[FP]: CVE-2017-16111, which applies to the content module of the hapijs/hapi.js framework, gets falgged on ktor dependencies with content in the name

[volkert-fastned]

Package URl

pkg:maven/io.ktor/[email protected]

CPE

cpe:2.3:a:content_project:content:2.3.11:::::::*

CVE

CVE-2017-16111

ODC Integration

{"label"=>"Gradle Plugin"}

ODC Version

9.2.0

Description

Vulnerability CVE-2017-16111, which applies to the content module of hapi.js (a Node.js library) gets flagged on Ktor dependencies that have content in the name:

ktor-client-content-negotiation-jvm-2.3.11-sources.jar (pkg:maven/io.ktor/[email protected], cpe:2.3:a:content_project:content:2.3.11:*:*:*:*:*:*:*) : CVE-2017-16111
ktor-server-content-negotiation-jvm-2.3.11-sources.jar (pkg:maven/io.ktor/[email protected], cpe:2.3:a:content_project:content:2.3.11:*:*:*:*:*:*:*) : CVE-2017-16111

Strangely enough, this suddenly got flagged (along with a bunch of other vulnerabilities) while I tried to upgrade a project from Kotlin 1.9.x to Kotlin 2.0. But the dependencies that suddenly got flagged with that upgrade weren't related to the Kotlin 2.0 upgrade.

Also worth noting: according to NIST, the CPE should in fact be cpe:2.3:a:content_project:content:*:*:*:*:*:node.js:*:* but the CPE that the DendencyCheck Gradle plugin flags has a wildcard in place of the node.js part. Perhaps that's what's causing this false positive?

[github-actions]

Maven Coordinates

<dependency>
   <groupId>io.ktor</groupId>
   <artifactId>ktor-client-content-negotiation-jvm</artifactId>
   <version>2.3.11</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6693
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/io\.ktor/ktor-client-content-negotiation-jvm@.*$</packageUrl>
   <cpe>cpe:/a:content_project:content</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9268481543

[volkert-fastned]

This is one of multiple FPs of Node.js vulnerabilities that suddenly got flagged on Java/JVM dependencies while I was upgrading Kotlin from 1.9.x to 2.0, apparently because the CPE had an asterisk in the third position, which should have contained the string node.js, according to NIST:

• CVE-2021-3765, FP reported at [FP]: CVE-2021-3765, validator.js dependency gets flagged on hibernate-validator dependencies #6692
• CVE-2017-16111, FP reported at [FP]: CVE-2017-16111, which applies to the content module of the hapijs/hapi.js framework, gets falgged on ktor dependencies with content in the name #6693
• CVE-2016-10543, FP reported at [FP]: CVE-2016-10543, which applies to the call module of the hapijs/hapi.js framework, gets falgged on ktor dependencies with call in the name #6694
• CVE-2022-21704, FP reported at [FP]: CVE-2022-21704, a log4js (node.js) dependency, gets flagged in a log4j (Java) dependency #6695

[jeremylong]

approved

[github-actions]

Suppress rule has been added to the generatedSuppressions branch.

[volkert-fastned]

@jeremylong It still flags the second one, even with the automatically generated suppression in place:

ktor-server-content-negotiation-jvm-2.3.11-sources.jar (pkg:maven/io.ktor/[email protected], cpe:2.3:a:content_project:content:2.3.11:*:*:*:*:*:*:*) : CVE-2017-16111

[volkert-fastned]

@jeremylong Not broad enough, see the suggestion I added to the fix commit.