
[FP]: IronPython:2.7.11 is marked by Dependency-Check 9.0.9 as CRITICAL, which is a False Positive #6435

Closed
rafalkasa opened this issue Jan 31, 2024 · 7 comments

Comments

@rafalkasa

rafalkasa commented Jan 31, 2024

Package URL

pkg:nuget/[email protected]

CPE

cpe:2.3:a:python:python:2.7.11:::::::* (Confidence:Low)

CVE

CVE-2016-5636, CVE-2016-5636, CVE-2016-9063, CVE-2017-1000158, CVE-2018-1000802 and others as well

ODC Integration

{"label"=>"CLI"}

ODC Version

9.0.9

Description

The library itself, in version 2.7.11, uses CPython version 2.7.18, and most of the vulnerabilities relate to CPython versions lower than 2.7.18, because the library has a different versioning model than CPython. As a result, Dependency-Check marked this dependency as CRITICAL, which is not true.

Screenshot: IronPython 2.7.11 - CPython Dependencies

Report in Json for IronPython 2.7.11
dependency-check-report.json

Sonatype report:
https://ossindex.sonatype.org/component/pkg:nuget/[email protected]?utm_source=dependency-check&utm_medium=integration&utm_content=9.0.9

Contributor

Error parsing package url: https://www.nuget.org/packages/IronPython/2.7.11.

Error: Error: purl is missing the required "pkg" scheme component.

Please correct the package URL - consider copying the package url from the HTML report.

Contributor

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/7725260056

Contributor

github-actions bot commented Feb 5, 2024

Nuget Coordinates

dotnet add package IronPython --version 2.7.11

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6435
   ]]></notes>
   <packageUrl regex="true">^pkg:nuget/IronPython@.*$</packageUrl>
   <cpe>cpe:/a:python:python</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/7790776565
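To show how the generated rule above is applied, here is an added example (not Dependency-Check's own evaluator; it uses assumed, simplified semantics where the packageUrl regex must match and the rule's CPE is treated as a vendor:product prefix). It also reproduces the bot's earlier complaint that a package URL without the `pkg:` scheme is rejected. The CPE strings below are constructed sample input, with `*` in the wildcard positions.

```python
import re
import xml.etree.ElementTree as ET

# Copy of the suppression rule from this thread (constructed input for the example)
SUPPRESSION_XML = """<suppress base="true">
   <notes><![CDATA[FP per issue #6435]]></notes>
   <packageUrl regex="true">^pkg:nuget/IronPython@.*$</packageUrl>
   <cpe>cpe:/a:python:python</cpe>
</suppress>"""


def validate_purl(purl: str) -> None:
    """Mirror the bot's first complaint: a package URL must carry the pkg: scheme."""
    if not purl.startswith("pkg:"):
        raise ValueError('purl is missing the required "pkg" scheme component')


def cpe22_to_23_prefix(cpe22: str) -> str:
    """Turn a 2.2-style cpe:/a:vendor:product into the matching cpe:2.3 prefix."""
    part, *fields = cpe22.removeprefix("cpe:/").split(":")
    return "cpe:2.3:" + ":".join([part, *fields])


def suppressed_cpes(rule_xml: str, purl: str, identified_cpes: list[str]) -> list[str]:
    """Return the identified CPEs this rule suppresses for one dependency.

    Assumed simplified semantics: the packageUrl element must match the
    dependency's purl (regex or exact), then every identified CPE whose
    vendor:product prefix equals the rule's <cpe> is suppressed.
    """
    validate_purl(purl)
    rule = ET.fromstring(rule_xml)
    purl_el = rule.find("packageUrl")
    if purl_el.get("regex") == "true":
        if not re.match(purl_el.text, purl):
            return []
    elif purl_el.text != purl:
        return []
    prefix = cpe22_to_23_prefix(rule.findtext("cpe")) + ":"
    return [cpe for cpe in identified_cpes if cpe.startswith(prefix)]
```

A CPE for a different vendor:product (for instance one NVD would assign to IronPython itself) is left untouched by this rule, so a genuine IronPython CVE would still be reported.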

@github-actions github-actions bot added the dotnet label Feb 5, 2024
@rafalkasa
Author

rafalkasa commented Feb 5, 2024

In the attachment you will find the test results from my test project.

dependency-check.zip

@chadlwilson
Contributor

This suppression seems legit @aikebah - what do you think?

IronPython and CPython are versioned independently even if they do share code in some versions; it's not appropriate to match in this way IMHO. IronPython would need its own CPE (and probably does have one).

@aikebah
Collaborator

aikebah commented Oct 20, 2024

@chadlwilson agreed, the two projects are unrelated (except for both being an implementation of an interpreter for the Python language) and NVD would use a separate CPE for IronPython should a CVE be published for it.

approved

Contributor

Suppress rule has been added to the generatedSuppressions branch.

github-actions bot added a commit that referenced this issue Oct 20, 2024