dependency-check-gradle
How to avoid Kotlin vulnerabilities in Android Kotlin project with Kotlin-DSL
Hello! Also from my side: Thank you very much for this awesome project, and all the effort you're putting into it!
To my question:
I have a multi-module Android project (1 app, 5 android-lib modules), written in Kotlin using the Gradle Kotlin-DSL. I'm very unsure how to configure the dependencyCheck tasks.
"Analyze" will always give me 11 vulnerabilities, all caused by simply using Kotlin as language. "Aggregate" on the other hand is giving me 0 (zero) vulnerabilities, no matter how low I set failBuildOnCVSS. Based on this SO thread, skipping lintClassPath or adding releaseCompileClasspath should fix it. But...well...it's not.
My configuration is as follows:
// project build.gradle.kts
subprojects {
    // all the other stuff
    apply(plugin = "org.owasp.dependencycheck")
    extensions.findByType(org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension::class)?.let {
        // skipConfigurations added because of: https://stackoverflow.com/questions/54653400/android-cve-check
        // but doesn't help at all. The other suggestion using scanConfigurations doesn't work either.
        it.skipConfigurations = listOf("lintClassPath")
        it.suppressionFile = "${projectDir.absolutePath}/src/main/res/xml/cve_suppressions.xml"
        it.failBuildOnCVSS = 3F // or 9F - it doesn't matter, always getting the same 11 CVEs
    }
}
It doesn't matter if I have this configured in subprojects {} or separately in the individual build.gradle.kts.
These are the reported vulnerabilities I get in each module:
kotlin-stdlib-jdk8-1.4.0.jar (pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.4.0, cpe:2.3:a:jetbrains:kotlin:1.4.0:milestone1:*:*:*:*:*:*) : CVE-2020-15824
kotlin-reflect-1.4.0.jar (pkg:maven/org.jetbrains.kotlin/kotlin-reflect@1.4.0, cpe:2.3:a:jetbrains:kotlin:1.4.0:milestone1:*:*:*:*:*:*) : CVE-2020-15824
kotlin-stdlib-jdk7-1.4.0.jar (pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk7@1.4.0, cpe:2.3:a:jetbrains:kotlin:1.4.0:milestone1:*:*:*:*:*:*) : CVE-2020-15824
kotlin-stdlib-1.4.0.jar (pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.4.0, cpe:2.3:a:jetbrains:kotlin:1.4.0:milestone1:*:*:*:*:*:*) : CVE-2020-15824
kotlin-stdlib-common-1.4.0.jar (pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.4.0, cpe:2.3:a:jetbrains:kotlin:1.4.0:milestone1:*:*:*:*:*:*) : CVE-2020-15824
kotlin-android-extensions-runtime-1.4.0.jar (pkg:maven/org.jetbrains.kotlin/kotlin-android-extensions-runtime@1.4.0, cpe:2.3:a:jetbrains:kotlin:1.4.0:milestone1:*:*:*:*:*:*) : CVE-2020-15824
kotlin-compiler-embeddable-1.4.0.jar (pkg:maven/org.jetbrains.kotlin/kotlin-compiler-embeddable@1.4.0, cpe:2.3:a:jetbrains:kotlin:1.4.0:milestone1:*:*:*:*:*:*) : CVE-2020-15824
kotlin-script-runtime-1.4.0.jar (pkg:maven/org.jetbrains.kotlin/kotlin-script-runtime@1.4.0, cpe:2.3:a:jetbrains:kotlin:1.4.0:milestone1:*:*:*:*:*:*) : CVE-2020-15824
kotlin-daemon-embeddable-1.4.0.jar (pkg:maven/org.jetbrains.kotlin/kotlin-daemon-embeddable@1.4.0, cpe:2.3:a:jetbrains:kotlin:1.4.0:milestone1:*:*:*:*:*:*) : CVE-2020-15824
kotlin-android-extensions-1.4.0.jar (pkg:maven/org.jetbrains.kotlin/kotlin-android-extensions@1.4.0, cpe:2.3:a:jetbrains:kotlin:1.4.0:milestone1:*:*:*:*:*:*) : CVE-2020-15824
kotlin-klib-commonizer-embeddable-1.4.0.jar (pkg:maven/org.jetbrains.kotlin/kotlin-klib-commonizer-embeddable@1.4.0, cpe:2.3:a:jetbrains:kotlin:1.4.0:milestone1:*:*:*:*:*:*) : CVE-2020-15824
I'd really appreciate some help to figure out the right configuration here.
Edit: I am using the following versions:
- DependencyCheck Plugin: 5.3.2
- Kotlin: 1.4.0
- Gradle Build Tools: 4.0.1
- Gradle 6.1.1
Yeah, this looks like a false positive in the check to me - I'm also seeing failures due to CVE-2020-15824 despite being on Kotlin version 1.4.10. Tried bumping to the latest version of the dependencyCheck (6.0.1) and it's still happening there.
Per the CVE:
In JetBrains Kotlin from 1.4-M1 to 1.4-RC (as Kotlin 1.3.7x is not affected by the issue. Fixed version is 1.4.0)
So the check should not be flagging 1.4.0 or 1.4.10 as vulnerable.
Still happening with 1.4.21-2.
CVE-2020-15824, CVE-2020-29582, whereas the latter one is fixed in 1.4.21, according to NVD (see https://github.com/jeremylong/DependencyCheck/issues/3133).
You can create a local suppression file or even submit a PR to add the suppression rules.
Most of the time it is a false positive, because we have already upgraded. Transitive dependencies may have been built with an older Kotlin version.
One fix is to pin/force dependency versions. In most cases it is ok.
For example, I have done it with Kotlin and JUnit.
allprojects {
    configurations {
        all {
            resolutionStrategy {
                force("org.jetbrains.kotlin:kotlin-stdlib:${Version.kotlin}")
                force("org.jetbrains.kotlin:kotlin-stdlib-common:${Version.kotlin}")
                force("org.jetbrains.kotlin:kotlin-stdlib-jdk7:${Version.kotlin}")
                force("org.jetbrains.kotlin:kotlin-stdlib-jdk8:${Version.kotlin}")
                force("org.jetbrains.kotlin:kotlin-test:${Version.kotlin}")
                force("org.jetbrains.kotlin:kotlin-test-junit:${Version.kotlin}")
                force(Dependencies.Kotlin.Coroutines.common)
                force(Dependencies.Kotlin.Coroutines.android)
                force(Dependencies.Kotlin.Coroutines.iosArm)
                force(Dependencies.Kotlin.Coroutines.iosX64)
                force(Dependencies.junit)
                force(Dependencies.Kotlin.reflect)
            }
        }
    }
}
With the latest CVE, the trick does not work out.
So, looking into the dependency tree:
./gradlew :module:dependencies
and all transitive dependencies are upgraded:
+--- androidx.core:core-ktx:1.7.0
| +--- org.jetbrains.kotlin:kotlin-stdlib:1.5.31 -> 1.6.10 (*)
but I am still receiving CVE issues. So I guess I will add it to the suppress.xml file.
kotlin-stdlib-1.5.31.jar (pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.5.31, cpe:2.3:a:jetbrains:kotlin:1.5.31:*:*:*:*:*:*:*) : CVE-2022-24329
kotlin-stdlib-jdk7-1.5.30.jar (pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk7@1.5.30, cpe:2.3:a:jetbrains:kotlin:1.5.30:*:*:*:*:*:*:*) : CVE-2022-24329
kotlin-stdlib-jdk8-1.5.30.jar (pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.5.30, cpe:2.3:a:jetbrains:kotlin:1.5.30:*:*:*:*:*:*:*) : CVE-2022-24329
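The local suppression file suggested earlier in this thread, written out as an added example (not from any poster or from the DependencyCheck project). It only covers the two CVEs the thread establishes as false positives for the flagged versions (CVE-2020-15824, fixed in 1.4.0; CVE-2020-29582, fixed in 1.4.21 per NVD), scoped by package URL so that a genuinely old Kotlin jar pulled in transitively would still be reported. The file path and the review date in the notes are placeholders; it is wired in through the suppressionFile setting shown in the question.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file (not from the thread). Every rule is
     limited to ONE CVE and to the Kotlin versions that are already fixed,
     so a downgraded transitive jar (e.g. 1.4-RC or 1.4.20) still fails the build. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- CVE-2020-15824 affects 1.4-M1 .. 1.4-RC only; 1.4.0 and later are fixed.
       The regex matches final releases 1.4.x .. 1.9.x (plus hotfix suffixes such
       as 1.4.21-2). Milestones and RCs do not match, so they are still flagged. -->
  <suppress>
    <notes><![CDATA[
      False positive: the final 1.4.0 release is matched to the
      cpe:2.3:a:jetbrains:kotlin:1.4.0:milestone1 entry. Reviewed YYYY-MM-DD (placeholder).
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-[a-z0-9\-]+@1\.[4-9]\.[0-9]+(-[0-9]+)?$</packageUrl>
    <cve>CVE-2020-15824</cve>
  </suppress>

  <!-- CVE-2020-29582 is fixed in 1.4.21 per NVD (issue 3133 linked above), so only
       1.4.21+ and the later 1.x minor lines are suppressed; 1.4.0 .. 1.4.20 stay flagged. -->
  <suppress>
    <notes><![CDATA[
      False positive for Kotlin >= 1.4.21. Reviewed YYYY-MM-DD (placeholder).
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-[a-z0-9\-]+@(1\.4\.(2[1-9]|[3-9][0-9])|1\.[5-9]\.[0-9]+)(-[0-9]+)?$</packageUrl>
    <cve>CVE-2020-29582</cve>
  </suppress>

  <!-- CVE-2022-24329 on the 1.5.30/1.5.31 jars above is deliberately NOT suppressed here:
       the thread does not establish it as a false positive. Check which configuration
       (e.g. via ./gradlew :module:dependencies) still resolves the old jar first. -->
</suppressions>
```

After re-running dependencyCheckAnalyze, confirm that only those two CVEs disappear from the report and that any remaining Kotlin finding points at a jar whose version really is below the fixed one.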