
False positive for tomcat-embed-el-9.0.38.jar

Open swetan27 opened this issue 4 years ago • 6 comments

Version of Anchore Engine and Anchore CLI if applicable: v0.81

False positive for tomcat-embed-el-9.0.38.jar - reported as cpe:/a:apache:tomcat:3.0

Anchore treated version 3.0 of Java API for Servlets (Annotations) as tomcat version.

Any tomcat-embed-el-9.0.38.jar has the following information in the content-java.json Anchore report:

    {
      "implementation-version": "3.0.FR",
      "location": "/app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar",
      "maven-version": "N/A",
      "origin": "Sun Microsystems, Inc.",
      "package": "tomcat-embed-el-9.0.38",
      "specification-version": "3.0",
      "type": "JAVA-JAR"
    }

I believe the above information is transformed to cpe:/a:apache:tomcat:3.0; below is a snippet from vuln.json:

    "package": "tomcat-3.0",
    "package_cpe": "cpe:/a:-:tomcat:3.0:-:-",
    "package_cpe23": "cpe:2.3:a:-:tomcat:3.0:-:-:-:-:-:-:-",
    "package_name": "tomcat",
    "package_path": "/app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar",
    "package_type": "java",
    "package_version": "3.0",
    "severity": "Medium",
    "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-0128",
    "vendor_data": [],
    "vuln": "CVE-2008-0128"

This results in 25 vulnerabilities in our case, related to old versions of tomcat, because it is considering that we are running a 3.0 version of tomcat when we could be using 9.X.X.

Surprisingly, similar behavior is not occurring for other jars, i.e. tomcat-embed-core-9.0.38.jar, tomcat-embed-websocket-9.0.38.jar and tomcat-annotations-api-9.0.38.jar, which are also part of content-java.json.

List of vulnerabilities results from Anchore:

  • /app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar (CVE-2000-0672)
  • /app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar (CVE-2000-0760)
  • /app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar (CVE-2000-1210)
  • /app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar (CVE-2001-0590)
  • /app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar (CVE-2002-1148)
  • /app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar (CVE-2003-0042)
  • /app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar (CVE-2003-0043)
  • /app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar (CVE-2003-0044)
  • /app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar (CVE-2003-0045)
  • /app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar (CVE-2005-0808)
  • /app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar (CVE-2005-4838)
  • /app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar (CVE-2006-7196)
  • /app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar (CVE-2007-2449)
  • /app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar (CVE-2009-2696)
  • /app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar (CVE-2012-5568)
  • /app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar (CVE-2013-4286)
  • /app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar (CVE-2013-4322)
  • /app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar (CVE-2013-4444)
  • /app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar (CVE-2013-4590)
  • /app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar (CVE-2013-6357)
  • /app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar (CVE-2008-0128)
  • /app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar (CVE-2002-0493)
  • /app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar (CVE-2013-2185)
  • /app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar (CVE-2009-3548)

What did you expect to happen: While we may add the above vulnerabilities to the whitelist, I request you to kindly analyze the root cause of this behavior.

What docker images are you using: We are using a Debian Docker base image.

Anything else we need to know: It's a Spring Boot micro-service. Kindly let me know any other details required.

Log Output: Not attaching, as the scan is happening just fine. Let me know if you require the same.

swetan27 avatar Sep 25 '20 11:09 swetan27
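The mismatch described in the report above can be reproduced from the two JSON records it quotes. The following is an added example, not code from the issue or from Anchore: `naive_cpe` is a hypothetical reconstruction of how a scanner could arrive at `cpe:2.3:a:-:tomcat:3.0:...` (first token of the package name plus the manifest `Specification-Version`, which for `tomcat-embed-el` is the EL API version rather than the Tomcat release), `filename_cpe` derives the product and version from the Maven `artifactId-version.jar` filename instead, and `suspect_findings` is a triage check a practitioner can run over `vuln.json` to flag findings whose `package_version` disagrees with the version in the jar filename. The `cpe23` helper, the regex, the second vuln.json record (`CVE-EXAMPLE-0001`, a control with a consistent version) and the function names are all assumptions of this example.

```python
import re

# Constructed copy of the content-java.json record quoted in the issue.
CONTENT_JAVA_RECORD = {
    "implementation-version": "3.0.FR",
    "location": "/app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar",
    "maven-version": "N/A",
    "origin": "Sun Microsystems, Inc.",
    "package": "tomcat-embed-el-9.0.38",
    "specification-version": "3.0",
    "type": "JAVA-JAR",
}

# Sample vuln.json records: the first is the one quoted in the issue, the second is
# a constructed control (CVE-EXAMPLE-0001 is not a real CVE) whose version agrees
# with the jar filename.
VULN_RECORDS = [
    {
        "package": "tomcat-3.0",
        "package_cpe23": "cpe:2.3:a:-:tomcat:3.0:-:-:-:-:-:-:-",
        "package_name": "tomcat",
        "package_path": "/app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar",
        "package_type": "java",
        "package_version": "3.0",
        "vuln": "CVE-2008-0128",
    },
    {
        "package": "tomcat-embed-el-9.0.38",
        "package_cpe23": "cpe:2.3:a:-:tomcat-embed-el:9.0.38:-:-:-:-:-:-:-",
        "package_name": "tomcat-embed-el",
        "package_path": "/app.jar:BOOT-INF/lib/tomcat-embed-el-9.0.38.jar",
        "package_type": "java",
        "package_version": "9.0.38",
        "vuln": "CVE-EXAMPLE-0001",
    },
]

# Maven's <artifactId>-<version>.jar naming: artifact segments start with a letter,
# the version starts with a digit, e.g. tomcat-embed-el-9.0.38.jar.
JAR_NAME_RE = re.compile(
    r"^(?P<artifact>[A-Za-z][\w.]*(?:-[A-Za-z][\w.]*)*)-(?P<version>\d[\w.-]*)\.jar$"
)


def jar_artifact_and_version(package_path):
    """(artifactId, version) parsed from the jar filename in an Anchore package_path, or None."""
    jar = package_path.rsplit("/", 1)[-1]
    m = JAR_NAME_RE.match(jar)
    return (m["artifact"], m["version"]) if m else None


def cpe23(product, version):
    """Build a CPE 2.3 string with the '-' placeholders seen in the issue's vuln.json."""
    return f"cpe:2.3:a:-:{product}:{version}:-:-:-:-:-:-:-"


def naive_cpe(record):
    """Hypothetical reconstruction (not Anchore's code) of how the reported CPE can arise:
    product = first hyphen-separated token of the package name, version = Specification-Version.
    For tomcat-embed-el the spec version is the EL API version, not the Tomcat release."""
    product = record["package"].split("-")[0]
    return cpe23(product, record["specification-version"])


def filename_cpe(record):
    """Derive the CPE from the artifactId and version embedded in the jar filename instead."""
    parsed = jar_artifact_and_version(record["location"])
    return cpe23(*parsed) if parsed else None


def suspect_findings(vuln_records):
    """Triage check over vuln.json: return Java findings whose package_version does not
    match the version in the jar filename, as (vuln, name, version, artifact, file_version)."""
    suspects = []
    for r in vuln_records:
        if r.get("package_type") != "java":
            continue
        parsed = jar_artifact_and_version(r["package_path"])
        if parsed is None:
            continue
        artifact, file_version = parsed
        if r["package_version"] != file_version:
            suspects.append((r["vuln"], r["package_name"], r["package_version"], artifact, file_version))
    return suspects


if __name__ == "__main__":
    print("spec-version CPE:", naive_cpe(CONTENT_JAVA_RECORD))
    print("filename CPE    :", filename_cpe(CONTENT_JAVA_RECORD))
    for vuln, name, ver, artifact, file_ver in suspect_findings(VULN_RECORDS):
        print(f"{vuln}: reported {name} {ver}, jar filename says {artifact} {file_ver}")
```

Running it reproduces the exact `package_cpe23` string from the quoted vuln.json for the spec-version path and flags only CVE-2008-0128 as suspect; the same check, pointed at a real vuln.json, gives a list of findings to look at before whitelisting them one by one.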

Thanks for reporting this. We're working on some updates on the java side that should help with this. We're looking at how to handle the jar metadata better. Are the jars the same ones available from Maven central?

zhill avatar Sep 29 '20 06:09 zhill

Yes, they are the same ones available from Maven Central

swetan27 avatar Sep 30 '20 13:09 swetan27

How is this issue going? False positives are still showing up in the reports... Running Anchore 0.8.2.

dapc11 avatar Aug 30 '21 06:08 dapc11

@swetan27 and @dapc11 Could you retry with the newest version of anchore engine, v0.10.1? We've made a number of improvements to our image analysis since the versions you are on.

dspalmer99 avatar Aug 30 '21 15:08 dspalmer99

After scanning with v0.10.1, the vulnerabilities related to tomcat-embed-el-9.0.38 are not being reported. But I see Jersey-related vulnerabilities being reported which are also false positives. Attaching the output below:

[attached image: Anchore scan output listing the Jersey findings]

Also, on checking the manifest file and the Anchore content-java.json report, all the Jersey files have their origin as org.glassfish.jersey.*.

As per NVD, the vulnerability CVE-2021-28168 exists in Eclipse Jersey v2.28 to 2.33 (an information disclosure vulnerability), and the affected CPE is cpe:2.3:a:eclipse:jersey::::::::

[attached image: NVD entry for CVE-2021-28168]

Let me know if you want me to raise a separate issue for this.

swetan27 avatar Aug 31 '21 15:08 swetan27

I am seeing multiple false positives showing up for tomcat-embed-el-9.0.55.jar, too. Should I file a separate issue for this, or is this related to this issue?

seanleblancicdtech avatar Dec 02 '21 04:12 seanleblancicdtech