ZOOKEEPER-4469: Suppress OWASP false positives related to Netty TCNative #1817
Conversation
Are we absolutely sure we can simply skip these checks for the netty-tcnative library? Isn't this something we use through netty when we do ClientTLS or QuorumTLS? I see in the pom.xml file that we use a quite recent netty, but a very old netty-tcnative-classes:
Some of these CVEs are actually quite scary (many affecting only the https admin api interface, but some can affect regular QuorumSSL and ClientSSL interfaces too, AFAICT). I also don't really understand what the netty-tcnative-classes artifact is. It is not mentioned in the documentation I found about netty-tcnative: https://netty.io/wiki/forked-tomcat-native.html
never mind, I see 2.0.48.Final is actually the latest netty-tcnative. In this case I don't understand why these old CVEs appeared now. How can we get e.g. this one: https://nvd.nist.gov/vuln/detail/CVE-2015-2156 Do we have some old netty on our classpath we should exclude?
I checked the maven dependency tree, and we don't have any old netty on our class path. These CVEs should not have appeared. Maybe OWASP is mixing the netty-tcnative version with the regular netty version?
Yes, looks like it: https://www.giters.com/jeremylong/DependencyCheck/issues/3867 edit: here's the merged patch, owasp was fixed in 6.5.2: jeremylong/DependencyCheck#3865
Can we update owasp to latest 6.5.3? Will it cause any issues?
Unless we want to upgrade to latest owasp (6.5.3, we are on 5.3.0, so major version change is required) this is a +1 from me. It is a false positive, see previous comments.
@eolivelli @symat OWASP upgrade makes sense to me too.
yeah... although even the latest OWASP version seems to find false positives:
Here e.g. CVE-2021-43797 should affect only netty prior to 4.1.71.Final and we already have 4.1.73.Final. See: https://nvd.nist.gov/vuln/detail/CVE-2021-43797 Interesting that OWASP 6.5.3 found some additional CVEs. (e.g. CVE-2021-29425, etc) These should be investigated too.
I think the nicest would be to update to the latest OWASP, then go through the reported CVEs one-by-one to see if they are really false positives. |
I tried again, purging my local CVE database this time before running the new OWASP check with latest OWASP 6.5.3. It still reports the same 11 netty and 3 other CVEs that I listed before.
That's a bummer, I double checked, this is a closed item in 6.5.2 milestone (one up from last item): https://github.com/jeremylong/DependencyCheck/milestone/38?closed=1
OK, I double-checked all the CVE errors detected by the latest OWASP 6.5.3. All of these are false positives. Also I checked the maven dependency tree to make sure we don't have any old netty/jetty/commons-io jars on the classpath. I think we are good to go. But I recommend still updating to the latest OWASP version in our project and also suppressing these CVEs below. (let's hope OWASP will be fixed later to produce fewer false positives)
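As an added illustration (not the suppression file from this PR), this is how a dependency-check suppression can be scoped so it only covers the misidentified netty-tcnative artifacts and not io.netty:netty itself; the artifact coordinates and CVE come from the discussion above, while the file name suppressions.xml and the notes text are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- suppressions.xml: scoped suppression for the netty-tcnative false positives
     discussed above. The packageUrl regex restricts the rule to
     io.netty:netty-tcnative* artifacts, so a genuinely vulnerable io.netty:netty
     jar on the classpath would still be reported. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Root cause: the scanner maps netty-tcnative 2.0.x to the cpe:/a:netty:netty
       product and then applies old netty CVE version ranges to it. Suppressing the
       wrong CPE match for these artifacts removes every CVE that derives from it. -->
  <suppress>
    <notes><![CDATA[
      netty-tcnative-* is misidentified as netty:netty (ZOOKEEPER-4469,
      jeremylong/DependencyCheck#3865 only fixed the netty:netty artifact).
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/io\.netty/netty\-tcnative.*$</packageUrl>
    <cpe>cpe:/a:netty:netty</cpe>
  </suppress>

  <!-- Narrower alternative: suppress one specific CVE for the same artifacts only.
       Prefer this form when a reviewer has verified that single finding. -->
  <suppress>
    <notes><![CDATA[
      CVE-2015-2156 affects netty < 3.9.8 / 4.0.28 / 4.1.0-Beta5, not netty-tcnative 2.0.48.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/io\.netty/netty\-tcnative.*$</packageUrl>
    <cve>CVE-2015-2156</cve>
  </suppress>

</suppressions>
```

The file is referenced from the dependency-check-maven plugin via its suppressionFiles configuration; re-run mvn dependency-check:check after adding it and confirm the report's suppressed findings list contains only the expected netty-tcnative entries.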
I have updated the OWASP plugin to 6.5.3, but it does not reveal additional CVEs
@nkalmar please take another look
@symat I have run the checker locally several times, cleaning the local cache, but I haven't seen new CVEs reported
interesting... I'm also unable now to reproduce the additional jetty and commons-io related false positives for some reason. Anyway, I think your PR is good and the mvn clean package -DskipTests dependency-check:check is successful for me now.
Let's merge this and go ahead with the RC...
More context here: https://issues.apache.org/jira/browse/ZOOKEEPER-4469
I am also updating the OWASP dependency check
Author: Enrico Olivelli <eolivelli@apache.org>
Reviewers: Norbert Kalmar <nkalmar@apache.org>, Mate Szalay-Beko <symat@apache.org>
Closes #1817 from eolivelli/ZOOKEEPER-4469
(cherry picked from commit 428e6f9)
Signed-off-by: Mate Szalay-Beko <symat@apache.org>
I merged this to the following branches:
On branch 3.5 I don't see we use netty tcnative, at least we don't have it explicitly added in pom.xml. However, I see some other CVE errors on that branch. We will have to handle branch-3.5 with a separate Jira later (after the 3.8.0 release, when we prepare 3.5.10)
One of the devs at owasp clarified to me that this was only fixed for the netty:netty artifact, and he also opened a new issue to fix it in other artifacts as well. So this is why we still see false positives in netty-tcnative.