
Potential bug in dependency string parsing

Open amanske-ada opened this issue 1 year ago • 2 comments

Describe the bug
Suddenly, we got reports of a bunch of vulnerabilities on the github.com/coreos/go-systemd/v22:22.5.0 package. Some of the vulnerabilities are 10+ years old. I believe that these vulnerabilities are related to the Linux systemd suite, and not go-systemd itself. Could it be that DependencyCheck does a contains on the dependency strings, and finds systemd in go-systemd?

[Screenshot 2023-12-19 at 13 26 56]

Version of dependency-check used
The problem occurs using version 9.0.7 of the CLI via the Jenkins plugin.

Log file
Not needed in this case; the check itself is successful and the report is generated.

To Reproduce
Steps to reproduce the behavior:

  1. git clone https://github.com/rs/zerolog
  2. dependency-check --scan ./ --exclude "submodules/**" "vendor/**" ".scannerwork/**" --disableAssembly --enableExperimental --nvdApiDelay 2500 --format HTML --nvdApiKey xxx
  3. Check the report

[Screenshot 2023-12-19 at 13 52 43]

Expected behavior
No vulnerabilities are reported for the dependency (https://snyk.io/advisor/golang/github.com/coreos/go-systemd/v22).

Additional context
Happy to provide more info if needed.

amanske-ada avatar Dec 19 '23 12:12 amanske-ada
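Added illustration, not code from the issue, the reporter, or DependencyCheck (whose real CPE matching is documented on the internals page linked below): a small Python triage helper showing why a plain substring test on an identifier like github.com/coreos/go-systemd/v22:22.5.0 would hit a systemd advisory while a whole-name comparison would not. The identifier layout "host/namespace/name[/vN]:version", the function names and the extra sample versions are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical triage helper; it is NOT DependencyCheck's matching algorithm.
# Identifier layout assumed from the report: host/namespace/name[/vN]:version
GO_IDENT_RE = re.compile(
    r"^(?P<host>[^/:]+)/(?:(?P<ns>.+?)/)?(?P<name>[^/:]+?)"
    r"(?:/v(?P<major>\d+))?:(?P<version>.+)$"
)


@dataclass(frozen=True)
class GoDep:
    namespace: str  # e.g. "coreos"
    name: str       # e.g. "go-systemd"
    version: str    # e.g. "22.5.0"


def parse_go_dependency(ident: str) -> GoDep:
    """Split a Go module identifier into namespace, module name and version."""
    m = GO_IDENT_RE.match(ident)
    if not m:
        raise ValueError(f"not a Go module identifier: {ident!r}")
    return GoDep(m.group("ns") or "", m.group("name"), m.group("version"))


def naive_match(product: str, dep_ident: str) -> bool:
    """The suspected behaviour: a bare substring test over the whole string."""
    return product.lower() in dep_ident.lower()


def exact_name_match(product: str, dep_ident: str) -> bool:
    """Stricter rule: only the parsed module name, as a whole, may equal the product."""
    return parse_go_dependency(dep_ident).name.lower() == product.lower()


def suspected_false_positives(pairs):
    """Return (advisory product, dependency) pairs only the substring test would flag."""
    return [(p, d) for p, d in pairs if naive_match(p, d) and not exact_name_match(p, d)]


# Constructed sample: the reported hit plus two controls (versions are made up).
SAMPLE_PAIRS = [
    ("systemd", "github.com/coreos/go-systemd/v22:22.5.0"),   # reported hit
    ("go-systemd", "github.com/coreos/go-systemd/v22:22.5.0"),  # genuine name match
    ("zerolog", "github.com/rs/zerolog:1.0.0"),                 # genuine name match
]

if __name__ == "__main__":
    for product, dep in suspected_false_positives(SAMPLE_PAIRS):
        print(f"substring-only hit (review before trusting): {product!r} in {dep}")
```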

Check out https://jeremylong.github.io/DependencyCheck/general/internals.html

jeremylong avatar Dec 19 '23 13:12 jeremylong

Got it, thanks!

amanske-ada avatar Dec 19 '23 16:12 amanske-ada