CVE Result Ambiguous - .NET Analyzer


SHUBHAM JAIN

Dec 2, 2020, 1:09:23 AM12/2/20
to Dependency Check

Dependency-Check is reporting a CVE in the Microsoft.VisualStudio.Telemetry dll.
But when we look at the raw output, we have the link below:

https://ossindex.sonatype.org/component/pkg:generic/Microsoft.Visual...@15.8.956?utm_source=dependency-check&utm_medium=integration&utm_content=6.0.3

We found out that there is no vulnerability present in the mentioned dll file, but the same component is marked as vulnerable according to the logs:

{
"id" : "pkg:generic/Microsoft.Visual...@15.8.956",
"confidence" : "MEDIUM",
"url" : "https://ossindex.sonatype.org/component/pkg:generic/Microsoft.Visual...@15.8.956?utm_source=dependency-check&utm_medium=integration&utm_content=6.0.3"
} ],
"vulnerabilityIds" : [ {
"id" : "cpe:2.3:a:microsoft:visual_studio:15.8.956:::::::*",
"confidence" : "LOW"
} ],
"vulnerabilities" : [ {
"source" : "NVD",
"name" : "CVE-2014-3802",
"severity" : "MEDIUM",
"cvssv2" : {
"score" : 6.8,
"accessVector" : "NETWORK",
"accessComplexity" : "MEDIUM",
"authenticationr" : "NONE",
"confidentialImpact" : "PARTIAL",
"integrityImpact" : "PARTIAL",
"availabilityImpact" : "PARTIAL",
"severity" : "MEDIUM",
"version" : "2.0",
"exploitabilityScore" : "8.6",
"impactScore" : "6.4",
"userInteractionRequired" : "true"
}

We are scanning the IIS Express folder (C:\Program Files\IIS Express).
IIS Express version: 10.0.19041.1
OS: Windows 2019 Server

Thanks in advance.

mark

Dec 2, 2020, 11:59:11 AM12/2/20
to dependen...@googlegroups.com

On 12/2/20 7:09 AM, SHUBHAM JAIN wrote:
> Dependency-Check is reporting a CVE in the Microsoft.VisualStudio.Telemetry dll.
> But when we look at the raw output, we have the link below:
>
> https://ossindex.sonatype.org/component/pkg:generic/Microsoft.Visual...@15.8.956?utm_source=dependency-check&utm_medium=integration&utm_content=6.0.3
>
> We found out that there is no vulnerability present in the mentioned dll
> file, but the same component is marked as vulnerable according to the logs:
>
> {
> "id" : "pkg:generic/Microsoft.Visual...@15.8.956",
> "confidence" : "MEDIUM",

It's called a false positive. As you can see, the confidence that the dll
has been identified properly is "MEDIUM". You can set up a suppression
file to suppress these kinds of things.
The docs show you how to do that; the HTML report even provides the
proper snippets of XML to add to the suppression file.
HTH
-M
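As an added illustration (constructed for this thread, not from the original posts or from the Dependency-Check project), here is a suppression file covering the finding above. The filePath regexes and the notes text are assumptions; the CPE and CVE values are the ones in the report excerpt.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example of a Dependency-Check suppression file (not from the thread).
     Point the scanner at it with the CLI option: --suppression suppressions.xml -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Rule 1: fix the root cause. The dll was mis-identified as the Visual Studio
       product, so drop that CPE, but only for this file under the IIS Express folder.
       filePath is a regex (assumed pattern); backslashes are doubled for that reason.
       The snippet generated by the HTML report keys on the file's <sha1> instead;
       the hash is not in the thread, so a path pattern is used here. -->
  <suppress>
    <notes><![CDATA[
    Microsoft.VisualStudio.Telemetry dll shipped with IIS Express, matched to
    cpe:microsoft:visual_studio with LOW confidence. False positive per the thread.
    ]]></notes>
    <filePath regex="true">.*\\IIS Express\\.*Microsoft\.VisualStudio\.Telemetry.*\.dll</filePath>
    <cpe>cpe:/a:microsoft:visual_studio</cpe>
  </suppress>

  <!-- Rule 2: narrower alternative. Keep the CPE identification but suppress the
       single CVE the report listed, for the same file only. Prefer this form when
       the product match is correct and just one advisory does not apply. -->
  <suppress>
    <notes><![CDATA[
    CVE-2014-3802 does not apply to the telemetry dll bundled with IIS Express.
    ]]></notes>
    <filePath regex="true">.*Microsoft\.VisualStudio\.Telemetry.*\.dll</filePath>
    <cve>CVE-2014-3802</cve>
  </suppress>

</suppressions>
```

Keep the notes populated and the path pattern as tight as practical, so the suppression does not silently hide a real finding for a different copy of the same dll later.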