CVE-2022-45688 wrongly still reported for pkg:maven/org.json/json@20230227 due to a bug

[aikebah]

Describe the bug
As spotted on

stleary/JSON-java#720 (comment)

CVE-2022-45688 is still reported for org.json:json version 20230227

A quick'n'dirty evalution with debug logging indicates that it is because the library version is not properly evaluated, leading to comparing the vulnerable software ranges to a version '*' of the library

Check vs cpe:2.3:a:json-java_project:json-java:*:*:*:*:*:*:*:* versions up to (excluding) 20220924 against targetVersion *

Note: the NVD entry is currently incorrect regarding the version range, that should've been up to (excluding) 20230227, but nevertheless the CVE should not have surfaced on reports for version 20230227

Version of dependency-check used
The problem occurs using version 8.1.1 as well as 8.1.2 of the maven plugin

Log file
When reporting errors, 99% of the time log file output is required. Please post the log file as a gist and provide a link in the new issue.

To Reproduce
Steps to reproduce the behavior:

1. Create a maven-project with a dependency on the fixed org.json package

   <dependency>
   <groupId>org.json</groupId>
   <artifactId>json</artifactId>
   <version>20230227</version>
   </dependency>

2. Run mvn org.owasp:dependency-check-maven:8.1.2:check on this project
3. Observe that the CVE is still reported

Expected behavior
CVE not reported, as the version of the dependency is beyond the vulnerable version range

[hgueltig]

As this bug creates a false positive, why not add it to the hosted suppression file until it is fixed to prevent any confusion?

[ahannah9]

It seems (@ into /) fixes it for me as it was originally. Maybe this needs to be revisited

Deliberate change commit (/ into @):

7d881ee

---

main:

https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/resources/dependencycheck-base-suppression.xml#L6188

DependencyCheck/core/src/main/resources/dependencycheck-base-suppression.xml

Line 6188 in c0b2c0b

<packageUrl regex="true">^(?!pkg:maven/org\.json/json@).+$</packageUrl>

---

original commit on branch outside repo:

DependencyCheck/core/src/main/resources/dependencycheck-base-suppression.xml

Line 6188 in 8a8e5d2

<packageUrl regex="true">^(?!pkg:maven/org\.json/json/).+$</packageUrl>

[aikebah]

It seems (@ into /) fixes it for me as it was originally. Maybe this needs to be revisited

No that does not have to be revisited.... it 'fixes' it for you because that original commit was wrong and the current suppression is valid.

The suppression rules is meant to suppress it for anything that is NOT org.json/json

By restoring the original erroneous regEx you are even suppressing it for ANY version of org.json/json (in addition to anything that is not org.json/json), as the packageURL of org.json/json has an @-sign after json, not a forward slash.

[FyiurAmron]

note that in the meantime https://nvd.nist.gov/vuln/detail/CVE-2022-45688#VulnChangeHistorySection fixed (changed) the up to (excluding) 20220924 to up to (excluding) 20230227 - but, as expected, this false positive still appears.

[ochstobi]

Same false positive shows up also in version 20230618. Will this be fixed anytime in the future?

[aikebah]

Intention is definitely to get a structural fix for this in the future. I've taking a few looks at it, but it appears to not be an easy fix.

[chadlwilson]

Hi @aikebah - think your tactical fix was in 8.4.1 for this one, which resolves this and #5991 - we can probably close both of these now?

I guess the structural fix could be a separate issue?

[aikebah]

Right, somehow missed flagging these as resolved