
False Positive on any artifact with an ID or group ID that contains the name of a vulnerable library


Looks like something has happened to the library pattern matching recently.

Example:

False positive CVE-2005-2311 on one of our internal library dependencies - reported as cpe:2.3:a:sms:sms:0.1.0:snapshot:*:*:*:*:*:*

<dependency>
  <groupId>com.sinch.sms</groupId>
  <artifactId>msisdn-validation-management-api</artifactId>
  <version>0.1.0-SNAPSHOT</version>
</dependency>

Same thing with another internal library named ha-scheduled-message-grpc, which was reported to contain an old vulnerability in GRPC library from 2017.


Top GitHub Comments

Chr1stian commented, Apr 14, 2021

@jeremylong What is a good way to write a suppression rule that ignores the warnings related to grpc version, but still will warn about any new OWASP positives for the given package/dependency?

My current attempt after reading the docs/wiki, but really unsure if it works as intended:

<suppress>
    <notes><![CDATA[
    This suppresses false positives identified on gRPC security. https://github.com/jeremylong/DependencyCheck/issues/2995
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.lightbend\.akka\.grpc/akka\-grpc\-runtime_2\.13@.*$</packageUrl>
    <cpe>cpe:/a:akka:akka</cpe>
    <cpe>cpe:/a:grpc:grpc</cpe>
    <cpe>cpe:/a:lightbend:akka</cpe>
    <cpe>cpe:/a:lightbend:akka-http</cpe>
    <cpe>cpe:/a:lightbend:akka_http</cpe>
</suppress>
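A way to check what a rule of this shape actually hides, as an added example that is not DependencyCheck's own code: a small Python model of a packageUrl-plus-cpe suppression, run over constructed findings. It assumes the packageUrl regex is matched against the whole package URL and that each <cpe> value is matched as a prefix of the reported CPE; the other selectors (sha1, filePath, cve) are left out.

```python
import re
import xml.etree.ElementTree as ET

# Constructed suppressions file built from the rule quoted above (a real file
# also declares the dependency-suppression namespace, which local() strips).
SUPPRESSIONS_XML = r"""<suppressions>
  <suppress>
    <packageUrl regex="true">^pkg:maven/com\.lightbend\.akka\.grpc/akka\-grpc\-runtime_2\.13@.*$</packageUrl>
    <cpe>cpe:/a:akka:akka</cpe>
    <cpe>cpe:/a:grpc:grpc</cpe>
    <cpe>cpe:/a:lightbend:akka</cpe>
  </suppress>
</suppressions>"""

# Constructed findings: (package URL of the dependency, CPE the scanner matched).
AKKA_GRPC = "pkg:maven/com.lightbend.akka.grpc/akka-grpc-runtime_2.13@1.0.2"
SINCH_SMS = "pkg:maven/com.sinch.sms/msisdn-validation-management-api@0.1.0-SNAPSHOT"
FINDINGS = [(AKKA_GRPC, "cpe:/a:grpc:grpc:1.0.2"),    # listed CPE, matching package
            (AKKA_GRPC, "cpe:/a:netty:netty:4.1.0"),  # new CPE on the same package
            (SINCH_SMS, "cpe:/a:grpc:grpc")]          # listed CPE, other package

def local(tag):  # '{namespace}suppress' -> 'suppress'
    return tag.rsplit("}", 1)[-1]

def load_rules(xml_text):
    """One (purl_pattern, is_regex, cpe_prefixes) tuple per <suppress> element."""
    rules = []
    for node in ET.fromstring(xml_text).iter():
        if local(node.tag) == "suppress":
            purl = next((c for c in node if local(c.tag) == "packageUrl"), None)
            cpes = [c.text.strip() for c in node if local(c.tag) == "cpe"]
            rules.append((purl.text.strip() if purl is not None else None,
                          purl is not None and purl.get("regex") == "true", cpes))
    return rules

def is_suppressed(rules, purl, cpe):
    """Hidden when a rule's packageUrl matches (whole-string regex or exact text)
    AND the CPE starts with one of that rule's <cpe> values (assumed prefix match)."""
    for rule_purl, is_regex, cpes in rules:
        if rule_purl is None:
            continue
        purl_ok = re.fullmatch(rule_purl, purl) if is_regex else rule_purl == purl
        if purl_ok and any(cpe.startswith(p) for p in cpes):
            return True
    return False

def triage(xml_text=SUPPRESSIONS_XML, findings=FINDINGS):
    """Return {(purl, cpe): suppressed?} so the still-reported findings stand out."""
    rules = load_rules(xml_text)
    return {f: is_suppressed(rules, *f) for f in findings}
```

Under this model the netty CPE on the akka-grpc artifact and the grpc CPE on the sms artifact both stay reported; only the listed CPEs on the matching package are hidden.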
mikaelcarlstedt commented, Dec 4, 2020

@theHilikus That first filename containing grpc indicates it’s the same issue.
