npm modules that contain the name of a CPE are falsely identified in v6.0.0 #2796

Closed · aarongoldenthal opened this issue Sep 7, 2020 · 3 comments

aarongoldenthal commented Sep 7, 2020

Numerous npm modules that contain the name of a package with a valid CPE are falsely identified as that CPE in v6.0.0 (cli). This did not occur with v5.3.2. See some examples below:

|Dependency                                 |Vulnerability IDs (CPE)                                                                                                                                      |Package (purl)                                     |Highest Severity|CVE Count|Confidence|
|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------|----------------|---------|----------|
|@babel/plugin-syntax-json-strings:7.8.3    |cpe:2.3:a:json_project:json:7.8.3:*:*:*:*:*:*:*                                                                                                              |pkg:npm/%40babel%2Fplugin-syntax-json-strings@7.8.3|HIGH     |          |Highest       |
|@types/json-schema:7.0.5                   |cpe:2.3:a:json_project:json:7.0.5:*:*:*:*:*:*:*                                                                                                              |pkg:npm/%40types%2Fjson-schema@7.0.5               |HIGH     |          |Highest       |
|@types/parse-json:4.0.0                    |cpe:2.3:a:json_project:json:4.0.0:*:*:*:*:*:*:* cpe:2.3:a:parsejson_project:parsejson:4.0.0:*:*:*:*:*:*:*                                                    |pkg:npm/%40types%2Fparse-json@4.0.0                |HIGH     |          |Highest       |
|decamelize-keys:1.1.0                      |cpe:2.3:a:decamelize_project:decamelize:1.1.0:*:*:*:*:*:*:*                                                                                                  |pkg:npm/decamelize-keys@1.1.0                      |HIGH     |          |Highest       |
|deep-extend:0.5.1                          |cpe:2.3:a:deep_extend_project:deep_extend:0.5.1:*:*:*:*:*:*:* cpe:2.3:a:extend_project:extend:0.5.1:*:*:*:*:*:*:*                                            |pkg:npm/deep-extend@0.5.1                          |CRITICAL |          |Highest       |
|deep-extend:0.6.0                          |cpe:2.3:a:deep_extend_project:deep_extend:0.6.0:*:*:*:*:*:*:* cpe:2.3:a:extend_project:extend:0.6.0:*:*:*:*:*:*:*                                            |pkg:npm/deep-extend@0.6.0                          |CRITICAL |          |Highest       |
|electron-to-chromium:1.3.480               |cpe:2.3:a:chromium:chromium:1.3.480:*:*:*:*:*:*:* cpe:2.3:a:chromium_project:chromium:1.3.480:*:*:*:*:*:*:* cpe:2.3:a:electron:electron:1.3.480:*:*:*:*:*:*:*|pkg:npm/electron-to-chromium@1.3.480               |HIGH     |          |Highest       |
|escape-string-regexp:1.0.5                 |cpe:2.3:a:string_project:string:1.0.5:*:*:*:*:*:*:*                                                                                                          |pkg:npm/escape-string-regexp@1.0.5                 |HIGH     |          |Highest       |
|escape-string-regexp:2.0.0                 |cpe:2.3:a:string_project:string:2.0.0:*:*:*:*:*:*:*                                                                                                          |pkg:npm/escape-string-regexp@2.0.0                 |HIGH     |          |Highest       |
|extend-shallow:2.0.1                       |cpe:2.3:a:extend_project:extend:2.0.1:*:*:*:*:*:*:*                                                                                                          |pkg:npm/extend-shallow@2.0.1                       |CRITICAL |          |Highest       |
|fast-json-stable-stringify:2.1.0           |cpe:2.3:a:json_project:json:2.1.0:*:*:*:*:*:*:*                                                                                                              |pkg:npm/fast-json-stable-stringify@2.1.0           |HIGH     |          |Highest       |
|is-docker:2.0.0                            |cpe:2.3:a:docker:docker:2.0.0:*:*:*:*:*:*:*                                                                                                                  |pkg:npm/is-docker@2.0.0                            |HIGH     |          |Highest       |
|json-parse-better-errors:1.0.2             |cpe:2.3:a:json_project:json:1.0.2:*:*:*:*:*:*:*                                                                                                              |pkg:npm/json-parse-better-errors@1.0.2             |HIGH     |          |Highest       |
|json-schema-traverse:0.4.1                 |cpe:2.3:a:json_project:json:0.4.1:*:*:*:*:*:*:*                                                                                                              |pkg:npm/json-schema-traverse@0.4.1                 |HIGH     |          |Highest       |
|json-schema:0.2.3                          |cpe:2.3:a:json_project:json:0.2.3:*:*:*:*:*:*:*                                                                                                              |pkg:npm/json-schema@0.2.3                          |HIGH     |          |Highest       |
|json-stable-stringify-without-jsonify:1.0.1|cpe:2.3:a:json_project:json:1.0.1:*:*:*:*:*:*:*                                                                                                              |pkg:npm/json-stable-stringify-without-jsonify@1.0.1|HIGH     |          |Highest       |
|json-stringify-safe:5.0.1                  |cpe:2.3:a:json_project:json:5.0.1:*:*:*:*:*:*:*                                                                                                              |pkg:npm/json-stringify-safe@5.0.1                  |HIGH     |          |Highest       |
|json5:2.1.3                                |cpe:2.3:a:json_project:json:2.1.3:*:*:*:*:*:*:*                                                                                                              |pkg:npm/json5@2.1.3                                |HIGH     |          |Highest       |
|markdownlint-cli:0.23.2                    |cpe:2.3:a:cli_project:cli:0.23.2:*:*:*:*:*:*:*                                                                                                               |pkg:npm/markdownlint-cli@0.23.2                    |HIGH     |          |Highest       |
|npm-run-path:2.0.2                         |cpe:2.3:a:npm:npm:2.0.2:*:*:*:*:*:*:*                                                                                                                        |pkg:npm/npm-run-path@2.0.2                         |HIGH     |          |Highest       |
|parse-json:5.0.0                           |cpe:2.3:a:json_project:json:5.0.0:*:*:*:*:*:*:* cpe:2.3:a:parsejson_project:parsejson:5.0.0:*:*:*:*:*:*:*                                                    |pkg:npm/parse-json@5.0.0                           |HIGH     |          |Highest       |
|rc:1.2.8                                   |cpe:2.3:a:rc_project:rc:1.2.8:*:*:*:*:*:*:*                                                                                                                  |pkg:npm/rc@1.2.8                                   |HIGH     |          |Highest       |
|repeat-string:1.6.1                        |cpe:2.3:a:string_project:string:1.6.1:*:*:*:*:*:*:*                                                                                                          |pkg:npm/repeat-string@1.6.1                        |HIGH     |          |Highest       |
|split-string:3.1.0                         |cpe:2.3:a:string_project:string:3.1.0:*:*:*:*:*:*:*                                                                                                          |pkg:npm/split-string@3.1.0                         |HIGH     |          |Highest       |
|static-extend:0.1.2                        |cpe:2.3:a:extend_project:extend:0.1.2:*:*:*:*:*:*:*                                                                                                          |pkg:npm/static-extend@0.1.2                        |CRITICAL |          |Highest       |
|string-width:3.1.0                         |cpe:2.3:a:string_project:string:3.1.0:*:*:*:*:*:*:*                                                                                                          |pkg:npm/string-width@3.1.0                         |HIGH     |          |Highest       |
|string_decoder:1.3.0                       |cpe:2.3:a:string_project:string:1.3.0:*:*:*:*:*:*:*                                                                                                          |pkg:npm/string_decoder@1.3.0                       |HIGH     |          |Highest       |
|strip-json-comments:2.0.1                  |cpe:2.3:a:json_project:json:2.0.1:*:*:*:*:*:*:*                                                                                                              |pkg:npm/strip-json-comments@2.0.1                  |HIGH     |          |Highest       |
|strip-json-comments:3.1.0                  |cpe:2.3:a:json_project:json:3.1.0:*:*:*:*:*:*:*                                                                                                              |pkg:npm/strip-json-comments@3.1.0                  |HIGH     |          |Highest       |
|strip-json-comments:3.1.1                  |cpe:2.3:a:json_project:json:3.1.1:*:*:*:*:*:*:*                                                                                                              |pkg:npm/strip-json-comments@3.1.1                  |HIGH     |          |Highest       |
|unset-value:1.0.0                          |cpe:2.3:a:set-value_project:set-value:1.0.0:*:*:*:*:*:*:*                                                                                                    |pkg:npm/unset-value@1.0.0                          |CRITICAL |          |Highest       |
aarongoldenthal (Author) commented:

This is also occurring for other package managers:

NuGet package Microsoft.AspNet.Web.Optimization.WebForms is reported as cpe:2.3:a:forms_project:forms.

aarongoldenthal (Author) commented:

Another example:

   <suppress>
      <notes><![CDATA[
      file name: cacheable-lookup:2.0.1
      ]]></notes>
      <packageUrl regex="true">^pkg:npm/cacheable\-lookup@.*$</packageUrl>
      <cpe>cpe:/a:lookup:lookup</cpe>
   </suppress>
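The triage below is an added example, not code from the dependency-check project or from the issue's author. It reads a report in the JSON layout assumed here (`dependencies[].packages[].id` holding the purl and `dependencies[].vulnerabilityIds[].id` holding the CPE 2.3 string), flags matches whose CPE product is only a fragment of the npm package name (the pattern in the table above: `json` inside `@babel/plugin-syntax-json-strings`, `lookup` inside `cacheable-lookup`), and emits suppression entries in the same shape as the `cacheable-lookup` one. The sample report, the field names and the suppression-schema namespace are assumptions; verify them against the report and schema your dependency-check version produces.

```python
import json
import re
from urllib.parse import unquote
from xml.sax.saxutils import escape

# Constructed sample in the assumed shape of a dependency-check JSON report
# (dependencies[].packages[].id = purl, dependencies[].vulnerabilityIds[].id = CPE),
# using rows posted in this issue.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"fileName": "@babel/plugin-syntax-json-strings:7.8.3",
     "packages": [{"id": "pkg:npm/%40babel%2Fplugin-syntax-json-strings@7.8.3"}],
     "vulnerabilityIds": [{"id": "cpe:2.3:a:json_project:json:7.8.3:*:*:*:*:*:*:*"}]},
    {"fileName": "deep-extend:0.6.0",
     "packages": [{"id": "pkg:npm/deep-extend@0.6.0"}],
     "vulnerabilityIds": [{"id": "cpe:2.3:a:deep_extend_project:deep_extend:0.6.0:*:*:*:*:*:*:*"},
                          {"id": "cpe:2.3:a:extend_project:extend:0.6.0:*:*:*:*:*:*:*"}]},
    {"fileName": "cacheable-lookup:2.0.1",
     "packages": [{"id": "pkg:npm/cacheable-lookup@2.0.1"}],
     "vulnerabilityIds": [{"id": "cpe:2.3:a:lookup:lookup:2.0.1:*:*:*:*:*:*:*"}]}]})


def split_cpe23(cpe):
    """Split a CPE 2.3 formatted string on unescaped ':' (a '\\:' stays in its field)."""
    parts, cur, i = [], "", 0
    while i < len(cpe):
        if cpe[i] == "\\" and i + 1 < len(cpe):
            cur, i = cur + cpe[i:i + 2], i + 2
        elif cpe[i] == ":":
            parts, cur, i = parts + [cur], "", i + 1
        else:
            cur, i = cur + cpe[i], i + 1
    return parts + [cur]


def cpe_vendor_product(cpe):
    parts = split_cpe23(cpe)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 formatted string: " + cpe)
    return parts[3], parts[4]


def purl_name_part(purl):
    """Percent-encoded name from an npm purl, minus version, qualifiers and subpath."""
    if not purl.startswith("pkg:npm/"):
        raise ValueError("not an npm purl: " + purl)
    rest = purl[len("pkg:npm/"):].split("?", 1)[0].split("#", 1)[0]
    return rest.rsplit("@", 1)[0] if "@" in rest[1:] else rest  # a leading '@' is a scope


def npm_name(purl):
    return unquote(purl_name_part(purl))  # e.g. '@babel/plugin-syntax-json-strings'


def canon(s):
    return re.sub(r"[^a-z0-9]", "", s.lower())


def classify(package_name, product):
    """'substring': the CPE product is only a fragment of the package name, the pattern
    in this issue. 'name-match' still needs a human look: canon() folds 'parse-json'
    and 'parsejson' (two different npm packages) together."""
    p, n = canon(product), canon(package_name)
    if p == n:
        return "name-match"
    return "substring" if p and p in n else "other"


def triage(report_json):
    rows = []
    for dep in json.loads(report_json).get("dependencies", []):
        purls = [p["id"] for p in dep.get("packages", []) if p["id"].startswith("pkg:npm/")]
        if not purls:
            continue
        for vid in dep.get("vulnerabilityIds", []):
            product = cpe_vendor_product(vid["id"])[1]
            rows.append({"fileName": dep["fileName"], "purl": purls[0], "cpe": vid["id"],
                         "verdict": classify(npm_name(purls[0]), product)})
    return rows


def purl_regex(purl):
    """Anchored regex for every version of one package, like the issue's example."""
    return "^pkg:npm/" + re.escape(purl_name_part(purl)) + "@.*$"


def suppression_entry(file_name, purl, cpe):
    vendor, product = cpe_vendor_product(cpe)
    notes = file_name.replace("]]>", "]]]]><![CDATA[>")  # keep the CDATA section valid
    return ("   <suppress>\n"
            "      <notes><![CDATA[\n      file name: " + notes + "\n      ]]></notes>\n"
            '      <packageUrl regex="true">' + escape(purl_regex(purl)) + "</packageUrl>\n"
            "      <cpe>cpe:/a:" + escape(vendor) + ":" + escape(product) + "</cpe>\n"
            "   </suppress>")


def suppressions_for(report_json):
    """Suppression file covering only the 'substring' matches; hand-review the rest."""
    body = "\n".join(suppression_entry(r["fileName"], r["purl"], r["cpe"])
                     for r in triage(report_json) if r["verdict"] == "substring")
    # xmlns of the 1.3 suppression schema (assumed; check it against the version in use)
    return ('<?xml version="1.0" encoding="UTF-8"?>\n<suppressions xmlns="https://jeremylong'
            '.github.io/DependencyCheck/dependency-suppression.1.3.xsd">\n' + body + "\n</suppressions>\n")
```

`triage(SAMPLE_REPORT)` labels the `json`, `extend` and `lookup` matches as `substring` and `deep_extend` as `name-match`; `suppressions_for(SAMPLE_REPORT)` writes entries for the three `substring` rows only. The `packageUrl` regex is anchored on both ends and keeps the `@` after the name, so a suppression for `rc` does not also silence `rc-config`. Suppressing by `<cpe>` vendor:product rather than by a CVE keeps the suppression tied to the misidentification itself, but a `name-match` row such as `parsejson` against `parse-json` should be checked by hand before it is suppressed.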

jeremylong added a commit that referenced this issue Oct 13, 2020:
* broadly reduce vulnerability matches for NPM per #2796
jeremylong (Owner) commented:

At the moment - I highly recommend just disabling the Node JS Analyzer (--disableNodeJS). There are plans to revamp this analyzer and combine some of the logic in the node audit analyzer. The primary use for the Node JS analyzer will be for the vendor modules.
