fix(fp): Fix more common false positives for popular PHP/composer frameworks with generic names#7994
Conversation
This comment was marked as resolved.
This comment was marked as resolved.
@chadlwilson thanks for your PR 🙏 I ran it locally and in example case of #7984 it reduced 1040 findings across 35 dependencies to 36 findings across 14 dependencies (30 findings across 13 dependencies with the suggestion). |
This comment was marked as resolved.
This comment was marked as resolved.
Sure, here are remaining packages grouped by CPEs (my suggestion already included) Package IDs grouped by CPEpackageIdsGroupedByVulnerabilityId.json {
"cpe:2.3:a:authenticator:authenticator:7.6.0:*:*:*:*:*:*:*": [
"pkg:composer/scheb/[email protected]"
],
"cpe:2.3:a:authenticator_project:authenticator:7.6.0:*:*:*:*:*:*:*": [
"pkg:composer/scheb/[email protected]"
],
"cpe:2.3:a:archive_project:archive:1.5.0:*:*:*:*:*:*:*": [
"pkg:composer/pear/[email protected]"
],
"cpe:2.3:a:tar_project:tar:1.5.0:*:*:*:*:*:*:*": [
"pkg:composer/pear/[email protected]"
],
"cpe:2.3:a:lookup:lookup:3.0.0:*:*:*:*:*:*:*": [
"pkg:composer/sebastian/[email protected]"
],
"cpe:2.3:a:file_project:file:1.0.4:*:*:*:*:*:*:*": [
"pkg:composer/pimcore/[email protected]"
],
"cpe:2.3:a:finder_project:finder:6.4.24:*:*:*:*:*:*:*": [
"pkg:composer/symfony/[email protected]"
],
"cpe:2.3:a:htmlsanitizer_project:htmlsanitizer:6.4.18:*:*:*:*:*:*:*": [
"pkg:composer/symfony/[email protected]"
],
"cpe:2.3:a:newsletter:newsletter:1.2.0:*:*:*:*:*:*:*": [
"pkg:composer/pimcore/[email protected]"
],
"cpe:2.3:a:newsletter_project:newsletter:1.2.0:*:*:*:*:*:*:*": [
"pkg:composer/pimcore/[email protected]"
],
"cpe:2.3:a:pear:pear:1.10.16:*:*:*:*:*:*:*": [
"pkg:composer/pear/[email protected]"
],
"cpe:2.3:a:git-php_project:git-php:1.0.3:*:*:*:*:*:*:*": [
"pkg:composer/gal-digital-gmbh/[email protected]"
],
"cpe:2.3:a:file_project:file:4.1.0:*:*:*:*:*:*:*": [
"pkg:composer/phpunit/[email protected]"
],
"cpe:2.3:a:php-proxy:php-proxy:1.0.18:*:*:*:*:*:*:*": [
"pkg:composer/friendsofphp/[email protected]"
],
"cpe:2.3:a:sitemap_project:sitemap:2.0.1:*:*:*:*:*:*:*": [
"pkg:composer/gal-digital-gmbh/[email protected]"
],
"cpe:2.3:a:sitemap_project:sitemap:4.1.3:*:*:*:*:*:*:*": [
"pkg:composer/presta/[email protected]"
]
} |
|
OK, all but one of those are separate so I'll probably leave them for now. Feel free to suggest a PR to suppress them. You'll see some existing suppressions for the various
I am not sure if I agree that this is a false positive - and I intentionally excluded it from the suppressions. Since it is released and versioned alongside https://github.com/pear/pear-core-minimal It may indeed lead to false positives for some vulns affecting non minimal pieces. Unless the minimal variant is managed with a different CPE I'm not sure we can safely suppress this for all CVEs. |
…t part of core product Signed-off-by: Chad Wilson <[email protected]>
… frameworks Signed-off-by: Chad Wilson <[email protected]>
d2d4634 to
6b06246
Compare
I agree with you that this should be decided based on the underlying vulnerability. |
Description of Change
As discussed in #7984 there are a large number of FPs for common PHP frameworks/libs right now due to the vendor name being commonly part of the package, and individual modules often being independently versioned.
Most major frameworks appear to have different CPEs for the additional modules within NVD, so this should be low risk.
This builds upon and extends #7543. Should address most FPs from composer packages for
Related issues
Have test cases been added to cover the new functionality?
no - regexes tested via https://regexr.com/ and manually tested with ODC by @GALHP