JENKINS-73784: Dependency-Check 10.0.4 Plugin displays no Vulnerabilities

    • Type: Bug
    • Resolution: Not A Defect
    • Priority: Major
    • None
    • Jenkins 2.462.2
      dependency-check-plugin version 5.5.1

      We run Jenkins in Kubernetes; OWASP Dependency-Check version 10.0.4 is started as a container and performs the scans.

      The Jenkins plugin in the pipeline displays "No Vulnerabilities Found", but the XML report does contain vulnerabilities.

      Console output:

      // + dependency-check -n -s . -f XML --prettyPrint -o report.xml
      [INFO] Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user's risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
         About ODC: https://jeremylong.github.io/DependencyCheck/general/internals.html
         False Positives: https://jeremylong.github.io/DependencyCheck/general/suppression.html💖 Sponsor: https://github.com/sponsors/jeremylong
      [INFO] Analysis Started
      [INFO] Finished Archive Analyzer (0 seconds)
      [INFO] Finished File Name Analyzer (0 seconds)
      [INFO] Finished Jar Analyzer (0 seconds)
      [INFO] Finished Central Analyzer (1 seconds)
      [INFO] Finished Dependency Merging Analyzer (0 seconds)
      [INFO] Finished Hint Analyzer (0 seconds)
      [INFO] Finished Version Filter Analyzer (0 seconds)
      [INFO] Created CPE Index (2 seconds)
      [INFO] Finished CPE Analyzer (3 seconds)
      [INFO] Finished False Positive Analyzer (0 seconds)
      [INFO] Finished NVD CVE Analyzer (0 seconds)
      [WARN] Unable to determine Package-URL identifiers for 2 dependencies
      [INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
      [INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
      [INFO] Finished Known Exploited Vulnerability Analyzer (0 seconds)
      [INFO] Finished Dependency Bundling Analyzer (0 seconds)
      [INFO] Finished Unused Suppression Rule Analyzer (0 seconds)
      [INFO] Analysis Complete (4 seconds)
      [INFO] Writing XML report to: /home/jenkins/agent/workspace/build_tracing-config_master/report.xml
      [Pipeline] }
      [Pipeline] // script
      [Pipeline] dependencyCheckPublisher
      Collecting Dependency-Check artifact
      Parsing file /home/jenkins/agent/workspace/build_tracing-config_master/report.xml 


          Nikolas Falco added a comment -

          Please attach, as requested, the generated report, console log and pipeline configuration, to understand what it is doing and whether the report is correct/empty.


          Igor added a comment -

          How to describe the pipeline config best?


          Igor added a comment -

          Just noticed that report.xml is indeed empty... will recreate and replace.


          Igor added a comment -

          Had to redeploy Jenkins; the issue still persists. Uploaded a new report.xml.

          Please advise how to debug this.


          Nikolas Falco added a comment -

          I confirm the issue; as a workaround, downgrade to OWASP version 10.0.0.2.


          Nikolas Falco added a comment -

          I see that in the report there are no vulnerabilities, only evidence.


          Igor added a comment -

          And I can't see them in the Jenkins build page, so that is expected?


          Nikolas Falco added a comment - edited

          I do not know what or where you see it in the Jenkins page, but in the report file there is no vulnerabilities element.

          To clarify, your report contains:

          <dependency isVirtual="true">
              <fileName>@antora/asciidoc-loader:3.1.8</fileName>
              <filePath>
                  /projectDir/docs-site/package-lock.json?@antora/site-generator:3.1.8/@antora/asciidoc-loader:3.1.8
              </filePath>
              <evidenceCollected>
                  <evidence type="vendor" confidence="HIGHEST">
                      <source>package.json</source>
                      <name>author</name>
                      <value>OpenDevise Inc. (https://opendevise.com)</value>
                  </evidence>
              </evidenceCollected>
              ...
          </dependency>
          

          No vulnerabilities are present.

          This is how it should be:

          <dependency isVirtual="false">
              <fileName>tika-core-1.21.jar</fileName>
              <filePath>/home/martin/.m2/repository/org/apache/tika/tika-core/1.21/tika-core-1.21.jar</filePath>
              ...
              <evidenceCollected>
                  <evidence type="vendor" confidence="HIGH">
                      <source>file</source>
                      <name>name</name>
                      <value>tika-core</value>
                  </evidence>
                  ...
              </evidenceCollected>
              <identifiers>
                  <package confidence="HIGH">
                      <id>pkg:maven/org.apache.tika/tika-core@1.21</id>
                      <url>https://ossindex.sonatype.org/component/pkg:maven/org.apache.tika/tika-core@1.21?utm_source=dependency-check&amp;utm_medium=integration&amp;utm_content=7.1.1
                      </url>
                  </package>
                  <vulnerabilityIds confidence="HIGHEST">
                      <id>cpe:2.3:a:apache:tika:1.21:*:*:*:*:*:*:*</id>
                      <url>https://nvd.nist.gov/vuln/search/results?form_type=Advanced&amp;results_type=overview&amp;search_type=all&amp;cpe_vendor=cpe%3A%2F%3Aapache&amp;cpe_product=cpe%3A%2F%3Aapache%3Atika&amp;cpe_version=cpe%3A%2F%3Aapache%3Atika%3A1.21
                      </url>
                  </vulnerabilityIds>
              </identifiers>
              <vulnerabilities>
                  <vulnerability source="NVD">
                      <name>CVE-2019-10088</name>
                      <severity>HIGH</severity>
                      <cvssV2>
                          <score>6.8</score>
                          <accessVector>NETWORK</accessVector>
                          <accessComplexity>MEDIUM</accessComplexity>
                          <authenticationr>NONE</authenticationr>
                          <confidentialImpact>PARTIAL</confidentialImpact>
                          <integrityImpact>PARTIAL</integrityImpact>
                          <availabilityImpact>PARTIAL</availabilityImpact>
                          <severity>MEDIUM</severity>
                          <version>2.0</version>
                          <exploitabilityScore>8.6</exploitabilityScore>
                          <impactScore>6.4</impactScore>
                          <userInteractionRequired>true</userInteractionRequired>
                      </cvssV2>
                      <cvssV3>
                          <baseScore>8.8</baseScore>
                          <attackVector>NETWORK</attackVector>
                          <attackComplexity>LOW</attackComplexity>
                          <privilegesRequired>NONE</privilegesRequired>
                          <userInteraction>REQUIRED</userInteraction>
                          <scope>UNCHANGED</scope>
                          <confidentialityImpact>HIGH</confidentialityImpact>
                          <integrityImpact>HIGH</integrityImpact>
                          <availabilityImpact>HIGH</availabilityImpact>
                          <baseSeverity>HIGH</baseSeverity>
                          <exploitabilityScore>2.8</exploitabilityScore>
                          <impactScore>5.9</impactScore>
                          <version>3.0</version>
                      </cvssV3>
                      <cwes>
                          <cwe>CWE-770</cwe>
                      </cwes>
                      <description>A carefully crafted or corrupt zip file can cause an OOM in Apache Tika&apos;s RecursiveParserWrapper in versions
                          1.7-1.21. Users should upgrade to 1.22 or later.</description>
                      <references>
                          <reference>
                              <source>MLIST</source>
                              <url>https://lists.apache.org/thread.html/da9ee189d1756f8508d0f2386d8e25aca5a6df541739829232be8a94@%3Cdev.tika.apache.org%3E
                              </url>
                              <name>[tika-dev] 20190812 Re: security fixes for CVE-2019-10088 and CVE-2019-1009{3,4}</name>
                          </reference>
                          ...
                      </references>
                      <vulnerableSoftware>
                          <software vulnerabilityIdMatched="true" versionStartIncluding="1.7" versionEndIncluding="1.21">cpe:2.3:a:apache:tika:*:*:*:*:*:*:*:*
                          </software>
                      </vulnerableSoftware>
                  </vulnerability>
              </vulnerabilities>
          </dependency>

          As you can see, the vulnerability block, which holds all the information, is missing; that means there are no vulnerabilities.

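The distinction drawn in the comment above (evidence and identifiers versus an actual `<vulnerabilities>` block) can be checked directly against the report file before the publisher's output is questioned. The following Python is an added example, not code from the issue or from the dependency-check plugin; the sample report, its namespace URL and both dependencies are constructed for the example, with their shape following the excerpts quoted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample report: the namespace and both dependencies are made up for
# this example; their shape follows the excerpts quoted in the issue.
SAMPLE_REPORT = """<?xml version="1.0"?>
<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.4.1.xsd">
  <dependencies>
    <dependency isVirtual="true">
      <fileName>@antora/asciidoc-loader:3.1.8</fileName>
      <evidenceCollected>
        <evidence type="vendor" confidence="HIGHEST"><source>package.json</source><name>author</name><value>OpenDevise Inc.</value></evidence>
      </evidenceCollected>
    </dependency>
    <dependency isVirtual="false">
      <fileName>tika-core-1.21.jar</fileName>
      <identifiers><vulnerabilityIds confidence="HIGHEST"><id>cpe:2.3:a:apache:tika:1.21:*:*:*:*:*:*:*</id></vulnerabilityIds></identifiers>
      <vulnerabilities>
        <vulnerability source="NVD"><name>CVE-2019-10088</name><severity>HIGH</severity></vulnerability>
      </vulnerabilities>
    </dependency>
  </dependencies>
</analysis>
"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix ElementTree adds

def summarize_report(xml_text):
    """Map each dependency's fileName to whether it got a CPE and which vulnerabilities it carries."""
    root = ET.fromstring(xml_text)
    summary = {}
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        name = next((c.text for c in dep if _local(c.tag) == "fileName"), "?")
        entry = {"cpe": False, "vulns": []}
        for child in dep:
            if _local(child.tag) == "identifiers":
                # A vulnerabilityIds (CPE) match is what lets the NVD analyzer attach findings.
                entry["cpe"] = any(_local(x.tag) == "vulnerabilityIds" for x in child)
            elif _local(child.tag) == "vulnerabilities":
                # Only this block is a finding; evidence and identifiers alone are not.
                for vuln in child:
                    fields = {_local(f.tag): f.text for f in vuln}
                    entry["vulns"].append((fields.get("name"), fields.get("severity")))
        summary[name] = entry
    return summary

def total_vulnerabilities(summary):
    return sum(len(e["vulns"]) for e in summary.values())
```

A dependency that shows up with `cpe` False and no `vulns`, like the first one here, is exactly the evidence-only case from the issue: the scanner saw the package but never matched it to a CPE, so there was nothing for the publisher to display.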

          Igor added a comment -

          OK, thanks for the clarification!


            nfalco Nikolas Falco
            igor_teresco Igor
            Votes: 0
            Watchers: 2