Skip to content

[FP]: selenium detected as archive_project #7460

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
xiaobc-mika opened this issue Feb 24, 2025 · 12 comments
Open

[FP]: selenium detected as archive_project #7460

xiaobc-mika opened this issue Feb 24, 2025 · 12 comments
Labels
FP Report maven changes to the maven plugin

Comments

@xiaobc-mika
Copy link

Package URl

pkg:maven/androidx.lifecycle/[email protected]

CPE

cpe:2.3:a:selenium:selenium:2.8.7:*:*:*:*:*:*:*

CVE

No response

ODC Integration

{"label" => "Gradle Plugin"}

ODC Version

12.1.0

Description

After suppressing this one it also matches with cpe:/a:archive_project:archive and cpe:/a:digital-ant:digital_ant.

We got a few of these sorts of issues after updating from 10.0.2 to 12.1.0, prompted by the recent parsing error.
@github-actions GitHub Actions
Copy link
Contributor

Maven Coordinates

<dependency>
   <groupId>androidx.lifecycle</groupId>
   <artifactId>lifecycle-viewmodel</artifactId>
   <version>2.8.7</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7460
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/androidx\.lifecycle/lifecycle-viewmodel@.*$</packageUrl>
   <cpe>cpe:/a:selenium:selenium</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/13490721479

@github-actions github-actions bot added the maven changes to the maven plugin label Feb 24, 2025
@jeremylong jeremylong changed the title [FP]: [FP]: selenium detected as archive_project Feb 24, 2025
@github-actions GitHub Actions
Copy link
Contributor

Maven Coordinates

<dependency>
   <groupId>androidx.lifecycle</groupId>
   <artifactId>lifecycle-viewmodel</artifactId>
   <version>2.8.7</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7460
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/androidx\.lifecycle/lifecycle-viewmodel@.*$</packageUrl>
   <cpe>cpe:/a:selenium:selenium</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/13497211357

@chadlwilson
Copy link
Collaborator

It’s hard to understand how this could have anything to do with selenium.

@xiaobc-mika
Copy link
Author

I don't understand it either.

Looks like this automation doesn't make the same connection either which seems weird.

We don't do anything special with the analysis.

dependencyCheck {
    failBuildOnCVSS = 5
    suppressionFile = "${rootDir}/dependency_check/dependency_check_suppression.xml"
    nvd {
        validForHours = 1
        apiKey = XXX
    }
    format = 'HTML'
    analyzers {
        ossIndex {
            enabled = true
            username = XXX
            password = XXX
        }
    }
}

We started getting a few of these after updating to 12.1.0. Even weirder was that some would show up when we ran it locally, but not on the CI or vice versa.

@chadlwilson
Copy link
Collaborator

Yeah, it's perhaps related to #7295 but would need to to look at the evidence in the report to see if that makes more sense.

@xiaobc-mika
Copy link
Author

File Path: /home/user/.gradle/caches/8.9/transforms/2480adcee23ed3cbc8ff47c62139c768/transformed/lifecycle-viewmodel-2.8.7/jars/classes.jar
MD5: 76cdb2bad9582d23c1f6f4d868218d6c
SHA1: b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256:8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

Evidence:

Type Source Name Value Confidence
Vendor central artifactid daml-lf-2.1-archive-proto High
Vendor central artifactid daml-lf-archive-proto High
Vendor central artifactid daml-lf-snapshot-java-proto High
Vendor central artifactid daml-lf-snapshot-proto High
Vendor central artifactid daml-lf-transaction-java-proto High
Vendor central artifactid ledger-api-java-proto High
Vendor central artifactid ledger-api-proto High
Vendor central artifactid ledger-api-value-java-proto High
Vendor central artifactid ledger-api-value-proto High
Vendor central artifactid redscorpion-all High
Vendor central artifactid selenium-java High
Vendor central groupid com.daml High
Vendor central groupid org.seleniumhq.selenium High
Vendor central groupid top.redscorpion High
Vendor gradle artifactid lifecycle-viewmodel Highest
Vendor gradle groupid androidx.lifecycle Highest
Vendor pom artifactid daml-lf-2.1-archive-proto Low
Vendor pom artifactid daml-lf-archive-proto Low
Vendor pom artifactid daml-lf-snapshot-java-proto Low
Vendor pom artifactid daml-lf-snapshot-proto Low
Vendor pom artifactid daml-lf-transaction-java-proto Low
Vendor pom artifactid ledger-api-java-proto Low
Vendor pom artifactid ledger-api-proto Low
Vendor pom artifactid ledger-api-value-java-proto Low
Vendor pom artifactid ledger-api-value-proto Low
Vendor pom artifactid redscorpion-all Low
Vendor pom artifactid selenium-java Low
Vendor pom developer email [email protected] Low
Vendor pom developer id barancev Medium
Vendor pom developer id diemol Medium
Vendor pom developer id james.h.evans.jr Medium
Vendor pom developer id simon.m.stewart Medium
Vendor pom developer id theautomatedtester Medium
Vendor pom developer id titusfortner Medium
Vendor pom developer name Alexei Barantsev Medium
Vendor pom developer name David Burns Medium
Vendor pom developer name Diego Molina Medium
Vendor pom developer name Digital Asset SDK Feedback Medium
Vendor pom developer name Jim Evans Medium
Vendor pom developer name Simon Stewart Medium
Vendor pom developer name Titus Fortner Medium
Vendor pom developer org Digital Asset (Switzerland) GmbH Medium
Vendor pom developer org URL https://www.digitalasset.com/developers Medium
Vendor pom groupid com.daml Highest
Vendor pom groupid org.seleniumhq.selenium Highest
Vendor pom groupid top.redscorpion Highest
Vendor pom name ${project.artifactId} High
Vendor pom name daml-lf-2.1-archive-proto High
Vendor pom name daml-lf-archive-proto High
Vendor pom name daml-lf-snapshot-java-proto High
Vendor pom name daml-lf-snapshot-proto High
Vendor pom name daml-lf-transaction-java-proto High
Vendor pom name ledger-api-java-proto High
Vendor pom name ledger-api-proto High
Vendor pom name ledger-api-value-java-proto High
Vendor pom name ledger-api-value-proto High
Vendor pom name org.seleniumhq.selenium:selenium-java High
Vendor pom parent-artifactid redscorpion-parent Low
Vendor pom url digital-asset/daml Highest
Vendor pom url https://selenium.dev/ Highest
Product central artifactid daml-lf-2.1-archive-proto High
Product central artifactid daml-lf-archive-proto High
Product central artifactid daml-lf-snapshot-java-proto High
Product central artifactid daml-lf-snapshot-proto High
Product central artifactid daml-lf-transaction-java-proto High
Product central artifactid ledger-api-java-proto High
Product central artifactid ledger-api-proto High
Product central artifactid ledger-api-value-java-proto High
Product central artifactid ledger-api-value-proto High
Product central artifactid redscorpion-all High
Product central artifactid selenium-java High
Product gradle artifactid lifecycle-viewmodel Highest
Product pom artifactid daml-lf-2.1-archive-proto Highest
Product pom artifactid daml-lf-archive-proto Highest
Product pom artifactid daml-lf-snapshot-java-proto Highest
Product pom artifactid daml-lf-snapshot-proto Highest
Product pom artifactid daml-lf-transaction-java-proto Highest
Product pom artifactid ledger-api-java-proto Highest
Product pom artifactid ledger-api-proto Highest
Product pom artifactid ledger-api-value-java-proto Highest
Product pom artifactid ledger-api-value-proto Highest
Product pom artifactid redscorpion-all Highest
Product pom artifactid selenium-java Highest
Product pom developer email [email protected] Low
Product pom developer id barancev Low
Product pom developer id diemol Low
Product pom developer id james.h.evans.jr Low
Product pom developer id simon.m.stewart Low
Product pom developer id theautomatedtester Low
Product pom developer id titusfortner Low
Product pom developer name Alexei Barantsev Low
Product pom developer name David Burns Low
Product pom developer name Diego Molina Low
Product pom developer name Digital Asset SDK Feedback Low
Product pom developer name Jim Evans Low
Product pom developer name Simon Stewart Low
Product pom developer name Titus Fortner Low
Product pom developer org Digital Asset (Switzerland) GmbH Low
Product pom developer org URL https://www.digitalasset.com/developers Low
Product pom groupid com.daml Highest
Product pom groupid org.seleniumhq.selenium Highest
Product pom groupid top.redscorpion Highest
Product pom name ${project.artifactId} High
Product pom name daml-lf-2.1-archive-proto High
Product pom name daml-lf-archive-proto High
Product pom name daml-lf-snapshot-java-proto High
Product pom name daml-lf-snapshot-proto High
Product pom name daml-lf-transaction-java-proto High
Product pom name ledger-api-java-proto High
Product pom name ledger-api-proto High
Product pom name ledger-api-value-java-proto High
Product pom name ledger-api-value-proto High
Product pom name org.seleniumhq.selenium:selenium-java High
Product pom parent-artifactid redscorpion-parent Medium
Product pom url digital-asset/daml High
Product pom url https://selenium.dev/ Medium
Version central version 0.3.2 High
Version central version 3.3.0-snapshot.20250219.13625.0.vbd7e542a High
Version central version 3.3.0-snapshot.20250221.13626.0.v450e992e High
Version central version 4.29.0 High
Version gradle version 2.8.7 Highest
Version pom version 0.3.2 Highest
Version pom version 3.3.0-snapshot.20250219.13625.0.vbd7e542a Highest
Version pom version 3.3.0-snapshot.20250221.13626.0.v450e992e Highest
Version pom version 4.29.0 Highest

Identifiers

@chadlwilson
Copy link
Collaborator

chadlwilson commented Feb 25, 2025
edited
Loading

@jeremylong @aikebah do you know why/how the evidence for the artifact at https://mvnrepository.com/artifact/androidx.lifecycle/lifecycle-viewmodel/2.8.7 is collecting all this information for seemingly completely unrelated things/versions?

https://dl.google.com/dl/android/maven2/androidx/lifecycle/lifecycle-viewmodel/2.8.7/lifecycle-viewmodel-2.8.7.jar

They claim they are coming from central and pom but I am not really sure how. Is it walking transitives from dependencyManagement or something?

Is it that the Vendor/Product evidence is being treated as high confidence?
Is this some strange uber-jar type of problem?

These kind of false positives because of seemingly dodgy evidence are a pretty big noise problem :-(

@aikebah
Copy link
Collaborator

aikebah commented Feb 25, 2025
edited
Loading

@chadlwilson That would likely mean a massive sha1 hash collision is at play. Most logical explanation reason would be an 'empty' jar
.
Items from 'central' are coming from the results of a sha1 search in Maven Central (using Central's 'legacy search')

@chadlwilson
Copy link
Collaborator

chadlwilson commented Feb 25, 2025
edited
Loading

Interesting. The "jars" for things like this project are basically empty (no classes in them) as they are aar predominantly, but not fully empty. I'm not sure what classes.jar ends up with in it inside Gradle, however I'd expect it's an empty jar, and some side effect of something "special" Android gradle plugins do (it's been a while since I did Android dev) since it does not seem to have a corollary in normal Gradle usage.

Having said that, many other pieces of evidence are coming, allegedly, from "pom" not just central? Does a sha collision also explain the pom evidence problems?

Nevertheless if it is indeed this, we should be able to fix such false positives I'd imagine. Whether that's inside the Gradle plugin with the specific configurations being scanned, or ODC core, I'm not sure. Possibly both.

@xiaobc-mika
Copy link
Author

I can confirm the jar file is empty

$ zipinfo transformed/lifecycle-viewmodel-2.8.7/jars/classes.jar 
Archive:  transformed/lifecycle-viewmodel-2.8.7/jars/classes.jar
Zip file size: 22 bytes, number of entries: 0
Empty zipfile.

@jeremylong
Copy link
Collaborator

What is the sha1 hash of classes.jar?

@xiaobc-mika
Copy link
Author 

$ sha1sum transformed/lifecycle-viewmodel-2.8.7/jars/classes.jar 
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33  transformed/lifecycle-viewmodel-2.8.7/jars/classes.jar

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
FP Report maven changes to the maven plugin
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jeremylong @aikebah @chadlwilson @xiaobc-mika