
False Positive with nextcloud artifacts

Open stl543 opened this issue 1 year ago • 6 comments

Current Behavior

Hello,

Dependency-Track seems to detect CVE-2023-25160 (NVD) on javax.mail.mail, v1.4.7, but this CVE concerns Nextcloud. When I ask Dependency-Track for the CVE detail:

cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:* ( |<1.11.8 ) | NVD
cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:* ( >=1.12.0|<1.12.9 ) | NVD
cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:* ( >=1.13.0|<1.14.5 ) | NVD
cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:* ( >=2.0.0|<2.2.1 ) | NVD

Also, I do not understand how this CVE can be detected on this artifact. The groupId is different, and the filter is supposed not to match... Note that I have the same issue on another artifact (com.toedter.jcalendar, CVE-2018-3763, which is not a Nextcloud artifact either...).

I suppose there is a problem with pattern matching...

Steps to Reproduce

  1. Run dependency-track on a project using the artifact javax.mail.mail

Expected Behavior

CVE-2023-25160 (concerning Nextcloud artifacts) is not raised for this artifact.

Dependency-Track Version

4.10.0

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

stl543 avatar Feb 27 '24 10:02 stl543

Can you please share the BOM you're uploading? Really the only relevant parts of the BOM are the components you're getting false positives on.

Just to give an example, CPEs support wildcards (*). If the BOM you're uploading uses CPEs like this:

cpe:2.3:a:*:mail:1.4.7:*:*:*:*:*:*:*

You will get matches with cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:* ( |<1.11.8 ), because * matches nextcloud, and 1.4.7 is smaller than 1.11.8.

nscuro avatar Feb 27 '24 11:02 nscuro

Hello! Thanks for your answer. The uploaded BOM doesn't contain any CPE information... Here are the parts dealing with the two artifacts (jcalendar and mail):

<components>
  <component type="library" bom-ref="pkg:maven/com.toedter/jcalendar@1.4?type=jar">
    <group>com.toedter</group>
    <name>jcalendar</name>
    <version>1.4</version>
    <scope>required</scope>
    <hashes>
      <hash alg="MD5">0a0863943cf89741c7a0c2721027446d</hash>
      <hash alg="SHA-1">180cf82b37b0c1324e7de33bd0114be7d86678cd</hash>
      <hash alg="SHA-256">284fcfbb7938d5b85bb0f540c712fa042521a4c50f4a5d47da02ba19bff291eb</hash>
      <hash alg="SHA-512">612a8bce9ad14474fdd163ab0f8e95e4b6f5318b405751c650143b4d18613de7e03355d022823a9971188fc90586b6c3a525730d58622816968a8fb97f7a6a26</hash>
      <hash alg="SHA-384">17bb0d73a146352c95daee35656856d663d68bd25874edead4e1ebf3b206b7911501e0016941800d8b6e993cad342961</hash>
      <hash alg="SHA3-384">650e79914b21a5c5bbe4da322e7985ffa386da1736fc24f1ff891402389c646790aca2e983811869abd2a35339372444</hash>
      <hash alg="SHA3-256">0bb0129e2a8af16e05396a9821b315d3ceb1e056c442c3f17480be84f1d92899</hash>
      <hash alg="SHA3-512">27c418c1433b9c668a49214390b957b49839832f118e6633e753b391177f5c2be06b30fd833c22fcf1eb6d3bcb284f7442bb3f3460de0c5cf8bd5c6968f13c4e</hash>
    </hashes>
    <licenses/>
    <purl>pkg:maven/com.toedter/jcalendar@1.4?type=jar</purl>
  </component>
  <component type="library" bom-ref="pkg:maven/javax.mail/mail@1.4.7?type=jar">
    <group>javax.mail</group>
    <name>mail</name>
    <version>1.4.7</version>
    <scope>required</scope>
    <hashes>
      <hash alg="MD5">77f53ff0c78ba43c4812ecc9f53e20f8</hash>
      <hash alg="SHA-1">9add058589d5d85adeb625859bf2c5eeaaedf12d</hash>
      <hash alg="SHA-256">78c33b4f7c7b60f4b680f2d2405b1f063d71929cf1a4fbc328888379f365fcfb</hash>
      <hash alg="SHA-512">331d2ecda625f4ad8a2c2539b577e9906787e7ef08d47683f45dd6fff18e3b7601071f20970896210bd26498018aa570fe2ab4bfd7f7084068a234a809bbd481</hash>
      <hash alg="SHA-384">9b2529ac136de86400b6eaa9eb887cdc3de3cd993131caf99ce808bc2ac208b01772018aa38d49ca0bd1bc962e08834a</hash>
      <hash alg="SHA3-384">4c86276795145265031b3ea63c097106df20076151c8a3a682a7092d68d91f243697286e3f543e8a1ef1e46ed4bb157e</hash>
      <hash alg="SHA3-256">eef5fbcc453d8f709bc49c5f3d4f02a7cd8437f62cab9eb6b5396713a2098973</hash>
      <hash alg="SHA3-512">c28159ba68a18d7d57428fcd75a9b019b3e79e573debbeef2859ba522309b9362552c861063a5ab541175bfb0ae69c08e5fa237f3ed3b05160de46e4fd2d8132</hash>
    </hashes>
    <licenses/>
    <purl>pkg:maven/javax.mail/mail@1.4.7?type=jar</purl>
  </component>
</components>

stl543 avatar Feb 27 '24 14:02 stl543

Okay, that's odd then.

In the "Audit Vulnerabilities" tab, what is it showing as the analyzer that found the vulnerabilities?

Do you have fuzzy CPE matching enabled?

nscuro avatar Feb 28 '24 16:02 nscuro

Hello! Thanks for your response. These vulnerabilities are found by the NVD analyzer. But I think you're right: all the fuzzy CPE options are enabled in our configuration. I am going to check whether the two vulnerabilities disappear when these options are disabled. I'll keep you informed :)

Best regards, Estelle

stl543 avatar Feb 28 '24 17:02 stl543

Hello, the two vulnerabilities are still displayed in the "Audit Vulnerabilities" tab. Is there a cache to clear of the already-found vulnerabilities, or a way to be sure that no false-positive CVEs are still found? Thanks for your help! Estelle

stl543 avatar Mar 01 '24 14:03 stl543

Hello, Dependency-Track still seems to see the vulnerabilities, even with the fuzzy options disabled. How can this situation be fixed? Thanks for your help, Estelle

stl543 avatar Mar 08 '24 18:03 stl543