DependencyCheck
[FP]: bcprov-jdk14-136 flagged with cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.54:*:*:*:*:*:*:*
Package URL
pkg:maven/bouncycastle/bcprov-jdk14@136
CPE
cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.54:*:*:*:*:*:*:*
CVE
CVE-2016-2427
ODC Integration
CLI
ODC Version
7.1.1
Description
Maven package with the following coordinates:
<groupId>bouncycastle</groupId>
<artifactId>bcprov-jdk14</artifactId>
<version>136</version>
is being detected as cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.54:*:*:*:*:*:*:*
which leads to CVE-2016-2427 being detected mistakenly.
Thank you.
Maven Coordinates
<dependency>
    <groupId>bouncycastle</groupId>
    <artifactId>bcprov-jdk14</artifactId>
    <version>136</version>
</dependency>
Suppression rule:
<suppress base="true">
    <notes><![CDATA[
    FP per issue #4816
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/bouncycastle/bcprov-jdk14@.*$</packageUrl>
    <cpe>cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/2993916335
In this project we decided to not micromanage projects that release as a whole and are tracked by a single CPE at NIST NVD. This means that the bouncy-castle java projects (mirrored at https://github.com/bcgit/bc-java) are not micro-managed for the assignment of CVEs to their individual subcomponents by us.
The CPE assignment is valid.
In any case I would recommend you try to upgrade to a recent version of the bouncycastle libraries (at 1.71 by now, with an updated location in Maven Central):
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk14</artifactId>
    <version>1.71</version>
</dependency>
Hi @aikebah,
Thanks for your answer.
OK for the micromanagement strategy, but here, as far as I understand, it is a version misdetection (the product and vendor parts of the CPE are correct).
The Maven package version is 136, which I assume is related to the following CPE: cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.36:*:*:*:*:*:*:*
but the Dependency Check assigns it to the following CPE: cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.54:*:*:*:*:*:*:*
so this is a matter of 154 vs 136.
Regards,
Well it's not exactly the version mix-up you mention.
As you can see in the report (section of the identifiers) DependencyCheck assigns the library not to cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.54:*:*:*:*:*:*:* but to cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:*:*:*:*:*:*:*:*
That is: any version of legion-of-the-bouncy-castle-java-crytography-api, which explains why it (wrongfully) also matches version 1.54
So the issue at hand is rooted in that it's not assigning any version to the package, rather than the wrong version.
As the coordinates used for the library in your dependency are outdated, and the current bcprov-jdk14 uses proper versions that are in sync with the version referenced in their communication, I don't want to add a hack to patch out the use of the non-dotted <version> x 100 in the older binaries of bouncycastle.
Update the bcprov coordinates (by exclusion and addition as a direct dependency when it's transitive) to org.bouncycastle:bcprov-jdk14 and you'll get proper version alignment for free, in addition to a security-patched bouncycastle provider for Java 1.4 and higher (though it's beyond me why anyone would want to stay at the jdk14 edition of this and not upgrade to the jdk8on edition of it).
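The two points made in this thread, why a wildcard-version CPE identifier matches CVE-2016-2427's affected version 1.54 although the artifact is really 1.36, and whether the suppression rule from the issue body would actually apply to the flagged package, can be checked offline with the following added example. This is illustrative Python written for this page, not DependencyCheck's own code: its CPE matching and suppression logic are a simplified model (wildcard `*` means ANY; a suppression `<cpe>` element is treated as a prefix match against the dependency's CPE URI), the `<suppressions>` wrapper is written without the real schema namespace, and the `legacy_bc_version` mapping of `136` to `1.36` is an assumption taken from the thread's description of the old "version x 100" coordinates.

```python
"""Illustrative model (not DependencyCheck code) of CPE wildcard matching and
suppression-rule evaluation for the bcprov-jdk14@136 false positive."""
import re
import xml.etree.ElementTree as ET

# Suppression rule copied from the issue body, wrapped in a <suppressions>
# root. Assumption: namespace omitted to keep parsing simple.
SUPPRESSION_XML = """<suppressions>
  <suppress base="true">
    <notes><![CDATA[ FP per issue #4816 ]]></notes>
    <packageUrl regex="true">^pkg:maven/bouncycastle/bcprov-jdk14@.*$</packageUrl>
    <cpe>cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api</cpe>
  </suppress>
</suppressions>"""

FLAGGED_PURL = "pkg:maven/bouncycastle/bcprov-jdk14@136"
# CPE DependencyCheck actually assigned (wildcard version) and the CPE the CVE is filed against.
ASSIGNED = "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:*:*:*:*:*:*:*:*"
VULNERABLE = "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.54:*:*:*:*:*:*:*"

CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its eleven named components."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def cpe_matches(identifier: str, vulnerable: str) -> bool:
    """Simplified matching: every component is equal, or '*' (ANY) on either side."""
    a, b = parse_cpe23(identifier), parse_cpe23(vulnerable)
    return all(a[k] == "*" or b[k] == "*" or a[k] == b[k] for k in CPE_FIELDS)


def with_version(cpe23: str, version: str) -> str:
    """Return the same CPE 2.3 string with the version component replaced."""
    parts = cpe23.split(":")
    parts[5] = version  # index 5 is the version field
    return ":".join(parts)


def legacy_bc_version(raw: str) -> str:
    """Assumption from the thread: legacy bouncycastle coordinates used the
    release number x 100 without a dot, so '136' -> '1.36'. Anything else passes through."""
    if re.fullmatch(r"\d{3}", raw):
        return f"{raw[0]}.{raw[1:]}"
    return raw


def to_cpe22_prefix(cpe23: str) -> str:
    """Reduce a CPE 2.3 string to the 'cpe:/part:vendor:product' URI form that
    the <cpe> element of a suppression rule is written in."""
    c = parse_cpe23(cpe23)
    return f"cpe:/{c['part']}:{c['vendor']}:{c['product']}"


def suppressed(xml_text: str, purl: str, cpe23: str) -> bool:
    """Model of rule evaluation: the packageUrl (regex or literal) must match the
    dependency's PURL, and one <cpe> entry must be a prefix of the dependency's CPE."""
    root = ET.fromstring(xml_text)
    rules = [root] if root.tag == "suppress" else root.findall("suppress")
    for rule in rules:
        purl_el = rule.find("packageUrl")
        if purl_el is not None:
            pattern = purl_el.text.strip()
            if purl_el.get("regex", "false") == "true":
                if not re.fullmatch(pattern, purl):
                    continue
            elif pattern != purl:
                continue
        for cpe_el in rule.findall("cpe"):
            if to_cpe22_prefix(cpe23).startswith(cpe_el.text.strip()):
                return True
    return False


def demo() -> dict:
    """Reproduce the thread's reasoning and report each intermediate result."""
    corrected = with_version(ASSIGNED, legacy_bc_version("136"))
    return {
        "wildcard_matches_1_54": cpe_matches(ASSIGNED, VULNERABLE),      # True: '*' matches any version
        "corrected_cpe": corrected,
        "corrected_matches_1_54": cpe_matches(corrected, VULNERABLE),    # False: 1.36 != 1.54
        "rule_suppresses_flagged": suppressed(SUPPRESSION_XML, FLAGGED_PURL, ASSIGNED),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints that the wildcard identifier matches the 1.54 CPE while the version-corrected one does not, and that the suppression rule applies to the legacy `pkg:maven/bouncycastle/...` coordinates only; a PURL under `org.bouncycastle` does not match the rule's regex, which is what you want once the dependency is moved to the current coordinates.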