False positive on the PostgreSQL JDBC client JAR #1529

Closed
smoyer64 opened this issue Oct 15, 2018 · 6 comments

Comments

@smoyer64

CVE-2016-7048 was updated on 2018-10-12 and is now breaking our builds. Upon further inspection, we see that this is a vulnerability for those using the interactive installer - clearly those of us downloading this artifact from Maven Central are not affected.

False positive on library postgresql.jar - reported as cpe:2.3:a:postgresql:postgresql:9.3 - CVE-2016-7048

<dependency>
     <groupId>org.postgresql</groupId>
     <artifactId>postgresql</artifactId>
</dependency>

At least versions >= 42.2.1 are affected.

@mirabilos

This was fixed recently - see #1488 - but apparently pops up again.

There are multiple problems with this:

  • The CVE does not affect the JDBC driver in the first place.
  • The version compare algorithm is somehow broken: the CVE affects (<< 9.3.15 | (>> 9.3 && << 9.4.10) | (>> 9.4 && << 9.5.5)) which means PostgreSQL 10.x and PostgreSQL-JDBC 42.x are both not affected.

I’d definitely look at the latter in any case, since that shows that the Maven plugin somehow does not work correctly!

[INFO] --- dependency-check-maven:3.3.2:aggregate (default) @ veraweb-parent ---
[INFO] Central analyzer disabled
[INFO] Checking for updates
[INFO] starting getUpdatesNeeded() ...
[INFO] NVD CVE requires several updates; this could take a couple of minutes.
[INFO] Download Started for NVD CVE - 2004
[INFO] Download Started for NVD CVE - 2003
[INFO] Download Started for NVD CVE - 2002
[INFO] Download Complete for NVD CVE - 2003  (2312 ms)
[INFO] Download Started for NVD CVE - 2005
[INFO] Processing Started for NVD CVE - 2003
[INFO] Download Complete for NVD CVE - 2004  (2643 ms)
[INFO] Download Started for NVD CVE - 2006
[INFO] Processing Started for NVD CVE - 2004
[INFO] Download Complete for NVD CVE - 2005  (3008 ms)
[INFO] Download Started for NVD CVE - 2007
[INFO] Download Complete for NVD CVE - 2006  (3024 ms)
[INFO] Download Started for NVD CVE - 2008
[INFO] Download Complete for NVD CVE - 2002  (6238 ms)
[INFO] Download Started for NVD CVE - 2009
[INFO] Download Complete for NVD CVE - 2008  (3288 ms)
[INFO] Download Started for NVD CVE - 2010
[INFO] Download Complete for NVD CVE - 2009  (3037 ms)
[INFO] Download Started for NVD CVE - 2011
[INFO] Download Complete for NVD CVE - 2007  (4040 ms)
[INFO] Download Started for NVD CVE - 2012
[INFO] Download Complete for NVD CVE - 2012  (3255 ms)
[INFO] Download Started for NVD CVE - 2013
[INFO] Processing Complete for NVD CVE - 2003  (11752 ms)
[INFO] Processing Started for NVD CVE - 2005
[INFO] Download Complete for NVD CVE - 2011  (6216 ms)
[INFO] Download Started for NVD CVE - 2014
[INFO] Download Complete for NVD CVE - 2010  (7629 ms)
[INFO] Download Started for NVD CVE - 2015
[INFO] Download Complete for NVD CVE - 2013  (3967 ms)
[INFO] Download Started for NVD CVE - 2016
[INFO] Download Complete for NVD CVE - 2014  (3969 ms)
[INFO] Download Started for NVD CVE - 2017
[INFO] Processing Complete for NVD CVE - 2004  (17555 ms)
[INFO] Processing Started for NVD CVE - 2006
[INFO] Download Complete for NVD CVE - 2015  (3619 ms)
[INFO] Download Started for NVD CVE - 2018
[INFO] Download Complete for NVD CVE - 2016  (3524 ms)
[INFO] Download Started for NVD CVE - Modified
[INFO] Download Complete for NVD CVE - 2017  (6490 ms)
[INFO] Download Complete for NVD CVE - 2018  (8951 ms)
[INFO] Processing Complete for NVD CVE - 2005  (18546 ms)
[INFO] Processing Started for NVD CVE - 2002
[INFO] Download Complete for NVD CVE - Modified  (12096 ms)
[INFO] Processing Complete for NVD CVE - 2002  (8339 ms)
[INFO] Processing Started for NVD CVE - 2008
[INFO] Processing Complete for NVD CVE - 2006  (21055 ms)
[INFO] Processing Started for NVD CVE - 2009
[INFO] Processing Complete for NVD CVE - 2009  (19782 ms)
[INFO] Processing Started for NVD CVE - 2007
[INFO] Processing Complete for NVD CVE - 2008  (22850 ms)
[INFO] Processing Started for NVD CVE - 2012
[INFO] Processing Complete for NVD CVE - 2007  (53492 ms)
[INFO] Processing Started for NVD CVE - 2011
[INFO] Processing Complete for NVD CVE - 2012  (77745 ms)
[INFO] Processing Started for NVD CVE - 2010
[INFO] Processing Complete for NVD CVE - 2011  (60389 ms)
[INFO] Processing Started for NVD CVE - 2013
[INFO] Processing Complete for NVD CVE - 2010  (41067 ms)
[INFO] Processing Started for NVD CVE - 2014
[INFO] Processing Complete for NVD CVE - 2013  (28461 ms)
[INFO] Processing Started for NVD CVE - 2015
[INFO] Processing Complete for NVD CVE - 2014  (26197 ms)
[INFO] Processing Started for NVD CVE - 2016
[INFO] Processing Complete for NVD CVE - 2015  (12701 ms)
[INFO] Processing Started for NVD CVE - 2017
[INFO] Processing Complete for NVD CVE - 2016  (14855 ms)
[INFO] Processing Started for NVD CVE - 2018
[INFO] Processing Complete for NVD CVE - 2018  (39958 ms)
[INFO] Processing Started for NVD CVE - Modified
[INFO] Processing Complete for NVD CVE - 2017  (48260 ms)
[INFO] Processing Complete for NVD CVE - Modified  (6681 ms)
[INFO] Begin database maintenance.
[INFO] End database maintenance.
[INFO] Check for updates complete (278493 ms)
[INFO] Analysis Started
[INFO] Finished Archive Analyzer (2 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (2 seconds)
[INFO] Finished Assembly Analyzer (2 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (4 seconds)
[INFO] Skipping CPE Analysis for npm
[INFO] Finished CPE Analyzer (6 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (14 seconds)
[WARNING] 

One or more dependencies were identified with known vulnerabilities in org.evolvis.veraweb (parent):

postgresql-42.2.5.jar (org.postgresql:postgresql:42.2.5, cpe:/a:postgresql:postgresql:42.2.5, cpe:/a:postgresql:postgresql_jdbc_driver:42.2.5) : CVE-2016-7048
javax.servlet-3.0.0.v201112011016.jar (org.eclipse.jetty.orbit:javax.servlet:3.0.0.v201112011016, cpe:/a:eclipse:jetty:3.0.0.v20111201, cpe:/a:jetty:jetty:3.0.0.v20111201) : CVE-2017-7656, CVE-2017-7658, CVE-2017-7657, CVE-2017-9735
logback-core-1.1.2.jar (cpe:/a:logback:logback:1.1.2, ch.qos.logback:logback-core:1.1.2) : CVE-2017-5929
jetty-util-9.0.7.v20131107.jar (cpe:/a:eclipse:jetty:9.0.7.v20131107, cpe:/a:jetty:jetty:9.0.7.v20131107, org.eclipse.jetty:jetty-util:9.0.7.v20131107) : CVE-2017-7656, CVE-2017-7658, CVE-2017-7657, CVE-2017-9735


See the dependency-check report for more details.

@jeremylong
Owner

It appears that the CVE was updated recently to add cpe:/a:postgresql:postgresql:- - and currently, ODC treats the "-" as any. There are plans to change this behavior as part of the move from the NVD XML data feeds to the JSON data feeds.

Additionally, we have taken the stance on DB related findings that we would only suppress specific CVEs as they are reported/found as opposed to just suppressing the CPE. The reason is that suppressing by CPE will remove all future CVEs, whereas just suppressing by CVE will still match on new/un-reviewed findings, and it is possible that one of these would affect the driver and still be listed under the database server's CPE.
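An added worked example (not code from this issue or from dependency-check itself) tying together the two points above: the affected ranges mirabilos quotes, evaluated against concrete server and driver versions, the "-" NVD version that ODC treated as "any", and a per-CVE (rather than per-CPE) suppression entry for the Maven GAV. The suppression element names (`gav`, `cve`) are my assumption of the dependency-suppression 1.1 schema; the version ranges are read as one fixed release per 9.x series.

```python
import re


def parse_version(v):
    """'9.4.10' -> (9, 4, 10); tuples compare component-wise."""
    return tuple(int(p) for p in v.split("."))


# Fixed releases from the ranges quoted in the thread (assumed reading:
# one affected series each, fixed at the version listed).
FIXED_IN = {"9.3": "9.3.15", "9.4": "9.4.10", "9.5": "9.5.5"}


def affected(version):
    """True when `version` belongs to an affected series and predates its fix."""
    v = parse_version(version)
    for series, fixed in FIXED_IN.items():
        s = parse_version(series)
        if v[: len(s)] == s and v < parse_version(fixed):
            return True
    return False


def nvd_entry_matches(entry_versions, found_version, dash_means_any):
    """Model of CPE version matching: with dash_means_any=True the NVD
    version '-' (meaning 'not applicable') matches every found version,
    which is how the 42.2.5 driver JAR ends up flagged."""
    return any(
        v == found_version or (v == "-" and dash_means_any)
        for v in entry_versions
    )


def suppression_entry(cve, group, artifact):
    """Suppress one CVE for one Maven GAV, leaving any future CVEs visible.
    Element names are an assumption about the 1.1 suppression schema."""
    gav = f"^{re.escape(group)}:{re.escape(artifact)}:.*$"
    return (
        "<suppress>\n"
        f'  <gav regex="true">{gav}</gav>\n'
        f"  <cve>{cve}</cve>\n"
        "</suppress>"
    )


if __name__ == "__main__":
    for ver in ("9.3.14", "9.3.15", "9.4.9", "10.5", "42.2.5"):
        print(ver, "affected" if affected(ver) else "not affected")
    # NVD entry versions constructed for illustration: a real 9.3 entry plus "-".
    print("flagged with '-' as any:", nvd_entry_matches(["9.3", "-"], "42.2.5", True))
    print(suppression_entry("CVE-2016-7048", "org.postgresql", "postgresql"))
```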

@smoyer64
Author

@jeremylong That all sounds reasonable ... we've suppressed it locally for now but let me know if we can help with the conversion to JSON, etc.

@mirabilos

mirabilos commented Oct 24, 2018 via email

@jeremylong
Owner

@mirabilos you are more than welcome to go use another product in this space - no need to be rude to maintainers.

  1. While a CPE may be present for postgresql_jdbc_driver there are other cases where the driver and server may be reported under the same CPE (see CVE-2018-1282).
  2. As explained above this is a database related finding as it is a PostgreSQL CVE (not sure if that was a rhetorical question?). Also as explained above the specific CVE in question will be flagged for ALL versions of PostgreSQL because currently ODC treats "-" in the version number as any version. Treating the "-" as "any" will be resolved in the near future when we move from the NVD XML data feeds to the JSON data feeds.

@lock

lock bot commented Nov 27, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Nov 27, 2018