This is a multi-level problem. I think com.dslplatform:dsl-json has been shaded into this jar, but I don't think json_project:json is the correct CPE for it. You then get #2792 on top (completely unrelated CVEs).
apm-agent-attach-1.17.0.jar: elastic-apm-agent.jar\META-INF/maven/com.dslplatform/dsl-json/pom.xml (pkg:maven/com.dslplatform/dsl-json@1.9.3, cpe:2.3:a:json_project:json:1.9.3:*:*:*:*:*:*:*) : CVE-2020-10663, CVE-2020-7712
<dependency>
    <groupId>co.elastic.apm</groupId>
    <artifactId>apm-agent-attach</artifactId>
    <version>${elastic-apm.version}</version>
    <optional>true</optional>
</dependency>
Forgot to mention: this is new with the 6.0.0 maven plugin.
Rather than make more issues, all of these are also detected as json_project:json:
DependencyCheck v6 (CLI) is also falsely identifying a large number of npm modules as json_project:json, including:
The packages are properly identified, but the CPEs are incorrect as cpe:2.3:a:json_project:json.
see also #2792 and #2796
A few more I noticed as well:
google-api-services-storage-v1-rev20200727-1.30.10.jar (pkg:maven/com.google.apis/google-api-services-storage@v1-rev20200727-1.30.10, cpe:2.3:a:json_project:json:1.30.10:*:*:*:*:*:*:*) : CVE-2020-10663, CVE-2020-7712
google-http-client-jackson2-1.36.0.jar (pkg:maven/com.google.http-client/google-http-client-jackson2@1.36.0, cpe:2.3:a:json_project:json:1.36.0:*:*:*:*:*:*:*) : CVE-2020-10663, CVE-2020-7712
jose4j-0.5.5.jar (pkg:maven/org.bitbucket.b_c/jose4j@0.5.5, cpe:2.3:a:json_project:json:0.5.5:*:*:*:*:*:*:*) : CVE-2020-10663, CVE-2020-7712
json4s-ast_2.11-3.5.3.jar (pkg:maven/org.json4s/json4s-ast_2.11@3.5.3, cpe:2.3:a:json_project:json:3.5.3:*:*:*:*:*:*:*) : CVE-2020-7712
json4s-ast_2.12-3.5.3.jar (pkg:maven/org.json4s/json4s-ast_2.12@3.5.3, cpe:2.3:a:json_project:json:3.5.3:*:*:*:*:*:*:*) : CVE-2020-7712
json4s-core_2.11-3.5.3.jar (pkg:maven/org.json4s/json4s-core_2.11@3.5.3, cpe:2.3:a:json_project:json:3.5.3:*:*:*:*:*:*:*) : CVE-2020-7712
json4s-core_2.12-3.5.3.jar (pkg:maven/org.json4s/json4s-core_2.12@3.5.3, cpe:2.3:a:json_project:json:3.5.3:*:*:*:*:*:*:*) : CVE-2020-7712
json4s-jackson_2.11-3.5.3.jar (pkg:maven/org.json4s/json4s-jackson_2.11@3.5.3, cpe:2.3:a:json_project:json:3.5.3:*:*:*:*:*:*:*) : CVE-2020-7712
json4s-jackson_2.12-3.5.3.jar (pkg:maven/org.json4s/json4s-jackson_2.12@3.5.3, cpe:2.3:a:json_project:json:3.5.3:*:*:*:*:*:*:*) : CVE-2020-7712
json4s-scalap_2.11-3.5.3.jar (pkg:maven/org.json4s/json4s-scalap_2.11@3.5.3, cpe:2.3:a:json_project:json:3.5.3:*:*:*:*:*:*:*) : CVE-2020-7712
json4s-scalap_2.12-3.5.3.jar (pkg:maven/org.json4s/json4s-scalap_2.12@3.5.3, cpe:2.3:a:json_project:json:3.5.3:*:*:*:*:*:*:*) : CVE-2020-7712
metrics-json-3.1.5.jar (pkg:maven/io.dropwizard.metrics/metrics-json@3.1.5, cpe:2.3:a:json_project:json:3.1.5:*:*:*:*:*:*:*) : CVE-2020-7712
minimal-json-0.9.1.jar (pkg:maven/com.eclipsesource.minimal-json/[email protected], pkg:maven/com.eclipsesource.minimal-json/[email protected], cpe:2.3:a:json_project:json:0.9.1:snapshot:*:*:*:*:*:*) : CVE-2020-10663, CVE-2020-7712
Also falsely identified here:
{
    "isVirtual": false,
    "fileName": "Newtonsoft.Json.dll",
    "md5": "34ca1f6dbd8b86258427309821f2b36d",
    "sha1": "be2e146819743548d9c10f0f08ae95c778502d9a",
    "sha256": "f46c824243bb46b274fc4ce5e72490021318003ec18999ea8cc6c508e96d1466",
    "description": "Json.NET .NET 3.5\n\nJson.NET is a popular high-performance JSON framework for .NET",
    "packages": [
        {
            "id": "pkg:generic\/Newtonsoft.Json@5.0.6.16206",
            "confidence": "MEDIUM",
            "url": "https:\/\/ossindex.sonatype.org\/component\/pkg:generic\/Newtonsoft.Json@5.0.6.16206"
        }
    ],
    "vulnerabilityIds": [
        {
            "id": "cpe:2.3:a:json_project:json:5.0.6.16206:*:*:*:*:*:*:*",
            "confidence": "LOW"
        }
    ]
},
Also seeing this for:
jettison-1.3.3.jar (pkg:maven/org.codehaus.jettison/jettison@1.3.3, cpe:2.3:a:json_project:json:1.3.3:::::::*) : CVE-2020-10663, CVE-2020-7712
Also for:
aws-json-protocol-2.14.11.jar (pkg:maven/software.amazon.awssdk/aws-json-protocol@2.14.11, cpe:2.3:a:json_project:json:2.14.11:*:*:*:*:*:*:*) : CVE-2020-7712
It would be nice if we could filter based on the confidence attribute, both on package and on vulnerability.
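Until DependencyCheck itself can filter on confidence, the pattern every report in this thread shares (package identified with HIGH confidence, CPE attached with only LOW confidence) can be picked out of the JSON report after the scan and turned into a suppression file. The script below is an added example written for this editing pass, not code from DependencyCheck or from anyone in the thread. It assumes the report layout shown in the Newtonsoft.Json fragment above (a "dependencies" array whose entries carry "packages" and "vulnerabilityIds", each with a "confidence" of LOW, MEDIUM, HIGH or HIGHEST) and the documented suppression-file elements (<suppress>, <sha1>, <cpe>, <notes>). The sample report embedded in it is constructed for the example; the sha1 values are placeholders, and example-lib / unidentified.jar are invented names.

```python
import json
import xml.etree.ElementTree as ET

# DependencyCheck confidence levels, weakest first (assumed ordering of the
# four values that appear in the JSON report).
CONFIDENCE_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "HIGHEST": 3}

# Constructed sample in the shape of a DependencyCheck JSON report, "dependencies"
# array only. The sha1 digests are placeholders, not real hashes.
#  1. jettison: the pattern reported in this thread (package HIGH, CPE LOW).
#  2. example-lib: an invented dependency whose CPE was matched with HIGHEST
#     confidence and must therefore not be suppressed.
#  3. unidentified.jar: no package identification at all; a LOW CPE is the only
#     evidence, so it is left alone for a human to look at.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {
            "fileName": "jettison-1.3.3.jar",
            "sha1": "1111111111111111111111111111111111111111",
            "packages": [{"id": "pkg:maven/org.codehaus.jettison/jettison@1.3.3",
                          "confidence": "HIGH"}],
            "vulnerabilityIds": [{"id": "cpe:2.3:a:json_project:json:1.3.3:*:*:*:*:*:*:*",
                                  "confidence": "LOW"}],
            "vulnerabilities": [{"name": "CVE-2020-10663"}, {"name": "CVE-2020-7712"}],
        },
        {
            "fileName": "example-lib-1.0.jar",
            "sha1": "2222222222222222222222222222222222222222",
            "packages": [{"id": "pkg:maven/org.example/example-lib@1.0",
                          "confidence": "HIGHEST"}],
            "vulnerabilityIds": [{"id": "cpe:2.3:a:example:example-lib:1.0:*:*:*:*:*:*:*",
                                  "confidence": "HIGHEST"}],
            "vulnerabilities": [],
        },
        {
            "fileName": "unidentified.jar",
            "sha1": "3333333333333333333333333333333333333333",
            "packages": [],
            "vulnerabilityIds": [{"id": "cpe:2.3:a:json_project:json:1.0:*:*:*:*:*:*:*",
                                  "confidence": "LOW"}],
            "vulnerabilities": [{"name": "CVE-2020-7712"}],
        },
    ],
})

SUPPRESSION_NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"


def cpe23_to_vendor_product(cpe23):
    """Reduce a CPE 2.3 string to the cpe:/a:vendor:product form used in suppression files."""
    parts = cpe23.split(":")  # cpe:2.3:<part>:<vendor>:<product>:<version>:...
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 string: " + cpe23)
    return "cpe:/%s:%s:%s" % (parts[2], parts[3], parts[4])


def weak_cpe_matches(report_json, max_cpe_confidence="LOW", min_package_confidence="HIGH"):
    """Return [(fileName, sha1, cpe23, [cve names])] for every CPE matched at or below
    max_cpe_confidence on a dependency whose package id reached min_package_confidence.
    The package guard keeps us from suppressing the only evidence on an unknown file."""
    report = json.loads(report_json)
    results = []
    for dep in report.get("dependencies", []):
        pkg_rank = max((CONFIDENCE_RANK[p["confidence"]] for p in dep.get("packages", [])),
                       default=-1)
        if pkg_rank < CONFIDENCE_RANK[min_package_confidence]:
            continue
        cves = [v["name"] for v in dep.get("vulnerabilities", [])]
        for vid in dep.get("vulnerabilityIds", []):
            if CONFIDENCE_RANK[vid["confidence"]] <= CONFIDENCE_RANK[max_cpe_confidence]:
                results.append((dep["fileName"], dep["sha1"], vid["id"], cves))
    return results


def suppression_xml(matches):
    """Render matches as a DependencyCheck suppression file. Each rule is pinned to the
    file's sha1 so a new version of the jar is re-evaluated instead of silently hidden."""
    root = ET.Element("suppressions", xmlns=SUPPRESSION_NS)
    for file_name, sha1, cpe23, cves in matches:
        sup = ET.SubElement(root, "suppress")
        ET.SubElement(sup, "notes").text = "file name: %s; low-confidence CPE, reported %s" % (
            file_name, ", ".join(cves) or "no CVEs")
        ET.SubElement(sup, "sha1").text = sha1
        ET.SubElement(sup, "cpe").text = cpe23_to_vendor_product(cpe23)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: replace SAMPLE_REPORT with open("dependency-check-report.json").read()
    print(suppression_xml(weak_cpe_matches(SAMPLE_REPORT)))
```

Running it on the sample emits one rule, for jettison only: the HIGHEST-confidence CPE on example-lib stays, and unidentified.jar is skipped because nothing identifies the package. Raise max_cpe_confidence to MEDIUM to also catch matches like the Newtonsoft.Json one above, and review the generated file before committing it; pinning on sha1 rather than on a file-name regex is what keeps this from turning into the blanket suppression the thread warns against.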
I just tested 6.x on a JS project and it's a disaster. 2000+ false positives. Any package with a word like "string" or "unicode" or anything in the name gets picked up as the wrong thing.
The originally reported FP for this ticket was tested with 6.0.2 and appears to be resolved.
@jeremylong have you made an error? The grails issue is #2676. This one is some sort of big systemic problem in name matching. Fixing it with (tens of) thousands of suppressions is not going to work.
It looks to me like the issues with this specific CPE are fixed in 6.0.2, but the broader issue with name matching (e.g. #2796, which has about a dozen other CPEs reported for a large number of modules) still exists.
@aarongoldenthal completely understood - I'm currently going through the Java FP reported and then I'll work on the node and finally the .net.