Vulnerable dependency in .NET project not detected by dependency-check CLI


Amedee Van Gasse

Feb 26, 2021, 9:44:44 AM
to Dependency Check
I'm configuring dependency-check CLI to scan .NET projects and I am doing verification tests.

I have added two references that I know to contain a vulnerability, which I expect to be detected by dependency-check: WinSCP 5.17.9 and TinyMCE 4.9.6.

Command used to run dependency-check:

// Jenkins pipeline step: the dependency-check properties file is injected as a temporary file credential
withCredentials([file(credentialsId: 'dependencycheck-cli', variable: 'DEPENDENCYCHECK_PROPERTIES')]) {
    // Scan the workspace, write HTML and XML reports, skip the NVD update,
    // and point the assembly analyzer at the dotnet executable
    bat "$DEPENDENCY_CHECK/bin/dependency-check.bat --scan . " +
            '--format=HTML --format=XML ' +
            '--propertyfile=%DEPENDENCYCHECK_PROPERTIES% ' +
            '--noupdate ' +
            " --dotnet=\"c:/Program Files/dotnet/dotnet.exe\""
}

Expected result:
I get a dependency-check report with vulnerabilities of these two references.

Actual result:
The dependency-check result says "No results".

Hans Aikema

Feb 26, 2021, 12:19:15 PM
to Amedee Van Gasse, Dependency Check
I don't use the Assembly Analyzer myself, but further digging into the reason for not detecting them would be to review the details on detected non-vulnerable libraries (hidden by default in the HTML report; only a link is rendered to make them visible). Note that the HTML report does not work well when browsed from the Jenkins workspace - you should download it locally and then open it with the browser from the local folder; Jenkins renders the embedded JavaScript in the HTML file from the workspace unusable as a security precaution.
They contain details about all the 'evidences' that GrokAssembly was able to extract from the project resources, as well as the identifiers that DependencyCheck decided to use for the libraries (based on the combined information from the evidences).

If those did not result in cpe:2.3:winscp:winscp for your vulnerable WinSCP, it would be the reason for non-discovery (as that is the cpe under which the NVD registers the WinSCP CVEs).

There can be many reasons for non-detection. It is hard to offer more detailed advice without access to the resulting report (either XML or HTML).

kind regards,
Hans Aikema


Amedee Van Gasse

Mar 1, 2021, 4:02:19 AM
to Dependency Check
I ran the CLI on my local machine, with the same MySQL backend, and there the vulnerability in TinyMCE is found but the one in WinSCP isn't.
Will compare with the results on Jenkins.

Amedee Van Gasse

Mar 1, 2021, 4:04:23 AM
to Dependency Check
Project:
Scan Information:
  • dependency-check version: 6.1.1
  • Report Generated On: Mon, 1 Mar 2021 09:57:02 +0100
  • Dependencies Scanned: 496 (173 unique)
  • Vulnerable Dependencies: 1
  • Vulnerabilities Found: 3
  • Vulnerabilities Suppressed: 0
  • ...

Summary (showing all dependencies):

Dependency | Vulnerability IDs | Package | Highest Severity | CVE Count | Confidence | Evidence Count
BouncyCastle.Crypto.dll | | pkg:generic/BouncyCas...@1.8.5 | | 0 | | 13
BouncyCastle.Crypto.dll | | pkg:generic/BouncyCas...@1.8.9 | | 0 | | 11
Common.Logging.Core.dll | | pkg:generic/Common.Lo...@3.4.0.0 | | 0 | | 9
Common.Logging.Core:3.4.1 | | pkg:nuget/Common.Lo...@3.4.1 | | 0 | | 17
Common.Logging.dll | | pkg:generic/Common....@3.4.0.0 | | 0 | | 9
Common.Logging:3.4.1 | | pkg:nuget/Common....@3.4.1 | | 0 | | 16
NUnit.System.Linq.dll | | pkg:generic/NUnit.Sy...@0.6.0.0 | | 0 | | 13
NUnit:3.7.1 | | pkg:nuget/NU...@3.7.1 | | 0 | | 10
Portable.BouncyCastle:1.8.5 | | pkg:nuget/Portable.B...@1.8.5 | | 0 | | 7
Portable.BouncyCastle:1.8.9 | | pkg:nuget/Portable.B...@1.8.9 | | 0 | | 10
TinyMCE:4.9.6 | cpe:2.3:a:tiny:tinymce:4.9.6:*:*:*:*:*:*:* cpe:2.3:a:tinymce:tinymce:4.9.6:*:*:*:*:*:*:* | pkg:nuget/Tin...@4.9.6 | MEDIUM | 3 | Low | 9
WinSCP.exe | | | | 0 | | 2
WinSCP:5.17.9 | | pkg:nuget/Win...@5.17.9 | | 0 | | 10
WinSCPnet.dll | | pkg:generic/WinS...@1.7.2.10905 | | 0 | | 9

Amedee Van Gasse

Mar 11, 2021, 5:15:17 AM
to Dependency Check
Hi @aikebah, I posted a report 10 days ago. Do you have enough information with this or do you need more?

Hans Aikema

Mar 11, 2021, 1:29:52 PM
to Amedee Van Gasse, Dependency Check

Amedee,

Thanks for reminding me; it had slipped my mind due to other activities.

Something that's missing in the HTML report snippet as quoted in your mail is which evidences the assembly analyzer was able to extract from WinSCP.

That might give a hint whether the root cause for not finding anything lies in the information available in the WinSCP binary, or in some logical error in matching the evidences provided with the CPE entry that NVD uses to register WinSCP CVEs.

The NVD CVE Analyzer uses the evidences discovered to do a fuzzy search for matching CPEs in the NVD data. So if the evidences delivered do not sufficiently match the official NVD coordinates for WinSCP, DepCheck will not link the two and will not discover the vulnerabilities.

Lack of evidences discovered would point at either missing identifiers in WinSCP, or an issue in the AssemblyAnalyzer. Presence of fitting evidences might point at an issue in the fuzzy search logic that determines the CPE.

Using verbose logging (--log <log file name>) might also help in determining what is searched for by the CPEAnalyzer.

regards,
Hans


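As an added example (not code from this thread or from the dependency-check project), the script below pulls the collected evidence and the assigned CPEs per dependency out of the XML report and applies the split described above: no vendor/product evidence points at the binary or the AssemblyAnalyzer, evidence without a CPE points at CPE matching. The report element names are my assumption about the 2.x report schema, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a dependency-check 2.x XML report (assumed element
# names; check them against a real report): one dependency with evidence and a CPE,
# one with only a version string and no CPE, like the WinSCP.exe row above.
SAMPLE_REPORT = """<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.2.x.xsd"><dependencies>
 <dependency><fileName>TinyMCE:4.9.6</fileName><evidenceCollected>
   <evidence type="vendor" confidence="HIGH"><source>nuspec</source><name>id</name><value>TinyMCE</value></evidence>
   <evidence type="product" confidence="HIGHEST"><source>nuspec</source><name>id</name><value>TinyMCE</value></evidence>
   <evidence type="version" confidence="HIGHEST"><source>nuspec</source><name>version</name><value>4.9.6</value></evidence>
  </evidenceCollected>
  <identifiers><vulnerabilityIds><vulnerabilityId confidence="LOW"><id>cpe:2.3:a:tinymce:tinymce:4.9.6:*:*:*:*:*:*:*</id></vulnerabilityId></vulnerabilityIds></identifiers>
 </dependency>
 <dependency><fileName>WinSCP.exe</fileName><evidenceCollected>
   <evidence type="version" confidence="HIGH"><source>file</source><name>version</name><value>5.17.9</value></evidence>
  </evidenceCollected><identifiers/>
 </dependency>
</dependencies></analysis>"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the xmlns prefix ElementTree attaches to tags


def triage_report(xml_text):
    """Return {fileName: {"evidence": by type, "cpes": [...], "diagnosis": str}} per dependency."""
    result = {}
    for dep in ET.fromstring(xml_text).iter():
        if _local(dep.tag) != "dependency":
            continue
        name = next(e.text for e in dep if _local(e.tag) == "fileName")
        evidence = {"vendor": [], "product": [], "version": []}
        cpes = []
        for el in dep.iter():
            tag = _local(el.tag)
            if tag == "evidence":  # collect the value of each vendor/product/version evidence
                evidence.setdefault(el.get("type"), []).append(
                    next(c.text for c in el if _local(c.tag) == "value"))
            elif tag == "id" and (el.text or "").startswith("cpe:"):
                cpes.append(el.text)  # CPE the CPE analyzer settled on (pkg: ids are skipped)
        # Same split as the message above: no evidence -> binary/analyzer; evidence, no CPE -> matching
        if cpes:
            diagnosis = "cpe assigned: compare it with the NVD coordinates"
        elif evidence["vendor"] or evidence["product"]:
            diagnosis = "evidence present but no cpe: suspect cpe matching"
        else:
            diagnosis = "no vendor/product evidence: suspect the binary or the assembly analyzer"
        result[name] = {"evidence": evidence, "cpes": cpes, "diagnosis": diagnosis}
    return result
```

Run it against the real report with `triage_report(open("dependency-check-report.xml").read())` and look at the `WinSCP.exe` entry.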

Amedee Van Gasse

Mar 12, 2021, 4:13:44 AM
to Dependency Check
Okay thanks.

To clarify, I have added WinSCP as a reference, and it's there when I do a nuget restore on the project, but it isn't actually used in the code of the project.
Would that make a difference?
