Sonar confuses javax.websocket.javax.websocket-api with org.java-websocket.Java-WebSocket

  • SonarQube Version: 7.9.1 (build 27448)
  • Error observed: Sonar reports a security vulnerability that javax.websocket.javax.websocket-api does not have. The vulnerability reported is:
Filename: javax.websocket-api-1.0.jar | Reference: CVE-2020-11050 | CVSS Score: 8.1 | Category: CWE-295 | In Java-WebSocket less than or equal to 1.4.1, there is an Improper Validation of Certificate with Host Mismatch where WebSocketClient does not perform SSL hostname validation. This has been patched in 1.5.0.

The vulnerability reported refers to org.java-websocket.Java-WebSocket.

See maven links for both libraries:

javax.websocket.javax.websocket-api: https://mvnrepository.com/artifact/javax.websocket/javax.websocket-api
org.java-websocket.Java-WebSocket: https://mvnrepository.com/artifact/org.java-websocket/Java-WebSocket

Note that the latest version of javax.websocket.javax.websocket-api is 1.1 and that only org.java-websocket.Java-WebSocket has a version 1.5.

This can be reproduced with the following dependency:

    <dependency>
      <groupId>org.eclipse.jetty.aggregate</groupId>
      <artifactId>jetty-all</artifactId>
      <version>9.4.27.v20200227</version>
      <type>pom</type>
      <scope>test</scope>
    </dependency>

Hello Xavier,
and welcome to the SonarSource community forum!

Just to make certain, are you describing a case where SonarQube is wrongly reporting a vulnerability on a third party library on a project you scanned?

If that is the case, it is worth mentioning that SonarSource does not do any SCA (Software Composition Analysis); there are third-party plugins for aggregating the results of SCA tools in SonarQube, though.
Do you have such a plugin installed with your SonarQube?
You may want to report the false positive to the editor of the SCA analyzer tool, then.

Best.
Sylvain


Hello Sylvain,

Yes, I am describing a case where SonarQube is wrongly reporting a vulnerability on a third party library of a project.

I’ll check the 3rd party plugins we use with the service maintainers and let you know.

Thanks,
Xavier

Hello Sylvain,

The 3rd party plugin we are using is dependency-check.

Thanks,
Xavier

Hello @Xavier_Baques,

As @Sylvain_Combe stated, we are not the maintainers of dependency-check, so I’m afraid we cannot help you further.

You should report this issue directly to them.

Best,
Quentin
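While the false positive is being reported upstream, the usual way to stop dependency-check from flagging CVE-2020-11050 on the javax.websocket-api artifact is a suppression file. The following is an added example, not something posted in this thread or shipped by dependency-check or SonarSource; it assumes the standard dependency-check suppression XML format and scopes the rule to the one misattributed package URL and the one CVE, so that any future finding that genuinely concerns this artifact, or a real org.java-websocket:Java-WebSocket dependency, is still reported.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example dependency-check suppression file (added here as an illustration,
     not part of the original thread). Suppresses only CVE-2020-11050 and only
     for javax.websocket:javax.websocket-api, which the scanner confuses with
     org.java-websocket:Java-WebSocket. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      False positive: CVE-2020-11050 (missing SSL hostname validation in
      WebSocketClient) affects org.java-websocket:Java-WebSocket <= 1.4.1,
      fixed in 1.5.0. It does not affect javax.websocket:javax.websocket-api,
      which is pulled in transitively by jetty-all 9.4.27.v20200227 (test scope).
    ]]></notes>
    <!-- Match any version of the javax.websocket-api artifact by package URL. -->
    <packageUrl regex="true">^pkg:maven/javax\.websocket/javax\.websocket\-api@.*$</packageUrl>
    <!-- Suppress exactly this CVE; other findings on the artifact still surface. -->
    <cve>CVE-2020-11050</cve>
  </suppress>
</suppressions>
```

Point dependency-check at the file with its `--suppression` command-line option (or the `suppressionFile` setting of the Maven plugin) and re-run the scan before the results are imported into SonarQube; keeping the `<notes>` block explains to the next reviewer why the finding was suppressed rather than fixed.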

