
fix: Avoid FPs when Composer product name has php#7486

Merged
aikebah merged 1 commit into dependency-check:main from sigv:fp-php-product
Mar 1, 2025

Conversation

@sigv
Contributor

@sigv sigv commented Feb 28, 2025

Description of Change

Previously, only a PHP package's vendor (the package URL's namespace) was considered as evidence. As of DependencyCheck v12, specifically the change from #7295, the product (name) is also being considered as evidence.

This results in new false positives, as noticed in #7444. PHP Composer checks are affected; for example, the package pkg:composer/phpunit/php-timer@6.0.0 is considered as cpe:2.3:a:php:php:6.0:*:*:*:*:*:*:*, resulting in 17 CVEs (including Critical).

This commit adds two new suppression rules: one for php as the prefix, and one for php as the suffix. Both can be observed in the wild. Additionally, an underscore is sometimes used instead of a hyphen, and should be respected. Furthermore, there is symfony/polyfill-php83, which adds a number suffix; it should also be suppressed, as it currently maps to the base cpe:/a:php:php.

Related issues

Have test cases been added to cover the new functionality?

no
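As an added illustration of the suppression behaviour the description above asks for, here is a small Python filter that decides whether a (Composer package URL, identified CPE) pair should be dropped. This is example code written for this page, not code from the PR or from DependencyCheck; the two regular expressions are an assumption about the shape of the rules (the PR's own patterns are not reproduced on this page), and the sample package list, the `acme/helper_php` package and the `phpunit:php-timer` CPE are constructed inputs.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumed shape of the two rules described in the PR: "php" as a prefix or as a
# suffix of the Composer product name, separated by "-" or "_", with an optional
# numeric suffix so that names like symfony/polyfill-php83 are covered too.
PHP_PREFIX = re.compile(r"^php[-_]")
PHP_SUFFIX = re.compile(r"[-_]php\d*$")

# Versioned Composer package URL: pkg:composer/<vendor>/<product>@<version>
COMPOSER_PURL = re.compile(r"^pkg:composer/([^/@?#]+)/([^/@?#]+)@([^?#]+)$")


@dataclass(frozen=True)
class ComposerPackage:
    vendor: str   # package URL namespace, e.g. "phpunit"
    product: str  # package URL name, e.g. "php-timer"
    version: str


def parse_composer_purl(purl: str) -> ComposerPackage:
    """Split a Composer package URL into vendor, product and version."""
    m = COMPOSER_PURL.match(purl)
    if m is None:
        raise ValueError(f"not a versioned Composer package URL: {purl!r}")
    return ComposerPackage(*m.groups())


def is_php_core_cpe(cpe: str) -> bool:
    """True for the PHP interpreter's CPE in either 2.2 or 2.3 notation."""
    return (
        cpe == "cpe:/a:php:php"
        or cpe.startswith("cpe:/a:php:php:")
        or cpe.startswith("cpe:2.3:a:php:php:")
    )


def should_suppress(purl: str, cpe: str) -> bool:
    """Suppress only the php:php match, and only when the product name merely
    carries "php" as a hyphen- or underscore-separated prefix or suffix."""
    if not is_php_core_cpe(cpe):
        return False  # matches against any other CPE are left untouched
    product = parse_composer_purl(purl).product
    return bool(PHP_PREFIX.search(product) or PHP_SUFFIX.search(product))


def filter_matches(matches: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Drop the (purl, cpe) pairs the rules suppress; keep everything else."""
    return [(p, c) for p, c in matches if not should_suppress(p, c)]


# Constructed sample of identified CPEs, as a scan might report them before suppression.
SAMPLE_MATCHES = [
    ("pkg:composer/phpunit/php-timer@6.0.0", "cpe:2.3:a:php:php:6.0:*:*:*:*:*:*:*"),
    ("pkg:composer/symfony/polyfill-php83@1.31.0", "cpe:/a:php:php:1.31.0"),
    ("pkg:composer/acme/helper_php@2.0.0", "cpe:2.3:a:php:php:2.0:*:*:*:*:*:*:*"),
    ("pkg:composer/phpunit/php-timer@6.0.0", "cpe:2.3:a:phpunit:php-timer:6.0:*:*:*:*:*:*:*"),
    ("pkg:composer/monolog/monolog@3.0.0", "cpe:2.3:a:php:php:3.0:*:*:*:*:*:*:*"),
]

if __name__ == "__main__":
    for purl, cpe in SAMPLE_MATCHES:
        verdict = "suppress" if should_suppress(purl, cpe) else "keep"
        print(f"{verdict:8} {purl} -> {cpe}")
```

Two points worth checking when writing such rules for real: the suppression is scoped to the php:php CPE, so a match of the same package against any other CPE survives (the fourth sample line), and a product name where "php" is not set off by a hyphen or underscore does not match either pattern, so it is neither a false positive this rule hides nor a true positive it could accidentally drop.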

@boring-cyborg boring-cyborg bot added the core changes to core label Feb 28, 2025
@sigv sigv changed the title from "Avoid false positive PHP framework for php- products" to "fix: Avoid FPs for php- product as PHP framework" Feb 28, 2025
Previously, only a PHP package's vendor (the package URL's namespace) was
considered as evidence. As of DependencyCheck v12, specifically the change
from b51921f, the product (name) is also being considered as evidence.

This results in new false positives. PHP Composer checks are affected,
for example, considering package `pkg:composer/phpunit/php-timer@6.0.0`
as `cpe:2.3:a:php:php:6.0:*:*:*:*:*:*:*` resulting in 17 CVEs
(including Critical).

This commit adds two new suppression rules: one for php as the prefix,
and one for php as the suffix. Both can be observed in the wild.
Additionally, an underscore is sometimes used instead of a hyphen, and
should be respected. Furthermore, there is `symfony/polyfill-php83`, which
adds a number suffix; it should also be suppressed, as it currently maps to
the base `cpe:/a:php:php`.
@sigv sigv changed the title from "fix: Avoid FPs for php- product as PHP framework" to "fix: Avoid FPs when Composer product name has php" Feb 28, 2025
@aikebah
Collaborator

aikebah commented Mar 1, 2025

Thanks for the PR

@aikebah aikebah added this to the 12.1.1 milestone Mar 1, 2025
@aikebah aikebah merged commit e12fadd into dependency-check:main Mar 1, 2025
7 checks passed
@sigv sigv deleted the fp-php-product branch March 2, 2025 16:41
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 2, 2025

Labels

core changes to core


2 participants