Introduction
This post explains how to reconfigure the OWASP dependency check plugin so that false positives are filtered out of its report.
Objectives
The contents of this post were tailored for CS-35 Software Security, but the lessons can be useful for anyone new to static testing.
The following objectives will be met:
- Understand the connection between a given CPE and its vulnerabilities.
- Basic understanding of how OWASP matches a CPE to a vulnerability.
- Use the above objectives to filter out false positives from the report.
- Use OSS Index to validate the results in the dependency check report.
What are you being asked to do?
You are being asked to:
- Download the provided code base and upload it to Eclipse
- Reconfigure the pom.xml file to integrate the Maven Dependency-Check plugin
- Run a scan to generate a dependency check report
- Reconfigure the pom.xml file again to include the suppression.xml for the OWASP plugin
- List all false positives in the suppression.xml file and re-run the scan to produce a dependency check report that excludes the false positives listed in suppression.xml
Note
You will need to rename your first dependency check report so that it is not overwritten by the second scan. Rename it to something like before-config-Dependency-Check Report.html.
How to identify false positives in the dependency check report
We will use the Common Platform Enumeration (CPE) to identify false positives in the OWASP dependency check report. When OWASP matches a vulnerability to the wrong CPE, the vulnerability becomes a clear false positive. That will be the basis for identifying false positives.
Excerpted from How To Read The Reports
There is a lot of information contained in the HTML version of the report. When analyzing the results, the first thing one should do is determine if the identified CPE is correct. Due to the way dependency-check works (see How it works for more information) the report may contain false positives. These false positives are primarily on the CPE values. If the CPE value is wrong, this is usually obvious, one should use the suppression feature in the report to generate a suppression XML file that can be used on future scans.
Every vulnerability in the dependency check report will have a list of CPEs under “Vulnerable Software & Versions.”
Each CPE listed for a vulnerability corresponds to a software version the dependency check plugin thinks is affected by that vulnerability.
If the CPE is not for the dependency version being used, then the dependency check plugin reported a false positive.
Example
I will use bcprov-jdk15on-1.46.jar as an example for finding false positives in the dependency check report below.
bcprov-jdk15on-1.46.jar (version 1.46) is the first dependency listed in the report. The CVE count for this dependency is 17, meaning it has 17 vulnerabilities. Click on bcprov-jdk15on-1.46.jar to scroll down to its list of vulnerabilities.
First CVE for bcprov-jdk15on-1.46.jar
CVE-2013-1624 is matched with cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.46, which means it is a valid vulnerability because the software versions match.
To clarify, the dependency we are checking is bcprov-jdk15on-1.46.jar and the vulnerability is for legion-of-the-bouncy-castle-java-crytography-api:1.46, which is part of bcprov-jdk15on-1.46.jar.
Second CVE for bcprov-jdk15on-1.46.jar
CVE-2015-6644 is matched with cpe:2.3:a:org.bouncycastle:bcprov-jdk15on:1.46. Again, this is a valid vulnerability.
Skipping to the 16th CVE for bcprov-jdk15on-1.46.jar
CVE-2020-15522 is matched with:
None of the CPEs for CVE-2020-15522 are for version 1.46, so this vulnerability is a false positive and should be suppressed.
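A suppression.xml entry for this finding, as an added example that is not part of the original post. The file name suppression.xml comes from the steps above; its location in the project root next to pom.xml is an assumption, and the Maven group ID org.bouncycastle is taken from the CPE shown for the second CVE.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  suppression.xml: added example, not from the original post.
  Assumed to sit in the project root next to pom.xml and to be referenced
  from the dependency-check-maven plugin's <configuration> like this:

    <suppressionFiles>
      <suppressionFile>suppression.xml</suppressionFile>
    </suppressionFiles>
-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      file name: bcprov-jdk15on-1.46.jar
      Reason: none of the CPEs listed under "Vulnerable Software & Versions"
      for this CVE are for version 1.46.
    ]]></notes>
    <!-- Match only this artifact at this exact version, so the finding is
         evaluated again if the dependency is ever upgraded. -->
    <packageUrl regex="true">^pkg:maven/org\.bouncycastle/bcprov-jdk15on@1\.46$</packageUrl>
    <!-- Suppress this one CVE only; every other finding stays in the report. -->
    <cve>CVE-2020-15522</cve>
  </suppress>
</suppressions>
```

Scoping the entry by both package URL and CVE keeps the suppression from hiding other vulnerabilities in the same jar or the same CVE in a different dependency.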
Verify that CVE-2020-15522 is a false positive for bcprov-jdk15on-1.46.jar
Go back to the top of the page and click on the package link for bcprov-jdk15on-1.46.jar.
The link will take you to OSS Index to see the number of known vulnerabilities for bcprov-jdk15on version 1.46 and its list of CVEs.
OSS Index shows a total of 16 vulnerabilities for bcprov-jdk15on-1.46.jar, while the OWASP dependency check report shows 17. Recall that we determined earlier that CVE-2020-15522 is a false positive. If you scroll through the list of vulnerabilities in OSS Index for bcprov-jdk15on-1.46.jar, you will not see CVE-2020-15522 as a listed vulnerability.
Conclusion
By verifying the CPEs for each vulnerability, we were able to find one false positive for bcprov-jdk15on-1.46.jar out of the 17 vulnerabilities reported by OWASP. OSS Index confirmed that CVE-2020-15522 was not an active vulnerability for bcprov-jdk15on-1.46.jar.