Composer packages with hyphen not resolved to correct CPE

[jackbentley]

Describe the bug
We currently have php-ampqlib as a composer dependency in our project at version 2.6.3. When running the dependency check, lots of vulnerabilities are erroneously listed against the package.

This is because the CPE assigned is cpe:2.3:a:php:php:2.6.3:*:*:*:*:*:*:* which is for the main PHP library. Which means we end up with hundreds of vulns that aren't even related.

Version of dependency-check used
6.0.3

Log file
currently don't have but can be provided

To Reproduce
Steps to reproduce the behaviour:

1. Require php-ampqlib as a dependency in a composer project
2. Run DependencyCheck on the project

Expected behaviour
Only vulns related to the package should be shown - not those of PHP entirely

Additional context
N/A

[jackbentley]

I've got a log file but its >1GB in size, so won't be uploading it. However, searching the log file reveals these interesting snippets:

2020-11-24 16:44:43,018 org.owasp.dependencycheck.analyzer.CPEAnalyzer:261
DEBUG - vendor search: {php-amqplib=1}
2020-11-24 16:44:43,018 org.owasp.dependencycheck.analyzer.CPEAnalyzer:263
DEBUG - product search: {php-amqplib=1}
2020-11-24 16:44:43,018 org.owasp.dependencycheck.data.cpe.AbstractMemoryIndex:273
DEBUG - product:(php\-amqplib) AND vendor:(php\-amqplib)
2020-11-24 16:44:43,039 org.owasp.dependencycheck.analyzer.CPEAnalyzer:281
DEBUG - identified vendor/product: php/php

Note a package by the name of php-font-lib is also searched. But the vendor is not the same name:

2020-11-24 16:44:43,015 org.owasp.dependencycheck.analyzer.CPEAnalyzer:261
DEBUG - vendor search: {phenx=1}
2020-11-24 16:44:43,015 org.owasp.dependencycheck.analyzer.CPEAnalyzer:263
DEBUG - product search: {php-font-lib=1}
2020-11-24 16:44:43,015 org.owasp.dependencycheck.data.cpe.AbstractMemoryIndex:273
DEBUG - product:(php\-font\-lib) AND vendor:(phenx)
2020-11-24 16:44:43,015 org.owasp.dependencycheck.analyzer.CPEAnalyzer:261
DEBUG - vendor search: {phenx=1}
2020-11-24 16:44:43,015 org.owasp.dependencycheck.analyzer.CPEAnalyzer:263
DEBUG - product search: {php-font-lib=1}
2020-11-24 16:44:43,015 org.owasp.dependencycheck.data.cpe.AbstractMemoryIndex:273
DEBUG - product:(php\-font\-lib) AND vendor:(phenx)
2020-11-24 16:44:43,016 org.owasp.dependencycheck.analyzer.CPEAnalyzer:261
DEBUG - vendor search: {phenx=1}
2020-11-24 16:44:43,016 org.owasp.dependencycheck.analyzer.CPEAnalyzer:263
DEBUG - product search: {php-font-lib=1}
2020-11-24 16:44:43,016 org.owasp.dependencycheck.data.cpe.AbstractMemoryIndex:273
DEBUG - product:(php\-font\-lib) AND vendor:(phenx)
2020-11-24 16:44:43,016 org.owasp.dependencycheck.analyzer.CPEAnalyzer:261
DEBUG - vendor search: {phenx=1}
2020-11-24 16:44:43,016 org.owasp.dependencycheck.analyzer.CPEAnalyzer:263
DEBUG - product search: {php-font-lib=1}
2020-11-24 16:44:43,016 org.owasp.dependencycheck.data.cpe.AbstractMemoryIndex:273
DEBUG - product:(php\-font\-lib) AND vendor:(phenx)

[twwd]

The same problem occurs for npm or PyPI packages with hyphens, see jeremylong/DependencyCheck#2940

[jackbentley]

After looking into the code it seems the problem is to do with the CPE search around here:
https://github.com/jeremylong/DependencyCheck/blob/9602eae8a0ab2f0a463522bf794dc9eef106d740/core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java#L265-L267

As you can see from the debug log, the correct parameters are being passed to the method call but for some reason, it isn't being matched properly.

It might be something to do with the "weightings" or might be to do with the escaping of the search query. I wasn't able to get much further than this.
https://github.com/jeremylong/DependencyCheck/blob/9602eae8a0ab2f0a463522bf794dc9eef106d740/core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java#L495-L501

In case you don't know, the good news is that you can add a supression.xml file to ignore the mismatch quite simply. In the HTML report, you can click the Supress button to generate the XML for you.

In my case, this suppression.xml removes the false positives for this package:

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[Incorrectly assigned CPE]]></notes>
        <packageUrl regex="true">^pkg:composer/php\-amqplib/php\-amqplib@.*$</packageUrl>
        <cpe>cpe:/a:php:php</cpe>
    </suppress>
</suppressions>

You can pass the file path to the CLI command via the --suppression switch, or using the suppression.file key in a properties file. More info on suppressions and false positives here.

[twwd]

@jeremylong This is definitely a bug that package names are split up incorrectly on hyphens and then false positives are generated for all name parts. Since dependency check version 6, our suppression list is growing extremely.

[jeremylong]

@twwd this is definitely not a bug - it is how dependency-check is intended to work. The names developers give there projects are sometimes very different than what is used in the CPE within the NVD. The algorithm used does produce false positives - but in an attempt to reduce false negatives.

There are better ways of writing the suppression rule to reduce the noise. For instance, this looks like it would be a fairly common FP so one might include:

    <suppress>
        <notes><![CDATA[Incorrectly assigned CPE]]></notes>
        <packageUrl regex="true">^pkg:composer/php\-.*$</packageUrl>
        <cpe>cpe:/a:php:php</cpe>
    </suppress>

[twwd]

@jeremylong Thank you for the explanation. Due to the accumulation of false positives since the last major update in combination with packages with hyphens in the name I assumed a bug. But if the behavior is so desired or necessary to avoid false negatives, I create FP reports.