DependencyCheck
Suppressing on CPE with a star symbol in the path
I'm attempting to suppress some warnings about C#-related packages that gRPC lists in its test/ and examples/ directories.
I'm trying to do this with a combination of <filePath> and <cpe> conditions, which work in other cases, but not here. I think this is because there is a * in the path.
The CPE, as reported in the HTML and XML reports, is: cpe:2.3:a:*:Grpc.Core.Api:__GRPC_NUGET_VERSION_\_:*:*:*:*:*:*:*
I've tried a lot of variations, including some with `
- cpe:2.3:a:*:Grpc.Core.Api:__GRPC_NUGET_VERSION_\_ (and without the mysterious escaping slash)
- cpe:/a:*:Grpc.Core.Api:__GRPC_NUGET_VERSION__
- cpe:/a:\*:Grpc.Core.Api:__GRPC_NUGET_VERSION__
What would be the correct way to match with a star symbol?
Thanks.
Did you include the regex="true" attribute?
<cpe regex="true">^cpe:/a:\*:Grpc.Core.Api:__GRPC_NUGET_VERSION__.*$</cpe>
I did in some cases. I tried your suggestion just now but the vulnerabilities still end up in the report, even if I make the regex broader (<cpe regex="true">^cpe:/a:.*$</cpe>).
Could this be a bug?
Btw, I know the filePath is correct because the vulns are being suppressed if I use <vulnerabilityName regex="true">.*</vulnerabilityName>
Here is the XML of the vulnerabilities for the gRPC C# package:
<vulnerabilities>
<vulnerability source="OSSINDEX">
<name>CVE-2017-7860</name>
<severity>CRITICAL</severity>
<cvssV3>
<baseScore>9.8</baseScore>
<attackVector>N</attackVector>
<attackComplexity>L</attackComplexity>
<privilegesRequired>N</privilegesRequired>
<userInteraction>N</userInteraction>
<scope>U</scope>
<confidentialityImpact>H</confidentialityImpact>
<integrityImpact>H</integrityImpact>
<availabilityImpact>H</availabilityImpact>
<baseSeverity>CRITICAL</baseSeverity>
</cvssV3>
<description>Google gRPC before 2017-02-22 has an out-of-bounds write caused by a heap-based buffer overflow related to the parse_unix function in core/ext/client_channel/parse_address.c.</description>
<references>
<reference>
<source>OSSINDEX</source>
<url>https://ossindex.sonatype.org/vulnerability/b6cb17ab-ceb9-4cf8-abf7-8a28671e6db8?component-type=nuget&component-name=Grpc&utm_source=dependency-check&utm_medium=integration&utm_content=6.2.2</url>
<name>[CVE-2017-7860] Google gRPC before 2017-02-22 has an out-of-bounds write caused by a heap-based ...</name>
</reference>
</references>
<vulnerableSoftware>
<software vulnerabilityIdMatched="true">cpe:2.3:a:*:Grpc:__GRPC_NUGET_VERSION_\_:*:*:*:*:*:*:*</software>
</vulnerableSoftware>
</vulnerability>
<vulnerability source="OSSINDEX">
<name>CVE-2017-7861</name>
<severity>CRITICAL</severity>
<cvssV3>
<baseScore>9.8</baseScore>
<attackVector>N</attackVector>
<attackComplexity>L</attackComplexity>
<privilegesRequired>N</privilegesRequired>
<userInteraction>N</userInteraction>
<scope>U</scope>
<confidentialityImpact>H</confidentialityImpact>
<integrityImpact>H</integrityImpact>
<availabilityImpact>H</availabilityImpact>
<baseSeverity>CRITICAL</baseSeverity>
</cvssV3>
<description>Google gRPC before 2017-02-22 has an out-of-bounds write related to the gpr_free function in core/lib/support/alloc.c.</description>
<references>
<reference>
<source>OSSINDEX</source>
<url>https://ossindex.sonatype.org/vulnerability/f443da74-47c7-4ef1-acd2-35cda3f1c434?component-type=nuget&component-name=Grpc&utm_source=dependency-check&utm_medium=integration&utm_content=6.2.2</url>
<name>[CVE-2017-7861] Google gRPC before 2017-02-22 has an out-of-bounds write related to the gpr&#95;free...</name>
</reference>
</references>
<vulnerableSoftware>
<software vulnerabilityIdMatched="true">cpe:2.3:a:*:Grpc:__GRPC_NUGET_VERSION_\_:*:*:*:*:*:*:*</software>
</vulnerableSoftware>
</vulnerability>
<vulnerability source="OSSINDEX">
<name>CVE-2017-8359</name>
<severity>CRITICAL</severity>
<cvssV3>
<baseScore>9.8</baseScore>
<attackVector>N</attackVector>
<attackComplexity>L</attackComplexity>
<privilegesRequired>N</privilegesRequired>
<userInteraction>N</userInteraction>
<scope>U</scope>
<confidentialityImpact>H</confidentialityImpact>
<integrityImpact>H</integrityImpact>
<availabilityImpact>H</availabilityImpact>
<baseSeverity>CRITICAL</baseSeverity>
</cvssV3>
<description>Google gRPC before 2017-03-29 has an out-of-bounds write caused by a heap-based use-after-free related to the grpc_call_destroy function in core/lib/surface/call.c.</description>
<references>
<reference>
<source>OSSINDEX</source>
<url>https://ossindex.sonatype.org/vulnerability/c93233a1-ad49-409e-b308-2d84e2c2511b?component-type=nuget&component-name=Grpc&utm_source=dependency-check&utm_medium=integration&utm_content=6.2.2</url>
<name>[CVE-2017-8359] Google gRPC before 2017-03-29 has an out-of-bounds write caused by a heap-based ...</name>
</reference>
</references>
<vulnerableSoftware>
<software vulnerabilityIdMatched="true">cpe:2.3:a:*:Grpc:__GRPC_NUGET_VERSION_\_:*:*:*:*:*:*:*</software>
</vulnerableSoftware>
</vulnerability>
<vulnerability source="OSSINDEX">
<name>CVE-2017-9431</name>
<severity>CRITICAL</severity>
<cvssV3>
<baseScore>9.8</baseScore>
<attackVector>N</attackVector>
<attackComplexity>L</attackComplexity>
<privilegesRequired>N</privilegesRequired>
<userInteraction>N</userInteraction>
<scope>U</scope>
<confidentialityImpact>H</confidentialityImpact>
<integrityImpact>H</integrityImpact>
<availabilityImpact>H</availabilityImpact>
<baseSeverity>CRITICAL</baseSeverity>
</cvssV3>
<description>Google gRPC before 2017-04-05 has an out-of-bounds write caused by a heap-based buffer overflow related to core/lib/iomgr/error.c.</description>
<references>
<reference>
<source>OSSINDEX</source>
<url>https://ossindex.sonatype.org/vulnerability/8b1195b9-f8e9-42a3-afe9-17e9b84aea8b?component-type=nuget&component-name=Grpc&utm_source=dependency-check&utm_medium=integration&utm_content=6.2.2</url>
<name>[CVE-2017-9431] Google gRPC before 2017-04-05 has an out-of-bounds write caused by a heap-based ...</name>
</reference>
</references>
<vulnerableSoftware>
<software vulnerabilityIdMatched="true">cpe:2.3:a:*:Grpc:__GRPC_NUGET_VERSION_\_:*:*:*:*:*:*:*</software>
</vulnerableSoftware>
</vulnerability>
<vulnerability source="OSSINDEX">
<name>CVE-2020-7768</name>
<severity>HIGH</severity>
<cvssV3>
<baseScore>7.5</baseScore>
<attackVector>N</attackVector>
<attackComplexity>L</attackComplexity>
<privilegesRequired>N</privilegesRequired>
<userInteraction>N</userInteraction>
<scope>U</scope>
<confidentialityImpact>N</confidentialityImpact>
<integrityImpact>N</integrityImpact>
<availabilityImpact>H</availabilityImpact>
<baseSeverity>HIGH</baseSeverity>
</cvssV3>
<description>The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.</description>
<references>
<reference>
<source>OSSINDEX</source>
<url>https://ossindex.sonatype.org/vulnerability/31202fc2-39b9-45ab-a56a-c8adc55526fc?component-type=nuget&component-name=Grpc&utm_source=dependency-check&utm_medium=integration&utm_content=6.2.2</url>
<name>[CVE-2020-7768] The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulne...</name>
</reference>
</references>
<vulnerableSoftware>
<software vulnerabilityIdMatched="true">cpe:2.3:a:*:Grpc:__GRPC_NUGET_VERSION_\_:*:*:*:*:*:*:*</software>
</vulnerableSoftware>
</vulnerability>
</vulnerabilities>
@jeremylong my gut feel would be that it's because the CPE is coming from Sonatype OSSINDEX rather than NVD streams (NVD uses cpe:/a:grpc:grpc). Could it be that cpe suppression only works if the CPE source is NVD data?
Sorry, just circling back through old questions. If this is still a problem, can you provide the Package URL from the HTML report?
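To separate a pattern mistake from the identifier-source question raised in the last two replies, here is an added example (not DependencyCheck's own code) that evaluates the <cpe>/<filePath> patterns from this thread against the identifier strings the XML report prints. It is a simplified stand-in for the matcher: regex="true" is treated as a whole-string match, the file path is constructed, and the reported CPEs are assumed to carry a plain `__` rather than the `_\_` that markdown rendering produced.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of the published DependencyCheck suppression schema.
NS = "{https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd}"

# Constructed suppression file. Rule 1 uses the cpe:2.3 prefix the report
# prints and escapes the literal star; rule 2 is the cpe:/a: URI form from
# the thread; rule 3 forgets to escape the star, so "a:*" means "a" plus
# zero or more colons and the literal "*" in the identifier is never matched.
SUPPRESSIONS_XML = rf"""
<suppressions xmlns="{NS[1:-1]}">
  <suppress>
    <notes>2.3 prefix, star escaped</notes>
    <filePath regex="true">.*[/\\](test|examples)[/\\].*</filePath>
    <cpe regex="true">^cpe:2\.3:a:\*:Grpc(\.Core\.Api)?:.*$</cpe>
  </suppress>
  <suppress>
    <notes>2.2 URI form</notes>
    <filePath regex="true">.*[/\\](test|examples)[/\\].*</filePath>
    <cpe regex="true">^cpe:/a:\*:Grpc.Core.Api:__GRPC_NUGET_VERSION__.*$</cpe>
  </suppress>
  <suppress>
    <notes>star not escaped</notes>
    <filePath regex="true">.*[/\\](test|examples)[/\\].*</filePath>
    <cpe regex="true">^cpe:2\.3:a:*:Grpc.*$</cpe>
  </suppress>
</suppressions>
"""

# Identifiers as printed in the thread's report (assumed plain "__" suffix).
REPORTED_CPES = [
    "cpe:2.3:a:*:Grpc:__GRPC_NUGET_VERSION__:*:*:*:*:*:*:*",
    "cpe:2.3:a:*:Grpc.Core.Api:__GRPC_NUGET_VERSION__:*:*:*:*:*:*:*",
]
# Constructed dependency path under gRPC's examples/ tree.
EXAMPLE_PATH = "/build/grpc/examples/csharp/Greeter/packages.config"


def _matches(elem, value):
    """One condition: whole-string regex if regex="true", else exact compare."""
    if elem is None:
        return True  # a missing condition imposes no constraint
    if elem.get("regex", "false").lower() == "true":
        return re.fullmatch(elem.text.strip(), value) is not None
    return elem.text.strip() == value


def suppressed_by(xml_text, file_path, cpe):
    """Return the <notes> of every <suppress> rule whose conditions all hold."""
    root = ET.fromstring(xml_text)
    return [rule.findtext(f"{NS}notes") for rule in root.findall(f"{NS}suppress")
            if _matches(rule.find(f"{NS}filePath"), file_path)
            and _matches(rule.find(f"{NS}cpe"), cpe)]
```

Only the rule with the escaped star and the cpe:2.3 prefix matches the reported strings; since a broadened pattern still did not suppress in the thread, the remaining difference lies in which identifier the OSS Index findings are attached to, which is what the Package URL question is about.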