[FP]: CVE-2022-21704, a log4js (node.js) dependency, gets flagged in a log4j (Java) dependency

[volkert-fastned]

Package URl

pkg:maven/org.apache.logging.log4j/[email protected]

CPE

cpe:2.3:a:apache:log4j:2.23.1:::::::*

CVE

CVE-2022-21704

ODC Integration

{"label"=>"Gradle Plugin"}

ODC Version

9.2.0

Description

Vulnerability CVE-2022-21704, which applies to log4js (with an s at the end, a Node.js library) gets flagged on a Log4j (Java) dependency:

log4j-slf4j2-impl-2.23.1-sources.jar (pkg:maven/org.apache.logging.log4j/[email protected], cpe:2.3:a:apache:log4j:2.23.1:*:*:*:*:*:*:*, cpe:2.3:a:log4js_project:log4js:2.23.1:*:*:*:*:*:*:*) : CVE-2022-21704

Strangely enough, this suddenly got flagged (along with a bunch of other vulnerabilities) while I tried to upgrade a project from Kotlin 1.9.x to Kotlin 2.0. But the dependencies that suddenly got flagged with that upgrade weren't related to the Kotlin 2.0 upgrade.

Also worth noting: according to NIST, the CPE should in fact be cpe:2.3:a:log4js_project:log4js:*:*:*:*:*:node.js:*:*, but both CPEs that the DendencyCheck Gradle plugin flags have a wildcard in place of the node.js part. Perhaps that's what's causing this false positive?

[github-actions]

Maven Coordinates

<dependency>
   <groupId>org.apache.logging.log4j</groupId>
   <artifactId>log4j-slf4j2-impl</artifactId>
   <version>2.23.1</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6695
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.apache\.logging\.log4j/log4j-slf4j2-impl@.*$</packageUrl>
   <cpe>cpe:/a:apache:log4j</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9268617953

[volkert-fastned]

This is one of multiple FPs of Node.js vulnerabilities that suddenly got flagged on Java/JVM dependencies while I was upgrading Kotlin from 1.9.x to 2.0, apparently because the CPE had an asterisk in the third position, which should have contained the string node.js, according to NIST:

• CVE-2021-3765, FP reported at [FP]: CVE-2021-3765, validator.js dependency gets flagged on hibernate-validator dependencies #6692
• CVE-2017-16111, FP reported at [FP]: CVE-2017-16111, which applies to the content module of the hapijs/hapi.js framework, gets falgged on ktor dependencies with content in the name #6693
• CVE-2016-10543, FP reported at [FP]: CVE-2016-10543, which applies to the call module of the hapijs/hapi.js framework, gets falgged on ktor dependencies with call in the name #6694
• CVE-2022-21704, FP reported at [FP]: CVE-2022-21704, a log4js (node.js) dependency, gets flagged in a log4j (Java) dependency #6695

[jeremylong]

approved

[github-actions]

Suppress rule has been added to the generatedSuppressions branch.

[volkert-fastned]

@jeremylong This suppression didn't work, apparently. The FP is still getting flagged, even with the suppression added to my project:

log4j-slf4j2-impl-2.23.1-sources.jar (pkg:maven/org.apache.logging.log4j/[email protected], cpe:2.3:a:log4js_project:log4js:2.23.1:*:*:*:*:*:*:*) : CVE-2022-21704

[volkert-fastned]

@jeremylong I figured out why the automatically generated suppression didn't work.

See b2052fb#r142470093