
[FP]: v7.4.0 identifying CPE based on dependency and not installed version #5116

Closed
aarongoldenthal opened this issue Dec 4, 2022 · 10 comments

@aarongoldenthal

aarongoldenthal commented Dec 4, 2022

Package URL

pkg:npm/minimatch@^3.0.4

CPE

cpe:/a:minimatch_project:minimatch

CVE

CVE-2022-3517

ODC Integration

CLI

ODC Version

7.4.0

Description

Starting with v7.4.0, Dependency Check is flagging CVE-2022-3517 for npm package minimatch@3.0.4, but this is not the correct version. This is run with a package-lock.json, and all dependencies installed.

Looking at the package-lock.json, the test-exclude package has the dependency "minimatch": "^3.0.4", but this is met via minimatch@3.1.2 (per the package-lock.json, and the installed package), which does not have the vulnerability.

@github-actions
Contributor

github-actions bot commented Dec 4, 2022

Error parsing package url: https://www.npmjs.com/package/minimatch.

Error: Error: purl is missing the required "pkg" scheme component.

Please correct the package URL - consider copying the package url from the HTML report.

@github-actions
Contributor

github-actions bot commented Dec 4, 2022

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/3615242203

@github-actions
Contributor

github-actions bot commented Dec 4, 2022

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/3615251806

@aarongoldenthal
Author

Looking more closely at the log, Dependency Check is also throwing warnings that it fails to find the modules, but these modules should not be found in these locations. For example, in the messages below, minimatch is actually at the root level, so the package definition is at /builds/my-project/node_modules/minimatch/package.json.

...
[WARN] Unable to find node module: /builds/my-project/node_modules/@eslint/eslintrc/node_modules/minimatch/package.json
...
[WARN] Unable to find node module: /builds/my-project/node_modules/@humanwhocodes/config-array/node_modules/minimatch/package.json
...
[WARN] Unable to find node module: /builds/my-project/node_modules/eslint/node_modules/minimatch/package.json
...
[WARN] Unable to find node module: /builds/my-project/node_modules/eslint-plugin-n/node_modules/minimatch/package.json
...
[WARN] Unable to find node module: /builds/my-project/node_modules/glob/node_modules/minimatch/package.json
...

@aikebah
Collaborator

aikebah commented Dec 5, 2022

Most likely a bug caused by #5078

@aarongoldenthal
Author

Most likely a bug caused by #5078

It would appear so. I now see it all over the place where the package-lock.json requirement is being identified as the CPE and not the actual installed package.

@jeremylong
Owner

@aarongoldenthal - do you have a sample project or steps to reproduce? I ran:

npm init
npm i minimatch@^3.0.4
dependency-check.sh --scan .

No FP were identified.

@aarongoldenthal
Author

aarongoldenthal commented Dec 8, 2022

It appears to be occurring with transitive dependencies, where it's finding the minimum range as defined in package, not the actual version that was installed to satisfy it.

PS C:\test> npm i jest
PS C:\test> npm list minimatch
OCD_740_Transitive_Dependencies@ E:\Users\agoldent\Documents\Projects\NodeJS\Tests\OCD_740_Tran
└─┬ jest@29.3.1
  └─┬ @jest/core@29.3.1
    ├─┬ @jest/reporters@29.3.1
    │ └─┬ glob@7.2.3
    │   └── minimatch@3.1.2
    └─┬ @jest/transform@29.3.1
      └─┬ babel-plugin-istanbul@6.1.1
        └─┬ test-exclude@6.0.0
          └── minimatch@3.1.2 deduped

The package-lock.json then shows:

    "node_modules/test-exclude": {
      "version": "6.0.0",
      "resolved": "https://registry.npmjs.org/test-exclude/-/test-exclude-6.0.0.tgz",
      "integrity": "sha512-cAGWPIyOHU6zlmg88jwm7VRyXnMN7iV68OGAbYDk/Mh/xC/pzVPlQtY6ngoIH/5/tciuhGfvESU8GrHrcxD56w==",
      "dependencies": {
        "@istanbuljs/schema": "^0.1.2",
        "glob": "^7.1.4",
        "minimatch": "^3.0.4"
      },
      "engines": {
        "node": ">=8"
      }
    },

And Dependency Check is flagging pkg:npm/minimatch@%5E3.0.4 (that's ^3.0.4). You can see it in https://gitlab.com/gitlab-ci-utils/releaselog/, and Dependency Check results here.

I did set up a sample project at https://gitlab.com/aarongoldenthal/test-odc-transitive-dependency with only Jest installed, but Dependency Check is throwing an error on that package-lock.json.

@aarongoldenthal
Author

In v7.4.1, Dependency Check is finding the packages directly under node_modules and therefore the correct CPE. It is still generating many warnings (hundreds in my case) for non-existent folders. This appears to occur where a 2nd level dependency is nested in a folder under the 1st level dependency, then it has 3rd level child dependencies that are actually at the parent node_modules level.

For example balanced-match is actually at /builds/node_modules/balanced-match, but it's a child of brace-expansion, which is at /builds/node_modules/markdownlint-cli/node_modules/brace-expansion:

[WARN] Unable to find node module: /builds/node_modules/markdownlint-cli/node_modules/balanced-match/package.json
[WARN] Unable to find node module: /builds/node_modules/markdownlint-cli/node_modules/fs.realpath/package.json
[WARN] Unable to find node module: /builds/node_modules/markdownlint-cli/node_modules/inflight/package.json
[WARN] Unable to find node module: /builds/node_modules/markdownlint-cli/node_modules/inherits/package.json
[WARN] Unable to find node module: /builds/node_modules/markdownlint-cli/node_modules/once/package.json

The package-lock.json shows:

    "node_modules/markdownlint-cli": {
      "version": "0.32.2",
      "resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.32.2.tgz",
      "integrity": "sha512-xmJT1rGueUgT4yGNwk6D0oqQr90UJ7nMyakXtqjgswAkEhYYqjHew9RY8wDbOmh2R270IWjuKSeZzHDEGPAUkQ==",
      "dev": true,
      "dependencies": {
        "commander": "~9.4.0",
        "get-stdin": "~9.0.0",
        "glob": "~8.0.3",
        "ignore": "~5.2.0",
        "js-yaml": "^4.1.0",
        "jsonc-parser": "~3.1.0",
        "markdownlint": "~0.26.2",
        "markdownlint-rule-helpers": "~0.17.2",
        "minimatch": "~5.1.0",
        "run-con": "~1.2.11"
      },
      "bin": {
        "markdownlint": "markdownlint.js"
      },
      "engines": {
        "node": ">=14"
      }
    },
    "node_modules/markdownlint-cli/node_modules/brace-expansion": {
      "version": "2.0.1",
      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
      "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
      "dev": true,
      "dependencies": {
        "balanced-match": "^1.0.0"
      }
    },
    "node_modules/markdownlint-cli/node_modules/glob": {
      "version": "8.0.3",
      "resolved": "https://registry.npmjs.org/glob/-/glob-8.0.3.tgz",
      "integrity": "sha512-ull455NHSHI/Y1FqGaaYFaLGkNMMJbavMrEGFXG/PGrg6y7sutWHUHrz6gy6WEBH6akM1M414dWKCNs+IhKdiQ==",
      "dev": true,
      "dependencies": {
        "fs.realpath": "^1.0.0",
        "inflight": "^1.0.4",
        "inherits": "2",
        "minimatch": "^5.0.1",
        "once": "^1.3.0"
      },
      "engines": {
        "node": ">=12"
      },
      "funding": {
        "url": "https://github.com/sponsors/isaacs"
      }
    },
    "node_modules/markdownlint-cli/node_modules/minimatch": {
      "version": "5.1.1",
      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-5.1.1.tgz",
      "integrity": "sha512-362NP+zlprccbEt/SkxKfRMHnNY85V74mVnpUpNyr3F35covl09Kec7/sEFLt3RA4oXmewtoaanoIf67SE5Y5g==",
      "dev": true,
      "dependencies": {
        "brace-expansion": "^2.0.1"
      },
      "engines": {
        "node": ">=10"
      }
    },
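Both problems in this thread (the 7.4.0 purl built from the declared range "^3.0.4" instead of the installed 3.1.2, and the 7.4.1 "Unable to find node module" warnings for nested packages) come down to how a dependency named in one lockfile entry is located. The script below is an added illustration, not Dependency Check's code: it walks a lockfile-v2 "packages" map the way Node resolves node_modules (nearest scope first, then each parent scope), records the locations that were checked and missing, and builds the purl from the installed version. The lockfile is constructed from the versions quoted in this issue; the balanced-match version is a constructed placeholder.

```javascript
// Constructed lockfile v2 "packages" map using the entries quoted in this issue.
// The balanced-match version is a placeholder; the issue does not quote it.
const LOCK = {
  packages: {
    "node_modules/minimatch": { version: "3.1.2" },
    "node_modules/test-exclude": { version: "6.0.0", dependencies: { minimatch: "^3.0.4" } },
    "node_modules/balanced-match": { version: "1.0.2" },
    "node_modules/markdownlint-cli/node_modules/brace-expansion": {
      version: "2.0.1", dependencies: { "balanced-match": "^1.0.0" } },
  },
};

// Locations Node would check for `dep` required from `fromPath`, nearest first:
// <fromPath>/node_modules/<dep>, then the enclosing package's node_modules, up to the root.
function candidatePaths(fromPath, dep) {
  const out = [];
  let scope = fromPath; // "" means the project root
  for (;;) {
    out.push(`${scope ? scope + "/" : ""}node_modules/${dep}`);
    if (!scope) return out;
    const i = scope.lastIndexOf("node_modules/");
    scope = i > 0 ? scope.slice(0, i - 1) : ""; // drop the trailing "node_modules/<name>"
  }
}

// Resolve the installed copy of `dep`; `missing` lists the checked-but-absent paths,
// which are exactly the folders the 7.4.1 warnings above complain about.
function resolveDependency(lock, fromPath, dep) {
  const missing = [];
  for (const p of candidatePaths(fromPath, dep)) {
    const entry = lock.packages[p];
    if (entry) {
      return { path: p, version: entry.version, purl: `pkg:npm/${dep}@${entry.version}`, missing };
    }
    missing.push(p);
  }
  throw new Error(`${dep} required by ${fromPath} is not installed`);
}

// The 7.4.0 behaviour reported here: the declared range is URL-encoded into the purl,
// so "^3.0.4" becomes "%5E3.0.4" and the CPE match is done against a range, not a version.
function rangePurl(lock, fromPath, dep) {
  const range = lock.packages[fromPath].dependencies[dep];
  return `pkg:npm/${dep}@${encodeURIComponent(range)}`;
}
```

Running resolveDependency for test-exclude's minimatch returns the root copy (3.1.2) after one miss, while the brace-expansion case misses twice, the second miss being the markdownlint-cli/node_modules/balanced-match path from the warnings, before landing on the root copy.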

@jeremylong
Owner

@aarongoldenthal thanks for the info on the deeply nested. I'm pretty sure I know how to solve that.
