Quarkus: Quarkus is not known in the NVD Database CPE

Created on 27 May 2019 · 20 comments · Source: quarkusio/quarkus

Describe the bug
Quarkus is not known in the NVD Database CPE (Common Platform Enumeration: https://nvd.nist.gov/products/cpe) Dictionary, so when running the OWASP dependency check some false positives are found.

Expected behavior
The NVD CPE dictionary should be aware of Quarkus.

Actual behavior
When running the OWASP Maven dependency check plugin, false positives are found around quarkus-postgres, which is detected as the Postgres driver and not as quarkus-postgres:

quarkus-jdbc-postgresql-0.15.0.jar (pkg:maven/io.quarkus/quarkus-jdbc-postgresql@0.15.0, cpe:2.3:a:postgresql:postgresql:0.15.0:*:*:*:*:*:*:*) : CVE-2007-2138, CVE-2010-0733, CVE-2014-0060, CVE-2014-0061, CVE-2014-0062, CVE-2014-0063, CVE-2014-0064, CVE-2014-0065, CVE-2014-0066, CVE-2014-0067, CVE-2015-3165, CVE-2015-5288, CVE-2015-5289, CVE-2016-0766, CVE-2016-0768, CVE-2016-0773, CVE-2016-5423, CVE-2016-5424, CVE-2016-7048, CVE-2017-14798, CVE-2017-7484, CVE-2018-1115

quarkus-jdbc-postgresql-0.15.0.jar is found as cpe:2.3:a:postgresql:postgresql:0.15.0.

For a workaround, I can add a CPE exclusion on the OWASP dependency check plugin via an exclusion file in my pom.xml, but the best would be to include Quarkus artifacts in the NVD database as a proper CPE.

To Reproduce
Steps to reproduce the behavior:

  1. Create an app with PostgreSQL
  2. Add the OWASP dependency check maven plugin
  3. mvn verify

Environment (please complete the following information):

  • Quarkus version or git rev: 0.15.0

All 20 comments

If someone hits the same issue, the corresponding suppression file is a workaround while waiting for Quarkus to be known in the NVD database.

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for quarkus-jdbc-postgresql to postgresql
            ]]>
        </notes>
        <gav regex="true">^io\.quarkus:quarkus-jdbc-postgresql:.*$</gav>
        <cpe>cpe:2.3:a:postgresql:postgresql</cpe>
    </suppress>
</suppressions>

There are two more Quarkus libraries that are wrongly detected by the OWASP dependency check maven plugin:

  • quarkus-resteasy-0.20.0.jar (pkg:maven/io.quarkus/quarkus-resteasy@0.20.0, cpe:2.3:a:redhat:resteasy:0.20.0:*:*:*:*:*:*:*) : CVE-2011-5245, CVE-2012-0818, CVE-2016-9606
  • quarkus-undertow-0.20.0.jar (pkg:maven/io.quarkus/quarkus-undertow@0.20.0, cpe:2.3:a:redhat:undertow:0.20.0:*:*:*:*:*:*:*)

@gsmet can someone from the official Quarkus team declare Quarkus libraries as CPEs on the NVD library?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you!
We are doing this automatically to ensure out-of-date issues do not stay around indefinitely.
If you believe this issue is still relevant, please put a comment on it on why, and if it truly needs to stay, request or add the 'pinned' label.

Can someone from the core Quarkus team declare the Quarkus artifact inside the NVD database?
Here is the up-to-date suppression dependency file that I use:

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
    <!--
        This is a CPE suppression file for the maven dependency check plugin.
        Each CPE that is found by error (false positive) needs to be suppressed for a specific jar using its GAV.
        See https://jeremylong.github.io/DependencyCheck/general/suppression.html
     -->
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for quarkus-jdbc-postgresql to postgresql
            ]]>
        </notes>
        <gav regex="true">^io\.quarkus:quarkus-jdbc-postgresql:.*$</gav>
        <cpe>cpe:/a:postgresql:postgresql</cpe>
    </suppress>
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for quarkus-resteasy to resteasy
            ]]>
        </notes>
        <gav regex="true">^io\.quarkus:quarkus-resteasy.*:.*$</gav>
        <cpe>cpe:/a:redhat:resteasy</cpe>
    </suppress>
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for quarkus-undertow to undertow
            ]]>
        </notes>
        <gav regex="true">^io\.quarkus:quarkus-undertow.*:.*$</gav>
        <cpe>cpe:/a:redhat:undertow</cpe>
    </suppress>
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for quarkus-swagger-ui to swagger_project:swagger-ui
            ]]>
        </notes>
        <gav regex="true">^io\.quarkus:quarkus-swagger-ui.*:.*$</gav>
        <cpe>cpe:/a:swagger_project:swagger-ui</cpe>
    </suppress>
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for quarkus-netty to netty
            ]]>
        </notes>
        <gav regex="true">^io\.quarkus:quarkus-netty.*:.*$</gav>
        <cpe>cpe:/a:netty:netty</cpe>
    </suppress>
</suppressions>

@n1hility @emmanuelbernard do we have someone that could help with this?

Not off the top of my head. I don't even know the process.

@emmanuelbernard the process is to send an email:

Organizations interested in submitting CPE Names should contact the NVD CPE team at [email protected] for help with the processing of their submission.

It looks like this issue may have gone stale. Is there an update?

I just ran into the following with Quarkus 1.8.3:

One or more dependencies were identified with known vulnerabilities in shift-rest:

mutiny-0.7.0.jar (pkg:maven/io.smallrye.reactive/mutiny@0.7.0, cpe:2.3:a:mutiny:mutiny:0.7.0:*:*:*:*:*:*:*) : CVE-2013-0136, CVE-2018-15529
quarkus-resteasy-server-common-1.8.3.Final.jar (pkg:maven/io.quarkus/quarkus-resteasy-server-common@1.8.3.Final, cpe:2.3:a:redhat:resteasy:1.8.3:*:*:*:*:*:*:*) : CVE-2011-5245, CVE-2012-0818, CVE-2016-9606, CVE-2020-25633

Given the age of these CVEs, they are likely false positives, with the probable exception of: CVE-2020-25633.

CVE-2020-25633 is on the wrong artifact because Quarkus is not known in the CVE database, so the artifact resolution wrongly resolves quarkus-resteasy to RESTEasy itself (cpe:2.3:a:redhat:resteasy:1.8.3).

This issue is still valid.

@sberyozkin could we (or someone at Red Hat) take care of this?

@gsmet I'll investigate, also CC @stuartwdouglas. I believe it is a sync issue between the public Red Hat CVE DB and NVD, as I can often see NVD CVEs referring to the original Red Hat reported CVEs.

@sberyozkin if nobody declares the Quarkus Maven artifact to the NVD database, it resolves to what it knows (usually Red Hat libraries); as explained here https://nvd.nist.gov/products/cpe, someone needs to contact the NVD CPE team via its email [email protected]

@loicmathieu I'm going to look into it shortly, thanks

@loicmathieu Hi Loic, do you know how the OWASP matching algorithm works?
For example, if we have the association in NVD between cpe:2.3:a:quarkusio:quarkus:1.9.0:Final and a given CVE, is having .quarkus. in this CPE entry enough for the OWASP plugin to detect that that CVE is resolved when scanning a package like io.quarkus:quarkus-netty in any version of Quarkus after 1.9.0.Final?
We have dozens of extensions, so ideally a single CPE entry would be enough...

Thanks

@sberyozkin I have no idea how it is declared inside the NVD database.

@loicmathieu Sorry, my question is more about the OWASP plugin and its matching strategy.

@sberyozkin the OWASP plugin bases its matching strategy on CPE (Common Platform Enumeration).

Here is the evidence it found on quarkus-resteasy that leads to cpe:redhat:resteasy:1.8.3. As soon as a Quarkus CPE is declared in the NVD database, it will lead to a Quarkus CPE instead of a RESTEasy one, eliminating all the false positives.

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | jar | package name | resteasy | Highest |
| Vendor | pom | parent-artifactid | quarkus-resteasy-parent | Low |
| Vendor | file | name | quarkus-resteasy | High |
| Vendor | jar | package name | quarkus | Highest |
| Vendor | pom | name | Quarkus - RESTEasy - Runtime | High |
| Vendor | pom | artifactid | quarkus-resteasy | Low |
| Vendor | Manifest | Implementation-Vendor | JBoss by Red Hat | High |
| Vendor | jar | package name | io | Highest |
| Vendor | hint analyzer | vendor | redhat | Highest |
| Vendor | Manifest | os-arch | amd64 | Low |
| Vendor | Manifest | build-jdk-spec | 1.8 | Low |
| Vendor | jar | package name | runtime | Highest |
| Vendor | Manifest | specification-vendor | JBoss by Red Hat | Low |
| Vendor | Manifest | os-name | Linux | Medium |
| Vendor | Manifest | java-vendor | AdoptOpenJDK | Medium |
| Vendor | pom | groupid | io.quarkus | Highest |
| Vendor | Manifest | implementation-url | http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-resteasy-parent/quarkus-resteasy | Low |
| Product | jar | package name | resteasy | Highest |
| Product | Manifest | specification-title | Quarkus - RESTEasy - Runtime | Medium |
| Product | file | name | quarkus-resteasy | High |
| Product | jar | package name | quarkus | Highest |
| Product | pom | parent-artifactid | quarkus-resteasy-parent | Medium |
| Product | pom | name | Quarkus - RESTEasy - Runtime | High |
| Product | jar | package name | io | Highest |
| Product | Manifest | os-arch | amd64 | Low |
| Product | jar | package name | runtime | Highest |
| Product | Manifest | build-jdk-spec | 1.8 | Low |
| Product | Manifest | os-name | Linux | Medium |
| Product | Manifest | Implementation-Title | Quarkus - RESTEasy - Runtime | High |
| Product | pom | artifactid | quarkus-resteasy | Highest |
| Product | Manifest | implementation-url | http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-resteasy-parent/quarkus-resteasy | Low |
| Product | pom | groupid | io.quarkus | Highest |
| Version | pom | version | 1.8.3.Final | Highest |
| Version | Manifest | Implementation-Version | 1.8.3.Final | High |

I just added an example app to our repo which uses Quarkus 1.9.2, and a lot of CVEs popped up:

graal-sdk-20.2.0.jar (pkg:maven/org.graalvm.sdk/graal-sdk@20.2.0, cpe:2.3:a:oracle:graalvm:20.2.0:*:*:*:*:*:*:*) : CVE-2020-14803
mutiny-0.9.0.jar (pkg:maven/io.smallrye.reactive/mutiny@0.9.0, cpe:2.3:a:mutiny:mutiny:0.9.0:*:*:*:*:*:*:*) : CVE-2013-0136, CVE-2018-15529
quarkus-undertow-1.9.2.Final.jar (pkg:maven/io.quarkus/quarkus-undertow@1.9.2.Final, cpe:2.3:a:redhat:undertow:1.9.2:*:*:*:*:*:*:*) : CVE-2019-10184, CVE-2019-10212, CVE-2019-14888, CVE-2019-3888, CVE-2020-10687, CVE-2020-10705, CVE-2020-10719, CVE-2020-1745, CVE-2020-1757
vertx-core-3.9.4.jar (pkg:maven/io.vertx/vertx-core@3.9.4, cpe:2.3:a:eclipse:vert.x:3.9.4:*:*:*:*:*:*:*) : CVE-2019-17640

Would you mind updating those vulnerable dependencies? Should I create another issue for that?

@lukaszlenart what you see is exactly the issue I described in this issue; except for Vert.x, all of these are false positives.

  • graal-sdk is detected as GraalVM, and the CVE is for an issue in the VM, not in the SDK
  • mutiny is detected as something else
  • quarkus-undertow is detected as Undertow itself, so an old CVE is linked

By adding Quarkus to the NVD database, quarkus-undertow would be detected as Quarkus and not Undertow, and the issue would disappear.

The dependency check plugin uses CPEs to detect a dependency as a known target in the vulnerability database, based on collected evidence (file name, Maven artifactId/groupId); as long as Quarkus is not defined there, false positives will exist. No dependency upgrade would correct this.
You can add an exclusion file to work around this issue.
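As an added example (not code from the issue or the Quarkus project), the script below parses findings in the one-line format dependency-check prints throughout this thread, flags io.quarkus artifacts whose matched CPE vendor is not quarkusio (the vendor used in the CPE mentioned earlier in the thread; treated here as an assumption), and emits `<suppress>` entries in the same gav-regex plus `cpe:/a:` form as the hand-written suppression file. The sample findings are constructed from lines quoted above.

```python
import re
import xml.etree.ElementTree as ET

NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd"
# Constructed sample in the one-line format dependency-check prints (shaped like the thread's output).
SAMPLE_FINDINGS = """\
quarkus-jdbc-postgresql-0.15.0.jar (pkg:maven/io.quarkus/quarkus-jdbc-postgresql@0.15.0, cpe:2.3:a:postgresql:postgresql:0.15.0:*:*:*:*:*:*:*) : CVE-2007-2138, CVE-2010-0733
quarkus-undertow-1.9.2.Final.jar (pkg:maven/io.quarkus/quarkus-undertow@1.9.2.Final, cpe:2.3:a:redhat:undertow:1.9.2:*:*:*:*:*:*:*) : CVE-2019-10184, CVE-2020-1757
vertx-core-3.9.4.jar (pkg:maven/io.vertx/vertx-core@3.9.4, cpe:2.3:a:eclipse:vert.x:3.9.4:*:*:*:*:*:*:*) : CVE-2019-17640
"""

# "<jar> (<purl>, <cpe 2.3>) : <CVE list>" -> named groups for Maven coordinates and CPE vendor/product
FINDING_RE = re.compile(
    r"^(?P<jar>\S+\.jar) \(pkg:maven/(?P<group>[^/]+)/(?P<artifact>[^@]+)@(?P<version>[^,]+), "
    r"cpe:2\.3:a:(?P<vendor>[^:]+):(?P<product>[^:]+):[^)]*\) : (?P<cves>.*)$"
)

def parse_findings(text):
    """One dict per finding line: jar, group, artifact, version, vendor, product, cves."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["cves"] = [c.strip() for c in d["cves"].split(",")]
            findings.append(d)
    return findings

def is_misresolved(f, group="io.quarkus", expected_vendor="quarkusio"):
    """Quarkus artifact matched to a foreign CPE vendor (the wrapped library's, e.g. redhat/postgresql)."""
    return f["group"] == group and f["vendor"] != expected_vendor

def suppression_entries(findings):
    """Per mis-resolved artifact: notes, a gav regex on groupId:artifactId, and the cpe:/a: prefix."""
    rx = lambda s: s.replace(".", r"\.")  # dots are the only regex metacharacters in Maven coordinates
    return [{
        "notes": f"Suppress the false positive CPE for {f['artifact']} to {f['vendor']}:{f['product']}",
        "gav": rf"^{rx(f['group'])}:{rx(f['artifact'])}:.*$",
        "cpe": f"cpe:/a:{f['vendor']}:{f['product']}",
    } for f in findings if is_misresolved(f)]

def to_suppression_xml(entries):
    """Serialise the entries as a dependency-check suppression file."""
    root = ET.Element("suppressions", xmlns=NS)
    for e in entries:
        s = ET.SubElement(root, "suppress")
        ET.SubElement(s, "notes").text = e["notes"]
        ET.SubElement(s, "gav", regex="true").text = e["gav"]
        ET.SubElement(s, "cpe").text = e["cpe"]
    return ET.tostring(root, encoding="unicode")
```

Review each generated entry before committing it: a suppression hides every CVE on that CPE for the artifact, so it belongs only on wrappers whose groupId proves the mis-resolution, never on the real library (vertx-core above is left alone).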

Thanks a lot @loicmathieu for the clarification!
