Different analysis result depending on if artifact is in Maven local repo or not #421

Closed
linbjo opened this issue Nov 14, 2024 · 3 comments · Fixed by #422

linbjo commented Nov 14, 2024

Description of problem

Running the :dependencyCheckAnalyze gradle task gives different results for the artifact org.codehaus.woodstox:woodstox-core-asl:4.4.1 depending on if it is in the local Maven repo or not.

Expected behavior

The analysis result should be the same regardless of where the artifact is located.

Steps to reproduce

Using this Gradle project:

```groovy
buildscript {
    repositories {
        maven {
            url "https://plugins.gradle.org/m2/"
        }
    }
    dependencies {
        classpath "org.owasp:dependency-check-gradle:11.1.0"
    }
}

plugins {
    id 'java'
}

group = 'org.example'
version = '1.0-SNAPSHOT'

repositories {
    mavenLocal()
    mavenCentral()
}

dependencies {
    // Vulnerable artifact? CVE-2022-40152
    implementation 'org.codehaus.woodstox:woodstox-core-asl:4.4.1'
}

apply plugin: 'org.owasp.dependencycheck'

dependencyCheck {
    failBuildOnCVSS = 0.0

    nvd {
        // NOTE: Change configuration or remove
        datafeedUrl = 'https://my-nvd-mirror.example.com/'
    }
}
```

Follow these steps:

  1. Start with empty Maven local repository and Gradle cache directories.
  2. Using the test project, run ./gradlew dependencyCheckAggregate --info
    • Result: Build is successful.
  3. Run mvn org.apache.maven.plugins:maven-dependency-plugin:get -Dartifact='org.codehaus.woodstox:woodstox-core-asl:4.4.1' to download the artifact to the local Maven repo.
  4. Re-run the analysis, ./gradlew dependencyCheckAggregate --info
    • Result: Build fails due to a found vulnerability.

```
One or more dependencies were identified with known vulnerabilities in odc-test-project:

woodstox-core-asl-4.4.1.jar (pkg:maven/org.codehaus.woodstox/woodstox-core-asl@4.4.1, cpe:2.3:a:fasterxml:woodstox:4.4.1:*:*:*:*:*:*:*) : CVE-2022-40152
```

Environment

```
------------------------------------------------------------
Gradle 8.11
------------------------------------------------------------

Build time:    2024-11-11 13:58:01 UTC
Revision:      b2ef976169a05b3c76d04f0fa76a940859f96fa4

Kotlin:        2.0.20
Groovy:        3.0.22
Ant:           Apache Ant(TM) version 1.10.14 compiled on August 16 2023
Launcher JVM:  17.0.13 (Eclipse Adoptium 17.0.13+11)
Daemon JVM:    /home/myuser/.sdkman/candidates/java/17.0.13-tem (no JDK specified, using current Java home)
OS:            Linux 5.15.167.4-microsoft-standard-WSL2 amd64
```

jeremylong added a commit that referenced this issue Nov 14, 2024
Gradle by default does not download the pom.xml from Central - without this false negatives may be generated.

resolves #421
@jeremylong
Collaborator

See #422

Until the next release, you can resolve the problem by enabling the Central Analyzer:

```groovy
dependencyCheck {
    failBuildOnCVSS = 0.0
    analyzers.centralEnabled = true
    nvd {
        // NOTE: Change configuration or remove
        datafeedUrl = 'https://dependency-check.github.io/DependencyCheck_Builder/nvd_cache/'
    }
}
```

@jeremylong
Collaborator

Thank you for noticing this discrepancy.

@linbjo
Author

linbjo commented Nov 14, 2024

Thanks for the quick reply and the workaround!
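
Added example (not part of the thread and not the project's own code): a small check that compares two dependency-check runs of the same project and reports any file whose identified CPEs or CVEs differ, which is the symptom reported in this issue. It assumes both runs were exported as JSON reports and that the report carries the `dependencies`, `vulnerabilityIds` and `vulnerabilities` fields as laid out in the constructed samples; the sample data and the function names are hypothetical.

```python
import json

# Constructed sample reports, trimmed to the fields this check reads.
# The field names are an assumption about the JSON report layout.
RUN_EMPTY_LOCAL_REPO = json.loads("""
{"dependencies": [
  {"fileName": "woodstox-core-asl-4.4.1.jar"}
]}
""")
RUN_POPULATED_LOCAL_REPO = json.loads("""
{"dependencies": [
  {"fileName": "woodstox-core-asl-4.4.1.jar",
   "vulnerabilityIds": [{"id": "cpe:2.3:a:fasterxml:woodstox:4.4.1:*:*:*:*:*:*:*"}],
   "vulnerabilities": [{"name": "CVE-2022-40152"}]}
]}
""")


def findings(report):
    """Map each scanned file to the (CPEs, CVEs) the analyzers attached to it."""
    result = {}
    for dep in report.get("dependencies", []):
        cpes = frozenset(i["id"] for i in dep.get("vulnerabilityIds", []))
        cves = frozenset(v["name"] for v in dep.get("vulnerabilities", []))
        result[dep["fileName"]] = (cpes, cves)
    return result


def diff_runs(baseline, candidate):
    """Return per-file differences in identified CPEs and CVEs between two runs."""
    a, b = findings(baseline), findings(candidate)
    empty = (frozenset(), frozenset())
    drift = {}
    for name in sorted(a.keys() | b.keys()):
        (cpe_a, cve_a), (cpe_b, cve_b) = a.get(name, empty), b.get(name, empty)
        if (cpe_a, cve_a) != (cpe_b, cve_b):
            drift[name] = {
                "cpes_only_in_baseline": sorted(cpe_a - cpe_b),
                "cpes_only_in_candidate": sorted(cpe_b - cpe_a),
                "cves_only_in_baseline": sorted(cve_a - cve_b),
                "cves_only_in_candidate": sorted(cve_b - cve_a),
            }
    return drift


if __name__ == "__main__":
    drift = diff_runs(RUN_EMPTY_LOCAL_REPO, RUN_POPULATED_LOCAL_REPO)
    print(json.dumps(drift, indent=2))
```

A non-empty result for the same dependency set means the scan outcome depends on the environment, so a clean run on one machine should not be read as the absence of known vulnerabilities.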
