Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FP]: vulnerability in date-and-time (NPM) dependencies being flagged in kotlinx-datetime dependencies #6864

Open
volkert-fastned opened this issue Jul 22, 2024 · 5 comments
Open

[FP]: vulnerability in date-and-time (NPM) dependencies being flagged in kotlinx-datetime dependencies #6864

volkert-fastned opened this issue Jul 22, 2024 · 5 comments
Labels
FP Report

Comments

@volkert-fastned
Copy link
Contributor

volkert-fastned commented Jul 22, 2024
edited
Loading

Package URl

pkg:maven/org.jetbrains.kotlinx/kotlinx-datetime*

CPE

cpe:2.3:a:date-and-time_project:date-and-time:0.6.0:*:*:*:*:*:*:*

CVE

CVE-2020-26289

ODC Integration

{"label"=>"Gradle Plugin"}

ODC Version

10.0.3

Description

This NPM-specific CPE is apparently being erroneously applied to multiple Kotlin dependencies:

kotlinx-datetime-0.6.0-sources.jar	cpe:2.3:a:date-and-time_project:date-and-time:0.6.0:*:*:*:*:*:*:*	pkg:maven/org.jetbrains.kotlinx/[email protected]
kotlinx-datetime-js-0.6.0-sources.jar	cpe:2.3:a:date-and-time_project:date-and-time:0.6.0:*:*:*:*:*:*:*	pkg:maven/org.jetbrains.kotlinx/[email protected]
kotlinx-datetime-jvm-0.6.0-sources.jar	cpe:2.3:a:date-and-time_project:date-and-time:0.6.0:*:*:*:*:*:*:*	pkg:maven/org.jetbrains.kotlinx/[email protected]
kotlinx-datetime-macosarm64-0.6.0-sources.jar	cpe:2.3:a:date-and-time_project:date-and-time:0.6.0:*:*:*:*:*:*:*	pkg:maven/org.jetbrains.kotlinx/[email protected]

Since kotlinx-datetime is a Kotlin Multiplatform (KMP) library, the JS-specific dependencies of that library, such as kotlinx-datetime-js, could at least in theory be affected by this vulnerability if they depend on affected versions of the date-and-time NPM dependency, but it doesn't look like that's the reason why this vulnerability is getting flagged. (Even if it did, it should only flag it on the applicable -js dependencies of the library.)
@github-actions GitHub Actions
Copy link
Contributor

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/10040271163

@github-actions GitHub Actions
Copy link
Contributor

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/10040275711

@github-actions GitHub Actions
Copy link
Contributor

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/10040307470

@volkert-fastned
Copy link
Contributor Author

The likely reason why github-actions couldn't automatically evaluate the false positives was probably because I suffixed the Maven package with an asterisk (*), to make it clear that all packages that start with pkg:maven/org.jetbrains.kotlinx/kotlinx-datetime are apparently flagged by this FP.

@volkert-fastned
Copy link
Contributor Author

This broader CVE-level suppression worked for me, but it does assume that the JS-specific dependencies of this KMP library don't actually depend on the affected JS library:

    <suppress>
        <notes><![CDATA[
        FP per issue #6864
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlinx/kotlinx-datetime.*$</packageUrl>
        <cve>CVE-2020-26289</cve>
    </suppress>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
FP Report
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@volkert-fastned