
URI encoded package names do not match names in lock-file

Open slosd opened this issue 1 year ago • 6 comments

This method seems to read a URI (https://github.com/package-url/purl-spec), but the URI components are never decoded: https://github.com/dependency-check/dependency-check-sonar-plugin/blob/3aea40419b4a7c7e99af24cc6af3ff61d3e99710/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/base/DependencyCheckUtils.java#L233

As a result a URI encoded string is compared to package names in the lock-file which are not URI encoded.

To Reproduce: Excerpt from a JSON report:

{
  "dependencies": [
    {
      "packages": [
        {
          "id": "pkg:npm/%40apollo%[email protected]"
        }
      ]
    }
  ]
}

Current behavior: In the example above the vulnerability for "@apollo/server" is added to the first line of package-lock.json

Expected behavior: The vulnerability for "@apollo/server" is added where "@apollo/server" is declared in package-lock.json

Versions (please complete the following information):

dependency-check-sonar-plugin: 4.0.0

slosd avatar Oct 15 '23 16:10 slosd

This plugin takes the content of the JSON report. If the content of the report is incorrect, this would have to be corrected in the main project. https://github.com/jeremylong/DependencyCheck

Reamer avatar Oct 19 '23 12:10 Reamer

I don't think the report is incorrect. Is the content of "id" not supposed to be a URI?

slosd avatar Oct 19 '23 12:10 slosd

Looking at the purl spec it seems pkg:npm/%40apollo/[email protected] would be "more" correct, but as far as I can see that wouldn't work either, because we would compare the literal string "%40apollo/server" to "@apollo/server" in package-lock.json

slosd avatar Oct 19 '23 12:10 slosd
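The two comments above describe the same root cause from both sides: the report carries a package-url (purl), and purl components are percent-encoded, so the plugin must decode them before comparing against package-lock.json, and it must decode after splitting on the separators so that an encoded `@` or `/` inside the name is not mistaken for one. The following is an added, stand-alone illustration of that decoding and matching step; it is not code from dependency-check-sonar-plugin or from Dependency-Check. The report excerpt, the package-lock.json text and the version 4.9.4 are constructed for the example, and the lockfile layout assumed is the v2/v3 `packages` map keyed by `node_modules/<name>`.

```python
"""Decode purl identifiers from a Dependency-Check JSON report and find where
each package is declared in package-lock.json (constructed example)."""
import json
from urllib.parse import unquote


def parse_purl(purl: str) -> dict:
    """Split a purl into components, percent-decoding each one afterwards.

    Splitting order follows the purl spec: subpath ('#'), qualifiers ('?'),
    type (first '/'), version (last '@'), then namespace/name (last '/').
    Decoding only after splitting means an encoded separator inside a
    component (%40 for '@', %2F for '/') is treated as data, not structure.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")
    rest, _, subpath = rest.partition("#")
    rest, _, qualifiers = rest.partition("?")
    ptype, _, rest = rest.partition("/")
    if "@" in rest:
        rest, _, version = rest.rpartition("@")
    else:
        version = ""
    namespace, _, name = rest.rpartition("/")
    return {
        "type": ptype.lower(),
        "namespace": "/".join(unquote(s) for s in namespace.split("/") if s),
        "name": unquote(name),
        "version": unquote(version) or None,
        "qualifiers": qualifiers,
        "subpath": subpath,
    }


def npm_package_name(purl: str) -> str:
    """Name as it appears in package-lock.json, i.e. '@scope/name' or 'name'.

    Works for both encodings seen in the thread: pkg:npm/%40apollo%2Fserver@V
    (whole name in the name component) and pkg:npm/%40apollo/server@V
    (scope in the namespace component).
    """
    p = parse_purl(purl)
    if p["type"] != "npm":
        raise ValueError(f"not an npm purl: {purl!r}")
    return f'{p["namespace"]}/{p["name"]}' if p["namespace"] else p["name"]


def raw_npm_name(purl: str) -> str:
    """The undecoded string a naive implementation would compare (the bug)."""
    rest = purl[len("pkg:npm/"):]
    return rest.rpartition("@")[0] if "@" in rest else rest


def lockfile_line(lock_text: str, package_name: str) -> int:
    """1-based line of the package's entry under "packages", or 1 if absent.

    Assumes a v2/v3 lockfile where entries are keyed "node_modules/<name>".
    Falling back to line 1 mirrors the behaviour reported in the issue when
    the name does not match anything.
    """
    needle = f'"node_modules/{package_name}":'
    for lineno, line in enumerate(lock_text.splitlines(), start=1):
        if line.strip().startswith(needle):
            return lineno
    return 1


def locate_packages(report: dict, lock_text: str) -> dict:
    """Map each decoded package name in the report to its lockfile line."""
    found = {}
    for dep in report.get("dependencies", []):
        for pkg in dep.get("packages", []):
            name = npm_package_name(pkg["id"])
            found[name] = lockfile_line(lock_text, name)
    return found


# Constructed inputs (not from the issue): a report with the two purl
# encodings and a v3 package-lock.json declaring the same packages.
REPORT = {
    "dependencies": [
        {"packages": [{"id": "pkg:npm/%40apollo%2Fserver@4.9.4"}]},
        {"packages": [{"id": "pkg:npm/lodash@4.17.21"}]},
    ]
}

LOCKFILE = """{
  "name": "demo",
  "lockfileVersion": 3,
  "packages": {
    "": {
      "dependencies": {
        "@apollo/server": "^4.9.4"
      }
    },
    "node_modules/@apollo/server": {
      "version": "4.9.4"
    },
    "node_modules/lodash": {
      "version": "4.17.21"
    }
  }
}
"""

if __name__ == "__main__":
    print(json.dumps(locate_packages(REPORT, LOCKFILE), indent=2))
```

Running the block prints `@apollo/server` at line 10 and `lodash` at line 13; feeding `raw_npm_name(...)` (the string `%40apollo%2Fserver`) into `lockfile_line` instead returns 1, which is the misplaced issue the report describes.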

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

github-actions[bot] avatar Dec 19 '23 02:12 github-actions[bot]

This issue was closed because it has been stalled for 14 days with no activity.

github-actions[bot] avatar Jan 02 '24 02:01 github-actions[bot]

This bug still exists

slosd avatar Jan 02 '24 10:01 slosd

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

github-actions[bot] avatar Mar 04 '24 02:03 github-actions[bot]

This issue was closed because it has been stalled for 14 days with no activity.

github-actions[bot] avatar Mar 19 '24 01:03 github-actions[bot]