DependencyCheck
[FP]: CVE-2023-4759 org.eclipse.jgit@6.7.0.202309050840-r
Package URL
pkg:maven/org.eclipse.jgit/org.eclipse.jgit@6.7.0.202309050840-r
CPE
cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* versions from (including) 6.7.0; versions up to (excluding) 6.7.0.202309050840
cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* versions from (including) 6.6.0; versions up to (excluding) 6.6.1.202309021850
CVE
CVE-2023-4759
ODC Integration
None
ODC Version
8.4.0
Description
According to the CVE description "The issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r". The CPE states versions from (including) 6.7.0; versions up to (excluding) 6.7.0.202309050840. So maybe the fact that the CPE states to include 6.7.0 is triggering the FP. Or maybe it's because the excluded version does not have the -r at the end (like the version of the Maven artifact does).
Maven Coordinates
<dependency>
    <groupId>org.eclipse.jgit</groupId>
    <artifactId>org.eclipse.jgit</artifactId>
    <version>6.7.0.202309050840-r</version>
</dependency>
Suppression rule:
<suppress base="true">
    <notes><![CDATA[
    FP per issue #5943
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.eclipse\.jgit/org\.eclipse\.jgit@.*$</packageUrl>
    <cpe>cpe:/a:eclipse:jgit</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/6238507857
Maven Coordinates
<dependency>
    <groupId>org.eclipse.jgit</groupId>
    <artifactId>org.eclipse.jgit</artifactId>
    <version>6.7.0.202309050840-r</version>
</dependency>
Suppression rule:
<suppress base="true">
    <notes><![CDATA[
    FP per issue #5943
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.eclipse\.jgit/org\.eclipse\.jgit@.*$</packageUrl>
    <cpe>cpe:/a:eclipse:jgit</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/6238518590
Maven Coordinates
<dependency>
    <groupId>org.eclipse.jgit</groupId>
    <artifactId>org.eclipse.jgit</artifactId>
    <version>6.7.0.202309050840-r</version>
</dependency>
Suppression rule:
<suppress base="true">
    <notes><![CDATA[
    FP per issue #5943
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.eclipse\.jgit/org\.eclipse\.jgit@.*$</packageUrl>
    <cpe>cpe:/a:eclipse:jgit</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/6238514672
Thanks for raising this @barchetta - I was also looking for guidance from the OWASP Dep Check team as to whether this is essentially due to the way NVD have tagged the affected versions. There are also false negatives here, as all jGit versions prior to 6.6.1 are also affected, but the current mapping doesn't reflect that.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4759
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11
cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* From (including) 6.6.0 | Up to (excluding) 6.6.1.202309021850
cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* From (including) 6.7.0 | Up to (excluding) 6.7.0.202309050840
While this is definitely a false positive, it seems like it's just an NVD confusion about the date version suffixes (there will not be a 6.7.0.OTHERDATE-r) and they should update to
cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* Up to (excluding) 6.6.1
I believe then it will go away in OWASP Dep check even though it sees the maven version as 6.7.0.202309050840-r. I'll try contacting them to ask them to re-check it.
I suppose it is still a bit strange here that 202309021850-r seems to be considered less than 202309021850 when parsing the version string. In other words, if 6.7.0.202309021850-r > 6.7.0 (affected!), it seems odd that 6.7.0.202309021850-r is not also greater than 6.7.0.202309021850 (implying now not affected).
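To make the ordering question above concrete, here is an added example (not DependencyCheck's code, not the thread author's, and not a claim about how DependencyCheck's comparator is actually implemented). It parses the thread's version strings and evaluates the two NVD ranges under two candidate orderings: one that treats a trailing qualifier such as "-r" as a pre-release marker (SemVer/Maven style, where 1.0.0-alpha sorts before 1.0.0), and one that ignores the qualifier entirely. The pre-release ordering reproduces the false positive exactly as the thread describes it, and the suggested "up to (excluding) 6.6.1" range clears it under either ordering. The version "6.5.0.123-r" used in the test is a constructed sample, not a real JGit release.

```python
import re

# Version strings as they appear in the thread: JGit's Maven versions carry
# a trailing "-r" qualifier, the NVD CPE range bounds do not.
MAVEN_VERSION = "6.7.0.202309050840-r"
NVD_RANGE_6_7 = ("6.7.0", "6.7.0.202309050840")  # from (incl.), up to (excl.)
NVD_RANGE_6_6 = ("6.6.0", "6.6.1.202309021850")
SUGGESTED_RANGE = (None, "6.6.1")               # no lower bound, up to (excl.)

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-([0-9A-Za-z]+))?")


def parse_version(text):
    """Split '6.7.0.202309050840-r' into ([6, 7, 0, 202309050840], 'r')."""
    m = _VERSION_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"unsupported version string: {text!r}")
    numbers = [int(part) for part in m.group(1).split(".")]
    return numbers, m.group(2)


def _compare_numbers(a, b):
    # Python compares lists element-wise; a longer list with an equal prefix
    # sorts after the shorter one, so 6.7.0.202309050840 > 6.7.0.
    return (a > b) - (a < b)


def cmp_qualifier_as_prerelease(a, b):
    """SemVer/Maven-style ordering: a qualifier sorts *before* the bare
    numeric version (1.0.0-alpha < 1.0.0), hence X-r < X."""
    na, qa = parse_version(a)
    nb, qb = parse_version(b)
    if na != nb:
        return _compare_numbers(na, nb)
    if qa == qb:
        return 0
    if qa is None:  # a is the bare release, b carries a qualifier: a > b
        return 1
    if qb is None:
        return -1
    return (qa > qb) - (qa < qb)


def cmp_qualifier_ignored(a, b):
    """Alternative ordering: the qualifier is a release marker with no
    ordering significance, hence X-r == X."""
    return _compare_numbers(parse_version(a)[0], parse_version(b)[0])


def in_range(version, bounds, cmp):
    """True if start (inclusive) <= version < end (exclusive).
    A start of None means 'any version below end'."""
    start, end = bounds
    if start is not None and cmp(version, start) < 0:
        return False
    return cmp(version, end) < 0


def is_flagged(version, ranges, cmp):
    """A dependency is flagged when its version falls in any affected range."""
    return any(in_range(version, r, cmp) for r in ranges)


if __name__ == "__main__":
    ranges = [NVD_RANGE_6_6, NVD_RANGE_6_7]
    for name, cmp in (("qualifier = pre-release", cmp_qualifier_as_prerelease),
                      ("qualifier ignored", cmp_qualifier_ignored)):
        print(f"{name:24s} NVD ranges -> flagged: {is_flagged(MAVEN_VERSION, ranges, cmp)}")
        print(f"{name:24s} '< 6.6.1'  -> flagged: {is_flagged(MAVEN_VERSION, [SUGGESTED_RANGE], cmp)}")
```

Under the pre-release ordering the Maven version is above the inclusive lower bound 6.7.0 (the extra date component makes it longer) but below the exclusive upper bound 6.7.0.202309050840 (same digits, but "-r" sorts first), which is precisely the "greater than one, not greater than the other" outcome questioned in the comment above.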
Hi, I assume it's the same issue for
<dependency>
    <groupId>org.eclipse.jgit</groupId>
    <artifactId>org.eclipse.jgit.ssh.jsch</artifactId>
    <version>6.7.0.202309050840-r</version>
</dependency>
which is considered as having the same CVE-2023-4759.
Because the "suppress" proposed by the bot doesn't work for this one, I suggest this one:
--EDIT-- Added version 6.7.x to avoid suppressing the CVE for older versions (good!), but it won't work for future versions (sick!); let's hope NVD will correct this :pray:
<suppress base="true">
    <notes>
        <![CDATA[ FP per issue #5943 ]]>
    </notes>
    <packageUrl regex="true">^pkg:maven/org\.eclipse\.jgit/org\.eclipse\.jgit(\.[\w]*)*@6\.7\..*$</packageUrl>
    <cve>CVE-2023-4759</cve>
</suppress>
It works for everything under jgit (like ...eclipse.jgit.ssh.jsch). I used <cve> instead of <cpe> because I don't want to suppress "too much", but I could be wrong about that :thinking: Feel free to correct me on this!
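As an added check (not part of the thread, and not DependencyCheck's own matching code), the two <packageUrl> regexes from the comments above can be run against a handful of package URLs to see exactly what each one suppresses. The bot's pattern only matches the core org.eclipse.jgit artifact, at any version; the version-scoped pattern also matches sibling artifacts such as org.eclipse.jgit.ssh.jsch but stops matching at 6.8.x, which is the "won't work for future versions" trade-off the comment describes. The purls with versions 6.5.0.0-r and the 6.8.x ssh.jsch entry are constructed sample inputs, not release coordinates taken from the page.

```python
import re

# <packageUrl> regexes exactly as they appear in the two suppression rules above.
BOT_REGEX = r"^pkg:maven/org\.eclipse\.jgit/org\.eclipse\.jgit@.*$"
SCOPED_REGEX = r"^pkg:maven/org\.eclipse\.jgit/org\.eclipse\.jgit(\.[\w]*)*@6\.7\..*$"

# Constructed sample purls: the two artifacts named in the thread plus an
# older and a newer version to show how each pattern scopes by version.
SAMPLE_PURLS = [
    "pkg:maven/org.eclipse.jgit/org.eclipse.jgit@6.7.0.202309050840-r",
    "pkg:maven/org.eclipse.jgit/org.eclipse.jgit.ssh.jsch@6.7.0.202309050840-r",
    "pkg:maven/org.eclipse.jgit/org.eclipse.jgit@6.5.0.0-r",                     # constructed
    "pkg:maven/org.eclipse.jgit/org.eclipse.jgit@6.8.0.202311291450-r",
    "pkg:maven/org.eclipse.jgit/org.eclipse.jgit.ssh.jsch@6.8.0.202311291450-r",  # constructed
]


def suppressed_by(regex, purls):
    """Return the purls a suppression rule's <packageUrl regex="true"> would match.
    re.match anchors at the start; the patterns themselves carry ^ and $."""
    pattern = re.compile(regex)
    return [p for p in purls if pattern.match(p)]


def compare_scopes(purls):
    """Map each purl to the set of rule names whose regex matches it, so the
    gap between the two rules is visible at a glance."""
    rules = {"bot": BOT_REGEX, "scoped": SCOPED_REGEX}
    return {p: {name for name, rx in rules.items() if re.match(rx, p)} for p in purls}


if __name__ == "__main__":
    for purl, names in compare_scopes(SAMPLE_PURLS).items():
        print(f"{purl:75s} {sorted(names) or ['(not suppressed)']}")
```

Scoping the rule by <cve> rather than <cpe> narrows it further: a <cpe> suppression would hide every vulnerability NVD ever ties to cpe:/a:eclipse:jgit for the matched purls, whereas the <cve> form hides only CVE-2023-4759.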
Yeah, probably the same.
I’ve been trying to get NVD to change the CPE versions but they seemed to misunderstand and update it to something even worse (and incorrect). Have tried again earlier today.
I haven't had a reply yet from NIST NVD, sadly.
In any case, for what it's worth, upgrading to the recently released JGit 6.8.0.202311291450-r will make this FP go away. https://projects.eclipse.org/projects/technology.jgit/releases/6.8.0
Thank you for the heads up 🙏 I'll upgrade jgit then!