mysql-connector-java shows wrong vulnerabilities?


Shumpei Akai

May 30, 2014, 1:43:21 AM5/30/14
to dependen...@googlegroups.com
Dependency on mysql-connector-java 5.1.30 (the latest version) shows many vulnerabilities.
However, they seem to MySQL's vulnerabilities (not mysql-connector-java's).
False positive?

I use dependency-check-maven 1.2.1.

The dependency in the pom.xml is below:
---
<dependency>
    <groupId>mysql</groupId>
    <artifactId>mysql-connector-java</artifactId>
    <version>5.1.30</version>
    <scope>runtime</scope>
</dependency>
---
and the attachment is the report.

dependency-check-report.html

Steve Springett

May 30, 2014, 1:53:24 AM5/30/14
to dependen...@googlegroups.com
Shumpei,

Yes, this is a false positive, as the NVD does not support finer grained components in their database, only product and version. 

For MySQL, it might be good to keep these around as it may indicate old server versions in production as well. But the finding itself on the JDBC driver is a false positive that can be suppressed.

—Steve

--
You received this message because you are subscribed to the Google Groups "Dependency Check" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dependency-che...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Shumpei Akai

May 30, 2014, 7:18:11 AM5/30/14
to dependen...@googlegroups.com
Steve,

Okay, I understood.
I'll suppress these false positives.

Thanks.

On Friday, May 30, 2014 at 14:53:24 UTC+9, Steve Springett wrote:

Murray Williams

Aug 17, 2017, 7:15:24 AM8/17/17
to Dependency Check
Hi there Steve,

I'm also seeing the same problem, i.e. Dependency Check is picking up vulnerabilities in the MySQL database server software rather than in the MySQL Java Connector library that I'm using in my application. There are CVEs that relate to the connector, but it is not picking these up.

So I'm trying to use the hints file to tell Dependency Check to map the MySQL Connector JAR file to point to oracle:mysql_connectors but, so far, the hints seems to have had no effect. Any suggestions as to what I have done wrong?
<?xml version="1.0" encoding="UTF-8"?>
<hints xmlns="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.1.xsd">
<hint>
<given>
<fileName contains="mysql-connector"/>
</given>
<add>
<evidence type="product" source="hint" name="product" value="mysql_connectors" confidence="HIGHEST"/>
<evidence type="vendor" source="hint" name="vendor" value="oracle" confidence="HIGHEST"/>
</add>
</hint>
</hints>


mysql-connector-java-5.1.39.jar cpe:/a:mysql:mysql:5.1.39 mysql:mysql-connector-java:5.1.39 ✓ High 95 HIGHEST 27

(The hints file is definitely getting picked up, because if I rename it, I see an error when running Dependency Checker.)

Thanks in anticipation,
Murray

Hans Aikema

Aug 18, 2017, 7:07:54 AM8/18/17
to Murray Williams, Dependency Check


Murray,

The fileName contains needs the full filename to match when not using regex (it uses java.lang.String#equals(java.lang.String)). So you could either use

<fileName contains="mysql-connector-java-5.1.39.jar"/>

or

<fileName contains="mysql-connector.*" regex="true"/>


to make it match (still would need to suppress the FP for oracle:mysql, but at least you will get the CVEs for oracle:mysql_connectors). I would suggest the latter as that will remain working after updating the version of your dependency.

I tried trimming down the found CPEs by removing all traces that hint towards the mysql database server (using the hints v1.2 schema), but unfortunately the matching in the CPE Analyzer still considers oracle / mysql_connectors to also fit the oracle:mysql CPE:

<hints xmlns="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.2.xsd">
<hint>
<given>
<fileName contains="mysql-connector.*" regex="true"/>
</given>
<add>
<evidence type="product" source="hint analyzer" name="product" value="mysql_connectors" confidence="HIGHEST"/>
<evidence type="vendor" source="hint analyzer" name="vendor" value="oracle" confidence="HIGHEST"/>
</add>
</hint>
<hint>
<given>
<evidence type="product" source="hint analyzer" name="product" value="mysql_connectors" confidence="HIGHEST"/>
<evidence type="vendor" source="hint analyzer" name="vendor" value="oracle" confidence="HIGHEST"/>
</given>
<remove>
<evidence type="vendor" source="central" name="groupid" value="mysql" confidence="HIGHEST"/>
<evidence type="vendor" source="pom" name="groupid" value="mysql" confidence="HIGHEST"/>
<evidence type="vendor" source="pom" name="url" value="http://dev.mysql.com/doc/connector-j/en/" confidence="HIGHEST"/>

<evidence type="product" source="central" name="artifactid" value="mysql-connector-java" confidence="HIGHEST"/>
<evidence type="product" source="pom" name="artifactid" value="mysql-connector-java" confidence="HIGHEST"/>
</remove>
</hint>
</hints>

resulting in

Initializing CPE Analyzer
Created CPE Index (1 seconds)
Starting CPE Analyzer
Parallel processing is not supported: CPE Analyzer.
Begin Analysis of '/Users/aikebah/.m2/repository/mysql/mysql-connector-java/5.1.43/mysql-connector-java-5.1.43.jar' (CPE Analyzer)
vendor search: oracle sun
product search: mysql_connectors
product:( mysql_connectors ) AND vendor:( oracle sun )
Verifying entry: IndexEntry{vendor=oracle, product=mysql_connectors}
identified vendor/product: oracle/mysql_connectors
Verifying entry: IndexEntry{vendor=oracle, product=mysql}
identified vendor/product: oracle/mysql
Verifying entry: IndexEntry{vendor=oracle, product=mysql_cluster}
Verifying entry: IndexEntry{vendor=oracle, product=mysql_workbench}
Verifying entry: IndexEntry{vendor=oracle, product=mysql_connector/net}
Verifying entry: IndexEntry{vendor=oracle, product=mysql_enterprise_monitor}
Verifying entry: IndexEntry{vendor=oracle, product=mysql_connector/c}
Verifying entry: IndexEntry{vendor=sun, product=mysql_connector/j}
Finished CPE Analyzer (1 seconds)



regards,
Hans

Murray Williams

Aug 21, 2017, 6:18:19 AM8/21/17
to Dependency Check, murr...@gmail.com

Hi there Hans,

Thanks very much for getting back to me so quickly.

I've found that the following will give me the results I'm expecting...

hints.xml:
<?xml version="1.0" encoding="UTF-8"?>
<hints xmlns="https://jeremylong.github.io/DependencyCheck/dependency-hint.1.2.xsd">
<hint>
<given>
<fileName contains="mysql-connector.*" regex="true"/>
</given>
<add>
<evidence type="product" source="hint analyzer" name="product" value="mysql_connectors" confidence="HIGHEST"/>
<evidence type="vendor" source="hint analyzer" name="vendor" value="oracle" confidence="HIGHEST"/>
</add>
</hint>
</hints>


supression.xml
<suppress>
<notes>We're not interested in vulnerabilities in MySQL server, only the Connector</notes>
<gav regex="true">^mysql:mysql-connector-java:.*$</gav>
<cpe>cpe:/a:mysql:mysql</cpe>
</suppress>
<suppress>
<notes>We're not interested in vulnerabilities in MySQL server, only the Connector.
Note we must specify the version number in the CPE tag otherwise the connector vulnerabilities also get excluded</notes>
<gav regex="true">^mysql:mysql-connector-java:.*$</gav>
<cpe>cpe:/a:oracle:mysql:5.1.39</cpe>
</suppress>

Any idea why suppressing <cpe>cpe:/a:oracle:mysql</cpe> results in cpe:/a:oracle:mysql_connectors:5.1.39 also getting suppressed? Is there anything I can do to prevent this other than specifying the exact version number?

Thanks again,
Murray

Hans Aikema

Aug 21, 2017, 7:22:34 AM8/21/17
to Murray Williams, Dependency Check
Murray,

I took a look at the code involved (CpeSuppressionAnalyzer and SuppressionRule). If the version is omitted for a cpe suppression, a 'startsWith()' comparison is done to see if the cpe starts with the given string (which of course is true when checking if 'cpe:/a:oracle:mysql' is the starting prefix of 'cpe:/a:oracle:mysql_connectors:5.1.39').

To fix this you can use the regex version of the cpe suppression (the startsWith comparison is only done for a non-regex cpe value, for a regex version the given regex is checked for a match):

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<suppress>
<gav regex="true">^mysql:mysql-connector-java:.*$</gav>
<cpe regex="true">cpe:/a:oracle:mysql:.*</cpe>
</suppress>
</suppressions>

regards,
Hans
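As an added example (not dependency-check's own code), the following Python model reproduces the two matching rules described in this thread: fileName hints compare with equals unless regex="true", and cpe suppressions use a startsWith prefix test unless regex="true". It runs against the identifiers from Murray's report; treating a regex as a whole-string match is an assumption made here.

```python
import re

# Constructed sample: the identifiers dependency-check attached to the
# connector jar in this thread (the Maven GAV plus the matched CPEs).
GAV = "mysql:mysql-connector-java:5.1.39"
CPES = [
    "cpe:/a:mysql:mysql:5.1.39",
    "cpe:/a:oracle:mysql:5.1.39",
    "cpe:/a:oracle:mysql_connectors:5.1.39",
]


def filename_hint_matches(contains: str, filename: str, regex: bool) -> bool:
    """<fileName contains=...>: String.equals unless regex="true" (whole-string
    regex match is assumed here)."""
    if regex:
        return re.fullmatch(contains, filename) is not None
    return contains == filename


def cpe_rule_matches(rule_cpe: str, cpe: str, regex: bool) -> bool:
    """<cpe> in a suppression: a plain value is a startsWith() prefix test,
    a regex value must match the whole CPE string."""
    if regex:
        return re.fullmatch(rule_cpe, cpe) is not None
    return cpe.startswith(rule_cpe)


def apply_suppression(rule_gav: str, rule_cpe: str, cpe_regex: bool,
                      gav: str = GAV, cpes=CPES) -> list:
    """Return the CPEs that survive one <suppress> rule whose <gav> is a regex
    (as in the thread's rules) and whose <cpe> is plain or regex."""
    if re.fullmatch(rule_gav, gav) is None:
        return list(cpes)  # rule does not apply to this dependency at all
    return [c for c in cpes if not cpe_rule_matches(rule_cpe, c, cpe_regex)]


GAV_RULE = "^mysql:mysql-connector-java:.*$"
# Plain, unversioned cpe: prefix match also swallows mysql_connectors.
over_suppressed = apply_suppression(GAV_RULE, "cpe:/a:oracle:mysql", False)
# Versioned plain cpe (Murray's workaround) keeps the connector CPE.
versioned = apply_suppression(GAV_RULE, "cpe:/a:oracle:mysql:5.1.39", False)
# Regex cpe (Hans's fix): the ':' after mysql rules out mysql_connectors.
regex_fixed = apply_suppression(GAV_RULE, "cpe:/a:oracle:mysql:.*", True)
```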

Murray Williams

Aug 21, 2017, 8:19:47 AM8/21/17
to Dependency Check, murr...@gmail.com
That achieves exactly what I want - thanks very much again Hans!

Jeremy Long

Aug 23, 2017, 6:27:11 AM8/23/17
to Murray Williams, Dependency Check
@Hans - thanks for helping out!

@Murray - I'm going to include the hint file additions in the core engine. However, I'm still debating on the suppression rule as I really need to go back and read all of the CVEs for cpe:/a:oracle:mysql:* to ensure none of them are actually for the connector.

--Jeremy


Michael Gissing

Aug 23, 2017, 11:24:39 AM8/23/17
to Dependency Check, murr...@gmail.com
Hi,

by accident I encountered the same thing just today, so I checked the hint you added. For me it's not working. If I search NVD, I can't find a product mysql_connectors.
However, what worked for me was the following:

<hint>
    <given>
        <fileName contains="mysql-connector-java.*" regex="true"/>
    </given>
    <add>
        <evidence type="product" source="hint analyzer" name="product" value="mysql_connector_j" confidence="HIGHEST"/>
        <evidence type="product" source="hint analyzer" name="product" value="mysql_connector/j" confidence="HIGHEST"/>
        <evidence type="vendor" source="hint analyzer" name="vendor" value="oracle" confidence="HIGHEST"/>
    </add>
</hint>

This way I found for example https://nvd.nist.gov/vuln/detail/CVE-2017-3589 for the files
mysql-connector-java-5.1.35-bin.jar and mysql-connector-java-5.1.6.jar


I'm not sure whether that's the correct approach, but I get at least one CVE instead of zero.


HTH,
Michael

Jeremy Long

Aug 24, 2017, 6:31:33 AM8/24/17
to Dependency Check, murr...@gmail.com
Michael,

Thanks for pointing this out!

--Jeremy

Hans Aikema

Aug 24, 2017, 8:53:32 AM8/24/17
to Dependency Check, Murray Williams, Jeremy Long
I have reported the incorrect (no related CPE dictionary item present) listing of CVE-2017-3523 to the NIST (and indicated that there are possibly more CVEs affected by the issue). After they have fixed the NVD entry, CVE-2017-3523 should also be listed with Michael's hints, but until that time the mysql_connectors product should be in the evidence as well, so that CVE-2017-3523 is reported when appropriate for the version of MySQL Connector/J that you use.

regards,
Hans