False negatives on Java org.webjars/bootstrap and org.webjars/jquery #2014

Open · Labels: bug (Something isn't working)
metametadata opened this issue Jul 26, 2024 · 3 comments

metametadata commented Jul 26, 2024

What happened:

  1. Vulns in Java dep pkg:maven/org.webjars/bootstrap@3.4.1 are not detected:

  2. CVE-2016-10707 in Java dep pkg:maven/org.webjars/jquery@1.11.1 is not detected.

What you expected to happen:

The vulns are detected.

How to reproduce it (as minimally and precisely as possible):

Maven POM file pom.xml:

<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>gd.wa</groupId>
    <artifactId>minimal-pom</artifactId>
    <version>1.0-SNAPSHOT</version>
    <packaging>jar</packaging>

    <name>minimal-pom</name>
    <url>http://maven.apache.org</url>

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <java.version>1.8</java.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.webjars</groupId>
            <artifactId>bootstrap</artifactId>
            <version>3.4.1</version>
        </dependency>
    </dependencies>
</project>

SBOM file cycl.json generated from pom.xml via mvn -DoutputDirectory=. -DoutputFormat=json -DoutputName=cycl org.cyclonedx:cyclonedx-maven-plugin:2.8.0:makeBom -f pom.xml:

{
  "bomFormat" : "CycloneDX",
  "specVersion" : "1.5",
  "serialNumber" : "urn:uuid:f58d4ca4-4151-3e20-a826-f01c71692f35",
  "version" : 1,
  "metadata" : {
    "timestamp" : "2024-07-26T18:48:34Z",
    "lifecycles" : [
      {
        "phase" : "build"
      }
    ],
    "tools" : [
      {
        "vendor" : "OWASP Foundation",
        "name" : "CycloneDX Maven plugin",
        "version" : "2.8.0",
        "hashes" : [
          {
            "alg" : "MD5",
            "content" : "76ffec6a7ddd46b2b24517411874eb99"
          },
          {
            "alg" : "SHA-1",
            "content" : "5b0d5b41975b53be4799b9621b4af0cfc41d44b6"
          },
          {
            "alg" : "SHA-256",
            "content" : "6852aa0f4e42a2db745bab80e384951a6a65b9215d041081d675780999027e81"
          },
          {
            "alg" : "SHA-512",
            "content" : "417de20fcdcb11c9713bacbd57290d8e68037fdb4553fd31b8cb08bd760ad52dc65ea88ad4be15844ad3fd5a4d3e440d2f70326f2fe1e63ec78e059c9a883f8d"
          },
          {
            "alg" : "SHA-384",
            "content" : "5eb755c6492e7a7385fa9a1e1f4517875bcb834b2df437808a37a2d6f5285df428741762305980315a63fcef1406597d"
          },
          {
            "alg" : "SHA3-384",
            "content" : "0fe16a47cf7aab0b22251dafcc39939b68e8f1778093309d8d2060b51a08df445a8b8ed5a9561669faf2e55f907c76d8"
          },
          {
            "alg" : "SHA3-256",
            "content" : "3e5a1eb5ab7d0797498862794709ff8eaaa071fe4cc9ec77f52db7e2f97ef487"
          },
          {
            "alg" : "SHA3-512",
            "content" : "59281a3e29e76270d7f44b40b5b9f05e55f1ae3ec716d80add806f360940809e3813998ac7c5758043b8e248aed73b86e37dc506cdb4cde03c16bb617d8e5a3a"
          }
        ]
      }
    ],
    "component" : {
      "group" : "gd.wa",
      "name" : "minimal-pom",
      "version" : "1.0-SNAPSHOT",
      "licenses" : [ ],
      "purl" : "pkg:maven/gd.wa/minimal-pom@1.0-SNAPSHOT?type=jar",
      "externalReferences" : [
        {
          "type" : "website",
          "url" : "http://maven.apache.org"
        }
      ],
      "type" : "library",
      "bom-ref" : "pkg:maven/gd.wa/minimal-pom@1.0-SNAPSHOT?type=jar"
    },
    "properties" : [
      {
        "name" : "maven.goal",
        "value" : "makeBom"
      },
      {
        "name" : "maven.scopes",
        "value" : "compile,provided,runtime,system"
      }
    ]
  },
  "components" : [
    {
      "group" : "org.webjars",
      "name" : "bootstrap",
      "version" : "3.4.1",
      "description" : "WebJar for Bootstrap",
      "scope" : "required",
      "hashes" : [
        {
          "alg" : "MD5",
          "content" : "ba2f9fda2c1fece5ff121e8abc385475"
        },
        {
          "alg" : "SHA-1",
          "content" : "2c6a8508a4f1484abcaf334cf2fe3df97cf93eac"
        },
        {
          "alg" : "SHA-256",
          "content" : "90fdaa23fb3a9cbce04f4c51699312ab1f1fae2d70c0d1a84541b7e9a76e6e54"
        },
        {
          "alg" : "SHA-512",
          "content" : "fb6b12d98bdc2efb6f446fca9356ec0167a8e9757864e9209a66a51cc884c888742a53b22f0c2faeacea528a9e911f9c0a2fd60e6364bc5080cb4da12e68f5aa"
        },
        {
          "alg" : "SHA-384",
          "content" : "eb2dcd95bc3036573982d0814433f1d0b883d143f85db7a496c06507495577c068c191101356b2834418544d7f6513fa"
        },
        {
          "alg" : "SHA3-384",
          "content" : "2e2820179e8ccb6b00dad6d3d081e7bada7c61abfa85b561d8805997367e8976627804db3d5b2b17e75e478b8c7bd6fa"
        },
        {
          "alg" : "SHA3-256",
          "content" : "80ff4fa9640694c39b49021194379675f928be1101fa68e56b9a666193ed4620"
        },
        {
          "alg" : "SHA3-512",
          "content" : "84343ebb1c41b1731727196ec7b9eb733b904c70ec2d2b309928396273c0e48f83699d05b4125f69d1baa323268dfb736f9f6519742081becec556a4206dc98a"
        }
      ],
      "licenses" : [
        {
          "license" : {
            "id" : "Apache-2.0"
          }
        }
      ],
      "purl" : "pkg:maven/org.webjars/bootstrap@3.4.1?type=jar",
      "externalReferences" : [
        {
          "type" : "website",
          "url" : "http://webjars.org"
        },
        {
          "type" : "distribution-intake",
          "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/"
        },
        {
          "type" : "vcs",
          "url" : "http://github.com/webjars/bootstrap"
        }
      ],
      "type" : "library",
      "bom-ref" : "pkg:maven/org.webjars/bootstrap@3.4.1?type=jar"
    },
    {
      "group" : "org.webjars",
      "name" : "jquery",
      "version" : "1.11.1",
      "description" : "WebJar for jQuery",
      "scope" : "required",
      "hashes" : [
        {
          "alg" : "MD5",
          "content" : "66dec8956bb59fd4a8015c21b8673544"
        },
        {
          "alg" : "SHA-1",
          "content" : "195eda53ac8beba7bff08f9919b48c954c858590"
        },
        {
          "alg" : "SHA-256",
          "content" : "197d41758eb59374672fc9346749842b36d950d3f0b429c8846a297274cf95b3"
        },
        {
          "alg" : "SHA-512",
          "content" : "d889c87ca34cd9deb0d92231177379b4ae114f87e7ac95791161b3e83376c92485911bbe114fe736559a6adb5396b2176f980d5d450b1df7f8110ca359699dbf"
        },
        {
          "alg" : "SHA-384",
          "content" : "b2e589b8ed46628400975fa32ef36cdcd39f2b26e382e0dc45fe71409d92d1de412fc8ead298a1ed63b30da15d810849"
        },
        {
          "alg" : "SHA3-384",
          "content" : "55ad3e3353f9f9534dab5f0ae03ba672ef96232e7cbaec9988fffdbb7d6465d0f2665f6d401ba4460a4668aeb26d5889"
        },
        {
          "alg" : "SHA3-256",
          "content" : "9c1ec14dcfe883e7f4e922a6681f560623025b25b95fe86956e76898df42446d"
        },
        {
          "alg" : "SHA3-512",
          "content" : "134bb2dad553b56e548775f17b3d8c0a751a2533dcc8234dc2f1cb0313ee00a792457cc1f2e971a8a1efc58d551e5dbc78a63fd3dde0c6779a03ea0d0360d6f3"
        }
      ],
      "licenses" : [
        {
          "license" : {
            "id" : "MIT",
            "url" : "https://opensource.org/licenses/MIT"
          }
        }
      ],
      "purl" : "pkg:maven/org.webjars/jquery@1.11.1?type=jar",
      "externalReferences" : [
        {
          "type" : "website",
          "url" : "http://webjars.org"
        },
        {
          "type" : "distribution-intake",
          "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/"
        },
        {
          "type" : "vcs",
          "url" : "http://github.com/webjars/jquery"
        }
      ],
      "type" : "library",
      "bom-ref" : "pkg:maven/org.webjars/jquery@1.11.1?type=jar"
    }
  ],
  "dependencies" : [
    {
      "ref" : "pkg:maven/gd.wa/minimal-pom@1.0-SNAPSHOT?type=jar",
      "dependsOn" : [
        "pkg:maven/org.webjars/bootstrap@3.4.1?type=jar"
      ]
    },
    {
      "ref" : "pkg:maven/org.webjars/bootstrap@3.4.1?type=jar",
      "dependsOn" : [
        "pkg:maven/org.webjars/jquery@1.11.1?type=jar"
      ]
    },
    {
      "ref" : "pkg:maven/org.webjars/jquery@1.11.1?type=jar",
      "dependsOn" : [ ]
    }
  ]
}

Grype config config.yaml:

add-cpes-if-none: true

match:
  java:
    using-cpes: true

Finally, Grype grype -c config.yaml sbom:cycl.json output:

 ✔ Vulnerability DB                [no update available]
 ✔ Scanned for vulnerabilities     [5 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 5 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 5 not-fixed, 0 ignored
NAME    INSTALLED  FIXED-IN  TYPE          VULNERABILITY   SEVERITY
jquery  1.11.1               java-archive  CVE-2020-11023  Medium
jquery  1.11.1               java-archive  CVE-2020-11022  Medium
jquery  1.11.1               java-archive  CVE-2019-11358  Medium
jquery  1.11.1               java-archive  CVE-2015-9251   Medium
jquery  1.11.1               java-archive  CVE-2007-2379   Medium

Anything else we need to know?:

  • The listed CVEs can be found by nvd-clojure (a wrapper for OWASP Dependency-Check which takes a Java classpath as an input) and Sonatype OSS Index analyzer in OWASP Dependency-Track (after uploading cycl.json SBOM):

    (screenshot of the scanner results omitted)
  • AWS Inspector detects the mentioned Bootstrap vulns but misses the jQuery one.

  • The mentioned vulns are not displayed at mvnrepository.com artifact pages (https://mvnrepository.com/artifact/org.webjars/bootstrap/3.4.1, https://mvnrepository.com/artifact/org.webjars/jquery/1.11.1).

  • I'm using the CycloneDX plugin to generate SBOMs as Grype/Syft is not reliable enough; specifically, it looks like it doesn't respect transitive deps.

  • I'm new to this so I may miss something obvious.

Environment:

  • Output of grype version:
Application:         grype
Version:             0.79.3
BuildDate:           2024-07-11T18:39:52Z
GitCommit:           brew
GitDescription:      [not provided]
Platform:            darwin/arm64
GoVersion:           go1.22.5
Compiler:            gc
Syft Version:        v1.9.0
Supported DB Schema: 5
  • OS: macOS.
metametadata (Author) commented:

CVE-2016-10707 in Java dep pkg:maven/org.webjars/jquery@1.11.1 is not detected.

Looking at the affected versions in the corresponding GHSA entry GHSA-mhpp-875w-9cpv:

(screenshot of the GHSA affected-versions table omitted)

So AFAIU, Grype correctly didn't report this dep.

spiffcs (Contributor) commented Jul 31, 2024

👋 Hey @metametadata thanks for the report on the false negatives.

For the first 3:

It looks like they're all sitting as unreviewed in both NVD and GHSA. Because of this there are no entries in the grype database yet that would allow us to match based on PURL or CPE (cpe matching is turned off by default for java and we rely on GHSA's published analysis for PURL matching):

For CVE-2016-10707 it looks like there is a small naming issue that needs to be resolved between what the package manager is resolving and what the vulnerability is being sourced against.

Here are the two different packages in maven:
pkg:maven/org.webjars/jquery@1.11.1
org.webjars.npm:jquery

The one included in the SBOM is NOT vulnerable:
"purl" : "pkg:maven/org.webjars/jquery@1.11.1?type=jar",

The vulnerable PURL would be:
"purl" : "pkg:maven/org.webjars.npm/jquery@1.11.1?type=jar"

Note the .npm in the group name. Are you sure these are the same jar?

metametadata (Author) commented Jul 31, 2024

It looks like they're all sitting as unreviewed in both NVD and GHSA. Because of this there are no entries in the grype database yet that would allow us to match based on PURL or CPE

Got it, thanks!

I wonder how other scanners are able to match these CVEs then 🤔

note the .npm in the group name

Good catch! org.webjars.npm/* is an NPM WebJar which can be built automatically from the corresponding NPM package (via the https://www.webjars.org GUI). OTOH, org.webjars/* is a classic WebJar which requires some kind of manual setup before building.

Are you sure these are the same jar?

They are different, even though somewhere inside they contain exactly the same jQuery JS code.

Conclusion:

  1. There's a difference between org.webjars.npm/* and org.webjars/*.

  2. For some reason CVEs for jQuery cover org.webjars.npm/jquery artifacts, but not org.webjars/jquery ones.

    It can be easily seen in Vulnerabilities column in https://mvnrepository.com/artifact/org.webjars.npm/jquery vs. https://mvnrepository.com/artifact/org.webjars/jquery.

  3. Grype detects CVEs in org.webjars.npm/jquery and prints more info than for org.webjars/jquery:

    ✔ Scanned for vulnerabilities     [9 vulnerability matches]
       ├── by severity: 0 critical, 0 high, 9 medium, 0 low, 0 negligible
       └── by status:   4 fixed, 5 not-fixed, 0 ignored
    NAME    INSTALLED  FIXED-IN  TYPE          VULNERABILITY        SEVERITY
    jquery  1.11.1     1.12.2    java-archive  GHSA-rmxg-73gg-4p98  Medium
    jquery  1.11.1     3.5.0     java-archive  GHSA-jpcq-cgw6-v4j6  Medium
    jquery  1.11.1     3.5.0     java-archive  GHSA-gxr4-xjj5-5px2  Medium
    jquery  1.11.1     3.4.0     java-archive  GHSA-6c3j-c64m-qhgq  Medium
    jquery  1.11.1               java-archive  CVE-2020-11023       Medium
    jquery  1.11.1               java-archive  CVE-2020-11022       Medium
    jquery  1.11.1               java-archive  CVE-2019-11358       Medium
    jquery  1.11.1               java-archive  CVE-2015-9251        Medium
    jquery  1.11.1               java-archive  CVE-2007-2379        Medium
    

    There's still no CVE-2016-10707, but I think it's correct, as I wrote in the previous comment.

    I've also noticed that GHSA vulns here duplicate the CVE ones below them, e.g. GHSA-rmxg-73gg-4p98 is linked to CVE-2015-9251. Maybe Grype should somehow deduplicate such matches? Setting using-cpes to false helps with this, but I'm concerned it increases the risk of false negatives.

  4. Switching from org.webjars/bootstrap to org.webjars.npm/bootstrap leads to excluding jQuery transitive dep from the dependency tree. And this is a good idea for me as I don't need jQuery in my real project.
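The naming mismatch discussed above (advisory data keyed on org.webjars.npm/* or the npm package while the SBOM carries org.webjars/*) can be audited directly from the CycloneDX file. The script below is an added example, not part of the issue or of Grype/Syft: it parses each Maven PURL in the SBOM and, for every classic WebJar component, emits the org.webjars.npm and npm PURLs a reviewer should cross-check a scanner's output against. The embedded SBOM is a constructed subset mirroring the issue's cycl.json.

```python
"""Flag classic WebJar (org.webjars/*) components in a CycloneDX SBOM.

Classic WebJars repackage an upstream JS library under a Maven coordinate that
advisory feeds often do not key on; the NPM WebJar (org.webjars.npm/*) and the
npm package itself are the coordinates more commonly covered.  For each classic
WebJar this returns those alternative PURLs so the gap can be checked by hand.
"""
import json
from urllib.parse import unquote

# Constructed minimal SBOM modelled on the issue's cycl.json (not the real file).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"purl": "pkg:maven/org.webjars/bootstrap@3.4.1?type=jar"},
        {"purl": "pkg:maven/org.webjars/jquery@1.11.1?type=jar"},
        {"purl": "pkg:maven/org.webjars.npm/jquery@1.11.1?type=jar"},
        {"purl": "pkg:maven/com.example/other@1.0?type=jar"},
    ],
})


def parse_maven_purl(purl):
    """Split pkg:maven/<group>/<name>@<version>[?qualifiers] into its parts.

    Returns (group, name, version) or None for non-Maven / malformed PURLs.
    Qualifiers such as ?type=jar are ignored; percent-encoding is decoded.
    """
    if not purl.startswith("pkg:maven/"):
        return None
    body = purl[len("pkg:maven/"):].split("?", 1)[0]
    path, _, version = body.partition("@")
    group, _, name = path.rpartition("/")
    if not (group and name and version):
        return None
    return unquote(group), unquote(name), unquote(version)


def classic_webjar_alternatives(sbom_json):
    """Map each org.webjars/* PURL in the SBOM to the PURLs to cross-check."""
    sbom = json.loads(sbom_json)
    purls = sorted({c.get("purl") for c in sbom.get("components", []) if c.get("purl")})
    report = {}
    for purl in purls:
        parsed = parse_maven_purl(purl)
        if parsed is None or parsed[0] != "org.webjars":
            continue  # not a classic WebJar; org.webjars.npm/* is already covered
        _, name, version = parsed
        report[purl] = [
            f"pkg:maven/org.webjars.npm/{name}@{version}?type=jar",
            f"pkg:npm/{name}@{version}",
        ]
    return report


if __name__ == "__main__":
    for original, alternatives in classic_webjar_alternatives(SAMPLE_SBOM).items():
        print(original, "-> check:", ", ".join(alternatives))
```

A component whose upstream library the scanner matches under one of the listed alternatives but not under the original PURL is a candidate for the false negatives described in this issue.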

Projects
Status: Backlog