CVE-2020-15250 not reported - Junit dependency


Marco Andries

Nov 12, 2020, 7:55:03 AM
to dependen...@googlegroups.com
Hi,

I found out that there's a known CVE on certain versions of junit: https://nvd.nist.gov/vuln/detail/CVE-2020-15250.
We are using junit 4.12 in our Java code and the dependency-check-maven plugin in our CI so I was wondering why it wasn't reported.

For testing purposes I added the following dependencies in our 'pom.xml' file:
<dependency>
    <groupId>com.google.guava</groupId>
    <artifactId>guava</artifactId>
    <version>19.0</version>
</dependency>
<dependency>
    <groupId>junit</groupId>
    <artifactId>junit</artifactId>
    <version>4.12</version>
</dependency>

(On this guava version there's also a CVE reported: https://nvd.nist.gov/vuln/detail/CVE-2018-10237)

I executed the plugin directly from maven by executing: 
mvn org.owasp:dependency-check-maven:6.0.3:check

In the console output and in 'dependency-check-report.html' the CVE on the guava version is reported:
guava-19.0.jar (pkg:maven/com.google.guava/guava@19.0, cpe:2.3:a:google:guava:19.0:*:*:*:*:*:*:*) : CVE-2018-10237

But the dependency on junit 4.12 is not reported anywhere.

I opened up the local NVD database and found an entry for the junit CVE so I'm missing why there's nothing reported for junit 4.12.
Can someone tell me why it's not being reported?

Kind regards
Marco

Hans Aikema

Nov 12, 2020, 8:39:55 AM
to Marco Andries, dependen...@googlegroups.com
My gut feeling, based on the NVD page and the Maven coordinates, is that the somewhat strange CPE in the NVD (junit:junit4 rather than junit:junit:4.....) is causing this false negative.

Hans Aikema, sent directly from iCloud

On 12 Nov 2020 at 13:55, Marco Andries <andries...@gmail.com> wrote:


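Hans's diagnosis above (an NVD CPE with product name 'junit4' that does not line up with the Maven coordinates junit:junit) can be illustrated with a small matcher. This is an added example, not OWASP dependency-check's own matching code (which scores evidence collected from the POM and manifest against the CPE index); the NVD-style records, the versionEndExcluding values and the alias table below are constructed for the illustration and are not taken from the NVD feed.

```python
"""Added example (not dependency-check's code): a simplified CPE-to-Maven
matcher that shows why a CPE product name that differs from the artifactId
produces a false negative. NVD records and version ranges below are
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Cpe:
    vendor: str
    product: str
    version: str  # '*' in the NVD record means the range fields decide


def parse_cpe23(cpe: str) -> Cpe:
    """Parse 'cpe:2.3:<part>:<vendor>:<product>:<version>:...' (13 colon-separated fields)."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return Cpe(vendor=fields[3], product=fields[4], version=fields[5])


@dataclass(frozen=True)
class NvdMatch:
    cpe: str
    version_end_excluding: Optional[str] = None  # NVD 'versionEndExcluding'


# Constructed NVD-style records. The junit CPE product is 'junit4', as Hans
# noted in the thread, while the Maven artifactId is 'junit'. Ranges assumed.
NVD: Dict[str, NvdMatch] = {
    "CVE-2018-10237": NvdMatch("cpe:2.3:a:google:guava:*:*:*:*:*:*:*:*", "24.1.1"),
    "CVE-2020-15250": NvdMatch("cpe:2.3:a:junit:junit4:*:*:*:*:*:*:*:*", "4.13.1"),
}


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric-only comparison key; good enough for 4.12 vs 4.13.1."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def is_affected(group_id: str, artifact_id: str, version: str, match: NvdMatch,
                aliases: Optional[Dict[str, Iterable[str]]] = None) -> bool:
    cpe = parse_cpe23(match.cpe)
    # Vendor evidence: the groupId and each of its segments (com.google.guava -> google).
    vendors = set(group_id.split(".")) | {group_id}
    # Product evidence: the artifactId, plus any locally configured aliases (hypothetical table).
    products = {artifact_id} | set((aliases or {}).get(artifact_id, ()))
    if cpe.vendor not in vendors or cpe.product not in products:
        return False  # no CPE identified for the jar, so this CVE is never even considered
    if cpe.version != "*" and cpe.version != version:
        return False
    if match.version_end_excluding is not None and not (
            version_key(version) < version_key(match.version_end_excluding)):
        return False
    return True


def find_cves(group_id: str, artifact_id: str, version: str,
              aliases: Optional[Dict[str, Iterable[str]]] = None) -> List[str]:
    """Return the CVE ids whose CPE matches the artifact and whose range covers the version."""
    return sorted(cve for cve, m in NVD.items()
                  if is_affected(group_id, artifact_id, version, m, aliases))


if __name__ == "__main__":
    print(find_cves("com.google.guava", "guava", "19.0"))  # ['CVE-2018-10237']
    print(find_cves("junit", "junit", "4.12"))             # []  : 'junit4' != 'junit'
    print(find_cves("junit", "junit", "4.12", aliases={"junit": ["junit4"]}))  # ['CVE-2020-15250']
```

The guava record matches because vendor 'google' and product 'guava' are both recoverable from the Maven coordinates; the junit record never gets past the name comparison, so the version range is irrelevant and the scan stays silent. The alias table stands in for the kind of extra evidence dependency-check's hints file lets you add locally; the durable fix is the one Jeremy took, getting the CPE corrected at the NVD.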

Jeremy Long

Nov 14, 2020, 6:42:51 AM
to Hans Aikema, Marco Andries, Dependency Check
I emailed the NVD about the JUNIT4 CPE on https://nvd.nist.gov/vuln/detail/CVE-2020-15250

--Jeremy

Marco Andries

Nov 16, 2020, 9:20:33 AM
to Dependency Check
Hi,

Already a big thanks for the quick replies. Was something changed already?
I'm a bit confused, it looks like the strange CPE is still there for junit: https://nvd.nist.gov/vuln/detail/CVE-2020-15250
But now the vulnerability is found when there's a direct dependency to junit 4.12.
However when junit 4.12 is used as a dependency in another dependency, it's still not being found.
For example, we have a dependency on tess4j version 4.5.1, but junit 4.12 is not being reported as a vulnerability.

Kind regards,
Marco
On Saturday, 14 November 2020 at 12:42:51 UTC+1, jerem...@gmail.com wrote:

Hans Aikema

Nov 16, 2020, 10:26:43 AM
to Marco Andries, Dependency Check
Marco,

The dependency of PDFBox on JUnit is test-scoped:

<dependency>
    <groupId>junit</groupId>
    <artifactId>junit</artifactId>
    <scope>test</scope>
</dependency>

In Maven terminology that means that it is not propagated as a transitive dependency towards other projects. So the chain
https://mvnrepository.com/artifact/org.apache.pdfbox/pdfbox/2.0.18 > https://mvnrepository.com/artifact/junit/junit/4.12
does not hold, because pdfbox-2.0.18 as a project depends on junit 4.12 for its tests at build time, but the runtime library it produces does not have that dependency.

Only scopes ‘compile’ (the default) and ‘runtime’ are retained for transitive dependencies as documented in:
https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Scope

That's why you don't see it: Maven (and any tool that supports the Maven POM as a mechanism to define (transitive) dependencies) doesn't consider the test-scoped dependency on JUnit as a dependency of your dependency, although you can see it listed in the pom.xml.

kind regards,
Hans Aikema
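The scope rule Hans cites can be made concrete by applying Maven's transitive-scope table to the chain app > tess4j > pdfbox > junit. This is an added example and not Maven's or dependency-check's code; the POM data is constructed (real coordinates from the thread, but trimmed dependency lists, no version mediation, exclusions, optional flags or dependencyManagement), and the app coordinate org.example:app:1.0 is hypothetical.

```python
"""Added example (not Maven's or dependency-check's code): Maven's transitive
scope table, as documented in the Introduction to the Dependency Mechanism
guide, applied to a constructed dependency graph."""
from typing import Dict, List, Optional, Tuple

Scope = str
Coord = str  # 'groupId:artifactId:version'

# TRANSITIVE_SCOPE[direct_scope][dependency's own scope] -> scope it gets in the
# consuming project, or None when it is not propagated at all.
TRANSITIVE_SCOPE: Dict[Scope, Dict[Scope, Optional[Scope]]] = {
    "compile":  {"compile": "compile",  "provided": None, "runtime": "runtime",  "test": None},
    "provided": {"compile": "provided", "provided": None, "runtime": "provided", "test": None},
    "runtime":  {"compile": "runtime",  "provided": None, "runtime": "runtime",  "test": None},
    "test":     {"compile": "test",     "provided": None, "runtime": "test",     "test": None},
}

# Constructed POMs: each coordinate maps to its declared (dependency, scope) list.
# Coordinates are the ones from the thread; the lists are deliberately trimmed.
POMS: Dict[Coord, List[Tuple[Coord, Scope]]] = {
    "org.example:app:1.0": [("net.sourceforge.tess4j:tess4j:4.5.1", "compile")],
    "net.sourceforge.tess4j:tess4j:4.5.1": [("org.apache.pdfbox:pdfbox:2.0.18", "compile")],
    "org.apache.pdfbox:pdfbox:2.0.18": [
        ("org.apache.pdfbox:fontbox:2.0.18", "compile"),
        ("junit:junit:4.12", "test"),            # test-scoped, as Hans points out
    ],
    "org.apache.pdfbox:fontbox:2.0.18": [],
    "junit:junit:4.12": [("org.hamcrest:hamcrest-core:1.3", "compile")],
    "org.hamcrest:hamcrest-core:1.3": [],
}


def resolve(root: Coord, poms: Dict[Coord, List[Tuple[Coord, Scope]]]) -> Dict[Coord, Scope]:
    """Breadth-first walk so the nearest declaration wins, as in Maven's mediation."""
    resolved: Dict[Coord, Scope] = {}
    frontier = list(poms.get(root, []))           # direct dependencies keep their declared scope
    while frontier:
        next_frontier: List[Tuple[Coord, Scope]] = []
        for coord, scope in frontier:
            if coord in resolved:
                continue                           # a nearer (or earlier) declaration already won
            resolved[coord] = scope
            for child, child_scope in poms.get(coord, []):
                effective = TRANSITIVE_SCOPE[scope][child_scope]
                if effective is not None:          # test/provided deps of a dependency are dropped
                    next_frontier.append((child, effective))
        frontier = next_frontier
    return resolved


def with_direct_dependency(poms: Dict[Coord, List[Tuple[Coord, Scope]]], root: Coord,
                           coord: Coord, scope: Scope) -> Dict[Coord, List[Tuple[Coord, Scope]]]:
    """Copy of poms in which root additionally declares coord with the given scope."""
    updated = dict(poms)
    updated[root] = list(poms.get(root, [])) + [(coord, scope)]
    return updated


if __name__ == "__main__":
    root = "org.example:app:1.0"
    print(resolve(root, POMS))
    # tess4j, pdfbox and fontbox at compile scope; junit and hamcrest-core are absent
    print(resolve(root, with_direct_dependency(POMS, root, "junit:junit:4.12", "compile")))
    # now junit 4.12 and hamcrest-core 1.3 appear at compile scope, which is Marco's first test case
```

The first resolution reproduces what Marco observed: junit never reaches the consuming project's tree, so there is no jar for dependency-check to scan, and this is independent of the CPE problem from earlier in the thread. The second reproduces the direct-dependency case where the jar is present. One further caveat for the direct case: dependency-check-maven's skipTestScope setting defaults to true, so a junit declared directly in your own POM with scope test is also skipped unless that setting is turned off.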

Marco Andries

Nov 16, 2020, 10:55:15 AM
to Dependency Check
Thanks for the info!

On Monday, 16 November 2020 at 16:26:43 UTC+1, aikebah wrote: