Dependency check doesn't spot a .Net vulnerability


ShaneInSweden

Nov 13, 2017, 4:18:37 AM11/13/17
to Dependency Check
I was running a comparison between WhiteSource and Dependency Check. I created a Microsoft Windows console app project which uses the nuget package System.Net.Security v.4.3.0 (see attached picture msNuget.jpg).

I then ran dependency check on the output catalogue and got the attached report which shows no vulnerabilities. Unfortunately there is a vulnerability, CVE-2017-0249.



Can anyone help me as to why the vulnerability was not reported?


I set the copy local flag on the System.Net.Security reference so that the dll would be physically present in the output catalogue scanned (see attached picture nuget_output.jpg). Do we have to do this if we are using dependency check? Or can it pick up references like, say, DotPeek does? I also downloaded the nuget package 4.3.0 manually and checked the version of the dll against the file version in my output catalogue just to double check I had the same dll.

To recreate the problem

1. Create a new class library or console project in visual studio.
2. Under the project properties set the Target Framework to .Net Framework 4.6
3. Under the package manager console window install the vulnerable package

Install-Package System.Net.Security -Version 4.3.0


4. Under references select the System.Net.Security reference and set the copy local property to "true"
5. Build the project
6. Run the dependency check on the output catalogue, e.g.:

dependency-check.bat --project "test" --scan "C:\DependTest\DependTest\bin\Debug"

Or alternatively download the solution from this onedrive link, build and run the dependency check



/shane
 

dependency-check-report.html
msNuget.JPG
nuget_output.JPG

ShaneInSweden

Nov 14, 2017, 3:25:45 AM11/14/17
to Dependency Check
If I didn't make it entirely clear:

Whitesource DOES report an alert related to the dll belonging to the vulnerable package
Dependency check DOES NOT report an alert related to the dll belonging to the vulnerable package

Does anyone know why?

Hans Aikema

Nov 14, 2017, 5:33:56 PM11/14/17
to ShaneInSweden, Check Dependency
The Why for not reporting it is in your HTML-report.
If you click the link to show all dependencies and then investigate the System.Net.Security dependency and its evidence you’ll see that the .NET analyzer of dependency-check has detected your .dll as version 4.0.1.0 of the library.
According to the MS report version 4.0.1 is patched for the vulnerability, so it does not show up.

How the DependencyCheck .NET analyzer detects the library versions is beyond my knowledge, but the reason for not reporting a vulnerability is that it detects the library to be a non-vulnerable version.

regards,
Hans Aikema



Jeremy Long

Nov 14, 2017, 6:15:23 PM11/14/17
to Hans Aikema, ShaneInSweden, dependen...@googlegroups.com
To be clear, what dependency-check uses for identification is the textual evidence from the assembly. In this case the dll's extended properties indicate that the version is 4.0.1.0, which appears to be different than what the nuget package says is the version number. I need to spend time working on both .net and python support in the near future.

Jeremy


ShaneInSweden

Nov 15, 2017, 2:29:30 AM11/15/17
to Dependency Check

Hi,

thanks for looking at that. If you check Microsoft's advisory you can see that version 4.3.0 of the package is unpatched and vulnerable. The version of the dll is 4.0.1.0 (see the attached picture system.net.securityfromnuget4.3.0.jpg using DotPeek). The patched version of the package is 4.3.1 and if you look at the same dll in that package then the version is 4.0.1.1 (see the attached picture system.net.securityfromnuget4.3.1.jpg - again taken using DotPeek).

You can download the 2 different versions of the nuget package here using the manual download link, change the file extension to .zip and grab the dll for inspection.

/shane

So the vulnerability exists and should be reported as such.


system.net.securityfromnuget4.3.1.jpg
system.net.securityfromnuget4.3.0.jpg
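One way to cross-check the package identity this thread is about, as an added Python example that is not part of the thread or of Dependency Check: it reads the version NuGet itself declares (from packages.config, or from the .nuspec inside a .nupkg, which is a zip as Shane notes) and matches it against a constructed table holding only the fact stated here (System.Net.Security 4.3.0 affected by CVE-2017-0249, 4.3.1 patched), which also shows why matching on the DLL's 4.0.1.0 assembly version yields no hit. The packages.config and the in-memory .nupkg are constructed samples.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed packages.config for a console app like the one in the thread.
PACKAGES_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="System.Net.Security" version="4.3.0" targetFramework="net46" />
</packages>"""

# Constructed table holding only what the thread states: package 4.3.0 is
# affected by CVE-2017-0249 and 4.3.1 is the patched package version.
VULN_TABLE = {"System.Net.Security": [("CVE-2017-0249", "4.3.0", "4.3.1")]}

def parse_version(text):
    # "4.0.1.0" -> (4, 0, 1, 0); tuples compare element by element.
    return tuple(int(part) for part in text.split("."))

def packages_from_config(xml_text):
    # Package identity as NuGet declares it, not as stamped into the DLL.
    root = ET.fromstring(xml_text)
    return {p.get("id"): p.get("version") for p in root.iter("package")}

def nuspec_identity(nupkg_bytes):
    # A .nupkg is a zip; its .nuspec carries the package id and version.
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as pkg:
        name = next(n for n in pkg.namelist() if n.endswith(".nuspec"))
        root = ET.fromstring(pkg.read(name))
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    meta = root.find(ns + "metadata")
    return meta.find(ns + "id").text, meta.find(ns + "version").text

def sample_nupkg():
    # Constructed minimal package; a real one also ships lib/<tfm>/*.dll.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("System.Net.Security.nuspec",
                     '<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">'
                     "<metadata><id>System.Net.Security</id><version>4.3.0</version></metadata></package>")
    return buf.getvalue()

def find_vulns(packages):
    # Flag a package when first_affected <= version < first_fixed.
    hits = []
    for pkg_id, version in packages.items():
        for cve, first_bad, first_fixed in VULN_TABLE.get(pkg_id, []):
            if parse_version(first_bad) <= parse_version(version) < parse_version(first_fixed):
                hits.append((pkg_id, version, cve))
    return hits
```

Feeding the DLL's own version string (4.0.1.0) into find_vulns returns nothing, which is exactly the false negative Hans and Jeremy describe; feeding the NuGet-declared 4.3.0 returns the CVE.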

Jeremy Long

Dec 22, 2017, 7:20:30 AM12/22/17
to Dependency Check
I have created a ticket to track this issue: https://github.com/jeremylong/DependencyCheck/issues/1046