Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Transitive dependency versions getting conflated with parent dependencies (such as xstream -> mxparser)

See original GitHub issue

Describe the bug Some new vulnerabilities were added to the database w.r.t. XStream versions earlier than 1.4.16. That’s of course a good thing. However, even after updating the XStream dependency to version 1.4.16, the DependencyCheck Maven plugin keeps reporting a whole laundry list of vulnerabilities, all of which should have been fixed in XStream 1.4.1.6, and some of which were already fixed in earlier versions of XStream as well:

mxparser-1.2.1.jar (pkg:maven/io.github.x-stream/mxparser@1.2.1, cpe:2.3:a:xstream_project:xstream:1.2.1:*:*:*:*:*:*:*) : CVE-2013-7285, CVE-2016-3674, CVE-2017-7957, CVE-2020-26217, CVE-2020-26258, CVE-2020-26259, CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350, CVE-2021-21351

I’ve checked the descriptions/summaries of all of these listed CVEs in the NIST database, and all of them pertain only to XStream versions earlier than 1.4.16, and none of them appear to have anything to do with the transitive mxparser dependency.

For users of the DependencyCheck plugins who are googling for these specific CVEs, I’m listing and summarizing them below:

  • CVE-2021-21349 -> Mitigated in XStream 1.4.16, no mention of mxparser anywhere in the CVE’s description
  • CVE-2021-21348 -> Mitigated in XStream 1.4.16, no mention of mxparser anywhere in the CVE’s description
  • CVE-2013-7285 -> Mitigated in XStream 1.4.11, no mention of mxparser anywhere in the CVE’s description
  • CVE-2020-26217 -> Mitigated in XStream 1.4.14, no mention of mxparser anywhere in the CVE’s description
  • CVE-2021-21347 -> Mitigated in XStream 1.4.16, no mention of mxparser anywhere in the CVE’s description
  • CVE-2021-21346 -> Mitigated in XStream 1.4.16, no mention of mxparser anywhere in the CVE’s description
  • CVE-2021-21345 -> Mitigated in XStream 1.4.16, no mention of mxparser anywhere in the CVE’s description
  • CVE-2021-21344 -> Mitigated in XStream 1.4.16, no mention of mxparser anywhere in the CVE’s description
  • CVE-2021-21343 -> Mitigated in XStream 1.4.16, no mention of mxparser anywhere in the CVE’s description
  • CVE-2021-21342 -> Mitigated in XStream 1.4.16, no mention of mxparser anywhere in the CVE’s description
  • CVE-2021-21341 -> Mitigated in XStream 1.4.16, no mention of mxparser anywhere in the CVE’s description
  • CVE-2021-21351 -> Mitigated in XStream 1.4.16, no mention of mxparser anywhere in the CVE’s description
  • CVE-2021-21350 -> Mitigated in XStream 1.4.16, no mention of mxparser anywhere in the CVE’s description
  • CVE-2020-26259 -> Mitigated in XStream 1.4.15, no mention of mxparser anywhere in the CVE’s description
  • CVE-2020-26258 -> Mitigated in XStream 1.4.15, no mention of mxparser anywhere in the CVE’s description
  • CVE-2016-3674 -> Mitigated in XStream 1.4.9, no mention of mxparser anywhere in the CVE’s description
  • CVE-2017-7957 -> Mitigated in XStream 1.4.10, no mention of mxparser anywhere in the CVE’s description

I’ve encountered this issue often. Apparently the regex that is being used to check the minimum version of a potentially vulnerable dependency is erroneously checking the version numbers of any of its transitive dependencies as well. Adding false positives to the suppression file works as a workaround, but since this issue has been occurring often, a lot of false positives have had to be added to the suppression file this way. It would be nice if the underlying issue could be resolved, since it would alleviate the maintenance burden of the suppression file by any developers making use of the DependencyCheck plugin.

Version of dependency-check used Tested with multiple versions of the plugin:

  • The problem occurs using version 6.1.1 of the maven plugin.
  • The problem occurs using version 6.1.3 of the maven plugin.

Log file I’ll provide one on request.

To Reproduce Steps to reproduce the behavior:

  1. Run the Maven Dependency Check plugin on a Maven project that has the XStream dependency version 1.4.16. Specifically this dependency:

         <dependency>
         <groupId>com.thoughtworks.xstream</groupId>
         <artifactId>xstream</artifactId>
         <version>1.4.16</version>
     </dependency>

Expected behavior None of the vulnerabilities that have been mitigated in XStream 1.4.16 should be reported by the plugin.

Additional context a whole laundry list of vulnerabilities that have been mitigated in XStream 1.4.16 are erroneously reported by the plugin, incorrectly pointing at the transitive dependency mxparser-1.2.1.jar as the alleged culprit.

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Comments:6 (6 by maintainers)

github_iconTop GitHub Comments

1reaction
jeremylongcommented, Mar 26, 2021

One thing to note - the core engine that identifies the CPEs does not currently have the dependency tree. Rather it just analyzes the files provided. This is so that multiple build systems and the command line interface can be supported.

0reactions
volkert-fastnedcommented, Mar 26, 2021

@jeremylong So in addition to the suppression that you suggested, I added the following one as well, and that finally shut it up:

    <suppress>
        <notes><![CDATA[
      mxparser is not Oracle JDK.
      ]]></notes>
        <packageUrl regex="true">^pkg:maven/io\.github\.x\-stream/mxparser@.*$</packageUrl>
        <cpe>cpe:/a:oracle:jdk</cpe>
    </suppress>

It’s still weird how your suppression suddenly triggered this false positive, though. Anyway, you might want to add this suppression to 6.1.4 as well. Thanks again. 🙂

Read more comments on GitHub >

github_iconTop Results From Across the Web

Maven dependency within dependency with different scope
I think the project's xstream dependency scope, 'test' is overriding the mylibrary's xstream dependency scope, 'compile'. In this kind of ...
Read more >
Overriding Dependency Versions and Using Version Ranges ...
Get step-by-step guidance on managing dependencies in Maven: declare dependencies, overriding dependency versions, and using version ranges.
Read more >
Overriding Dependency Versions with Spring Boot
This article explains some of the dependency management tricks that can be used to create libraries and apps that depend on newer versions...
Read more >
How to Resolve a Version Collision of Artifacts in Maven
We looked at how to control dependencies versions with the dependencyManagement section in the parent pom.xml. Finally, we tried the maven- ...
Read more >
arXiv:2001.07808v1 [cs.SE] 21 Jan 2020
due to transitive dependencies and the complexities of dependency ... artifacts in the classpath of Maven projects such as jxls-poi are ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

JsonArrayFixingInputStream produces broken output on certain repositories

Next page

Blocker (regression in 6.1.2): "Unable to find method 'com.google.common.collect.ImmutableList.toImmutableList()Ljava/util/stream/Collector;'"