paulsamuels/cve-false-positive-example

Example of false positives (FPs) when scanning a .jar file with minimal content and default dates.

I'm pretty sure that the root cause of this is twofold:

  1. Some index of .jar files contains the hashes of broken/incomplete releases that had almost nothing in their .jar files (I'm guessing the OSSIndex)
  2. A local build produces some .jar files with matching content

Not sure if this is something that needs to be 'fixed' in dependency-check, but thought it was worth sharing.

Repository contents

  • reproduces-issue.jar - a JAR that reproduces the issue when scanned
  • dependency-check-report.html - an example scan report
  • jar-with-different-modified-dates.jar - a JAR that is identical apart from its modified/created dates and does not reproduce the issue (it has different MD5/SHA1/SHA256 hashes)

Steps to reproduce

  • Found with dependency-check CLI 7.4.0 installed on an M1 Mac
> git clone https://github.com/paulsamuels/cve-false-positive-example
> cd cve-false-positive-example
> dependency-check --scan reproduces-issue.jar

The generated report identifies the JAR as being several different Maven packages at once.

How the issue was found:

  • A Java build produces some .jar files that contain only a META-INF/MANIFEST.MF file

  • That file contains only the following content:

Manifest-Version: 1.0

  • Both the file and its parent META-INF directory have created and modified dates of 1 February 1980 at 00:00
  • A dependency check is run that scans the .jar (issue found with the dependency-check 7.4.0 CLI installed via Homebrew)
  • The dependency-check output reports (with highest confidence) that the .jar is an instance of many other Java packages:
Identifiers
pkg:maven/com.github.tony19/[email protected]  (Confidence:Highest)
pkg:maven/com.net128.oss.web.lib/[email protected]  (Confidence:Highest)
pkg:maven/com.palantir.atlasdb/[email protected]  (Confidence:Highest)
pkg:maven/com.palantir.atlasdb/[email protected]  (Confidence:Highest)
pkg:maven/com.palantir.atlasdb/[email protected]  (Confidence:Highest)
pkg:maven/com.palantir.atlasdb/[email protected]  (Confidence:Highest)
pkg:maven/com.palantir.atlasdb/[email protected]  (Confidence:Highest)
pkg:maven/com.palantir.atlasdb/[email protected]  (Confidence:Highest)
pkg:maven/com.palantir.atlasdb/[email protected]  (Confidence:Highest)
pkg:maven/dev.inmo/[email protected]  (Confidence:Highest)
pkg:maven/dev.inmo/[email protected]  (Confidence:Highest)
pkg:maven/dev.inmo/[email protected]  (Confidence:Highest)
pkg:maven/dev.inmo/[email protected]  (Confidence:Highest)
pkg:maven/it.unibo.alchemist/[email protected]  (Confidence:Highest)
pkg:maven/org.jetbrains.kotlin-wrappers/[email protected]  (Confidence:Highest)
pkg:maven/org.ton/[email protected]  (Confidence:Highest)
pkg:maven/org.ton/[email protected]  (Confidence:Highest)

The identified packages seem to exist in the Sonatype OSSIndex, but have not been published to Maven Central. They smell like failed releases.

Other evidence

A .jar file with the same manifest content but different modified dates is not identified as these Maven packages, e.g. jar-with-different-modified-dates.jar.
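The mechanism behind both observations above (the 1980-dated manifest-only JAR matching many packages, and the differently dated copy matching none), as an added example that is not code from this repository or from dependency-check: it builds two manifest-only JARs in memory that differ only in entry timestamps, shows that the whole-file SHA-1 is stable for one date and different for the other, and adds a triage check that flags a JAR whose only content is a manifest, so that a hash-only identification of such a file can be treated as unreliable. The CRLF line terminators in the manifest, the second date and the directory-entry attributes are assumptions.

```python
"""Added example (not from the paulsamuels repository): why a JAR holding only
META-INF/MANIFEST.MF with fixed 1980 timestamps is byte-identical, and hence
hash-identical, to any other such JAR, plus a triage check for such files."""
import hashlib
import io
import zipfile

# The only manifest content the page reports (CRLF terminators are an assumption).
MANIFEST = b"Manifest-Version: 1.0\r\n\r\n"

# 1 February 1980 00:00 is the fixed date described on the page; the second,
# constructed date shows that changing only timestamps changes every hash.
EPOCH_1980 = (1980, 2, 1, 0, 0, 0)
OTHER_DATE = (2022, 11, 30, 12, 0, 0)


def build_jar(date_time, extra=()):
    """Return the bytes of a JAR with META-INF/ and META-INF/MANIFEST.MF, plus any
    (name, bytes) pairs in `extra`, every entry stamped with `date_time`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        dir_info = zipfile.ZipInfo("META-INF/", date_time=date_time)
        dir_info.external_attr = (0o40755 << 16) | 0x10  # directory entry (assumed attrs)
        zf.writestr(dir_info, b"")
        for name, data in (("META-INF/MANIFEST.MF", MANIFEST),) + tuple(extra):
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def sha1_hex(data):
    """Hex SHA-1 of the whole archive, the kind of digest a hash lookup would use."""
    return hashlib.sha1(data).hexdigest()


def is_degenerate_jar(data):
    """True when the archive contains nothing but a manifest (ignoring directory
    entries); a package name derived from the hash of such a JAR is not evidence."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        files = [n for n in zf.namelist() if not n.endswith("/")]
    return files == ["META-INF/MANIFEST.MF"]


if __name__ == "__main__":
    a, b = build_jar(EPOCH_1980), build_jar(OTHER_DATE)
    print("1980 dates :", sha1_hex(a), "rebuilt:", sha1_hex(build_jar(EPOCH_1980)))
    print("other dates:", sha1_hex(b))
    print("degenerate :", is_degenerate_jar(a))
```

Running the script prints the same digest twice for the 1980 build and a different one for the other date; `is_degenerate_jar` is the check to run before trusting a hash-only identifier in a scan report.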
