
GHSA-mjmj-j48q-9wg2 is triggering for snakeyaml-engine but CVE is for just "snakeyaml"

Open mr-c opened this issue 2 years ago • 5 comments

For some reason the package specification org.yaml:snakeyaml is matching org.snakeyaml:snakeyaml-engine which is a completely different codebase.

https://github.com/github/advisory-database/blob/6e5f74144c12295dd708627997c9249409fff18d/advisories/github-reviewed/2022/12/GHSA-mjmj-j48q-9wg2/GHSA-mjmj-j48q-9wg2.json#L21


https://github.com/common-workflow-language/cwljava/blob/63e794f42ed28a03a9bb5429b8e503edb320138c/pom.xml#L99


mr-c avatar Feb 23 '23 09:02 mr-c


mr-c avatar Mar 25 '23 09:03 mr-c

I believe this repository uses Dependency Graph's submissions API. After their CI runs on actions, it appears they are submitting the full dependency tree to Dependency Graph. The behavior we're seeing is consistent with that submission including a vulnerable version of org.yaml:snakeyaml.

Looking a little deeper, their dependency insights page does indeed show a dependency on org.yaml:snakeyaml = 1.33 (as of this writing).

laserlemon avatar Mar 27 '23 13:03 laserlemon

This looks like a problem with the snapshot detector in use - there are a couple other similar tickets in play. Snapshot submissions are assumed resolved by the submitter, we don't normally validate against the same package mappings and metadata we do for manifest based deps.

Last time this came up, I validated the snapshot submission was picking up the wrong mapping here, but as you can see in the manifest, the right artifactId appears there, and that is what the DG-API manifest-level data records.

There's been some recent work to integrate snapshot and static-manifest data in repo insights that may be in play here? cc @juxtin

elireisman avatar Apr 05 '23 19:04 elireisman

snakeyaml is a dependency of the above repo, albeit an indirect one pulled in by jackson-dataformat-yaml. Work is still in progress to refresh this page and we intend to show the relationship of the different dependencies in future. Here is the snapshot generated by the Maven Dependency Tree Dependency Submission action installed on the repo. I've however extracted some bits I've deemed relevant below:

{
  ...
  "pkg:maven/com.fasterxml.jackson.dataformat/[email protected]?type=jar":{
                 "package_url":"pkg:maven/com.fasterxml.jackson.dataformat/[email protected]?type=jar",
                 "relationship":"direct",
                 "scope":"runtime",
                 "dependencies":[
                    "pkg:maven/org.yaml/[email protected]?type=jar"
                 ]
              },
   ...,
    "pkg:maven/org.yaml/[email protected]?type=jar":{
       "package_url":"pkg:maven/org.yaml/[email protected]?type=jar",
       "relationship":"indirect",
       "scope":"runtime"
    }
   ...
   "scanned":"2023-03-25T09:31:05.323Z"
   }

cnagadya avatar Apr 06 '23 07:04 cnagadya

Thanks for the thorough explanation, @cnagadya!

To confirm, the issue was that snakeyaml was a transitive dependency of jackson-dataformat-yaml. However, we do not make it clear in the Dependency Graph or Dependabot Alert UIs where a transitive dependency is coming from. Making this relationship more obvious is planned as future work for the Dependabot and Dependency Graph team.

lseppala avatar Apr 11 '23 21:04 lseppala
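As an added illustration (not code from this thread or from GitHub's tooling) of how the submitted snapshot explains the alert: walk the resolved graph from the direct dependencies and report every chain ending at the exact groupId:artifactId pair, which is what separates org.yaml:snakeyaml from org.snakeyaml:snakeyaml-engine. The sample snapshot, and every version in it other than snakeyaml 1.33, are constructed assumptions.

```python
from typing import Dict, List

# Constructed sample in the shape of the snapshot quoted above. Versions other
# than snakeyaml 1.33 (stated in the thread) are assumptions for illustration.
JACKSON = "pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml@2.14.2?type=jar"
ENGINE = "pkg:maven/org.snakeyaml/snakeyaml-engine@2.6?type=jar"
SNAKEYAML = "pkg:maven/org.yaml/snakeyaml@1.33?type=jar"
RESOLVED: Dict[str, dict] = {
    JACKSON: {"package_url": JACKSON, "relationship": "direct",
              "scope": "runtime", "dependencies": [SNAKEYAML]},
    ENGINE: {"package_url": ENGINE, "relationship": "direct", "scope": "runtime"},
    SNAKEYAML: {"package_url": SNAKEYAML, "relationship": "indirect", "scope": "runtime"},
}

def maven_coords(purl: str) -> tuple:
    """Split a Maven purl into (groupId, artifactId, version)."""
    body = purl.split("pkg:maven/", 1)[1].split("?", 1)[0]
    group, rest = body.split("/", 1)
    artifact, version = rest.split("@", 1)
    return group, artifact, version

def find_paths(resolved: Dict[str, dict], group: str, artifact: str) -> List[List[str]]:
    """Every chain direct dep -> ... -> node whose groupId AND artifactId match.
    Matching both keeps org.yaml:snakeyaml distinct from org.snakeyaml:snakeyaml-engine."""
    paths: List[List[str]] = []

    def walk(purl: str, chain: List[str]) -> None:
        chain = chain + [purl]
        if maven_coords(purl)[:2] == (group, artifact):
            paths.append(chain)
        for child in resolved.get(purl, {}).get("dependencies", []):
            if child not in chain:  # guard against cyclic snapshots
                walk(child, chain)

    for purl, node in resolved.items():
        if node.get("relationship") == "direct":
            walk(purl, [])
    return paths

def explain(resolved: Dict[str, dict], group: str, artifact: str) -> str:
    """Readable origin of an alerted package: the view the last comments ask for."""
    paths = find_paths(resolved, group, artifact)
    if not paths:
        return f"{group}:{artifact} is not in the resolved snapshot"
    return "\n".join(" -> ".join(f"{g}:{a}@{v}" for g, a, v in map(maven_coords, p))
                     for p in paths)
```

Running `explain(RESOLVED, "org.yaml", "snakeyaml")` on the sample yields the chain through jackson-dataformat-yaml, while the same query for org.yaml:snakeyaml-engine finds nothing, because the groupId does not match.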