Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Unsuppressable vulnerability: BREACH attack possible in CSRF tokens

See original GitHub issue

Describe the bug Using org.springframework.security:spring-security-core:4.2.12.RELEASE reports a vulnerability:

BREACH attack possible in CSRF tokens

Suppressing it with:

<suppress>
    <gav regex="true">^org\.springframework\.security:spring-security-core:.*$</gav>
    <cpe>cpe:/a:pivotal_software:spring_security</cpe>
</suppress>

Changes the log message but doesn’t fully suppress it:

[WARNING] 

One or more dependencies were identified with known vulnerabilities in Logbook: Spring Boot Auto Configuration:

spring-security-core-4.2.12.RELEASE.jar (pkg:maven/org.springframework.security/spring-security-core@4.2.12.RELEASE) : BREACH attack possible in CSRF tokens

The report doesn’t include a suppress button for this.

Version of dependency-check used 5.0.0

Log file

[WARNING] 

One or more dependencies were identified with known vulnerabilities in Logbook: Spring Boot Auto Configuration:

spring-security-core-4.2.12.RELEASE.jar (pkg:maven/org.springframework.security/spring-security-core@4.2.12.RELEASE, cpe:2.3:a:pivotal_software:spring_security:4.2.12.release:*:*:*:*:*:*:*) : BREACH attack possible in CSRF tokens

https://github.com/zalando/logbook/pull/533 https://travis-ci.org/zalando/logbook/jobs/543568823

To Reproduce Steps to reproduce the behavior:

Go to https://github.com/zalando/logbook/pull/533
Checkout branch dependabot/maven/org.owasp-dependency-check-maven-5.0.0
Run mvn clean verify -D skipTests -P spring4
See error

Expected behavior I want to suppress this.

Issue Analytics

State:
Created 4 years ago
Comments:5 (1 by maintainers)

Top GitHub Comments

1reaction

jeremylongcommented, Jul 5, 2019

The OSS Index Analyzer may bring in vulnerabilities that do not exist in the NVD data feeds. With the release of 5.1.0 you can now suppress these findings using the new 1.3 suppression schema. This ticket should have been closed on 2019-06-28 when 5.1.0 was released .- I apologize that I missed closing this one. An example of the new suppression schema is below (note, ODC is backwards compatible with previous schemas):

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        This suppresses a CVE identified by OSS Index using the vulnerability name and packageUrl.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty-server@.*$</packageUrl>
        <vulnerabilityName>CVE-2017-7656</vulnerabilityName>
    </suppress>
</suppressions>

0reactions

tjaronencommented, Jul 5, 2019

I re-enabled OSS index Analyzer and suppressed this vulnerability now like this:

    <suppress>
        <notes><![CDATA[
        This suppresses a CVE identified by OSS Index using the vulnerability name and packageUrl.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring-security-core@4.2.12.RELEASE$</packageUrl>
        <vulnerabilityName>BREACH attack possible in CSRF tokens</vulnerabilityName>
    </suppress>