Fix CVE on this plugin itself

[jycr]

Describe the bug
We use your great plugin on our projects with following configuration:

<scanPlugins>true</scanPlugins>

So, dependency-check-maven reports some CVE including CVE from dependency-check-maven itself.

Version of dependency-check used
The problem occurs using version 11.1.0 of the maven plugin

Log file

DependencyName	Description	Sha1	Identifiers	CPE	CVE	CWE	Vulnerability	Source	CVSSv2_Severity	CVSSv2_Score	CVSSv2	CVSSv3_BaseSeverity	CVSSv3_BaseScore	CVSSv3
h2-2.3.232.jar	H2 Database Engine	4fcc05d966ccdb2812ae8b9a718f69226c0cf4e2	pkg:maven/com.h2database/h2@2.3.232	cpe:2.3:a:h2database:h2:2.3.232:::::::*	CVE-2018-14335	CWE-59 Improper Link Resolution Before File Access ('Link Following')	h2database - Improper Link Resolution Before File Access The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.	OSSINDEX				MEDIUM	6.0	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
javax.json-1.1.4.jar	Default provider for JSR 374:Java API for Processing JSON	943f240a509d3c70b448a55c6735591ecbd37c88	pkg:maven/org.glassfish/javax.json@1.1.4		CVE-2023-7272	CWE-787 Out-of-bounds Write	In Eclipse Parsson before 1.0.4 and 1.1.3, a document with a large depth of nested objects can allow an attacker to cause a Java stack overflow exception and denial of service. Eclipse Parsson allows processing (e.g. parse, generate, transform and query) JSON documents.	OSSINDEX	HIGH	8.699999809265137	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
logback-core-1.2.11.jar	logback-core module	a01230df5ca5c34540cdaa3ad5efb012f1f1f792	pkg:maven/ch.qos.logback/logback-core@1.2.11	cpe:2.3:a:qos:logback:1.2.11:::::::*	CVE-2023-6378	CWE-502 Deserialization of Untrusted Data	A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.	NVD				HIGH	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
maven-core-3.6.3.jar	Maven Core classes	eca800aa73e750ec9a880eb224f0bb68f5b7873b	pkg:maven/org.apache.maven/maven-core@3.6.3	cpe:2.3:a:apache:maven:3.6.3:::::::*	CVE-2021-26291	CWE-346 Origin Validation Error	Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html	NVD	MEDIUM	6.4	/AV:N/AC:L/Au:N/C:P/I:P/A:N	CRITICAL	9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:3.9/RC:R/MAV:A
maven-settings-3.6.3.jar	Maven Settings model	bbf4e06dcdb0bb33d1546c080df5c8d92b535d30	pkg:maven/org.apache.maven/maven-settings@3.6.3		CVE-2021-26291	CWE-346 Origin Validation Error	Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html	OSSINDEX				CRITICAL	9.100000381469727	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

To Reproduce
Steps to reproduce the behavior:

1. Go to root of this project
2. Launch following command :

   mvn org.owasp:dependency-check-maven:RELEASE:aggregate -Dformat=all

3. go to target/ repository to see report

Expected behavior
Upgrade dependencies to fix issue (javax.json can be replaced with org.glassfish:jakarta.json:2.0.1).

[jpmartins-ca]

In the latest version 12.1.0 still has the [CVE-2021-26291]. Is there any plan to fix it?

[aikebah]

CVE-2021-26291 is related to provided dependencies. We maintain the same backward compatibility as standard maven plugins, so our dependencies are on maven 3.6.3 to ensure full API compatibility, but they are not a part of our packaging, they are provided by the maven install of the user.

There are various ways to mitigate the CVE on maven-side. One solution is to update to maven 3.8.1 or later, another is to use a mirror configuration that catches all repositories and redirects them to a user-controlled proxy-repository that is backed only by trusted repositories over https (a very common scenario in enterprise environments with a local repository server (e.g Artifactory or Nexus) that is configured as the mirror for * in settings.xml (which in any case is the safer approach if you want strong control over the sources of your dependencies)

[jeremylong]

What @aikebah is saying - there are no plans to fix the issue as it is a provided dependency. Meaning end-users are responsible for using a non-vulnerable version of maven.

[jpmartins-ca]

I am using maven 3.9.9, java openjdk 17.0.13, it is a bit more tricky then just the version of mvn the end-user is using (mvnrepository.com also shows it as a CVE, I suspect it might be similar thing might be happening there)

Build up a minimal reproducer. see here. Key to replicate is:

                <configuration>
                    <failBuildOnCVSS>7</failBuildOnCVSS>
                    <scanPlugins>true</scanPlugins>
                </configuration>

[aikebah]

Clearly an error somehow in the scope attribution, since this is the dependency tree of the plugin limited to any org.apache.maven artifact:

[INFO] --- dependency:3.8.1:tree (default-cli) @ dependency-check-maven ---
[INFO] org.owasp:dependency-check-maven:maven-plugin:12.1.1-SNAPSHOT
[INFO] +- org.apache.maven:maven-plugin-api:jar:3.6.3:provided
[INFO] +- org.apache.maven:maven-settings:jar:3.6.3:provided
[INFO] +- org.apache.maven:maven-core:jar:3.6.3:provided
[INFO] |  +- org.apache.maven:maven-builder-support:jar:3.6.3:provided
[INFO] |  +- org.apache.maven:maven-repository-metadata:jar:3.6.3:provided
[INFO] |  +- org.apache.maven:maven-model-builder:jar:3.6.3:provided
[INFO] |  +- org.apache.maven:maven-resolver-provider:jar:3.6.3:provided
[INFO] |  +- org.apache.maven.resolver:maven-resolver-impl:jar:1.4.1:provided
[INFO] |  +- org.apache.maven.resolver:maven-resolver-spi:jar:1.4.1:provided
[INFO] |  +- org.apache.maven.resolver:maven-resolver-util:jar:1.4.1:compile
[INFO] |  \- org.apache.maven.shared:maven-shared-utils:jar:3.4.2:provided
[INFO] +- org.apache.maven.doxia:doxia-sink-api:jar:2.0.0:compile
[INFO] +- org.apache.maven.shared:file-management:jar:3.1.0:compile
[INFO] +- org.apache.maven.plugin-tools:maven-plugin-annotations:jar:3.15.1:provided
[INFO] +- org.apache.maven.reporting:maven-reporting-api:jar:4.0.0:compile
[INFO] +- org.apache.maven:maven-settings-builder:jar:3.6.3:provided
[INFO] +- org.apache.maven.shared:maven-dependency-tree:jar:3.3.0:compile
[INFO] +- org.apache.maven.plugin-testing:maven-plugin-testing-harness:jar:3.3.0:test
[INFO] +- org.apache.maven.shared:maven-artifact-transfer:jar:0.13.1:compile
[INFO] +- org.apache.maven:maven-model:jar:3.6.3:provided
[INFO] +- org.apache.maven:maven-artifact:jar:3.6.3:provided
[INFO] +- org.apache.maven.resolver:maven-resolver-api:jar:1.4.1:provided
[INFO] \- org.apache.maven.shared:maven-common-artifact-filters:jar:3.4.0:compile

[jpmartins-ca]

I do not know what it is, but it is everything but clear. We are not seeing the all picture for sure. Something is out of our sight, wrong assumptions are such a &%$#"!#"$...

Just have maven 3.9.9 (or some recent version), java 17 (or some recent version), and you can see by your selfs in the MinimalReproducer that it is just an empty maven project that only depends on dependency-check 12.1.0 in it configured in a specific way (failBuildOnCVSS=7 and scanPlugins=true) you can run the following and get your scan will fail:

mvn org.owasp:dependency-check-maven:RELEASE:aggregate

I see this as a (very challenging) opportunity to improve dependency-check perceived safety.