Sonar confuses javax.websocket.javax.websocket-api with org.java-websocket.ava-WebSocket

Xavier_Baques · July 9, 2020, 1:27pm

SonarQube Version: 7.9.1 (build 27448)
Error observed: Sonar reports as security vulnerability that javax.websocket.javax.websocket-api does not have. The vulnerability reported is:

Filename: javax.websocket-api-1.0.jar | Reference: CVE-2020-11050 | CVSS Score: 8.1 | Category: CWE-295 | In Java-WebSocket less than or equal to 1.4.1, there is an Improper Validation of Certificate with Host Mismatch where WebSocketClient does not perform SSL hostname validation. This has been patched in 1.5.0.

The vulnerability reported refers to org.java-websocket.ava-WebSocket.

See maven links for both libraries:

javax.websocket.javax.websocket-api: https://mvnrepository.com/artifact/javax.websocket/javax.websocket-api
org.java-websocket.ava-WebSocket: https://mvnrepository.com/artifact/org.java-websocket/Java-WebSocket

Note that javax.websocket.javax.websocket-api latest version is 1.1 and that only org.java-websocket.ava-WebSocket has version 1.5.

This can be reproduced by using next dependency:

org.eclipse.jetty.aggregate jetty-all 9.4.27.v20200227 pom test

Sylvain_Combe · July 10, 2020, 8:20am

Hello Xavier
and welcome to SonarSource community forum!

Just to make certain, are you describing a case where SonarQube is wrongly reporting a vulnerability on a third party library on a project you scanned?

If the case, it is worth mentioning that SonarSource does not do any SCA (Software Composition Analysis), there are 3rd party plugins for the aggregation in SonarQube of the results of SCA tools though.
Do you have such plugin installed with your SonarQube?
You may want to report the false positive to the editor of the SCA analyzer tool then.

Best.
Sylvain

Xavier_Baques · July 10, 2020, 10:36am

Hello Sylvain,

Yes, I am describing a case where SonarQube is wronlgy reporting a vulnerability on a third party library of a project.

I’ll check the 3 party plugins we use with the service maintainers and let you know.

Thanks,
Xavier

Xavier_Baques · July 21, 2020, 12:12pm

Hello Sylvain,

The 3rd party plugin we are using is dependency-check.

Thanks,
Xavier

Quentin · July 27, 2020, 9:47am

Hello @Xavier_Baques,

As @Sylvain_Combe stated, we are not the maintainers of dependency-check, I’m afraid we can not help you further.

You should report this issue directly to them.

Best,
Quentin

system · July 31, 2020, 12:37pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.