
Project- and version-based false positives when shadow-cljs is a dependency #20

Closed
p-himik opened this issue Mar 11, 2022 · 5 comments
p-himik commented Mar 11, 2022

Attached at the bottom is trimmed output generated with the -Tclj-watson command from the README.

By CVE ID:

  • CVE-2017-12424 - a completely unrelated product
  • CVE-2020-8910 - only relevant for version v20200224 and below, but the version in use is 0.0-20211011-0726fdeb, which is newer
Dependency Information
-----------------------------------------------------
NAME: thheller/shadow-cljsjs
VERSION: 0.0.22

DEPENDENCY FOUND IN:

[thheller/shadow-cljs]


FIX SUGGESTION: No secure version available
Vulnerabilities
-----------------------------------------------------

SEVERITY: CRITICAL
IDENTIFIERS: CVE-2017-12424 
CVSS: 9.8
PATCHED VERSION: Information not available.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Dependency Information
-----------------------------------------------------
NAME: org.clojure/google-closure-library
VERSION: 0.0-20211011-0726fdeb

DEPENDENCY FOUND IN:

[thheller/shadow-cljs]


FIX SUGGESTION: No secure version available
Vulnerabilities
-----------------------------------------------------

SEVERITY: MEDIUM
IDENTIFIERS: CVE-2020-8910 
CVSS: 6.5
PATCHED VERSION: Information not available.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Dependency Information
-----------------------------------------------------
NAME: thheller/shadow-cljs
VERSION: 2.17.5

DEPENDENCY FOUND IN:

Direct dependency.

FIX SUGGESTION: No secure version available
Vulnerabilities
-----------------------------------------------------

SEVERITY: CRITICAL
IDENTIFIERS: CVE-2017-12424 
CVSS: 9.8
PATCHED VERSION: Information not available.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Dependency Information
-----------------------------------------------------
NAME: thheller/shadow-util
VERSION: 0.7.0

DEPENDENCY FOUND IN:

[thheller/shadow-cljs]


FIX SUGGESTION: No secure version available
Vulnerabilities
-----------------------------------------------------

SEVERITY: CRITICAL
IDENTIFIERS: CVE-2017-12424 
CVSS: 9.8
PATCHED VERSION: Information not available.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Dependency Information
-----------------------------------------------------
NAME: thheller/shadow-client
VERSION: 1.3.3

DEPENDENCY FOUND IN:

[thheller/shadow-cljs]


FIX SUGGESTION: No secure version available
Vulnerabilities
-----------------------------------------------------

SEVERITY: CRITICAL
IDENTIFIERS: CVE-2017-12424 
CVSS: 9.8
PATCHED VERSION: Information not available.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Dependency Information
-----------------------------------------------------
NAME: thheller/shadow-undertow
VERSION: 0.2.0

DEPENDENCY FOUND IN:

[thheller/shadow-cljs]


FIX SUGGESTION: No secure version available
Vulnerabilities
-----------------------------------------------------

SEVERITY: CRITICAL
IDENTIFIERS: CVE-2017-12424 
CVSS: 9.8
PATCHED VERSION: Information not available.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@mthbernardes (Contributor)

Which scan method did you use?

p-himik commented Mar 18, 2022

As mentioned, I used the command from the README, namely

$ clojure -Tclj-watson scan '{:output "stdout" :dependency-check-properties nil :fail-on-result true :deps-edn-path "deps.edn" :suggest-fix true :aliases ["*"] :database-strategy "dependency-check"}'

@mthbernardes (Contributor)

Could you try to execute it using github-advisory mode?
Just asking because the strategy you used relies entirely on the DependencyCheck match algorithm.

p-himik commented Mar 19, 2022

I see. Yeah, the issue is not reproducible with that strategy. I'll try to reproduce it with just DependencyCheck.

p-himik commented Mar 20, 2022

Reported jeremylong/DependencyCheck#4237

@p-himik p-himik closed this as completed Mar 20, 2022