Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[FP]: CVE-2021-3765, validator.js dependency gets flagged on hibernate-validator dependencies #6692

Closed
volkert-fastned opened this issue May 28, 2024 · 6 comments
Labels
FP Report maven changes to the maven plugin

Comments

@volkert-fastned
Copy link
Contributor

Package URl

pkg:maven/org.hibernate.validator/[email protected]

CPE

cpe:2.3:a:validator_project:validator:8.0.1:::::::*

CVE

CVE-2021-3765

ODC Integration

{"label"=>"Gradle Plugin"}

ODC Version

9.2.0

Description

Vulnerability CVE-2021-3765, which applies to validator.js (a Node.js library) gets flagged on hibernate-validator dependencies:

hibernate-validator-8.0.1.Final-sources.jar (pkg:maven/org.hibernate.validator/[email protected], cpe:2.3:a:validator_project:validator:8.0.1:*:*:*:*:*:*:*) : CVE-2021-3765
hibernate-validator-annotation-processor-8.0.1.Final-sources.jar (pkg:maven/org.hibernate.validator/[email protected], cpe:2.3:a:validator_project:validator:8.0.1:*:*:*:*:*:*:*) : CVE-2021-3765

Strangely enough, this suddenly got flagged (along with a bunch of other vulnerabilities) while I tried to upgrade a project from Kotlin 1.9.x to Kotlin 2.0. But the dependencies that suddenly got flagged with that upgrade weren't related to the Kotlin 2.0 upgrade.

Also worth noting: according to NIST, the CPE should in fact be cpe:2.3:a:validator_project:validator:*:*:*:*:*:node.js:*:* but the CPE that the DendencyCheck Gradle plugin flags has a wildcard in place of the .node.js part. Perhaps that's what's causing this false positive?

Copy link
Contributor

Maven Coordinates

<dependency>
   <groupId>org.hibernate.validator</groupId>
   <artifactId>hibernate-validator</artifactId>
   <version>8.0.1.Final</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6692
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.hibernate\.validator/hibernate-validator@.*$</packageUrl>
   <cpe>cpe:/a:validator_project:validator</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9268402034

@github-actions github-actions bot added the maven changes to the maven plugin label May 28, 2024
@volkert-fastned
Copy link
Contributor Author

@jeremylong
Copy link
Owner

approved

Copy link
Contributor

Suppress rule has been added to the generatedSuppressions branch.

github-actions bot added a commit that referenced this issue May 28, 2024
@volkert-fastned
Copy link
Contributor Author

@jeremylong It still flags the other one with the suppression in the automated fix commit:

hibernate-validator-annotation-processor-8.0.1.Final-sources.jar (pkg:maven/org.hibernate.validator/[email protected], cpe:2.3:a:validator_project:validator:8.0.1:*:*:*:*:*:*:*) : CVE-2021-3765

@volkert-fastned
Copy link
Contributor Author

@jeremylong Adding another .* between validator and @ appears to do the trick:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6692
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.hibernate\.validator/hibernate-validator.*@.*$</packageUrl>
   <cpe>cpe:/a:validator_project:validator</cpe>
</suppress>

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 10, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
FP Report maven changes to the maven plugin
Projects
None yet
Development

No branches or pull requests

2 participants