[FP]: False positive findings in Dependency Checker for Apache Kafka

[va699]

Package URl

pkg:maven/org.apache.kafka/kafka_2.13@3.9.0

CPE

cpe:2.3:a:scala-lang:scala:2.10.0:::::::*

CVE

CVE-2017-15288

ODC Integration

{"label" => "Docker"}

ODC Version

12

Description

Hi Team,

We are getting vulnerability CVE-2017-15288 in Dependency Checker Tool findings, although as per our analysis we consider it as false positive.

Kindly check and get it fixed in Dependency Checker tool. So, this false positive does not appear in scan report.

Dependency Checker tool is scanning below mentioned path
pkg:maven/org.apache.kafka/kafka_2.13@3.9.0

Justification: This vulnerability is reported on kafka version 3.6.2, 3.7.1, 3.8.1 However in product, kafka 3.9.0 version is present.

Hence this vulnerability is false positive.

[github-actions]

Maven Coordinates

<dependency>
   <groupId>org.apache.kafka</groupId>
   <artifactId>kafka_2.13</artifactId>
   <version>3.9.0</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #8131
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka_2\.13@.*$</packageUrl>
   <cpe>cpe:/a:scala-lang:scala</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/19425516847

[chadlwilson]

Please

1. supply the exact ODC version. 12 is not specific enough.
2. share the details from your report, preferably the HTML report that show the CPe, vuln and package.

This false positive is not reproducible via a Maven-oriented scan, so it may be caused by using the CLI (via the docker image), or your version.

[chadlwilson]

Given this looks like a duplicate of #7741 from someone using the exact same message template but with a different package (and never responded) I will close this report.

Suspect the information supplied here is incorrect, and due to repeated issues raised without supplying follow up information (#8019, #8084), will close this and reopen if reporters respond with additional information rather than have to spend more time following up later.

[va699]

wait for further information before closing it. Give me sometime

[va699]

this is the scala package for which the tool is wrongly reporting vulnerability kafka/3.9.0/1/fast/libs/scala-java8-compat_2.13-1.0.2.jar. Vulnerability is for scala version before 2.12.4

[chadlwilson]

As I have said on multiple of your previous issues, that individual jar name is not relevant. A package URI is a specific thing, like a HTTP URI. Also, if that is the jar that the vuln is in, then you have filled in the wrong package URI because it is very unlikely that ODC would detect a Kafka package uri for a scala jar.

If the scala jar is nested/embedded (which is likely) it should still detect the correct package URI for the nested jar and show it in the report.

You must take the specific package uri that is mentioned in the ODC report along with the CVE and CPE. The tool logs the package uri specifically in the output, and you can look at the HTML report also.

[chadlwilson]

If you’re not sure where to get the information from, please ask. It’s a waste of everyone’s time to keep raising issues incorrectly and not supplying things that can be reviewed.

[va699]

I have attached the snippet of ODC html report for this vulnerability. I have intentionally blurred some stuff.

[va699]

[chadlwilson]

If there are no pkg: identifiers in the “identifiers” section then there is nothing we can suppress centrally (that is why we cannot reproduce this). In the current state, will need to suppress it yourself via the file SHA, which is what the HtML report will suggest as the only suppression option.

You will get many false positives in cases where ODC cannot match a jar to an actual Maven package, because it can only rely on the file name and contents which is indeterminate. Since this jar has two version numbers in the file name, that will confuse it more. If you expand the “evidence” section and share that, it may tell us where it is getting information from (and where it is not).

You need to figure out why your setup cannot get package information. In such cases using the CLI, ODC relies on looking inside the jar for a pom.xml, (scala build tool jars won't have this I imagine, since they are not built by Maven) and then searching Maven/Sonatype Central with the hash to find the package metadata and URI.
Check your debug logs to see whether your Central Analyzer is working and correctly searching for this jar. If you have disabled the Central Analyzer, or it's not working reliably you will have problems with jars like these. As an alternative, if you have an internal Nexus or Artifactory proxy for Maven Central you can use one of these two analyzers as replacement for the Central Analyzer.