
Maven Plugin is failing the build on the basis of CvssV3 score

Open Anshu2405 opened this issue 5 years ago • 4 comments

Describe the bug: Maven Plugin 5.3.0 is failing the maven build w.r.t. the CvssV3 score instead of the CvssV2 score.

Version of dependency-check used: 5.3.0

Log file:

```
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0':
[ERROR]
[ERROR] spring-security-core-4.2.0.RELEASE.jar: CVE-2018-1258, CVE-2017-4995, CVE-2016-9879, CVE-2019-11272
[ERROR] spring-core-4.3.4.RELEASE.jar: CVE-2018-1272, CVE-2018-1275, CVE-2016-9878, CVE-2018-1270, CVE-2018-15756
```

To reproduce (steps to reproduce the behavior):

  1. Add the dependency below to pom.xml:

     ```xml
     <dependency>
       <groupId>org.springframework.security</groupId>
       <artifactId>spring-security-core</artifactId>
       <version>4.2.0.RELEASE</version>
     </dependency>
     ```

  2. Run `org.owasp:dependency-check-maven:5.3.0:check -DfailBuildOnCVSS="7" -Dformat="JSON"` on the maven project.

Expected behavior: I assumed failBuildOnCVSS would consider only the CVSSv2 score for failing the build, like older dependency-check versions. But in the above example, the build failed due to the CVSSv3 score.

How can I make the plugin consider only a specific scoring system for failing the build?

Anshu2405 avatar Feb 06 '20 12:02 Anshu2405

One of the issues is that we may not even have a CVSS score - if the vulnerability comes from OSS, NPM, RetireJS, etc. At the moment - we check all available scores and estimate a CVSS score based off of "unscored" ratings (high, medium, low). I have not looked to ensure that in every case we have a CVSSv3 we also have a CVSSv2.

jeremylong avatar Feb 10 '20 12:02 jeremylong

@jeremylong ,

Can you please add a new parameter to distinguish which CVSS score should be considered for failing the build? For example: `-DfailBuildOnCVSS="7_cvssv2"` or `"7_cvssv3"`. It would be really helpful, as in the current use case we are not able to figure out why the build has failed. We can ignore the unscored vulnerabilities where we don't have a CVSS score.

Anshu2405 avatar Mar 26 '20 15:03 Anshu2405

Any update on this?

Anshu2405 avatar Apr 17 '20 03:04 Anshu2405

In the method checkForFailure, scores for CVSS v2 or v3 are indeed mixed when checking, when both are present.

Maybe we could add a kind of priority in such a case (none (default) / CVSSv2 / CVSSv3)?

See here: https://github.com/jeremylong/DependencyCheck/blob/v6.5.1/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java#L2431..L2467

ghusta avatar Dec 22 '21 16:12 ghusta
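To make the mixed-score behaviour discussed in the issue and the priority idea above concrete, here is an added Python sketch (not dependency-check's own code) that evaluates a `failBuildOnCVSS`-style threshold over a JSON report with a selectable priority of none / CVSSv2 / CVSSv3, and reports which scoring system tripped the threshold for each finding. The report fragment, the `cvssv2.score` / `cvssv3.baseScore` key names, the CVE ids and the unscored-severity estimates are constructed assumptions, not values taken from the project's schema.

```python
import json

# Constructed sample shaped like a dependency-check JSON report (-Dformat=JSON);
# the cvssv2.score / cvssv3.baseScore key names are an assumption, not verified
# against the project's schema, and the finding ids are placeholders.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"fileName": "spring-security-core-4.2.0.RELEASE.jar", "vulnerabilities": [
        {"name": "CVE-EXAMPLE-0001", "cvssv2": {"score": 5.0}, "cvssv3": {"baseScore": 7.5}},
        {"name": "CVE-EXAMPLE-0002", "cvssv2": {"score": 7.5}, "cvssv3": {"baseScore": 8.8}},
    ]},
    # Finding from a source with no CVSS vector at all, only a severity label.
    {"fileName": "retirejs-only.js", "vulnerabilities": [
        {"name": "UNSCORED-0003", "severity": "high"},
    ]},
]})

# Assumed estimate for unscored findings (illustrative, not the project's table).
UNSCORED_ESTIMATE = {"critical": 9.0, "high": 7.0, "medium": 5.0, "low": 2.0}


def effective_score(vuln, priority="none"):
    """Return (score, source) for one finding under the chosen priority.
    "none" mimics the mixed check (highest available score wins, unscored
    findings estimated); "cvssv2"/"cvssv3" use only that system and return
    (None, None) when the finding has no such score, so it is ignored."""
    v2 = vuln.get("cvssv2", {}).get("score")
    v3 = vuln.get("cvssv3", {}).get("baseScore")
    if priority == "cvssv2":
        return (v2, "cvssv2") if v2 is not None else (None, None)
    if priority == "cvssv3":
        return (v3, "cvssv3") if v3 is not None else (None, None)
    scored = [(s, n) for s, n in ((v2, "cvssv2"), (v3, "cvssv3")) if s is not None]
    if scored:
        return max(scored)  # highest score, with its source name
    estimate = UNSCORED_ESTIMATE.get((vuln.get("severity") or "").lower())
    return (estimate, "unscored") if estimate is not None else (None, None)


def check_for_failure(report_json, threshold, priority="none"):
    """List (dependency, finding, score, source) for each finding >= threshold."""
    failures = []
    for dep in json.loads(report_json).get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            score, source = effective_score(vuln, priority)
            if score is not None and score >= threshold:
                failures.append((dep["fileName"], vuln["name"], score, source))
    return failures


if __name__ == "__main__":
    for priority in ("none", "cvssv2", "cvssv3"):
        print(priority, check_for_failure(SAMPLE_REPORT, 7.0, priority))
```

With the mixed default, CVE-EXAMPLE-0001 fails the 7.0 threshold only because of its CVSSv3 score, which is exactly the situation the reporter could not diagnose from the plugin's log line.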