Significant Increase in Loose CPE Matches After Upgrading from v11.1.0 to v12.1.0

[Blaksey]

After upgrading from DependencyTrack v11.1.0 to v12.1.0, we noticed a sharp increase in CPE matches, leading to a flood of tickets for failures and suppression requests.

Upon further investigation, it appears that very loose CPE matches are causing this spike. For example, we’re seeing matches for any package with "Redis" in the name, even when they are unrelated.

Example Packages matched:

pkg:nuget/Microsoft.AspNetCore.DataProtection.Redis@0.3.3
pkg:nuget/Hangfire.Redis.StackExchange@1.9.4
pkg:nuget/EasyCaching.Redis@1.9.2
pkg:nuget/EFCoreSecondLevelCacheInterceptor.StackExchange.Redis@5.0.0
pkg:nuget/StackExchange.Redis@2.8.24

The CPE match shown in the HTML report typically looks like this:

cpe:2.3:a:redis:redis:5.0.0:::::::* (Confidence: Low)

We have reviewed the changelog, but we haven’t found any changes that directly explain this behavior.

Could you provide any insight into what might have changed in v12.1.0 regarding CPE matching? Is there a way to adjust the matching logic or fine-tune the confidence threshold to avoid these false positives?

Thanks in advance for your help!

[GALHP]

Moving from 11.1.1 to 12.1.0, we face a similar situation with php/node projects, where the composer.lock analyser produces a massive load of probably fasle-positive linked CVE from CPE matches.

The report json grows to ~200MB without skipping dev dependencies and ~50MB with --composerSkipDev.

No way to view the local html report in a browser.

I can provide more details or the composer.json and reports if needed.

[aikebah]

I could imagine #7295 to play a role in your discovered effects - could be confirmed by comparing the evidences section of those libraries in a report created by 11.1.1 and 12.1.0

[GALHP]

@aikebah

I would like to make a direct comparison between 11.1.1 and 12.1.0,
but due to #7406 or jeremylong/open-vulnerability-cli#270 / jeremylong/open-vulnerability-cli#274 the check only works with 12.1.0 at the moment.

I would have stayed on the latest v11 until this issue has been resolved for us, but that is not possible for the reasons mentioned above.

I randomly checked some matches and they were all false-positive due to incorrect version matching.

[aikebah]

@GALHP v11 should still be able to run using a cached CVE-Db updated/created by v12.1. There is no Db change format and as long as your project does not depend on the software that has the 'SAFETY'-related CVE it should run fine with auto update turned off.

They are suspected to be incorrect vendor/product determination due to some more items also brought in as vendor evidences by 12 compared to 11 and it would be good to confirm or deny whether that change is indeed at the root of it.

[GALHP]

@aikebah Thank you for your feedback and the information.

Our internal caching system is regularly updated using the vulnz cli tool.
After encountering the 'SAFETY' issue, we applied the fix from https://github.com/jeremylong/open-vulnerability-cli/releases/tag/v7.2.2, which then forced us to switch to version 12.1.1.

We have a significant number of projects reliant on this cache and unfortunately we have no backups of these cache files.

Is a mirror available that provides the vulnz-cli cache files as they were before the SAFETY issue?

This would greatly simplify our move back to v11 globally.

This approach has the dual benefit of ensuring a stable check across all our projects and giving us more scope to thoroughly investigate the problem with the alleged false-positives due to the changed vendor/product evidences.

Thanks in advance!

[jeremylong]

no mirror exists to my knowledge. You could easily build one by creating the mirror and then editing the single CVE entry that has the issue with SAFETY.

[GALHP]

no mirror exists to my knowledge. You could easily build one by creating the mirror and then editing the single CVE entry that has the issue with SAFETY.

Oh, is it really just one entry? I was expecting a more general data update on the NVD side.

This is a valuable approach to going back to v11 and investigating the v12 matching behaviour in more detail.

Thanks for your help on this.

[aikebah]

@GALHP If possible in your CI/CD environment it nevertheless might still be worth looking into sharing the CVE Db across your projects. Reinitializing from your own central mirror created by vulnz-cli is more friendly than crawling the full NVD Api each time, but would still repopulate the DB with 280k entries each time, slowing your build and wasting CPU cycles.

In our CI environment we have a shared persistent storage volume that hosts the CVE Db, and a scheduled job that runs in update-only mode to keep the DB frequently updated. Regardless of whether the projects run in no-update or in update mode they will have a fairly up-to-date set. Those that run in update mode might slightly reduce the amount of updates to be consumed in the scheduled job, those that run in no-update mode are still at most a few hours behind on new CVEs.

In our case we don't have the vulnz-cli mirror, so in case of a fatal DB crash we'd have to resort to a full crawl of the NVD API to rebuild, so a vulnz-cli mirror is still a nice addition to our a setup to enable a faster / more reliable recovery in case of DB disasters on our side, but up to now I still need to see a first occurrence of such corruption. I've only had to rebuild the DB from scratch on backward incompatible h2 library upgrades.

ODC v10, 11 and 12 can all run against the same external DB (no DB schema changes), but v12.1.0 is a hard requirement for the updates. For the h2 database that ODC uses by default only v11 and v12 can run on the same DB, as the upgraded of h2 library in v11 uses a new binary format for its datafiles.

[GALHP]

@aikebah Thanks for sharing your insights on your setup and database dependencies.

We are already using shared databases. In our gitlab ci we use a docker runner and we mount the shared databases directories in glrunner config. I was not aware of the exact dependencies between DB schema and checker version, thanks for pointing this out. We simply use a specific shared database for each major version of the dependency checker.

On top of that, we have our internal nvd cache built with vulnz cli and daily updates, which was mainly introduced to have an up-to-date cve reference without stressing the already stressed NVD API servers. But we have also had cases where the cache has kept us up and running with a corrupted DB and an overloaded NVD API.

The basic setup looks like this

.dependency-check-job: &dependency-check-job
  tags: 
    -web
  image: <custom-registry>/dependency-check:2.0.0-owasp12.1.0
  rules: ...
  variables:
    DEPENDENCY_CHECK_DATA_PATH: /owasp-12-data
    
dependency-check:
  extends: .dependency-check-job
  before_script:
    - ...
    - mkdir -p ./report
  script:
    - >
      dependency-check
      --project "$CI_PROJECT_TITLE"
      --format JSON
      --format GITLAB
      --data "$DEPENDENCY_CHECK_DATA_PATH"
      --out ./report
      --scan .
      --enableExperimental
      --failOnCVSS 7
      --suppression './dependency-check-suppression.xml'
      --nvdDatafeed '<custom-cache>/nvdcve-{0}.json.gz'
      --disableYarnAudit
  after_script:
    - >
      generate-report
      --owsap ./report/dependency-check-report.json
      $GENERATE_WIKI_FLAG
  artifacts:
    reports:
      dependency_scanning: ./report/dependency-check-gitlab.json

dependency-check:purge:
  extends: .dependency-check-job
  script:
    - dependency-check --purge --data "$DEPENDENCY_CHECK_DATA_PATH"
  when: manual
  manual_confirmation: 'This clears the OWASP database on the specific runner. Run this task if the dependency check fails due to a corrupt database. It is safe to run this job, as the database will be rebuilt if it does not exist.'
  allow_failure: true

[sigv]

I could imagine #7295 to play a role in your discovered effects - could be confirmed by comparing the evidences section of those libraries in a report created by 11.1.1 and 12.1.0

PHP Composer checks are affected, for example, considering package pkg:composer/phpunit/php-timer@6.0.0 as cpe:2.3:a:php:php:6.0:*:*:*:*:*:*:* resulting in 17 CVEs (including Critical). The base suppressions have been updated (#7486) to include php-* and *-php package names. However, auto-update is broken due to project restructuring, and will be resolved in v12.1.1.

In the meantime, creating a suppressions file locally can be beneficial.
This can be provided to dependency-check CLI as --suppression dependencycheck-suppression.xml.

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        https://github.com/dependency-check/DependencyCheck/pull/7486
        ]]></notes>
        <packageUrl regex="true">^pkg:composer/[^/]+/php[\-_].*$</packageUrl>
        <cpe>cpe:/a:php:php</cpe>
    </suppress>
    <suppress>
        <notes><![CDATA[
        https://github.com/dependency-check/DependencyCheck/pull/7486
        ]]></notes>
        <packageUrl regex="true">^pkg:composer/[^/]+/.*[\-_]php[0-9]*@.*$</packageUrl>
        <cpe>cpe:/a:php:php</cpe>
    </suppress>
</suppressions>

[GALHP]

@sigv thanks for debugging and fixing this FP issue!