The importance of third-party software component analysis (English Software Composition Analysis - SCA) in the development process is growing with the release of annual reports on the vulnerabilities of open source libraries, which are published by Synopsys, Sonatype, Snyk, White Source. According to the report the number of identified vulnerabilities in open source in 2019 increased by almost 1.5 times compared to the previous year, while open source components are used by 60% to 80% of projects. In an independent opinion, SCA processes are a separate practice from OWASP SAMM and BSIMM as a maturity indicator, and in the first half of 2020, OWASP released a new OWASP Software Component Verification Standard (SCVS) that provides best practices for verifying third-party components in the supply chain BY.
One of the most illustrative cases with Equifax in May 2017. Unknown attackers have obtained information about 143 million Americans, including full names, addresses, social security numbers and driver's licenses. In 209 cases, the documents also included information about the bank cards of the victims. This leak occurred as a consequence of the exploitation of a critical vulnerability in Apache Struts 000 (CVE-2-2017), while the fix was released back in March 5638. The company had two months to install the update, but no one bothered about it.
This article will discuss the issue of choosing a tool for conducting SCA in terms of the quality of the analysis results. A functional comparison of the instruments will also be given. We will leave the process of embedding in CI / CD and integration opportunities for subsequent publications. A wide range of tools has been introduced by OWASP , but as part of the current review, we will only touch on the most popular open source Dependency Check tool, the slightly less well-known open source Dependency Track platform, and the Sonatype Nexus IQ Enterprise solution. We will also understand how these solutions work and compare the results obtained for false positives.
Principle of operation
is a utility (CLI, maven, jenkins module, ant) that analyzes project files, collects fragments of information about dependencies (package name, groupid, specification title, version ...), builds a CPE string - (Common Platform Enumeration), Package URL ( PURL) and detects vulnerabilities for CPE/PURL from databases (NVD, Sonatype OSS Index, NPM Audit API…), after which it builds a one-time report in HTML, JSON, XML format…
Consider what CPE looks like:
cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other- Part: An indication that the component belongs to the application (a), operating system (o), hardware (h) (Required item)
- Vendor: Name of the manufacturer of the product (Required item)
- Product: Product Name (Required)
- Component version (Deprecated item)
- Update: Package update
- Edition: Inherited version (Deprecated item)
- Language: Language defined in RFC-5646
- SW Edition: Software version
- Target SW: The software environment in which the product runs
- Target HW: Hardware environment where the product is running
- Other: Supplier or product information
An example CPE looks like this:
cpe:2.3:a:pivotal_software:spring_framework:3.0.0:*:*:*:*:*:*:*
The string means that CPE version 2.3 describes an application component from the manufacturer pivotal_software with the name spring_framework version 3.0.0. If we open a vulnerability in NVD, we can see the mention of this CPE. The first problem that you should immediately pay attention to is that CVE in NVD, according to CPE, reports the presence of a problem in the framework, and not in a specific component. That is, if the developers are tightly tied to the framework, and the identified vulnerability does not apply to the modules that the developers use, the security specialist will somehow have to disassemble this CVE and think about updating.
The URL is also used by the SCA tools. The package URL format is as follows:
scheme:type/namespace/name@version?qualifiers#subpath- Scheme: There will always be 'pkg' indicating that this is a package URL (Required)
- Type: The "type" of the package, or the "protocol" of the package, such as maven, npm, nuget, gem, pypi, etc. (required item)
- namespace: Some name prefix, such as a Maven group ID, Docker image owner, GitHub user or organization. Optional and depends on the type.
- Name: Package Name (Required)
- Package version
- Qualifiers: Additional qualification data for the package, such as OS, architecture, distribution, etc. Optional and type-specific item.
- subpath: Additional path in the package relative to the root of the package
For example:
pkg:golang/google.golang.org/genproto#googleapis/api/annotations
pkg:maven/org.apache.commons/[email protected]
pkg:pypi/[email protected]— on-premise web platform that accepts ready-made Bill of Materials (BOM) generated и , that is, ready-made specifications about the available dependencies. This is an XML file with a description of dependencies - name, hashes, package url, publisher, license. Next, Dependency Track parses the BOM, looks at the CVEs available for the identified dependencies from the vulnerability database (NVD, Sonatype OSS Index ...), and then builds graphs, calculates metrics, regularly updating data on the vulnerability status of the components.
An example of what a BOM might look like in XML format:
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1">
<components>
<component type="library">
<publisher>Apache</publisher>
<group>org.apache.tomcat</group>
<name>tomcat-catalina</name>
<version>9.0.14</version>
<hashes>
<hash alg="MD5">3942447fac867ae5cdb3229b658f4d48</hash>
<hash alg="SHA-1">e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a</hash>
<hash alg="SHA-256">f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b</hash>
<hash alg="SHA-512">e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282</hash>
</hashes>
<licenses>
<license>
<id>Apache-2.0</id>
</license>
</licenses>
<purl>pkg:maven/org.apache.tomcat/[email protected]</purl>
</component>
<!-- More components here -->
</components>
</bom>BOM can be used not only as input parameters for Dependency Track, but also for inventorying software components in the supply chain, for example, for providing software to a customer. In 2014, a law was even proposed for consideration in the United States , which said that when purchasing software, any state. an institution must request a BOM to prevent the use of vulnerable components, but the act has not entered into force.
Back to SCA, Dependency Track has out-of-the-box integrations with Notification Platforms like Slack, vulnerability management systems like Kenna Security. It's also worth mentioning that Dependency Track also detects obsolete versions of packages and provides information about licenses (due to SPDX support).
If we talk specifically about the quality of SCA, then there is a fundamental difference.
Dependency Track does not accept a project as an input, but rather a BOM. This means that if we want to test the project, we first need to generate bom.xml, for example with CycloneDX. Thus, Dependency Track directly depends on CycloneDX. At the same time, it allows for customization. So the OZON team wrote to build BOM files for Golang projects for further scanning through Dependency Track.
is a commercial SCA solution from Sonatype, which is part of the Sonatype ecosystem, which also includes the Nexus Repository Manager. Nexus IQ can accept as input both war archives (for java projects) via the web interface or API, and BOM if your organization has not had time to switch from CycloneDX to a new solution. Unlike open source solutions, IQ not only refers to the CP / PURL to the identified component and the corresponding vulnerability in the database, but also takes into account its own research, for example, the name of the vulnerable function or class. The mechanisms of IQ will be discussed later in the analysis of the results.
Let's sum up some of the functional features, and also consider the supported languages for analysis:
Language
Nexus IQ
Dependency Check
Dependency Track
Java
+
+
+
C / C ++
+
+
—
C#
+
+
—
. Net
+
+
+
Erlang
—
—
+
JavaScript (NodeJS)
+
+
+
PHP
+
+
+
Python
+
+
+
Ruby
+
+
+
Perl
—
—
—
Ladder
+
+
+
Objective C
+
+
—
Swift
+
+
—
R
+
—
—
Go
+
+
+
Functionality
Functionality
Nexus IQ
Dependency Check
Dependency Track
The ability to ensure that the components used in the source code are checked for license purity
+
—
+
Ability to scan and analyze for vulnerabilities and license cleanliness for Docker images
+ Integration with Clair
—
—
Ability to configure security policy to use open source libraries
+
—
—
Ability to scan open source repositories for vulnerable components
+ RubyGems, Maven, NPM, Nuget, Pypi, Conan, Bower, Conda, Go, p2, R, Yum, Helm, Docker, CocoaPods, Git LFS
—
+ Hex, RubyGems, Maven, NPM, Nuget, Pypi
Availability of a dedicated research team
+
—
—
Operation in a closed circuit
+
+
+
Using Third Party Databases
+ Closed database Sonatype
+ Sonatype OSS, NPM Public Advisors
+ Sonatype OSS, NPM Public Advisors, RetireJS, VulnDB, own vulnerability database support
Ability to filter open source components when attempting to upload to development loop according to configured policies
+
—
—
Recommendations for fixing vulnerabilities, availability of links to the fix
+
+- (depends on description in public databases)
+- (depends on description in public databases)
Ranking of discovered vulnerabilities by criticality
+
+
+
Role access model
+
—
+
CLI support
+
+
+- (CycloneDX only)
Selection / sorting of vulnerabilities according to defined criteria
+
—
+
Dashboard by Application Status
+
—
+
Report generation in PDF format
+
—
—
Report generation in JSONCSV format
+
+
—
Russian language support
—
—
—
Integration options
Integration
Nexus IQ
Dependency Check
Dependency Track
Integration with LDAP/Active Directory
+
—
+
Bamboo continuous integration integration
+
—
—
Integration with continuous integration system (continous integration) TeamCity
+
—
—
Integration with the continuous integration system (continous integration) GitLab
+
+- (as a plugin for GitLab)
+
Integration with continuous integration system (continous integration) Jenkins
+
+
+
Availability of IDE plugins
+ IntelliJ, Eclipse, Visual Studio
—
—
Support for custom integration via web-services (API) of the tool
+
—
+
Dependency Check
First start
Run Dependency Check on a deliberately vulnerable application .
For this we use :
mvn org.owasp:dependency-check-maven:checkAs a result, dependency-check-report.html will appear in the target directory.
Let's open the file. After a summary of the total number of vulnerabilities, we can see information about vulnerabilities with a high level of Severity and Confidence, indicating the package, CPE, number of CVEs.
More detailed information follows, in particular, on the basis of which the decision was made (evidence), that is, a certain BOM.
Next comes CPE, PURL and a description of CVE. By the way, recommendations for fixing are not attached due to their absence in the NVD database.
To systematically view scan results, you can configure Nginx with minimal settings, or send the received defects to a defect management system that supports Dependency Check connectors. For example, Defect Dojo.
Dependency Track
Installation
Dependency Track, in turn, is a web-based platform with display graphs, so there is no acute issue of storing defects in a third-party solution.
There are following supported scenarios for installation: Docker, WAR, Executable WAR.
First start
Go to the URL of the running service. We enter through admin / admin, change the login and password, after which we get to the Dashboard. The next thing we will do is create a project for a Java test application in Home/Projects → Create Project . Let's take DVJA as an example.
Since Dependency Track can only take BOM as input, this BOM must be retrieved. Let's use :
mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBomWe get bom.xml and load the file in the created project DVJA → Dependencies → Upload BOM.
Let's go to Administration → Analyzers. We understand that we only have the Internal Analyzer enabled, which includes NVD. Let's also connect Sonatype OSS Index.
Thus, we get the following picture for our project:
Also in the list you can find one vulnerability applicable to Sonatype OSS:
The main disappointment was that Dependency Track no longer accepts Dependency Check xml reports. The latest supported versions of Dependency Check integration were 1.0.0 - 4.0.2 while I tested 5.3.2.
Here (And ) when it was still possible.
Nexus IQ
First start
The Nexus IQ installation comes from the software archives , but we have compiled a Docker image for this purpose.
After logging into the console, you need to create an Organization and an Application.
As you can see, the configuration in the case of IQ is somewhat more complicated, because we also need to create policies that are applicable to different “stages” (dev, build, stage, release). This is necessary to block vulnerable components as they move closer to the production pipeline, or block as soon as they get into the Nexus Repo when downloaded by developers.
To feel the difference between open source and enterprise, let's perform the same scan through Nexus IQ in the same way through , having previously created a test application in the NexusIQ interface dvja-test-and-compare:
mvn com.sonatype.clm:clm-maven-plugin:evaluate -Dclm.applicationId=dvja-test-and-compare -Dclm.serverUrl=<NEXUSIQIP> -Dclm.username=<USERNAME> -Dclm.password=<PASSWORD>
Follow the URL to the generated report in the IQ web interface:
Here you can see all policy violations with different severity levels (from Info to Security Critical). The letter D next to the component means that the component is Direct Dependency, and the letter T next to the component means that the component is Transitive Dependency, that is, it is transitive.
By the way, the report from Snyk reports that more than 70% of open source vulnerabilities found in Node.js, Java and Ruby are in transitive dependencies.
If we open one of the Nexus IQ policy violations, we can see the description of the component, as well as the Version Graph, which shows the location of the current version on the time graph, as well as at what point the vulnerability ceases to be vulnerable. The height of the candles on the graph shows the popularity of using this component.
If you go to the vulnerabilities section and open the CVE, you can read the description of this vulnerability, recommendations for remediation, as well as the reason why this component was violated, that is, the presence of the class DiskFileitem.class.
Let's summarize only the third-party Java components by removing the js components. In parentheses, we indicate the number of those vulnerabilities that were found outside of NVD.
Total Nexus IQ:
- Dependencies Scanned: 62
- Vulnerable Dependencies: 16
- Vulnerabilities Found: 42 (8 sonatype db)
Total Dependency Check:
- Dependencies Scanned: 47
- Vulnerable Dependencies: 13
- Vulnerabilities Found: 91 (14 sonatype oss)
Total Dependency Track:
- Dependencies Scanned: 59
- Vulnerable Dependencies: 10
- Vulnerabilities Found: 51 (1 sonatype oss)
The next step is to analyze the results and figure out which of these vulnerabilities is a real defect and which is a false positive.
Disclaimer
This review is not an indisputable truth. The author did not have a goal to single out a separate instrument against the background of others. The purpose of the review was to show how the SCA tools work and how to check their results.
Comparison of results
Requirements:
False positives for third-party component vulnerabilities are:
- CVE mismatch to identified component
- For example, if a vulnerability is found in the struts2 framework, and the tool points to a component of the struts-tiles framework that is not affected by this vulnerability, then this is a false positive
- CVE mismatch to detected component version
- For example, the vulnerability is tied to python version > 3.5 and the tool marks version 2.7 as vulnerable - this is false positive, since in fact the vulnerability only applies to the 3.x product branch
- Duplication of CVEs
- For example, if the SCA points to a CVE that allows an RCE to be implemented, then the SCA points to the same CVE that applies to Cisco products that are subject to that RCE. In this case, it will be false positive.
- For example, a CVE was found in the spring-web component, after which SCA points to the same CVE in other components of the Spring Framework, while the CVE has nothing to do with other components. In this case, it will be false positive.
The object of research is the Open Source project DVJA. The study involved only java components (without js).
Summary results
Let's move on to the result of a manual review of the identified vulnerabilities. A full report for each CVE can be found in the Appendix.
Summary results for all vulnerabilities:
Parameter
Nexus IQ
Dependency Check
Dependency Track
Total vulnerabilities identified
42
91
51
Incorrectly identified vulnerabilities (false positive)
2 (4.76%)
62 (68,13%)
29 (56.86%)
No relevant vulnerabilities found (false negative)
10
20
27
Summary results by components:
Parameter
Nexus IQ
Dependency Check
Dependency Track
Total Components Revealed
62
47
59
Total Vulnerable Components
16
13
10
Vulnerable components are incorrectly identified (false positive)
1
5
0
Vulnerable components are incorrectly identified (false positive)
0
6
6
Let's build visual graphs to estimate the ratio of false positive and false negative to the total number of vulnerabilities. Components are marked horizontally, and vulnerabilities identified in them are marked vertically.
In comparison, a similar study was conducted by the Sonatype team testing a project of 1531 components using the OWASP Dependency Check. As we can see, the ratio of noise to correct responses is consistent with our results.
Source:
Let's take a look at some of the CVEs from our scan results to understand the reason for such results.
Details
№ 1
Let's first analyze some interesting points of the Sonatype Nexus IQ.
Nexus IQ points out a deserialization issue with the ability to RCE multiple times in Spring Framework. CVE-2016-1000027 in spring-web:3.0.5 for the first time, and CVE-2011-2894 in spring-context:3.0.5 and spring-core:3.0.5. At first, it seems that there is a duplication of the vulnerability across several CVEs. For, if you look at CVE-2016-1000027 and CVE-2011-2894 in the NVD database, it seems that everything is obvious
Component
Vulnerability
spring-web:3.0.5
CVE-2016-1000027
spring-context:3.0.5
CVE-2011-2894
spring-core:3.0.5
CVE-2011-2894
Description from nvd:
Description from nvd:
CVE-2011-2894 is pretty well known by itself. In the report this CVE has been recognized as one of the most common. Descriptions for CVE-2016-100027 are, in principle, few in NVD, and it seems to be applicable only for Spring Framework 4.1.4. Let's take a look at and here it becomes more or less clear. From We understand that in addition to vulnerability in RemoteInvocationSerializingExporter in CVE-2011-2894, the vulnerability is seen in HttpInvokerServiceExporter. This is what Nexus IQ tells us:
However, there is nothing like this in NVD, which is why Dependency Check and Dependency Track receive false negatives.
It can also be understood from the description of CVE-2011-2894 that the vulnerability is indeed present in both spring-context:3.0.5 and spring-core:3.0.5. Confirmation of this can be found in the article from the one who found this vulnerability.
№ 2
Component
Vulnerability
Experience the Power of Effective Results
struts2-core:2.3.30
CVE-2016-4003
FALSE
If we study the CVE-2016-4003 vulnerability, we will understand that it was fixed in version 2.3.28, nevertheless Nexus IQ informs us about it. There is a note in the description of the vulnerability:
That is, the vulnerability exists only in conjunction with an outdated version of the JRE, which they decided to warn us about. Nevertheless, we consider it False Positive, although not the most terrible.
№ 3
Component
Vulnerability
Experience the Power of Effective Results
xwork-core:2.3.30
CVE-2017-9804
TRUE CODE
xwork-core:2.3.30
CVE-2017-7672
FALSE
If we look at the description for CVE-2017-9804 and CVE-2017-7672, we will understand that the problem is in URLValidator class, with CVE-2017-9804 stemming from CVE-2017-7672. The presence of the second vulnerability does not carry any payload, except that its severity has grown to High, so this can be considered unnecessary noise.
Overall, no other false positives were found for the Nexus IQ.
№ 4
There are a few things that make IQ stand out from other solutions.
Component
Vulnerability
Experience the Power of Effective Results
spring-web:3.0.5
CVE-2020-5398
TRUE CODE
The CVE in NVD says that it only applies to versions 5.2.x to 5.2.3, 5.1.x to 5.1.13, and versions 5.0.x to 5.0.16, however, if we look at the CVE description in Nexus IQ, then we will see the following:
Advisory Deviation Notice: The Sonatype security research team discovered that this vulnerability was introduced in version 3.0.2.RELEASE and not 5.0.x as stated in the advisory.
This is followed by a PoC for this vulnerability, which states that it is present in version 3.0.5.
False negative is sent to Dependency Check and Dependency Track.
№ 5
Let's look at false positive for Dependency Check and Dependency Track.
Dependency Check stands out in particular because it reflects those CVEs that apply to the entire framework in NVD to those components to which these CVEs do not apply. This applies to CVE-2012-0394, CVE-2013-2115, CVE-2014-0114, CVE-2015-0899, CVE-2015-2992, CVE-2016-1181, CVE-2016-1182, which Dependency Check “fastened” to struts-taglib:1.3.8 and struts-tiles-1.3.8. These components have nothing to do with what is described in CVE - request processing, page validation, and so on. This is due to the fact that only the framework is common between these CVEs and components, which is why Dependency Check considered this a vulnerability.
Same situation with spring-tx:3.0.5, and similar situation with struts-core:1.3.8. For struts-core, Dependency Check and Dependency Track found a lot of vulnerabilities that actually apply to struts2-core, which is essentially a separate framework. In this case, Nexus IQ correctly understood the picture and in those CVEs that it issued, indicated that struts-core had come end of life and it was necessary to switch to struts2-core.
№ 6
In some situations, treating an explicit Dependency Check and Dependency Track error is unfair. In particular CVE-2013-4152, CVE-2013-6429, CVE-2013-6430, CVE-2013-7315, CVE-2014-0054, CVE-2014-0225, CVE-2014-0225 which are Dependency Check and Dependency Track referred to spring-core:3.0.5 actually refer to spring-web:3.0.5. At the same time, some of these CVEs were found by Nexus IQ, however, IQ correctly identified them to another component. From the fact that these vulnerabilities were not found in spring-core, it cannot be argued that they are not in the framework in principle, and open source tools rightly pointed out these vulnerabilities (they just missed a little).
Conclusions
As we can see, the determination of the reliability of identified vulnerabilities by manual review does not give unambiguous results, which causes controversial issues. The results are that the Nexus IQ solution has the lowest false positive rate and the highest accuracy.
First of all, this is due to the fact that the Sonatype team expanded the description for each CVE vulnerability from NVD in their databases, indicating, up to the class or function of the vulnerability for a particular version of the component, having carried out additional research (for example, by checking vulnerabilities on older software versions).
An important influence on the results is also played by those vulnerabilities that were not included in NVD, but nevertheless are present in the Sonatype database marked SONATYPE. According to the report 45% of discovered open source vulnerabilities are not reported to NVD. According to the WhiteSource database, only 29% of all open source vulnerabilities filed outside of NVD end up being published there, which is why it's so important to look elsewhere for vulnerabilities as well.
As a result, Dependency Check generates a lot of noise, missing some of the vulnerable components. Dependency Track produces less noise and detects a large number of components, which does not visually hurt the eyes in the web interface.
Nevertheless, practice shows that it is open source that should become the first steps towards a mature DevSecOps. The first thing to think about for embedding SCA in development is processes, namely, thinking with management and related departments about what ideal processes should look like in your organization. It may turn out that for your organization, at first, Dependency Check or Dependency Track will cover all business needs, and Enterprise solutions will be a logical continuation due to the growing complexity of applications being developed.
Appendix A. Results for Components
Symbols:
- High - high and critical level vulnerabilities in the component
- Medium — Medium severity vulnerabilities in the component
- TRUE - True positive issue
- FALSE - False positive issue
Component
Nexus IQ
Dependency Check
Dependency Track
Experience the Power of Effective Results
dom4j:1.6.1
High
High
High
TRUE CODE
log4j-core: 2.3
High
High
High
TRUE CODE
log4j: 1.2.14
High
High
—
TRUE CODE
commons-collections:3.1
High
High
High
TRUE CODE
commons-fileupload:1.3.2
High
High
High
TRUE CODE
commons-beanutils:1.7.0
High
High
High
TRUE CODE
commons-codec:1:10
Medium
—
—
TRUE CODE
mysql-connector-java:5.1.42
High
High
High
TRUE CODE
spring-expression:3.0.5
High
component not found
TRUE CODE
spring-web:3.0.5
High
component not found
High
TRUE CODE
spring-context:3.0.5
Medium
component not found
—
TRUE CODE
spring-core:3.0.5
Medium
High
High
TRUE CODE
struts2-config-browser-plugin:2.3.30
Medium
—
—
TRUE CODE
spring-tx:3.0.5
—
High
—
FALSE
struts-core:1.3.8
High
High
High
TRUE CODE
xwork-core: 2.3.30
High
—
—
TRUE CODE
struts2-core: 2.3.30
High
High
High
TRUE CODE
struts-taglib:1.3.8
—
High
—
FALSE
struts-tiles-1.3.8
—
High
—
FALSE
Appendix B. Vulnerability Results
Symbols:
- High - high and critical level vulnerabilities in the component
- Medium — Medium severity vulnerabilities in the component
- TRUE - True positive issue
- FALSE - False positive issue
Component
Nexus IQ
Dependency Check
Dependency Track
Severity
Experience the Power of Effective Results
Comment
dom4j:1.6.1
CVE-2018-1000632
CVE-2018-1000632
CVE-2018-1000632
High
TRUE CODE
CVE-2020-10683
CVE-2020-10683
CVE-2020-10683
High
TRUE CODE
log4j-core: 2.3
CVE-2017-5645
CVE-2017-5645
CVE-2017-5645
High
TRUE CODE
CVE-2020-9488
CVE-2020-9488
CVE-2020-9488
low
TRUE CODE
log4j: 1.2.14
CVE-2019-17571
CVE-2019-17571
—
High
TRUE CODE
—
CVE-2020-9488
—
low
TRUE CODE
SONATYPE-2010-0053
—
—
High
TRUE CODE
commons-collections:3.1
—
CVE-2015-6420
CVE-2015-6420
High
FALSE
Duplicates RCE(OSSINDEX)
—
CVE-2017-15708
CVE-2017-15708
High
FALSE
Duplicates RCE(OSSINDEX)
SONATYPE-2015-0002
RCE (OSSINDEX)
RCE(OSSINDEX)
High
TRUE CODE
commons-fileupload:1.3.2
CVE-2016-1000031
CVE-2016-1000031
CVE-2016-1000031
High
TRUE CODE
SONATYPE-2014-0173
—
—
Medium
TRUE CODE
commons-beanutils:1.7.0
CVE-2014-0114
CVE-2014-0114
CVE-2014-0114
High
TRUE CODE
—
CVE-2019-10086
CVE-2019-10086
High
FALSE
Vulnerability is applicable only for versions 1.9.2+
commons-codec:1:10
SONATYPE-2012-0050
—
—
Medium
TRUE CODE
mysql-connector-java:5.1.42
CVE-2018-3258
CVE-2018-3258
CVE-2018-3258
High
TRUE CODE
CVE-2019-2692
CVE-2019-2692
—
Medium
TRUE CODE
—
CVE-2020-2875
—
Medium
FALSE
The same vulnerability as CVE-2019-2692, but with the addition "attacks may significantly impact additional products"
—
CVE-2017-15945
—
High
FALSE
Does not apply to mysql-connector-java
—
CVE-2020-2933
—
low
FALSE
Duplicate to CVE-2020-2934
CVE-2020-2934
CVE-2020-2934
—
Medium
TRUE CODE
spring-expression:3.0.5
CVE-2018-1270
component not found
—
High
TRUE CODE
CVE-2018-1257
—
—
Medium
TRUE CODE
spring-web:3.0.5
CVE-2016-1000027
component not found
—
High
TRUE CODE
CVE-2014-0225
—
CVE-2014-0225
High
TRUE CODE
CVE-2011-2730
—
—
High
TRUE CODE
—
—
CVE-2013-4152
Medium
TRUE CODE
CVE-2018-1272
—
—
High
TRUE CODE
CVE-2020-5398
—
—
High
TRUE CODE
Case in point in favor of IQ: "The Sonatype security research team discovered that this vulnerability was introduced in version 3.0.2.RELEASE and not 5.0.x as stated in the advisory."
CVE-2013-6429
—
—
Medium
TRUE CODE
CVE-2014-0054
—
CVE-2014-0054
Medium
TRUE CODE
CVE-2013-6430
—
—
Medium
TRUE CODE
spring-context:3.0.5
CVE-2011-2894
component not found
—
Medium
TRUE CODE
spring-core:3.0.5
—
CVE-2011-2730
CVE-2011-2730
High
TRUE CODE
CVE-2011-2894
CVE-2011-2894
CVE-2011-2894
Medium
TRUE CODE
—
—
CVE-2013-4152
Medium
FALSE
Duplicate of the same vulnerability in spring-web
—
CVE-2013-4152
—
Medium
FALSE
The vulnerability relates to the spring-web component
—
CVE-2013-6429
CVE-2013-6429
Medium
FALSE
The vulnerability relates to the spring-web component
—
CVE-2013-6430
—
Medium
FALSE
The vulnerability relates to the spring-web component
—
CVE-2013-7315
CVE-2013-7315
Medium
FALSE
SPLIT from CVE-2013-4152. + The vulnerability relates to the spring-web component
—
CVE-2014-0054
CVE-2014-0054
Medium
FALSE
The vulnerability relates to the spring-web component
—
CVE-2014-0225
—
High
FALSE
The vulnerability relates to the spring-web component
—
—
CVE-2014-0225
High
FALSE
Duplicate of the same vulnerability in spring-web
—
CVE-2014-1904
CVE-2014-1904
Medium
FALSE
The vulnerability relates to the spring-web-mvc component
—
CVE-2014-3625
CVE-2014-3625
Medium
FALSE
The vulnerability relates to the spring-web-mvc component
—
CVE-2016-9878
CVE-2016-9878
High
FALSE
The vulnerability relates to the spring-web-mvc component
—
CVE-2018-1270
CVE-2018-1270
High
FALSE
For spring-expression / spring-messages
—
CVE-2018-1271
CVE-2018-1271
Medium
FALSE
The vulnerability relates to the spring-web-mvc component
—
CVE-2018-1272
CVE-2018-1272
High
TRUE CODE
CVE-2014-3578
CVE-2014-3578(OSSINDEX)
CVE-2014-3578
Medium
TRUE CODE
SONATYPE-2015-0327
—
—
low
TRUE CODE
struts2-config-browser-plugin:2.3.30
SONATYPE-2016-0104
—
—
Medium
TRUE CODE
spring-tx:3.0.5
—
CVE-2011-2730
—
High
FALSE
The vulnerability does not apply to spring-tx
—
CVE-2011-2894
—
High
FALSE
The vulnerability does not apply to spring-tx
—
CVE-2013-4152
—
Medium
FALSE
The vulnerability does not apply to spring-tx
—
CVE-2013-6429
—
Medium
FALSE
The vulnerability does not apply to spring-tx
—
CVE-2013-6430
—
Medium
FALSE
The vulnerability does not apply to spring-tx
—
CVE-2013-7315
—
Medium
FALSE
The vulnerability does not apply to spring-tx
—
CVE-2014-0054
—
Medium
FALSE
The vulnerability does not apply to spring-tx
—
CVE-2014-0225
—
High
FALSE
The vulnerability does not apply to spring-tx
—
CVE-2014-1904
—
Medium
FALSE
The vulnerability does not apply to spring-tx
—
CVE-2014-3625
—
Medium
FALSE
The vulnerability does not apply to spring-tx
—
CVE-2016-9878
—
High
FALSE
The vulnerability does not apply to spring-tx
—
CVE-2018-1270
—
High
FALSE
The vulnerability does not apply to spring-tx
—
CVE-2018-1271
—
Medium
FALSE
The vulnerability does not apply to spring-tx
—
CVE-2018-1272
—
Medium
FALSE
The vulnerability does not apply to spring-tx
struts-core:1.3.8
—
CVE-2011-5057(OSSINDEX)
Medium
FASLE
Vulnerability to Struts 2
—
CVE-2012-0391(OSSINDEX)
CVE-2012-0391
High
FALSE
Vulnerability to Struts 2
—
CVE-2014-0094(OSSINDEX)
CVE-2014-0094
Medium
FALSE
Vulnerability to Struts 2
—
CVE-2014-0113(OSSINDEX)
CVE-2014-0113
High
FALSE
Vulnerability to Struts 2
CVE-2016-1182
3VE-2016-1182
—
High
TRUE CODE
—
—
CVE-2011-5057
Medium
FALSE
Vulnerability to Struts 2
—
CVE-2012-0392(OSSINDEX)
CVE-2012-0392
High
FALSE
Vulnerability to Struts 2
—
CVE-2012-0393(OSSINDEX)
CVE-2012-0393
Medium
FALSE
Vulnerability to Struts 2
CVE-2015-0899
CVE-2015-0899
—
High
TRUE CODE
—
CVE-2012-0394
CVE-2012-0394
Medium
FALSE
Vulnerability to Struts 2
—
CVE-2012-0838(OSSINDEX)
CVE-2012-0838
High
FALSE
Vulnerability to Struts 2
—
CVE-2013-1965(OSSINDEX)
CVE-2013-1965
High
FALSE
Vulnerability to Struts 2
—
CVE-2013-1966(OSSINDEX)
CVE-2013-1966
High
FASLE
Vulnerability to Struts 2
—
CVE-2013-2115
CVE-2013-2115
High
FASLE
Vulnerability to Struts 2
—
CVE-2013-2134(OSSINDEX)
CVE-2013-2134
High
FASLE
Vulnerability to Struts 2
—
CVE-2013-2135(OSSINDEX)
CVE-2013-2135
High
FASLE
Vulnerability to Struts 2
CVE-2014-0114
CVE-2014-0114
—
High
TRUE CODE
—
CVE-2015-2992
CVE-2015-2992
Medium
FALSE
Vulnerability to Struts 2
—
CVE-2016-0785(OSSINDEX)
CVE-2016-0785
High
FALSE
Vulnerability to Struts 2
CVE-2016-1181
CVE-2016-1181
—
High
TRUE CODE
—
CVE-2016-4003(OSSINDEX)
CVE-2016-4003
High
FALSE
Vulnerability to Struts 2
xwork-core:2.3.30
CVE-2017-9804
—
—
High
TRUE CODE
SONATYPE-2017-0173
—
—
High
TRUE CODE
CVE-2017-7672
—
—
High
FALSE
Double to CVE-2017-9804
SONATYPE-2016-0127
—
—
High
TRUE CODE
struts2-core:2.3.30
—
CVE-2016-6795
CVE-2016-6795
High
TRUE CODE
—
CVE-2017-9787
CVE-2017-9787
High
TRUE CODE
—
CVE-2017-9791
CVE-2017-9791
High
TRUE CODE
—
CVE-2017-9793
—
High
FALSE
Duplicate to CVE-2018-1327
—
CVE-2017-9804
—
High
TRUE CODE
—
CVE-2017-9805
CVE-2017-9805
High
TRUE CODE
CVE-2016-4003
—
—
Medium
FALSE
Applies to Apache Struts 2.x up to 2.3.28, which is version 2.3.30. However, based on the description, CVE works on all versions of Struts 2 as long as JRE 1.7 and below is used. Apparently they decided to reinsure us here, but it looks more like FALSE
—
CVE-2018-1327
CVE-2018-1327
High
TRUE CODE
CVE-2017-5638
CVE-2017-5638
CVE-2017-5638
High
TRUE CODE
The same vulnerability exploited by attackers in Equifax in 2017
CVE-2017-12611
CVE-2017-12611
—
High
TRUE CODE
CVE-2018-11776
CVE-2018-11776
CVE-2018-11776
High
TRUE CODE
struts-taglib:1.3.8
—
CVE-2012-0394
—
Medium
FALSE
For struts2-core
—
CVE-2013-2115
—
High
FALSE
For struts2-core
—
CVE-2014-0114
—
High
FALSE
For commons-beanutils
—
CVE-2015-0899
—
High
FALSE
Not related to taglib
—
CVE-2015-2992
—
Medium
FALSE
Related to struts2-core
—
CVE-2016-1181
—
High
FALSE
Not related to taglib
—
CVE-2016-1182
—
High
FALSE
Not related to taglib
struts-tiles-1.3.8
—
CVE-2012-0394
—
Medium
FALSE
For struts2-core
—
CVE-2013-2115
—
High
FALSE
For struts2-core
—
CVE-2014-0114
—
High
FALSE
Under commons-beanutils
—
CVE-2015-0899
—
High
FALSE
Does not apply to tiles
—
CVE-2015-2992
—
Medium
FALSE
For struts2-core
—
CVE-2016-1181
—
High
FALSE
Not related to taglib
—
CVE-2016-1182
—
High
FALSE
Not related to taglib
Source: habr.com