
[FP]: CVE-2023-4759 org.eclipse.jgit@6.7.0.202309050840-r #5943

Open

barchetta opened this issue Sep 19, 2023 · 9 comments
Labels: FP Report, maven (changes to the maven plugin)

Comments

barchetta commented Sep 19, 2023

Package URL

pkg:maven/org.eclipse.jgit/org.eclipse.jgit@6.7.0.202309050840-r

CPE

cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* versions from (including) 6.7.0; versions up to (excluding) 6.7.0.202309050840

cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* versions from (including) 6.6.0; versions up to (excluding) 6.6.1.202309021850

CVE

CVE-2023-4759

ODC Integration

None

ODC Version

8.4.0

Description

According to the CVE description "The issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r". The CPE states versions from (including) 6.7.0; versions up to (excluding) 6.7.0.202309050840. So maybe the fact that the CPE states to include 6.7.0 is triggering the FP. Or maybe it's because the excluded version does not have the -r at the end (like the version of the maven artifact does).

github-actions bot commented:
Maven Coordinates

<dependency>
   <groupId>org.eclipse.jgit</groupId>
   <artifactId>org.eclipse.jgit</artifactId>
   <version>6.7.0.202309050840-r</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #5943
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.eclipse\.jgit/org\.eclipse\.jgit@.*$</packageUrl>
   <cpe>cpe:/a:eclipse:jgit</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/6238507857

github-actions bot added the maven label Sep 19, 2023
github-actions bot commented (same Maven coordinates and suppression rule as in the previous bot comment):

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/6238518590

github-actions bot commented (same Maven coordinates and suppression rule as in the first bot comment):

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/6238514672

chadlwilson commented:
Thanks for raising this @barchetta - I was also looking for guidance from the OWASP Dep Check team as to whether this is essentially due to the way NVD have tagged the affected versions. There are also false negatives here, as all jGit versions prior to 6.6.1 are also affected, but the current mapping doesn't reflect that.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4759
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11

cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:*  From (including)6.6.0 | Up to (excluding)6.6.1.202309021850
cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:*  From (including)6.7.0 | Up to (excluding)6.7.0.202309050840

While this is definitely a false positive, it seems like it's just an NVD confusion about the date version suffixes (there will not be a 6.7.0.OTHERDATE-r), and they should update to

cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:*  Up to (excluding)6.6.1

I believe then it will go away in OWASP Dep check even though it sees the maven version as 6.7.0.202309050840-r. I'll try contacting them to ask them to re-check it.

chadlwilson commented Sep 20, 2023

I suppose it is still a bit strange here that 202309021850-r seems to be considered less than 202309021850 when parsing the version string.

In other words, if 6.7.0.202309021850-r > 6.7.0 (affected!) it seems odd that 6.7.0.202309021850-r is not also greater than 6.7.0.202309021850 (implying now not affected).
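
The ordering question in the comment above, worked through as an added example (not part of this thread, and not DependencyCheck's own version comparator, whatever it does internally): a small range checker that evaluates the two NVD CPE ranges quoted in this issue against a Maven version string, once treating a hyphen suffix as a pre-release (semver-style, which reproduces the false positive) and once treating "-r" as a release marker that ranks at or above the bare numeric version. The suffix ordering is an assumption made for the example, and the version 6.6.0.202301010000-r is a made-up build inside the 6.6 range; the other versions are the ones named in this thread.

```python
import re

# The two affected ranges exactly as the NVD CPE configuration quoted in this
# issue states them: start inclusive, end exclusive. The end versions carry no
# "-r" suffix, unlike the Maven artifact versions.
CVE_2023_4759_RANGES = [
    ("6.6.0", "6.6.1.202309021850"),
    ("6.7.0", "6.7.0.202309050840"),
]

# What the thread suggests NVD should publish instead: everything below 6.6.1.
PROPOSED_RANGES = [("0", "6.6.1")]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([A-Za-z0-9.]+))?$")


def parse_version(text):
    """Split '6.7.0.202309050840-r' into ((6, 7, 0, 202309050840), 'r')."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    qualifier = (m.group(2) or "").lower()
    return numbers, qualifier


def _padded(a, b):
    """Right-pad the shorter numeric tuple with zeros so 6.7.0 == 6.7.0.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def compare(left, right, suffix_is_prerelease):
    """Return -1, 0 or 1 for two parsed versions.

    suffix_is_prerelease=True : a hyphen suffix sorts BELOW the bare numeric
                                version (semver-style "1.0-x" < "1.0").
    suffix_is_prerelease=False: a hyphen suffix sorts AT OR ABOVE the bare
                                version, i.e. "-r" is read as a release marker.
    Both orderings are assumptions made for this example.
    """
    ln, lq = left
    rn, rq = right
    ln, rn = _padded(ln, rn)
    if ln != rn:
        return -1 if ln < rn else 1
    if lq == rq:
        return 0
    bare_wins = 1 if suffix_is_prerelease else -1
    if lq == "":
        return bare_wins
    if rq == "":
        return -bare_wins
    return -1 if lq < rq else 1


def is_affected(version_text, ranges=CVE_2023_4759_RANGES, suffix_is_prerelease=True):
    """True if version_text falls inside any [start, end) range."""
    v = parse_version(version_text)
    for start, end in ranges:
        s, e = parse_version(start), parse_version(end)
        if (compare(v, s, suffix_is_prerelease) >= 0
                and compare(v, e, suffix_is_prerelease) < 0):
            return True
    return False


if __name__ == "__main__":
    fixed = "6.7.0.202309050840-r"
    print(fixed, "affected (suffix = pre-release):", is_affected(fixed))
    print(fixed, "affected (-r = release):", is_affected(fixed, suffix_is_prerelease=False))
    print(fixed, "affected (proposed CPE):", is_affected(fixed, PROPOSED_RANGES))
```

With the suffix read as a pre-release, 6.7.0.202309050840-r sorts below the unsuffixed end bound 6.7.0.202309050840 and is flagged, exactly the inconsistency the comment points at; with "-r" read as a release marker it is not. Under the proposed "up to (excluding) 6.6.1" range the fixed release is clean under either ordering, and a 6.5.x build is finally flagged, which the current two ranges miss.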

gremi64 commented Nov 24, 2023

Hi, I assume it's the same issue for

  <dependency>
      <groupId>org.eclipse.jgit</groupId>
      <artifactId>org.eclipse.jgit.ssh.jsch</artifactId>
      <version>6.7.0.202309050840-r</version>
  </dependency>

which is considered to have the same CVE-2023-4759.

Because the "suppress" proposed by the bot doesn't work for this one, I suggest this one:

--EDIT--
Added version 6.7.x to avoid suppressing the CVE for older versions (good!), but it won't work for future versions (sick!); let's hope NVD will correct this 🙏

<suppress base="true">
   <notes>
      <![CDATA[ FP per issue #5943 ]]>
   </notes>
   <packageUrl regex="true">^pkg:maven/org\.eclipse\.jgit/org\.eclipse\.jgit(\.[\w]*)*@6\.7\..*$</packageUrl>
   <cve>CVE-2023-4759</cve>
</suppress>

It works for everything under jgit (like ...eclipse.jgit.ssh.jsch).

I used <cve> instead of <cpe> because I don't want to suppress "too much", but I could be wrong about that 🤔

Feel free to correct me on this!
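
To see how far each posted suppression actually reaches, here is an added example (not from this thread and not DependencyCheck code) that runs the two packageUrl regexes quoted in this issue over a handful of constructed package URLs. It assumes Python's re module is an adequate stand-in for the Java regex engine DependencyCheck uses, which holds for these ASCII-only patterns; the 6.6.0.202301010000-r version is made up to represent a build inside the genuinely affected 6.6 range, while the other versions are the ones named in this thread.

```python
import re

# Suppression regexes exactly as posted in this issue: the bot's base rule and
# gremi64's narrower rule. DependencyCheck evaluates them with Java regex;
# Python's re behaves the same for these ASCII-only patterns (assumption).
BOT_RULE = r"^pkg:maven/org\.eclipse\.jgit/org\.eclipse\.jgit@.*$"
GREMI64_RULE = r"^pkg:maven/org\.eclipse\.jgit/org\.eclipse\.jgit(\.[\w]*)*@6\.7\..*$"

# Constructed sample package URLs. The first three use versions named in this
# thread; 6.6.0.202301010000-r is a made-up version inside the affected 6.6 range.
SAMPLE_PURLS = [
    "pkg:maven/org.eclipse.jgit/org.eclipse.jgit@6.7.0.202309050840-r",
    "pkg:maven/org.eclipse.jgit/org.eclipse.jgit.ssh.jsch@6.7.0.202309050840-r",
    "pkg:maven/org.eclipse.jgit/org.eclipse.jgit@6.8.0.202311291450-r",
    "pkg:maven/org.eclipse.jgit/org.eclipse.jgit@6.6.0.202301010000-r",
]


def suppresses(rule, purl):
    """True if the suppression rule's packageUrl regex matches this purl."""
    return re.match(rule, purl) is not None


def scope_report(rule, purls=SAMPLE_PURLS):
    """Map each purl to whether the rule would silence findings on it."""
    return {purl: suppresses(rule, purl) for purl in purls}


def artifacts_silenced(rule, purls=SAMPLE_PURLS):
    """Sorted artifactId@version pairs the rule suppresses, for a quick review."""
    return sorted(
        purl.rsplit("/", 1)[1]
        for purl, hit in scope_report(rule, purls).items()
        if hit
    )


if __name__ == "__main__":
    for name, rule in (("bot base rule", BOT_RULE), ("gremi64 rule", GREMI64_RULE)):
        print(name)
        for purl, hit in scope_report(rule).items():
            print("  ", "SUPPRESSED" if hit else "reported  ", purl)
```

The report makes the trade-off explicit: the bot's base rule, which is scoped to the CPE rather than to a CVE or a version, also silences the made-up 6.6.0 build that the CPE ranges mark as affected, while gremi64's rule covers the ssh.jsch sub-artifact but stops matching at 6.8.0, the release recommended further down in the thread. Re-running a scope check like this whenever a suppression is edited is a cheap way to catch both kinds of drift.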

chadlwilson commented:
Yeah, probably the same.

I’ve been trying to get NVD to change the CPE versions but they seemed to misunderstand and update it to something even worse (and incorrect). Have tried again earlier today.

chadlwilson commented:
I haven't had a reply yet from NIST NVD, sadly.

In any case, for what it's worth upgrading to the recently released JGit 6.8.0.202311291450-r will make this FP go away. https://projects.eclipse.org/projects/technology.jgit/releases/6.8.0

gremi64 commented Dec 7, 2023

Thank you for the heads up 🙏
I'll upgrade jgit then!
