empty report on java Spring4 project

[pcouas]

Hi

I have launched cve-bin-tool 3.3 on an old JAVA Spring 4 project, there is no exécution error, but report is empty ??
Severity │ Count │
├──────────┼───────┤
│ CRITICAL │ 0 │
│ HIGH │ 0 │
│ MEDIUM │ 0 │
│ LOW │ 0 │
│ UNKNOWN │ 0

I know there is Critical CVE on Spring4 project ? https://mvnrepository.com/artifact/org.springframework/spring-core/4.3.30.RELEASE
Direct vulnerabilities:
CVE-2023-20863
CVE-2023-20861
CVE-2022-22971
CVE-2022-22970
CVE-2022-22968

Why you don't report CVE ?
I have an mistake in my configuration ?

Regards

[terriko]

What exactly are you trying to scan? The source code? A packaged jar file?

We don't have a binary checker that detects spring4 (although someone could potentially add one if you want to make a feature request), but we do have code that reads a maven pom.xml file and should be able to scan based on that. Does whatever you're trying to scan have a pom.xml file and we're not scanning it correctly, or are you missing that file?

[pcouas]

HiYes i tried to read an maven project with pom.xml containg Spring4 LibraryRegardsMy command line is simplycve-bin-tool Z:\zpoubelle\projectenvoyé : 6 mai 2024 à 18:53de : Terri Oda ***@***.***>à : intel/cve-bin-tool ***@***.***>cc : pcouas ***@***.***>, Author ***@***.***>objet : Re: [intel/cve-bin-tool] empty report on java Spring4 project (Issue #4101) What exactly are you trying to scan? The source code? A packaged jar file?We don't have a binary checker that detects spring4 (although someone could potentially add one if you want to make a feature request), but we do have code that reads a maven pom.xml file and should be able to scan based on that. Does whatever you're trying to scan have a pom.xml file and we're not scanning it correctly, or are you missing that file?—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you authored the thread.Message ID: ***@***.***>

[terriko]

Can you provide the pom.xml you're scanning, or the part with spring4 in it?

Looking at the CVEs you linked, it looks like the vendor is vmware and the product name is spring_framework so if the pom.xml file calls it anything other than exactly spring_framework, it's probably a lookup error and we're not finding the right thing in the database. For example, if it's called "spring" or "spring4" in pom.xml then we won't find the right component.

We're working on some stuff with PURLs over the next few months that'll help us start building a database of mappings for cases like this one where the product name in the vuln database doesn't precisely match what's in pom.xml, so if that's what this is it won't be an easy fix but it will be fixed in a few months after our google summer of code contributors get started on their projects. If that's not the issue, it might be something else messed up in our lookup code? Not sure. It's definitely a bug.

In the meantime, I'm not sure what the best workaround for you would be. If you're just trying to scan this one project, maybe generate and SBOM and add the exact vendor/product name as a CPE so you can scan that and get results as expected?

[pcouas]

envoyé : 6 mai 2024 à 19:31de : Philippe Couas ***@***.***>à : intel/cve-bin-tool ***@***.***>objet : Re: [intel/cve-bin-tool] empty report on java Spring4 project (Issue #4101)HiYes i tried to read an maven project with pom.xml containg Spring4 LibraryRegardsMy command line is simplycve-bin-tool Z:\zpoubelle\projectenvoyé : 6 mai 2024 à 18:53de : Terri Oda ***@***.***>à : intel/cve-bin-tool ***@***.***>cc : pcouas ***@***.***>, Author ***@***.***>objet : Re: [intel/cve-bin-tool] empty report on java Spring4 project (Issue #4101) What exactly are you trying to scan? The source code? A packaged jar file?We don't have a binary checker that detects spring4 (although someone could potentially add one if you want to make a feature request), but we do have code that reads a maven pom.xml file and should be able to scan based on that. Does whatever you're trying to scan have a pom.xml file and we're not scanning it correctly, or are you missing that file?—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you authored the thread.Message ID: ***@***.***>

[pcouas]

I have tried too with project https://github.com/waichee/spring4-rest-client-examplewithout succesenvoyé : 8 mai 2024 à 09:53de : Philippe Couas ***@***.***>à : intel/cve-bin-tool ***@***.***>objet : Re: [intel/cve-bin-tool] empty report on java Spring4 project (Issue #4101)envoyé : 6 mai 2024 à 19:31de : Philippe Couas ***@***.***>à : intel/cve-bin-tool ***@***.***>objet : Re: [intel/cve-bin-tool] empty report on java Spring4 project (Issue #4101)HiYes i tried to read an maven project with pom.xml containg Spring4 LibraryRegardsMy command line is simplycve-bin-tool Z:\zpoubelle\projectenvoyé : 6 mai 2024 à 18:53de : Terri Oda ***@***.***>à : intel/cve-bin-tool ***@***.***>cc : pcouas ***@***.***>, Author ***@***.***>objet : Re: [intel/cve-bin-tool] empty report on java Spring4 project (Issue #4101) What exactly are you trying to scan? The source code? A packaged jar file?We don't have a binary checker that detects spring4 (although someone could potentially add one if you want to make a feature request), but we do have code that reads a maven pom.xml file and should be able to scan based on that. Does whatever you're trying to scan have a pom.xml file and we're not scanning it correctly, or are you missing that file?—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you authored the thread.Message ID: ***@***.***>

[pcouas]

Z:\zpoubelle\spring4-rest-client-example-master>cve-bin-tool . [06:59:01] INFO cve_bin_tool - CVE Binary Tool v3.3 cli.py:571 INFO cve_bin_tool - This product uses the NVD API but is not endorsed or certified by the NVD. cli.py:572 WARNING cve_bin_tool - cli.py:615 ********************************************** Warning: this utility was developed for Linux. You may need to install additional utilities to use it on other operating systems. ********************************************** INFO cve_bin_tool.CVEDB - Using cached CVE data (<24h old). Use -u now to update immediately. cvedb.py:285 INFO cve_bin_tool.CVEDB - There are 358971 CVE entries in the database cvedb.py:362 INFO cve_bin_tool.CVEDB - There are 249088 CVE entries from NVD in the database cvedb.py:364 INFO cve_bin_tool.CVEDB - There are 100548 CVE entries from OSV in the database cvedb.py:364 INFO cve_bin_tool.CVEDB - There are 9187 CVE entries from GAD in the database cvedb.py:364 INFO cve_bin_tool.CVEDB - There are 148 CVE entries from REDHAT in the database cvedb.py:364 INFO cve_bin_tool - CVE database contains CVEs from National Vulnerability Database (NVD), Open Source Vulnerability Database (OSV), Gitlab Advisory Database (GAD) and RedHat cli.py:832 INFO cve_bin_tool - CVE database last updated on 11 May 2024 at 06:27:28 cli.py:835 INFO cve_bin_tool - Number of checkers: 359 cli.py:1019 INFO cve_bin_tool.VersionScanner - Checkers: accountsservice, acpid, apache_http_server, apcupsd, apparmor, asn1c, assimp, asterisk, atftp, avahi, axel, bash, bind, binutils, bird, bison, bluez, version_scanner.py:113 boinc, botan, bro, bubblewrap, busybox, bwm_ng, bzip2, c_ares, capnproto, ceph, chess, chrony, civetweb, clamav, collectd, commons_compress, connman, coreutils, cpio, cronie, cryptsetup, cups, curl, cvs, darkhttpd, dav1d, davfs2, dbus, debianutils, dhclient, dhcpcd, dhcpd, dmidecode, dnsmasq, docker, domoticz, dosfstools, dotnet, dovecot, doxygen, dpkg, dropbear, e2fsprogs, ed, elfutils, emacs, enscript, exfatprogs, exim, exiv2, f2fs_tools, faad2, fastd, ffmpeg, file, firefox, flac, fluidsynth, freeradius, freerdp, fribidi, frr, gawk, gcc, gdal, gdb, gdk_pixbuf, gimp, git, glib, glibc, gmp, gnomeshell, gnupg, gnutls, go, gpgme, gpsd, graphicsmagick, grep, grub2, gstreamer, gupnp, gvfs, gzip, haproxy, harfbuzz, haserl, hdf5, heimdal, hostapd, hunspell, hwloc, i2pd, icecast, icu, iperf3, ipmitool, ipsec_tools, iptables, irssi, iucode_tool, iwd, jack2, jacksondatabind, janus, jhead, jq, json_c, kbd, keepalived, kerberos, kexectools, kodi, kubernetes, ldns, lftp, libarchive, libass, libbpg, libcoap, libconfuse, libcurl, libdb, libde265, libebml, libevent, libexpat, libgcrypt, libgd, libgit2, libheif, libical, libidn2, libinput, libjpeg, libjpeg_turbo, libksba, liblas, libmatroska, libmemcached, libmicrohttpd, libmodbus, libnss, libpcap, libraw, librsvg, librsync, libsamplerate, libseccomp, libsndfile, libsolv, libsoup, libsrtp, libssh, libssh2, libtasn1, libtiff, libtomcrypt, libupnp, libuv, libvips, libvirt, libvncserver, libvorbis, libvpx, libxslt, lighttpd, linux_kernel, lldpd, logrotate, lrzip, lua, luajit, lxc, lynx, lz4, mailx, mariadb, mbedtls, mdadm, memcached, micropython, minetest, mini_httpd, minicom, minidlna, miniupnpc, miniupnpd, moby, modsecurity, monit, mosquitto, motion, mpg123, mpv, msmtp, mtr, mupdf, mutt, mysql, nano, nasm, nbd, ncurses, neon, nessus, netatalk, netdata, netkit_ftp, netpbm, nettle, nghttp2, nginx, ngircd, nmap, node, ntfs_3g, ntp, ntpsec, open_iscsi, open_vm_tools, openafs, opencv, openjpeg, openldap, opensc, openssh, openssl, openswan, openvpn, p7zip, pango, patch, pcre, pcre2, pcsc_lite, perl, php, picocom, pigz, pixman, png, polarssl_fedora, poppler, postgresql, ppp, privoxy, procps_ng, proftpd, protobuf_c, pspp, pure_ftpd, putty, python, qemu, qpdf, qt, quagga, radare2, radvd, raptor, rauc, rdesktop, readline, rpm, rsync, rsyslog, rtl_433, rtmpdump, runc, rust, samba, sane_backends, sdl, seahorse, shadowsocks_libev, snapd, sngrep, snort, socat, sofia_sip, speex, spice, sqlite, squashfs, squid, sslh, stellarium, strongswan, stunnel, subversion, sudo, suricata, sylpheed, syslogng, sysstat, systemd, tar, tcpdump, tcpreplay, terminology, tesseract, thrift, thttpd, thunderbird, timescaledb, tinyproxy, tor, tpm2_tss, traceroute, transmission, trousers, twonky_server, u_boot, udisks, unbound, unixodbc, upx, util_linux, varnish, vim, vlc, vorbis_tools, vsftpd, webkitgtk, wget, wireshark, wolfssl, wpa_supplicant, xerces, xml2, xscreensaver, xwayland, yasm, zabbix, zchunk, zeek, zlib, znc, zsh, zstandard INFO cve_bin_tool - Number of language checkers: 11 cli.py:1024 INFO cve_bin_tool.VersionScanner - Language Checkers: Dart, Go, Java, Javascript, Perl, Php, Python, R, Ruby, Rust, Swift version_scanner.py:138 INFO cve_bin_tool - Overall CVE summary: cli.py:1059 INFO cve_bin_tool - There are 0 products with known CVEs detected cli.py:1060 ┌──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐ │ CVE BINARY TOOL version: 3.3 │ └──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘ • Report Generated: 2024-05-11 06:59:01 • Time of last update of CVE Data: 2024-05-11 06:27:28 ┌─────────────┐ │ CVE SUMMARY │ └─────────────┘ ┌──────────┬───────┐ │ Severity │ Count │ ├──────────┼───────┤ │ CRITICAL │ 0 │ │ HIGH │ 0 │ │ MEDIUM │ 0 │ │ LOW │ 0 │ │ UNKNOWN │ 0 │ └──────────┴───────┘ ┌─────────────┐ │ CPE SUMMARY │ └─────────────┘ ┌────────┬─────────┬─────────┬────────────────────────────────┬─────────────────────┬─────────────────┬───────────────────┬────────────────┬────────────────────┬──────────────────┐ │ Vendor │ Product │ Version │ Latest Upstream Stable Version │ CRITICAL CVEs Count │ HIGH CVEs Count │ MEDIUM CVEs Count │ LOW CVEs Count │ UNKNOWN CVEs Count │ TOTAL CVEs Count │ ├────────┼─────────┼─────────┼────────────────────────────────┼─────────────────────┼─────────────────┼───────────────────┼────────────────┼────────────────────┼──────────────────┤ └────────┴─────────┴─────────┴────────────────────────────────┴─────────────────────┴─────────────────┴───────────────────┴────────────────┴────────────────────┴──────────────────┘ ┌───────────────────────────────────────────────┐ │ Products with No Identified Vulnerabilities │ └───────────────────────────────────────────────┘ ┌────────┬─────────┬─────────┐ │ Vendor │ Product │ Version │ ├────────┼─────────┼─────────┤ └────────┴─────────┴─────────┘ Z:\zpoubelle\spring4-rest-client-example-master>

[terriko]

So, it looks like the problem may be that we aren't able to parse the version numbers correctly because of the way the file is constructed

https://github.com/waichee/spring4-rest-client-example/blob/master/pom.xml

It's all stuff like this:

    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-core</artifactId>
      <version>${spring.version}</version>

The ${spring.version} is defined above in <properties>, but I'm pretty sure cve-bin-tool is just reading ${spring.version} and not knowing what to do next.

Two potential options

• if this is a common construction we're going to encounter in other projects, you'll want to fix cve_bin_tool/parsers/java.py to expand things like ${spring.version} (patches welcome!)
• if this is unique to this file and not commonly used elsewhere, you may need to run a script or something to expand things so that what's in <version> is the correct version before scanning

That said, I think even if the version is fixed we'll run into the problem I described earlier: the component is listed as org.springframework and the CPE ID associated with those CVES is vmware:spring_framework -- we'll likely need to add some kind of mapping so it knows to connect the two, since a bare text search of springframework isn't smart enough to find spring_framework. Unfortunately, we don't have the infrastructure for that type of mapping yet (though it's coming in a few months as part of GSoC!) so this likely won't be fixed for some time.

[pcouas]

HiI have replace all properties with mvn help:effective-pom but problem still existRegardsenvoyé : 14 mai 2024 à 21:58de : Terri Oda ***@***.***>à : intel/cve-bin-tool ***@***.***>cc : pcouas ***@***.***>, Author ***@***.***>objet : Re: [intel/cve-bin-tool] empty report on java Spring4 project (Issue #4101) So, it looks like the problem may be that we aren't able to parse the version numbers correctly because of the way the file is constructedhttps://github.com/waichee/spring4-rest-client-example/blob/master/pom.xmlIt's all stuff like this: <dependency> <groupId>org.springframework</groupId> <artifactId>spring-core</artifactId> <version>${spring.version}</version>The ${spring.version} is defined above in <properties>, but I'm pretty sure cve-bin-tool is just reading ${spring.version} and not knowing what to do next.Two potential optionsif this is a common construction we're going to encounter in other projects, you'll want to fix cve_bin_tool/parsers/java.py to expand things like ${spring.version} (patches welcome!)if this is unique to this file and not commonly used elsewhere, you may need to run a script or something to expand things so that what's in <version> is the correct version before scanningThat said, I think even if the version is fixed we'll run into the problem I described earlier: the component is listed as org.springframework and the CPE ID associated with those CVES is vmware:spring_framework -- we'll likely need to add some kind of mapping so it knows to connect the two, since a bare text search of springframework isn't smart enough to find spring_framework. Unfortunately, we don't have the infrastructure for that type of mapping yet (though it's coming in a few months as part of GSoC!) so this likely won't be fixed for some time.—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you authored the thread.Message ID: ***@***.***>

[pcouas]

HiI have replace all properties withmvn help:effective-pom>pom.xmlProblem still existRegardsenvoyé : 14 mai 2024 à 21:58de : Terri Oda ***@***.***>à : intel/cve-bin-tool ***@***.***>cc : pcouas ***@***.***>, Author ***@***.***>objet : Re: [intel/cve-bin-tool] empty report on java Spring4 project (Issue #4101) So, it looks like the problem may be that we aren't able to parse the version numbers correctly because of the way the file is constructedhttps://github.com/waichee/spring4-rest-client-example/blob/master/pom.xmlIt's all stuff like this: <dependency> <groupId>org.springframework</groupId> <artifactId>spring-core</artifactId> <version>${spring.version}</version>The ${spring.version} is defined above in <properties>, but I'm pretty sure cve-bin-tool is just reading ${spring.version} and not knowing what to do next.Two potential optionsif this is a common construction we're going to encounter in other projects, you'll want to fix cve_bin_tool/parsers/java.py to expand things like ${spring.version} (patches welcome!)if this is unique to this file and not commonly used elsewhere, you may need to run a script or something to expand things so that what's in <version> is the correct version before scanningThat said, I think even if the version is fixed we'll run into the problem I described earlier: the component is listed as org.springframework and the CPE ID associated with those CVES is vmware:spring_framework -- we'll likely need to add some kind of mapping so it knows to connect the two, since a bare text search of springframework isn't smart enough to find spring_framework. Unfortunately, we don't have the infrastructure for that type of mapping yet (though it's coming in a few months as part of GSoC!) so this likely won't be fixed for some time.—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you authored the thread.Message ID: ***@***.***>

[terriko]

Yeah, as I said before, we don't have a lookup table that tells us that springframework is vmware, springframework in NVD right now. But it's coming! Our GSoC contributors are starting next week and one of them will be working on the framework needed to store and use this kind of mapping. So... the fix is on the way, but it's probably going to take at least another month or two.

The best workaround I can think of is still to put your components in an SBOM and add the CPE metadata yourself (SBOM supports that where pom.xml does not), but I can understand if that's not super appealing. But the fix is coming eventually! Just going to take a while.