
0 votes
in Clojure by

Dependency Information
When running clj-watson in a project with

org.clojure/data.fressian {:mvn/version "1.1.1"}

I get the following warning, referring to CVE-2018-10054 (relates to a vulnerability in H2 and its usage in older versions of datomic). I assume this is a false positive.

NAME: org.fressian/fressian
VERSION: 0.6.8

DEPENDENCY FOUND IN:

[org.clojure/data.fressian]

FIX SUGGESTION:

Vulnerabilities

SEVERITY: HIGH
IDENTIFIERS: CVE-2018-10054
CVSS: 8.8 (version 3.1)
PATCHED VERSION: Information not available.

1 Answer

0 votes
by

I agree that this is a false positive. Neither org.fressian/fressian nor org.clojure/data.fressian depends on either Datomic or h2, either explicitly or implicitly, even via test deps, so not sure how that could be possible even via test deps.

clj-watson depends on https://github.com/dependency-check/DependencyCheck to do its checks, and you can report false positives as an issue on its issue tracker https://github.com/dependency-check/DependencyCheck/issues.

by
edited ago by
clj-watson maintainer here...

Confirmed that data.fressian is flagged with that CVE on org.fressian/fressian which seems to be a false positive, so that should be reported to the dependency-check project.

We're working on better docs (for clj-watson) that would guide people through how to report false positives, and clarify how to set up a local exclusion for them until they get fixed.
ago by
I started to open a ticket at DependencyCheck, but I need to know several things:

- Package URI: "pkg:maven/org.fressian/fressian@0.6.8" ?
- CPE: no clue!
- ODC Integration - "CLI" right?
- ODC Version: help needed!
ago by
Package URI looks right.

For CPE, you'll have to put `unknown`. I used the CPE search on the NVD site and could not find any CPEs for `fressian`, nor does the 2018 CVE data feed contain `fressian`.

ODC Integration: CLI is the closest option.

ODC Version: https://github.com/clj-holmes/clj-watson/blob/main/deps.edn#L10 so it's currently 12.1.6 unless you're overriding it locally.
...
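The thread mentions setting up a local exclusion for the false positive until dependency-check corrects the match. As an added illustration (not code from this thread, from clj-watson or from the dependency-check project), this is what a dependency-check suppression file for exactly this finding looks like. It uses the Package URL and CVE identifier quoted above; the `regex="true"` match on the version suffix is a choice made here so the entry survives a fressian upgrade, and the file name `suppressions.xml` is arbitrary.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- suppressions.xml: dependency-check suppression file (1.3 schema) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      False positive: CVE-2018-10054 concerns H2 as used by older Datomic
      releases. org.fressian/fressian does not depend on H2 or Datomic.
      Reported upstream to dependency-check; delete this entry once the
      upstream data no longer produces the match.
    ]]></notes>
    <!-- Match any version of org.fressian/fressian (regex on the purl). -->
    <packageUrl regex="true">^pkg:maven/org\.fressian/fressian@.*$</packageUrl>
    <!-- Scope the suppression to this one CVE, not the whole package,
         so any future genuine finding against fressian is still reported. -->
    <cve>CVE-2018-10054</cve>
  </suppress>
</suppressions>
```

Keeping the suppression keyed on a single `<cve>` rather than suppressing the package outright is the important detail: a blanket package suppression would silently hide real vulnerabilities reported against fressian later. Whether clj-watson accepts this file directly (it exposes a suppression-file option in recent versions, but check `clj-watson scan --help` for the exact flag in the version you run) or you pass it to the dependency-check CLI with `--suppression suppressions.xml`, the `<notes>` block should name the upstream report so the entry gets removed once it is no longer needed.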