[FP]: Regression - Multiple FPs for xstream

[cmunier]

Package URl

pkg:maven/io.github.x-stream/mxparser@1.2.2

CPE

cpe:2.3:a:xstream:xstream:1.2.2:::::::*

CVE

No response

ODC Integration

{"label" => "Maven Plugin"}

ODC Version

12.1.2

Description

Dependency Check identifies several CVEs in com.thoughtworks.xstream:xstream:1.4.21 transitive dependency io.github.x-stream:mxparser:1.2.2.

mxparser-1.2.2.jar (pkg:maven/io.github.x-stream/mxparser@1.2.2, cpe:2.3:a:xstream:xstream:1.2.2:*:*:*:*:*:*:*) : CVE-2021-21345, CVE-2013-7285, CVE-2021-21344, CVE-2021-21346, CVE-2021-21347, CVE-2021-21350, CVE-2021-21342, CVE-2021-21351, CVE-2020-26217, CVE-2021-29505, CVE-2021-39139, CVE-2021-21349, CVE-2021-39141, CVE-2021-39144, CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39150, CVE-2021-39151, CVE-2021-39152, CVE-2021-39153, CVE-2021-39154, CVE-2020-26258, CVE-2016-3674, CVE-2017-7957, CVE-2021-21341, CVE-2021-21343, CVE-2021-21348, CVE-2021-43859, CVE-2022-40151, CVE-2022-40152, CVE-2022-41966, CVE-2020-26259, CVE-2021-39140

This is a regression of #7683.

The CPE regex pattern cpe:/a:xstream(_project)?:xstream in dependencycheck-base-suppression.xml#L205 does not match.

It looks like the CPE matching behaves inconsistent:

• cpe:/a:xstream:xstream (regex=false) matches;
• cpe:/a:xstream:xstream (regex=true) does not match.

I propose to either update the supression definition mentioned above (e.g. regex cpe:/a:xstream(_project)?:xstream:.* as this seems to work) or to look into the CPE regex matching.

I suppose this also affects other CPE regex patterns introduced in 3ab1cbb.

[github-actions]

Maven Coordinates

<dependency>
   <groupId>io.github.x-stream</groupId>
   <artifactId>mxparser</artifactId>
   <version>1.2.2</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7723
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/io\.github\.x-stream/mxparser@.*$</packageUrl>
   <cpe>cpe:/a:xstream:xstream</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/15551605431

[aggeboe]

I suppose this also affects other CPE regex patterns introduced in 3ab1cbb.

@cmunier I believe you're correct.

With ODC Version 12.1.2 I have several CVEs due to <cpe regex="true">cpe:/a:json-java(_project)?:json-java</cpe> (dependencycheck-base-suppression.xml#L5637) no longer matching.

With ODC Version 12.1.1, the following CVEs are suppressed successfully

• btf-1.3.jar (pkg:maven/com.github.java-json-tools/btf@1.3, cpe:2.3:a:json-java_project:json-java:1.3:::::::*) : CVE-2022-45688, CVE-2023-5072
• jackson-coreutils-2.0.jar (pkg:maven/com.github.java-json-tools/jackson-coreutils@2.0, cpe:2.3:a:json-java_project:json-java:2.0:::::::*) : CVE-2022-45688, CVE-2023-5072
• jackson-coreutils-equivalence-1.0.jar (pkg:maven/com.github.java-json-tools/jackson-coreutils-equivalence@1.0, cpe:2.3:a:json-java_project:json-java:1.0:::::::*) : CVE-2022-45688, CVE-2023-5072
• json-patch-1.13.jar (pkg:maven/com.github.java-json-tools/json-patch@1.13, cpe:2.3:a:json-java_project:json-java:1.13:::::::*) : CVE-2022-45688, CVE-2023-5072
• json-schema-core-1.2.14.jar (pkg:maven/com.github.java-json-tools/json-schema-core@1.2.14, cpe:2.3:a:json-java_project:json-java:1.2.14:::::::, cpe:2.3:a:json-schema_project:json-schema:1.2.14:::::::) : CVE-2022-45688, CVE-2023-5072
• json-schema-validator-2.2.14.jar (pkg:maven/com.github.java-json-tools/json-schema-validator@2.2.14, cpe:2.3:a:json-java_project:json-java:2.2.14:::::::, cpe:2.3:a:json-schema_project:json-schema:2.2.14:::::::) : CVE-2022-45688, CVE-2023-5072
• msg-simple-1.2.jar (pkg:maven/com.github.java-json-tools/msg-simple@1.2, cpe:2.3:a:json-java_project:json-java:1.2:::::::*) : CVE-2022-45688, CVE-2023-5072
• uri-template-0.10.jar (pkg:maven/com.github.java-json-tools/uri-template@0.10, cpe:2.3:a:json-java_project:json-java:0.10:::::::*) : CVE-2022-45688, CVE-2023-5072

[jeremylong]

The difference is that the regex is trying to match the CPE 2.3 schema. So any of the regex introduced need to have cpe(:[0-9.]*)?:/? at the start. I'll create a PR shortly.

[jeremylong]

Still researching - may not be what I thought.

[aikebah]

@jeremylong you (also) need to extend the regex with a .* at the end. Non-regex matches do String prefix matching (startswith), regex matches need an explicit wildcard to match.

[cmunier]

@jeremylong you (also) need to extend the regex with a .* at the end. Non-regex matches do String prefix matching (startswith), regex matches need an explicit wildcard to match.

That's not intuitive. From a user perspective it would be better if a non-regex matcher and a regex matcher had an identical result for a literal string input (with no regex special characters).

Would a robust solution be to implicitely include a ".*" suffix in the CPE (or all) regex matchers?

[aikebah]

@cmunier I would consider it not intuitive if regexes (being an opt-in non-default case in the XSD) are behaving as prefix-matchers due to programmatic extension with a closing .*. Regexes are a mechanism intended for explicit specification of the wildcarding and should not be modified from the user-specified value.

Having said that I think we can do a better job on the documentation to indicate how the (default) non-regex CPE strings are matched (would need to look at the code whether or not the prefix-matching applies to all uses of non-regex regexStringType elements in the XSD, but know from past experience that for CPE it is used as a prefix-match).

[sean-astraia]

@jeremylong
Sorry for the question:
that this is closed, and issue 7683 along-side it,
does this mean we can expect a new release of the dependency checker available from https://plugins.jenkins.io/dependency-check-jenkins-plugin/
?
Currently a build I maintain is affected by this, with a long list of vulnerabilities reported regarding mxparser-1.2.2.jar
Thanks for any clarification!
Sean

[jeremylong]

#7726 is included in the latest release. See the milestone that it is tagged with.