False Positives in Quarkus


Siarhei Biarozkin

Apr 7, 2021, 12:52:27 PM
to Dependency Check

Hello All,

We've been working for a while to get the OWASP dependency check plugin to work with the Quarkus [1] project dependencies, as part of the issue [2].

Most of the Quarkus tags, as well as the other Quarkus IO [3] libraries (quarkus-security, quarkus-http, gizmo), have been registered as NVD CPE entries [4].

Our committer Loïc Mathieu has been verifying how the OWASP plugin works. Initially we were getting false positives when the main Quarkus tags were not registered in NVD. That specific problem has been resolved once we registered the main tag, for example,


etc.

Note the CPE product qualifier is `quarkus`.

Next, Loïc has reported that the plugin reports the false positives against the other QuarkusIO libraries such as `quarkus-security` which the main Quarkus project depends upon.

So we followed with registering `quarkus:quarkus-security`, `quarkus:quarkus-http` and `quarkus:gizmo` (product qualifier is still `quarkus`).

However it did not resolve the problem and as you can see from the comments at [5],

`quarkus:quarkus-security` is ignored and the false positive against `quarkus-security` is still reported as the plugin assumes that `quarkus:quarkus` is the closest match.

I've tried to fix this problem by having a different product qualifier registered for `quarkus-security`/etc., replacing `quarkus:quarkus-security` with `quarkus-security:quarkus-security`, etc. - but the CPE team did not accept this update - they believe `quarkus` is a correct product qualifier (for all the projects at QuarkusIO).

I believe the users can register the exception rules to avoid the plugin reporting the false positives against, in our case, `quarkus-security` (and other QuarkusIO libraries the main Quarkus project depends upon).

However, ideally, we'd like it just to work for our users.
Can you recommend please what can be done for the plugin to avoid matching `quarkus:quarkus-security` against `quarkus:quarkus`, etc ?

Thanks, Sergey
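The "exception rules" mentioned above are Dependency-Check suppression rules. The following suppression file is an added example, not something posted in this thread or shipped by the Quarkus project: it tells the plugin to drop the `cpe:/a:quarkus:quarkus` identification for the three QuarkusIO libraries named in the message, keyed on their package URL, so that CVEs filed against the main Quarkus product are not reported against them. The Maven coordinates in the regexes (`io.quarkus.security`, `io.quarkus.http`, `io.quarkus.gizmo`) are assumptions and should be checked against the actual groupId/artifactId of each dependency before use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file for OWASP Dependency-Check; not from the thread.
     Point the plugin at it with <suppressionFile> (Maven) or
     --suppression (CLI). Maven coordinates below are assumed, verify them. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- quarkus-security: the scanner picks cpe:/a:quarkus:quarkus as the
       closest match because no CVE has ever referenced
       cpe:/a:quarkus:quarkus-security, so that CPE is absent from the NVD feed. -->
  <suppress>
    <notes><![CDATA[
      False positive: quarkus-security is a separate QuarkusIO library.
      Vulnerabilities for the Quarkus framework (quarkus:quarkus) do not apply.
      Revisit if a CVE is ever filed against quarkus:quarkus-security.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/io\.quarkus\.security/quarkus\-security.*@.*$</packageUrl>
    <cpe>cpe:/a:quarkus:quarkus</cpe>
  </suppress>

  <!-- quarkus-http: same situation; matches all quarkus-http-* artifacts. -->
  <suppress>
    <notes><![CDATA[
      False positive: quarkus-http is a separate QuarkusIO library.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/io\.quarkus\.http/quarkus\-http.*@.*$</packageUrl>
    <cpe>cpe:/a:quarkus:quarkus</cpe>
  </suppress>

  <!-- gizmo: bytecode generation library, also under the quarkus product qualifier. -->
  <suppress>
    <notes><![CDATA[
      False positive: gizmo is a separate QuarkusIO library.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/io\.quarkus\.gizmo/gizmo@.*$</packageUrl>
    <cpe>cpe:/a:quarkus:quarkus</cpe>
  </suppress>

</suppressions>
```

Suppressing by `<cpe>` rather than by individual `<cve>` entries is the safer choice here: it removes the wrong product identification once, instead of requiring a new rule every time another CVE is published against `quarkus:quarkus`. The `<packageUrl>` scoping keeps the rule from hiding findings on the main Quarkus artifacts, which should still be matched against `quarkus:quarkus`.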

Hans Aikema

Apr 7, 2021, 5:36:10 PM
to Siarhei Biarozkin, Dependency Check
Hi Sergey,

Thanks for the detailed wrap-up of actions already taken.

Your project has put all parts in place to 'get rid of false positives in the future', but there is one crucial element missing: your other libraries are 'too secure' (at least for the known security status at this point in time).

OWASP DependencyCheck matches on a best-match basis to CPEs, but its source for 'known CPEs' is not the full set of NIST's registered CPEs, but the CPEs as harvested from the NIST NVD vulnerability datafeeds.

Having the proper product CPE registration with NIST ensures that when a vulnerability surfaces for one of the libraries it will be attributed to the correct CPE, but unless and until there is at least one registered CVE in the datafeeds for a library OWASP DependencyCheck will not yet have knowledge of the existence of its CPE.

Best way forward is a Github FP issue for your libraries, so that we can at least include rules to ensure your libraries don't get inappropriate CPE associations while there is no CVE yet in the vulnerability feeds. 

I'll try to register it tomorrow evening (bedtime now for me), referencing this message thread as well as your Quarkus github issue. Feel free to already add it during the day; I expect to check if it's already opened and, if not, register it around 2200 CET.


kind regards,
Hans Aikema


Sergey Beryozkin

Apr 8, 2021, 5:55:18 AM
to Hans Aikema, Dependency Check
Hi Hans

Thanks for the explanation - it is a fairly new area for me so it will take me a few tries to understand it completely :-).
But I've opened this issue:
(hopefully it captures the problem).

Re the main Quarkus CPE, `quarkus:quarkus`, some CVEs have been updated to link to it, for example:

But we don't expect CVEs linking to `quarkus:quarkus-security` (it is API)/`quarkus:quarkus-http`/`quarkus:gizmo` dependencies in the short term at least.

Thanks, Sergey