trivy: False positive on jar scanning on fixed older minor version than latest
Description
The nimbus-jose-jwt version 9.8.1 contains a shaded json-smart, which is reported with a vulnerability:

```json
{
  "Target": "app/lib/nimbus-jose-jwt-9.8.1.jar",
  "Type": "jar",
  "Vulnerabilities": [
    {
      "VulnerabilityID": "CVE-2021-27568",
      "PkgName": "net.minidev:json-smart",
      "InstalledVersion": "1.3.2",
      "FixedVersion": "2.4.1",
      "Layer": {
        "DiffID": "sha256:c16fcd5fe87ea387a5899b20fc0324af4863342b0ee962bce0cbda7464cb9f19"
      },
      "SeveritySource": "nvd",
      "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-27568",
      "Title": "json-smart: uncaught exception may lead to crash or information disclosure",
      "Description": "An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.",
      "Severity": "CRITICAL",
      "CweIDs": [
        "CWE-754"
      ],
```
When I go to https://nvd.nist.gov/vuln/detail/CVE-2021-27568:
- Up to (excluding) 1.3.2 -> the shaded version
- Up to (excluding) 2.3.1
- Up to (excluding) 2.4.1
What did you expect to happen?
No vulnerability on an excluded, non-latest version
What happened instead?
"Severity": "CRITICAL" on not vulnerable version 1.3.2
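The false positive comes from the advisory carrying a single FixedVersion (2.4.1) while NVD lists a separate fix per release line (1.3.2, 2.3.1, 2.4.1). The following added Go example (not Trivy's or GitLab's code) contrasts the two matching strategies; the lower bounds of the v2 ranges are an assumption so that each range covers only its own release line.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Branch is one affected range "Floor <= v < Fixed" (NVD's "up to (excluding) Fixed" for one release line); empty Floor means no lower bound.
type Branch struct{ Floor, Fixed string }

// less reports whether dotted numeric version a sorts before b; missing segments count as 0.
func less(a, b string) bool {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// VulnerableSingleFix is the advisory shape behind the report: one FixedVersion for the whole CVE, so every older release line is flagged even if it carries its own backported fix.
func VulnerableSingleFix(installed, fixed string) bool { return less(installed, fixed) }

// VulnerableByBranch checks the installed version against each release line on its own.
func VulnerableByBranch(installed string, branches []Branch) bool {
	for _, b := range branches {
		onBranch := b.Floor == "" || !less(installed, b.Floor)
		if onBranch && less(installed, b.Fixed) {
			return true
		}
	}
	return false
}

// CVE-2021-27568 upper bounds as quoted from NVD in the report; the lower bounds are an assumption.
var JSONSmartBranches = []Branch{{"", "1.3.2"}, {"2.0", "2.3.1"}, {"2.4", "2.4.1"}}

func main() {
	fmt.Println("single FixedVersion flags 1.3.2:", VulnerableSingleFix("1.3.2", "2.4.1"))   // true
	fmt.Println("per-branch ranges flag 1.3.2:", VulnerableByBranch("1.3.2", JSONSmartBranches)) // false
}
```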
Output of run with -debug:

```json
{
  "Target": "app/lib/nimbus-jose-jwt-9.8.1.jar",
  "Type": "jar",
  "Vulnerabilities": [
    {
      "VulnerabilityID": "CVE-2021-27568",
      "PkgName": "net.minidev:json-smart",
      "InstalledVersion": "1.3.2",
      "FixedVersion": "2.4.1",
      "Layer": {
        "DiffID": "sha256:c16fcd5fe87ea387a5899b20fc0324af4863342b0ee962bce0cbda7464cb9f19"
      },
      "SeveritySource": "nvd",
      "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-27568",
      "Title": "json-smart: uncaught exception may lead to crash or information disclosure",
      "Description": "An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.",
      "Severity": "CRITICAL",
      "CweIDs": [
        "CWE-754"
      ],
```
Output of trivy -v:
trivy 0.18.3
Additional details (base image name, container registry info…):
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Comments: 16
Fixed
Thanks for fixing the gitlab report. Tested and no false positive on nimbus-jose-jwt-9.8.1.jar -> shadowed json-smart 1.3.2 anymore 😃
@mbreevoort Thank you for reporting the issue. This advisory is provided by the gitlab advisory database.
I will send a PR to fix the advisory. https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/merge_requests/6889