Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

False negative Jetty #1537

Closed
andyswe opened this issue Oct 25, 2018 · 1 comment
Closed

False negative Jetty #1537

andyswe opened this issue Oct 25, 2018 · 1 comment
Labels

Comments

@andyswe
Copy link

andyswe commented Oct 25, 2018

Hello,
I'm running the following test gradle project and think I have a false negative on Jetty via Dropwizard. (related to #1512 ???):

buildscript {
    repositories {
        mavenCentral()
    }
}

plugins {
    id "org.owasp.dependencycheck" version "3.3.2"
    id "java"
}
repositories {
    mavenCentral()
}

ext {
    dropwizardVersion = "1.3.1"
}

dependencies {
    compile group: 'io.dropwizard', name: 'dropwizard-core', version: dropwizardVersion
    compile group: 'io.dropwizard', name: 'dropwizard-auth', version: dropwizardVersion
}

dependencyCheck {
    format='ALL'
}

In the HTML vulnerability report I get

Scan Information (show less):
dependency-check version: 3.3.2
Report Generated On: Oct 25, 2018 at 10:11:20 +02:00
Dependencies Scanned: 92 (92 unique)
Vulnerable Dependencies: 0
Vulnerabilities Found: 0
Vulnerabilities Suppressed: 0
NVD CVE 2002: 20/10/2018 09:49:35
NVD CVE 2003: 20/10/2018 09:47:04
NVD CVE 2004: 20/10/2018 09:46:21
NVD CVE 2005: 20/10/2018 09:45:02
NVD CVE 2006: 20/10/2018 09:42:51
NVD CVE 2007: 20/10/2018 09:39:31
NVD CVE 2008: 20/10/2018 09:36:21
NVD CVE 2009: 19/10/2018 09:48:16
NVD CVE 2010: 19/10/2018 09:45:17
NVD CVE 2011: 19/10/2018 09:41:18
NVD CVE 2012: 22/10/2018 09:24:35
NVD CVE 2013: 23/10/2018 09:33:09
NVD CVE 2014: 23/10/2018 13:17:54
NVD CVE 2015: 23/10/2018 09:25:40
NVD CVE 2016: 23/10/2018 09:21:31
NVD CVE 2017: 23/10/2018 13:17:52
NVD CVE 2018: 23/10/2018 09:05:31
NVD CVE Checked: 25/10/2018 09:00:57
NVD CVE Modified: 25/10/2018 07:03:26
VersionCheckOn: 1540296866020

If I scroll down to jetty-servlets-9.4.8.v20171121.jar in the dependenct list, the following CPEs are identified for jetty-servlets-9.4.8.v20171121.jar.

cpe:/a:eclipse:jetty:9.4.8.v20171121
cpe:/a:jetty:jetty:9.4.8.v20171121

If I search the first CPE on https://nvd.nist.gov/vuln/search resulting in:

https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=cpe%3A%2Fa%3Aeclipse%3Ajetty%3A9.4.8.v20171121&search_type=all

Thus, vulnerabilities exist for my (transitive) dependencies but the produced report is empty of vulnerabilities.
Bug? General or specific to jetty? Is it a problem with CPE 2.2 vs 2.3? Or XML/JSON format?
How can we proceed to get a true positive on jetty-servlets-9.4.8.v20171121.jar

gradle clean check dependencyCheckAnalyze -info -debug > check_issue.log in https://gist.github.com/andyswe/48b4a4934ae780c2a21cc026bc1df585

Best regards, Andreas

Details on jetty-servlets-9.4.8.v20171121.jar in the report:

jetty-servlets-9.4.8.v20171121.jar
Description:

 Utility Servlets from Jetty
License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\andreas\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-servlets\9.4.8.v20171121\f7b7f3d6be91f5e1a47b4d3ecaf286652b4d1332\jetty-servlets-9.4.8.v20171121.jar
MD5: 920b12079422b8f34f57815c855ecd5f
SHA1: f7b7f3d6be91f5e1a47b4d3ecaf286652b4d1332
SHA256:50ed558aac35fdb08c39d7d8c30f898d199c17e3f002a2d16521bce7325421c1
Referenced In Projects/Scopes:
owasp-test:compile
owasp-test:runtimeClasspath
owasp-test:runtime
owasp-test:default
owasp-test:compileClasspath
Evidence
Identifiers
maven: org.eclipse.jetty:jetty-servlets:9.4.8.v20171121  Confidence:Highest
cpe: cpe:/a:eclipse:jetty:9.4.8.v20171121  Confidence:Low  suppress
cpe: cpe:/a:jetty:jetty:9.4.8.v20171121  Confidence:Low  suppress
@lock
Copy link

lock bot commented Nov 27, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Nov 27, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Projects
None yet
Development

No branches or pull requests

2 participants