
DependencyCheck does not find some vulnerabilities for composer.lock file scan #1387

Closed
maxx-nomad opened this issue Jul 18, 2018 · 5 comments · Fixed by #5434

Comments

@maxx-nomad

Reporting Bugs/Errors

I scan my project for vulnerable composer dependencies with DependencyCheck (Jenkins plugin or cli version) and some vulnerabilities are not detected.

Example

For example, I use yii2 (2.0.12). It has vulnerabilities:
CVE-2018-7269, CVE-2018-6009, CVE-2018-6010.
But I see in report "Vulnerable Dependencies: 0"

All databases are updated:
NVD CVE 2018: 18/07/2018 17:13:51
NVD CVE Checked: 18/07/2018 17:15:33
NVD CVE Modified: 18/07/2018 16:00:56
VersionCheckOn: 1531934133930

@jeremylong
Owner

Thank you for the bug report. I will try and look at this one soon.

@darshanmhatre

@jeremylong Any updates on this?

@obriat

obriat commented Feb 6, 2023

This feature is useless.
It didn't detect actual issues (here a major symfony one) and mixed up package name and version.
It's particularly true for Drupal modules, which trigger 14-year-old issues:

composer create-project drupal/recommended-project:9.4.10 . --stability dev --no-interaction --no-install
composer require drush/drush drupal/rest_views drupal/views_attach_library drupal/views_bulk_operations drupal/views_data_export drupal/views_field_compare drupal/leaflet_views

❯ composer audit --locked
Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | symfony/http-kernel                                                              |
| CVE               | CVE-2022-24894                                                                   |
| Title             | CVE-2022-24894: Prevent storing cookie headers in HttpCache                      |
| URL               | https://symfony.com/cve-2022-24894                                               |
| Affected versions | >=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.4.0|>=2.4.0,<2.5.0|>=2.5 |
|                   | .0,<2.6.0|>=2.6.0,<2.7.0|>=2.7.0,<2.8.0|>=2.8.0,<3.0.0|>=3.0.0,<3.1.0|>=3.1.0,<3 |
|                   | .2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<4.0.0|>=4.0.0,<4.1.0|>=4.1.0,<4.2.0| |
|                   | >=4.2.0,<4.3.0|>=4.3.0,<4.4.0|>=4.4.0,<4.4.50|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5. |
|                   | 2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.20|>=6.0.0,<6.0.20|>=6.1.0,<6.1.12|>=6.2. |
|                   | 0,<6.2.6                                                                         |
| Reported at       | 2023-02-01T08:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
 
./vendor/bin/drush sec
 [success] There are no outstanding security updates for Drupal projects.

docker run --rm -e user=$USER -u $(id -u ${USER}):$(id -g ${USER}) --volume dependency-check:/usr/share/dependency-check/data:z --volume $(pwd):/src:z  owasp/dependency-check:latest --scan ./composer.lock  --format "CSV" --project dependency-check scan: $(pwd) --out /src --enableExperimental


❯ sed -E 's/^.*(pkg[^,]*).*/\1/g' dependency-check-report.csv
pkg:composer/pear/pear-core-minimal@1.10.11
pkg:composer/pear/pear_exception@1.0.2
pkg:composer/drupal/rest_views@2.0.1
pkg:composer/drupal/views_attach_library@2.0.2
pkg:composer/drupal/views_bulk_operations@4.2.3
pkg:composer/drupal/views_bulk_operations@4.2.3
pkg:composer/drupal/views_data_export@1.2.0
pkg:composer/drupal/views_field_compare@1.0.0

In this example, I detect several problems:

  • dependency-check fails to detect CVE-2022-24894 on symfony/http-kernel
  • it detects all packages that contain "views_*" as the old views module (before Drupal 8) and not as plain modules such as "drupal/views_data_export"
  • I'm not a PEAR expert, but it seems that it's the same problem: wrong package detection
  • About the version mismatch, it's a Drupal "problem", since the numbering changed after the Drupal 8.8 release

I opened an issue on the Drupal side:
https://www.drupal.org/project/drupal/issues/3339743#comment-14909313
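A defender-side check that fits the two observations above (the symfony/http-kernel finding that never appears, and the views_bulk_operations row that appears twice): added example code, not from this thread or the dependency-check project, that lists what composer.lock pins but the CSV report never mentions, plus repeated report rows. It assumes the report's purl can be matched with the same regex idea as the sed one-liner, that a leading "v" in composer versions is dropped, and uses constructed lock and CSV samples with simplified columns.

```python
# Reconcile composer.lock against an OWASP dependency-check CSV report.
# Added example, not code from the thread or the dependency-check project; the
# lock excerpt and CSV rows are constructed and the columns are simplified.
import csv
import io
import json
import re
from collections import Counter

# Same idea as the sed one-liner in the thread: pull the purl out of each row.
PURL_RE = re.compile(r"pkg:composer/[^,\s\"]+")

SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/http-kernel", "version": "v6.2.5"},
        {"name": "drupal/views_data_export", "version": "1.2.0"},
        {"name": "drupal/views_bulk_operations", "version": "4.2.3"}],
    "packages-dev": [{"name": "drush/drush", "version": "11.5.1"}]})

# Constructed rows: http-kernel missing and one package repeated, as in the thread.
SAMPLE_REPORT_CSV = """\
"Project","DependencyName","Identifiers","CVE"
"dc","views_data_export","pkg:composer/drupal/views_data_export@1.2.0","CVE-PLACEHOLDER-A"
"dc","views_bulk_operations","pkg:composer/drupal/views_bulk_operations@4.2.3","CVE-PLACEHOLDER-A"
"dc","views_bulk_operations","pkg:composer/drupal/views_bulk_operations@4.2.3","CVE-PLACEHOLDER-B"
"""

def lock_purls(lock_text: str) -> set[str]:
    """Every pinned package (dev included) as pkg:composer/<name>@<version>."""
    lock = json.loads(lock_text)
    purls = set()
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            # Assumption: drop composer's leading "v" so tags match report purls.
            purls.add(f"pkg:composer/{pkg['name']}@{pkg['version'].lstrip('v')}")
    return purls

def report_purls(csv_text: str) -> Counter:
    """purl -> number of report rows naming it (repeats are one symptom above)."""
    found: Counter = Counter()
    for row in csv.reader(io.StringIO(csv_text)):
        hits = [m.group(0) for m in map(PURL_RE.search, row) if m]
        if hits:
            found[hits[0]] += 1
    return found

def reconcile(lock_text: str, csv_text: str) -> dict:
    """What the scanner never reported, reported without being locked, or repeated."""
    locked, reported = lock_purls(lock_text), report_purls(csv_text)
    return {"not_in_report": sorted(locked - set(reported)),
            "not_in_lock": sorted(set(reported) - locked),
            "duplicated": sorted(p for p, n in reported.items() if n > 1)}
```

Anything in "not_in_report" is a package the scanner said nothing about at all, which is worth checking against composer audit before trusting a "Vulnerable Dependencies: 0" result.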

@jeremylong
Owner

@obriat CVE-2022-24894 is still awaiting analysis at the NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-24894. ODC wouldn't report on this until the vulnerability is in a published state.

@jeremylong
Owner

ODC will identify the vulnerabilities in yii2 if the OSS Index Analyzer is enabled.

jeremylong added a commit that referenced this issue Feb 8, 2023
lukasz-wolski added a commit to hmcts/rd-caseworker-ref-api that referenced this issue May 5, 2023
jeremylong/DependencyCheck#1387 suggests there are false positives reported by dependency check