How to deal with OWASP alert?


Vitaly

Jan 21, 2019, 5:24:13 AM1/21/19
to Dependency Check
I hope it's not too off-topic - I'm trying to upgrade my Java libraries based on the OWASP dependency report, but I'm a little confused.
For example - OWASP alerted about google-cloud-logging-logback-0.56.0-alpha.jar. I upgraded this lib to the latest 0.78.0-alpha, but the alert about https://nvd.nist.gov/vuln/detail/CVE-2017-5929 is still here.
Is there any guide/example of how to convert an OWASP dependency report into action items?

TIA, Vitaly

Jeremy Long

Jan 21, 2019, 6:16:10 PM1/21/19
to Vitaly, Dependency Check
Can you share the report? It will help me explain what is going on.

Thanks,

--Jeremy

--
You received this message because you are subscribed to the Google Groups "Dependency Check" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dependency-che...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Vitaly

Jan 22, 2019, 2:38:46 AM1/22/19
to Dependency Check
Jeremy,
Thank you, after some RTFM I understood that the dependency check scanner has a pretty high false positive rate.
In my case most of the alerts were false positives. I think the ability to suppress warnings with a low CPE confidence level would be a big improvement.
Regards,
Vitaly

Jeremy Long

Jan 22, 2019, 8:19:34 AM1/22/19
to Vitaly, Dependency Check
The issue is that a confidence filter can create false positives.  It has historically been our recommendation to spend the time to triage an application and create a suppression file for future scans. In general, it does not take that long to create a suppression file for a given application once you understand how things work.

--Jeremy
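For readers wondering what "create a suppression file" looks like in practice, here is an added example (not Jeremy's or the project's own file) for the case discussed in this thread. It assumes the match reported later in the thread: google-cloud-logging-logback-0.56.0-alpha.jar is identified as CPE cpe:2.3:a:logback:logback:0.56.0.alpha, which is a mis-identification of the wrapper jar, not a finding against logback itself. The suppression therefore targets that CPE match for that file pattern only, so the real logback jar on the classpath keeps being checked against CVE-2017-5929 and anything published later. The `until` date is a placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example suppression file for dependency-check (added illustration, not from the thread).
     Suppress the identification, not the CVE: the wrapper jar was matched to the
     logback CPE, so removing that CPE match clears every CVE derived from it while
     leaving the actual ch.qos.logback artifact subject to normal scanning. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">

  <!-- False positive: google-cloud-logging-logback-*.jar is a Google Cloud appender,
       not logback. The version string 0.56.0-alpha is the Google artifact's, not logback's. -->
  <suppress until="2019-12-31Z"> <!-- placeholder date: forces a re-triage instead of a permanent blind spot -->
    <notes><![CDATA[
      google-cloud-logging-logback is mis-identified as logback:logback.
      The real logback jar in this build is 1.2.3 (CVE-2017-5929 fixed in 1.2.0)
      and is NOT suppressed here, so it is still evaluated on every scan.
      Triaged: <your name>, <date>.
    ]]></notes>
    <filePath regex="true">.*\bgoogle-cloud-logging-logback-.*\.jar</filePath>
    <cpe>cpe:/a:logback:logback</cpe>
  </suppress>

</suppressions>
```

Point the Maven plugin at the file with the `suppressionFiles` configuration parameter of `org.owasp:dependency-check-maven` and commit it next to the pom so the triage decision is reviewable. Prefer `filePath` or `sha1` plus `cpe` over suppressing a bare `cve`: a CVE-only suppression hides that CVE for every dependency in the build, including a correctly identified vulnerable one.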

dsw...@tzero.com

Mar 6, 2019, 2:18:26 PM3/6/19
to Dependency Check
How does one update the check library or point it to more detail? (Not just a local exception, but a contribution to the common library/tool for all who use it)

We're seeing the same logback CVE failure on check.
The bug appears to be related to logback jar versions below 1.2.0 (fixed per Bugtrack https://bugzilla.redhat.com/show_bug.cgi?id=1432858)
The logback library jar in use/in the build is version 1.2.3 but the logging parent google-cloud-logging-logback-0.56.0-alpha.jar is the source of the alert.

It looks like the parent jar using the dependency is checked, but it's the subdependent JAR that is the actual vulnerability (logback.jar 1.1.X)
Jason Reber

dswift [11:07 AM]
Do any of the fixes listed on BugZilla offer a fix/update? https://bugzilla.redhat.com/show_bug.cgi?id=1432858
CVE-2017-5929
It shows to be fixed in version 1.2.0

Jason Reber [12:05 PM]
Untitled 
One or more dependencies were identified with known vulnerabilities in dead-letter-service-application: (Excerpt of Report)

cpe:2.3:a:springsource:spring_framework:2.0.3:*:*:*:*:*:*:*) : CVE-2011-2730, CVE-2013-4152, CVE-2013-6429, CVE-2013-7315, CVE-2014-0054, CVE-2014-1904
logback-json-core-0.1.5.jar (pkg:maven/ch.qos.logback.contrib/logback-...@0.1.5, cpe:2.3:a:logback:logback:0.1.5:*:*:*:*:*:*:*) : CVE-2017-5929
google-cloud-logging-logback-0.56.0-alpha.jar (pkg:maven/com.google.cloud/google-cloud-l...@0.56.0-alpha, cpe:2.3:a:logback:logback:0.56.0.alpha:*:*:*:*:*:*:*) : CVE-2017-5929
grpc-netty-shaded-1.13.1.jar/META-INF/maven/io.netty/netty-tcnative-boringssl-static/pom.xml (pkg:maven/io.netty/netty-tcnative-...@2.0.8.Final, cpe:2.3:a:netty_project:netty:2.0.8:*:*:*:*:*:*:*) : CVE-2014-3488, CVE-2015-2156
auto-value-1.4.jar/META-INF/maven/com.google.guava/guava/pom.xml (pkg:maven/com.google.guava/guava@19.0, cpe:2.3:a:google:guava:19.0:*:*:*:*:*:*:*) : CVE-2018-10237
See the dependency-check report for more details.
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for dead-letter-service-multi-module 0.0.1-SNAPSHOT:
[INFO] 
[INFO] dead-letter-service-publisher ...................... SUCCESS [03:23 min]
[INFO] dead-letter-service-multi-module ................... SUCCESS [ 4.787 s]
[INFO] dead-letter-service-application .................... FAILURE [05:05 min]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 08:45 min
[INFO] Finished at: 2019-03-06T19:04:42Z
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.0.0-M1:check (default-cli) on project dead-letter-service-application: 
[ERROR] 
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '9.0': 
[ERROR] 
[ERROR] logback-json-core-0.1.5.jar: CVE-2017-5929
[ERROR] google-cloud-logging-logback-0.56.0-alpha.jar: CVE-2017-5929
[ERROR] 
[ERROR] See the dependency-check report for more details.
[ERROR] -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] 
[ERROR] After correcting the problems, you can resume the build with the command
[ERROR]  mvn <goals> -rf :dead-letter-service-application
Uploading artifacts...
target/dependency-check-report.html: found 1 matching files 
Uploading artifacts to coordinator... ok      id=172921364 responseStatus=201 Created token=6Z_54BLV
ERROR: Job failed: exit code 1


dsw...@tzero.com

Mar 6, 2019, 3:06:04 PM3/6/19
to Dependency Check
Apparently the "experimental release" has the bug, but the current release does not.


On Monday, January 21, 2019 at 3:24:13 AM UTC-7, Vitaly wrote:

Mark Prins

Mar 7, 2019, 9:30:28 AM3/7/19
to dependen...@googlegroups.com
On 06-03-19 20:18, dsw...@tzero.com wrote:
> How does one update the check library or point it to more detail? (Not
> just a local exception, but a contribution to the common library/tool
> for all who use it)

The code as well as the issue tracker are available at:
https://github.com/jeremylong/DependencyCheck

The issue tracker provides several templates, e.g. for false
positives/negatives, bugs etc. Click the "new issue" button to get there.

Not every flagged vulnerable dependency will actually be an application
vulnerability, it depends on the code path your application uses as
well. (I agree the easiest thing is upgrading to non-vuln dependency
versions)

HTH, Mark
