
Failed to identify some JS components

[Open] toron22 opened this issue 2 years ago • 7 comments

What could be the reason for failing to identify CPE and CVE for such JS components as 'jsoneditor 9.5.5' and 'jspdf 1.5.3'? Both these components have known CPEs and CVEs. The versions 6.x and 7.1.0 of the Dependency check were used.

We've got a vulnerability report created by Sonatype tool for the released project from one of our clients and this report contains CVEs for those components. It is how we discovered that we missed them in our scans with Dependency check tool.

Thanks.

toron22 · May 06 '22 20:05

Are these listed as dependencies? eg in package lock file ... we can only guess

mprins · May 07 '22 06:05

Yes, those components are listed as dependencies, but with no CPE identified and therefore with Evidence and CVE counts equal to zero.

toron22 · May 07 '22 20:05

Do you have a sample project that can demonstrate this?

jeremylong · May 08 '22 11:05

Thanks Jeremy for getting back to me.

Our project is very large and comprehensive. But the project deployment has a separate folder containing the 'jsoneditor' component. So, I've tried using this folder as the source for an ODC scan and got the same result as for the full scan of our project deployment. But as I've mentioned before, the Sonatype scan provided by our client for the same deployment revealed the known vulnerability for that component.

The attached is the folder with this component copied from our deployment and the result ODC report for that folder.

jsoneditor.zip

dependency-check-report.zip

toron22 · May 09 '22 01:05

That is likely the issue - you are scanning the project deployment, not the build. Dependency-check is really designed, for most supported technology stacks, to scan the build files. While some data may be extracted from the dependencies themselves - most of the time ODC looks for things like the package.json and package-lock.json.

jeremylong · May 09 '22 09:05
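A small pre-flight check for the point made above, added here as an example and not code from the issue or from the ODC project: it walks the directory you intend to scan, finds every package-lock.json, flags lock files whose sibling node_modules directory is missing (the condition behind the "[WARN] ... node_modules directory does not exist" message quoted later in this thread), and lists the packages each lock file declares, so you can confirm that components such as jsoneditor are actually in scope before running dependency-check. The directory layout and lock-file contents in the test are constructed.

```python
"""Pre-flight check for the manifests dependency-check relies on (added example)."""
import json
import os
from typing import Dict, List


def declared_packages(lock_path: str) -> Dict[str, str]:
    """Return {name: version} from a package-lock.json (lockfileVersion 1, 2 or 3)."""
    with open(lock_path, encoding="utf-8") as fh:
        lock = json.load(fh)
    found: Dict[str, str] = {}
    # lockfileVersion 2/3: "packages" keyed by path, e.g. "node_modules/jsoneditor";
    # the "" entry is the root project itself and is skipped.
    for path, meta in lock.get("packages", {}).items():
        if path and "version" in meta:
            found[path.rsplit("node_modules/", 1)[-1]] = meta["version"]
    # lockfileVersion 1 (and the v2 compatibility block): "dependencies" keyed by name
    for name, meta in lock.get("dependencies", {}).items():
        found.setdefault(name, meta.get("version", "?"))
    return found


def preflight(root: str) -> List[dict]:
    """One report entry per package-lock.json found under root."""
    reports = []
    for dirpath, _dirs, files in os.walk(root):
        if "package-lock.json" not in files:
            continue
        lock_path = os.path.join(dirpath, "package-lock.json")
        reports.append({
            "lock": lock_path,
            "has_package_json": "package.json" in files,
            # ODC warns when this is False: run `npm install` first
            "has_node_modules": os.path.isdir(os.path.join(dirpath, "node_modules")),
            "packages": declared_packages(lock_path),
        })
    return reports


if __name__ == "__main__":
    import sys
    for entry in preflight(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(entry["lock"], "node_modules:", entry["has_node_modules"],
              sorted(entry["packages"]))
```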

Hi Jeremy,

I've run the scan of our build instead of deployment, but still the CPE and CVE have not been identified for those components.

Besides the folder with the installed component 'jsoneditor', the build contains the ZIP file 'jsoneditor-9.5.5.zip' for that component downloaded from the vendor. So, for that zip there was the following CMD message while running the scan:

"[WARN] Analyzing <component allocation folder>\jsoneditor\jsoneditor-9.5.5.zip\jsoneditor-9.5.5\package-lock.json - however, the node_modules directory does not exist. Please run npm install prior to running dependency-check".

I've run the 'npm install --package-lock' and re-scanned the build but it didn't help to get a known vulnerability for that component.

Thanks.

toron22 · May 10 '22 17:05

Does npm audit identify the vulnerable component?

jeremylong · Jun 28 '22 09:06