
SONAR-13905 enable OWASP Dependency Check tool

Simon Brandhof, 3 years ago

build.gradle (+34, -2)

@@ -14,7 +14,7 @@ buildscript {
classpath 'io.spring.gradle:dependency-management-plugin:1.0.4.RELEASE'
classpath 'net.rdrei.android.buildtimetracker:gradle-plugin:0.11.0'
classpath 'org.jfrog.buildinfo:build-info-extractor-gradle:4.7.5'
classpath "org.owasp:dependency-check-gradle:4.0.2"
classpath 'org.owasp:dependency-check-gradle:6.0.2'
classpath 'org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:2.7.1'
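Review bot: a two-major-version jump (`dependency-check-gradle:4.0.2` to `6.0.2`) lands in a single line while the commit message only says the tool is enabled; please state in the description why this release was picked and that the `dependency-suppression.1.3.xsd` schema used by the two new XML files is the one this release expects, so a later reader does not have to rediscover the pairing. The quoting also changes from double to single quotes, which is fine but worth keeping consistent with the neighbouring classpath entries.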
@@ -49,6 +49,39 @@ if (!JavaVersion.current().java11Compatible) {
throw new GradleException("JDK 11+ is required to perform this build. It's currently " + System.getProperty("java.home") + ".")

apply plugin: 'org.owasp.dependencycheck'
dependencyCheck {
analyzers {
assemblyEnabled = false
autoconfEnabled = false
bundleAuditEnabled = false
cmakeEnabled = false
cocoapodsEnabled = false
composerEnabled = false
cocoapodsEnabled = false
golangDepEnabled = false
golangModEnabled = false
nodeAudit {
skipDevDependencies = true
nuspecEnabled = false
nugetconfEnabled = false
rubygemsEnabled = false
swiftEnabled = false

format = 'ALL'
junitFailOnCVSS = 0
failBuildOnCVSS = 0
suppressionFiles = ["${project.rootDir}/owasp-suppressions.xml", "${project.rootDir}/owasp-vulnerabilities.xml"]
skipProjects = project.subprojects
.findAll {it.name.contains('testing') ||
it.name.startsWith('it-') ||
it.name.contains('-test') ||
it.name == 'sonar-ws-generator'}
.collect { it.path }

allprojects {
apply plugin: 'com.jfrog.artifactory'
apply plugin: 'maven-publish'
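Review bot: `cocoapodsEnabled = false` appears twice in the `analyzers` block (once after `cmakeEnabled`, again after `composerEnabled`); drop the duplicate, and a quick pass over the list against the plugin's analyzer names would catch any other copy-paste slip. A one-line comment next to `failBuildOnCVSS = 0` and `junitFailOnCVSS = 0` would also help: a threshold of 0 fails the build on every reported finding, which is the intended strict mode but only works because the two files in `suppressionFiles` carry the accepted exceptions, so whoever reads this block later should know that those suppression files are the actual risk-acceptance record.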
@@ -90,7 +123,6 @@ subprojects {
apply plugin: 'java'
apply plugin: 'jacoco'
apply plugin: 'idea'
apply plugin: 'org.owasp.dependencycheck'

// do not deploy to Artifactory by default
artifactoryPublish.skip = true
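Review bot: with `apply plugin: 'org.owasp.dependencycheck'` removed from `subprojects` and the plugin now applied once at the root, the `skipProjects` filter configured above is only meaningful for an aggregate run across subprojects; please state in the commit message or a comment which Gradle task CI invokes, so nobody later runs a root-only analysis and assumes the subprojects were covered.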

owasp-suppressions.xml (+190, -0)

@@ -0,0 +1,190 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

This file lists the false-positives (the vulnerabilities that can not be exploited)

Elasticsearch API key service is not enabled.
See https://discuss.elastic.co/t/elastic-stack-6-8-4-security-update/204908
Fixed in Elasticsearch 6.8.4

Elasticsearch field level security feature is not used.
See https://www.elastic.co/guide/en/elasticsearch/reference/current/field-level-security.html
and https://discuss.elastic.co/t/elastic-stack-7-9-0-and-6-8-12-security-update/245456
Fixed in Elasticsearch 6.8.12

The vulnerability is about multiple users submitting requests to Elasticsearch. It's not
a false-positive because requests are sent anonymously. Authentication is disabled.
Fixed in Elasticsearch 6.8.2

Jenkins plugin - fixed in v2.8.1
See https://www.jenkins.io/security/advisory/2018-09-25/#SECURITY-1163CVE-2018-20200 and

Irrelevant exploit in OkHttp. It requires to control the server and to allow sniffing network traffic!
Obfuscating the code makes the documentation of the CVE impossible to apply.
See https://github.com/square/okhttp/issues/4967 and https://github.com/boclips/videos/commit/9f6c5ba96063f14fb6033f4f6efa6caf3c2701bd

Vulnerability in the Spring version embedded into sonar-security-java-frontend-plugin. Fixed in 8.4.
See https://jira.sonarsource.com/browse/SONARSEC-1189 and https://nvd.nist.gov/vuln/detail/CVE-2020-5398

Log4J SMTP Appender is not enabled, so the vulnerability is not exploitable.
See https://nvd.nist.gov/vuln/detail/CVE-2020-9488

SnakeYML vulnerability if the Elasticsearch YML configuration files have too many recursive aliases.
Fixed in SnakeYML 1.26.
Not exploitable because the file elasticsearch/config/*.yml are not supposed to be edited outside the build.

These 2 CVEs were opened in 2007, without any resolution. It's apparently about OpenID which
is not safe by design.
Anyway OpenID is not used. Microsoft authentication relies on OpenID Connect and OAuth 2.0.
See MSAL https://docs.microsoft.com/en-us/azure/active-directory/develop/migrate-adal-msal-java

This is a Suse packaging issue, not a Tomcat one
See https://nvd.nist.gov/vuln/detail/CVE-2020-8022 and https://lists.apache.org/thread.html/ra87ec20a0f4b226c81c7eed27e5d7433ccdc41e61a8da408a45f0fa1@%3Cusers.tomcat.apache.org%3E

Fixed in SQ 7.8. See https://jira.sonarsource.com/browse/SSF-74

Fixed in SQ 7.4. See https://jira.sonarsource.com/browse/SONAR-11305

false-positive - the OWASP tool considers SQ as being
gitlab 8.0, which comes with many vulnerabilities!
<filePath regex="true">.*build\.gradle</filePath>

false-positive - the OWASP tool considers sonar-auth-gitlab@8.0-SNAPSHOT as being
gitlab 8.0, which comes with many vulnerabilities!
<filePath regex="true">.*sonar-auth-gitlab-8.*\.jar.*</filePath>

The commons-compress 1.8 bundled with CSS analyzer is not used. Its vulnerabilities
can't be exploited.
Noise will be killed in https://github.com/SonarSource/sonar-css/issues/260
<filePath regex="true">.*sonar-css-plugin-1\.2.*\.jar.*</filePath>

false-positive - the OWASP tool considers sonar-ruby-plugin 1.7 as being
ruby 1.7, which comes with many vulnerabilities!
<packageUrl regex="true">pkg:maven/org\.sonarsource\.slang/sonar-ruby-plugin@1\..*</packageUrl>

false-positive - the OWASP tool considers sonar-scala-plugin 1.x as being
scala 1.x, which come with many vulnerabilities
<packageUrl regex="true">pkg:maven/org\.sonarsource\.slang/sonar-scala-plugin@1\..*</packageUrl>

<!-- JRuby dirgra 0.3 is unexpectedly considered as JRuby 0.3 -->
<packageUrl regex="true">^pkg:maven/org\.jruby/dirgra@.*$</packageUrl>

<!-- The sonar-scm-git-plugin 1.12 is unexpectedly considered as git 1.12 -->

The Java JSON libraries are unexpectedly considered as JS libraries suffering from
the json node module vulnerabilities.
<packageUrl regex="true">^pkg:maven/.*$</packageUrl>

This Guava vulnerability is not exploitable in the ABAP analyzer.
However it's planned to kill the noise:
<filePath regex="true">.*com\.sonarsource\.abap/sonar-abap-plugin.*</filePath>

This Guava vulnerability is not exploitable in the PLSQL analyzer.
However it's planned to kill the noise:
<filePath regex="true">.*com\.sonarsource\.plsql/sonar-plsql-plugin/3\.4.*</filePath>

False-positive - the subproject agentproxy
is considered as being the JCraft project.
<packageUrl regex="true">pkg:maven/com\.jcraft/jsch\.agentproxy\..*@0.0.7</packageUrl>
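Review bot: the entry for the Java JSON libraries uses `<packageUrl regex="true">^pkg:maven/.*$</packageUrl>`, which matches every Maven artifact in the build, so whether this suppression stays narrow depends entirely on whatever vulnerability matcher accompanies it; listing the actual JSON artifacts would keep it from silently hiding a real node-module match elsewhere. Two smaller points: the Jenkins entry's reference `...#SECURITY-1163CVE-2018-20200 and` reads as two identifiers run together and ends in a dangling `and`, and the `sonar-scm-git-plugin 1.12` comment has no `filePath` or `packageUrl` matcher beneath it in this view; please fix the link and confirm that entry is complete.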

owasp-vulnerabilities.xml (+35, -0)

@@ -0,0 +1,35 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

Vulnerabilities in the SWIFT analyzer.
See https://jira.sonarsource.com/browse/SONARSWIFT-451
<filePath regex="true">.*sonar-swift-plugin-4\.2.*\.jar.*</filePath>
<vulnerabilityName>Remote code execution</vulnerabilityName>

The version of Netty packaged with Elasticsearch 6.8.x suffers from a few vulnerabilities.
The latter are considered as low risk by the Elastic team. Upgrading Netty in Elasticsearch 6.8.x
is not planned. See https://github.com/elastic/elasticsearch/issues/49396
<packageUrl regex="true">^pkg:maven/io\.netty/netty-.*@4\.1\.32.*$</packageUrl>

AssertJ should not be bundled with the Kotlin analyzer. Should be fixed in 1.6.
<filePath regex="true">.*sonar-kotlin-plugin-1\.5.*\.jar.*</filePath>
<vulnerabilityName>CWE-476: NULL Pointer Dereference</vulnerabilityName>
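Review bot: this file records accepted, real vulnerabilities rather than false positives, yet none of the three entries carries an expiry; the suppression schema's `until` date attribute on `<suppress>` would force a re-evaluation of the Netty 4.1.32 exception and of the Kotlin analyzer one whose own note says `Should be fixed in 1.6`. The Swift entry also matches by `<vulnerabilityName>Remote code execution</vulnerabilityName>`, a free-text name that will suppress any future finding with that title in `sonar-swift-plugin-4.2*` jars; matching on the specific identifiers tracked in SONARSWIFT-451 would be tighter.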
