
[FP]: False positive on wrapped elasticsearch libraries against ada CPE #7237

Open
jubui opened this issue Dec 9, 2024 · 8 comments
Comments

jubui commented Dec 9, 2024

Package URL

n/a

CPE

cpe:2.3:a:4d:4d:7.17.23:*:*:*:*:*:*:*

CVE

CVE-2024-9410

ODC Integration

None

ODC Version

10.0.3

Description

CVE is against ada but none of the libraries in the report are ada. Noticeably, our CPE cpe:2.3:a:4d:4d:7.17.23:*:*:*:*:*:*:* very closely resembles the CVE's CPE: cpe:2.3:a:ada:ada:7.17.23:*:*:*:*:*:*:*. I suspect there is some bad fuzzy search matching going on with the CPE. Our build packages up some elasticsearch libraries into its own zip file.

The following are reported but are not ada:

  • analysis-common-7.17.23.jar
  • ingest-common-7.17.23.jar
  • ingest-geoip-7.17.23.jar
  • keystore-cli-7.17.23.jar
  • lang-painless-7.17.23.jar
  • legacy-geo-7.17.23.jar
  • runtime-fields-common-7.17.23.jar

output of dependencyCheckAnalyze:

my-package.zip: analysis-common-7.17.23.jar (cpe:2.3:a:4d:4d:7.17.23:*:*:*:*:*:*:*, cpe:2.3:a:ada:ada:7.17.23:*:*:*:*:*:*:*, cpe:2.3:a:elastic:elasticsearch:7.17.23:*:*:*:*:*:*:*, cpe:2.3:a:elasticsearch:elasticsearch:7.17.23:*:*:*:*:*:*:*) : CVE-2024-9410
my-package.zip: ingest-common-7.17.23.jar (cpe:2.3:a:4d:4d:7.17.23:*:*:*:*:*:*:*, cpe:2.3:a:ada:ada:7.17.23:*:*:*:*:*:*:*, cpe:2.3:a:elastic:elasticsearch:7.17.23:*:*:*:*:*:*:*, cpe:2.3:a:elasticsearch:elasticsearch:7.17.23:*:*:*:*:*:*:*) : CVE-2024-9410
my-package.zip: ingest-geoip-7.17.23.jar (cpe:2.3:a:4d:4d:7.17.23:*:*:*:*:*:*:*, cpe:2.3:a:ada:ada:7.17.23:*:*:*:*:*:*:*, cpe:2.3:a:elastic:elasticsearch:7.17.23:*:*:*:*:*:*:*, cpe:2.3:a:elasticsearch:elasticsearch:7.17.23:*:*:*:*:*:*:*) : CVE-2024-9410
my-package.zip: keystore-cli-7.17.23.jar (cpe:2.3:a:4d:4d:7.17.23:*:*:*:*:*:*:*, cpe:2.3:a:ada:ada:7.17.23:*:*:*:*:*:*:*, cpe:2.3:a:elastic:elasticsearch:7.17.23:*:*:*:*:*:*:*, cpe:2.3:a:elasticsearch:elasticsearch:7.17.23:*:*:*:*:*:*:*) : CVE-2024-9410
my-package.zip: lang-painless-7.17.23.jar (cpe:2.3:a:4d:4d:7.17.23:*:*:*:*:*:*:*, cpe:2.3:a:ada:ada:7.17.23:*:*:*:*:*:*:*, cpe:2.3:a:elastic:elasticsearch:7.17.23:*:*:*:*:*:*:*, cpe:2.3:a:elasticsearch:elasticsearch:7.17.23:*:*:*:*:*:*:*) : CVE-2024-9410
my-package.zip: legacy-geo-7.17.23.jar (cpe:2.3:a:4d:4d:7.17.23:*:*:*:*:*:*:*, cpe:2.3:a:ada:ada:7.17.23:*:*:*:*:*:*:*, cpe:2.3:a:elastic:elasticsearch:7.17.23:*:*:*:*:*:*:*, cpe:2.3:a:elasticsearch:elasticsearch:7.17.23:*:*:*:*:*:*:*) : CVE-2024-9410
my-package.zip: runtime-fields-common-7.17.23.jar (cpe:2.3:a:4d:4d:7.17.23:*:*:*:*:*:*:*, cpe:2.3:a:ada:ada:7.17.23:*:*:*:*:*:*:*, cpe:2.3:a:elastic:elasticsearch:7.17.23:*:*:*:*:*:*:*, cpe:2.3:a:elasticsearch:elasticsearch:7.17.23:*:*:*:*:*:*:*) : CVE-2024-9410
@jubui jubui added the FP Report label Dec 9, 2024

github-actions bot commented Dec 9, 2024

Error parsing package url: n/a.

Error: Error: Invalid purl: missing required "pkg" scheme component

Please correct the package URL - consider copying the package url from the HTML report.


github-actions bot commented Dec 9, 2024

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/12240050584

@chadlwilson

Please include the maven package URIs for the artifacts being incorrectly matched as noted in the report, or it's too difficult to review/craft a suppression.


jubui commented Dec 10, 2024

@chadlwilson thanks for taking a look. There was no package URI that was output as part of the dependency check report. You can see in the screenshot that the third column is just blank:

[screenshot: dependency-check report table with an empty package URL column]

Where would I be able to find the package URIs for the following? Is pkg URI something I can find publicly?

analysis-common-7.17.23.jar
ingest-common-7.17.23.jar
ingest-geoip-7.17.23.jar
keystore-cli-7.17.23.jar
lang-painless-7.17.23.jar
legacy-geo-7.17.23.jar
runtime-fields-common-7.17.23.jar

@chadlwilson

Maybe that's in some way the problem here. Is it the same on a more recent ODC version? You're not using it via Gradle or maven plugin?

Do you have a simple way to reproduce this?

If it's specific to the way the jars are inside that zip and it can't find poms to match the jars to their source you might have to suppress them yourselves as a generic suppression will have issues too.

Usually the report will give you a suggested suppression in the detail (by sha or similar if it can't figure out the maven package) which is a hint as to the problem.

github-actions bot commented

Error parsing package url: n/a.

Error: Error: Invalid purl: missing required "pkg" scheme component

Please correct the package URL - consider copying the package url from the HTML report.

github-actions bot commented

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/12259469681


aikebah commented Dec 18, 2024

@jubui Your libraries are not hosted on Maven Central and are therefore not found (from the sha1 value) by the CentralAnalyzer, which means the CLI needs to fall back to pure textual analysis of the evidence found in the jars, not taking into account the Maven coordinates for the same libraries.

If you have a private repository manager (Artifactory Pro or Nexus) proxying the access to amongst others the codelibs repository you might have better results when you activate their respective analyzer that would do a sha1-hash search for the library in your private repository manager and should typically manage to link the maven Group/Artifact/Version of the libraries so that a better match can be made.
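Both of the suggestions above (chadlwilson: suppress by sha1 when the Maven coordinates cannot be resolved; aikebah: the jars are not on Maven Central, so there is nothing for the CentralAnalyzer to key on) come down to writing a suppression that is pinned to the exact file rather than to a vendor/product name that could hide a real finding elsewhere. The script below is an added example and not part of the DependencyCheck project or of this issue. It assumes the documented `<sha1>` and `<cpe>` suppression elements and the 1.3 suppression schema; the `cpe:/a:vendor:product` prefix form is the one the project documentation uses, so check it against the suggested suppression the HTML report prints for your own run. The jar files it creates are constructed stand-ins for the ones inside my-package.zip, and the `BOGUS_CPES` list is the assumption that only the `4d:4d` and `ada:ada` identifiers are wrong (the elasticsearch CPEs on those jars are correct and are left alone).

```shell
#!/usr/bin/env bash
# Added example: generate sha1-pinned dependency-check suppressions for
# jars that the CentralAnalyzer cannot map to Maven coordinates.
set -e

# Assumed: the CPE prefixes that were wrongly attached to the module jars.
# The elastic/elasticsearch CPEs are correct and must NOT be suppressed.
BOGUS_CPES="cpe:/a:4d:4d cpe:/a:ada:ada"

# sha1_of FILE : hex sha1 of FILE, the same value the ODC report shows
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | cut -d' ' -f1
  else
    shasum -a 1 "$1" | cut -d' ' -f1
  fi
}

# gen_suppressions DIR : print a suppressions.xml with one rule per *.jar in DIR.
# Each rule matches only that exact file (sha1) and only the bogus CPEs, so a
# genuine ada/4D dependency elsewhere in the build would still be reported.
gen_suppressions() {
  dir=$1
  printf '<?xml version="1.0" encoding="UTF-8"?>\n'
  printf '<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">\n'
  for jar in "$dir"/*.jar; do
    [ -f "$jar" ] || continue
    name=$(basename "$jar")
    sum=$(sha1_of "$jar")
    printf '  <suppress>\n'
    printf '    <notes><![CDATA[%s: elasticsearch module jar, not ada/4D (see issue #7237)]]></notes>\n' "$name"
    printf '    <sha1>%s</sha1>\n' "$sum"
    for cpe in $BOGUS_CPES; do
      printf '    <cpe>%s</cpe>\n' "$cpe"
    done
    printf '  </suppress>\n'
  done
  printf '</suppressions>\n'
}

# count_rules FILE : number of <suppress> rules in FILE (sanity check)
count_rules() {
  grep -c '<suppress>' "$1"
}

# demo : build constructed stand-ins for the seven jars from the report,
# write the suppression file next to them and print its path.
demo() {
  tmp=$(mktemp -d)
  for n in analysis-common ingest-common ingest-geoip keystore-cli \
           lang-painless legacy-geo runtime-fields-common; do
    printf 'constructed stand-in for %s\n' "$n" > "$tmp/$n-7.17.23.jar"
  done
  gen_suppressions "$tmp" > "$tmp/suppressions.xml"
  echo "$tmp/suppressions.xml"
}

# Usage: path=$(demo); dependency-check.sh --scan my-package.zip --suppression "$path"
```

Because the rule is keyed on the sha1 of the file, it has to be regenerated whenever the packaged jars change; that is the price of not writing a global `<cpe>cpe:/a:ada:ada</cpe>` rule, which would silence CVE-2024-9410 for every dependency in the scan, including a real one.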
