
False Positive due to missing "AND/OR" capabilities defined in the NVD data feed

Open sauljabin opened this issue 5 years ago • 14 comments

Hello community.

  • Dependencies (gradle with mavenCentral):

    • org.springframework.security:spring-security-config:5.1.4.RELEASE
    • org.springframework.security:spring-security-web:5.1.4.RELEASE
    • org.springframework.security:spring-security-core:5.1.4.RELEASE
  • cpe:2.3:a:pivotal_software:spring_security:5.1.4:*:*:*:*:*:*:* NVD link

  • CVE-2018-1258 NVD link

According to https://pivotal.io/security/cve-2018-1258 this was fixed in the 5.0.6.RELEASE version.

Original dependency check output:

spring-security-web-5.1.4.RELEASE.jar (pkg:maven/org.springframework.security/[email protected], cpe:2.3:a:pivotal_s
oftware:spring_security:5.1.4:*:*:*:*:*:*:*) : CVE-2018-1258                                                                        
spring-security-config-5.1.4.RELEASE.jar (pkg:maven/org.springframework.security/[email protected], cpe:2.3:a:piv
otal_software:spring_security:5.1.4:*:*:*:*:*:*:*) : CVE-2018-1258                                                                  
spring-security-core-5.1.4.RELEASE.jar (pkg:maven/org.springframework.security/[email protected], cpe:2.3:a:pivotal
_software:spring_security:5.1.4:*:*:*:*:*:*:*) : CVE-2018-1258                                                                      

Actual spring frameworks version for this project (gradle output):

+--- org.springframework.boot:spring-boot-starter-web -> 2.1.3.RELEASE                                                              
|    +--- org.springframework.boot:spring-boot-starter:2.1.3.RELEASE                                                                
|    |    +--- org.springframework.boot:spring-boot:2.1.3.RELEASE                                                                   
|    |    |    +--- org.springframework:spring-core:5.1.5.RELEASE                                                                   
|    |    |    |    \--- org.springframework:spring-jcl:5.1.5.RELEASE                                                               
|    |    |    \--- org.springframework:spring-context:5.1.5.RELEASE                                                                
|    |    |         +--- org.springframework:spring-aop:5.1.5.RELEASE                                                               
|    |    |         |    +--- org.springframework:spring-beans:5.1.5.RELEASE                                                        
|    |    |         |    |    \--- org.springframework:spring-core:5.1.5.RELEASE (*)                                                
|    |    |         |    \--- org.springframework:spring-core:5.1.5.RELEASE (*)                                                     
|    |    |         +--- org.springframework:spring-beans:5.1.5.RELEASE (*)                                                         
|    |    |         +--- org.springframework:spring-core:5.1.5.RELEASE (*)                                                          
|    |    |         \--- org.springframework:spring-expression:5.1.5.RELEASE                                                        
|    |    |              \--- org.springframework:spring-core:5.1.5.RELEASE (*)  
+--- org.springframework.boot:spring-boot-starter-security -> 2.1.3.RELEASE
|    +--- org.springframework.boot:spring-boot-starter:2.1.3.RELEASE (*)
|    +--- org.springframework:spring-aop:5.1.5.RELEASE (*)
|    +--- org.springframework.security:spring-security-config:5.1.4.RELEASE
|    |    +--- org.springframework.security:spring-security-core:5.1.4.RELEASE
|    |    |    +--- org.springframework:spring-aop:5.1.5.RELEASE (*)
|    |    |    +--- org.springframework:spring-beans:5.1.5.RELEASE (*)
|    |    |    +--- org.springframework:spring-context:5.1.5.RELEASE (*)
|    |    |    +--- org.springframework:spring-core:5.1.5.RELEASE (*)
|    |    |    \--- org.springframework:spring-expression:5.1.5.RELEASE (*)
|    |    +--- org.springframework:spring-aop:5.1.5.RELEASE (*)
|    |    +--- org.springframework:spring-beans:5.1.5.RELEASE (*)
|    |    +--- org.springframework:spring-context:5.1.5.RELEASE (*)
|    |    \--- org.springframework:spring-core:5.1.5.RELEASE (*)
|    \--- org.springframework.security:spring-security-web:5.1.4.RELEASE
|         +--- org.springframework.security:spring-security-core:5.1.4.RELEASE (*)
|         +--- org.springframework:spring-aop:5.1.5.RELEASE (*)
|         +--- org.springframework:spring-beans:5.1.5.RELEASE (*)
|         +--- org.springframework:spring-context:5.1.5.RELEASE (*)
|         +--- org.springframework:spring-core:5.1.5.RELEASE (*)
|         +--- org.springframework:spring-expression:5.1.5.RELEASE (*)
|         \--- org.springframework:spring-web:5.1.5.RELEASE (*)

sauljabin avatar Mar 27 '19 22:03 sauljabin

We have this issue as well on Spring Boot 2.1.3

mjeffrey avatar Mar 28 '19 12:03 mjeffrey

As far as I understand it from https://nvd.nist.gov/vuln/detail/CVE-2018-1258 you are affected if you are using both of these dependencies:

cpe:2.3:a:pivotal_software:spring_framework:5.0.5:*:*:*:*:*:*:*
cpe:2.3:a:pivotal_software:spring_security:*:*:*:*:*:*:*:*

For us it apparently matches on the spring_security one. We have spring_framework as a dependency, but that shouldn't match as it is a later version (5.1.5).

rohte avatar Mar 28 '19 12:03 rohte

I get spring-security-core-5.1.5.RELEASE.jar (cpe:/a:pivotal_software:spring_security:5.1.5, org.springframework.security:spring-security-core:5.1.5.RELEASE) : CVE-2018-1258 despite using spring 5.1.6.RELEASE and spring security 5.1.5.RELEASE.

THausherr avatar Apr 03 '19 12:04 THausherr

Also, according to the Pivotal website, this affects the 5.x version only: https://pivotal.io/security/cve-2018-1258. However, it is flagging 4.x as vulnerable with this CVE.

"The bug is present only in Spring Framework 5.0.5.RELEASE. If the application does not use Spring Framework 5.0.5.RELEASE then it is not impacted. The bug does not impact any Spring Framework 4.x versions or any other versions of Spring Framework."

sechawk avatar Apr 03 '19 20:04 sechawk

I think this is happening because CveDB.parseCpes(DefCveItem cve) is flattening all the CPEs for a given CVE without consideration for the operator:

    private List<VulnerableSoftware> parseCpes(DefCveItem cve) throws CpeValidationException {
        final List<VulnerableSoftware> software = new ArrayList<>();
        final List<DefCpeMatch> cpeEntries = cve.getConfigurations().getNodes().stream()
                .collect(new NodeFlatteningCollector())
                .collect(new CpeMatchStreamCollector())
                .filter(predicate -> predicate.getCpe23Uri().startsWith(cpeStartsWithFilter))
                //this single CPE entry causes nearly 100% FP - so filtering it at the source.
                .filter(entry -> !("CVE-2009-0754".equals(cve.getCve().getCVEDataMeta().getId())
                && "cpe:2.3:a:apache:apache:*:*:*:*:*:*:*:*".equals(entry.getCpe23Uri())))
                .collect(Collectors.toList());
        final VulnerableSoftwareBuilder builder = new VulnerableSoftwareBuilder();

Then, during scanning, dependency-check takes each CPE and looks for any matching CVEs. I suppose the "right" way to do this is to ask, for each CVE, whether any CpeMatch matches the set of CPEs found during scanning. However, that would be pretty inefficient, and scan time would be correlated to the total number of CVEs that exist.

I see for CVE-2009-0754, a CPE is filtered from the list. Would it be reasonable to do the same thing here for cpe:2.3:a:pivotal_software:spring_security:*:*:*:*:*:*:*:*? You would still get an FP if you were using Spring Framework 5.0.5 without Spring Security, but that is better than an FP for every single Spring Security version.

tompiscitell avatar Apr 04 '19 14:04 tompiscitell

The reason these are getting flagged is because we rely on the NVD data. If you look here:

https://nvd.nist.gov/vuln/detail/CVE-2018-1258 https://nvd.nist.gov/vuln/detail/CVE-2018-1258/cpes?expandCpeRanges=true

You can see that they have some inaccurate data that is causing the inaccurate matches. They have listed cpe:2.3:a:pivotal_software:spring_security:*:*:*:*:*:*:*:* which will flag all versions of Spring Security.

jeremylong avatar Apr 19 '19 20:04 jeremylong

Actually, after taking a second look, the issue is that ODC does not utilize the AND capabilities within the NVD. This might take a while to resolve.

In the meantime I would suggest creating a suppression rule for the vulnerability.

jeremylong avatar Apr 19 '19 20:04 jeremylong

Was about to raise a false positive report when I came across this. If it's useful for later, there's a basic reproducing Spring Boot project here.

Would really be great to get support for the AND capabilities - the false positives from the plugin have really been coming down lately; this is the only one we have left :-)

chadlwilson avatar Jul 22 '19 01:07 chadlwilson

NVD format

When taking CVE-2018-1258 as an example, we are getting this JSON describing the CVE:

CVE fetched as JSON
{
	"cve": {
		"data_type": "CVE",
		"data_format": "MITRE",
		"data_version": "4.0",
		"CVE_data_meta": {
			"ID": "CVE-2018-1258",
			"ASSIGNER": "[email protected]"
		},
		"problemtype": {
			"problemtype_data": [
				{
					"description": [
						{
							"lang": "en",
							"value": "CWE-863"
						}
					]
				}
			]
		},
		"references": {
			"reference_data": [
				{
					"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html",
					"name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html",
					"refsource": "CONFIRM",
					"tags": [
						"Patch",
						"Third Party Advisory"
					]
				},
				{
					"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
					"name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
					"refsource": "CONFIRM",
					"tags": [
						"Patch",
						"Third Party Advisory"
					]
				},
				{
					"url": "http://www.securityfocus.com/bid/104222",
					"name": "104222",
					"refsource": "BID",
					"tags": [
						"Third Party Advisory",
						"VDB Entry"
					]
				},
				{
					"url": "http://www.securitytracker.com/id/1041888",
					"name": "1041888",
					"refsource": "SECTRACK",
					"tags": [
						"Third Party Advisory",
						"VDB Entry"
					]
				},
				{
					"url": "http://www.securitytracker.com/id/1041896",
					"name": "1041896",
					"refsource": "SECTRACK",
					"tags": [
						"Third Party Advisory",
						"VDB Entry"
					]
				},
				{
					"url": "https://access.redhat.com/errata/RHSA-2019:2413",
					"name": "RHSA-2019:2413",
					"refsource": "REDHAT",
					"tags": []
				},
				{
					"url": "https://pivotal.io/security/cve-2018-1258",
					"name": "https://pivotal.io/security/cve-2018-1258",
					"refsource": "CONFIRM",
					"tags": [
						"Vendor Advisory"
					]
				},
				{
					"url": "https://security.netapp.com/advisory/ntap-20181018-0002/",
					"name": "https://security.netapp.com/advisory/ntap-20181018-0002/",
					"refsource": "CONFIRM",
					"tags": [
						"Third Party Advisory"
					]
				},
				{
					"url": "https://www.oracle.com/security-alerts/cpuapr2020.html",
					"name": "N/A",
					"refsource": "N/A",
					"tags": []
				},
				{
					"url": "https://www.oracle.com/security-alerts/cpujan2020.html",
					"name": "https://www.oracle.com/security-alerts/cpujan2020.html",
					"refsource": "MISC",
					"tags": []
				},
				{
					"url": "https://www.oracle.com/security-alerts/cpujan2021.html",
					"name": "https://www.oracle.com/security-alerts/cpujan2021.html",
					"refsource": "MISC",
					"tags": []
				},
				{
					"url": "https://www.oracle.com/security-alerts/cpujul2020.html",
					"name": "https://www.oracle.com/security-alerts/cpujul2020.html",
					"refsource": "MISC",
					"tags": []
				},
				{
					"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
					"name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
					"refsource": "MISC",
					"tags": [
						"Patch",
						"Third Party Advisory"
					]
				},
				{
					"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
					"name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
					"refsource": "CONFIRM",
					"tags": [
						"Patch",
						"Third Party Advisory"
					]
				},
				{
					"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
					"name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
					"refsource": "MISC",
					"tags": []
				}
			]
		},
		"description": {
			"description_data": [
				{
					"lang": "en",
					"value": "Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted."
				}
			]
		}
	},
	"configurations": {
		"CVE_data_version": "4.0",
		"nodes": [
			{
				"operator": "AND",
				"cpe_match": [
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:pivotal_software:spring_framework:5.0.5:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:pivotal_software:spring_security:*:*:*:*:*:*:*:*"
					}
				]
			},
			{
				"operator": "OR",
				"cpe_match": [
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:agile_plm:9.3.4:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:application_testing_suite:10.1:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:big_data_discovery:1.6.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:*",
						"versionEndExcluding": "7.0.0.1"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*",
						"versionEndExcluding": "8.3"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:communications_performance_intelligence_center:*:*:*:*:*:*:*:*",
						"versionEndExcluding": "10.2.1"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:*",
						"versionEndExcluding": "6.1.0.4.0"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.1.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:enterprise_manager_for_mysql_database:13.2:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:enterprise_repository:12.1.3.0.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:goldengate_for_big_data:12.2.0.1:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:goldengate_for_big_data:12.3.1.1:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:goldengate_for_big_data:12.3.2.1:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:health_sciences_information_manager:3.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:healthcare_master_person_index:3.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:healthcare_master_person_index:4.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:insurance_calculation_engine:10.1.1:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:insurance_calculation_engine:10.2:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:insurance_calculation_engine:10.2.1:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:insurance_policy_administration:10.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:insurance_policy_administration:10.1:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:insurance_policy_administration:10.2:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:insurance_policy_administration:11.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:insurance_rules_palette:10.1:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:insurance_rules_palette:11.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:insurance_rules_palette:11.1:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:micros_lucas:2.9.5:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*",
						"versionEndIncluding": "8.0.2.8191"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:peoplesoft_enterprise_fin_install:9.2:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:retail_assortment_planning:14.1:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:retail_assortment_planning:15.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:retail_assortment_planning:16.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:retail_central_office:14.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:retail_financial_integration:13.2:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:retail_financial_integration:14.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:retail_financial_integration:14.1:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:retail_financial_integration:15.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:retail_financial_integration:16.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:retail_integration_bus:14.1.2:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:retail_point-of-service:14.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.1.3.0.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.2.2.0.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:tape_library_acsls:8.4:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:weblogic_server:10.3.6.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:weblogic_server:12.1.3.0:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:weblogic_server:12.2.1.2:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:*"
					}
				]
			},
			{
				"operator": "OR",
				"cpe_match": [
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:windows:*:*",
						"versionStartIncluding": "7.3"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:vsphere:*:*",
						"versionStartIncluding": "9.4"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*"
					},
					{
						"vulnerable": true,
						"cpe23Uri": "cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:*"
					}
				]
			}
		]
	},
	"impact": {
		"baseMetricV3": {
			"cvssV3": {
				"version": "3.0",
				"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
				"attackVector": "NETWORK",
				"attackComplexity": "LOW",
				"privilegesRequired": "LOW",
				"userInteraction": "NONE",
				"scope": "UNCHANGED",
				"confidentialityImpact": "HIGH",
				"integrityImpact": "HIGH",
				"availabilityImpact": "HIGH",
				"baseScore": 8.8,
				"baseSeverity": "HIGH"
			},
			"exploitabilityScore": 2.8,
			"impactScore": 5.9
		},
		"baseMetricV2": {
			"cvssV2": {
				"version": "2.0",
				"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
				"accessVector": "NETWORK",
				"accessComplexity": "LOW",
				"authentication": "SINGLE",
				"confidentialityImpact": "PARTIAL",
				"integrityImpact": "PARTIAL",
				"availabilityImpact": "PARTIAL",
				"baseScore": 6.5
			},
			"severity": "MEDIUM",
			"exploitabilityScore": 8.0,
			"impactScore": 6.4,
			"acInsufInfo": false,
			"obtainAllPrivilege": false,
			"obtainUserPrivilege": false,
			"obtainOtherPrivilege": false,
			"userInteractionRequired": false
		}
	},
	"publishedDate": "2018-05-11T20:29Z",
	"lastModifiedDate": "2021-01-20T15:15Z"
}

Response processing

This snippet is parsed as a DefCveItem in NvdCveParser.parse(File file). Class DefNode, a sub-class of DefCveItem, holds the operator field with the value "AND". After being parsed, the CVE database is updated with the following instruction: cveDB.updateVulnerability(cve, mapper.getEcosystem(cve));.

CveDB.updateVulnerability(DefCveItem cve, String baseEcosystem) parses a DefCveItem and maps it to a List<VulnerableSoftware> by calling CveDB.parseCpes(DefCveItem cve).

When converted to a VulnerableSoftware, we lose the "AND" condition, as stated by @tompiscitell. To keep it, could we add a List<VulnerableSoftware> requiredThirdParties field to VulnerableSoftware so we have the condition during the analysis?

A unit test written to understand the output of CveDB.parseCpes(DefCveItem cve)
package org.owasp.dependencycheck.data.nvdcve;

import java.util.Arrays;
import java.util.List;

import org.junit.Test;
import org.owasp.dependencycheck.data.nvd.json.CVEDataMeta;
import org.owasp.dependencycheck.data.nvd.json.CVEJSON40Min11;
import org.owasp.dependencycheck.data.nvd.json.DefConfigurations;
import org.owasp.dependencycheck.data.nvd.json.DefCpeMatch;
import org.owasp.dependencycheck.data.nvd.json.DefCveItem;
import org.owasp.dependencycheck.data.nvd.json.DefNode;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
import org.owasp.dependencycheck.utils.Settings;

import us.springett.parsers.cpe.exceptions.CpeValidationException;

public class CveDBTest {

  @Test
  public void test() throws CpeValidationException {
    // Given
    Settings settings = new Settings();
    CveDB db = new CveDB(settings);

    DefCpeMatch cpeMatch11 = new DefCpeMatch();
    cpeMatch11.setVulnerable(true);
    cpeMatch11.setCpe23Uri("cpe:2.3:a:pivotal_software:spring_framework:5.0.5:*:*:*:*:*:*:*");

    DefCpeMatch cpeMatch12 = new DefCpeMatch();
    cpeMatch12.setVulnerable(true);
    cpeMatch12.setCpe23Uri("cpe:2.3:a:pivotal_software:spring_security:*:*:*:*:*:*:*:*");

    List<DefCpeMatch> cpeMatches1 = Arrays.asList(cpeMatch11, cpeMatch12);

    DefNode node1 = new DefNode();
    node1.setOperator("AND");
    node1.setCpeMatch(cpeMatches1);

    DefCpeMatch cpeMatch21 = new DefCpeMatch();
    cpeMatch21.setVulnerable(true);
    cpeMatch21.setCpe23Uri("cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*");

    DefCpeMatch cpeMatch22 = new DefCpeMatch();
    cpeMatch22.setVulnerable(true);
    cpeMatch22.setCpe23Uri("cpe:2.3:a:oracle:agile_plm:9.3.4:*:*:*:*:*:*:*");

    List<DefCpeMatch> cpeMatches2 = Arrays.asList(cpeMatch21, cpeMatch22);

    DefNode node2 = new DefNode();
    node2.setOperator("OR");
    node2.setCpeMatch(cpeMatches2);

    List<DefNode> nodes = Arrays.asList(node1, node2);
    DefConfigurations configurations = new DefConfigurations();
    configurations.setNodes(nodes);

    CVEDataMeta metadata = new CVEDataMeta();
    metadata.setId("CVE-2018-1258");

    CVEJSON40Min11 cveMin = new CVEJSON40Min11();
    cveMin.setCVEDataMeta(metadata);

    DefCveItem cve = new DefCveItem();
    cve.setCve(cveMin);
    cve.setConfigurations(configurations);

    // When
    List<VulnerableSoftware> output = db.parseCpes(cve);
  }

}

This unit test shows we are losing the association between these two Spring dependencies. parseCpes() must be set to package protected to make it work. Setting a breakpoint at the end of the test helps to see what we are currently getting after the CVE is parsed.

Analysis phase

A change in the response processing part does not look to be enough if we want to be able to identify a vulnerability with an "AND" condition. The analysis happens in NvdCveAnalyzer.analyzeDependency(Dependency dependency, Engine engine). This method is requested by the parent AbstractAnalyzer class.

An analyzer is called by AnalysisTask.call(), itself called by Engine.getAnalysisTasks(Analyzer analyzer, List<Throwable> exceptions). This last method streams over each dependency and launches an analysis task.

To identify an "AND" condition, we must have some knowledge about the other dependencies currently used by the application. When looking at the data model of a Dependency, it contains Set<Dependency> relatedDependencies. It may be a solution (I have not yet looked at how it is set) but I fear it will not be enough to clearly identify these types of vulnerabilities. I'm afraid we need all the dependencies of the application. Further analysis should be done on this.

If the maintainers already have an idea about how it could be solved, I will gladly take any help and guidance. :slightly_smiling_face:

nhumblot avatar Mar 20 '21 23:03 nhumblot

The entire set of dependencies used by the application is contained at the Engine level. If we had the and/or relationships stored, processing them would not be that difficult (for the most part). One thing to note: in some cases the AND/OR capabilities in the NVD data define components at other layers (more specifically, the OS level). Dependency-check currently filters out, by default, any CPEs that are not application CPEs.

I've had other higher priority issues so I haven't tackled this one yet. PRs are always welcome.

jeremylong avatar Mar 21 '21 15:03 jeremylong

Thank you for your answer. I'm open to volunteering on this issue and trying to submit a PR if it is seen as a low priority on your side. I prefer to work on low priority issues so I can take my time to get familiarized with the code base. :slightly_smiling_face:

nhumblot avatar Mar 21 '21 16:03 nhumblot

This issue doesn't seem to reproduce for me any more on the latest version of the plugin which is currently 6.5.0.

jeanpetric avatar Dec 10 '21 09:12 jeanpetric

I can still reproduce it (CVE-2018-1258), but only with aggregated dependencies and not with direct ones. Example: packaging war files with e.g. spring-security-core or spring-security-oauth2-resource-server as dependencies. Plugin version 7.1.0.

ssg-mkunz avatar May 30 '22 14:05 ssg-mkunz

Dependency check will not report all the dependencies of the component.

For example: when I scan the artifacts, dependency check reports spring-beans as vulnerable for a CVE; later, when I fix this and scan again, it reports spring-web for the same CVE.

I need a solution for this so that in a single scan I get the list of all the vulnerable Spring Framework dependency components.

Bhumikabrathod avatar Jul 05 '22 08:07 Bhumikabrathod