Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FP]: pkg:npm/[email protected] #6300

Open
JoergHeinicke5005 opened this issue Dec 14, 2023 · 5 comments
Open

[FP]: pkg:npm/[email protected] #6300

JoergHeinicke5005 opened this issue Dec 14, 2023 · 5 comments
Labels
bug

Comments

@JoergHeinicke5005
Copy link
Contributor

Package URl

pkg:npm/[email protected]

CPE

cpe:2.3:a:mongodb:mongodb:5.9.2:*:*:*:*:*:*:*

CVE

CVE-2014-8180

ODC Integration

{"label"=>"Gradle Plugin"}

ODC Version

9.0.5

Description

Dependency Check pulls out the extremely old CVE-2014-8180 (which seems to be applicable to running mongod on some RedHat) and matches it to the mongodb driver for Node.js. Not sure, what exactly has changed, but the NVD website doesn't report any recent change on the entry (last change in 2017). The CVE has not been reported before, i.e., in particular with NVD data feed. Also, it's not always being reported but only occasionally, so behavior seems somewhat non-deterministic.

Is it something which can be suppressed globally or do we have to do it locally?
@github-actions GitHub Actions
Copy link
Contributor

Npm Coordinates

npm -i [email protected]

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6300
   ]]></notes>
   <packageUrl regex="true">^pkg:npm/mongodb@.*$</packageUrl>
   <cpe>cpe:/a:mongodb:mongodb</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/7209083854

@github-actions github-actions bot added the npm label Dec 14, 2023
@JoergHeinicke5005 JoergHeinicke5005 changed the title [FP]: [FP]: pkg:npm/[email protected] Dec 14, 2023
@github-actions GitHub Actions
Copy link
Contributor

Npm Coordinates

npm -i [email protected]

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6300
   ]]></notes>
   <packageUrl regex="true">^pkg:npm/mongodb@.*$</packageUrl>
   <cpe>cpe:/a:mongodb:mongodb</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/7212097877

@aikebah aikebah added bug and removed FP Report labels Dec 21, 2023
@aikebah
Copy link
Collaborator

aikebah commented Dec 21, 2023

Something buggy going on with the ecosystem.

v8.4.3: All mongodb:mongodb CPE entries are linked to ecosystem native
v9.0.x: Some mongodb:mongodb CPE entries are still linked to ecosystem native, but many also at null

@aikebah
Copy link
Collaborator

aikebah commented Dec 21, 2023

Promoting from FP report to bug

@aikebah
Copy link
Collaborator

aikebah commented Dec 21, 2023

CPEs for 9.x:

112074,a,mongodb,mongodb,*,*,*,*,*,*,*,*,native
112075,a,mongodb,mongodb,1.2.0,*,*,*,*,*,*,*,
112076,a,mongodb,mongodb,1.4.0,*,*,*,*,*,*,*,
112077,a,mongodb,mongodb,1.6.0,*,*,*,*,*,*,*,
112078,a,mongodb,mongodb,1.8.0,*,*,*,*,*,*,*,
112079,a,mongodb,mongodb,2.0.0,*,*,*,*,*,*,*,
112080,a,mongodb,mongodb,2.0.1,*,*,*,*,*,*,*,
112081,a,mongodb,mongodb,2.0.2,*,*,*,*,*,*,*,
112082,a,mongodb,mongodb,2.0.3,*,*,*,*,*,*,*,
112083,a,mongodb,mongodb,2.0.4,*,*,*,*,*,*,*,
112084,a,mongodb,mongodb,2.0.5,*,*,*,*,*,*,*,
112085,a,mongodb,mongodb,2.0.6,*,*,*,*,*,*,*,
112086,a,mongodb,mongodb,2.0.7,*,*,*,*,*,*,*,
112087,a,mongodb,mongodb,2.0.8,*,*,*,*,*,*,*,
112088,a,mongodb,mongodb,2.2.0,*,*,*,*,*,*,*,
112089,a,mongodb,mongodb,2.2.1,*,*,*,*,*,*,*,
112090,a,mongodb,mongodb,2.2.2,*,*,*,*,*,*,*,
112091,a,mongodb,mongodb,2.2.3,*,*,*,*,*,*,*,
112092,a,mongodb,mongodb,2.2.4,*,*,*,*,*,*,*,
112093,a,mongodb,mongodb,2.2.5,*,*,*,*,*,*,*,
112094,a,mongodb,mongodb,2.2.6,*,*,*,*,*,*,*,
112095,a,mongodb,mongodb,2.2.7,*,*,*,*,*,*,*,
112096,a,mongodb,mongodb,2.3.0,*,*,*,*,*,*,*,
118001,a,mongodb,mongodb,2.4.0,*,*,*,*,*,*,*,native
118002,a,mongodb,mongodb,2.4.1,*,*,*,*,*,*,*,native
118003,a,mongodb,mongodb,2.4.2,*,*,*,*,*,*,*,native
118004,a,mongodb,mongodb,2.4.3,*,*,*,*,*,*,*,native
118005,a,mongodb,mongodb,2.4.4,*,*,*,*,*,*,*,native
118006,a,mongodb,mongodb,2.5.0,*,*,*,*,*,*,*,
119498,a,mongodb,mongodb,2.4.5,*,*,*,*,*,*,*,
122881,a,mongodb,mongodb,2.6.0,*,*,*,*,*,*,*,native
122882,a,mongodb,mongodb,2.6.1,*,*,*,*,*,*,*,native
122883,a,mongodb,mongodb,2.6.2,*,*,*,*,*,*,*,
122884,a,mongodb,mongodb,2.6.3,*,*,*,*,*,*,*,
122885,a,mongodb,mongodb,2.6.4,*,*,*,*,*,*,*,
122886,a,mongodb,mongodb,2.6.5,*,*,*,*,*,*,*,
122887,a,mongodb,mongodb,2.6.6,*,*,*,*,*,*,*,
122888,a,mongodb,mongodb,2.6.7,*,*,*,*,*,*,*,
167264,a,mongodb,mongodb,-,*,*,*,*,*,*,*,native
172025,a,mongodb,mongodb,1.7.0,*,*,*,*,*,*,*,native
192188,a,mongodb,mongodb,*,*,*,*,enterprise,*,*,*,native
210050,a,mongodb,mongodb,4.4.0,rc1,*,*,*,*,*,*,native
210051,a,mongodb,mongodb,4.4.0,rc10,*,*,*,*,*,*,native
210052,a,mongodb,mongodb,4.4.0,rc11,*,*,*,*,*,*,native
210053,a,mongodb,mongodb,4.4.0,rc2,*,*,*,*,*,*,native
210054,a,mongodb,mongodb,4.4.0,rc3,*,*,*,*,*,*,native
210055,a,mongodb,mongodb,4.4.0,rc4,*,*,*,*,*,*,native
210056,a,mongodb,mongodb,4.4.0,rc5,*,*,*,*,*,*,native
210057,a,mongodb,mongodb,4.4.0,rc6,*,*,*,*,*,*,native
210058,a,mongodb,mongodb,4.4.0,rc7,*,*,*,*,*,*,native
210059,a,mongodb,mongodb,4.4.0,rc8,*,*,*,*,*,*,native
210060,a,mongodb,mongodb,4.4.0,rc9,*,*,*,*,*,*,native
224613,a,mongodb,mongodb,*,*,*,*,*,visual_studio_code,*,*,native

CPEs for 8.4.3:

106668,a,mongodb,mongodb,2.6.7,*,*,*,*,*,*,*,native
106669,a,mongodb,mongodb,2.6.2,*,*,*,*,*,*,*,native
106670,a,mongodb,mongodb,2.6.1,*,*,*,*,*,*,*,native
106671,a,mongodb,mongodb,2.6.4,*,*,*,*,*,*,*,native
106672,a,mongodb,mongodb,2.6.5,*,*,*,*,*,*,*,native
106673,a,mongodb,mongodb,2.6.6,*,*,*,*,*,*,*,native
106674,a,mongodb,mongodb,2.6.3,*,*,*,*,*,*,*,native
106675,a,mongodb,mongodb,2.6.0,*,*,*,*,*,*,*,native
106676,a,mongodb,mongodb,*,*,*,*,*,*,*,*,native
116706,a,mongodb,mongodb,1.8.0,*,*,*,*,*,*,*,native
116710,a,mongodb,mongodb,2.0.0,*,*,*,*,*,*,*,native
116712,a,mongodb,mongodb,2.0.6,*,*,*,*,*,*,*,native
116714,a,mongodb,mongodb,2.2.2,*,*,*,*,*,*,*,native
116718,a,mongodb,mongodb,1.2.0,*,*,*,*,*,*,*,native
116719,a,mongodb,mongodb,2.2.1,*,*,*,*,*,*,*,native
116722,a,mongodb,mongodb,2.2.0,*,*,*,*,*,*,*,native
116723,a,mongodb,mongodb,1.4.0,*,*,*,*,*,*,*,native
116726,a,mongodb,mongodb,2.0.1,*,*,*,*,*,*,*,native
116728,a,mongodb,mongodb,2.0.3,*,*,*,*,*,*,*,native
116733,a,mongodb,mongodb,2.0.4,*,*,*,*,*,*,*,native
116734,a,mongodb,mongodb,2.2.3,*,*,*,*,*,*,*,native
116735,a,mongodb,mongodb,2.0.5,*,*,*,*,*,*,*,native
116736,a,mongodb,mongodb,1.6.0,*,*,*,*,*,*,*,native
116738,a,mongodb,mongodb,2.0.2,*,*,*,*,*,*,*,native
116739,a,mongodb,mongodb,2.0.7,*,*,*,*,*,*,*,native
120693,a,mongodb,mongodb,2.4.2,*,*,*,*,*,*,*,native
120696,a,mongodb,mongodb,2.4.5,*,*,*,*,*,*,*,native
120697,a,mongodb,mongodb,2.4.0,*,*,*,*,*,*,*,native
120700,a,mongodb,mongodb,2.4.3,*,*,*,*,*,*,*,native
120703,a,mongodb,mongodb,2.5.0,*,*,*,*,*,*,*,native
120704,a,mongodb,mongodb,2.4.4,*,*,*,*,*,*,*,native
120705,a,mongodb,mongodb,2.4.1,*,*,*,*,*,*,*,native
141564,a,mongodb,mongodb,1.7.0,*,*,*,*,*,*,*,native
150252,a,mongodb,mongodb,*,*,*,*,enterprise,*,*,*,native
160046,a,mongodb,mongodb,-,*,*,*,*,*,*,*,native
199106,a,mongodb,mongodb,2.2.5,*,*,*,*,*,*,*,native
199124,a,mongodb,mongodb,2.2.7,*,*,*,*,*,*,*,native
199125,a,mongodb,mongodb,2.3.0,*,*,*,*,*,*,*,native
199131,a,mongodb,mongodb,2.2.4,*,*,*,*,*,*,*,native
199132,a,mongodb,mongodb,2.2.6,*,*,*,*,*,*,*,native
199133,a,mongodb,mongodb,2.0.8,*,*,*,*,*,*,*,native
215550,a,mongodb,mongodb,*,*,*,*,*,visual_studio_code,*,*,native
224263,a,mongodb,mongodb,4.4.0,rc9,*,*,*,*,*,*,native
224264,a,mongodb,mongodb,4.4.0,rc8,*,*,*,*,*,*,native
224265,a,mongodb,mongodb,4.4.0,rc7,*,*,*,*,*,*,native
224266,a,mongodb,mongodb,4.4.0,rc6,*,*,*,*,*,*,native
224267,a,mongodb,mongodb,4.4.0,rc5,*,*,*,*,*,*,native
224268,a,mongodb,mongodb,4.4.0,rc4,*,*,*,*,*,*,native
224269,a,mongodb,mongodb,4.4.0,rc3,*,*,*,*,*,*,native
224270,a,mongodb,mongodb,4.4.0,rc2,*,*,*,*,*,*,native
224271,a,mongodb,mongodb,4.4.0,rc1,*,*,*,*,*,*,native
224272,a,mongodb,mongodb,4.4.0,rc10,*,*,*,*,*,*,native
224273,a,mongodb,mongodb,4.4.0,rc11,*,*,*,*,*,*,native

@aikebah aikebah removed the npm label Dec 21, 2023
@aikebah aikebah mentioned this issue Jan 10, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@aikebah @JoergHeinicke5005