[FP]: Wrongly reporting vulnerability CVE-2021-41033 on org.eclipse.osgi-3.18.0

[prabutdr]

Package URl

pkg:maven/org.eclipse.platform/org.eclipse.osgi@3.18.0

CPE

cpe:2.3:a:eclipse:equinox:::::::: versions up to (excluding) 4.21

CVE

CVE-2021-41033

ODC Integration

{"label"=>"Maven Plugin"}

ODC Version

8.3.1

Description

Per CVE Affected component:
Eclipse Equinox, at least until version 4.21
cpe:2.3:a:eclipse:equinox:::::::: versions up to (excluding) 4.21

only 3PP "org.eclipse.osgi-3.18.0.jar" used, but NOT packing/using the vulnerable 3PP component "Eclipse Equinox", even they are NOT packed as indirect dependency in the environment. And this vulnerability is more specific to IDE and the plugin installation of eclipse. But tool is reporting this vulnerability on org.eclipse.osgi-3.18.0.jar, which is wrong.

From Dependency Check tool team, we need confirmation on these false positives. Could you please validate and confirm?

[github-actions]

Maven Coordinates

<dependency>
   <groupId>org.eclipse.platform</groupId>
   <artifactId>org.eclipse.osgi</artifactId>
   <version>3.18.0</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #5881
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.eclipse\.platform/org\.eclipse\.osgi@.*$</packageUrl>
   <cpe>cpe:/a:eclipse:equinox</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/5887144821

[prabutdr]

Hi team, any update on this pls?

[profhenry]

What is the status of this?
I tried to summarize the problem in order to make it more clear.

The Equinox Platform just bundles a bunch of components which can be also individually used and consumed from maven central. The Equinox Platform has a version number but each bundled component has its own version number (and a maven group/artifact id). The latest version of the Equinox Platform is 4.30, see here for a list of contained components are their version.

CVE-2021-41033 states that all Equinox versions < 4.21 affected.
A common use case is that you are using just part of the Equinox Platform, e.g. just the OSGi Framework

<dependency>
   <groupId>org.eclipse.platform</groupId>
   <artifactId>org.eclipse.osgi</artifactId>
   <version>3.18.0</version>
</dependency>

For an outsider it is hard to determine if your used component suffers from a CVE which just states which Equinox Platform version is affected. In this specific case i think that the OSGi Framework was not vulnerable because of CVE-2021-41033.
The problem was in P2, according to this issue.

However i think this a general problem and lets assume that the OSGi Framework was affected.
CVE-2021-41033 was fixed in Equinox Platform >= 4.21, which contains Equinox OSGi Framework in version 3.17, see here.
So using Equinox OSGi Framework in version 3.17 and above should be fine, but OWASP complains because it mixes up the Equinox Platform version with the Equinox OSGi Framework version.

I think this is general problem and might affect other parts of the Equinox Platform as well like (Equinox CM, Equinox Console, etc..) and it would be nice if we could work out a solution for this.

[profhenry]

The eclipse maintainer stated that this is indeed a false positive
and that the mentioned artifact (Equinox OSGi Framework) was never affected by CVE-2021-41033, see here.

So please add this as a false positive, thanks in advance.

[chadlwilson]

approved

[github-actions]

Suppress rule has been added to the generatedSuppressions branch.