
Transitive dependency versions getting conflated with parent dependencies (such as xstream -> mxparser) #3230

@volkert-fastned


Describe the bug
Some new vulnerabilities were added to the database w.r.t. XStream versions earlier than 1.4.16. That's of course a good thing. However, even after updating the XStream dependency to version 1.4.16, the DependencyCheck Maven plugin keeps reporting a whole laundry list of vulnerabilities, all of which should have been fixed in XStream 1.4.16, and some of which were already fixed in earlier versions of XStream as well:

mxparser-1.2.1.jar (pkg:maven/io.github.x-stream/mxparser@1.2.1, cpe:2.3:a:xstream_project:xstream:1.2.1:*:*:*:*:*:*:*) : CVE-2013-7285, CVE-2016-3674, CVE-2017-7957, CVE-2020-26217, CVE-2020-26258, CVE-2020-26259, CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350, CVE-2021-21351

I've checked the descriptions/summaries of all of these listed CVEs in the NIST database, and all of them pertain only to XStream versions earlier than 1.4.16, and none of them appear to have anything to do with the transitive mxparser dependency.

For users of the DependencyCheck plugins who are googling for these specific CVEs, I'm listing and summarizing them below:

  • CVE-2021-21349 -> Mitigated in XStream 1.4.16, no mention of mxparser anywhere in the CVE's description
  • CVE-2021-21348 -> Mitigated in XStream 1.4.16, no mention of mxparser anywhere in the CVE's description
  • CVE-2013-7285 -> Mitigated in XStream 1.4.11, no mention of mxparser anywhere in the CVE's description
  • CVE-2020-26217 -> Mitigated in XStream 1.4.14, no mention of mxparser anywhere in the CVE's description
  • CVE-2021-21347 -> Mitigated in XStream 1.4.16, no mention of mxparser anywhere in the CVE's description
  • CVE-2021-21346 -> Mitigated in XStream 1.4.16, no mention of mxparser anywhere in the CVE's description
  • CVE-2021-21345 -> Mitigated in XStream 1.4.16, no mention of mxparser anywhere in the CVE's description
  • CVE-2021-21344 -> Mitigated in XStream 1.4.16, no mention of mxparser anywhere in the CVE's description
  • CVE-2021-21343 -> Mitigated in XStream 1.4.16, no mention of mxparser anywhere in the CVE's description
  • CVE-2021-21342 -> Mitigated in XStream 1.4.16, no mention of mxparser anywhere in the CVE's description
  • CVE-2021-21341 -> Mitigated in XStream 1.4.16, no mention of mxparser anywhere in the CVE's description
  • CVE-2021-21351 -> Mitigated in XStream 1.4.16, no mention of mxparser anywhere in the CVE's description
  • CVE-2021-21350 -> Mitigated in XStream 1.4.16, no mention of mxparser anywhere in the CVE's description
  • CVE-2020-26259 -> Mitigated in XStream 1.4.15, no mention of mxparser anywhere in the CVE's description
  • CVE-2020-26258 -> Mitigated in XStream 1.4.15, no mention of mxparser anywhere in the CVE's description
  • CVE-2016-3674 -> Mitigated in XStream 1.4.9, no mention of mxparser anywhere in the CVE's description
  • CVE-2017-7957 -> Mitigated in XStream 1.4.10, no mention of mxparser anywhere in the CVE's description

I've encountered this issue often. Apparently the regex that is being used to check the minimum version of a potentially vulnerable dependency is erroneously checking the version numbers of any of its transitive dependencies as well. Adding false positives to the suppression file works as a workaround, but since this issue has been occurring often, a lot of false positives have had to be added to the suppression file this way. It would be nice if the underlying issue could be resolved, since it would alleviate the maintenance burden of the suppression file by any developers making use of the DependencyCheck plugin.

Version of dependency-check used
Tested with multiple versions of the plugin:

  • The problem occurs using version 6.1.1 of the maven plugin.
  • The problem occurs using version 6.1.3 of the maven plugin.

Log file
I'll provide one on request.

To Reproduce
Steps to reproduce the behavior:

  1. Run the Maven Dependency Check plugin on a Maven project that has the XStream dependency version 1.4.16. Specifically this dependency:

         <dependency>
             <groupId>com.thoughtworks.xstream</groupId>
             <artifactId>xstream</artifactId>
             <version>1.4.16</version>
         </dependency>

Expected behavior
None of the vulnerabilities that have been mitigated in XStream 1.4.16 should be reported by the plugin.

Additional context
A whole laundry list of vulnerabilities that have been mitigated in XStream 1.4.16 are erroneously reported by the plugin, incorrectly pointing at the transitive dependency mxparser-1.2.1.jar as the alleged culprit.
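The misattribution described in this report has a recognisable signature in the scan output: the CPE the scanner attached to the artifact names a different product than the artifact's own Maven artifactId (here `xstream` on `mxparser`), and the version on that CPE is simply the artifact's own version. The script below, an added example that is neither the reporter's code nor part of the dependency-check project, scans a report for that signature and drafts suppression entries for the pairs it finds. It assumes the JSON report layout shown in the constructed sample (`dependencies[].fileName`, `packages[].id`, `vulnerabilityIds[].id`, `vulnerabilities[].name`) and the `<packageUrl>` / `<cpe>` elements of the suppression-file schema; check both against your own report and plugin version before relying on the output.

```python
"""Flag dependency-check findings whose CPE names a different product than the
Maven artifact it was attached to, and draft suppression entries for them.

Added example, not dependency-check project code. Assumptions: the JSON report
layout used in SAMPLE_REPORT and the <packageUrl>/<cpe> suppression elements.
"""
import json
import re
from xml.sax.saxutils import escape

# Constructed excerpt in the shape of a dependency-check JSON report, reduced to
# the fields the check needs. The first entry reproduces the misattribution from
# the issue: mxparser 1.2.1 carrying the xstream CPE with mxparser's version.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "mxparser-1.2.1.jar",
            "packages": [{"id": "pkg:maven/io.github.x-stream/mxparser@1.2.1"}],
            "vulnerabilityIds": [
                {"id": "cpe:2.3:a:xstream_project:xstream:1.2.1:*:*:*:*:*:*:*"}
            ],
            "vulnerabilities": [{"name": "CVE-2021-21349"}, {"name": "CVE-2013-7285"}],
        },
        {
            "fileName": "xstream-1.4.16.jar",
            "packages": [{"id": "pkg:maven/com.thoughtworks.xstream/xstream@1.4.16"}],
            "vulnerabilityIds": [
                {"id": "cpe:2.3:a:xstream_project:xstream:1.4.16:*:*:*:*:*:*:*"}
            ],
            "vulnerabilities": [],
        },
    ]
})

PURL_RE = re.compile(r"^pkg:maven/(?P<group>[^/]+)/(?P<artifact>[^@]+)@(?P<version>[^?#]+)")
CPE_RE = re.compile(r"^cpe:2\.3:a:(?P<vendor>[^:]+):(?P<product>[^:]+):(?P<version>[^:]+):")


def _norm(name):
    """Lower-case and drop separators so 'x-stream', 'xstream' and 'XStream' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def find_conflations(report_json):
    """Return one record per (artifact, CPE) pair whose CPE product does not match
    the Maven artifactId: the signature of a transitive dependency inheriting
    its parent's CPE, as in the mxparser/xstream case."""
    hits = []
    for dep in json.loads(report_json).get("dependencies", []):
        purls = [p["id"] for p in dep.get("packages", []) if p["id"].startswith("pkg:maven/")]
        purl = PURL_RE.match(purls[0]) if purls else None
        if not purl:
            continue  # not a Maven artifact; the artifactId heuristic does not apply
        artifact = _norm(purl["artifact"])
        for vid in dep.get("vulnerabilityIds", []):
            cpe = CPE_RE.match(vid["id"])
            if not cpe:
                continue
            product = _norm(cpe["product"])
            if product in artifact or artifact in product:
                continue  # names agree closely enough; treat as a genuine match
            hits.append({
                "fileName": dep.get("fileName", ""),
                "purl": purls[0],
                "cpe": vid["id"],
                "vendor": cpe["vendor"],
                "product": cpe["product"],
                # The scanner stamped the artifact's own version onto the other
                # product's CPE: exactly what the issue reports.
                "versionCopiedFromArtifact": cpe["version"] == purl["version"],
                # Product name present in the groupId suggests the match came
                # from the group, not from the artifact itself.
                "productInGroupId": product in _norm(purl["group"]),
                "cves": sorted(v["name"] for v in dep.get("vulnerabilities", [])),
            })
    return hits


def suppression_xml(hits):
    """Draft suppression entries for the flagged pairs. Each entry pins the exact
    packageUrl and suppresses only the mismatched vendor:product CPE (no
    version), so a later genuine CVE against the artifact's own CPE still
    shows up. Review every entry: an artifactId that legitimately differs from
    the CPE product name would be flagged by the same heuristic."""
    lines = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">']
    for h in hits:
        note = "{} matched CPE {} (CVEs: {}); artifactId does not match CPE product".format(
            h["fileName"], h["cpe"], ", ".join(h["cves"]) or "none")
        lines += ["  <suppress>",
                  "    <notes>{}</notes>".format(escape(note)),
                  "    <packageUrl>{}</packageUrl>".format(escape(h["purl"])),
                  "    <cpe>cpe:/a:{}:{}</cpe>".format(escape(h["vendor"]), escape(h["product"])),
                  "  </suppress>"]
    lines.append("</suppressions>")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_conflations(SAMPLE_REPORT)
    for h in found:
        print("{}: {} -> {} (version copied: {}, product in groupId: {})".format(
            h["fileName"], h["purl"], h["cpe"], h["versionCopiedFromArtifact"], h["productInGroupId"]))
    print(suppression_xml(found))
```

Run against a real report by replacing `SAMPLE_REPORT` with the contents of `dependency-check-report.json` (enable the JSON format in the plugin configuration). The generated entries suppress only the mismatched `vendor:product` CPE for the named packageUrl, which is narrower than suppressing each CVE individually and does not need to be revisited whenever a new XStream CVE is published; it is still a workaround for the misattribution, not a fix for it.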
