector": "^6.1.4",
    "i18next-http-backend": "^1.4.1",
    "immutability-helper": "^3.1.1",
    "lodash": "^4.17.21",
    "mark.js": "^8.11.1",
    "mobx": "^6.9.0",
    "mobx-react": "^7.6.0",
    "react": "^17.0.2",
    "react-dnd": "^14.0.2",
    "react-dnd-html5-backend": "^14.0.0",
    "react-dom": "^17.0.2",
    "react-google-recaptcha": "^2.1.0",
    "react-horizontal-scrolling-menu": "^3.2.3",
    "react-i18next": "^11.16.2",
    "react-input-autosize": "^3.0.0",
    "react-insta-stories": "^2.4.2",
    "react-number-format": "^5.1.2",
    "react-qr-code": "^2.0.7",
    "react-resizable": "^1.11.1",
    "react-rnd": "^10.3.5",
    "react-router": "^5.2.0",
    "react-router-dom": "^5.2.0",
    "react-transition-group": "^4.4.2",
    "react-world-flags": "^1.5.0",
    "recharts": "^2.0.9",
    "reflect-metadata": "^0.1.13",
    "sha1": "^1.1.1",
    "sockjs-client": "^1.5.2",
    "url-polyfill": "^1.1.12",
    "uuid": "^8.3.2"
  },
  "devDependencies": {
    ...
    "@pmmmwh/react-refresh-webpack-plugin": "^0.5.10",
    "@types/react": "^16.14.5",
    "@types/react-dom": "^16.9.12",
    "@types/react-event-listener": "^0.4.12",
    "@types/react-google-recaptcha": "^2.1.0",
    "@types/react-input-autosize": "^2.2.0",
    "@types/react-router-dom": "^5.1.7",
    "@types/react-transition-group": "^4.4.1",
    "@types/react-world-flags": "^1.4.2",
    "react-native": "^0.68.2",
    "eslint-config-react-app": "^7.0.1",
    "eslint-plugin-react": "^7.30.1",
    "eslint-plugin-react-hooks": "^4.6.0",
    "react-native": "^0.68.2",
    "react-refresh-typescript": "^2.0.9",
    ...
  },
  ...
I can reproduce this with dependency check 9.0.8-release. How can I help?
I've tracked this down for a bit. It seems the immediate cause is https://github.com/jeremylong/DependencyCheck/blob/v9.0.9/core/src/main/java/org/owasp/dependencycheck/processing/BundlerAuditProcessor.java#L244:
if (v != null && (v.getCvssV2() != null || v.getCvssV3() != null)) {
    if (v.getCvssV2() != null) {
        vulnerability.setCvssV2(v.getCvssV2());
    }
    if (v.getCvssV3() != null) {
        vulnerability.setCvssV3(v.getCvssV3());
    }
} else {
    if ("High".equalsIgnoreCase(criticality)) {
        score = 8.5;
    } else if ("Medium".equalsIgnoreCase(criticality)) {
        score = 5.5;
    } else if ("Low".equalsIgnoreCase(criticality)) {
        score = 2.0;
    }
    final CvssV2Data cvssData = new CvssV2Data(null, null, null, null, null, null, null, null, score, criticality.toUpperCase(),
            null, null, null, null, null, null, null, null, null, null);
    final CvssV2 cvssV2 = new CvssV2(null, null, cvssData, criticality.toUpperCase(), null, null, null, null, null, null, null);
    vulnerability.setCvssV2(cvssV2);
    vulnerability.setUnscoredSeverity(null);
}
This new CvssV2Data with a null version causes the error, since the constructor just tries to parse the version:
https://github.com/jeremylong/Open-Vulnerability-Project/blob/v5.1.1/open-vulnerability-clients/src/main/java/io/github/jeremylong/openvulnerability/client/nvd/CvssV2Data.java#L57
public CvssV2Data(String version, String vectorString, AccessVectorType accessVector,
        AccessComplexityType accessComplexity, AuthenticationType authentication, CiaType confidentialityImpact,
        CiaType integrityImpact, CiaType availabilityImpact, Double baseScore, String baseSeverity,
        ExploitabilityType exploitability, RemediationLevelType remediationLevel,
        ReportConfidenceType reportConfidence, Double temporalScore,
        CollateralDamagePotentialType collateralDamagePotential, TargetDistributionType targetDistribution,
        CiaRequirementType confidentialityRequirement, CiaRequirementType integrityRequirement,
        CiaRequirementType availabilityRequirement, Double environmentalScore) {
    this.version = Version.fromValue(version);
and fromValue doesn't really support null (only version "2.0" is allowed):
https://github.com/jeremylong/Open-Vulnerability-Project/blob/v5.1.1/open-vulnerability-clients/src/main/java/io/github/jeremylong/openvulnerability/client/nvd/CvssV2Data.java#L856
@JsonCreator
public static Version fromValue(String value) {
    Version constant = CONSTANTS.get(value);
    if (constant == null) {
        throw new IllegalArgumentException(value);
    } else {
        return constant;
    }
}
I'll leave the fix to someone more familiar with the project, but I'd assume using hard-coded version "2.0" for the fallback vulnerabilities instead of null would fix the immediate cause.
Ping @jeremylong
Ok, changed my mind and made a PR suggestion just to also have the vulnerability name be printed in debug mode (possibly beneficial in the future too).
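As an added illustration, not code from this thread or from the DependencyCheck project: a hypothetical helper that builds the fallback CVSS v2 record with the hard-coded "2.0" version suggested above, keeps the same criticality-to-score mapping as the processor, tolerates the "Unknown" criticality seen in the log, and reproduces the original failure by constructing the record with a null version. It assumes the open-vulnerability-clients 5.1.1 constructors quoted in the thread and that "2.0" is the only version string the Version enum accepts.

```java
import io.github.jeremylong.openvulnerability.client.nvd.CvssV2;
import io.github.jeremylong.openvulnerability.client.nvd.CvssV2Data;

/** Hypothetical helper (example code, not part of DependencyCheck). */
public final class FallbackCvssV2Example {

    // Assumption from the thread: "2.0" is the only value Version.fromValue accepts.
    private static final String CVSS_V2_VERSION = "2.0";

    /**
     * Builds a synthetic CVSS v2 record from a bundle-audit criticality string for
     * advisories that are missing from the local NVD database. Criticalities other
     * than High/Medium/Low (e.g. "Unknown") keep a neutral score of 0.0 and still
     * produce a valid record instead of crashing the analyzer thread.
     */
    static CvssV2 fallbackCvssV2(String criticality) {
        final String severity = criticality == null ? "UNKNOWN" : criticality.toUpperCase();
        double score = 0.0;
        if ("HIGH".equals(severity)) {
            score = 8.5;
        } else if ("MEDIUM".equals(severity)) {
            score = 5.5;
        } else if ("LOW".equals(severity)) {
            score = 2.0;
        }
        // The fix: pass CVSS_V2_VERSION instead of null. The constructor calls
        // Version.fromValue(version), which throws IllegalArgumentException on null.
        final CvssV2Data data = new CvssV2Data(CVSS_V2_VERSION, null, null, null, null, null, null, null,
                score, severity, null, null, null, null, null, null, null, null, null, null);
        return new CvssV2(null, null, data, severity, null, null, null, null, null, null, null);
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including the "Unknown" criticality from the log above.
        for (String c : new String[] {"High", "Medium", "Low", "Unknown", null}) {
            fallbackCvssV2(c); // completes without throwing
            System.out.println(c + " -> fallback record built");
        }
        // The original failure mode, reproduced on purpose: a null version is rejected
        // by the constructor exactly as in the stack trace in this issue.
        try {
            new CvssV2Data(null, null, null, null, null, null, null, null,
                    0.0, "UNKNOWN", null, null, null, null, null, null, null, null, null, null);
        } catch (IllegalArgumentException e) {
            System.out.println("null version rejected as expected: " + e);
        }
    }
}
```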