
False positive when resolving a version with "constraints" #442

Open
vdmitrienko opened this issue Feb 25, 2025 · 9 comments
Comments

@vdmitrienko

We declare a constraint to use version 9.4.57.v20241219 instead of 9.4.53.v20231009 for our transitive dependencies. However, the report still complains about CVEs found in the 9.4.53.v20231009.

dependencies {
    constraints {
        implementation('org.eclipse.jetty:jetty-webapp:9.4.57.v20241219')
    }
}

./gradlew dependencies output:

org.eclipse.jetty:jetty-webapp:9.4.53.v20231009 -> 9.4.57.v20241219

Build log:

jetty-client-9.4.53.v20231009.jar./root/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-client/9.4.53.v20231009/143440d3a77f9cf17abaad222451b3ea3b4ccc98/jetty-client-9.4.53.v20231009.jar
13:05:09     CVE-2024-22201.pkg:maven/org.eclipse.jetty/jetty-client@9.4.53.v20231009
13:05:09       Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
13:05:09       location: /root/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-client/9.4.53.v20231009/143440d3a77f9cf17abaad222451b3ea3b4ccc98/jetty-client-9.4.53.v20231009.jar, project-references: [ gridgain-sql-copy:runtimeClasspath ]
13:05:09       cvssV3: HIGH, score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A)
13:05:09     CVE-2024-8184.pkg:maven/org.eclipse.jetty/jetty-client@9.4.53.v20231009
13:05:09       There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack.  By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.
13:05:09       location: /root/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-client/9.4.53.v20231009/143440d3a77f9cf17abaad222451b3ea3b4ccc98/jetty-client-9.4.53.v20231009.jar, project-references: [ gridgain-sql-copy:runtimeClasspath ]
13:05:09       cvssV3: MEDIUM, score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:2.8/RC:R/MAV:A)
13:05:09     CVE-2024-6763.pkg:maven/org.eclipse.jetty/jetty-client@9.4.53.v20231009

The same problem is described here, but the issue is closed.

@jeremylong
Collaborator

Can you open the HTML report, expand the evidence section, and post a copy of the collected evidence?

@vdmitrienko
Author

@jeremylong, here you are:

(two screenshots of the evidence section of the HTML report)

@jeremylong
Collaborator

As expected - this is a matching issue, not a detection issue. I believe there is a similar issue raised on the core dependency-check library. The gradle plugin is scanning the correct version, but the detection engine is a little loose and is determining the wrong CPE.

@jeremylong
Collaborator

In other words - this has nothing to do with the constraints.

@jeremylong
Collaborator

ack - I swapped the numbers when doing my analysis. Apparently this is an issue with the detection.

@vdmitrienko
Author

Thanks, @jeremylong. Any chance we can expect a fix soon?

@jeremylong
Collaborator

I do have a number of other higher priority issues with dependency-check right now. We accept PRs...

@vdmitrienko
Author

Ok, I'll give it a try. Could you point me in the right direction on where to start?

@jeremylong
Collaborator

We are collecting the incoming from the gradle project here:

protected void processConfigurations(Project project, Engine engine) {

What we need to figure out is the difference between what the dependencies task is doing vs how we are pulling the information.
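The comment above asks how the `dependencies` task's requested-to-selected view differs from what the plugin collects. The following Gradle task is an added diagnostic, not part of dependency-check-gradle and not code from this thread: dropped into the same `build.gradle` as the constraints block, it prints, for one configuration, every dependency whose selected version differs from the requested one together with Gradle's selection reason (which names the constraint when one applied), and then the resolved artifact files, i.e. the jar paths a scanner actually opens. Comparing the two lists for a module such as jetty-client shows directly whether a constraint on a different module (here jetty-webapp) changed the jar that ends up on `runtimeClasspath`. The `conf` project property and the task name `resolutionReport` are assumptions of this example.

```groovy
// Added diagnostic task (example, not plugin code). Assumes Gradle 6+ Groovy DSL.
import org.gradle.api.artifacts.component.ModuleComponentSelector
import org.gradle.api.artifacts.result.ResolvedDependencyResult
import org.gradle.api.artifacts.result.UnresolvedDependencyResult

tasks.register('resolutionReport') {
    // Configuration to inspect; override with -Pconf=<name> (property name is an assumption).
    def confName = project.findProperty('conf') ?: 'runtimeClasspath'
    doLast {
        def conf = configurations.getByName(confName)
        println "Configuration: ${confName}"

        // 1. The graph view: what each edge requested vs. what the resolver selected.
        //    This is the same information `./gradlew dependencies` renders as "a -> b".
        println "Requested -> selected (only where they differ):"
        conf.incoming.resolutionResult.allDependencies.each { dep ->
            if (dep instanceof UnresolvedDependencyResult) {
                println "  UNRESOLVED ${dep.requested.displayName}: ${dep.failure.message}"
                return
            }
            if (!(dep instanceof ResolvedDependencyResult)) return
            def requested = dep.requested
            def selected = dep.selected.moduleVersion
            if (requested instanceof ModuleComponentSelector
                    && selected != null
                    && requested.version != selected.version) {
                // selectionReason lists why Gradle picked this version (conflict resolution,
                // dependency constraint, forced, ...), which is where a constraint shows up.
                def why = dep.selected.selectionReason.descriptions
                        .collect { it.description }.join('; ')
                println "  ${requested.displayName} -> ${selected.version}  [${why}]"
            }
        }

        // 2. The artifact view: the concrete files on the classpath. A scanner that walks
        //    resolved artifacts sees these paths, so this is what must match the graph above.
        println "Resolved artifact files:"
        conf.incoming.artifactView { lenient(true) }.artifacts.each { artifact ->
            def component = artifact.id.componentIdentifier
            println "  ${component.displayName} -> ${artifact.file}"
        }
    }
}
```

Run it with `./gradlew resolutionReport -Pconf=runtimeClasspath`. If a module appears in the first list with the constraint named in the selection reason and its entry in the second list points at the expected jar, the build resolved it as intended and a report naming the old version is a matching problem on the scanner side; if the second list still shows the old jar, the constraint did not reach that module and the jar really is on the classpath.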
