
[FP]: False Positive on grpc-netty / grpc-netty-shaded : 1.50.2.jar #5206

Closed
keerthanavenky opened this issue Jan 4, 2023 · 17 comments · Fixed by #5503
Labels
bug documentation site documentation
Comments

@keerthanavenky

keerthanavenky commented Jan 4, 2023

Package URL

pkg:maven/io.grpc/grpc-netty-shaded@1.50.2

CPE

cpe:2.3:a:netty:netty:1.50.2:*:*:*:*:*:*:*

CVE

CVE-2019-20444

ODC Integration

None

ODC Version

7.4.1

Description

False positive on library grpc-netty-shaded-1.50.2.jar

Find below the vulnerabilities reported by the dependency check tool:

CVE-2019-20444
CVE-2019-20445
CVE-2015-2156
CVE-2019-16869
CVE-2021-37136
CVE-2021-37137
CVE-2022-41881
CVE-2021-43797
CVE-2022-41915
CVE-2021-21295
CVE-2021-21409
CVE-2021-21290
CVE-2022-24823
CVE-2014-3488

I have gone through all these CVEs and could not find anything related to grpc-netty-shaded.
The issues shown are related to other netty libraries.

@github-actions
Contributor

github-actions bot commented Jan 4, 2023

Error parsing package url: grpc-netty-shaded-1.50.2.jar.

Error: Error: purl is missing the required "pkg" scheme component.

Please correct the package URL - consider copying the package url from the HTML report.

@github-actions
Contributor

github-actions bot commented Jan 4, 2023

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/3835877544

@github-actions
Contributor

github-actions bot commented Jan 4, 2023

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/3835894847

@github-actions
Contributor

github-actions bot commented Jan 4, 2023

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/3836317510

@github-actions
Contributor

github-actions bot commented Jan 4, 2023

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/3836388339

@github-actions
Contributor

github-actions bot commented Jan 4, 2023

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/3836843123

@aikebah
Collaborator

aikebah commented Jan 7, 2023

@keerthanavenky Can you share more info on how you run it? The FP is expected to not happen for any of the 7.x versions. I tried reproduction with both Maven-plugin and CLI and fail to get the FP CPE match you mention.

@abdullahkmunawar

@aikebah we are leveraging the gradle plugin

@aikebah
Collaborator

aikebah commented Jan 17, 2023

@aikebah we are leveraging the gradle plugin

Could not reproduce with the following build.gradle.kts:

plugins {
    kotlin("jvm") version "1.8.0"
    id("org.owasp.dependencycheck") version "7.4.1"
}

group = "com.example"
version = "1.0-SNAPSHOT"

repositories {
    mavenCentral()
}

dependencies {
    implementation("io.grpc", "grpc-netty-shaded", "1.50.2")
}

gradle --version

------------------------------------------------------------
Gradle 7.6
------------------------------------------------------------

Build time:   2022-11-25 13:35:10 UTC
Revision:     daece9dbc5b79370cc8e4fd6fe4b2cd400e150a8

Kotlin:       1.7.10
Groovy:       3.0.13
Ant:          Apache Ant(TM) version 1.10.11 compiled on July 10 2021
JVM:          1.8.0_352 (Temurin 25.352-b08)
OS:           Mac OS X 10.16 x86_64

@kevin-doyle

I was able to reproduce the finding with the CLI scanning the jar directly. I did have to run the scan twice; after the second run CVE-2019-20444 showed in the report.

Steps:

  1. Download the jar from https://mvnrepository.com/artifact/io.grpc/grpc-netty-shaded/1.50.2
  2. CLI command: dependency-check --scan grpc-netty-shaded-1.50.2.jar --disableCentral

[Screenshot of the report, 2023-01-18]

@aikebah
Collaborator

aikebah commented Jan 18, 2023

CLI without central search might trigger it, as no maven coordinates get linked so that the suppression will not work (visible in your report as no package is listed for it). That is precisely the type of FP that the recommendation to not disable central is about.

@kevin-doyle

Understood, we don't run with --disableCentral; I only used the flag due to the issues lately with Maven Central. Thanks for the reply, I think this answers why we are seeing the CVE.

References:
#5342
#5341

@kevin-doyle

I was able to reproduce the issue by setting up a structure similar to how our scan is performed.
Steps to Reproduce:

  1. Create a new folder and a libs folder nested inside (ex: my-plugin/libs)
  2. Download the https://mvnrepository.com/artifact/io.grpc/grpc-netty-shaded/1.50.2 jar and place the grpc-netty-shaded-1.50.2.jar inside the libs folder
  3. From the top level folder, bundle the folder as a jar: jar cvf plugin.jar .
  4. Install the plugin to your local .m2 repository: apache-maven-3.8.7/bin/mvn install:install-file -Dfile=plugin.jar -DgroupId=com.example -DartifactId=my-plugin -Dversion=0.0.1 -Dpackaging=jar
  5. build.gradle configuration (Note: this finding occurs on version 8.1.0 as well):
plugins {
    id 'java'
    id("org.owasp.dependencycheck") version "7.4.1"
}
repositories {
    mavenLocal()
}

dependencies {
    implementation 'com.example:my-plugin:0.0.1'
}
  6. Run ./gradlew dependencyCheckAnalyze

I bundled the plugin jar with some additional libraries. What I noticed is the "package" field is discovered on some libraries but not all. I'm wondering if this is something on the DependencyCheck end or on the central search end, if it's on central search we can close this issue out.

[Screenshot of the report, 2023-02-24]
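The pattern aikebah describes above (a CVE reported against a jar through a CPE match while no package URL / Maven coordinates were linked, so hosted suppressions cannot apply) and the partially missing "package" field kevin-doyle observed can be spotted directly in the JSON report. The following check is an added example and is not part of this issue or of the DependencyCheck project; it assumes the report's field names are dependencies[].fileName, packages[].id, vulnerabilityIds[].id and vulnerabilities[].name, and embeds a small constructed report for illustration.

```python
import json
from typing import Dict, List

# Constructed sample shaped like an ODC JSON report (field names are an assumption).
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {   # CPE-only match with no Maven coordinates linked: the FP pattern from this thread
            "fileName": "grpc-netty-shaded-1.50.2.jar",
            "packages": [],
            "vulnerabilityIds": [{"id": "cpe:2.3:a:netty:netty:1.50.2:*:*:*:*:*:*:*",
                                  "confidence": "HIGHEST"}],
            "vulnerabilities": [{"source": "NVD", "name": "CVE-2019-20444", "severity": "CRITICAL"}],
        },
        {   # Coordinates linked (constructed purl and placeholder CVE): suppressions can apply
            "fileName": "some-lib-1.0.jar",
            "packages": [{"id": "pkg:maven/com.example/some-lib@1.0", "confidence": "HIGH"}],
            "vulnerabilityIds": [{"id": "cpe:2.3:a:example:some_lib:1.0:*:*:*:*:*:*:*",
                                  "confidence": "HIGHEST"}],
            "vulnerabilities": [{"source": "NVD", "name": "CVE-PLACEHOLDER", "severity": "HIGH"}],
        },
        {   # No findings at all: nothing to review
            "fileName": "clean-1.0.jar", "packages": [],
            "vulnerabilityIds": [], "vulnerabilities": [],
        },
    ]
})


def cpe_only_findings(report_json: str) -> Dict[str, List[str]]:
    """Return {fileName: [CVE ids]} for dependencies whose findings rest on a CPE match
    while no package URL was linked. Those are the findings to re-check with the Central
    analyzer enabled (or by hand) before treating them as real."""
    report = json.loads(report_json)
    suspects: Dict[str, List[str]] = {}
    for dep in report.get("dependencies", []):
        vulns = dep.get("vulnerabilities") or []
        if not vulns:
            continue
        has_cpe = any(v.get("id", "").startswith("cpe:") for v in dep.get("vulnerabilityIds") or [])
        has_purl = any(p.get("id", "").startswith("pkg:") for p in dep.get("packages") or [])
        if has_cpe and not has_purl:
            suspects[dep["fileName"]] = sorted(v["name"] for v in vulns)
    return suspects


if __name__ == "__main__":
    for name, cves in cpe_only_findings(SAMPLE_REPORT).items():
        print(f"{name}: CPE-only match, no package URL linked -> {', '.join(cves)}")
```

Run it against a real dependency-check-report.json by passing the file's contents to cpe_only_findings; an empty result means every reported dependency had coordinates linked.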

@aikebah
Collaborator

aikebah commented Feb 24, 2023

@kevin-doyle Thanks for the detailed reproduction. Hope to get a detailed look into it over the weekend. I'd say that as the jar is downloaded from central it should've been matched in central search, so I'll try and see whether I can reproduce what you observed and can find out why it doesn't match.

@aikebah
Collaborator

aikebah commented Feb 25, 2023

It appears as if documentation is not in line with actual implementation. I can reproduce your case because with the defaults in the gradle plugin the central analyzer appears to not be enabled.

Can reproduce the FP and fix it by configuring centralAnalyzer to enabled in build.gradle:

dependencyCheck {
    analyzers {
        centralEnabled = true
    }
}

@aikebah
Collaborator

aikebah commented Feb 25, 2023

Checked the code-base, and it's been disabled by default since v3.2.1, so the documentation is lacking an update on that.

aikebah added a commit that referenced this issue Feb 25, 2023
…radle plugin documentation

Also extend the description to indicate cases that can benefit from enablement.

Fixes documentation in relation to issue #5206
@aikebah aikebah added this to the 8.1.1 milestone Feb 25, 2023
@kevin-doyle

@aikebah Thanks for all the help! I was able to resolve this on our end.
