
[FP]: CVE-2017-20189 #6438

Closed
favila opened this issue Feb 2, 2024 · 12 comments
Assignees
Labels: FP Report, maven (changes to the maven plugin)

Comments

@favila

favila commented Feb 2, 2024

Package URL

pkg:maven/com.clojure-goes-fast/jvm-alloc-rate-meter@0.1.4

CPE

cpe:2.3:a:clojure:clojure:*:*:*:*:*:*:*:*

CVE

CVE-2017-20189

ODC Integration

None

ODC Version

9.0.9

Description

CVE-2017-20189 is a vulnerability in Clojure < 1.9. (Although from 2017, the CVE was recently issued.) The maven package url for these dependencies is specifically pkg:maven/org.clojure/clojure@*. However, this seems to be fuzzy-matching many other org.clojure projects and even projects that are merely written in Clojure.

So far I have seen the following packageUrls match:

pkg:maven/com.clojure-goes-fast/jvm-alloc-rate-meter@0.1.4
pkg:maven/com.clojure-goes-fast/jvm-hiccup-meter@0.1.1
pkg:maven/liberator/liberator@0.15.3
pkg:maven/org.clojure/core.async@1.6.681
pkg:maven/org.clojure/core.cache@1.0.225
pkg:maven/org.clojure/core.incubator@0.1.4
pkg:maven/org.clojure/core.match@1.0.0
pkg:maven/org.clojure/core.memoize@1.0.253
pkg:maven/org.clojure/core.rrb-vector@0.1.2
pkg:maven/org.clojure/core.specs.alpha@0.2.62
pkg:maven/org.clojure/data.codec@0.1.0
pkg:maven/org.clojure/data.csv@0.1.4
pkg:maven/org.clojure/data.priority-map@1.1.0
pkg:maven/org.clojure/java.classpath@0.3.0
pkg:maven/org.clojure/java.classpath@1.0.0
pkg:maven/org.clojure/java.data@1.0.95
pkg:maven/org.clojure/java.jdbc@0.7.12
pkg:maven/org.clojure/math.combinatorics@0.1.4
pkg:maven/org.clojure/math.combinatorics@0.2.0
pkg:maven/org.clojure/spec.alpha@0.3.218
pkg:maven/org.clojure/test.check@0.10.0
pkg:maven/org.clojure/test.check@1.1.1
pkg:maven/org.clojure/tools.analyzer.jvm@1.2.3
pkg:maven/org.clojure/tools.analyzer@1.1.1
pkg:maven/org.clojure/tools.cli@0.3.5
pkg:maven/org.clojure/tools.cli@0.3.6
pkg:maven/org.clojure/tools.cli@1.0.206
pkg:maven/org.clojure/tools.cli@1.0.214
pkg:maven/org.clojure/tools.cli@1.0.219
pkg:maven/org.clojure/tools.logging@1.2.4
pkg:maven/org.clojure/tools.macro@0.1.5
pkg:maven/org.clojure/tools.namespace@0.2.11
pkg:maven/org.clojure/tools.namespace@1.2.0
pkg:maven/org.clojure/tools.reader@1.3.6
pkg:maven/ring/ring-anti-forgery@1.0.0
pkg:maven/ring/ring-codec@1.1.3
pkg:maven/ring/ring-codec@1.2.0
pkg:maven/ring/ring-defaults@0.1.5
pkg:maven/ring/ring-headers@0.1.3
pkg:maven/ring/ring-json@0.5.1
pkg:maven/ring/ring-mock@0.4.0
pkg:maven/ring/ring-ssl@0.2.1

This is just what I found in a largish clojure application, so this is likely not a complete list.

I used the following suppression:

<suppress>
  <packageUrl regex="true">^pkg:maven/(?!org\.clojure/clojure@).*$</packageUrl>
  <cve>CVE-2017-20189</cve>
</suppress>

This seems to be enough for it to correctly narrow down to only org.clojure/clojure and then start looking at the version. It detects clojure 1.8 jars and ignores clojure 1.9 and above.

Another possibility might be this:

<suppress>
  <packageUrl regex="true">^pkg:maven/(?!org\.clojure/clojure@).*$</packageUrl>
  <cpe>cpe:/a:clojure:clojure</cpe>
</suppress>

However I don't know for sure whether cpe:/a:clojure:clojure is meant to include any other clojure-adjacent products besides the core clojure artifact itself.
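To check what the first suppression rule above narrows the match to, here is an added Python example (it is not part of the issue or of Dependency-Check) that parses that <suppress> element and applies a simplified model of ODC's matching to a constructed list of findings. The model is an assumption: a regex packageUrl must match the whole purl and the cve element must equal the finding's CVE; the cpe-based variant is not modelled.

```python
import re
import xml.etree.ElementTree as ET

# The first <suppress> rule proposed in the issue, inside the <suppressions> root of an ODC file.
SUPPRESSIONS_XML = r"""
<suppressions>
  <suppress>
    <packageUrl regex="true">^pkg:maven/(?!org\.clojure/clojure@).*$</packageUrl>
    <cve>CVE-2017-20189</cve>
  </suppress>
</suppressions>
"""

# Constructed findings: three purls from the issue's list plus a Clojure 1.8 jar,
# which is a true positive for this CVE and must survive the suppression.
FINDINGS = [
    ("pkg:maven/com.clojure-goes-fast/jvm-alloc-rate-meter@0.1.4", "CVE-2017-20189"),
    ("pkg:maven/org.clojure/core.async@1.6.681", "CVE-2017-20189"),
    ("pkg:maven/ring/ring-codec@1.2.0", "CVE-2017-20189"),
    ("pkg:maven/org.clojure/clojure@1.8.0", "CVE-2017-20189"),
]

def parse_suppressions(xml_text):
    """Read each <suppress> element into a dict of its packageUrl and cve criteria."""
    rules = []
    for sup in ET.fromstring(xml_text.strip()).iter("suppress"):
        purl_el = sup.find("packageUrl")
        rules.append({
            "purl": purl_el.text.strip(),
            "purl_regex": purl_el.get("regex") == "true",
            "cves": {c.text.strip() for c in sup.findall("cve")},
        })
    return rules

def is_suppressed(purl, cve, rules):
    """True if a rule's packageUrl matches the purl and the rule names the CVE (or no CVE)."""
    for rule in rules:
        if rule["purl_regex"]:
            # Whole-string match (assumed, like Java's String.matches()): the negative
            # lookahead after "pkg:maven/" rejects only org.clojure/clojure@<version>.
            purl_hit = re.fullmatch(rule["purl"], purl) is not None
        else:
            purl_hit = purl == rule["purl"]
        if purl_hit and (not rule["cves"] or cve in rule["cves"]):
            return True
    return False

def remaining_findings(findings, rules):
    """Return the (purl, cve) pairs the rules leave in the report."""
    return [(p, c) for p, c in findings if not is_suppressed(p, c, rules)]
```

Run against the constructed findings, only the org.clojure/clojure@1.8.0 entry is left, which is the behaviour the comment above describes.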

Contributor

github-actions bot commented Feb 2, 2024

Error parsing package url: many.

Error: Error: purl is missing the required "pkg" scheme component.

Please correct the package URL - consider copying the package url from the HTML report.

Contributor

github-actions bot commented Feb 2, 2024

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/7757666679


Contributor

github-actions bot commented Feb 2, 2024

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/7757821791


Contributor

github-actions bot commented Feb 2, 2024

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/7760349297

@antonmos

antonmos commented Feb 13, 2024

@favila could you update the Package URI in the description to a specific example instead of many so that we get this issue ready for maintainers to review?

Contributor

Maven Coordinates

<dependency>
   <groupId>com.clojure-goes-fast</groupId>
   <artifactId>jvm-alloc-rate-meter</artifactId>
   <version>0.1.4</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6438
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.clojure-goes-fast/jvm-alloc-rate-meter@.*$</packageUrl>
   <cpe>cpe:/a:clojure:clojure</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/7895310657

@github-actions github-actions bot added the maven (changes to the maven plugin) label Feb 14, 2024
@favila
Author

favila commented Feb 14, 2024

@favila could you update the Package URI in the description to a specific example instead of many so that we get this issue ready for maintainers to review?

I was concerned that this would create an overly narrow suppression rule like above.

Note to maintainers: please do not regard the list of affected packages above as exhaustive. Potentially hundreds of packages that are merely written in Clojure are affected by this false positive.

@antonmos

@jeremylong how can I help move this forward?

aikebah added a commit that referenced this issue Apr 28, 2024
@aikebah
Collaborator

aikebah commented Apr 28, 2024

@antonmos @favila It's now only awaiting an FP suppression publishing workflow to be triggered using another more straightforward FP issue

@aikebah aikebah self-assigned this Apr 28, 2024
@aikebah
Collaborator

aikebah commented Apr 28, 2024

Suppressions should now be active

@aikebah aikebah closed this as completed Apr 28, 2024