Describe the bug
Not sure if this is strictly a bug (it's more dodgy-data), but I felt it was worth raising, as it caused confusion.
A local build had created some intermediate JARs which only contained a single file: META-INF/MANIFEST.MF with placeholder created/modified dates.
When scanned, the JAR was identified as matching multiple different maven packages.
After investigating, it seems that the issue is that there are JAR files in the (OSS?)index that have matching contents & modified dates.
These JAR files seem to be related to failed releases.
Identifiers
pkg:maven/com.github.tony19/[email protected] (Confidence:Highest)
pkg:maven/com.net128.oss.web.lib/[email protected] (Confidence:Highest)
pkg:maven/com.palantir.atlasdb/[email protected] (Confidence:Highest)
pkg:maven/com.palantir.atlasdb/[email protected] (Confidence:Highest)
pkg:maven/com.palantir.atlasdb/[email protected] (Confidence:Highest)
pkg:maven/com.palantir.atlasdb/[email protected] (Confidence:Highest)
pkg:maven/com.palantir.atlasdb/[email protected] (Confidence:Highest)
pkg:maven/com.palantir.atlasdb/[email protected] (Confidence:Highest)
pkg:maven/com.palantir.atlasdb/[email protected] (Confidence:Highest)
pkg:maven/dev.inmo/[email protected] (Confidence:Highest)
pkg:maven/dev.inmo/[email protected] (Confidence:Highest)
pkg:maven/dev.inmo/[email protected] (Confidence:Highest)
pkg:maven/dev.inmo/[email protected] (Confidence:Highest)
pkg:maven/it.unibo.alchemist/[email protected] (Confidence:Highest)
pkg:maven/org.jetbrains.kotlin-wrappers/[email protected] (Confidence:Highest)
pkg:maven/org.ton/[email protected] (Confidence:Highest)
pkg:maven/org.ton/[email protected] (Confidence:Highest)
Version of dependency-check used
The problem occurs using version 7.4.0 of the cli
Log file
https://gist.github.com/andy-may-at/4e9234c02d5676e0942d691ab7d00346
To Reproduce
Steps to reproduce the behavior:
I've created a repo with example jar & example output
git clone https://github.com/paulsamuels/cve-false-positive-example
cd cve-false-positive-example
dependency-check --scan reproduces-issue.jar
Expected behavior
Jar to not be identified as any known package
Additional context
Evidence & additional detail in https://github.com/paulsamuels/cve-false-positive-example
README of that repo is reproduced below:
I'm pretty sure that the root cause of this is twofold:
- Some index of .jar files contains the hashes of broken/incomplete releases that had almost nothing in their .jar files (I'm guessing the OSSIndex)
- A local build produces some .jar files with matching content
Not sure if this is something that needs to be 'fixed' in dependency-check, but thought it was worth sharing
Repository contents
reproduces-issue.jar - a JAR that reproduces the issue when scanned
dependency-check-report.html - an example scan report
jar-with-different-modified-dates.jar - a JAR which is identical apart from modified/created dates & does not reproduce the issue (has different MD5/SHA1/SHA256)
Steps to reproduce
- Found with dependency-check CLI 7.4.0 installed on M1 Mac
> git clone https://github.com/paulsamuels/cve-false-positive-example
> cd cve-false-positive-example
> dependency-check --scan reproduces-issue.jar
The generated report identifies the jar as being multiple maven packages.
How the issue was found:
- A java build ends up producing some .jar files that only contain a META-INF/MANIFEST.MF file. That file only contains the content:
- Both the file & its parent META-INF directory have created+modified dates of 1 February 1980 at 00:00
- A dependency check is run that scans the .jar (Issue found in dependency-check 7.4.0 CLI installed via homebrew)
- The dependency-check output reports (with highest confidence) that the .jar is an instance of a lot of other java packages:
Identifiers
pkg:maven/com.github.tony19/[email protected] (Confidence:Highest)
pkg:maven/com.net128.oss.web.lib/[email protected] (Confidence:Highest)
pkg:maven/com.palantir.atlasdb/[email protected] (Confidence:Highest)
pkg:maven/com.palantir.atlasdb/[email protected] (Confidence:Highest)
pkg:maven/com.palantir.atlasdb/[email protected] (Confidence:Highest)
pkg:maven/com.palantir.atlasdb/[email protected] (Confidence:Highest)
pkg:maven/com.palantir.atlasdb/[email protected] (Confidence:Highest)
pkg:maven/com.palantir.atlasdb/[email protected] (Confidence:Highest)
pkg:maven/com.palantir.atlasdb/[email protected] (Confidence:Highest)
pkg:maven/dev.inmo/[email protected] (Confidence:Highest)
pkg:maven/dev.inmo/[email protected] (Confidence:Highest)
pkg:maven/dev.inmo/[email protected] (Confidence:Highest)
pkg:maven/dev.inmo/[email protected] (Confidence:Highest)
pkg:maven/it.unibo.alchemist/[email protected] (Confidence:Highest)
pkg:maven/org.jetbrains.kotlin-wrappers/[email protected] (Confidence:Highest)
pkg:maven/org.ton/[email protected] (Confidence:Highest)
pkg:maven/org.ton/[email protected] (Confidence:Highest)
The identified packages seem to exist in the Sonatype OSSIndex, but have not been published to Maven Central.
They smell like failed releases.
Other evidence
A .jar file with the same Manifest file content (but different modified dates) does not get identified as these maven packages,
e.g. jar-with-different-modified-dates.jar
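The README's observation that changing only the entry timestamps changes the MD5/SHA1/SHA256 of the JAR is the whole mechanism behind the false match: a JAR is a ZIP, every entry's DOS date/time is written into the local file header and the central directory, so two manifest-only JARs built with the same placeholder timestamp are byte-identical and hash identically, whoever built them. The script below is an added illustration, not code from the issue, from dependency-check or from the linked repository. It builds manifest-only JARs in memory with the 1 February 1980 timestamp from the issue and with a second, constructed timestamp, compares their digests, and includes a small check a scan pipeline could use to flag manifest-only JARs before they are matched against any index. The manifest text and the second timestamp are constructed for the example.

```python
import hashlib
import io
import zipfile

# Constructed manifest text for the example; the issue does not show the real
# contents of the affected MANIFEST.MF.
MANIFEST = b"Manifest-Version: 1.0\r\n\r\n"

# Timestamp reported in the issue for both META-INF/ and the manifest.
PLACEHOLDER_TIME = (1980, 2, 1, 0, 0, 0)
# Any other timestamp; constructed for the comparison.
REAL_BUILD_TIME = (2022, 12, 15, 10, 30, 0)


def build_jar(date_time, files):
    """Build an in-memory JAR (a ZIP) with every entry stamped with date_time.

    files maps entry names to bytes. A META-INF/ directory entry is written
    first, as build tools do, so its DOS timestamp is part of the archive too.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        dir_info = zipfile.ZipInfo("META-INF/", date_time=date_time)
        dir_info.external_attr = 0o40755 << 16  # drwxr-xr-x
        zf.writestr(dir_info, b"")
        for name, data in files.items():
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o100644 << 16  # -rw-r--r--
            zf.writestr(info, data)
    return buf.getvalue()


def build_manifest_only_jar(date_time):
    """The degenerate JAR from the issue: only META-INF/MANIFEST.MF inside."""
    return build_jar(date_time, {"META-INF/MANIFEST.MF": MANIFEST})


def digests(data):
    """MD5/SHA1/SHA256 of the whole archive, the values a hash lookup keys on."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def entry_timestamps(data):
    """(name, date_time) for every entry, read back from the ZIP headers."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(i.filename, i.date_time) for i in zf.infolist()]


def is_manifest_only_jar(data):
    """True when the archive holds nothing but META-INF/ and a manifest.

    Such a JAR carries no code, so a hash match against an index says nothing
    about which project it came from; a scan pipeline can skip or flag it.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
    return "META-INF/MANIFEST.MF" in names and names <= {"META-INF/", "META-INF/MANIFEST.MF"}


def compare(a, b):
    """Summarise why two archives do or do not hash the same."""
    names_a = [n for n, _ in entry_timestamps(a)]
    names_b = [n for n, _ in entry_timestamps(b)]
    return {
        "same_bytes": a == b,
        "same_sha1": digests(a)["sha1"] == digests(b)["sha1"],
        "same_entry_names": names_a == names_b,
        "same_timestamps": entry_timestamps(a) == entry_timestamps(b),
    }


if __name__ == "__main__":
    placeholder = build_manifest_only_jar(PLACEHOLDER_TIME)
    placeholder_again = build_manifest_only_jar(PLACEHOLDER_TIME)  # "someone else's" build
    dated = build_manifest_only_jar(REAL_BUILD_TIME)
    print("two builds with placeholder dates:", compare(placeholder, placeholder_again))
    print("placeholder vs real dates:        ", compare(placeholder, dated))
    print("manifest-only?", is_manifest_only_jar(placeholder))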