Security Issue wrongly set up at NIST #1019

Closed
gamma opened this issue May 13, 2020 · 10 comments
Comments

@gamma

gamma commented May 13, 2020

Hi,

we received a security alert originating from GHSA-gw55-jm4h-x339 linking to https://nvd.nist.gov/vuln/detail/CVE-2020-11050

Our OWASP dependency checker wrongly matched the javax.websocket:javax.websocket-api against this vulnerability with a high confidence in several fields of the MANIFEST.

Can you please check the reported metadata to make sure it matches only the affected client-side library and not the javax.websocket-api?

@marci4
Collaborator

marci4 commented May 13, 2020

Uhm, idk what happened there. Trying to get in contact with GitHub for that one.

Best regards,
Marcel

@marci4
Collaborator

marci4 commented May 13, 2020

Could you provide some contact for your OWASP dependency checker? Maybe they can help us solve this issue as well?

Thx a lot
Best regards
Marcel

@gamma
Author

gamma commented May 13, 2020

We're using the Gradle dependency checker by https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/index.html

AFAIK they're loading updated XMLs from https://nvd.nist.gov/

@marci4
Collaborator

marci4 commented May 13, 2020

I see reports for a lot of false positives in their issue database.

@gamma
Author

gamma commented May 13, 2020

Thanks for checking.

@marci4
Collaborator

marci4 commented May 13, 2020

If I understand it correctly, this false positive is caused by jeremylong/DependencyCheck#1827

@uap-universe

uap-universe commented May 13, 2020

The maven plugin org.owasp:dependency-check-maven is also affected.

Strange thing is that the CPE ID is clearly java_websocket and not javax.websocket. So I think there is some weak pattern matching going on in these checkers, and they report matches even if the package names are just similar to some degree but not equal. But this is just blind guessing from my side.

UPDATE

This is what the report shows. Clearly the vulnerability ID and the package do not match exactly, just closely. So I assume that can only be fixed on the checker's side.

Dependency:        javax.websocket-api-1.1.jar
Vulnerability IDs: cpe:2.3:a:java-websocket_project:java-websocket:1.1:*:*:*:*:*:*:*
Package:           pkg:maven/javax.websocket/javax.websocket-api@1.1
Highest Severity:  HIGH
CVE Count:         1
Confidence:        Highest
Evidence Count:    29

@marci4
Collaborator

marci4 commented May 13, 2020

That's what my investigation showed.

I think there is an issue in the org.owasp match algorithm.

@uap-universe

uap-universe commented May 14, 2020

I did not read through all the details, but it seems that the checker uses some sort of Lucene index and some sort of fuzzy search. As per the documentation, false positives as well as false negatives are expected. So I suspect the canonical solution to this is to add a suppression file that looks somewhat like this:

<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[False positive TooTallNate/Java-WebSocket / javax.websocket]]></notes>
        <packageUrl regex="true">^pkg:maven/jakarta\.websocket/jakarta\.websocket\-(api|client-api|all)@.*$</packageUrl>
        <cpe>cpe:/a:java-websocket_project:java-websocket</cpe>
    </suppress>
    <suppress>
        <notes><![CDATA[False positive TooTallNate/Java-WebSocket / javax.websocket]]></notes>
        <packageUrl regex="true">^pkg:maven/javax\.websocket/javax\.websocket\-(api|client-api|all)@.*$</packageUrl>
        <cpe>cpe:/a:java-websocket_project:java-websocket</cpe>
    </suppress>
</suppressions>

That has to be done now by all projects using dependency check. It looks like there is nothing you can do as a library author.

UPDATE
I modified the regular expressions so that they match all three artifacts in the javax.websocket and jakarta.websocket groups.
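
A way to check what the suppression file above actually silences before committing it, added here as an example (not code from this thread or from DependencyCheck): it parses the rules and applies them to the finding from the report plus constructed findings for a jakarta artifact and for the real org.java-websocket:Java-WebSocket library the CPE refers to, so you can confirm the false positive is hidden while a genuine Java-WebSocket hit would still be reported. The matching semantics (regex on packageUrl, vendor/product comparison on cpe) and the sample versions are assumptions, not DependencyCheck's implementation.

```python
import re
import xml.etree.ElementTree as ET

# Schema namespace of the suppression file, and the file posted above as the input under test.
NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}
SUPPRESSIONS_XML = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[False positive TooTallNate/Java-WebSocket / javax.websocket]]></notes>
    <packageUrl regex="true">^pkg:maven/jakarta\.websocket/jakarta\.websocket\-(api|client-api|all)@.*$</packageUrl>
    <cpe>cpe:/a:java-websocket_project:java-websocket</cpe>
  </suppress>
  <suppress>
    <notes><![CDATA[False positive TooTallNate/Java-WebSocket / javax.websocket]]></notes>
    <packageUrl regex="true">^pkg:maven/javax\.websocket/javax\.websocket\-(api|client-api|all)@.*$</packageUrl>
    <cpe>cpe:/a:java-websocket_project:java-websocket</cpe>
  </suppress>
</suppressions>"""
# Constructed findings: the row from the report above, a jakarta variant, and the real Java-WebSocket artifact (version made up).
CPE_HIT = "cpe:2.3:a:java-websocket_project:java-websocket:1.1:*:*:*:*:*:*:*"
FINDINGS = [
    ("pkg:maven/javax.websocket/javax.websocket-api@1.1", CPE_HIT),
    ("pkg:maven/jakarta.websocket/jakarta.websocket-client-api@1.1", CPE_HIT),
    ("pkg:maven/org.java-websocket/Java-WebSocket@1.4.0", CPE_HIT),
]

def cpe_key(cpe):
    """(part, vendor, product) from a CPE 2.2 'cpe:/a:v:p' or 2.3 'cpe:2.3:a:v:p:...' string."""
    if cpe.startswith("cpe:2.3:"):
        return tuple(cpe.split(":")[2:5])
    if cpe.startswith("cpe:/"):
        return tuple(cpe[5:].split(":")[:3])
    raise ValueError("unrecognised CPE: " + cpe)

def load_rules(xml_text):
    """Parse each <suppress> into (compiled packageUrl pattern, set of cpe keys)."""
    rules = []
    for sup in ET.fromstring(xml_text).findall("s:suppress", NS):
        purl = sup.find("s:packageUrl", NS)
        pattern = purl.text if purl.get("regex") == "true" else re.escape(purl.text)
        rules.append((re.compile(pattern), {cpe_key(c.text) for c in sup.findall("s:cpe", NS)}))
    return rules

def is_suppressed(rules, purl, cpe):
    """Assumed semantics: hidden when a rule's purl pattern matches AND a rule cpe names the same vendor/product."""
    return any(pat.search(purl) and cpe_key(cpe) in cpes for pat, cpes in rules)

def triage(findings=FINDINGS, xml_text=SUPPRESSIONS_XML):
    """Map each (purl, cpe) finding to True if the suppression file hides it, else False."""
    rules = load_rules(xml_text)
    return {purl: is_suppressed(rules, purl, cpe) for purl, cpe in findings}
```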

@marci4
Collaborator

marci4 commented May 15, 2020

@universe thx a lot for your work!

Closing this issue as it is a false positive caused by the fuzzy search!

Will mention it in the advisory.

Best regards,
Marcel

@marci4 marci4 closed this as completed May 15, 2020
marco-schmidt added a commit to marco-schmidt/amweb that referenced this issue May 23, 2020
fix dependencyCheck false positive because unused other websocket api has issue CVE-2020-11050
TooTallNate/Java-WebSocket#1019 (comment)
GHSA-gw55-jm4h-x339