The gradle plugin doesn't identify versions accurately when pulling Tomcat as a zip dependency

[edgarmolina2]

Background
Tomcat's POM publication in maven central sets the appropriate version (see here)

  <groupId>org.apache.tomcat</groupId>
  <artifactId>tomcat</artifactId>
  <version>9.0.40</version>

However, the library isn't packaged as a Jar file, so in order to pull it we must add the zip qualifier like so:

dependencies {
    tomcat 'org.apache.tomcat:tomcat:9.0.41@zip'
}

Gradle is able to get the file which can be utilized as needed, for example decompressing it to deploy Tomcat as part of an automated CI/CD build.

The problem comes when the dependency check validates the NVD CPEs, the plugin doesn't seem determine the right version and reports tons of false positives, please see the attached report (dependency-check-report.zip).
Haven't investigated deeper if gradle is able to determine the version or not.

Build Script
Here is a simple script to reproduce the issue:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath "org.owasp:dependency-check-gradle:6.0.4"
    }
}
 
repositories {
    mavenCentral()
}
 
apply plugin: "org.owasp.dependencycheck"
 
configurations {
    tomcat
}
 
dependencies {
    tomcat 'org.apache.tomcat:tomcat:9.0.41@zip'
}
 
dependencyCheck {
    failBuildOnCVSS = 5
}

Thanks!

[mprins]

as you can see from the evidence for eg. tomcat-api.jar the following numbers are extracted for version (these can be found in the manifest file):

Type	Source	Name	Value	Confidence
Version	Manifest	today	3	Low
Version	Manifest	dstamp	20201203	Low
Version	Manifest	Implementation-Version	9.0.41	High
Version	Manifest	tstamp	1143	Low
Version	Manifest	Bundle-Version	9.0.41	High
Version	Manifest	today	2020	Low

resulting in a low confidence indentification of the right version number and cpe:2.3:a:apache:tomcat:3.0:::::::*

since there is no proper dependency mangement to go with I'd suggegt you set up a suppression file for this atypical use.

[jeremylong]

Zip files are not analyzed per se - rather the contents of the ZIP files are analyzed.

It may be possible to enhance the version identification logic to add additional checks to corroborate the version info from the manifest.

In the meantime - I added some additional keys to ignore from the manifest which works as a temporary workaround.

[chadlwilson]

I believe this will have been addressed by changes to the Gradle plugin to resolve dependencies directly. If it's still an issue on current versions let's reopen.