Adhoc FP and FN fixes (#289)

* Fixes #288 Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> * Suppress false positives when the package name is core Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> * Do not match application CVEs from OS distros Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> * Filter some NVD results based on sw_edition. Trims some amount of false positives Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> * Update vdb to get alpine version compare false positives Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> --------- Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
owasp-dep-scan · Apr 4, 2024 · a27b6ec · a27b6ec
1 parent 82d0fd9
commit a27b6ec
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 9 deletions.
diff --git a/depscan/lib/analysis.py b/depscan/lib/analysis.py
@@ -225,6 +225,24 @@ def pkg_sub_tree(
  )
 
 
+def is_lang_sw_edition(package_issue):
+ """Check if the specified sw_edition belongs to any application package type"""
+ if package_issue and package_issue["affected_location"].get("cpe_uri"):
+ all_parts = CPE_FULL_REGEX.match(
+ package_issue["affected_location"].get("cpe_uri")
+ )
+ if not all_parts or all_parts.group("sw_edition") in ("*", "-"):
+ return True
+ if (
+ config.LANG_PKG_TYPES.get(all_parts.group("sw_edition"))
+ or all_parts.group("sw_edition")
+ in config.LANG_PKG_TYPES.values()
+ ):
+ return True
+ return False
+ return True
+
+
 def is_os_target_sw(package_issue):
  """
  Since we rely on NVD, we filter those target_sw that definitely belong to a language
@@ -235,9 +253,9 @@ def is_os_target_sw(package_issue):
  )
  if (
  all_parts
- and all_parts.group("target_sw") != "*"
+ and all_parts.group("target_sw") not in ("*", "-")
  and (
- all_parts.group("target_sw") in config.LANG_PKG_TYPES.keys()
+ config.LANG_PKG_TYPES.get(all_parts.group("target_sw"))
  or all_parts.group("target_sw")
  in config.LANG_PKG_TYPES.values()
  )
@@ -367,7 +385,7 @@ def prepare_vdr(options: PrepareVdrOptions):
  if options.project_type in config.OS_PKG_TYPES:
  if vendor and (
  vendor in config.LANG_PKG_TYPES.values()
- or vendor in config.LANG_PKG_TYPES.keys()
+ or config.LANG_PKG_TYPES.get(vendor)
  ):
  fp_count += 1
  continue
@@ -382,17 +400,21 @@ def prepare_vdr(options: PrepareVdrOptions):
  version_used = purl_obj.get("version")
  package_type = purl_obj.get("type")
  qualifiers = purl_obj.get("qualifiers", {})
+ # Filter application CVEs from distros
+ if (config.LANG_PKG_TYPES.get(package_type) or package_type in config.LANG_PKG_TYPES.values()) and ((vendor and vendor in config.OS_PKG_TYPES) or not is_lang_sw_edition(package_issue)):
+ fp_count += 1
+ continue
  if package_type in config.OS_PKG_TYPES:
  # Bug #208 - do not report application CVEs
  if vendor and (
  vendor in config.LANG_PKG_TYPES.values()
- or vendor in config.LANG_PKG_TYPES.keys()
+ or config.LANG_PKG_TYPES.get(vendor)
  ):
  fp_count += 1
  continue
  if package_type and (
  package_type in config.LANG_PKG_TYPES.values()
- or package_type in config.LANG_PKG_TYPES.keys()
+ or config.LANG_PKG_TYPES.get(package_type)
  ):
  fp_count += 1
  continue

diff --git a/depscan/lib/config.py b/depscan/lib/config.py
@@ -156,6 +156,7 @@ def resource_path(relative_path):
  "Microsoft.IdentityModel.Clients.ActiveDirectory": "active_directory_authentication_library",
  "starkbank_ecdsa": "ecdsa-elixir",
  "php-pear": "pear-core-minimal",
+ "Selenium.WebDriver": "selenium"
 }
 
 # Default ignore list

diff --git a/depscan/lib/normalize.py b/depscan/lib/normalize.py
@@ -106,7 +106,8 @@ def create_pkg_variations(pkg_dict):
  ):
  tmpA = vendor.split(".")
  # Automatically add short vendor forms
- if len(tmpA) > 1 and len(tmpA[1]) > 3:
+ # Increase to 6 to reduce false positives when the package name is core
+ if len(tmpA) > 1 and len(tmpA[1]) > 6:
  if tmpA[1] != name:
  vendor_aliases.add(tmpA[1])
  # Add some common vendor aliases
@@ -208,7 +209,8 @@ def create_pkg_variations(pkg_dict):
  else:
  # Filter vendor aliases that are also name aliases for non pypi packages
  # This is needed for numpy which has the vendor name numpy
- if not purl.startswith("pkg:pypi"):
+ # Also needed for nuget. Eg: selenium:selenium
+ if not purl.startswith("pkg:pypi") and not purl.startswith("pkg:nuget"):
  vendor_aliases = [
  x for x in vendor_aliases if x not in name_aliases or x == vendor
  ]

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,12 +1,12 @@
 [project]
 name = "owasp-depscan"
-version = "5.3.0"
+version = "5.3.1"
 description = "Fully open-source security audit for project dependencies based on known vulnerabilities and advisories."
 authors = [
  {name = "Team AppThreat", email = "cloud@appthreat.com"},
 ]
 dependencies = [
- "appthreat-vulnerability-db==5.6.6",
+ "appthreat-vulnerability-db==5.6.7",
  "defusedxml",
  "oras~=0.1.26",
  "PyYAML",