
[FP]: False positive for apache-el-11.0.0.jar against multiple jetty 11 CVE's #7145

Closed
vbode opened this issue Nov 8, 2024 · 12 comments
Labels: duplicate, FP Report, maven (changes to the maven plugin)

Comments

@vbode

vbode commented Nov 8, 2024

Package URL

pkg:maven/org.mortbay.jasper/apache-el@11.0.0

CPE

cpe:2.3:a:eclipse:jetty:11.0.0:-:*:*:*:*:*:*

CVE

CVE-2021-28165

ODC Integration

Docker

ODC Version

11.0.0

Description

It seems like Jetty 11 is being detected as a CPE for apache-el, causing many jetty 11 CVEs to be detected.
See the attached screenshot.

@vbode vbode added the FP Report label Nov 8, 2024
Contributor

github-actions bot commented Nov 8, 2024

Maven Coordinates

<dependency>
   <groupId>org.mortbay.jasper</groupId>
   <artifactId>apache-el</artifactId>
   <version>11.0.0</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7145
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.mortbay\.jasper/apache-el@.*$</packageUrl>
   <cpe>cpe:/a:eclipse:jetty</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11739964544

@github-actions github-actions bot added the maven changes to the maven plugin label Nov 8, 2024
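The bot's rule is scoped by two conditions: the packageUrl regex must match the dependency's package URL and the suppressed CPE must match the identifier the analyzer attached. The following is an added example, not code from this issue or from the DependencyCheck project, showing a simplified model of that matching: it parses the suppression above, converts each finding's cpe:2.3 identifier to the cpe:/ form, and treats the rule's CPE as a component-wise prefix (my reading of how base suppressions behave, stated here as an assumption). The findings list is constructed; the first entry reproduces this issue's report, the Jetty artifact and the placeholder CVE id are made up to show what the rule does not touch.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed suppression file wrapping the rule the bot generated for this issue.
SUPPRESSIONS_XML = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress base="true">
    <notes><![CDATA[
    FP per issue #7145
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.mortbay\.jasper/apache-el@.*$</packageUrl>
    <cpe>cpe:/a:eclipse:jetty</cpe>
  </suppress>
</suppressions>
"""


@dataclass(frozen=True)
class Finding:
    purl: str  # package URL of the scanned jar
    cpe: str   # CPE 2.3 identifier the analyzer attached to it
    cve: str


@dataclass(frozen=True)
class Rule:
    purl_regex: Optional[re.Pattern]  # None when the rule has no packageUrl element
    cpe_prefix: Optional[str]         # None when the rule has no cpe element


# Constructed findings. The first reproduces the report from this issue.
SAMPLE_FINDINGS = [
    Finding("pkg:maven/org.mortbay.jasper/apache-el@11.0.0",
            "cpe:2.3:a:eclipse:jetty:11.0.0:-:*:*:*:*:*:*", "CVE-2021-28165"),
    # A real Jetty artifact carrying the same CPE: the purl regex keeps it out of the rule.
    Finding("pkg:maven/org.eclipse.jetty/jetty-server@11.0.0",
            "cpe:2.3:a:eclipse:jetty:11.0.0:*:*:*:*:*:*:*", "CVE-2021-28165"),
    # apache-el with a non-Jetty CPE and a placeholder CVE id: the cpe prefix keeps it out.
    Finding("pkg:maven/org.mortbay.jasper/apache-el@11.0.0",
            "cpe:2.3:a:apache:tomcat:11.0.0:*:*:*:*:*:*:*", "CVE-0000-00000"),
]


def _local(tag: str) -> str:
    """Strip the XML namespace from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def cpe23_to_cpe22(cpe23: str) -> str:
    """cpe:2.3:a:eclipse:jetty:11.0.0:-:*:*:*:*:*:* -> cpe:/a:eclipse:jetty:11.0.0:-"""
    parts = cpe23.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe23}")
    fields = parts[2:7]  # part, vendor, product, version, update
    while fields and fields[-1] == "*":  # trailing wildcards carry no information
        fields.pop()
    return "cpe:/" + ":".join(fields)


def parse_suppressions(xml_text: str) -> List[Rule]:
    """Read every <suppress> element into a Rule (only packageUrl and cpe are modelled)."""
    rules = []
    for node in ET.fromstring(xml_text).iter():
        if _local(node.tag) != "suppress":
            continue
        purl_regex, cpe_prefix = None, None
        for child in node:
            text = (child.text or "").strip()
            if _local(child.tag) == "packageUrl":
                purl_regex = re.compile(text if child.get("regex") == "true" else re.escape(text))
            elif _local(child.tag) == "cpe":
                cpe_prefix = text
        rules.append(Rule(purl_regex, cpe_prefix))
    return rules


def rule_matches(rule: Rule, finding: Finding) -> bool:
    """All conditions present on the rule must hold for the finding."""
    if rule.purl_regex is not None and not rule.purl_regex.fullmatch(finding.purl):
        return False
    if rule.cpe_prefix is not None:
        cpe22 = cpe23_to_cpe22(finding.cpe)
        # Prefix match on whole components, so cpe:/a:eclipse:jetty never matches jetty-foo.
        if not (cpe22 == rule.cpe_prefix or cpe22.startswith(rule.cpe_prefix + ":")):
            return False
    return True


def apply_suppressions(findings: List[Finding], rules: List[Rule]) -> Tuple[List[Finding], List[Finding]]:
    """Split findings into (kept, suppressed)."""
    kept, suppressed = [], []
    for f in findings:
        (suppressed if any(rule_matches(r, f) for r in rules) else kept).append(f)
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = apply_suppressions(SAMPLE_FINDINGS, parse_suppressions(SUPPRESSIONS_XML))
    for f in suppressed:
        print("suppressed:", f.purl, f.cve)
    for f in kept:
        print("reported:  ", f.purl, f.cve)
```

The point worth checking before filing a rule like this is the second finding: the regex on the package URL is what stops the rule from hiding the same CVE on a genuine Jetty jar, so a suppression that only named the CPE would be too broad.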
@aikebah
Collaborator

aikebah commented Nov 10, 2024

approved

Contributor

Suppress already exists in generatedSuppressions branch. See issue #7047.

@vbode
Author

vbode commented Nov 11, 2024

Hi @aikebah, I see this has now been approved. Does this mean the suppression is live, or do I need to wait for a new dependency check release?

@vbode
Author

vbode commented Dec 4, 2024

Hi @aikebah.
I just updated to 11.1.1 but the dependency scan still finds this vulnerability.
What could be wrong?

@aikebah
Collaborator

aikebah commented Dec 4, 2024

@vbode the bot indicated

Suppress already exists

gut feel: you picked the wrong CPE and one or more of the other jetty-CPEs are what causes this FP to surface

@vbode
Author

vbode commented Dec 5, 2024

@aikebah Ah I see that my suppression is now suppressing a different CVE. I think however this is also still a false positive from apache-el.
[screenshot]

@aikebah
Collaborator

aikebah commented Dec 5, 2024

@vbode That's a suppression from your own suppression file.

@aikebah
Collaborator

aikebah commented Dec 5, 2024

If your hosted suppressions file functioned properly, you would have an empty report, just like in our pipeline.

[screenshot]

@vbode
Author

vbode commented Dec 5, 2024

@aikebah
Indeed that is a suppression from our own file, however, I think this suppression should not be needed since it is detecting a CVE from Jetty corresponding to the apache-el version.

Regarding the report you shared, I think your report is empty because no vulnerabilities were suppressed at all, because there were no vulnerabilities to suppress.
In our case there are vulnerabilities to suppress:
[screenshot]

@aikebah
Collaborator

aikebah commented Dec 5, 2024

Report is empty, because the suppressions that are performed by the FP mitigations from the hosted suppressions file (base suppressions) are not added to the list.
The suppressed vulnerabilities enumeration is aimed at 'accepted or mitigated valid risks of a library'

@vbode
Author

vbode commented Dec 9, 2024

I've had a look again. I see now that we had this error:
2024-12-06 12:48:27.520 | [WARN] Hosted Suppressions file is empty or missing - attempting to force the update
2024-12-06 12:48:27.520 | [WARN] Empty Hosted Suppression file after update, results may contain false positives already resolved by the DependencyCheck project due to failed download of the hosted suppression file

After adding the --hostedSuppressionsForceUpdate flag, this error no longer shows up, and our suppression no longer needs to suppress the apache-el false positive. We were already using the --noupdate flag, because we use a hosted SQL database.

Thanks for the help @aikebah !
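The root cause in this thread was silent: the hosted (base) suppressions failed to download, the scan still ran, and the already-resolved false positive reappeared in the report. Since the only trace of that was a pair of WARN lines, a pipeline step that refuses to accept a report produced after those warnings is a cheap guard. The following is an added example, not code from this issue or from the DependencyCheck project: it scans a Dependency-Check log for the two messages quoted above and exits non-zero when they are present. The log excerpt is constructed from the lines quoted in the comment plus one made-up INFO line; the script name and its single argument are assumptions.

```python
import re
import sys
from typing import List, Optional

# Constructed log excerpt: the two WARN lines are those quoted above, the INFO line is made up.
SAMPLE_LOG = """\
2024-12-06 12:48:27.520 | [WARN] Hosted Suppressions file is empty or missing - attempting to force the update
2024-12-06 12:48:27.520 | [WARN] Empty Hosted Suppression file after update, results may contain false positives already resolved by the DependencyCheck project due to failed download of the hosted suppression file
2024-12-06 12:48:28.104 | [INFO] Analysis Started
"""

# Messages that mean the base suppressions did not load. Matched on the stable leading
# phrase of each warning rather than the whole sentence, so minor wording changes still hit.
HOSTED_SUPPRESSION_FAILURES = (
    re.compile(r"\[WARN\] Hosted Suppressions file is empty or missing"),
    re.compile(r"\[WARN\] Empty Hosted Suppression file after update"),
)


def hosted_suppression_failures(log_text: str) -> List[str]:
    """Return every log line that signals a failed hosted-suppressions download."""
    return [
        line for line in log_text.splitlines()
        if any(pattern.search(line) for pattern in HOSTED_SUPPRESSION_FAILURES)
    ]


def main(log_path: Optional[str] = None) -> int:
    """Exit 1 when the log shows the base suppressions were not applied, else 0."""
    if log_path is None:
        log_text = SAMPLE_LOG  # demo mode: run against the constructed excerpt
    else:
        with open(log_path, encoding="utf-8") as fh:
            log_text = fh.read()
    failures = hosted_suppression_failures(log_text)
    for line in failures:
        print("hosted suppressions not loaded:", line)
    if failures:
        print("report may contain already-resolved false positives; failing the gate")
        return 1
    print("hosted suppressions loaded; report is trustworthy on that count")
    return 0


if __name__ == "__main__":
    # Usage (assumed): python check_odc_log.py dependency-check.log
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it on the captured scan log after the Dependency-Check step; in a pipeline that passes --noupdate, pairing it with --hostedSuppressionsForceUpdate as in the comment above keeps the base suppressions current while this check catches the case where the download still fails.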
