Hello,
I'm running the following test gradle project and think I have a false negative on Jetty via Dropwizard. (related to #1512 ???):
    buildscript {
        repositories {
            mavenCentral()
        }
    }

    plugins {
        id "org.owasp.dependencycheck" version "3.3.2"
        id "java"
    }

    repositories {
        mavenCentral()
    }

    ext {
        dropwizardVersion = "1.3.1"
    }

    dependencies {
        compile group: 'io.dropwizard', name: 'dropwizard-core', version: dropwizardVersion
        compile group: 'io.dropwizard', name: 'dropwizard-auth', version: dropwizardVersion
    }

    dependencyCheck {
        format = 'ALL'
    }
In the HTML vulnerability report I get
Scan Information (show less):
dependency-check version: 3.3.2
Report Generated On: Oct 25, 2018 at 10:11:20 +02:00
Dependencies Scanned: 92 (92 unique)
Vulnerable Dependencies: 0
Vulnerabilities Found: 0
Vulnerabilities Suppressed: 0
NVD CVE 2002: 20/10/2018 09:49:35
NVD CVE 2003: 20/10/2018 09:47:04
NVD CVE 2004: 20/10/2018 09:46:21
NVD CVE 2005: 20/10/2018 09:45:02
NVD CVE 2006: 20/10/2018 09:42:51
NVD CVE 2007: 20/10/2018 09:39:31
NVD CVE 2008: 20/10/2018 09:36:21
NVD CVE 2009: 19/10/2018 09:48:16
NVD CVE 2010: 19/10/2018 09:45:17
NVD CVE 2011: 19/10/2018 09:41:18
NVD CVE 2012: 22/10/2018 09:24:35
NVD CVE 2013: 23/10/2018 09:33:09
NVD CVE 2014: 23/10/2018 13:17:54
NVD CVE 2015: 23/10/2018 09:25:40
NVD CVE 2016: 23/10/2018 09:21:31
NVD CVE 2017: 23/10/2018 13:17:52
NVD CVE 2018: 23/10/2018 09:05:31
NVD CVE Checked: 25/10/2018 09:00:57
NVD CVE Modified: 25/10/2018 07:03:26
VersionCheckOn: 1540296866020
If I scroll down to jetty-servlets-9.4.8.v20171121.jar in the dependency list, the following CPEs are identified for jetty-servlets-9.4.8.v20171121.jar:
cpe:/a:eclipse:jetty:9.4.8.v20171121
cpe:/a:jetty:jetty:9.4.8.v20171121
Searching for the first CPE on https://nvd.nist.gov/vuln/search results in:
https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=cpe%3A%2Fa%3Aeclipse%3Ajetty%3A9.4.8.v20171121&search_type=all
Thus, vulnerabilities exist for my (transitive) dependencies but the produced report is empty of vulnerabilities.
Bug? General or specific to jetty? Is it a problem with CPE 2.2 vs 2.3? Or XML/JSON format?
How can we proceed to get a true positive on jetty-servlets-9.4.8.v20171121.jar?
gradle clean check dependencyCheckAnalyze -info -debug > check_issue.log in https://gist.github.com/andyswe/48b4a4934ae780c2a21cc026bc1df585
Best regards, Andreas
Details on jetty-servlets-9.4.8.v20171121.jar in the report:
jetty-servlets-9.4.8.v20171121.jar
Description:
Utility Servlets from Jetty
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\andreas\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-servlets\9.4.8.v20171121\f7b7f3d6be91f5e1a47b4d3ecaf286652b4d1332\jetty-servlets-9.4.8.v20171121.jar
MD5: 920b12079422b8f34f57815c855ecd5f
SHA1: f7b7f3d6be91f5e1a47b4d3ecaf286652b4d1332
SHA256: 50ed558aac35fdb08c39d7d8c30f898d199c17e3f002a2d16521bce7325421c1
Referenced In Projects/Scopes:
owasp-test:compile
owasp-test:runtimeClasspath
owasp-test:runtime
owasp-test:default
owasp-test:compileClasspath
Evidence
Identifiers
maven: org.eclipse.jetty:jetty-servlets:9.4.8.v20171121 Confidence:Highest
cpe: cpe:/a:eclipse:jetty:9.4.8.v20171121 Confidence:Low suppress
cpe: cpe:/a:jetty:jetty:9.4.8.v20171121 Confidence:Low suppress
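As an added illustration of the CPE 2.2 vs 2.3 question raised above, and of how a timestamped Jetty version string such as 9.4.8.v20171121 can fall outside a naive version-range comparison (example code written for this issue, not part of the report and not dependency-check's own matching logic; the range entry and every value in it are constructed, not real NVD data):

```python
import re

# Added example (not dependency-check's code): CPE 2.2 URI -> CPE 2.3 string,
# plus NVD-style range checks that show why a Jetty build qualifier can cause
# a miss. The range below is constructed for illustration, not a real CVE.

def cpe22_to_23(cpe22: str) -> str:
    """Convert a CPE 2.2 URI (cpe:/part:vendor:product:...) to a CPE 2.3 formatted string."""
    if not cpe22.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: " + cpe22)
    fields = cpe22[len("cpe:/"):].split(":")
    fields = [f or "*" for f in fields] + ["*"] * (7 - len(fields))  # 2.2 has 7 fields
    return "cpe:2.3:" + ":".join(fields) + ":*:*:*:*"  # 2.3 has 4 more (sw/target/other)

JETTY_QUALIFIER = re.compile(r"\.v\d{8}$")  # Jetty build qualifier, e.g. ".v20171121"

def version_key(version: str, strip_qualifier: bool = False):
    """Turn a dotted version into a comparable list; numeric parts sort numerically."""
    if strip_qualifier:
        version = JETTY_QUALIFIER.sub("", version)
    key = []
    for token in re.split(r"[.\-]", version):
        m = re.fullmatch(r"(\d+)(.*)", token)
        key.append((0, int(m.group(1)), m.group(2)) if m else (1, 0, token))
    return key

def in_range(version, start_incl=None, end_incl=None, end_excl=None, strip_qualifier=False):
    """Apply NVD-style bounds: versionStartIncluding / versionEndIncluding / versionEndExcluding."""
    v = version_key(version, strip_qualifier)
    if start_incl and v < version_key(start_incl, strip_qualifier):
        return False
    if end_incl and v > version_key(end_incl, strip_qualifier):
        return False
    if end_excl and v >= version_key(end_excl, strip_qualifier):
        return False
    return True

# Constructed match entry (hypothetical): affected versions 9.4.0 through 9.4.8 inclusive.
CONSTRUCTED_RANGE = {"start_incl": "9.4.0", "end_incl": "9.4.8"}

def matches(version: str, strip_qualifier: bool) -> bool:
    """Does the dependency's version fall inside the constructed range?"""
    return in_range(version, strip_qualifier=strip_qualifier, **CONSTRUCTED_RANGE)

if __name__ == "__main__":
    v = "9.4.8.v20171121"
    print(cpe22_to_23("cpe:/a:eclipse:jetty:" + v))
    print("naive match:", matches(v, False))            # False: ".v20171121" sorts after 9.4.8
    print("qualifier-aware match:", matches(v, True))   # True
```

With the raw string, 9.4.8.v20171121 compares greater than 9.4.8 and the inclusive upper bound is missed; stripping the Jetty qualifier before comparing puts it back inside the range, which is the kind of behaviour to check for when a report shows the CPE identified but no findings.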