8000 False Positive: CVE-2022-34169 CVE-2014-0107 xalan-2.7.1.jbossorg-6 in wildfly 26.1.3.Final · Issue #1732 · anchore/grype · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

False Positive: CVE-2022-34169 CVE-2014-0107 xalan-2.7.1.jbossorg-6 in wildfly 26.1.3.Final #1732

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
bhreddy83 opened this issue Feb 28, 2024 · 5 comments
Open

False Positive: CVE-2022-34169 CVE-2014-0107 xalan-2.7.1.jbossorg-6 in wildfly 26.1.3.Final #1732

bhreddy83 opened this issue Feb 28, 2024 · 5 comments
Labels
bug Something isn't working false-positive needs-discussion

Comments

@bhreddy83
Copy link

What happened:
When scan on a wildfly(26.1.3.Final) container which has xalan custom fork 2.7.1.jbossorg-6, the following vulnerabilities are reported.
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
xalan 2.7.1.jbossorg-6 2.7.2 java-archive GHSA-rc2w-r4jq-7pfx High
xalan 2.7.1.jbossorg-6 2.7.3 java-archive GHSA-9339-86wc-4qgf High

These are linked to CVE-2014-0107 and CVE-2022-34169.

What you expected to happen:
According to Wildfly community, xalan-2.7.1.jbossorg-6, both CVE-2014-0107 and CVE-2022-34169 are not affected. Probably Grype is comparing to NVD, anything less than 2.7.3 is at fault.

Upon inquiry to the community regarding the latest version with fixes for identified vulnerabilities, feedback indicated that reports in Maven Central were false positives. The custom fork, version 2.7.1.jbossorg-6, indeed addresses these vulnerabilities, as evidenced by the following commits.
CVE-2014-0107 - jboss/xalan-j@534f2d3
CVE-2022-34169 - jboss/xalan-j@1e91610

Environment:

  • Output of grype version:
    Application: grype
    Version: 0.70.0
    BuildDate: 2023-10-11T00:36:57Z
    GitCommit: 7e5df38
    GitDescription: v0.70.0
    Platform: linux/amd64
    GoVersion: go1.21.1
    Compiler: gc
    Syft Version: v0.93.0
    Supported DB Schema: 5

  • wildfly: 26.1.3.Final
@bhreddy83 bhreddy83 added the bug Something isn't working label Feb 28, 2024
@willmurphyscode
Copy link
Contributor

Hi @bhreddy83, thanks very much for the report. I'm not super familiar with Wildly. I did a quick search on DockerHub, and there are a lot of images with wildfly in the name. https://hub.docker.com/r/bitnami/wildfly seems like a good candidate, but I don't see a tag called 26.1.3.Final. Would you mind replying with a DockerHub link or similar to an image you believe is affected by this false positive? If the image you're scanning is private, maybe a link to the base image and some maven links for other things installed?

I think what you're saying is, "I have an image built with FROM bitnami/wildfly:26.1.3 that also adds a Jboss fork of Xalan,". Can you confirm this? Can you provide a link to the version of Xalan you used?

@bhr83
Copy link
bhr83 commented Feb 28, 2024

I am utilizing the source code from the WildFly repository version 26.1.3.Final, available at https://github.com/wildfly/wildfly/tree/26.1.3.Final, to build WildFly. Notably, in the pom.xml file at line 389, the xlan version is specified as 2.7.1.jbossorg-6.

@bhreddy83 bhreddy83 changed the title False Positive: CVE-2022-34169 xalan-2.7.1.jbossorg-6 in wildfly 26.1.3.Final False Positive: CVE-2022-34169 CVE-2014-0107 xalan-2.7.1.jbossorg-6 in wildfly 26.1.3.Final Feb 29, 2024
@willmurphyscode
Copy link
Contributor

Hi @bhr83 I'm not finding information about these fixes reported in any vulnerability data. For example, https://mvnrepository.com/artifact/xalan/xalan/2.7.1.jbossorg-6 shows both CVEs as affecting that version, as do the GHSA records.

It should be possible to PR the GHSA records for these vulnerabilities to record that the 2.7.1.jbossorg-6 has a fix; Grype is actually comparing to GHSA-9339-86wc-4qgf and GHSA-rc2w-r4jq-7pfx, which list 2.7.3 and 2.7.2 as the patched version, both higher than 2.7.1.jbossorg-6. In other words, Grype is matching the version constraint present in GHSA correctly, but it sounds like from those commits the version constraint might be wrong.

The next step is to try to PR the GHSA records linked above to put additional patched versions in. This might run into trouble because it's tracking data about a fork; I don't know the policies there.

@willmurphyscode willmurphyscode moved this to Backlog in OSS May 7, 2025
@westonsteimel
Copy link
Contributor
westonsteimel commented May 7, 2025
edited
Loading

@willmurphyscode, GitHub won't accept it because they only accept versions from maven central

@willmurphyscode
Copy link
Contributor

Notes for discussion: It seems that because this JAR is not from Maven Central, GHSA will not support it. Maybe we can discuss what other sources of vulnerability data we could use for it?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working false-positive needs-discussion
Projects
OSS
Status: Backlog
Milestone
No milestone
Development

No branches or pull requests
5 participants
@wagoodman @westonsteimel @willmurphyscode @bhreddy83 @bhr83
0