quarkus: Quarkus is not known in the NVD Database CPE

Describe the bug
Quarkus is not known in the NVD Database CPE (Common Platform Enumeration: https://nvd.nist.gov/products/cpe) Dictionary, so when running the OWASP dependency check some false positives are found.

Expected behavior
The NVD CPE directory should be aware of Quarkus.

Actual behavior
When running the OWASP Maven dependency check plugin, false positives are found around quarkus-postgres, which is detected as the Postgres driver and not as quarkus-postgres:

quarkus-jdbc-postgresql-0.15.0.jar (pkg:maven/io.quarkus/quarkus-jdbc-postgresql@0.15.0, cpe:2.3:a:postgresql:postgresql:0.15.0:*:*:*:*:*:*:*) : CVE-2007-2138, CVE-2010-0733, CVE-2014-0060, CVE-2014-0061, CVE-2014-0062, CVE-2014-0063, CVE-2014-0064, CVE-2014-0065, CVE-2014-0066, CVE-2014-0067, CVE-2015-3165, CVE-2015-5288, CVE-2015-5289, CVE-2016-0766, CVE-2016-0768, CVE-2016-0773, CVE-2016-5423, CVE-2016-5424, CVE-2016-7048, CVE-2017-14798, CVE-2017-7484, CVE-2018-1115

quarkus-jdbc-postgresql-0.15.0.jar is found as cpe:2.3:a:postgresql:postgresql:0.15.0

For a workaround, I can add a CPE exclusion on the OWASP dependency check plugin via an exclusion file in my pom.xml, but the best would be to include Quarkus artifacts in the NVD database as proper CPEs.

To Reproduce
Steps to reproduce the behavior:

  1. Create an app with PostgreSQL
  2. Add the OWASP dependency check maven plugin
  3. mvn verify

Environment (please complete the following information):

  • Quarkus version or git rev: 0.15.0

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 1
  • Comments: 53 (44 by maintainers)

Most upvoted comments

So I finally found the time to test it 😉 And it works, thanks @nhumblot for the great work on the dependency check plugin.

@sberyozkin with the new version of the plugin, I no longer need the CPE detection exclusion for quarkus-security, quarkus-mutiny and quarkus-resteasy. Great!

@abianche quarkus is audited, but I'll try to catch up on why quarkus is not showing up in this type of audit here, as I assume it is done for other products. Stay tuned.

Can someone from the core Quarkus team declare the Quarkus artifacts inside the NVD database? Here is the up-to-date suppression dependency file that I use:

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
    <!--
        This is a CPE suppression file for the maven dependency check plugin.
        Each CPE that is found by error (false positive) needs to be suppressed for a specific jar using its GAV.
        See https://jeremylong.github.io/DependencyCheck/general/suppression.html
     -->
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for quarkus-jdbc-postgresql to postgresql
            ]]>
        </notes>
        <gav regex="true">^io\.quarkus:quarkus-jdbc-postgresql:.*$</gav>
        <cpe>cpe:/a:postgresql:postgresql</cpe>
    </suppress>
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for quarkus-resteasy to resteasy
            ]]>
        </notes>
        <gav regex="true">^io\.quarkus:quarkus-resteasy.*:.*$</gav>
        <cpe>cpe:/a:redhat:resteasy</cpe>
    </suppress>
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for quarkus-undertow to undertow
            ]]>
        </notes>
        <gav regex="true">^io\.quarkus:quarkus-undertow.*:.*$</gav>
        <cpe>cpe:/a:redhat:undertow</cpe>
    </suppress>
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for quarkus-swagger-ui to swagger_project:swagger-ui
            ]]>
        </notes>
        <gav regex="true">^io\.quarkus:quarkus-swagger-ui.*:.*$</gav>
        <cpe>cpe:/a:swagger_project:swagger-ui</cpe>
    </suppress>
    <suppress>
        <notes>
            <![CDATA[
                Suppress the false positive CPE for quarkus-netty to netty
            ]]>
        </notes>
        <gav regex="true">^io\.quarkus:quarkus-netty.*:.*$</gav>
        <cpe>cpe:/a:netty:netty</cpe>
    </suppress>
</suppressions>
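The suppression file above is written by hand, one entry per false positive. The following script is an added example (not code from the Quarkus project or from dependency-check) that automates the first draft: it parses scanner output lines in the exact shape quoted in the issue description (`jar (pkg:maven/…, cpe:2.3:…) : CVE list`), flags Quarkus artifacts whose matched CPE belongs to another vendor, and emits `<suppress>` entries in the same style as the file above (a `gav` regex plus a `cpe:/a:vendor:product` element). The sample input is constructed: the first line is the finding quoted in the issue, the second is a hypothetical finding with a placeholder CVE id that resolves to a `quarkus` CPE and therefore must not be suppressed.

```python
"""Draft a dependency-check suppression file from findings quoted in the issue.
Added example; not part of the Quarkus project or of dependency-check."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

SUPPRESSION_NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd"

# Constructed sample input. First line: the finding quoted in the issue.
# Second line: hypothetical finding that correctly resolves to a quarkus CPE
# (its CVE id is a placeholder, not a real identifier).
SAMPLE_FINDINGS = """\
quarkus-jdbc-postgresql-0.15.0.jar (pkg:maven/io.quarkus/quarkus-jdbc-postgresql@0.15.0, cpe:2.3:a:postgresql:postgresql:0.15.0:*:*:*:*:*:*:*) : CVE-2007-2138, CVE-2010-0733, CVE-2018-1115
quarkus-core-0.15.0.jar (pkg:maven/io.quarkus/quarkus-core@0.15.0, cpe:2.3:a:quarkus:quarkus:0.15.0:*:*:*:*:*:*:*) : CVE-0000-PLACEHOLDER
"""

# One finding line: "<jar> (pkg:maven/<group>/<artifact>@<version>, <cpe 2.3>) : <cve list>"
FINDING_RE = re.compile(
    r"^(?P<file>\S+) \(pkg:maven/(?P<group>[^/]+)/(?P<artifact>[^@]+)@(?P<version>[^,]+), "
    r"(?P<cpe>cpe:2\.3:[^)]+)\) : (?P<cves>.*)$"
)


@dataclass
class Finding:
    file: str
    group: str
    artifact: str
    version: str
    cpe: str          # CPE 2.3 formatted string as reported by the scanner
    cves: List[str]

    @property
    def cpe_vendor(self) -> str:
        return self.cpe.split(":")[3]

    @property
    def cpe_product(self) -> str:
        return self.cpe.split(":")[4]


def parse_findings(text: str) -> List[Finding]:
    """Parse scanner output lines; lines not in the expected shape are skipped."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if not m:
            continue
        cves = [c.strip() for c in m.group("cves").split(",") if c.strip()]
        findings.append(Finding(m.group("file"), m.group("group"), m.group("artifact"),
                                m.group("version"), m.group("cpe"), cves))
    return findings


def is_suspect_match(f: Finding, group_id: str = "io.quarkus", vendor: str = "quarkus") -> bool:
    """Heuristic from the issue: an io.quarkus artifact matched to a CPE whose vendor
    is not quarkus (postgresql, redhat, ...) is a likely false positive. This marks a
    candidate for review; the listed CVEs should still be read before suppressing."""
    return f.group == group_id and f.cpe_vendor != vendor


def to_suppression_cpe(cpe23: str) -> str:
    """Reduce a CPE 2.3 string to the cpe:/a:vendor:product form used in <cpe> elements."""
    parts = cpe23.split(":")
    return f"cpe:/{parts[2]}:{parts[3]}:{parts[4]}"


def gav_regex(group: str, artifact: str) -> str:
    """Build the <gav regex="true"> pattern in the style of the issue's file:
    exact group and artifact, any version. Only '.' needs escaping in coordinates."""
    def esc(s: str) -> str:
        return s.replace(".", r"\.")
    return rf"^{esc(group)}:{esc(artifact)}:.*$"


def build_suppressions(findings: List[Finding]) -> str:
    """Emit a suppression document with one <suppress> per suspect finding."""
    ET.register_namespace("", SUPPRESSION_NS)
    root = ET.Element(f"{{{SUPPRESSION_NS}}}suppressions")
    for f in findings:
        if not is_suspect_match(f):
            continue
        sup = ET.SubElement(root, f"{{{SUPPRESSION_NS}}}suppress")
        ET.SubElement(sup, f"{{{SUPPRESSION_NS}}}notes").text = (
            f"Suppress the false positive CPE for {f.artifact} to {f.cpe_vendor}:{f.cpe_product}"
        )
        gav = ET.SubElement(sup, f"{{{SUPPRESSION_NS}}}gav", regex="true")
        gav.text = gav_regex(f.group, f.artifact)
        ET.SubElement(sup, f"{{{SUPPRESSION_NS}}}cpe").text = to_suppression_cpe(f.cpe)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(build_suppressions(parse_findings(SAMPLE_FINDINGS)))
```

The generated entries are deliberately narrow: the `gav` pattern pins the exact group and artifact and the `cpe` element names one vendor/product pair, so a later, genuine match of the same jar against a different CPE is still reported. Review each drafted entry before committing it, since the vendor heuristic only says that the CPE does not describe a Quarkus product, not that the wrapped dependency is clean.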

@loicmathieu Hi Loic, sorry for a delay, thanks a million for verifying it, and for the help throughout this issue 😃 I’m going to close this issue again 😃 - but we will be reopening it if some new CVE will cause a plugin run failure etc. (I have another pending batch update to send)

@nhumblot thanks again for the plugin fix

Great! I’ll test it as soon as 6.2.0 is out.

@loicmathieu Request to register quarkus-http, quarkus-security and gizmo has been opened, will update once it has been resolved.

@loicmathieu Hi Loic - so our instruction for re-opening this issue had to be activated fast 😃, thanks for checking it. Hmm… so, I will ask to open CPEs for some well-known Quarkus projects, starting from the 2 you mentioned, we’ll get there eventually I guess. thanks

@loicmathieu CPE team has helped with updating Quarkus CPEs against one of the resolved CVEs so now there is a clear path toward managing this issue, I’ll ask them to help with syncing CPEs with some other known CVEs and then resolve this issue - from then on we will be sending updates to NVD as needed - and we can also use this issue as a notifier, ex, when a new false positive is created - then we re-open it, etc

Now that Quarkus is listed on https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=quarkus and CVEs can be reported there by anyone in the community (incl. Red Hat security), is there anything left on this issue, or can we close it?

Hi All, the process has started (most Quarkus releases have already been registered by the NVD CPE team) but other high-priority issues have intervened; we will resume the effort soon.

@lukaszlenart what you see is exactly the issue I described in this issue; except for Vert.x, all of these are false positives.

  • graal-sdk is detected as GraalVM (and the CVE is for an issue on the VM, not on the SDK)
  • mutiny is detected as something else
  • quarkus-undertow is detected as undertow itself, so an old CVE is linked

By adding Quarkus to the NVD database, quarkus-undertow would be detected as Quarkus and not Undertow, and the issue disappears.

The dependency check plugin uses ‘CPE’ to detect a dependency as a known target in the vulnerability database, based on collected evidence (file name, maven artifactid/groupid). As long as Quarkus is not defined there, false positives will exist. No dependency upgrade would correct this. You can add an exclusion file to work around this issue.

@sberyozkin the OWASP plugin bases its matching strategy on CPE (Common Platform Enumeration).

Here is the evidence it finds on quarkus-resteasy that leads to the cpe:redhat:resteasy:1.8.3; as soon as the Quarkus CPE is declared in the NVD Database it will lead to a Quarkus CPE instead of a resteasy one, so eliminating all false positives.

Type    | Source        | Name                   | Value                                                                                                  | Confidence
--------|---------------|------------------------|--------------------------------------------------------------------------------------------------------|-----------
Vendor  | jar           | package name           | resteasy                                                                                               | Highest
Vendor  | pom           | parent-artifactid      | quarkus-resteasy-parent                                                                                | Low
Vendor  | file          | name                   | quarkus-resteasy                                                                                       | High
Vendor  | jar           | package name           | quarkus                                                                                                | Highest
Vendor  | pom           | name                   | Quarkus - RESTEasy - Runtime                                                                           | High
Vendor  | pom           | artifactid             | quarkus-resteasy                                                                                       | Low
Vendor  | Manifest      | Implementation-Vendor  | JBoss by Red Hat                                                                                       | High
Vendor  | jar           | package name           | io                                                                                                     | Highest
Vendor  | hint analyzer | vendor                 | redhat                                                                                                 | Highest
Vendor  | Manifest      | os-arch                | amd64                                                                                                  | Low
Vendor  | Manifest      | build-jdk-spec         | 1.8                                                                                                    | Low
Vendor  | jar           | package name           | runtime                                                                                                | Highest
Vendor  | Manifest      | specification-vendor   | JBoss by Red Hat                                                                                       | Low
Vendor  | Manifest      | os-name                | Linux                                                                                                  | Medium
Vendor  | Manifest      | java-vendor            | AdoptOpenJDK                                                                                           | Medium
Vendor  | pom           | groupid                | io.quarkus                                                                                             | Highest
Vendor  | Manifest      | implementation-url     | http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-resteasy-parent/quarkus-resteasy       | Low
Product | jar           | package name           | resteasy                                                                                               | Highest
Product | Manifest      | specification-title    | Quarkus - RESTEasy - Runtime                                                                           | Medium
Product | file          | name                   | quarkus-resteasy                                                                                       | High
Product | jar           | package name           | quarkus                                                                                                | Highest
Product | pom           | parent-artifactid      | quarkus-resteasy-parent                                                                                | Medium
Product | pom           | name                   | Quarkus - RESTEasy - Runtime                                                                           | High
Product | jar           | package name           | io                                                                                                     | Highest
Product | Manifest      | os-arch                | amd64                                                                                                  | Low
Product | jar           | package name           | runtime                                                                                                | Highest
Product | Manifest      | build-jdk-spec         | 1.8                                                                                                    | Low
Product | Manifest      | os-name                | Linux                                                                                                  | Medium
Product | Manifest      | Implementation-Title   | Quarkus - RESTEasy - Runtime                                                                           | High
Product | pom           | artifactid             | quarkus-resteasy                                                                                       | Highest
Product | Manifest      | implementation-url     | http://www.jboss.org/quarkus-parent/quarkus-build-parent/quarkus-resteasy-parent/quarkus-resteasy       | Low
Product | pom           | groupid                | io.quarkus                                                                                             | Highest
Version | pom           | version                | 1.8.3.Final                                                                                            | Highest
Version | Manifest      | Implementation-Version | 1.8.3.Final                                                                                            | High

@loicmathieu I’m going to look into it shortly, thanks