Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[FP]: CVE-2017-16111, which applies to the content module of the hapijs/hapi.js framework, gets falgged on ktor dependencies with content in the name #6693

Closed
volkert-fastned opened this issue May 28, 2024 · 6 comments
Labels
FP Report maven changes to the maven plugin

Comments

@volkert-fastned
Copy link
Contributor

Package URl

pkg:maven/io.ktor/[email protected]

CPE

cpe:2.3:a:content_project:content:2.3.11:::::::*

CVE

CVE-2017-16111

ODC Integration

{"label"=>"Gradle Plugin"}

ODC Version

9.2.0

Description

Vulnerability CVE-2017-16111, which applies to the content module of hapi.js (a Node.js library) gets flagged on Ktor dependencies that have content in the name:

ktor-client-content-negotiation-jvm-2.3.11-sources.jar (pkg:maven/io.ktor/[email protected], cpe:2.3:a:content_project:content:2.3.11:*:*:*:*:*:*:*) : CVE-2017-16111
ktor-server-content-negotiation-jvm-2.3.11-sources.jar (pkg:maven/io.ktor/[email protected], cpe:2.3:a:content_project:content:2.3.11:*:*:*:*:*:*:*) : CVE-2017-16111

Strangely enough, this suddenly got flagged (along with a bunch of other vulnerabilities) while I tried to upgrade a project from Kotlin 1.9.x to Kotlin 2.0. But the dependencies that suddenly got flagged with that upgrade weren't related to the Kotlin 2.0 upgrade.

Also worth noting: according to NIST, the CPE should in fact be cpe:2.3:a:content_project:content:*:*:*:*:*:node.js:*:* but the CPE that the DendencyCheck Gradle plugin flags has a wildcard in place of the node.js part. Perhaps that's what's causing this false positive?

Copy link
Contributor

Maven Coordinates

<dependency>
   <groupId>io.ktor</groupId>
   <artifactId>ktor-client-content-negotiation-jvm</artifactId>
   <version>2.3.11</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6693
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/io\.ktor/ktor-client-content-negotiation-jvm@.*$</packageUrl>
   <cpe>cpe:/a:content_project:content</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9268481543

@volkert-fastned
Copy link
Contributor Author

@jeremylong
Copy link
Owner

approved

Copy link
Contributor

Suppress rule has been added to the generatedSuppressions branch.

github-actions bot added a commit that referenced this issue May 28, 2024
@volkert-fastned
Copy link
Contributor Author

@jeremylong It still flags the second one, even with the automatically generated suppression in place:

ktor-server-content-negotiation-jvm-2.3.11-sources.jar (pkg:maven/io.ktor/[email protected], cpe:2.3:a:content_project:content:2.3.11:*:*:*:*:*:*:*) : CVE-2017-16111

@volkert-fastned
Copy link
Contributor Author

@jeremylong Not broad enough, see the suggestion I added to the fix commit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
FP Report maven changes to the maven plugin
Projects
None yet
Development

No branches or pull requests

2 participants