False positive for tomcat-annotations-api-8.5.23.jar

[maxim-vorotilo]

False positive on library tomcat-annotations-api-8.5.23.jar - reported as cpe:/a:apache:tomcat:3.0

dependency checker treated version 3.0 of Java API for Servlets (Annotations) as tomcat version.

<!-- https://mvnrepository.com/artifact/org.apache.tomcat/tomcat-annotations-api -->
<dependency>
    <groupId>org.apache.tomcat</groupId>
    <artifactId>tomcat-annotations-api</artifactId>
    <version>8.5.23</version>
</dependency>

I tried all versions more then 8.5.23 (i.e. 9.0.1) and have the same situation.

[jeremylong]

Thanks for the report - we will look at including a patch in the next release.

[jeremylong]

This is one of the difficult FP for me to blindly suppress as the dependency in question is for a specific version of tomcat and could indicate an issue in your environment. This annotation library is part of tomcat. I'm on the fence with just suppressing this one - so here are two ideas:

1. ensure that this dependency is in the <scope>provided</scope and then configure dependency-check to skip the provided scope. This works well for more traditional environments where the folks doing the builds are not maintaining the servers - we can hope your patching program keeps tomcat up-to-date.
2. You can suppress these findings with the suppression rule below (or instead possibly suppress just the specific CVEs that are being flagged). I would probably recommend in this case to just suppress the specific CVEs - especially if in more of a dev-ops environment so if a new finding shows up you can be made aware to upgrade tomcat.

<suppress>
   <notes><![CDATA[
   file name: tomcat-annotations-api-8.5.23.jar
   ]]></notes>
   <gav regex="true">^org\.apache\.tomcat:tomcat-annotations-api:.*$</gav>
   <cpe>cpe:/a:apache:tomcat</cpe>
   <cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
   <cpe>cpe:/a:apache_software_foundation:tomcat</cpe>
</suppress>

[maxim-vorotilo]

I tried all versions more then 8.5.23 (i.e. 9.0.1) and have the same situation.

Sorry, but thats not specific version. I just created ticket for version which i need, but problem exists for all versions.

I have no specific CVEs. All CVEs starting from tomcat 3.0 (it's very old tomcat) are in report. It's because of cpe:/a:apache:tomcat is not correctly parsed for tomcat-annotations-api-...jar and dependency-checker think that i use tomcat 3.0.

Thus, even if i suppress all these CVEs, every new CVE will break our build.

[jeremylong]

The three CVEs you are seeing affect every version of tomcat per the NVD. These are not old CVEs that only affect tomcat 3.0. However, if you read the description you can determine if your installation would be affected. If you do not feel these are a risk I would recommend suppressing them. At that point only future CVEs against tomcat that the NVD flags as affecting all versions would break your build.

[anderruiz]

I believe this is a real issue rather than a question, the problem I believe is that any tomcat-annotations-api-X.X.X.jar has the following information in the manifest.mf

Manifest-Version: 1.0
Name: javax/servlet/
Specification-Title: Java API for Servlets (Annotations)
Specification-Version: 3.0
Specification-Vendor: Sun Microsystems, Inc.
Implementation-Title: javax.servlet
Implementation-Version: 3.0.FR
Implementation-Vendor: Apache Software Foundation

There is no tomcat related information in the manifest but I believe this is transformed to:

cpe:/a:apache:tomcat:3.0

Causing in our case 34 false positives that related with old versions of tomcat because it is considering that we are running a 3.0 version of tomcat when we could be using even the latest version.

The same applies to el-api.jar and tomcat-servlet-api.jar in tomcat 9 at least

Name: javax/el/
Specification-Title: Expression Language
Specification-Version: 3.0
Specification-Vendor: Sun Microsystems, Inc.
Implementation-Title: javax.el
Implementation-Version: 3.0.FR
Implementation-Vendor: Apache Software Foundation

[anderruiz]

I've just tested and with dependency-check 2.1.1 this was not happening (because no cpe was created for this jar)

[jeremylong]

Sorry for the huge delay in response. The issue with the evidence collection has been resolved - the evidence pointing at the spec is not used in the analysis. This was actually resolved in a previous version (not just the latest snapshot).

In addition, since this ticket was opened the project made a change to how we are handling some of the "environment" type issues - we are creating suppression filters for them as they do create a lot of noise. As such, a suppression rule has been added for annotations.

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.