
Steady's vulnerability reports for the com.fasterxml.jackson.core:jackson-databind 2.0.0, 2.6.5, and 2.8.0 projects are completely identical. #587

Open
momo-tong opened this issue May 18, 2023 · 3 comments

Comments

@momo-tong

Describe the bug
Steady's vulnerability reports for the com.fasterxml.jackson.core:jackson-databind 2.0.0, 2.6.5, and 2.8.0 projects are completely identical.

My objective is to analyze the vulnerabilities of the com.fasterxml.jackson.core:jackson-databind 2.0.0, 2.6.5, and 2.8.0 versions. Since Steady only analyzes vulnerabilities for third-party dependencies using a POM configuration file, I have created my own configuration file. Steady analyzed the com.fasterxml.jackson.core:jackson-databind software for the three versions mentioned. The CVEs reported on the Steady web page are identical. Additionally, I used Steady to scan the JAR files for versions 2.0.0 and 2.6.5, and the vulnerability reports for all versions are also identical. I have updated the database to the latest.

Can you provide me with some assistance to resolve or explain this issue? Thanks very much!

To Reproduce
my own configuration file

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.example</groupId>
    <artifactId>untitled</artifactId>
    <version>2.0.0-SNAPSHOT</version>

    <properties>
        <maven.compiler.source>11</maven.compiler.source>
        <maven.compiler.target>11</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    </properties>

    <dependencies>
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-databind</artifactId>
            <version>2.0.0</version>
            <scope>compile</scope>
        </dependency>
    </dependencies>

</project>

the command

#sudo java -Xms2048m  -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal app
#sudo java -Xms2048m  -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal a2c
#sudo java -Xms2048m  -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal upload
#sudo java -Xms2048m  -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal report

Steady result

Scope    Dependency  Archive                     Vulnerability   CVSS
RUNTIME  direct      jackson-databind-2.6.5.jar  CVE-2017-17485  9.8 (v3.1)
RUNTIME  direct      jackson-databind-2.6.5.jar  CVE-2017-7525   9.8 (v3.1)
RUNTIME  direct      jackson-databind-2.6.5.jar  CVE-2018-11307  9.8 (v3.1)
RUNTIME  direct      jackson-databind-2.6.5.jar  CVE-2018-12022  7.5 (v3.0)
RUNTIME  direct      jackson-databind-2.6.5.jar  CVE-2018-12023  7.5 (v3.0)
RUNTIME  direct      jackson-databind-2.6.5.jar  CVE-2018-5968   8.1 (v3.1)
RUNTIME  direct      jackson-databind-2.6.5.jar  CVE-2018-7489   9.8 (v3.0)
RUNTIME  direct      jackson-databind-2.6.5.jar  CVE-2019-14540  9.8 (v3.1)
RUNTIME  direct      jackson-databind-2.6.5.jar  CVE-2019-16335  9.8 (v3.1)
RUNTIME  direct      jackson-databind-2.6.5.jar  CVE-2020-36518  7.5 (v3.1)
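The issue above drives the Steady CLI by hand once per library version. The script below is an added example (not Steady's code and not from the issue author) that does the same thing programmatically: it writes a steady-custom.properties with a distinct vulas.core.appContext.version for each version, checks that the jar staged for the scan is actually the version being targeted, and then runs the four goals (app, a2c, upload, report) shown in the issue. It assumes, as the issue's properties files suggest, that the CLI reads ./steady-custom.properties from the working directory and analyses the archives placed under the directory named by vulas.core.app.sourceDir (here: ./app); the jar name pattern and the per-version workspace layout are the example's own assumptions.

```python
"""Scan several versions of one library with the Steady CLI, one app context per version.

Added example, not part of Steady or of the issue. Assumptions: the CLI jar name, goals
and property keys as used in the issue; ./steady-custom.properties is read from the
working directory; archives to analyse live under ./app (vulas.core.app.sourceDir).
"""
import re
import subprocess
from pathlib import Path
from typing import List

CLI_JAR = "steady-cli-3.2.5-jar-with-dependencies.jar"   # CLI and goals as used in the issue
GOALS = ("app", "a2c", "upload", "report")
BACKEND = "http://localhost:8033"                          # backend/CIA base URL from the issue
JAR_VERSION = re.compile(r"^jackson-databind-(\d+\.\d+\.\d+)\.jar$")  # assumed naming of staged jars


def properties_for(version: str, group: str = "org.example", artifact: str = "untitled") -> str:
    """Render steady-custom.properties so this version gets its own app context in the backend.
    Only keys that appear in the issue's own properties files are used."""
    return "\n".join([
        f"vulas.shared.backend.serviceUrl={BACKEND}/backend",
        f"vulas.shared.cia.serviceUrl={BACKEND}/cia",
        "vulas.shared.tmpDir=vulas/tmp",
        f"vulas.core.appContext.group={group}",
        f"vulas.core.appContext.artifact={artifact}",
        f"vulas.core.appContext.version={version}",
        f"vulas.core.app.appPrefixes={artifact}",
        "vulas.core.app.sourceDir=app",
        "",
    ])


def check_archives(app_dir: Path, expected: str) -> List[str]:
    """Problems with the archives staged for a scan of jackson-databind <expected>.
    The CLI reports on whatever jar it finds, so staging 2.6.5 for a '2.0.0' scan
    yields a report about 2.6.5 filed under the 2.0.0 app context."""
    names = sorted(p.name for p in app_dir.glob("*.jar")) if app_dir.is_dir() else []
    problems, found = [], False
    for name in names:
        m = JAR_VERSION.match(name)
        if not m:
            continue
        if m.group(1) == expected:
            found = True
        else:
            problems.append(f"{name} is staged for a {expected} scan")
    if not found:
        problems.append(f"jackson-databind-{expected}.jar is not staged under {app_dir}")
    return problems


def scan_version(workdir: Path, lib_version: str, dry_run: bool = True) -> List[List[str]]:
    """Write the properties file into <workdir> and run the four goals from there.
    Returns the commands; with dry_run=True nothing is executed."""
    workdir.mkdir(parents=True, exist_ok=True)
    problems = check_archives(workdir / "app", lib_version)
    if problems:
        raise RuntimeError("; ".join(problems))
    (workdir / "steady-custom.properties").write_text(properties_for(f"{lib_version}-SNAPSHOT"))
    cmds = [["java", "-Xms2048m", "-Xmx2048m", "-jar", CLI_JAR, "-goal", goal] for goal in GOALS]
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, cwd=workdir, check=True)
    return cmds


if __name__ == "__main__":
    # Expects scans/<version>/app/jackson-databind-<version>.jar to be staged beforehand.
    for v in ("2.0.0", "2.6.5", "2.8.0"):
        try:
            for cmd in scan_version(Path("scans") / v, v):
                print(v, " ".join(cmd))
        except RuntimeError as exc:
            print(v, "not scanned:", exc)
```

Run with dry_run=False once the backend is up and the jars are staged; the pre-flight check is the part worth keeping even if the rest is replaced by a shell loop, because an app context named 2.0.0 that actually contains the 2.6.5 jar will look exactly like the identical reports described above.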

@serenaponta
Contributor

Hi @momo-tong, you shared the configuration used as a pom file but from the command it looks like you used the CLI tool. The CLI does not consume the information in the pom and, e.g., to identify the scanned application uses the properties given in the ./steady-custom.properties file.

Could you share more insights on how you run the tool and attach the report or screenshot of the web frontend for the 3 applications you considered (corresponding to the three jackson-databind versions you are targeting)?

@momo-tong
Author

Hi, Thanks for your reply.

I want to analyze the vulnerabilities of the com.fasterxml.jackson.core:jackson-databind 2.0.0, 2.6.5, and 2.8.0 versions. I will provide information of steady-custom.properties file and the web results. Could you please help me resolve this problem?

./steady-custom.properties file of com.fasterxml.jackson.core:jackson-databind 2.0.0
vulas.shared.backend.serviceUrl=http://localhost:8033/backend
vulas.shared.cia.serviceUrl=http://localhost:8033/cia
vulas.shared.tmpDir = vulas/tmp

vulas.core.appContext.group = org.example
vulas.core.appContext.artifact = untitled
vulas.core.appContext.version = 2.0.0-SNAPSHOT
vulas.core.app.appPrefixes = untitled
vulas.core.app.sourceDir = app

[screenshot of the web frontend for com.fasterxml.jackson.core:jackson-databind 2.0.0; image not reproduced]

./steady-custom.properties file of com.fasterxml.jackson.core:jackson-databind 2.6.5
vulas.shared.backend.serviceUrl=http://localhost:8033/backend
vulas.shared.cia.serviceUrl=http://localhost:8033/cia
vulas.shared.tmpDir = vulas/tmp

vulas.core.appContext.group = org.example
vulas.core.appContext.artifact = untitled
vulas.core.appContext.version = 2.6.5-SNAPSHOT
vulas.core.app.appPrefixes = untitled
vulas.core.app.sourceDir = app

[screenshot of the web frontend for com.fasterxml.jackson.core:jackson-databind 2.6.5; image not reproduced]

./steady-custom.properties file of com.fasterxml.jackson.core:jackson-databind 2.8.0
vulas.shared.backend.serviceUrl=http://localhost:8033/backend
vulas.shared.cia.serviceUrl=http://localhost:8033/cia
vulas.shared.tmpDir = vulas/tmp

vulas.core.appContext.group = org.example
vulas.core.appContext.artifact = untitled
vulas.core.appContext.version = 2.8.0-SNAPSHOT
vulas.core.app.appPrefixes = untitled
vulas.core.app.sourceDir = app

[screenshot of the web frontend for com.fasterxml.jackson.core:jackson-databind 2.8.0; image not reproduced]

@serenaponta
Contributor

Hi @momo-tong,

sorry for the late reply. In the screenshots the right-most column "Includes vulnerable code" is not visible. From the results I expect it to show an "orange hourglass", meaning that the tool didn't yet or couldn't analyse the vulnerable code, i.e., it knows it includes a class or method changed in order to fix the vulnerability, but couldn't establish whether it contains it in its vulnerable or fixed version.

Whenever the vulnerability fix involves method code changes, orange hourglasses may turn to red/green marks thanks to the patch-lib-analyzer (running asynchronously from the scan in a dedicated container). The same can also be run manually for specific vulnerabilities as described at https://eclipse.github.io/steady/user/manuals/library_assessment/#usage

In case the vulnerability fix only includes non-code changes (or--in the current implementation of Steady--only changes class fields, as often happens for Jackson databind vulnerabilities), a manual assessment is needed, see Manual Library Assessment

Once assessments are available for a number of library versions and a given vulnerability (created either by patch-lib-analyzer or manually), the goal check-code can help create additional results. However, I do not think this fits your case.
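The comment above explains the three outcomes of the "Includes vulnerable code" column: the archive contains a construct changed by the fix in its fixed form, in its vulnerable form, or in a form the tool cannot place (the orange hourglass), with field-only or non-code fixes never decidable automatically. The following is an added example, not Steady's code, that models that decision at class-file granularity on jars built in memory. It assumes a fix is described by the classes it changed together with the SHA-256 of their vulnerable and fixed class files (Steady's real construct model works at method level and with its own signatures; the class names, digests and byte strings here are constructed for the example).

```python
"""Model of the 'Includes vulnerable code' assessment, at class-file granularity.

Added example, not Steady's implementation. A fix is the set of class files it changed,
each with the digest of its vulnerable and fixed form. Verdict per archive:
  NOT_AFFECTED  none of the changed classes is in the archive
  VULNERABLE    a changed class is present and matches its vulnerable digest
  FIXED         every changed class present matches its fixed digest
  UNKNOWN       a changed class is present but matches neither digest (the hourglass),
                or the fix changed no method code at all (field-only / non-code change),
                which is exactly the case that needs a manual assessment
"""
import hashlib
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ChangedConstruct:
    path: str                        # entry inside the jar, e.g. "com/example/Foo.class"
    vulnerable_sha256: Optional[str] # None: the fix has no code body to compare against
    fixed_sha256: Optional[str]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_jar(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory jar (a zip) from {entry path: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def assess(jar_bytes: bytes, fix: List[ChangedConstruct]) -> Tuple[str, Dict[str, str]]:
    """Return (archive verdict, per-construct verdicts) for one archive against one fix."""
    verdicts: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        for c in fix:
            if c.path not in names:
                continue                      # construct not shipped by this archive
            if c.vulnerable_sha256 is None or c.fixed_sha256 is None:
                verdicts[c.path] = "UNKNOWN"  # field-only / non-code fix: nothing to compare
                continue
            digest = sha256(zf.read(c.path))
            if digest == c.fixed_sha256:
                verdicts[c.path] = "FIXED"
            elif digest == c.vulnerable_sha256:
                verdicts[c.path] = "VULNERABLE"
            else:
                verdicts[c.path] = "UNKNOWN"  # e.g. a vendor rebuild or backport
    kinds = set(verdicts.values())
    if not kinds:
        return "NOT_AFFECTED", verdicts
    if "VULNERABLE" in kinds:
        return "VULNERABLE", verdicts         # one vulnerable construct is enough
    if kinds == {"FIXED"}:
        return "FIXED", verdicts
    return "UNKNOWN", verdicts


def demo() -> Dict[str, str]:
    """Constructed sample: byte strings stand in for real class-file bytecode."""
    vuln = b"class Deserializer { resolve(): no gadget check }"
    fixed = b"class Deserializer { resolve(): check against blocked types }"
    rebuilt = b"class Deserializer { resolve(): vendor backport, different bytes }"
    code_fix = [ChangedConstruct("com/example/Deserializer.class", sha256(vuln), sha256(fixed))]
    field_only_fix = [ChangedConstruct("com/example/TypeValidator.class", None, None)]
    jars = {
        "lib-1.0.jar": make_jar({"com/example/Deserializer.class": vuln}),
        "lib-1.1.jar": make_jar({"com/example/Deserializer.class": fixed}),
        "lib-1.0-backport.jar": make_jar({"com/example/Deserializer.class": rebuilt}),
        "other-2.0.jar": make_jar({"org/other/Util.class": b"unrelated"}),
    }
    out = {name: assess(data, code_fix)[0] for name, data in jars.items()}
    # A fix that only added names to a static field cannot be decided by comparing bodies.
    out["lib-1.1.jar (field-only fix)"] = assess(
        make_jar({"com/example/TypeValidator.class": fixed}), field_only_fix)[0]
    return out


if __name__ == "__main__":
    for archive, verdict in demo().items():
        print(f"{archive:32} {verdict}")
```

The two UNKNOWN rows are the hourglass cases from the comment: the backport is present but matches neither reference digest, and the field-only fix has no method body whose digest could ever match, so no amount of re-running an analyzer resolves it and a manual assessment is the only way to turn it into a red or green mark.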
