
[FP]: Multiple CVEs reported against camel-activemq

Open mpreziuso opened this issue 3 years ago • 3 comments

Package URL

pkg:maven/org.apache.camel/camel-activemq@3.18.0

CPE

cpe:2.3:a:apache:activemq:3.18.0:*:*:*:*:*:*:*, cpe:2.3:a:apache:camel:3.18.0:*:*:*:*:*:*:*

CVE

Multiple

ODC Integration

CLI

ODC Version

7.1.1

Description

This is a tricky one I think...

Apache Camel is an open source integration framework that empowers you to quickly and easily integrate various systems consuming or producing data.

The dependency I include is camel-activemq@3.18.0, but I think all the above CVEs, when they refer to client-side vulnerabilities, apply to activemq-camel/client, which from what I can see are still transitive dependencies; however, the version that is imported is 5.17.1, which should not be vulnerable according to the CPEs for each CVE.

So it looks like there are multiple issues at play here:

  1. Both server and client CVEs are matched against the client
  2. CVEs that could apply to activemq-camel/client (which is on version 5.x.x) are flagged for camel-activemq (which is on version 3.x.x)
  3. If it is flagging these CVEs against the transitive dependency, it is matching those CVEs against the wrong version (e.g. I have 5.17.1 installed and the CVE is for up to 5.6.0)

mpreziuso avatar Aug 01 '22 19:08 mpreziuso

Maven Coordinates

<dependency>
   <groupId>org.apache.camel</groupId>
   <artifactId>camel-activemq</artifactId>
   <version>3.18.0</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #4721
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.apache\.camel/camel-activemq@.*$</packageUrl>
   <cpe>cpe:/a:apache:activemq</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/2777399716

github-actions[bot] avatar Aug 01 '22 19:08 github-actions[bot]

Maven Coordinates

<dependency>
   <groupId>org.apache.camel</groupId>
   <artifactId>camel-activemq</artifactId>
   <version>3.18.0</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #4721
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.apache\.camel/camel-activemq@.*$</packageUrl>
   <cpe>cpe:/a:apache:activemq</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/2777400660

github-actions[bot] avatar Aug 01 '22 19:08 github-actions[bot]

It's not as tricky as you think; dependency-check is well prepared to handle the case of activemq being a transitive dependency of a library falsely identified as being part of activemq.

The suppression as suggested (suppression of the apache activemq CPE on this library) is fully appropriate. The transitive dependencies towards activemq libraries will be found and assessed by dependency-check on their own merits (using the proper version of activemq (5.17.1) to evaluate against the vulnerable version range). If any CVEs still apply to ActiveMQ 5.17.1 they will be reported (dependency-check does distinguish between the client- and server-side of activeMQ, as there is only a single CPE for both within the NIST NVD, so server-side issues can be expected to be reported when only using the client-side libraries).

aikebah avatar Aug 02 '22 22:08 aikebah
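To illustrate how the suppression rule in this thread is meant to behave (an example written for this page, not dependency-check's own code), the following Python evaluates a rule against the two CPEs reported above. It assumes the `cpe` element matches as a prefix of the identified CPE after reducing the 2.3 form to `cpe:/part:vendor:product:version`, and uses a constructed transitive purl for activemq-client.

```python
import re
import xml.etree.ElementTree as ET

# Constructed suppressions file carrying the rule proposed in this issue.
SUPPRESSIONS_XML = r"""
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress base="true">
    <notes><![CDATA[ FP per issue #4721 ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.camel/camel-activemq@.*$</packageUrl>
    <cpe>cpe:/a:apache:activemq</cpe>
  </suppress>
</suppressions>
"""


def parse_rules(xml_text):
    """Return each <suppress> entry as a dict (namespace-agnostic lookup)."""
    root = ET.fromstring(xml_text.strip())
    rules = []
    for sup in root.findall("{*}suppress"):
        purl = sup.find("{*}packageUrl")
        rules.append({
            "purl": purl.text.strip(),
            "purl_regex": purl.get("regex", "false") == "true",
            "cpes": [c.text.strip() for c in sup.findall("{*}cpe")],
        })
    return rules


def cpe23_to_22(cpe23):
    """Reduce a CPE 2.3 string to cpe:/part:vendor:product:version
    (simplified conversion; an assumption of this example)."""
    part, vendor, product, version = cpe23.split(":")[2:6]
    return f"cpe:/{part}:{vendor}:{product}:{version}"


def is_suppressed(rules, package_url, cpe23):
    """True when a rule matches both the packageUrl and the identified CPE.
    The cpe element is treated as a prefix match (assumption, see lead-in)."""
    cpe22 = cpe23_to_22(cpe23)
    for rule in rules:
        if rule["purl_regex"]:
            if not re.match(rule["purl"], package_url):
                continue
        elif rule["purl"] != package_url:
            continue
        if any(cpe22.startswith(prefix) for prefix in rule["cpes"]):
            return True
    return False
```

With this rule, the activemq CPE is dropped for camel-activemq, the camel CPE on the same artifact is kept, and a transitive activemq artifact is untouched, so its own findings still surface.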

Hi @aikebah, thanks for the information.

Does this mean this can/should be put into a release? If so, when do you think this could be done?

Thanks

mpreziuso avatar Sep 26 '22 13:09 mpreziuso

@mpreziuso yes, thanks for pinging me on this. Will try to get it in our hosted suppressions file.

approved

aikebah avatar Oct 07 '22 20:10 aikebah

Suppress rule has been added to the generatedSuppressions branch.

github-actions[bot] avatar Oct 07 '22 20:10 github-actions[bot]