Sort out why the OWASP dependency-check returns incorrect versions

Created on 6 February 2023, over 1 year ago
Updated 6 June 2024, 20 days ago

Problem/Motivation

When using the experimental OWASP dependency check, the results should report valid issues. They should also be consistent with composer audit or drush sec.
Instead it returns very old CVEs that do not exactly match the installed modules/package name or version.

I understand that it's still an experimental feature, but since it's a widely used tool, it's worth trying to fix it, either on the Drupal side or on the OWASP one.
https://jeremylong.github.io/DependencyCheck/analyzers/index.html
https://jeremylong.github.io/DependencyCheck/analyzers/composer-lock.html

Steps to reproduce

# Install a drupal version with no core drupal security issues (9.4.10), one symfony issue.
composer create-project drupal/recommended-project:9.4.10 . --stability dev --no-interaction --no-install
# Install modules with security issues.
composer require drush/drush drupal/rest_views drupal/views_attach_library drupal/views_bulk_operations drupal/views_data_export drupal/views_field_compare drupal/leaflet_views

# Check for security issues "the composer way"
composer audit --locked
Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | symfony/http-kernel                                                              |
| CVE               | CVE-2022-24894                                                                   |
| Title             | CVE-2022-24894: Prevent storing cookie headers in HttpCache                      |
| URL               | https://symfony.com/cve-2022-24894                                               |
| Affected versions | >=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.4.0|>=2.4.0,<2.5.0|>=2.5 |
|                   | .0,<2.6.0|>=2.6.0,<2.7.0|>=2.7.0,<2.8.0|>=2.8.0,<3.0.0|>=3.0.0,<3.1.0|>=3.1.0,<3 |
|                   | .2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<4.0.0|>=4.0.0,<4.1.0|>=4.1.0,<4.2.0| |
|                   | >=4.2.0,<4.3.0|>=4.3.0,<4.4.0|>=4.4.0,<4.4.50|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5. |
|                   | 2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.20|>=6.0.0,<6.0.20|>=6.1.0,<6.1.12|>=6.2. |
|                   | 0,<6.2.6                                                                         |
| Reported at       | 2023-02-01T08:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+

# Check for security issues "the drupal way" (outdated?)
 drush sec
 [success] There are no outstanding security updates for Drupal projects.


# Check for security issues with owasp dependency check
docker run --rm -e user=$USER -u $(id -u ${USER}):$(id -g ${USER}) --volume dependency-check:/usr/share/dependency-check/data:z --volume $(pwd):/src:z owasp/dependency-check:latest --scan ./composer.lock --format "ALL" --project "dependency-check scan: $(pwd)" --out /src --enableExperimental

leaflet_views:2.2.12         cpe:2.3:a:drupal:views:2.2.12:*:*:*:*:*:*:*                 CVE-2008-6020
pear-core-minimal:1.10.11    cpe:2.3:a:pear:pear:1.10.11:*:*:*:*:*:*:*                   CVE-2009-4024
pear_exception:1.0.2         cpe:2.3:a:pear:pear:1.0.2:*:*:*:*:*:*:*                     CVE-2009-4024
rest_views:2.0.1             cpe:2.3:a:drupal:views:2.0.1:*:*:*:*:*:*:*                  CVE-2008-6020
views_attach_library:2.0.2   cpe:2.3:a:drupal:views:2.0.2:*:*:*:*:*:*:*                  CVE-2008-6020
views_bulk_operations:4.2.3  cpe:2.3:a:drupal:views:4.2.3:*:*:*:*:*:*:*                  CVE-2009-0575
                             cpe:2.3:a:drupal:views_bulk_operations:4.2.3:*:*:*:*:*:*:*  CVE-2009-0575
views_data_export:1.2.0      cpe:2.3:a:drupal:data:1.2.0:*:*:*:*:*:*:*                   ????
                             cpe:2.3:a:drupal:views:1.2.0:*:*:*:*:*:*:*                  CVE-2008-6020
views_field_compare:1.0.0    cpe:2.3:a:drupal:views:1.0.0:*:*:*:*:*:*:*                  CVE-2008-6020

Pear and Views seem out of the Drupal scope.
views_bulk_operations is certainly due to the old Drupal version format, hence views_bulk_operations:4.2.3 matches a Drupal 4 version.

Task
Status: Postponed: needs info
Version: 11.0
Component: Other


Created by O'Briat (France, Nantes)

Tags: Security


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Issue created by @O'Briat
  • France O'Briat Nantes
  • United States cilefen

    I can't reproduce the composer audit finding on branch 10.0.x by typing composer install && composer audit. And those Symfony library pins were released in 10.0.3. I don't see how that one is valid. I think that section should be removed from the issue summary so as not to confuse everyone.

    I am glad someone is testing out the OWASP tool because I had been meaning to look at it. Thank you for using Docker so others can reproduce the results.

    Is there a way to run the tool in a more verbose mode so we can understand how the software determines these very old issues exist?
    Are you definitely sure that the tool is listing these as issues, or as any CVE ever to affect that project?

  • France O'Briat Nantes
  • Australia larowlan .au GMT+10

    I'm not sure why this is filed against Drupal core? Shouldn't it be against the OWASP tool instead?

  • Status changed to Postponed: needs info over 1 year ago
  • United States cilefen
  • France O'Briat Nantes

    @cilefen: This core issue should reproduce with a drupal/core 9.4.10, I'll try to send a simple composer.lock that could be used to reproduce the issue.
    @larowlan I added a comment on this issue: https://github.com/jeremylong/DependencyCheck/issues/1387
    This current Drupal issue should be left open at least to track the problem (SEO) and I think some problems are unique to the Drupal way of version numbering: first locking major to core version as major, then freeing it again.
    Maybe this wrong version matching could only be fixed by using specific options?

  • Status changed to Needs work over 1 year ago
  • France O'Briat Nantes
  • Status changed to Postponed: needs info over 1 year ago
  • United States cilefen

    Drupal 9.4.11 exists. I don’t understand the purpose of this issue.

  • France O'Briat Nantes

    This point is NOT a security issue, it's about why dependency-check returns false positives or misses vulnerabilities.
    Some problems come from the tool itself but others are Drupal dependent (version numbering at least).

    The goal is either to fix the Drupal side issues or to help dependency-check to be more reliable since OWASP is the de-facto security standard.

    My example above is just here to help reproduce the problem.

  • United States cilefen

    Ah, understood. So in #7 you mean that there is in fact a library with a security bug in symfony/http-kernel that composer audit detects, and yet the OWASP tool does not detect symfony/http-kernel, and the OWASP tool detects different things which are false.

  • France O'Briat Nantes

    Yes, that's what I mean (it could be due to my bad English :))

    Once again this issue is mainly "for the record" and to keep track of the "OWASP" problem.

    On the Drupal side, the first task IMHO will be to discover why this tool (or the CVE database) mixes package names. How is an issue opened on Views 6.x-2.2 14 years ago (https://nvd.nist.gov/vuln/detail/CVE-2008-6020) matched with leaflet_views:2.2.12?

    Maybe someone here could help the dependency-check team to improve it? Check the ComposerLockAnalyzer class:
    https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/ja...
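The two mismatches visible in the scan output in the issue summary and questioned in the comment above (a CPE product that is only a token of the composer project name, and a legacy Drupal "6.x-2.2" release compared against a semver release) can be re-checked mechanically before a finding is accepted. This is an added triage example, not dependency-check's own logic or the ComposerLockAnalyzer; the "4.7.x-1.0" advisory version it attaches to the views_bulk_operations row is a constructed placeholder, since the page does not give it.

```python
"""Triage helper for the dependency-check findings above (added example for this
issue, not dependency-check's own code): re-check each CPE match against the
composer package name and the Drupal legacy version format."""
import re
from typing import Optional

# Legacy contrib versions are "CORE.x-MODULE" ("6.x-2.2", "4.7.x-1.0");
# current contrib releases are plain semver ("2.2.12").
LEGACY_RE = re.compile(r"^(\d+(?:\.\d+)?)\.x-(\d+(?:\.\d+)*)$")

def parse_cpe23(cpe: str) -> tuple[str, str, str]:
    """Return (vendor, product, version) from a CPE 2.3 formatted string."""
    parts = cpe.split(":")
    if len(parts) < 6 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return parts[3], parts[4], parts[5]

def normalize_drupal_version(version: str) -> tuple[Optional[str], str]:
    """Return (core_branch, module_version); core_branch is None for semver."""
    m = LEGACY_RE.match(version)
    return (m.group(1), m.group(2)) if m else (None, version)

def triage(package: str, installed: str, cpe: str, cve_version: str) -> str:
    """Classify one finding as 'product-mismatch', 'legacy-version-mismatch' or
    'review' (passed both checks, needs a human look). package is the composer
    name; cve_version is the release the advisory names ("6.x-2.2" for CVE-2008-6020)."""
    vendor, product = package.split("/", 1)
    cpe_vendor, cpe_product, _ = parse_cpe23(cpe)
    # leaflet_views was mapped to drupal:views: require the CPE product to
    # equal the whole project name, not one token of it.
    if (cpe_vendor, cpe_product) != (vendor, product):
        return "product-mismatch"
    cve_core, _ = normalize_drupal_version(cve_version)
    inst_core, _ = normalize_drupal_version(installed)
    # An advisory against a legacy "N.x-a.b" release does not apply to a semver
    # release, and its leading "N" is a core branch, not a module major version.
    if cve_core is not None and cve_core != inst_core:
        return "legacy-version-mismatch"
    return "review"

# Rows from the scan output above; the "4.7.x-1.0" advisory version for
# views_bulk_operations is constructed for illustration (not given on the page).
FINDINGS = [
    ("drupal/leaflet_views", "2.2.12",
     "cpe:2.3:a:drupal:views:2.2.12:*:*:*:*:*:*:*", "6.x-2.2"),
    ("drupal/views_bulk_operations", "4.2.3",
     "cpe:2.3:a:drupal:views_bulk_operations:4.2.3:*:*:*:*:*:*:*", "4.7.x-1.0"),
]

if __name__ == "__main__":
    for pkg, ver, cpe, cve_ver in FINDINGS:
        print(f"{pkg}:{ver} -> {triage(pkg, ver, cpe, cve_ver)}")
```

Findings that come back as "review" are the only ones worth opening the advisory for; the other two classes are exactly the false-positive patterns listed in the issue summary.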

  • United States smustgrave

    ld this be reopened?

  • France O'Briat Nantes