Adding version through hints no longer shows up as evidence in the report #5894

Closed
svedin opened this issue Aug 21, 2023 · 1 comment · Fixed by #5900

svedin commented Aug 21, 2023

Describe the bug
Looking under the evidence section in the report would show versions added through hints before version 8.4.0 of dependency-check. I am using the maven plugin (I haven't tested with others, so they might be affected too).
I don't know if the issue is just in the report and if the added version is considered correctly when scanning or not.

Version of dependency-check used
The problem occurs using version 8.4.0 of the maven plugin


To Reproduce

Steps to reproduce the behavior:
Can be reproduced with the following pom, running mvn dependency-check:check:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>foo</artifactId>
  <version>0.1-SNAPSHOT</version>
  <packaging>pom</packaging>

  <dependencies>
    <dependency>
      <groupId>org.hibernate</groupId>
      <artifactId>hibernate-validator</artifactId>
      <version>5.0.2.Final</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>8.4.0</version>
      </plugin>
    </plugins>
  </build>
</project>

hibernate-validator has a version added from the default hints, but it doesn't show up in the report. Running the same pom but with version 8.3.1 instead shows the version under evidence in the report.

Expected behavior
The report should show the added version under evidence.

Additional context
I assume that this is related to #5812 and #5818.
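As an added example (not code from the issue or from the dependency-check project), a small check over the JSON report that flags dependencies whose hint-added version evidence is missing, so the regression described above can be caught automatically. The report layout (dependencies[].evidenceCollected.versionEvidence[]) and the "hint" source value are assumptions, and both sample reports are constructed.

```python
import json
from typing import Dict, List


def _report(version_evidence: List[dict]) -> str:
    # Constructed sample report; the layout is an assumption about the
    # dependency-check JSON report, not output copied from the issue.
    return json.dumps({"dependencies": [{
        "fileName": "hibernate-validator-5.0.2.Final.jar",
        "evidenceCollected": {"versionEvidence": version_evidence},
    }]})


POM_EVIDENCE = {"type": "version", "confidence": "HIGHEST", "source": "pom",
                "name": "version", "value": "5.0.2.Final"}
HINT_EVIDENCE = {"type": "version", "confidence": "HIGH", "source": "hint",
                 "name": "version", "value": "5.0"}

# What the report looked like before 8.4.0 (hint evidence present) and
# after (hint evidence absent), as described in the issue.
REPORT_WITH_HINT = _report([POM_EVIDENCE, HINT_EVIDENCE])
REPORT_WITHOUT_HINT = _report([POM_EVIDENCE])

# Hint-added versions we expect to see per dependency file name.
EXPECTED_HINTS = {"hibernate-validator-5.0.2.Final.jar": "5.0"}


def hint_version_evidence(report_json: str) -> Dict[str, List[str]]:
    """Map each dependency to the version values whose evidence source is
    'hint', i.e. values that came from a hints file, not the artifact."""
    report = json.loads(report_json)
    found: Dict[str, List[str]] = {}
    for dep in report.get("dependencies", []):
        evidence = dep.get("evidenceCollected", {}).get("versionEvidence", [])
        found[dep["fileName"]] = [e["value"] for e in evidence
                                  if e.get("source") == "hint"]
    return found


def missing_hint_evidence(report_json: str, expected: Dict[str, str]) -> List[str]:
    """Return the dependencies whose expected hint-added version does not
    appear in the report's evidence (the symptom reported in this issue)."""
    found = hint_version_evidence(report_json)
    return [name for name, version in expected.items()
            if version not in found.get(name, [])]


if __name__ == "__main__":
    print("8.3.1-style:", missing_hint_evidence(REPORT_WITH_HINT, EXPECTED_HINTS))
    print("8.4.0-style:", missing_hint_evidence(REPORT_WITHOUT_HINT, EXPECTED_HINTS))
```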

@svedin svedin added the bug label Aug 21, 2023
@aikebah aikebah added this to the 8.4.1 milestone Aug 26, 2023

aikebah commented Aug 26, 2023

Unanticipated side effect of that change indeed. For this specific case it is not harmful. The original inclusion of this hint was a hack targeted at resolving a false negative (#534) that has been cleanly resolved ever since the NVD switched to the JSON data feed, which allowed dependencyCheck to properly link the CVE independently of the version hint. Both 8.3.1 and 8.4.0 report CVE-2014-3558, the earlier false negative that was the original purpose of the version 5.0 hint.

This issue was closed.