Analysing Maven projects to extract CPE IDs for dependencies


Soumya Vardhan Singh

May 1, 2015, 7:16:50 AM
to dependen...@googlegroups.com
Hello

I am working on a project that needs to provide a functionality very similar to what OWASP Dependency Check provides but the database within which I need to check for vulnerabilities is a private vulnerability Database instead of the NVD.

I was planning on reusing Dependency Check's code to extract CPE-IDs from Maven projects and I was wondering what part of the code deals with that.

Any help/suggestions are appreciated.

Regards
SVS

Jeremy Long

May 2, 2015, 6:24:48 AM
to Soumya Vardhan Singh, dependen...@googlegroups.com
CPE Identification is more than just a single module in the code. Take a look at the developer wiki: https://github.com/jeremylong/DependencyCheck/wiki/How-does-it-work%3F and https://github.com/jeremylong/DependencyCheck/wiki/Architecture

It would be easy enough to create a new analyzer using the plugin architecture already in place (https://github.com/jeremylong/DependencyCheck/wiki/Making-a-new-Analyzer).

--Jeremy

--
You received this message because you are subscribed to the Google Groups "Dependency Check" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dependency-che...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Soumya Vardhan Singh

May 13, 2015, 9:24:03 AM
to Jeremy Long, dependen...@googlegroups.com
Hi

I extracted the code that returns the data from individual pom files regarding library names, versions and group IDs. The problem that I have now is how to match library names and group IDs in this data with library names and vendor names used for creating CPE IDs by NVD. Is there a particular section in the code that solves this problem?

Regards
Soumya Vardhan Singh

Bernd Eckenfels

May 14, 2015, 1:31:13 AM
to dependen...@googlegroups.com, Soumya Vardhan Singh
On Wed, 13 May 2015 18:53:43 +0530
Soumya Vardhan Singh <soumyavar...@gmail.com> wrote:

> I extracted the code that returns the data from individual pom files
> regarding library names, versions and group IDs. The problem that I
> have now is how to match library names and group IDs in this data
> with library names and vendor names used for creating CPE IDs by NVD.
> Is there a particular section in the code that solves this problem?

I once suggested that we should just use CPE IDs which are generated
from the Maven coordinates. They would be easy to derive automatically
and if enough vendors pick up on this habit it would greatly improve
the possibilities to report library problems via CVEs.

However all people I suggested it to did not think it was a good idea,
so there is no way to map maven coordinates to CPEs. There are some
databases out there which might be able to map fingerprints to CVEs,
but generally speaking there is no good source/database for that. Java,
especially Open Source vendors, do not match very well with CVEs. (The
best sources I have come by are manually maintained alerts of the big
Linux vendors.)

Regards
Bernd

Jeremy Long

May 14, 2015, 5:26:45 AM
to Soumya Vardhan Singh, dependen...@googlegroups.com
SVS,

As I indicated before, there is no GAV->CPE mapping. Dependency-check works by collecting as much relevant textual information as it can from the dependencies it is scanning, sorting this evidence into buckets (vendor, product, version), and then using a Lucene index of the vendor and product (from the list of CPEs contained in the NVD CVE entries) to make a best-effort match. If a vendor/product match is identified then more queries happen to narrow down the version.

Just using the GAV coordinates from the POM generally does not provide enough evidence to make a correct CPE match.

--Jeremy
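A minimal model of the evidence-bucket matching described above, added here as an example and not dependency-check's own code: it sorts POM text into vendor/product/version buckets, scores a constructed stand-in for the CPE vendor/product index by token overlap, and shows that the bare GAV coordinates tie between two candidates while the POM's name and url break the tie. The bucket assignment (groupId and url to vendor, artifactId and name to product), the stop list and the scoring are assumptions, not the project's real analyzers or its Lucene queries.

```python
import re
import xml.etree.ElementTree as ET
# Constructed POM (not a real project's file); the xmlns matters for ElementTree lookups.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.apache.commons</groupId>
  <artifactId>commons-collections4</artifactId>
  <version>4.0</version>
  <name>Apache Commons Collections</name>
  <url>http://commons.apache.org/proper/commons-collections/</url>
</project>"""
NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Constructed stand-in for the vendor/product index built from CPEs in NVD CVE entries.
CPE_INDEX = [("apache", "commons_collections"), ("apache", "commons_fileupload"), ("google", "guava")]
STOP = {"org", "com", "net", "io", "http", "https", "www"}  # TLD/URL noise, no vendor signal

def tokens(text):
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if t and t not in STOP}

def collect_evidence(pom_xml, gav_only=False):
    """Sort POM text into vendor/product/version buckets; gav_only keeps just the coordinates."""
    root = ET.fromstring(pom_xml)
    field = lambda tag: root.findtext(f"m:{tag}", default="", namespaces=NS)
    evidence = {"vendor": tokens(field("groupId")),
                "product": tokens(field("artifactId")),
                "version": {field("version")}}
    if not gav_only:  # name and url are the extra textual evidence a bare GAV lacks
        evidence["vendor"] |= tokens(field("url"))
        evidence["product"] |= tokens(field("name"))
    return evidence

def rank_cpes(evidence, index):
    """Best-effort match: score each (vendor, product) by token overlap with the buckets."""
    scored = []
    for vendor, product in index:
        v_hits = len(tokens(vendor) & evidence["vendor"])
        p_hits = len(tokens(product) & evidence["product"])
        if v_hits and p_hits:  # require some evidence in both buckets
            scored.append((v_hits + p_hits, vendor, product))
    return sorted(scored, key=lambda s: -s[0])

def best_match(evidence, index):
    """Accept only a clear winner; a tie is returned as None rather than guessed."""
    ranked = rank_cpes(evidence, index)
    if not ranked or (len(ranked) > 1 and ranked[0][0] == ranked[1][0]):
        return None
    return ranked[0][1], ranked[0][2]

if __name__ == "__main__":
    print(best_match(collect_evidence(POM), CPE_INDEX))                # ('apache', 'commons_collections')
    print(best_match(collect_evidence(POM, gav_only=True), CPE_INDEX))  # None: tie with commons_fileupload
```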